Edit tour

Windows Analysis Report
Slf.msi

Overview

General Information

Sample name:	Slf.msi
Analysis ID:	1565486
MD5:	6f92f923d8f87afe5fe757ff2ff56951
SHA1:	44780713a7026b9b0ff3cadeaffacb3cc3584eca
SHA256:	6ed0c218b751ec93293b5922e783b7a9b147a3c7cd6070022cd707050108d321
Tags:	msiuser-aachum
Infos:

Detection

Clipboard Hijacker, MicroClip, Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Clipboard Hijacker

Yara detected MicroClip

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found API chain indicative of debugger detection

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

One or more processes crash

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Sleep loop found (likely to delay execution)

Stores files to the Windows start menu directory

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 5700 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Slf.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 1680 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 2228 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding CCD88EF77E0BFA64C5AD6E35B211C368 MD5: 9D09DC1EDA745A5F87553048E57620CF)

EHttpSrv.exe (PID: 7136 cmdline: "C:\Users\user\AppData\Local\Temp\EHttpSrv.exe" MD5: 9329BA45C8B97485926A171E34C2ABB8)

cmd.exe (PID: 6532 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

EHttpSrv.exe (PID: 6844 cmdline: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe MD5: 9329BA45C8B97485926A171E34C2ABB8)

Updwork.exe (PID: 4460 cmdline: "C:\Users\user\AppData\Local\Temp\Updwork.exe" MD5: 253C52411B256E4AF301CBA58DCB6CEF)

WerFault.exe (PID: 2380 cmdline: "C:\Windows\System32\WerFault.exe" MD5: C31336C1EFC2CCB44B4326EA793040F2)

EHttpSrv.exe (PID: 6780 cmdline: "C:\Users\user\AppData\Local\Temp\EHttpSrv.exe" MD5: 9329BA45C8B97485926A171E34C2ABB8)

cmd.exe (PID: 4720 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RaftelibeGasrss.exe (PID: 7100 cmdline: "C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe" MD5: 253C52411B256E4AF301CBA58DCB6CEF)

WerFault.exe (PID: 1408 cmdline: "C:\Windows\System32\WerFault.exe" MD5: C31336C1EFC2CCB44B4326EA793040F2)

EHttpSrv.exe (PID: 6036 cmdline: "C:\Users\user\AppData\Local\Temp\EHttpSrv.exe" MD5: 9329BA45C8B97485926A171E34C2ABB8)

cmd.exe (PID: 2508 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

EHttpSrv.exe (PID: 4720 cmdline: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe MD5: 9329BA45C8B97485926A171E34C2ABB8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["185.157.162.126:1995:1"], "Assigned name": "v", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "qsdazeazd-EL00KX", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
C:\Users\user\AppData\Local\Temp\fcpumhrmyq	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\Users\user\AppData\Local\Temp\fcpumhrmyq	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
C:\Users\user\AppData\Local\Temp\fcpumhrmyq	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
C:\Users\user\AppData\Local\Temp\fcpumhrmyq	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
C:\Users\user\AppData\Local\Temp\fcpumhrmyq	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000018.00000002.4482451053.0000000000421000.00000002.00000400.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
00000018.00000002.4482451053.0000000000421000.00000002.00000400.00020000.00000000.sdmp	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
00000006.00000002.2374708080.0000000005B60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000006.00000002.2374708080.0000000005B60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000006.00000002.2374708080.0000000005B60000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ab70:$a1: Remcos restarted by watchdog! 0x6b0e8:$a3: %02i:%02i:%02i:%03i
0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000005.00000003.2219955750.0000000002AA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
00000005.00000003.2219955750.0000000002AA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
0000000C.00000002.2373788093.0000000000469000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000C.00000002.2373788093.0000000000469000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000C.00000002.2373788093.0000000000469000.00000002.00000001.01000000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x134a8:$a1: Remcos restarted by watchdog! 0x13a20:$a3: %02i:%02i:%02i:%03i
00000010.00000003.2574423454.0000000002320000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
00000010.00000003.2574423454.0000000002320000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000019.00000002.2658388133.0000000000469000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000019.00000002.2658388133.0000000000469000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000019.00000002.2658388133.0000000000469000.00000002.00000001.01000000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x134a8:$a1: Remcos restarted by watchdog! 0x13a20:$a3: %02i:%02i:%02i:%03i
00000015.00000002.2658386547.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000015.00000002.2658386547.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000015.00000002.2658386547.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ab70:$a1: Remcos restarted by watchdog! 0x6b0e8:$a3: %02i:%02i:%02i:%03i
00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000B.00000002.4482449704.0000000000421000.00000002.00000400.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
0000000B.00000002.4482449704.0000000000421000.00000002.00000400.00020000.00000000.sdmp	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000010.00000003.2574373433.0000000002370000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
00000010.00000003.2574373433.0000000002370000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
0000000E.00000002.2422716456.00000000036F0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000005.00000003.2220074790.0000000002230000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
00000005.00000003.2220074790.0000000002230000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: EHttpSrv.exe PID: 7136	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: Updwork.exe PID: 4460	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: Updwork.exe PID: 4460	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
Process Memory Space: cmd.exe PID: 6532	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: cmd.exe PID: 6532	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 6532	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xc2c7:$a1: Remcos restarted by watchdog! 0xc821:$a3: %02i:%02i:%02i:%03i 0xcc50:$a3: %02i:%02i:%02i:%03i
Process Memory Space: WerFault.exe PID: 2380	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: WerFault.exe PID: 2380	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
Process Memory Space: EHttpSrv.exe PID: 6844	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: EHttpSrv.exe PID: 6844	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: EHttpSrv.exe PID: 6844	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x141c3:$a1: Remcos restarted by watchdog! 0x1471d:$a3: %02i:%02i:%02i:%03i 0x14b4c:$a3: %02i:%02i:%02i:%03i
Process Memory Space: EHttpSrv.exe PID: 6780	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 4720	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: RaftelibeGasrss.exe PID: 7100	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: RaftelibeGasrss.exe PID: 7100	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
Process Memory Space: EHttpSrv.exe PID: 6036	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 2508	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: cmd.exe PID: 2508	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 2508	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x1731d:$a1: Remcos restarted by watchdog! 0x17877:$a3: %02i:%02i:%02i:%03i 0x17ca6:$a3: %02i:%02i:%02i:%03i
Process Memory Space: WerFault.exe PID: 1408	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: WerFault.exe PID: 1408	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
Process Memory Space: EHttpSrv.exe PID: 4720	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: EHttpSrv.exe PID: 4720	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: EHttpSrv.exe PID: 4720	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x5bf48:$a1: Remcos restarted by watchdog! 0x5c4a2:$a3: %02i:%02i:%02i:%03i 0x5c8d1:$a3: %02i:%02i:%02i:%03i
Click to see the 52 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.3.Updwork.exe.2230000.1.unpack	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
5.3.Updwork.exe.2230000.1.unpack	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
16.3.RaftelibeGasrss.exe.2320000.1.raw.unpack	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
16.3.RaftelibeGasrss.exe.2320000.1.raw.unpack	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
24.2.WerFault.exe.400000.0.unpack	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
24.2.WerFault.exe.400000.0.unpack	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
14.2.cmd.exe.56acb90.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.cmd.exe.56acb90.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d079:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d305:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d104:$s1: CoGetObject 0x1d390:$s1: CoGetObject 0x1d05d:$s2: Elevation:Administrator!new: 0x1d2e9:$s2: Elevation:Administrator!new:
12.2.EHttpSrv.exe.255fb90.6.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.EHttpSrv.exe.255fb90.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d079:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d305:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d104:$s1: CoGetObject 0x1d390:$s1: CoGetObject 0x1d05d:$s2: Elevation:Administrator!new: 0x1d2e9:$s2: Elevation:Administrator!new:
12.2.EHttpSrv.exe.255ef90.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.EHttpSrv.exe.255ef90.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dc79:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1df05:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd04:$s1: CoGetObject 0x1df90:$s1: CoGetObject 0x1dc5d:$s2: Elevation:Administrator!new: 0x1dee9:$s2: Elevation:Administrator!new:
4.2.EHttpSrv.exe.237e2e4.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
4.2.EHttpSrv.exe.237e2e4.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dc79:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1df05:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd04:$s1: CoGetObject 0x1df90:$s1: CoGetObject 0x1dc5d:$s2: Elevation:Administrator!new: 0x1dee9:$s2: Elevation:Administrator!new:
25.2.EHttpSrv.exe.25b2b90.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
25.2.EHttpSrv.exe.25b2b90.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d079:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d305:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d104:$s1: CoGetObject 0x1d390:$s1: CoGetObject 0x1d05d:$s2: Elevation:Administrator!new: 0x1d2e9:$s2: Elevation:Administrator!new:
21.2.cmd.exe.52a0f90.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
21.2.cmd.exe.52a0f90.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dc79:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1df05:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd04:$s1: CoGetObject 0x1df90:$s1: CoGetObject 0x1dc5d:$s2: Elevation:Administrator!new: 0x1dee9:$s2: Elevation:Administrator!new:
4.2.EHttpSrv.exe.235ca18.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
4.2.EHttpSrv.exe.235ca18.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x3f545:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3f7d1:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3f5d0:$s1: CoGetObject 0x3f85c:$s1: CoGetObject 0x3f529:$s2: Elevation:Administrator!new: 0x3f7b5:$s2: Elevation:Administrator!new:
14.2.cmd.exe.56abf90.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.cmd.exe.56abf90.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dc79:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1df05:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd04:$s1: CoGetObject 0x1df90:$s1: CoGetObject 0x1dc5d:$s2: Elevation:Administrator!new: 0x1dee9:$s2: Elevation:Administrator!new:
16.3.RaftelibeGasrss.exe.2370000.0.raw.unpack	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
16.3.RaftelibeGasrss.exe.2370000.0.raw.unpack	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
6.2.cmd.exe.5b600c8.7.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
6.2.cmd.exe.5b600c8.7.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
6.2.cmd.exe.5b600c8.7.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
6.2.cmd.exe.5b600c8.7.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
6.2.cmd.exe.5b600c8.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
20.2.EHttpSrv.exe.2308a18.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
20.2.EHttpSrv.exe.2308a18.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x3f545:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3f7d1:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3f5d0:$s1: CoGetObject 0x3f85c:$s1: CoGetObject 0x3f529:$s2: Elevation:Administrator!new: 0x3f7b5:$s2: Elevation:Administrator!new:
16.3.RaftelibeGasrss.exe.2320000.1.unpack	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
16.3.RaftelibeGasrss.exe.2320000.1.unpack	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
6.2.cmd.exe.5220f90.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
6.2.cmd.exe.5220f90.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dc79:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1df05:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd04:$s1: CoGetObject 0x1df90:$s1: CoGetObject 0x1dc5d:$s2: Elevation:Administrator!new: 0x1dee9:$s2: Elevation:Administrator!new:
6.2.cmd.exe.5221b90.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
6.2.cmd.exe.5221b90.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d079:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d305:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d104:$s1: CoGetObject 0x1d390:$s1: CoGetObject 0x1d05d:$s2: Elevation:Administrator!new: 0x1d2e9:$s2: Elevation:Administrator!new:
14.2.cmd.exe.36f07f8.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.cmd.exe.36f07f8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x10220:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x101e8:$s2: Elevation:Administrator!new:
5.3.Updwork.exe.2aa0000.0.raw.unpack	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
5.3.Updwork.exe.2aa0000.0.raw.unpack	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
25.2.EHttpSrv.exe.25b1f90.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
25.2.EHttpSrv.exe.25b1f90.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dc79:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1df05:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd04:$s1: CoGetObject 0x1df90:$s1: CoGetObject 0x1dc5d:$s2: Elevation:Administrator!new: 0x1dee9:$s2: Elevation:Administrator!new:
13.2.EHttpSrv.exe.23b82e4.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
13.2.EHttpSrv.exe.23b82e4.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dc79:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1df05:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd04:$s1: CoGetObject 0x1df90:$s1: CoGetObject 0x1dc5d:$s2: Elevation:Administrator!new: 0x1dee9:$s2: Elevation:Administrator!new:
21.2.cmd.exe.2eb00c8.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
21.2.cmd.exe.2eb00c8.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
21.2.cmd.exe.2eb00c8.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690a8:$a1: Remcos restarted by watchdog! 0x69620:$a3: %02i:%02i:%02i:%03i
21.2.cmd.exe.2eb00c8.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x630fc:$str_a1: C:\Windows\System32\cmd.exe 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6316c:$str_b2: Executing file: 0x641ec:$str_b3: GetDirectListeningPort 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d18:$str_b7: \update.vbs 0x63194:$str_b9: Downloaded file: 0x63180:$str_b10: Downloading file: 0x63224:$str_b12: Failed to upload file: 0x641b4:$str_b13: StartForward 0x641d4:$str_b14: StopForward 0x63c70:$str_b15: fso.DeleteFile " 0x63c04:$str_b16: On Error Resume Next 0x63ca0:$str_b17: fso.DeleteFolder " 0x63214:$str_b18: Uploaded file: 0x631d4:$str_b19: Unable to delete: 0x63c38:$str_b20: while fso.FileExists(" 0x636b1:$str_c0: [Firefox StoredLogins not found]
21.2.cmd.exe.2eb00c8.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f7c:$s1: CoGetObject 0x62f90:$s1: CoGetObject 0x62fac:$s1: CoGetObject 0x6cf38:$s1: CoGetObject 0x62f3c:$s2: Elevation:Administrator!new:
11.2.WerFault.exe.400000.0.unpack	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
11.2.WerFault.exe.400000.0.unpack	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
14.2.cmd.exe.568a6c4.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.cmd.exe.568a6c4.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x3f545:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3f7d1:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3f5d0:$s1: CoGetObject 0x3f85c:$s1: CoGetObject 0x3f529:$s2: Elevation:Administrator!new: 0x3f7b5:$s2: Elevation:Administrator!new:
21.2.cmd.exe.2eb00c8.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
21.2.cmd.exe.2eb00c8.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
21.2.cmd.exe.2eb00c8.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
21.2.cmd.exe.2eb00c8.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
21.2.cmd.exe.2eb00c8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
13.2.EHttpSrv.exe.23b8ee4.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
13.2.EHttpSrv.exe.23b8ee4.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d079:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d305:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d104:$s1: CoGetObject 0x1d390:$s1: CoGetObject 0x1d05d:$s2: Elevation:Administrator!new: 0x1d2e9:$s2: Elevation:Administrator!new:
21.2.cmd.exe.52a1b90.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
21.2.cmd.exe.52a1b90.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d079:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d305:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d104:$s1: CoGetObject 0x1d390:$s1: CoGetObject 0x1d05d:$s2: Elevation:Administrator!new: 0x1d2e9:$s2: Elevation:Administrator!new:
20.2.EHttpSrv.exe.232aee4.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
20.2.EHttpSrv.exe.232aee4.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d079:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d305:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d104:$s1: CoGetObject 0x1d390:$s1: CoGetObject 0x1d05d:$s2: Elevation:Administrator!new: 0x1d2e9:$s2: Elevation:Administrator!new:
6.2.cmd.exe.5b600c8.7.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
6.2.cmd.exe.5b600c8.7.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
6.2.cmd.exe.5b600c8.7.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690a8:$a1: Remcos restarted by watchdog! 0x69620:$a3: %02i:%02i:%02i:%03i
6.2.cmd.exe.5b600c8.7.unpack	REMCOS_RAT_variants	unknown	unknown	0x630fc:$str_a1: C:\Windows\System32\cmd.exe 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6316c:$str_b2: Executing file: 0x641ec:$str_b3: GetDirectListeningPort 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d18:$str_b7: \update.vbs 0x63194:$str_b9: Downloaded file: 0x63180:$str_b10: Downloading file: 0x63224:$str_b12: Failed to upload file: 0x641b4:$str_b13: StartForward 0x641d4:$str_b14: StopForward 0x63c70:$str_b15: fso.DeleteFile " 0x63c04:$str_b16: On Error Resume Next 0x63ca0:$str_b17: fso.DeleteFolder " 0x63214:$str_b18: Uploaded file: 0x631d4:$str_b19: Unable to delete: 0x63c38:$str_b20: while fso.FileExists(" 0x636b1:$str_c0: [Firefox StoredLogins not found]
6.2.cmd.exe.5b600c8.7.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f7c:$s1: CoGetObject 0x62f90:$s1: CoGetObject 0x62fac:$s1: CoGetObject 0x6cf38:$s1: CoGetObject 0x62f3c:$s2: Elevation:Administrator!new:
16.3.RaftelibeGasrss.exe.2370000.0.unpack	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
16.3.RaftelibeGasrss.exe.2370000.0.unpack	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
6.2.cmd.exe.51ff6c4.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
6.2.cmd.exe.51ff6c4.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x3f545:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3f7d1:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3f5d0:$s1: CoGetObject 0x3f85c:$s1: CoGetObject 0x3f529:$s2: Elevation:Administrator!new: 0x3f7b5:$s2: Elevation:Administrator!new:
5.3.Updwork.exe.2230000.1.raw.unpack	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
5.3.Updwork.exe.2230000.1.raw.unpack	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
4.2.EHttpSrv.exe.237eee4.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
4.2.EHttpSrv.exe.237eee4.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d079:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d305:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d104:$s1: CoGetObject 0x1d390:$s1: CoGetObject 0x1d05d:$s2: Elevation:Administrator!new: 0x1d2e9:$s2: Elevation:Administrator!new:
5.3.Updwork.exe.2aa0000.0.unpack	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
5.3.Updwork.exe.2aa0000.0.unpack	JoeSecurity_MicroClip	Yara detected MicroClip	Joe Security
12.2.EHttpSrv.exe.253d6c4.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.EHttpSrv.exe.253d6c4.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x3f545:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3f7d1:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3f5d0:$s1: CoGetObject 0x3f85c:$s1: CoGetObject 0x3f529:$s2: Elevation:Administrator!new: 0x3f7b5:$s2: Elevation:Administrator!new:
25.2.EHttpSrv.exe.25906c4.6.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
25.2.EHttpSrv.exe.25906c4.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x3f545:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3f7d1:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3f5d0:$s1: CoGetObject 0x3f85c:$s1: CoGetObject 0x3f529:$s2: Elevation:Administrator!new: 0x3f7b5:$s2: Elevation:Administrator!new:
21.2.cmd.exe.527f6c4.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
21.2.cmd.exe.527f6c4.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x3f545:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3f7d1:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3f5d0:$s1: CoGetObject 0x3f85c:$s1: CoGetObject 0x3f529:$s2: Elevation:Administrator!new: 0x3f7b5:$s2: Elevation:Administrator!new:
20.2.EHttpSrv.exe.232a2e4.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
20.2.EHttpSrv.exe.232a2e4.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dc79:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1df05:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd04:$s1: CoGetObject 0x1df90:$s1: CoGetObject 0x1dc5d:$s2: Elevation:Administrator!new: 0x1dee9:$s2: Elevation:Administrator!new:
13.2.EHttpSrv.exe.2396a18.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
13.2.EHttpSrv.exe.2396a18.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x3f545:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3f7d1:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x3f5d0:$s1: CoGetObject 0x3f85c:$s1: CoGetObject 0x3f529:$s2: Elevation:Administrator!new: 0x3f7b5:$s2: Elevation:Administrator!new:
Click to see the 85 entries

Sigma Signatures

System Summary

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Updwork.exe, ProcessId: 4460, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Avira: detection malicious, Label: HEUR/AGEN.1338067
Source: C:\Users\user\AppData\Local\Temp\RaftelibeGarss\zlib1.dll	Avira: detection malicious, Label: HEUR/AGEN.1363590
Source: C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc	Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: C:\Users\user\AppData\Local\Temp\fcpumhrmyq	Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: C:\Users\user\AppData\Local\Temp\http_dll.dll	Avira: detection malicious, Label: TR/HijackLoader.cugkp

Found malware configuration

Source: 6.2.cmd.exe.5b600c8.7.raw.unpack

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["185.157.162.126:1995:1"], "Assigned name": "v", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "qsdazeazd-EL00KX", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RaftelibeGarss\zlib1.dll	ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\RaftelibeGarss\zlib1.dll	Virustotal: Detection: 45%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc	ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Local\Temp\fcpumhrmyq	ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Local\Temp\http_dll.dll	ReversingLabs: Detection: 62%

Multi AV Scanner detection for submitted file

Source: Slf.msi	ReversingLabs: Detection: 57%
Source: Slf.msi	Virustotal: Detection: 56%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 6.2.cmd.exe.5b600c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.2eb00c8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.2eb00c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cmd.exe.5b600c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2374708080.0000000005B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2373788093.0000000000469000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2658388133.0000000000469000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2658386547.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EHttpSrv.exe PID: 6844, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 2508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EHttpSrv.exe PID: 4720, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\fcpumhrmyq, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RaftelibeGarss\zlib1.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\fcpumhrmyq	Joe Sandbox ML: detected

Source: cmd.exe, 00000006.00000002.2374708080.0000000005B60000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_ae2bd487-b

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 14.2.cmd.exe.56acb90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.EHttpSrv.exe.255fb90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.EHttpSrv.exe.255ef90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.EHttpSrv.exe.237e2e4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.EHttpSrv.exe.25b2b90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.52a0f90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.EHttpSrv.exe.235ca18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.56abf90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cmd.exe.5b600c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.EHttpSrv.exe.2308a18.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cmd.exe.5220f90.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cmd.exe.5221b90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.36f07f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.EHttpSrv.exe.25b1f90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.EHttpSrv.exe.23b82e4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.2eb00c8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.568a6c4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.2eb00c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.EHttpSrv.exe.23b8ee4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.52a1b90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.EHttpSrv.exe.232aee4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cmd.exe.5b600c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cmd.exe.51ff6c4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.EHttpSrv.exe.237eee4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.EHttpSrv.exe.253d6c4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.EHttpSrv.exe.25906c4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.527f6c4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.EHttpSrv.exe.232a2e4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.EHttpSrv.exe.2396a18.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2374708080.0000000005B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2373788093.0000000000469000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2658388133.0000000000469000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2658386547.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2422716456.00000000036F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EHttpSrv.exe PID: 7136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EHttpSrv.exe PID: 6844, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EHttpSrv.exe PID: 6780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 4720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EHttpSrv.exe PID: 6036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 2508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EHttpSrv.exe PID: 4720, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\fcpumhrmyq, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source:	Binary string: C:\Users\root\Desktop\clipmain\CryptoAddressReplacer\Release\CryptoAddressReplacer.pdb source: Updwork.exe, 00000005.00000003.2219955750.0000000002AA0000.00000004.00001000.00020000.00000000.sdmp, Updwork.exe, 00000005.00000003.2220074790.0000000002230000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000002.4482449704.0000000000421000.00000002.00000400.00020000.00000000.sdmp, RaftelibeGasrss.exe, 00000010.00000003.2574423454.0000000002320000.00000004.00001000.00020000.00000000.sdmp, RaftelibeGasrss.exe, 00000010.00000003.2574373433.0000000002370000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000018.00000002.4482451053.0000000000421000.00000002.00000400.00020000.00000000.sdmp
Source:	Binary string: d:\installbuild\kalab\ess_4_0_400\build\apps\work\release\http_server\winnt32\EHttpSrv.pdb source: EHttpSrv.exe, 00000004.00000000.2028514418.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 00000004.00000002.2100945274.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 0000000C.00000002.2373690214.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 0000000C.00000000.2289119886.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 0000000D.00000002.2358895312.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 0000000D.00000000.2305410663.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 00000014.00000002.2477645230.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 00000014.00000000.2421494010.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 00000019.00000000.2615497904.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 00000019.00000002.2658278222.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe.1.dr
Source:	Binary string: msvcr80.i386.pdb source: msvcr80.dll.1.dr
Source:	Binary string: d:\installbuild\kalab\ess_4_0_400\build\apps\work\release\http_server\winnt32\EHttpSrv.pdb@@P5@ source: EHttpSrv.exe, 00000004.00000000.2028514418.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 00000004.00000002.2100945274.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 0000000C.00000002.2373690214.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 0000000C.00000000.2289119886.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 0000000D.00000002.2358895312.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 0000000D.00000000.2305410663.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 00000014.00000002.2477645230.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 00000014.00000000.2421494010.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 00000019.00000000.2615497904.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 00000019.00000002.2658278222.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe.1.dr
Source:	Binary string: d:\installbuild\kalab\ess_4_0_400\build\apps\work\release\epfw\winnt32\eguiEpfw.pdbd1J source: EHttpSrv.exe, 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmp, EHttpSrv.exe, 0000000D.00000002.2360017627.0000000020483000.00000002.00000001.01000000.00000005.sdmp, EHttpSrv.exe, 00000014.00000002.2479855520.0000000020483000.00000002.00000001.01000000.00000005.sdmp, http_dll.dll.1.dr
Source:	Binary string: wntdll.pdbUGP source: EHttpSrv.exe, 00000004.00000002.2106167622.000000000242D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374052498.0000000004E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374290735.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2373997038.0000000002187000.00000004.00000020.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374238264.0000000002600000.00000004.00001000.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359683630.00000000025A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2423011161.0000000005750000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422792608.00000000052D4000.00000004.00000020.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479232646.00000000024D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658701095.0000000004EDC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658960621.0000000005340000.00000004.00001000.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658669093.00000000021E8000.00000004.00000020.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658937976.0000000002650000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MFC80U.i386.pdb source: EHttpSrv.exe, 00000004.00000002.2106626105.000000006C831000.00000020.00000001.01000000.00000006.sdmp, EHttpSrv.exe, 0000000D.00000002.2360124157.000000006C181000.00000020.00000001.01000000.00000006.sdmp, EHttpSrv.exe, 00000014.00000002.2480010616.000000006BCD1000.00000020.00000001.01000000.00000006.sdmp, mfc80u.dll.1.dr
Source:	Binary string: wntdll.pdb source: EHttpSrv.exe, 00000004.00000002.2106167622.000000000242D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374052498.0000000004E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374290735.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2373997038.0000000002187000.00000004.00000020.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374238264.0000000002600000.00000004.00001000.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359683630.00000000025A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2423011161.0000000005750000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422792608.00000000052D4000.00000004.00000020.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479232646.00000000024D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658701095.0000000004EDC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658960621.0000000005340000.00000004.00001000.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658669093.00000000021E8000.00000004.00000020.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658937976.0000000002650000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\installbuild\kalab\ess_4_0_400\build\apps\work\release\epfw\winnt32\eguiEpfw.pdb source: EHttpSrv.exe, 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmp, EHttpSrv.exe, 0000000D.00000002.2360017627.0000000020483000.00000002.00000001.01000000.00000005.sdmp, EHttpSrv.exe, 00000014.00000002.2479855520.0000000020483000.00000002.00000001.01000000.00000005.sdmp, http_dll.dll.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: Slf.msi, 6b430b.msi.1.dr, MSI4434.tmp.1.dr, MSI44A2.tmp.1.dr, MSI44C3.tmp.1.dr, MSI4502.tmp.1.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Code function: 5_2_00405768 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	5_2_00405768
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Code function: 5_2_004026FE FindFirstFileA,	5_2_004026FE
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Code function: 5_2_004062A3 FindFirstFileA,FindClose,	5_2_004062A3
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: 11_2_0041502B FindFirstFileExW,	11_2_0041502B

Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 4x nop then mov word ptr [ebp+edx*2+00h], si	4_2_20404160
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 4x nop then xor dword ptr [edi+eax], ebp	4_2_20403A70
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 4x nop then mov word ptr [ebp+edx*2+00h], si	13_2_20404160
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 4x nop then xor dword ptr [edi+eax], ebp	13_2_20403A70

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 185.157.162.126

Source: Joe Sandbox View

ASN Name: OBE-EUROPEObenetworkEuropeSE OBE-EUROPEObenetworkEuropeSE

Source: EHttpSrv.exe, 00000004.00000002.2106626105.000000006C831000.00000020.00000001.01000000.00000006.sdmp, EHttpSrv.exe, 0000000D.00000002.2360124157.000000006C181000.00000020.00000001.01000000.00000006.sdmp, EHttpSrv.exe, 00000014.00000002.2480010616.000000006BCD1000.00000020.00000001.01000000.00000006.sdmp, mfc80u.dll.1.dr	String found in binary or memory: ftp://http://HTTP/1.0
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Slf.msi, 6b430b.msi.1.dr, MSI4434.tmp.1.dr, MSI44A2.tmp.1.dr, MSI44C3.tmp.1.dr, MSI4502.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Slf.msi, 6b430b.msi.1.dr, MSI4434.tmp.1.dr, MSI44A2.tmp.1.dr, MSI44C3.tmp.1.dr, MSI4502.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Slf.msi, 6b430b.msi.1.dr, MSI4434.tmp.1.dr, MSI44A2.tmp.1.dr, MSI44C3.tmp.1.dr, MSI4502.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: Slf.msi, 6b430b.msi.1.dr, MSI4434.tmp.1.dr, MSI44A2.tmp.1.dr, MSI44C3.tmp.1.dr, MSI4502.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Slf.msi, 6b430b.msi.1.dr, MSI4434.tmp.1.dr, MSI44A2.tmp.1.dr, MSI44C3.tmp.1.dr, MSI4502.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Slf.msi, 6b430b.msi.1.dr, MSI4434.tmp.1.dr, MSI44A2.tmp.1.dr, MSI44C3.tmp.1.dr, MSI4502.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Updwork.exe, Updwork.exe, 00000005.00000000.2028584430.000000000040A000.00000008.00000001.01000000.00000004.sdmp, Updwork.exe, 00000005.00000002.2220303039.000000000040A000.00000004.00000001.01000000.00000004.sdmp, RaftelibeGasrss.exe, 00000010.00000000.2386481779.000000000040A000.00000008.00000001.01000000.0000000C.sdmp, RaftelibeGasrss.exe, 00000010.00000002.2574583228.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, Updwork.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Updwork.exe, 00000005.00000000.2028584430.000000000040A000.00000008.00000001.01000000.00000004.sdmp, Updwork.exe, 00000005.00000002.2220303039.000000000040A000.00000004.00000001.01000000.00000004.sdmp, RaftelibeGasrss.exe, 00000010.00000000.2386481779.000000000040A000.00000008.00000001.01000000.0000000C.sdmp, RaftelibeGasrss.exe, 00000010.00000002.2574583228.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, Updwork.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp, Slf.msi, 6b430b.msi.1.dr, MSI4434.tmp.1.dr, MSI44A2.tmp.1.dr, MSI44C3.tmp.1.dr, MSI4502.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp, Slf.msi, 6b430b.msi.1.dr, MSI4434.tmp.1.dr, MSI44A2.tmp.1.dr, MSI44C3.tmp.1.dr, MSI4502.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: Slf.msi, 6b430b.msi.1.dr, MSI4434.tmp.1.dr, MSI44A2.tmp.1.dr, MSI44C3.tmp.1.dr, MSI4502.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: Slf.msi, 6b430b.msi.1.dr, MSI4434.tmp.1.dr, MSI44A2.tmp.1.dr, MSI44C3.tmp.1.dr, MSI4502.tmp.1.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: Slf.msi, 6b430b.msi.1.dr, MSI4434.tmp.1.dr, MSI44A2.tmp.1.dr, MSI44C3.tmp.1.dr, MSI4502.tmp.1.dr	String found in binary or memory: http://t2.symcb.com0
Source: Slf.msi, 6b430b.msi.1.dr, MSI4434.tmp.1.dr, MSI44A2.tmp.1.dr, MSI44C3.tmp.1.dr, MSI4502.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: Slf.msi, 6b430b.msi.1.dr, MSI4434.tmp.1.dr, MSI44A2.tmp.1.dr, MSI44C3.tmp.1.dr, MSI4502.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: Slf.msi, 6b430b.msi.1.dr, MSI4434.tmp.1.dr, MSI44A2.tmp.1.dr, MSI44C3.tmp.1.dr, MSI4502.tmp.1.dr	String found in binary or memory: http://tl.symcd.com0&
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002300000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051B0000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.00000000024EE000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.000000000233A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.000000000563B000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.00000000022AC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005230000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002541000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: Updwork.exe, Updwork.exe, 00000005.00000000.2028605382.0000000000438000.00000002.00000001.01000000.00000004.sdmp, RaftelibeGasrss.exe, 00000010.00000000.2386509811.0000000000438000.00000002.00000001.01000000.0000000C.sdmp, Updwork.exe.1.dr	String found in binary or memory: http://www.zlib.net/
Source: Updwork.exe, 00000005.00000002.2220303039.000000000040A000.00000004.00000001.01000000.00000004.sdmp, RaftelibeGasrss.exe, 00000010.00000002.2574583228.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, zlib1.dll.5.dr	String found in binary or memory: http://www.zlib.net/D
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: Slf.msi, 6b430b.msi.1.dr, MSI4434.tmp.1.dr, MSI44A2.tmp.1.dr, MSI44C3.tmp.1.dr, MSI4502.tmp.1.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: Slf.msi, 6b430b.msi.1.dr, MSI4434.tmp.1.dr, MSI44A2.tmp.1.dr, MSI44C3.tmp.1.dr, MSI4502.tmp.1.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: Slf.msi, 6b430b.msi.1.dr, MSI4434.tmp.1.dr, MSI44A2.tmp.1.dr, MSI44C3.tmp.1.dr, MSI4502.tmp.1.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: C:\Users\user\AppData\Local\Temp\Updwork.exe

Code function: 5_2_00405205 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

5_2_00405205

Source: C:\Windows\SysWOW64\WerFault.exe

Code function: 11_2_00402F40 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

11_2_00402F40

Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe

Code function: 4_2_20433600 GetFocus,#2366,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetFocus,#2366,GetParent,#2366,#2648,SendMessageW,InvalidateRect,InvalidateRect,InvalidateRect,InvalidateRect,InvalidateRect,InvalidateRect,InvalidateRect,#5210,

4_2_20433600

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 6.2.cmd.exe.5b600c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.2eb00c8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.2eb00c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cmd.exe.5b600c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2374708080.0000000005B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2373788093.0000000000469000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2658388133.0000000000469000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2658386547.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EHttpSrv.exe PID: 6844, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 2508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EHttpSrv.exe PID: 4720, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\fcpumhrmyq, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: 14.2.cmd.exe.56acb90.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.EHttpSrv.exe.255fb90.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.EHttpSrv.exe.255ef90.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.EHttpSrv.exe.237e2e4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 25.2.EHttpSrv.exe.25b2b90.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 21.2.cmd.exe.52a0f90.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.EHttpSrv.exe.235ca18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.56abf90.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.cmd.exe.5b600c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.cmd.exe.5b600c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.cmd.exe.5b600c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.EHttpSrv.exe.2308a18.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.cmd.exe.5220f90.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.cmd.exe.5221b90.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.36f07f8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 25.2.EHttpSrv.exe.25b1f90.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.EHttpSrv.exe.23b82e4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 21.2.cmd.exe.2eb00c8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 21.2.cmd.exe.2eb00c8.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 21.2.cmd.exe.2eb00c8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.568a6c4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 21.2.cmd.exe.2eb00c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 21.2.cmd.exe.2eb00c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 21.2.cmd.exe.2eb00c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.EHttpSrv.exe.23b8ee4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 21.2.cmd.exe.52a1b90.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.EHttpSrv.exe.232aee4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.cmd.exe.5b600c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.cmd.exe.5b600c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.cmd.exe.5b600c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.cmd.exe.51ff6c4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.EHttpSrv.exe.237eee4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.EHttpSrv.exe.253d6c4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 25.2.EHttpSrv.exe.25906c4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 21.2.cmd.exe.527f6c4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.EHttpSrv.exe.232a2e4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.EHttpSrv.exe.2396a18.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000006.00000002.2374708080.0000000005B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000C.00000002.2373788093.0000000000469000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000019.00000002.2658388133.0000000000469000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000015.00000002.2658386547.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: cmd.exe PID: 6532, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: EHttpSrv.exe PID: 6844, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: cmd.exe PID: 2508, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: EHttpSrv.exe PID: 4720, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc, type: DROPPED	Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc, type: DROPPED	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\fcpumhrmyq, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\fcpumhrmyq, type: DROPPED	Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\fcpumhrmyq, type: DROPPED	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

Source: C:\Users\user\AppData\Local\Temp\Updwork.exe

Code function: 5_2_62E86020 NtProtectVirtualMemory,NtProtectVirtualMemory,

5_2_62E86020

Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe

Code function: 4_2_004016E0 GetCommandLineW,OpenSCManagerW,wcsstr,OpenServiceW,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,

4_2_004016E0

Source: C:\Users\user\AppData\Local\Temp\Updwork.exe

Code function: 5_2_0040320C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

5_2_0040320C

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6b430b.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4434.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI44A2.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI44C3.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4502.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{BB2F3E18-3F04-450F-B8B5-60A9665181A8}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4561.tmp	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI4434.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 4_2_204660B0	4_2_204660B0
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 4_2_20413950	4_2_20413950
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 4_2_2041C9A0	4_2_2041C9A0
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 4_2_204211A0	4_2_204211A0
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 4_2_20403A70	4_2_20403A70
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 4_2_20464B40	4_2_20464B40
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 4_2_20405C10	4_2_20405C10
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 4_2_20462D50	4_2_20462D50
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 4_2_20405DB0	4_2_20405DB0
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 4_2_2040EE60	4_2_2040EE60
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 4_2_204276C0	4_2_204276C0
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 4_2_20464FC0	4_2_20464FC0
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 4_2_204677F0	4_2_204677F0
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 4_2_204157B0	4_2_204157B0
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Code function: 5_2_00404A44	5_2_00404A44
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Code function: 5_2_00406F54	5_2_00406F54
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Code function: 5_2_0040677D	5_2_0040677D
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Code function: 5_2_62E81A10	5_2_62E81A10
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Code function: 5_2_62E8AB40	5_2_62E8AB40
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Code function: 5_2_62E8770C	5_2_62E8770C
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Code function: 5_2_62E83704	5_2_62E83704
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Code function: 5_2_62E818B8	5_2_62E818B8
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Code function: 5_2_62E91420	5_2_62E91420
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: 11_2_0041B010	11_2_0041B010
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: 11_2_004090C0	11_2_004090C0
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: 11_2_004058B0	11_2_004058B0
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: 11_2_004054B0	11_2_004054B0
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: 11_2_0041ACB0	11_2_0041ACB0
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: 11_2_004055F0	11_2_004055F0
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: 11_2_0040ADB9	11_2_0040ADB9
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 13_2_204660B0	13_2_204660B0
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 13_2_20413950	13_2_20413950
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 13_2_2041C9A0	13_2_2041C9A0
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 13_2_204211A0	13_2_204211A0
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 13_2_20403A70	13_2_20403A70
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 13_2_20464B40	13_2_20464B40
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 13_2_20405C10	13_2_20405C10
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 13_2_20462D50	13_2_20462D50
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 13_2_20405DB0	13_2_20405DB0
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 13_2_2040EE60	13_2_2040EE60
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 13_2_204276C0	13_2_204276C0
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 13_2_20464FC0	13_2_20464FC0
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 13_2_204677F0	13_2_204677F0
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 13_2_204157B0	13_2_204157B0

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe EFFA6FCB8759375B4089CCF61202A5C63243F4102872E64E3EB0A1BDC2727659
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\RaftelibeGarss\zlib1.dll A91F13AECE1EA7EBE326F0E340BDA9D00613D3365CD81B7F138A4C9446FFBD38

Source: C:\Windows\SysWOW64\WerFault.exe	Code function: String function: 0040AD70 appears 41 times
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: String function: 20402000 appears 58 times

Source: C:\Users\user\AppData\Local\Temp\Updwork.exe

Process created: C:\Windows\SysWOW64\WerFault.exe "C:\Windows\System32\WerFault.exe"

Source: zlib1.dll.5.dr

Static PE information: Number of sections : 11 > 10

Source: Slf.msi

Binary or memory string: OriginalFilenameAICustAct.dllF vs Slf.msi

Source: 14.2.cmd.exe.56acb90.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.EHttpSrv.exe.255fb90.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.EHttpSrv.exe.255ef90.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.EHttpSrv.exe.237e2e4.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 25.2.EHttpSrv.exe.25b2b90.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.cmd.exe.52a0f90.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.EHttpSrv.exe.235ca18.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.56abf90.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.cmd.exe.5b600c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.cmd.exe.5b600c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.cmd.exe.5b600c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.EHttpSrv.exe.2308a18.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.cmd.exe.5220f90.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.cmd.exe.5221b90.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.36f07f8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 25.2.EHttpSrv.exe.25b1f90.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.EHttpSrv.exe.23b82e4.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.cmd.exe.2eb00c8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 21.2.cmd.exe.2eb00c8.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 21.2.cmd.exe.2eb00c8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.568a6c4.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.cmd.exe.2eb00c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 21.2.cmd.exe.2eb00c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 21.2.cmd.exe.2eb00c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.EHttpSrv.exe.23b8ee4.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.cmd.exe.52a1b90.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.EHttpSrv.exe.232aee4.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.cmd.exe.5b600c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.cmd.exe.5b600c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.cmd.exe.5b600c8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.cmd.exe.51ff6c4.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.EHttpSrv.exe.237eee4.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.EHttpSrv.exe.253d6c4.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 25.2.EHttpSrv.exe.25906c4.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.cmd.exe.527f6c4.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.EHttpSrv.exe.232a2e4.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.EHttpSrv.exe.2396a18.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000006.00000002.2374708080.0000000005B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000C.00000002.2373788093.0000000000469000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000019.00000002.2658388133.0000000000469000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000015.00000002.2658386547.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 6532, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: EHttpSrv.exe PID: 6844, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 2508, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: EHttpSrv.exe PID: 4720, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc, type: DROPPED	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: C:\Users\user\AppData\Local\Temp\fcpumhrmyq, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\fcpumhrmyq, type: DROPPED	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\fcpumhrmyq, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: http_dll.dll.1.dr

Binary string: Software\ESET\ESET Security\CurrentVersion\InfoAppDataDirInstallDirScannerVersionInstallDir32x86\\Device\LanmanRedirector\;%c:Enable@My profileActive${ProfileName}=|NODE;NAME=;TYPE=SUBNODE${PluginID}=Software\ESET\ESET Security\CurrentVersion\Plugins\${PluginID}\ProfilesSECTION;ID=#01000103\SETTINGS\PLUGINS\PLUGIN;ID=#${PluginID}\PROFILESDllGetVersioncomctl32.dllInitCommonControlsExUpdateModuleAfterRestartAllowOnlyWhiteListUrlInstallationLevelDontAskForTrustedZoneAllowChangeSignedFilegui_RuleShowLevelAdvancedModegui_SeeApplicationHowRedirectByProxyEnabledPop3sPortsStr995HttpsPortsStr443BlockSslV2SslCompatibleModeAddRootCertToBrowsersSslRootCreateTimePop3sScanModeHttpsScanModeAskIfCertIsNotTrustedAskIfRootCertIsUnknownSslUseModeLearningEndTimeSECTION;ID=#01000103\SETTINGS\PLUGINS\PLUGIN;ID=#${PluginID}\PROFILES\NODE;NAME=${ProfileName};TYPE=SUBNODE\NODE;NAME=LearningMode;TYPE=SUBNODEHKLM\Software\ESET\ESET Security\CurrentVersion\Plugins\${PluginID}\Profiles\${ProfileName}\LearningModeSECTION;ID=#01000103\SETTINGS\PLUGINS\PLUGIN;ID=#${PluginID}\PROFILES\NODE;NAME=${ProfileName};TYPE=SUBNODE\NODE;NAME=LearningMode;TYPE=SUBNODE\NODE;NAME=UntrustedOut;TYPE=SUBNODEHKLM\Software\ESET\ESET Security\CurrentVersion\Plugins\${PluginID}\Profiles\${ProfileName}\LearningMode\UntrustedOutSECTION;ID=#01000103\SETTINGS\PLUGINS\PLUGIN;ID=#${PluginID}\PROFILES\NODE;NAME=${ProfileName};TYPE=SUBNODE\NODE;NAME=LearningMode;TYPE=SUBNODE\NODE;NAME=UntrustedIn;TYPE=SUBNODEHKLM\Software\ESET\ESET Security\CurrentVersion\Plugins\${PluginID}\Profiles\${ProfileName}\LearningMode\UntrustedInSECTION;ID=#01000103\SETTINGS\PLUGINS\PLUGIN;ID=#${PluginID}\PROFILES\NODE;NAME=${ProfileName};TYPE=SUBNODE\NODE;NAME=LearningMode;TYPE=SUBNODE\NODE;NAME=TrustedOut;TYPE=SUBNODEHKLM\Software\ESET\ESET Security\CurrentVersion\Plugins\${PluginID}\Profiles\${ProfileName}\LearningMode\TrustedOutMaxSameRulesAddRemoteAddressAddRemotePortAddLocalPortAddApplicationSECTION;ID=#01000103\SETTINGS\PLUGINS\PLUGIN;ID=#${PluginID}\PROFILES\NODE;NAME=${ProfileName};TYPE=SUBNODE\NODE;NAME=LearningMode;TYPE=SUBNODE\NODE;NAME=TrustedIn;TYPE=SUBNODEHKLM\Software\ESET\ESET Security\CurrentVersion\Plugins\${PluginID}\Profiles\${ProfileName}\LearningMode\TrustedInWriteBlockedToPcapDisplayNameSubjectPublicKeyBlobCertificateCertificatesNode_H^I @

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winMSI@28/41@0/1

Source: C:\Users\user\AppData\Local\Temp\Updwork.exe

5_2_0040320C

Source: C:\Users\user\AppData\Local\Temp\Updwork.exe

Code function: 5_2_004044D1 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

5_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: GetCommandLineW,GetModuleFileNameW,OpenSCManagerW,wcsstr,CreateServiceW,CloseServiceHandle,CloseServiceHandle,RegOpenKeyExW,RegSetValueExW,RegCreateKeyExW,RegCloseKey,RegCloseKey,RegCloseKey,CloseServiceHandle,		4_2_00401580
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: GetCommandLineW,GetModuleFileNameW,OpenSCManagerW,wcsstr,CreateServiceW,CloseServiceHandle,CloseServiceHandle,RegOpenKeyExW,RegSetValueExW,RegCreateKeyExW,RegCloseKey,RegCloseKey,RegCloseKey,CloseServiceHandle,		12_2_00401580

Source: C:\Users\user\AppData\Local\Temp\Updwork.exe

Code function: 5_2_004020D1 CoCreateInstance,MultiByteToWideChar,

5_2_004020D1

Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe

Code function: 4_2_2043AC00 FindResourceW,LoadResource,LockResource,SizeofResource,

4_2_2043AC00

Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe

Code function: 4_2_00401550 StartServiceCtrlDispatcherW,

4_2_00401550

Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 4_2_00401550 StartServiceCtrlDispatcherW,		4_2_00401550
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 12_2_00401550 StartServiceCtrlDispatcherW,		12_2_00401550

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CML458C.tmp

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1600:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5796:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSIb41e2.LOG

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Command line argument: http_dll.dll	4_2_00401000
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Command line argument: StartHttpServer	4_2_00401000
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Command line argument: StopHttpServer	4_2_00401000
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Command line argument: -app	4_2_00401000
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Command line argument: http_dll.dll	12_2_00401000
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Command line argument: StartHttpServer	12_2_00401000
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Command line argument: StopHttpServer	12_2_00401000
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Command line argument: -app	12_2_00401000

Source: C:\Users\user\AppData\Local\Temp\Updwork.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Slf.msi	ReversingLabs: Detection: 57%
Source: Slf.msi	Virustotal: Detection: 56%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Slf.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CCD88EF77E0BFA64C5AD6E35B211C368
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe "C:\Users\user\AppData\Local\Temp\EHttpSrv.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\Updwork.exe "C:\Users\user\AppData\Local\Temp\Updwork.exe"
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Process created: C:\Windows\SysWOW64\WerFault.exe "C:\Windows\System32\WerFault.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe C:\Users\user\AppData\Local\Temp\EHttpSrv.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe "C:\Users\user\AppData\Local\Temp\EHttpSrv.exe"
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe "C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe "C:\Users\user\AppData\Local\Temp\EHttpSrv.exe"
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	Process created: C:\Windows\SysWOW64\WerFault.exe "C:\Windows\System32\WerFault.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe C:\Users\user\AppData\Local\Temp\EHttpSrv.exe
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CCD88EF77E0BFA64C5AD6E35B211C368	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe "C:\Users\user\AppData\Local\Temp\EHttpSrv.exe"	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\Updwork.exe "C:\Users\user\AppData\Local\Temp\Updwork.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Process created: C:\Windows\SysWOW64\WerFault.exe "C:\Windows\System32\WerFault.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	Process created: C:\Windows\SysWOW64\WerFault.exe "C:\Windows\System32\WerFault.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: http_dll.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: mfc80eng.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: mfc80eng.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: mfc80loc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: http_dll.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: mfc80eng.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: mfc80eng.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: mfc80loc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: comsvcs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmlua.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: http_dll.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: mfc80eng.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: mfc80eng.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: mfc80loc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Updwork.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: RaftelibeGasrss.lnk.5.dr

LNK file: ..\..\..\..\..\..\..\..\..\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe

Source: C:\Windows\SysWOW64\cmd.exe

File opened: C:\Windows\SysWOW64\msftedit.dll

Jump to behavior

Source: Slf.msi

Static file information: File size 3581440 > 1048576

Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source:	Binary string: C:\Users\root\Desktop\clipmain\CryptoAddressReplacer\Release\CryptoAddressReplacer.pdb source: Updwork.exe, 00000005.00000003.2219955750.0000000002AA0000.00000004.00001000.00020000.00000000.sdmp, Updwork.exe, 00000005.00000003.2220074790.0000000002230000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 0000000B.00000002.4482449704.0000000000421000.00000002.00000400.00020000.00000000.sdmp, RaftelibeGasrss.exe, 00000010.00000003.2574423454.0000000002320000.00000004.00001000.00020000.00000000.sdmp, RaftelibeGasrss.exe, 00000010.00000003.2574373433.0000000002370000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000018.00000002.4482451053.0000000000421000.00000002.00000400.00020000.00000000.sdmp
Source:	Binary string: d:\installbuild\kalab\ess_4_0_400\build\apps\work\release\http_server\winnt32\EHttpSrv.pdb source: EHttpSrv.exe, 00000004.00000000.2028514418.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 00000004.00000002.2100945274.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 0000000C.00000002.2373690214.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 0000000C.00000000.2289119886.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 0000000D.00000002.2358895312.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 0000000D.00000000.2305410663.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 00000014.00000002.2477645230.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 00000014.00000000.2421494010.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 00000019.00000000.2615497904.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 00000019.00000002.2658278222.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe.1.dr
Source:	Binary string: msvcr80.i386.pdb source: msvcr80.dll.1.dr
Source:	Binary string: d:\installbuild\kalab\ess_4_0_400\build\apps\work\release\http_server\winnt32\EHttpSrv.pdb@@P5@ source: EHttpSrv.exe, 00000004.00000000.2028514418.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 00000004.00000002.2100945274.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 0000000C.00000002.2373690214.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 0000000C.00000000.2289119886.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 0000000D.00000002.2358895312.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 0000000D.00000000.2305410663.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 00000014.00000002.2477645230.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 00000014.00000000.2421494010.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 00000019.00000000.2615497904.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe, 00000019.00000002.2658278222.0000000000403000.00000002.00000001.01000000.00000003.sdmp, EHttpSrv.exe.1.dr
Source:	Binary string: d:\installbuild\kalab\ess_4_0_400\build\apps\work\release\epfw\winnt32\eguiEpfw.pdbd1J source: EHttpSrv.exe, 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmp, EHttpSrv.exe, 0000000D.00000002.2360017627.0000000020483000.00000002.00000001.01000000.00000005.sdmp, EHttpSrv.exe, 00000014.00000002.2479855520.0000000020483000.00000002.00000001.01000000.00000005.sdmp, http_dll.dll.1.dr
Source:	Binary string: wntdll.pdbUGP source: EHttpSrv.exe, 00000004.00000002.2106167622.000000000242D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374052498.0000000004E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374290735.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2373997038.0000000002187000.00000004.00000020.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374238264.0000000002600000.00000004.00001000.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359683630.00000000025A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2423011161.0000000005750000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422792608.00000000052D4000.00000004.00000020.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479232646.00000000024D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658701095.0000000004EDC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658960621.0000000005340000.00000004.00001000.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658669093.00000000021E8000.00000004.00000020.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658937976.0000000002650000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MFC80U.i386.pdb source: EHttpSrv.exe, 00000004.00000002.2106626105.000000006C831000.00000020.00000001.01000000.00000006.sdmp, EHttpSrv.exe, 0000000D.00000002.2360124157.000000006C181000.00000020.00000001.01000000.00000006.sdmp, EHttpSrv.exe, 00000014.00000002.2480010616.000000006BCD1000.00000020.00000001.01000000.00000006.sdmp, mfc80u.dll.1.dr
Source:	Binary string: wntdll.pdb source: EHttpSrv.exe, 00000004.00000002.2106167622.000000000242D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374052498.0000000004E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374290735.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2373997038.0000000002187000.00000004.00000020.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374238264.0000000002600000.00000004.00001000.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359683630.00000000025A4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2423011161.0000000005750000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422792608.00000000052D4000.00000004.00000020.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479232646.00000000024D7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658701095.0000000004EDC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658960621.0000000005340000.00000004.00001000.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658669093.00000000021E8000.00000004.00000020.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658937976.0000000002650000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\installbuild\kalab\ess_4_0_400\build\apps\work\release\epfw\winnt32\eguiEpfw.pdb source: EHttpSrv.exe, 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmp, EHttpSrv.exe, 0000000D.00000002.2360017627.0000000020483000.00000002.00000001.01000000.00000005.sdmp, EHttpSrv.exe, 00000014.00000002.2479855520.0000000020483000.00000002.00000001.01000000.00000005.sdmp, http_dll.dll.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: Slf.msi, 6b430b.msi.1.dr, MSI4434.tmp.1.dr, MSI44A2.tmp.1.dr, MSI44C3.tmp.1.dr, MSI4502.tmp.1.dr

Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe

Code function: 4_2_00401000 GetCommandLineW,GetCommandLineW,wcsstr,wcsstr,GetCommandLineW,wcsstr,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetCommandLineW,wcsstr,FreeLibrary,FreeLibrary,

4_2_00401000

Source: http_dll.dll.1.dr	Static PE information: real checksum: 0xe0ba0 should be: 0xe21bb
Source: zlib1.dll.5.dr	Static PE information: real checksum: 0x29cf3 should be: 0x5c414
Source: fcpumhrmyq.6.dr	Static PE information: real checksum: 0x0 should be: 0x84c79
Source: bgbhtsgyxsvqc.21.dr	Static PE information: real checksum: 0x0 should be: 0x84c79
Source: Updwork.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x8a18a

Source: zlib1.dll.5.dr	Static PE information: section name: .eh_fram
Source: fcpumhrmyq.6.dr	Static PE information: section name: umlwqq
Source: bgbhtsgyxsvqc.21.dr	Static PE information: section name: umlwqq

Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 4_2_004021B1 push ecx; ret	4_2_004021C4
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 4_2_2047906D push ecx; ret	4_2_20479080
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 4_2_2043DD30 push ecx; mov dword ptr [esp], 00000080h	4_2_2043DD31
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Code function: 5_2_62E972DE push cs; iretd	5_2_62E972B2
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Code function: 5_2_62E9D751 push ebx; ret	5_2_62E9D752
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Code function: 5_2_62E9A8B3 push es; iretd	5_2_62E9A9B4
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Code function: 5_2_62E9748E push ebx; ret	5_2_62E9748F
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Code function: 5_2_62E971DC push cs; iretd	5_2_62E972B2
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: 11_2_0041F460 push ecx; ret	11_2_0041F473
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 12_2_004021B1 push ecx; ret	12_2_004021C4
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 13_2_2047906D push ecx; ret	13_2_20479080
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 13_2_2043DD30 push ecx; mov dword ptr [esp], 00000080h	13_2_2043DD31

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\msvcr80.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\fcpumhrmyq	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\mfc80u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	File created: C:\Users\user\AppData\Local\Temp\RaftelibeGarss\zlib1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4434.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\Updwork.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI44A2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\http_dll.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI44C3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4502.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4434.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI44A2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI44C3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4502.tmp	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\fcpumhrmyq			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Updwork.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\RaftelibeGasrss\RaftelibeGasrss.lnk

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe

Code function: 4_2_00401550 StartServiceCtrlDispatcherW,

4_2_00401550

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\FCPUMHRMYQ
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\BGBHTSGYXSVQC

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	API/Special instruction interceptor: Address: 6C6B5B2D
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6C6B3AF9
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	API/Special instruction interceptor: Address: 2A3D7E4
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	API/Special instruction interceptor: Address: 6AF23799
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	API/Special instruction interceptor: Address: 2A6D7E4
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	API/Special instruction interceptor: Address: 6B033799

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	RDTSC instruction interceptor: First address: 62EA32A0 second address: 62EB3821 instructions: 0x00000000 rdtsc 0x00000002 not al 0x00000004 mov eax, dword ptr [ebp-000000DCh] 0x0000000a push eax 0x0000000b lahf 0x0000000c bswap ax 0x0000000f jmp 00007F9014D676CBh 0x00000014 mov ecx, dword ptr [ebp-000000E0h] 0x0000001a mov ax, 49EAh 0x0000001e push ecx 0x0000001f mov ah, FFFFFFA5h 0x00000022 movzx dx, al 0x00000026 cbw 0x00000028 push FFFFFFFFh 0x0000002a push FFFFFFFFh 0x0000002c movzx edx, bx 0x0000002f movzx ax, al 0x00000033 push 00000000h 0x00000035 cbw 0x00000037 push 00000005h 0x00000039 cwd 0x0000003b rdtsc
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	RDTSC instruction interceptor: First address: 62EB4B3A second address: 62EAE213 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 movsx dx, bl 0x00000007 jmp 00007F90150312B7h 0x0000000c lea edx, dword ptr [ebp-24h] 0x0000000f mov ch, 00000005h 0x00000012 bswap ecx 0x00000014 cbw 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	RDTSC instruction interceptor: First address: 62EAE213 second address: 62EAE21F instructions: 0x00000000 rdtsc 0x00000002 setle ch 0x00000005 push 00000000h 0x00000007 push 590C0DF7h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	RDTSC instruction interceptor: First address: 62EB3433 second address: 62EB344A instructions: 0x00000000 rdtsc 0x00000002 cmovns eax, ebp 0x00000005 lea eax, dword ptr [ebp-40h] 0x00000008 push eax 0x00000009 movsx edx, ax 0x0000000c cbw 0x0000000e mov al, 27h 0x00000010 push 00000000h 0x00000012 push A4DA8725h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	RDTSC instruction interceptor: First address: 62EA316D second address: 62EB9F3D instructions: 0x00000000 rdtsc 0x00000002 mov byte ptr [ebp-27h], FFFFFF88h 0x00000006 mov byte ptr [ebp-26h], 00000050h 0x0000000a movsx ecx, bx 0x0000000d mov byte ptr [ebp-25h], 00000048h 0x00000011 bswap cx 0x00000014 cmovl cx, di 0x00000018 mov byte ptr [ebp-24h], FFFFFF92h 0x0000001c cwde 0x0000001d mov byte ptr [ebp-23h], 00000077h 0x00000021 bswap dx 0x00000024 movzx cx, ah 0x00000028 cwd 0x0000002a mov byte ptr [ebp-22h], 00000011h 0x0000002e jmp 00007F9014D6CE38h 0x00000033 mov byte ptr [ebp-21h], FFFFFFB8h 0x00000037 mov byte ptr [ebp-20h], 0000005Bh 0x0000003b xchg ch, dh 0x0000003d mov byte ptr [ebp-1Fh], FFFFFFDBh 0x00000041 not ch 0x00000043 mov byte ptr [ebp-1Eh], FFFFFF8Eh 0x00000047 jmp 00007F9014D43ABEh 0x0000004c mov byte ptr [ebp-1Dh], 00000009h 0x00000050 mov byte ptr [ebp-1Ch], 0000005Fh 0x00000054 cdq 0x00000055 movzx edx, sp 0x00000058 jmp 00007F9014D6B908h 0x0000005d mov byte ptr [ebp-1Bh], FFFFFFABh 0x00000061 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	RDTSC instruction interceptor: First address: 62EB9F3D second address: 62EA6271 instructions: 0x00000000 rdtsc 0x00000002 mov dx, sp 0x00000005 mov byte ptr [ebp-1Ah], 0000007Ah 0x00000009 movsx eax, di 0x0000000c mov byte ptr [ebp-19h], FFFFFF94h 0x00000010 mov edx, esp 0x00000012 mov byte ptr [ebp-18h], 0000005Ch 0x00000016 cwd 0x00000018 cbw 0x0000001a mov byte ptr [ebp-17h], 0000000Ah 0x0000001e cwde 0x0000001f movsx edx, ax 0x00000022 not ecx 0x00000024 mov byte ptr [ebp-16h], 00000013h 0x00000028 mov byte ptr [ebp-15h], 0000004Ch 0x0000002c jmp 00007F9015027FE4h 0x00000031 mov byte ptr [ebp-14h], FFFFFFB4h 0x00000035 mov byte ptr [ebp-13h], FFFFFFD6h 0x00000039 mov byte ptr [ebp-12h], 0000004Bh 0x0000003d movzx edx, ax 0x00000040 bswap cx 0x00000043 mov byte ptr [ebp-11h], FFFFFFF7h 0x00000047 seto dl 0x0000004a mov byte ptr [ebp-10h], FFFFFF83h 0x0000004e cwde 0x0000004f cwd 0x00000051 mov byte ptr [ebp-0Fh], 0000006Fh 0x00000055 setnbe dh 0x00000058 mov dh, 00000073h 0x0000005b mov byte ptr [ebp-0Eh], FFFFFFC9h 0x0000005f mov byte ptr [ebp-0Dh], FFFFFFF8h 0x00000063 jmp 00007F9015033AA1h 0x00000068 mov byte ptr [ebp-3Ch], 0000001Eh 0x0000006c mov byte ptr [ebp-3Bh], 0000006Dh 0x00000070 lahf 0x00000071 not ah 0x00000073 mov byte ptr [ebp-3Ah], FFFFFF82h 0x00000077 cwde 0x00000078 xchg dh, dh 0x0000007a mov byte ptr [ebp-39h], 00000043h 0x0000007e mov dh, FFFFFFECh 0x00000081 cmovb eax, esi 0x00000084 mov byte ptr [ebp-38h], 00000018h 0x00000088 mov byte ptr [ebp-37h], FFFFFFE7h 0x0000008c cwde 0x0000008d mov byte ptr [ebp-36h], FFFFFFEEh 0x00000091 movzx ecx, si 0x00000094 cdq 0x00000095 mov byte ptr [ebp-35h], 00000042h 0x00000099 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	RDTSC instruction interceptor: First address: 62EA6271 second address: 62EA6278 instructions: 0x00000000 rdtsc 0x00000002 lahf 0x00000003 mov byte ptr [ebp-34h], FFFFFFBCh 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	RDTSC instruction interceptor: First address: 62EB860E second address: 62EB862A instructions: 0x00000000 rdtsc 0x00000002 cbw 0x00000004 lea ecx, dword ptr [ebp-1Ch] 0x00000007 push ecx 0x00000008 movsx eax, ax 0x0000000b mov dh, FFFFFFA5h 0x0000000e cbw 0x00000010 push 00000001h 0x00000012 cbw 0x00000014 cwd 0x00000016 push 00000000h 0x00000018 cmovne dx, ax 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	RDTSC instruction interceptor: First address: 62EBC64F second address: 62EBC656 instructions: 0x00000000 rdtsc 0x00000002 cdq 0x00000003 mov word ptr [ebp-06h], cx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	RDTSC instruction interceptor: First address: 62EAAFE7 second address: 62EAA162 instructions: 0x00000000 rdtsc 0x00000002 cwde 0x00000003 lea ecx, dword ptr [ebp-28h] 0x00000006 push ecx 0x00000007 lea edx, dword ptr [ebp-00000158h] 0x0000000d jmp 00007F9015036D5Dh 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	RDTSC instruction interceptor: First address: 62EB53BC second address: 62EB5958 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9014D5E817h 0x00000007 mov ecx, dword ptr [ebp-24h] 0x0000000a push ecx 0x0000000b push 00000000h 0x0000000d jmp 00007F9014D50078h 0x00000012 push 42E519A4h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	RDTSC instruction interceptor: First address: 62EAC1A1 second address: 62EAC1B2 instructions: 0x00000000 rdtsc 0x00000002 movsx edx, bx 0x00000005 push FFFFFFFFh 0x00000007 push 00000000h 0x00000009 push 006FBC1Eh 0x0000000e movzx eax, ax 0x00000011 rdtsc
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	RDTSC instruction interceptor: First address: 62EA32A0 second address: 62EB3821 instructions: 0x00000000 rdtsc 0x00000002 not al 0x00000004 mov eax, dword ptr [ebp-000000DCh] 0x0000000a push eax 0x0000000b lahf 0x0000000c bswap ax 0x0000000f jmp 00007F9014D676CBh 0x00000014 mov ecx, dword ptr [ebp-000000E0h] 0x0000001a mov ax, 49EAh 0x0000001e push ecx 0x0000001f mov ah, FFFFFFA5h 0x00000022 movzx dx, al 0x00000026 cbw 0x00000028 push FFFFFFFFh 0x0000002a push FFFFFFFFh 0x0000002c movzx edx, bx 0x0000002f movzx ax, al 0x00000033 push 00000000h 0x00000035 cbw 0x00000037 push 00000005h 0x00000039 cwd 0x0000003b rdtsc
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	RDTSC instruction interceptor: First address: 62EB4B3A second address: 62EAE213 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 movsx dx, bl 0x00000007 jmp 00007F90150312B7h 0x0000000c lea edx, dword ptr [ebp-24h] 0x0000000f mov ch, 00000005h 0x00000012 bswap ecx 0x00000014 cbw 0x00000016 push edx 0x00000017 rdtsc
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	RDTSC instruction interceptor: First address: 62EAE213 second address: 62EAE21F instructions: 0x00000000 rdtsc 0x00000002 setle ch 0x00000005 push 00000000h 0x00000007 push 590C0DF7h 0x0000000c rdtsc
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	RDTSC instruction interceptor: First address: 62EBC64F second address: 62EBC656 instructions: 0x00000000 rdtsc 0x00000002 cdq 0x00000003 mov word ptr [ebp-06h], cx 0x00000007 rdtsc
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	RDTSC instruction interceptor: First address: 62EAAFE7 second address: 62EAA162 instructions: 0x00000000 rdtsc 0x00000002 cwde 0x00000003 lea ecx, dword ptr [ebp-28h] 0x00000006 push ecx 0x00000007 lea edx, dword ptr [ebp-00000158h] 0x0000000d jmp 00007F9014D562EDh 0x00000012 push edx 0x00000013 rdtsc
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	RDTSC instruction interceptor: First address: 62EB53BC second address: 62EB5958 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F901503F287h 0x00000007 mov ecx, dword ptr [ebp-24h] 0x0000000a push ecx 0x0000000b push 00000000h 0x0000000d jmp 00007F9015030AE8h 0x00000012 push 42E519A4h 0x00000017 rdtsc
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	RDTSC instruction interceptor: First address: 62EAC1A1 second address: 62EAC1B2 instructions: 0x00000000 rdtsc 0x00000002 movsx edx, bx 0x00000005 push FFFFFFFFh 0x00000007 push 00000000h 0x00000009 push 006FBC1Eh 0x0000000e movzx eax, ax 0x00000011 rdtsc

Source: C:\Windows\SysWOW64\WerFault.exe	Window / User API: threadDelayed 909	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Window / User API: threadDelayed 1451	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Window / User API: threadDelayed 1442	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Window / User API: threadDelayed 1062	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Window / User API: threadDelayed 1355	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Window / User API: threadDelayed 1490	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Window / User API: threadDelayed 1422	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Window / User API: threadDelayed 942	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Window / User API: threadDelayed 361	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Window / User API: threadDelayed 433	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Window / User API: threadDelayed 493	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Window / User API: threadDelayed 655	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Window / User API: threadDelayed 865	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Window / User API: threadDelayed 546	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Window / User API: threadDelayed 512	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Window / User API: threadDelayed 520	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Window / User API: threadDelayed 825	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Window / User API: threadDelayed 879	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Window / User API: threadDelayed 905	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Window / User API: threadDelayed 897	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Window / User API: threadDelayed 896	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\msvcr80.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\fcpumhrmyq	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mfc80u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RaftelibeGarss\zlib1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI4434.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI44A2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI44C3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI4502.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	API coverage: 0.6 %
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	API coverage: 8.5 %
Source: C:\Windows\SysWOW64\WerFault.exe	API coverage: 0.6 %
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	API coverage: 0.4 %

Source: C:\Windows\SysWOW64\WerFault.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WerFault.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WerFault.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WerFault.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\WerFault.exe	Thread sleep count: Count: 1451 delay: -3	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Thread sleep count: Count: 1062 delay: -6	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Thread sleep count: Count: 1355 delay: -5	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Thread sleep count: Count: 1490 delay: -4	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Code function: 5_2_00405768 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	5_2_00405768
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Code function: 5_2_004026FE FindFirstFileA,	5_2_004026FE
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Code function: 5_2_004062A3 FindFirstFileA,FindClose,	5_2_004062A3
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: 11_2_0041502B FindFirstFileExW,	11_2_0041502B

Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0

Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Windows\SysWOW64\WerFault.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe

Code function: 4_2_00401F94 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,

4_2_00401F94

Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe

4_2_00401000

Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 4_2_204046ED mov eax, dword ptr fs:[00000030h]	4_2_204046ED
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 4_2_20402F80 mov eax, dword ptr fs:[00000030h]	4_2_20402F80
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 4_2_20402F80 mov eax, dword ptr fs:[00000030h]	4_2_20402F80
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Code function: 5_2_62E86020 mov eax, dword ptr fs:[00000030h]	5_2_62E86020
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 13_2_204046ED mov eax, dword ptr fs:[00000030h]	13_2_204046ED
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 13_2_20402F80 mov eax, dword ptr fs:[00000030h]	13_2_20402F80
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 13_2_20402F80 mov eax, dword ptr fs:[00000030h]	13_2_20402F80

Source: C:\Windows\SysWOW64\WerFault.exe

Code function: 11_2_004168A0 GetProcessHeap,

11_2_004168A0

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe "C:\Users\user\AppData\Local\Temp\EHttpSrv.exe"

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 4_2_00402225 SetUnhandledExceptionFilter,	4_2_00402225
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 4_2_00401F94 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	4_2_00401F94
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 4_2_20478952 _crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	4_2_20478952
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: 11_2_00410075 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00410075
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: 11_2_0040B0F6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_0040B0F6
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: 11_2_0040B286 SetUnhandledExceptionFilter,	11_2_0040B286
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: 11_2_0040AB30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_0040AB30
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 12_2_00402225 SetUnhandledExceptionFilter,	12_2_00402225
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 12_2_00401F94 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	12_2_00401F94
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Code function: 13_2_20478952 _crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	13_2_20478952

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Memory allocated: C:\Windows\SysWOW64\WerFault.exe base: 400000 protect: page read and write			Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	Memory allocated: C:\Windows\SysWOW64\WerFault.exe base: 400000 protect: page read and write			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	NtAllocateVirtualMemory: Direct from: 0x62EAD477	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	NtProtectVirtualMemory: Direct from: 0x4013A8	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	NtCreateFile: Direct from: 0x62EA6806	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	NtCreateFile: Direct from: 0x6AF23B31	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	NtUnmapViewOfSection: Direct from: 0x62EB40A6	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	NtUnmapViewOfSection: Direct from: 0x62EA676A	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	NtQueryInformationProcess: Direct from: 0x62EB5025	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	NtAllocateVirtualMemory: Direct from: 0x6B034AC4	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	NtAllocateVirtualMemory: Direct from: 0x62EBB3D6	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	NtQueryInformationProcess: Direct from: 0x62EB1047	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	NtAllocateVirtualMemory: Direct from: 0x6AF24AC4	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	NtReadVirtualMemory: Direct from: 0x62EA8D6F	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	NtWriteVirtualMemory: Direct from: 0x62EBBF48	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	NtProtectVirtualMemory: Direct from: 0x62EB2791	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	NtReadVirtualMemory: Direct from: 0x62EAA88E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	NtSetInformationThread: Direct from: 0x76EE7B2E	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	NtAllocateVirtualMemory: Direct from: 0x62EA530E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	NtQueryInformationToken: Direct from: 0x62EB6504	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	NtProtectVirtualMemory: Direct from: 0x62EAB264	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	NtAllocateVirtualMemory: Direct from: 0x62EB5A71	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	NtAllocateVirtualMemory: Direct from: 0x62EB0A1E	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	NtCreateFile: Direct from: 0x6B033B31	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	NtProtectVirtualMemory: Direct from: 0x62EA3DA1	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	NtSuspendThread: Direct from: 0x62EA9819	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	NtAllocateVirtualMemory: Direct from: 0x62EAC69C	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	NtWriteVirtualMemory: Direct from: 0x62EA8A84	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 400000 value starts with: 4D5A			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 2EA5008	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe base: 6AF21000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe base: 410000	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 400000	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 61C008	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe base: 6B031000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe base: 410000	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Process created: C:\Windows\SysWOW64\WerFault.exe "C:\Windows\System32\WerFault.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe	Process created: C:\Windows\SysWOW64\WerFault.exe "C:\Windows\System32\WerFault.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Code function: EnumSystemLocalesW,	11_2_004190D4
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: EnumSystemLocalesW,	11_2_0041911F
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: EnumSystemLocalesW,	11_2_004191BA
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: EnumSystemLocalesW,	11_2_004161BD
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	11_2_00419245
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: GetLocaleInfoW,	11_2_00419499
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	11_2_004195BE
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	11_2_00418E22
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: GetLocaleInfoW,	11_2_00416637
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: GetLocaleInfoW,	11_2_004196C4
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	11_2_004197A0

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Updwork.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe

Code function: 4_2_00402404 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

4_2_00402404

Source: C:\Users\user\AppData\Local\Temp\EHttpSrv.exe

Code function: 4_2_2043D840 GetVersionExW,

4_2_2043D840

Stealing of Sensitive Information

Yara detected Clipboard Hijacker

Source: Yara match	File source: 5.3.Updwork.exe.2230000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.RaftelibeGasrss.exe.2320000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.WerFault.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.RaftelibeGasrss.exe.2370000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.RaftelibeGasrss.exe.2320000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.Updwork.exe.2aa0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.WerFault.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.RaftelibeGasrss.exe.2370000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.Updwork.exe.2230000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.Updwork.exe.2aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.4482451053.0000000000421000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2219955750.0000000002AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2574423454.0000000002320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4482449704.0000000000421000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2574373433.0000000002370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2220074790.0000000002230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Updwork.exe PID: 4460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WerFault.exe PID: 2380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RaftelibeGasrss.exe PID: 7100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WerFault.exe PID: 1408, type: MEMORYSTR

Yara detected MicroClip

Source: Yara match	File source: 5.3.Updwork.exe.2230000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.RaftelibeGasrss.exe.2320000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.WerFault.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.RaftelibeGasrss.exe.2370000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.RaftelibeGasrss.exe.2320000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.Updwork.exe.2aa0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.WerFault.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.RaftelibeGasrss.exe.2370000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.Updwork.exe.2230000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.Updwork.exe.2aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.4482451053.0000000000421000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2219955750.0000000002AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2574423454.0000000002320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4482449704.0000000000421000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2574373433.0000000002370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2220074790.0000000002230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Updwork.exe PID: 4460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WerFault.exe PID: 2380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RaftelibeGasrss.exe PID: 7100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WerFault.exe PID: 1408, type: MEMORYSTR

Yara detected Remcos RAT

Source: Yara match	File source: 6.2.cmd.exe.5b600c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.2eb00c8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.2eb00c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cmd.exe.5b600c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2374708080.0000000005B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2373788093.0000000000469000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2658388133.0000000000469000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2658386547.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EHttpSrv.exe PID: 6844, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 2508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EHttpSrv.exe PID: 4720, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\fcpumhrmyq, type: DROPPED

Remote Access Functionality

Yara detected MicroClip

Source: Yara match	File source: 5.3.Updwork.exe.2230000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.RaftelibeGasrss.exe.2320000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.WerFault.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.RaftelibeGasrss.exe.2370000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.RaftelibeGasrss.exe.2320000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.Updwork.exe.2aa0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.WerFault.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.RaftelibeGasrss.exe.2370000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.Updwork.exe.2230000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.Updwork.exe.2aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.4482451053.0000000000421000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2219955750.0000000002AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2574423454.0000000002320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4482449704.0000000000421000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2574373433.0000000002370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2220074790.0000000002230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Updwork.exe PID: 4460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WerFault.exe PID: 2380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RaftelibeGasrss.exe PID: 7100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WerFault.exe PID: 1408, type: MEMORYSTR

Yara detected Remcos RAT

Source: Yara match	File source: 6.2.cmd.exe.5b600c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.2eb00c8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.2eb00c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cmd.exe.5b600c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2374708080.0000000005B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2373788093.0000000000469000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2658388133.0000000000469000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2658386547.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EHttpSrv.exe PID: 6844, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 2508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EHttpSrv.exe PID: 4720, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\fcpumhrmyq, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Native API	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	11 Input Capture	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	14 Windows Service	11 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	11 Input Capture	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Service Execution	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Abuse Elevation Control Mechanism	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	2 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	14 Windows Service	3 Obfuscated Files or Information	NTDS	225 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	411 Process Injection	11 DLL Side-Loading	LSA Secrets	421 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	1 File Deletion	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Masquerading	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	411 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Slf.msi	58%	ReversingLabs	Win32.Infostealer.Tinba
Slf.msi	56%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Updwork.exe	100%	Avira	HEUR/AGEN.1338067
C:\Users\user\AppData\Local\Temp\RaftelibeGarss\zlib1.dll	100%	Avira	HEUR/AGEN.1363590
C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc	100%	Avira	BDS/Backdoor.Gen
C:\Users\user\AppData\Local\Temp\fcpumhrmyq	100%	Avira	BDS/Backdoor.Gen
C:\Users\user\AppData\Local\Temp\http_dll.dll	100%	Avira	TR/HijackLoader.cugkp
C:\Users\user\AppData\Local\Temp\RaftelibeGarss\zlib1.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\fcpumhrmyq	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\RaftelibeGarss\zlib1.dll	46%	ReversingLabs	Win32.Trojan.Nekark
C:\Users\user\AppData\Local\Temp\RaftelibeGarss\zlib1.dll	46%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\Updwork.exe	37%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc	89%	ReversingLabs	Win32.Backdoor.Remcos
C:\Users\user\AppData\Local\Temp\fcpumhrmyq	89%	ReversingLabs	Win32.Backdoor.Remcos
C:\Users\user\AppData\Local\Temp\http_dll.dll	62%	ReversingLabs	Win32.Trojan.HijackLoader
C:\Users\user\AppData\Local\Temp\mfc80u.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\msvcr80.dll	0%	ReversingLabs
C:\Windows\Installer\MSI4434.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI44A2.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI44C3.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI4502.tmp	0%	ReversingLabs

Name	Source	Malicious	Reputation
http://nsis.sf.net/NSIS_Error	Updwork.exe, Updwork.exe, 00000005.00000000.2028584430.000000000040A000.00000008.00000001.01000000.00000004.sdmp, Updwork.exe, 00000005.00000002.2220303039.000000000040A000.00000004.00000001.01000000.00000004.sdmp, RaftelibeGasrss.exe, 00000010.00000000.2386481779.000000000040A000.00000008.00000001.01000000.0000000C.sdmp, RaftelibeGasrss.exe, 00000010.00000002.2574583228.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, Updwork.exe.1.dr	false	high
http://www.vmware.com/0	EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.zlib.net/	Updwork.exe, Updwork.exe, 00000005.00000000.2028605382.0000000000438000.00000002.00000001.01000000.00000004.sdmp, RaftelibeGasrss.exe, 00000010.00000000.2386509811.0000000000438000.00000002.00000001.01000000.0000000C.sdmp, Updwork.exe.1.dr	false	high
ftp://http://HTTP/1.0	EHttpSrv.exe, 00000004.00000002.2106626105.000000006C831000.00000020.00000001.01000000.00000006.sdmp, EHttpSrv.exe, 0000000D.00000002.2360124157.000000006C181000.00000020.00000001.01000000.00000006.sdmp, EHttpSrv.exe, 00000014.00000002.2480010616.000000006BCD1000.00000020.00000001.01000000.00000006.sdmp, mfc80u.dll.1.dr	false	high
https://www.thawte.com/cps0/	Slf.msi, 6b430b.msi.1.dr, MSI4434.tmp.1.dr, MSI44A2.tmp.1.dr, MSI44C3.tmp.1.dr, MSI4502.tmp.1.dr	false	high
http://www.symauth.com/rpa00	EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.zlib.net/D	Updwork.exe, 00000005.00000002.2220303039.000000000040A000.00000004.00000001.01000000.00000004.sdmp, RaftelibeGasrss.exe, 00000010.00000002.2574583228.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, zlib1.dll.5.dr	false	high
https://www.thawte.com/repository0W	Slf.msi, 6b430b.msi.1.dr, MSI4434.tmp.1.dr, MSI44A2.tmp.1.dr, MSI44C3.tmp.1.dr, MSI4502.tmp.1.dr	false	high
http://www.info-zip.org/	EHttpSrv.exe, 00000004.00000002.2106063393.0000000002300000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051B0000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.00000000024EE000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.000000000233A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.000000000563B000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.00000000022AC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005230000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002541000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.vmware.com/0/	EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.advancedinstaller.com	Slf.msi, 6b430b.msi.1.dr, MSI4434.tmp.1.dr, MSI44A2.tmp.1.dr, MSI44C3.tmp.1.dr, MSI4502.tmp.1.dr	false	high
http://nsis.sf.net/NSIS_ErrorError	Updwork.exe, 00000005.00000000.2028584430.000000000040A000.00000008.00000001.01000000.00000004.sdmp, Updwork.exe, 00000005.00000002.2220303039.000000000040A000.00000004.00000001.01000000.00000004.sdmp, RaftelibeGasrss.exe, 00000010.00000000.2386481779.000000000040A000.00000008.00000001.01000000.0000000C.sdmp, RaftelibeGasrss.exe, 00000010.00000002.2574583228.000000000040A000.00000004.00000001.01000000.0000000C.sdmp, Updwork.exe.1.dr	false	high
http://www.symauth.com/cps0(	EHttpSrv.exe, 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, EHttpSrv.exe, 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.157.162.126	unknown	Sweden		197595	OBE-EUROPEObenetworkEuropeSE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1565486
Start date and time:	2024-11-30 01:22:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Slf.msi
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winMSI@28/41@0/1
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 53% Number of executed functions: 6 Number of non-executed functions: 332
Cookbook Comments:	Found application associated with file extension: .msi Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target EHttpSrv.exe, PID 6844 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:23:20	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\checkdaemon_test.lnk
01:23:28	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RaftelibeGasrss.lnk
19:23:35	API Interceptor	3x Sleep call for process: cmd.exe modified
19:23:56	API Interceptor	10002669x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.157.162.126	LauncherPred8.3.389 stablesetup.msi	Get hash	malicious	Clipboard Hijacker, MicroClip, Remcos	Browse
	LauncherPred8.3.37Stablesetup.msi	Get hash	malicious	Remcos	Browse
	Slf.msi	Get hash	malicious	Remcos	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OBE-EUROPEObenetworkEuropeSE	LauncherPred8.3.389 stablesetup.msi	Get hash	malicious	Clipboard Hijacker, MicroClip, Remcos	Browse	185.157.162.126
	la.bot.arm6.elf	Get hash	malicious	Unknown	Browse	193.183.116.8
	LauncherPred8.3.37Stablesetup.msi	Get hash	malicious	Remcos	Browse	185.157.162.126
	Slf.msi	Get hash	malicious	Remcos	Browse	185.157.162.126
	HSG-IVN-2093456FIN.exe	Get hash	malicious	Remcos	Browse	185.157.163.135
	Payload 94.75.225.exe	Get hash	malicious	Unknown	Browse	45.148.17.56
	nabarm5.elf	Get hash	malicious	Unknown	Browse	185.242.230.228
	ZW_PCCE-010023024001.bat	Get hash	malicious	Remcos, GuLoader	Browse	193.187.91.212
	Order_MG2027176.vbs	Get hash	malicious	Remcos, GuLoader	Browse	185.157.163.135
	Scanned_22C-6e24090516030.pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	193.187.91.214

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\RaftelibeGarss\zlib1.dll	LauncherPred8.3.389 stablesetup.msi	Get hash	malicious	Clipboard Hijacker, MicroClip, Remcos	Browse
C:\Users\user\AppData\Local\Temp\EHttpSrv.exe	LauncherPred8.3.389 stablesetup.msi	Get hash	malicious	Clipboard Hijacker, MicroClip, Remcos	Browse
	LauncherPred8.3.37Stablesetup.msi	Get hash	malicious	Remcos	Browse
	Slf.msi	Get hash	malicious	Remcos	Browse
	ystCwvqbxR.exe	Get hash	malicious	LummaC Stealer, RedLine, SectopRAT	Browse
	D3VUOgNs63.exe	Get hash	malicious	LummaC Stealer	Browse

Created / dropped Files

C:\Config.Msi\6b430d.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	2676
Entropy (8bit):	5.468420560993108
Encrypted:	false
SSDEEP:	48:KTYTQ9hsp4lZ/QUOT+bLPT0dZhVdZZLdZyoi3plelHq3vcR2u:KTYT2hQ4lZ/nOS/yhh1/21cUu
MD5:	E96CFD4EFE56B7D8B9C702000996BD48
SHA1:	5A6D582538F39805C39573C6DDE9BFC9A0FE022D
SHA-256:	B760EF1DF27537C05EDAB9CC7E7C08DD034892633AFFA29ED5C09FA3C0FBBC29
SHA-512:	8BAB6E90759FC154C6EA2975DFE05A10EECE9B2A6B4293891F3AD60EDBE84603EB57A82E1B4537124D70AA7957FD3E654FE270203540B45750AFF63C04963CF9
Malicious:	false
Preview:	...@IXOS.@.....@.}Y.@.....@.....@.....@.....@.....@......&.{BB2F3E18-3F04-450F-B8B5-60A9665181A8}..dermys..Slf.msi.@.....@.....@.....@........&.{02DCC2F2-67E6-46B0-92E0-2CB394AB055F}.....@.....@.....@.....@.......@.....@.....@.......@......dermys......Rollback..Annulation de l'action: ....RollbackCleanup%.Effacement des fichiers de sauvegarde..Fichier: [1]....ProcessComponents9.M.i.s.e. ... .j.o.u.r. .d.e.s. .i.n.f.o.r.m.a.t.i.o.n. .d.'.e.n.r.e.g.i.s.t.r.e.m.e.n.t. .d.u. .c.o.m.p.o.s.a.n.t...&.{0E0C50F8-B210-4B4D-91B3-D1FB7FE78CFA}&.{BB2F3E18-3F04-450F-B8B5-60A9665181A8}.@......&.{BA5264B4-F3AE-4F52-99B5-3968C5A81E6A}&.{BB2F3E18-3F04-450F-B8B5-60A9665181A8}.@......&.{6B83B1C9-08BB-4AEA-A6A8-8797A2558FDB}&.{BB2F3E18-3F04-450F-B8B5-60A9665181A8}.@......&.{F74533CE-84F1-400D-ABB3-76E2590644A5}&.{BB2F3E18-3F04-450F-B8B5-60A9665181A8}.@......&.{80922E60-CA5C-47B6-8B4C-D47FFA72F238}&.{BB2F3E18-3F04-450F-B8B5-60A9665181A8}.@......&.{6D606797-1F46-48D5-926D-D91FB8EFECB0}&.{BB2F3E18-3F04-450F-

C:\Users\user\AppData\Local\Temp\5ef74389

Download File

Process:	C:\Users\user\AppData\Local\Temp\EHttpSrv.exe
File Type:	data
Category:	dropped
Size (bytes):	1088536
Entropy (8bit):	7.6736003096784975
Encrypted:	false
SSDEEP:	24576:+RoUT/ADs5MmhJJ1uJ9uUKjsOTXgMgk9WpkDK3jgt/rS:+RBT/ADs51hJJ0JkUKjskQ7k9W70jS
MD5:	57C4E3BFEB87A9FDA6744F3CE0E954BD
SHA1:	4CCAFBE5B13D0DB5345F48E6DFE43876D6970AB2
SHA-256:	D59A5FD1BF8AC8832D31DFB6800DB00F280FD2C84BA13528E8D864670C66F01D
SHA-512:	F189452CD23EB575940769B743612C353A29146395792270B62F47CE4332E09E674F30B8CD9CD7A9A90DBBA956DD5618879CB42965299484086F3E0F15BD74F7
Malicious:	false
Preview:	....................N.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................../.YKN.]Z/.Dri.fhe.}G].g.e.zGY.hi~.D~d.UKx.nik.zGY.hi~.y.............................................I.@uc.`zf.s~O.......................................................................................I.Jio.}~C.zok.j~..................................................................................../.@UN.[>V.`xx.ztl.'UO.U]x.d~}.{p....................................................................\|.'+$.9,8...........................................

C:\Users\user\AppData\Local\Temp\6f377be8

Download File

Process:	C:\Users\user\AppData\Local\Temp\EHttpSrv.exe
File Type:	data
Category:	dropped
Size (bytes):	1088536
Entropy (8bit):	7.673601287626026
Encrypted:	false
SSDEEP:	24576:ERoUT/ADs5MmhJJ1uJ9uUKjsOTXgMgk9WpkDK3jgt/rS:ERBT/ADs51hJJ0JkUKjskQ7k9W70jS
MD5:	DF47212EB166482EDCC4E01FA739FC22
SHA1:	9E653508E86C4A53CD04D187F813E233205E9A8B
SHA-256:	6D0B9265561EE34B34E1656A34A0AB7EE2E21D8650B99A205E6702B8E8925D64
SHA-512:	40794166F2FD1EE2DB88B282094D4624321A2C40E3D5F6F475B8FD59EB6EAF82CDDD09059C1FF972F74AF04647563CF0ACA6760A6D7BC56DA4EAEDAEEFFA25E2
Malicious:	false
Preview:	....................N.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................../.YKN.]Z/.Dri.fhe.}G].g.e.zGY.hi~.D~d.UKx.nik.zGY.hi~.y.............................................I.@uc.`zf.s~O.......................................................................................I.Jio.}~C.zok.j~..................................................................................../.@UN.[>V.`xx.ztl.'UO.U]x.d~}.{p....................................................................\|.'+$.9,8...........................................

C:\Users\user\AppData\Local\Temp\761dc869

Download File

Process:	C:\Users\user\AppData\Local\Temp\EHttpSrv.exe
File Type:	data
Category:	dropped
Size (bytes):	1088536
Entropy (8bit):	7.673598658770088
Encrypted:	false
SSDEEP:	24576:2RoUT/ADs5MmhJJ1uJ9uUKjsOTXgMgk9WpkDK3jgt/rS:2RBT/ADs51hJJ0JkUKjskQ7k9W70jS
MD5:	2047876D8B0C5355556A8EB7DE562058
SHA1:	3454FE148EC7D780F13CA7FD7661F0ED2CB12D60
SHA-256:	6BCA37D65AC2165D97A50C00EBC10908D55BF0B58DD1B6047D7689864B6360A5
SHA-512:	258E5082C75768E4CB29A72FB4A51EB2300AC2D25BD21DDEDF096E0BBD63B039649D823ABE59D2986D2D648EB8D24E8C0A778994A47358AFD820AEB75AD3B886
Malicious:	false
Preview:	....................N.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................../.YKN.]Z/.Dri.fhe.}G].g.e.zGY.hi~.D~d.UKx.nik.zGY.hi~.y.............................................I.@uc.`zf.s~O.......................................................................................I.Jio.}~C.zok.j~..................................................................................../.@UN.[>V.`xx.ztl.'UO.U]x.d~}.{p....................................................................\|.'+$.9,8...........................................

C:\Users\user\AppData\Local\Temp\EHttpSrv.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20680
Entropy (8bit):	6.088615575328619
Encrypted:	false
SSDEEP:	384:Damtvzlx5v02RIDauMTnxOn6sGCYJLW7wycJbi6jc:D7Jv0qpukxO6s6Lhbimc
MD5:	9329BA45C8B97485926A171E34C2ABB8
SHA1:	20118BC0432B4E8B3660A4B038B20CA28F721E5C
SHA-256:	EFFA6FCB8759375B4089CCF61202A5C63243F4102872E64E3EB0A1BDC2727659
SHA-512:	0AF06B5495142BA0632A46BE0778A7BD3D507E9848B3159436AA504536919ABBCACD8B740EF4B591296E86604B49E0642FEE2C273A45E44B41A80F91A1D52ACC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: LauncherPred8.3.389 stablesetup.msi, Detection: malicious, Browse Filename: LauncherPred8.3.37Stablesetup.msi, Detection: malicious, Browse Filename: Slf.msi, Detection: malicious, Browse Filename: ystCwvqbxR.exe, Detection: malicious, Browse Filename: D3VUOgNs63.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...3..3..3.u....3......3......3......3......3..3.3......3......3......3.Rich.3.................PE..L......K.....................................0....@..........................`......_A.......................................6..d....P...............6..............P1...............................4..@............0..(............................text............................... ..`.rdata..6....0......................@..@.data........@.......(..............@....rsrc........P.......0..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIb41e2.LOG

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	175242
Entropy (8bit):	3.797622015355177
Encrypted:	false
SSDEEP:	1536:BMe/DX20gLjo52ZbG0Xr8hXRFfo8NSkSAyRTnSsh9+K/1vWpW6qVm52UsNeZ1MTO:yj4vjpgaXb7aG6KeQ
MD5:	DED1EC3BDD2DF1C3336A6F9E497BBF65
SHA1:	C20B0DBC6A94894FF8CAD516F19070EC9B880C5F
SHA-256:	19E47350FD247688DFCFF8351DFC4A8DFF04C1D8E86AF029270E247615FCF774
SHA-512:	8AEF988DD488B299CC8B54CCCC3F1186D42FF6C85205356C443E36F07DF6C6FE731B6C25FD6CE52D46A9F1B43FBBA7CEFFB45E40283163D2994946304389B58A
Malicious:	false
Preview:	..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .2.9./.1.1./.2.0.2.4. . .1.9.:.2.2.:.5.9. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.m.s.i.e.x.e.c...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.4.4.:.2.0.). .[.1.9.:.2.2.:.5.9.:.5.7.7.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.4.4.:.2.0.). .[.1.9.:.2.2.:.5.9.:.5.7.7.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.4.4.:.6.4.). .[.1.9.:.2.2.:.5.9.:.6.3.9.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.4.4.:.6.4.). .[.1.9.:.2.2.:.5.9.:.6.3.9.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .

C:\Users\user\AppData\Local\Temp\Microsoft.VC80.CRT.manifest

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (504), with CRLF line terminators
Category:	dropped
Size (bytes):	1870
Entropy (8bit):	5.392327712070946
Encrypted:	false
SSDEEP:	48:3SlK+hig4FB09kkK0hpzWU09kkKqYhzVC09kkK0FFzY:ClthaTXkHnCUXk8hgXkFj8
MD5:	D34B3DA03C59F38A510EAA8CCC151EC7
SHA1:	41B978588A9902F5E14B2B693973CB210ED900B2
SHA-256:	A50941352CB9D8F7BA6FBF7DB5C8AF95FB5AB76FC5D60CFD0984E558678908CC
SHA-512:	231A97761D652A0FC133B930ABBA07D456BA6CD70703A632FD7292F6EE00E50EF28562159E54ACC3FC6CC118F766EA3F2F8392579AE31CC9C0C1C0DD761D36F7
Malicious:	false
Preview:	.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable></noInheritable>.. <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>.. <file name="msvcr80.dll" hash="0a38b652c9d03caab803c6b2505fa301e345bab2" hashalg="SHA1"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>TM0VvywbHVQayIOw9CSX6M7WpaM=</dsig:DigestValue></asmv2:hash></file>.. <file name="msvcp80.dll" hash="678bf3da5d1987bb88fd47c4801ecb41f51366ef" hashalg="SHA1"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xm

C:\Users\user\AppData\Local\Temp\Microsoft.VC80.MFC.manifest

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (504), with CRLF line terminators
Category:	dropped
Size (bytes):	2372
Entropy (8bit):	5.379862999788816
Encrypted:	false
SSDEEP:	48:3SlK+5g4DJO09kkKBhZzY09kkKeIzl09kkKzzP09kkKXzY:CltFUXkcLEXkhIRXkm7Xk+8
MD5:	F1BB778577CFB1E45ADFBB2EAAAD7F58
SHA1:	171B0121B165B701482F96B02E7ADFFD6C799FCE
SHA-256:	53B6CDAB4A829674082048606A65111A2D6AC3A1B2BCFB8BE34D8296590D42DE
SHA-512:	4D125D773A3DD6A0CB755B69053F7D305DE03C3FA9854A87A9ECF504C23C8C37BA3FE533B0CD45762B340E6B8065D33BF7280A76376077FB734EAE52F950249D
Malicious:	false
Preview:	.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable></noInheritable>.. <assemblyIdentity type="win32" name="Microsoft.VC80.MFC" version="8.0.50727.4053" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>.. <file name="mfc80.dll" hash="46fc9af0bb795fec574d619bfd84f019f56debb4" hashalg="SHA1"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>JMgFAKGMt+YOD/s362I/Ku+VEqs=</dsig:DigestValue></asmv2:hash></file>.. <file name="mfc80u.dll" hash="1d3d4e3c0689295a042c2834f2336a76ebaa9e4f" hashalg="SHA1"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns

C:\Users\user\AppData\Local\Temp\Microsoft.VC80.MFCLOC.manifest

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1237
Entropy (8bit):	5.33286502858899
Encrypted:	false
SSDEEP:	24:2dtMEDJ/eiNK+EItg4NnZsstwsED4lla117+7W28mcP:ciEDJdK+/g4BgCCw76l
MD5:	526C8811D11C65F7EBCA8D5F38421188
SHA1:	F964CC250E326101F636A6293ECC710761EF7CCF
SHA-256:	571AF1EA18CA3F68C321975E7B1A1146B00DFA9349D5711A30C7CF89045A6A1A
SHA-512:	42E328781BFFF24112D6D9C2A84CF2DE95DC9767B8B4DD8B6DE099722C236350401E483C2710196DD7092C5B9A03F65A6938DD680E5A2CBBC288A6344F950929
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.. Copyright . 1981-2001 Microsoft Corporation -->..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable/>.. <assemblyIdentity type="win32" name="Microsoft.VC80.MFCLOC" version="8.0.50608.0" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"/>.. <file name="mfc80CHS.dll" hash="754165cac2d8fce9978dafeb313cea44852c9bf4" hashalg="SHA1"/>.. <file name="mfc80CHT.dll" hash="9167a79af2333f96551b12db36100f24801c4e98" hashalg="SHA1"/>.. <file name="mfc80DEU.dll" hash="72017b690322656f574718d51bc926ace81808f2" hashalg="SHA1"/>.. <file name="mfc80ENU.dll" hash="fb919708d073d2fa2174d3a328457c3be36cd4b5" hashalg="SHA1"/>.. <file name="mfc80ESP.dll" hash="b4536e19ba2f27ed4eb4d714a6f4b7fc69b5fb99" hashalg="SHA1"/>.. <file name="mfc80FRA.dll" hash="9157b1ab7a8c2b56f562f962370c75bbe726e8c6" hashalg="SHA1"/>.. <file name="mfc80ITA.dll" hash="5bcbbcf7fcc05361078ae12cc803

C:\Users\user\AppData\Local\Temp\RaftelibeGarss\zlib1.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\Updwork.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	372224
Entropy (8bit):	7.7008720235421775
Encrypted:	false
SSDEEP:	6144:HmkM9O5geNqoeWzPKclTBjAadj2BnEMbFmWuxTrA3a0UJYLuO5eJzm6LR6KrI3:9M9O5geNMBclTNAad6BnRm95AK1JY6a1
MD5:	3CA940E27E87443F7891D39536650F9B
SHA1:	2603FF220C43F13591A51ABB0CF339AECB758207
SHA-256:	A91F13AECE1EA7EBE326F0E340BDA9D00613D3365CD81B7F138A4C9446FFBD38
SHA-512:	0C0E04CBB8247F6DFE0790D1C3453596E3CB5F5FF0D2C3BC4E01FB38AD8E042322130072263C135C5637A745EF70AC68487BDADE3510990CE8F609CAD46566EE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 46% Antivirus: Virustotal, Detection: 46%, Browse
Joe Sandbox View:	Filename: LauncherPred8.3.389 stablesetup.msi, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... .T...........#.....4..........`........P.....b.........................0............... ......................................0..X.................... ............................... .......................................................text....3.......4..................`.P`.data...\....P.......8..............@.0..rdata..@J...`...L...:..............@.`@.eh_fram *.......,..................@.0@.bss....0.............................`..edata..............................@.0@.idata..............................@.0..CRT................................@.0..tls.... .... ......................@.0..rsrc...X....0......................@.0..reloc....... ......................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Updwork.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	506816
Entropy (8bit):	7.443415941343508
Encrypted:	false
SSDEEP:	6144:n7eZ+haXoavdfm10f4MS1djcX6Sc+B/b+XdNUaMkfxnMfJYLuO1CJzy6LR6KrI1O:78+haL5miiB8c+BEUaMuGJY64wzRprB
MD5:	253C52411B256E4AF301CBA58DCB6CEF
SHA1:	F21252C959B9EB47CD210F41B997CF598612D7C9
SHA-256:	7D57B704DD881413E7EE2EFFB3D85BDFFF1E208B0F3F745419E640930D9D339D
SHA-512:	40DE728EDAE55F97AC9459CF78BBC31B38E8B59BDB7A74FBD9E09D7EFD2A81B1DC5FD8011007C66EFB58E850F1C57D099EC340AECD62911D6AEBF2E70D1275D0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F..v...F...@...F.Rich..F.........................PE..L...)..\.................d...\|.......2............@..........................0............@.................................<........... ............................................................................................................text....b.......d.................. ..`.rdata..\............h..............@..@.data....U...........\|..............@....ndata...................................rsrc... ...........................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\audiogram.tif

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PNG image data, 535 x 323, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	898642
Entropy (8bit):	7.939726917918056
Encrypted:	false
SSDEEP:	24576:huxSUG0FCq7vlCaw416/GCvEowni/F9jXR54:MRJFCq7vl6zdj2
MD5:	5124236FD955464317FBB1F344A1D2F2
SHA1:	FE3A91E252F1DC3C3B4980ADE7157369EA6F5097
SHA-256:	ED1389002CDF96C9B54DE35B6E972166EE3296D628943FD594A383E674C5CBA6
SHA-512:	2B2AC23244B16F936EF9A4049586F58C809FCC4391A56390CC5DB2E8D96140001E0B977680ED1D8B0AB9C410E865A880209E22ADD8D42E563DC40BC91236B252
Malicious:	false
Preview:	.PNG........IHDR.......C.......,4....sRGB.........bKGD..............pHYs...9...9...F....tIME.....8..v0j....iTXtComment.....Created with GIMPd.e... .IDATx..y..Gy...}M.fF..iY.!.........!.$...9...6$\.4....bgm.`...N.......,...X..e.l.#.4.9.~..?.....o..3:...?...y...W.......c../..+..r.\+..r.\....G~...7.....k.......2.B......`q...8.5....7K.......L..w#qa... .c..D......tH. .r..%.~.<..9K..g[.....x./...d.W`an..........k....y.g@...B....0..>.[.......J!.)..<".0.1!BC...L....E.].DtH..":.K..&"tuK."....&B.PD...=NZ.q&:.vXE[.E...{t.?A../.Kzx....d.P.".9..B....*;.D.#%..##."#...MF.../N.~m.W{........{.......>d.<....l.7..(......r.+{..2d\|.].....ON.{..\.....b.OV.....+.8.....M4B .@U.s..XR.8k.O..xz....FkK...=.l..r_......:u...W.A.B.......0...q.ym.B6..&...FC.h....IO.N$P.<.u..q.E......H-.S..l.,13...8]B..\|...{j....I6...r0...u..-.yZh..X/`@..x..A.Te.K..>.tX9.]...<..".B.)..eY..y. @UUTE..^vA..h$3......e..t...^4.F1.......E...J..`..bth."Z.#......G..........T.=`!.....!...T..

C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	500736
Entropy (8bit):	6.582878001257931
Encrypted:	false
SSDEEP:	6144:w/7iPrcL3ArwhBq7Kjsn9iHGXg0lwGS9MNNhdFvPxps9gsAOZZAAXgc7S7ovz:w/uPq3AfK496Gw0lwGXN3pvs/ZA58vz
MD5:	16EC8B91B5461B1C810DCCDEAD6DE87F
SHA1:	FC9F07EE1F1BC5CC09F290B935BECC85223970E7
SHA-256:	C71E4D86B24B883F8DAF83CD2E3F689283185CF1DB4BDEFBEE213E50550CF968
SHA-512:	8EBD977810D7AD3AB051EC9F3BA18DB48FAE5FA2399ABD7E4C202C4551167B1394FACA42789AE0FEF636F90E1E29F69541009671BB45D13E4A8986D480889997
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Local\Temp\bgbhtsgyxsvqc, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 89%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d..- ..~ ..~ ..~.f$~3..~.f&~...~.f'~>..~).Q~!..~.Z.~"..~....:..~.......~.......~).F~9..~ ..~...~....D..~..*~!..~....!..~Rich ..~........PE..L....TCX.................r..........=I............@..........................@...........................................................J.......................;..@...8...........................x...@............................................text....p.......r.................. ..`.rdata...y.......z...v..............@..@.data...4]..........................@....tls.........p......................@....gfids..0...........................@..@.rsrc....J.......L..................@..@.reloc...;.......<...P..............@..Bumlwqq... ... ......................@...........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\fcpumhrmyq

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	500736
Entropy (8bit):	6.582878001257931
Encrypted:	false
SSDEEP:	6144:w/7iPrcL3ArwhBq7Kjsn9iHGXg0lwGS9MNNhdFvPxps9gsAOZZAAXgc7S7ovz:w/uPq3AfK496Gw0lwGXN3pvs/ZA58vz
MD5:	16EC8B91B5461B1C810DCCDEAD6DE87F
SHA1:	FC9F07EE1F1BC5CC09F290B935BECC85223970E7
SHA-256:	C71E4D86B24B883F8DAF83CD2E3F689283185CF1DB4BDEFBEE213E50550CF968
SHA-512:	8EBD977810D7AD3AB051EC9F3BA18DB48FAE5FA2399ABD7E4C202C4551167B1394FACA42789AE0FEF636F90E1E29F69541009671BB45D13E4A8986D480889997
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Local\Temp\fcpumhrmyq, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Local\Temp\fcpumhrmyq, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\fcpumhrmyq, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\fcpumhrmyq, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Local\Temp\fcpumhrmyq, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 89%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d..- ..~ ..~ ..~.f$~3..~.f&~...~.f'~>..~).Q~!..~.Z.~"..~....:..~.......~.......~).F~9..~ ..~...~....D..~..*~!..~....!..~Rich ..~........PE..L....TCX.................r..........=I............@..........................@...........................................................J.......................;..@...8...........................x...@............................................text....p.......r.................. ..`.rdata...y.......z...v..............@..@.data...4]..........................@....tls.........p......................@....gfids..0...........................@..@.rsrc....J.......L..................@..@.reloc...;.......<...P..............@..Bumlwqq... ... ......................@...........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\http_dll.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	904880
Entropy (8bit):	6.130048225121867
Encrypted:	false
SSDEEP:	12288:CouStsPOf+YVeAVWiqnm5dVjPiqW95XZxByK0Dp:CouStsPOf+2nVWiqnm5dVjPiV95xyKGp
MD5:	4366CD6C5D795811822B9CCC3DF3EAB4
SHA1:	30F6050729B4C08B7657454CB79DD5A3D463C606
SHA-256:	55497A3ECED5D8D190400BCD1A4B43A304EBF74A0D6D098665474ED4B1B0E9DA
SHA-512:	4A56A2DA7DED16125C2795D5760C7C08A93362536C9212CFF3A31DBF6613CB3FCA436EFD77C256338F5134DA955BC7CCC564B4AF0C45AC0DFD645460B922A349
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 62%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........XboRXboRXboR..RYboR...RQboR...RIboR...REboRXbnR.aoR...RHboR...R.boR...RYboR...RYboR...RYboRRichXboR........................PE..L...K..K...........!..... ...p......j........0....@ ....................................................................g...\|........`...<...........................;..............................(=..@............0..x............................text............ .................. ..`.rdata.......0.......0..............@..@.data....(...0...0...0..............@....rsrc....<...`...@...`..............@..@.reloc..^...........................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\kbtwvnkhifqe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Oct 26 05:02:16 2023, mtime=Fri Nov 29 23:23:00 2024, atime=Thu Oct 26 05:02:16 2023, length=20680, window=hide
Category:	dropped
Size (bytes):	990
Entropy (8bit):	5.009822669751724
Encrypted:	false
SSDEEP:	24:81lIf18DDxU59RngK5UixAPiIooe1b/qygm:8oqDtU59RxRCPip1Wyg
MD5:	CE14614B4CD158C1A751ABE3DD29EA57
SHA1:	8E10CEB298453B3285701C4FB0F9D9B4299EFF66
SHA-256:	7DC89CA901C701522524EEAAC764CF3142AA3B9F5158A40B4B820B52AF682049
SHA-512:	735FB220A7CB6443243BC38174A965A1C113C0CD4CAE0C3321642FF587D8E6109D6D9F121246CDCCA8DACA834734F0FC9EE806C054581CE90062F1D3E2A6FBFC
Malicious:	false
Preview:	L..................F.... ..........G....B..........P........................:..DG..Yr?.D..U..k0.&...&...... M.........B.......B......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl~Y......B.....................Bdg.A.p.p.D.a.t.a...B.P.1.....~Y....Local.<......DWSl~Y......V......................l..L.o.c.a.l.....N.1.....~Y....Temp..:......DWSl~Y......\......................Y.T.e.m.p.....f.2..P..ZWH0 .EHttpSrv.exe..J......ZWH0~Y................................E.H.t.t.p.S.r.v...e.x.e.......^...............-.......]...........L........C:\Users\user\AppData\Local\Temp\EHttpSrv.exe......\.E.H.t.t.p.S.r.v...e.x.e.........\|....I.J.H..K..:...`.......X.......128757...........hT..CrF.f4... ...2=.b...,...W..hT..CrF.f4... ...2=.b...,...W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Local\Temp\mfc80u.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1093120
Entropy (8bit):	6.520969816214873
Encrypted:	false
SSDEEP:	12288:wsaHmJ//R12t2PdMvWxMIQ1zoKyK0ivyHCJKjswl/KY6oQy3AmgVk2YDFpR7m81H:KHmJ+tKtxMIQNmCcjswl/KYh/2YFnb
MD5:	686B224B4987C22B153FBB545FEE9657
SHA1:	684EE9F018FBB0BBF6FFA590F3782BA49D5D096C
SHA-256:	A2AC851F35066C2F13A7452B7A9A3FEE05BFB42907AE77A6B85B212A2227FC36
SHA-512:	44D65DB91CEEA351D2B6217EAA27358DBC2ED27C9A83D226B59AECB336A9252B60AEC5CE5E646706A2AF5631D5EE0F721231EC751E97E47BBBC32D5F40908875
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................R..............R.......R...............l......n......l......l......l......l.L....l......l......l.....Rich............PE..L...(YYJ...........!.....p...\.......U.............x.................................M....@..............................e......x.......................................................................@...............4............................text....n.......p.................. ..`.data....k.......J...t..............@....rsrc...............................@..@.reloc..V7.......8...v..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\msvcr80.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	632656
Entropy (8bit):	6.854474744694894
Encrypted:	false
SSDEEP:	12288:bxzh9hH5RVKTp0G+vjhr46CIw+0yZmGyYCj:bph9hHzVKOpXwymGyYo
MD5:	1169436EE42F860C7DB37A4692B38F0E
SHA1:	4CCD15BF2C1B1D541AC883B0F42497E8CED6A5A3
SHA-256:	9382AAED2DB19CD75A70E38964F06C63F19F63C9DFB5A33B0C2D445BB41B6E46
SHA-512:	E06064EB95A2AB9C3343672072F5B3F5983FC8EA9E5C92F79E50BA2E259D6D5FA8ED97170DEA6D0D032EA6C01E074EEFAAB850D28965C7522FB7E03D9C65EAE0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L.........@................!......;.............d.......................Rich...................PE..L...yLYJ...........!.....0...p......+#.......@.....x......................................@..........................q...~..Pc..<....`..................P....p..P3...B...............................F..@............@...............................text....'.......0.................. ..`.rdata......@.......@..............@..@.data...Li.......P..................@....rsrc........`.......@..............@..@.reloc...7...p...@...P..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\s.txt

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	7694F4A66316E53C8CDD9D9954BD611D
SHA1:	22EA1C649C82946AA6E479E1FFD321E4A318B1B0
SHA-256:	8E35C2CD3BF6641BDB0E2050B76932CBB2E6034A0DDACC1D9BEA82A6BA57F7CF
SHA-512:	2E96772232487FB3A058D58F2C310023E07E4017C94D56CC5FAE4B54B44605F42A75B0B1F358991F8C6CBE9B68B64E5B2A09D0AD23FCAC07EE9A9198A745E1D5
Malicious:	false
Preview:	q

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\RaftelibeGasrss\RaftelibeGasrss.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\Updwork.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Nov 29 23:23:19 2024, mtime=Fri Nov 29 23:23:19 2024, atime=Thu Nov 28 17:56:30 2024, length=506816, window=hide
Category:	dropped
Size (bytes):	857
Entropy (8bit):	4.562163452871634
Encrypted:	false
SSDEEP:	12:8S3HlF01xcXyoWHesX0+2Y3ZwiS4YZwUFjEjAgip+Ub9Yw/wUx1bhmV:8iFF0m98pAQwccw4QAgo59Yw/wM1bhm
MD5:	C40295A6F06ABABFB7498929238531BE
SHA1:	60CDA507AF3CD8F02A5822188A2E3B0DECA3C299
SHA-256:	473FF66C98C29E537762DC33700DA76492237D4A0FBBF1D6207748522FDDA670
SHA-512:	473D445F30ABE90614C71E9CEE8DDCBF79FEC368A22E0958B2208E833ED0D6286B8A2EB581EA6B056C22129781B2EF47C0212D4F90A6B58D4F7A1D225C16B08D
Malicious:	false
Preview:	L..................F.... ..}:...B..}:...B.....<.A..........................k....P.O. .:i.....+00.../C:\...................`.1.....~Y... PROGRA~3..H......O.I~Y......g.......................c.P.r.o.g.r.a.m.D.a.t.a.....h.1.....~Y... RAFTEL~1..P......~Y..~Y..............................D.R.a.f.t.e.l.i.b.e.G.a.s.r.s.s.....t.2.....\|Y.. RAFTEL~1.EXE..X......~Y..~Y................................R.a.f.t.e.l.i.b.e.G.a.s.r.s.s...e.x.e.......a...............-.......`...........L........C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe..J.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.R.a.f.t.e.l.i.b.e.G.a.s.r.s.s.\.R.a.f.t.e.l.i.b.e.G.a.s.r.s.s...e.x.e.`.......X.......128757...........hT..CrF.f4... .".2=.b...,...W..hT..CrF.f4... .".2=.b...,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Windows\Installer\6b430b.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {02DCC2F2-67E6-46B0-92E0-2CB394AB055F}, Number of Words: 10, Subject: dermys, Author: Germys, Name of Creating Application: dermys, Template: ;1036, Comments: Cette base de donnes d'installation contient le code et les donnes ncessaires l'installation de dermys., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	3581440
Entropy (8bit):	7.741428780274999
Encrypted:	false
SSDEEP:	49152:vm5X8r6F5mCmR+juZZZL+H9IyKficUAG595WpZsNAaudSIuvLZ8:co6wZLSIX6cZGZWUNAaudgZ
MD5:	6F92F923D8F87AFE5FE757FF2FF56951
SHA1:	44780713A7026B9B0FF3CADEAFFACB3CC3584ECA
SHA-256:	6ED0C218B751EC93293B5922E783B7A9B147A3C7CD6070022CD707050108D321
SHA-512:	100DF666E8C5B4C2E21DE703FE7210A41DAEDF1480E1FE4B7388AA63DD51ECCBE46E141A275EF61061C97CF3CD268A129CFD5FA0E290E4525B07915789713F0A
Malicious:	false
Preview:	......................>...................7...................................H.......d.......q.......................................r.......T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y.......................................................................................................................................................................................................................................................#.../........................................................................................... ...!..."...-.......%...&...'...(...)...*...+...,.......0...5...B...1...2...3...4...7...6...>...8...9...:...;...<...=...@...?...A...........C...D...E...F...G...........J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI4434.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	570784
Entropy (8bit):	6.45015034296188
Encrypted:	false
SSDEEP:	6144:j+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOJVafv5khoJQCmR+:j+SuPgAc8+MjGCCslegDTwX5/OCmR+
MD5:	2C9C51AC508570303C6D46C0571EA3A1
SHA1:	E3E0FE08FA11A43C8BCA533F212BDF0704C726D5
SHA-256:	FF86C76A8D5846B3A1AD58FF2FD8E5A06A84EB5899CDEE98E59C548D33335550
SHA-512:	DF5F1DEF5AAC44F39A2DFDE9C6C73F15F83A7374B4AD42B67E425CCB7AC99A64C5701B676AE46D2F7167A04A955158031A839E7878D100AAF8FAB0CE2059F127
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L....}.c.........."!..."..................................................................@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI44A2.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	570784
Entropy (8bit):	6.45015034296188
Encrypted:	false
SSDEEP:	6144:j+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOJVafv5khoJQCmR+:j+SuPgAc8+MjGCCslegDTwX5/OCmR+
MD5:	2C9C51AC508570303C6D46C0571EA3A1
SHA1:	E3E0FE08FA11A43C8BCA533F212BDF0704C726D5
SHA-256:	FF86C76A8D5846B3A1AD58FF2FD8E5A06A84EB5899CDEE98E59C548D33335550
SHA-512:	DF5F1DEF5AAC44F39A2DFDE9C6C73F15F83A7374B4AD42B67E425CCB7AC99A64C5701B676AE46D2F7167A04A955158031A839E7878D100AAF8FAB0CE2059F127
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L....}.c.........."!..."..................................................................@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI44C3.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	570784
Entropy (8bit):	6.45015034296188
Encrypted:	false
SSDEEP:	6144:j+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOJVafv5khoJQCmR+:j+SuPgAc8+MjGCCslegDTwX5/OCmR+
MD5:	2C9C51AC508570303C6D46C0571EA3A1
SHA1:	E3E0FE08FA11A43C8BCA533F212BDF0704C726D5
SHA-256:	FF86C76A8D5846B3A1AD58FF2FD8E5A06A84EB5899CDEE98E59C548D33335550
SHA-512:	DF5F1DEF5AAC44F39A2DFDE9C6C73F15F83A7374B4AD42B67E425CCB7AC99A64C5701B676AE46D2F7167A04A955158031A839E7878D100AAF8FAB0CE2059F127
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L....}.c.........."!..."..................................................................@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI4502.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	570784
Entropy (8bit):	6.45015034296188
Encrypted:	false
SSDEEP:	6144:j+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOJVafv5khoJQCmR+:j+SuPgAc8+MjGCCslegDTwX5/OCmR+
MD5:	2C9C51AC508570303C6D46C0571EA3A1
SHA1:	E3E0FE08FA11A43C8BCA533F212BDF0704C726D5
SHA-256:	FF86C76A8D5846B3A1AD58FF2FD8E5A06A84EB5899CDEE98E59C548D33335550
SHA-512:	DF5F1DEF5AAC44F39A2DFDE9C6C73F15F83A7374B4AD42B67E425CCB7AC99A64C5701B676AE46D2F7167A04A955158031A839E7878D100AAF8FAB0CE2059F127
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L....}.c.........."!..."..................................................................@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI4561.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	3786
Entropy (8bit):	5.257059889753939
Encrypted:	false
SSDEEP:	96:PTYT2hTt3bg/whb2Z+1h3h3hpiiyrrT67sOjKpcz6:PTo8Ttrhb2ZWxxOpcz6
MD5:	F0A55A7675923293065428048368FC87
SHA1:	CA5DAEB48B3926F3B490C695B2466AC2BC3BDBA3
SHA-256:	1E6A0285045712744AB2CE9E661E59D5670D83F3581CC9788CA585D966B845EA
SHA-512:	5ED2759761C90F2A7008F5A42031BD89CCA42057C9B74A7DE176AFE3A58BB1976546446ED6FDFBE3A31D84CFAA04B1CF4A3BFF0FDEBB8A2B2752E18F8728B780
Malicious:	false
Preview:	...@IXOS.@.....@.}Y.@.....@.....@.....@.....@.....@......&.{BB2F3E18-3F04-450F-B8B5-60A9665181A8}..dermys..Slf.msi.@.....@.....@.....@........&.{02DCC2F2-67E6-46B0-92E0-2CB394AB055F}.....@.....@.....@.....@.......@.....@.....@.......@......dermys......Rollback..Annulation de l'action: ....RollbackCleanup%.Effacement des fichiers de sauvegarde..Fichier: [1]...@.......@........ProcessComponents9.M.i.s.e. ... .j.o.u.r. .d.e.s. .i.n.f.o.r.m.a.t.i.o.n. .d.'.e.n.r.e.g.i.s.t.r.e.m.e.n.t. .d.u. .c.o.m.p.o.s.a.n.t....@.....@.....@.]....&.{0E0C50F8-B210-4B4D-91B3-D1FB7FE78CFA}..C:\Users\user\AppData\Roaming\Germys\dermys\.@.......@.....@.....@......&.{BA5264B4-F3AE-4F52-99B5-3968C5A81E6A}".01:\Software\Germys\dermys\Version.@.......@.....@.....@......&.{6B83B1C9-08BB-4AEA-A6A8-8797A2558FDB}".C:\Users\user\AppData\Local\All\.@.......@.....@.....@......&.{F74533CE-84F1-400D-ABB3-76E2590644A5}'.C:\Users\user\AppData\Local\All\Form\.@.......@.....@.....@......&.{80922E60-CA5C-47B6-8B4C-D47FFA

C:\Windows\Installer\SourceHash{BB2F3E18-3F04-450F-B8B5-60A9665181A8}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.161605741342405
Encrypted:	false
SSDEEP:	12:JSbX72FjgAGiLIlHVRpqh/7777777777777777777777777vDHFppZl0i8Q:JeQI56SF
MD5:	CA500157ADA200B48E0B53B046B9A49D
SHA1:	FF94E552582FB67F19C42A1BA31F4B62F0115610
SHA-256:	AB9DDED34D58AAB9EB1DDFF7C90A638B6B4EE55D782A0917DC11B29E763BC077
SHA-512:	BD13EDC10E83EA672DB70F641E443FDB76AF254408AE5C5D4D9988ACA1E7FF93BA6970850BBAD5E84290F6D62D2F322692085F0CC6F2F940AB1E98587A2080EB
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.515635551806019
Encrypted:	false
SSDEEP:	48:UW8Phj7uRc06WXOgjT5Kh8SCAErCyNbS4T:Whj71ujT8W4wCq
MD5:	D6F688643BC80E43A0B372894696826D
SHA1:	77A9F38E618BEEAB9715DBE4036F04EB4CCD7D4F
SHA-256:	7D2E5D74B86247C2421B046AAECE41FD385A0FECB858A20FCA9AD765AF32C75B
SHA-512:	9D2EDC4089670FB6CECCFD6876FFC9F9F0C811E41D8B31848375E05B732F11771A7843AF8AC596A3896F01DE8C382B07F9E589ADD02CC22A0459D2701AD095C3
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	364484
Entropy (8bit):	5.365489153115125
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgaui:zTtbmkExhMJCIpEx
MD5:	B12C76FC3A7A1B2152CC41AE2CF50C46
SHA1:	325EC677E0A7F91C3A85F0F1A1B14CAAC5A97DEE
SHA-256:	648AFF6AA5FE18ED901787C1FC1E381F5D2B02D3BF426E399AF01DABA422A91C
SHA-512:	2C1EC96E81075A8CDF3F2A18B15006366F38A7F424170B176C933A3B51DBC6D5C590619F2A0A7666F0D556B6006E6FD896973F0F171C0035697AD436BE7C9EFB
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF510B5445854C40A6.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5898F5A3433F521F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.06877225069817593
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOcHmch6Vky6lZ:2F0i8n0itFzDHFwZ
MD5:	08CDF08292E7AFE2F52E837F5027AD9D
SHA1:	7872074D88FEC9456DDFDC091DCE186ECB09A5FD
SHA-256:	E5C60E95D9C65AF639EE63A87476564EF4CFFF610D1CE88E49E06F8794445075
SHA-512:	AD1D8ABDC68DA725FF79095D06966A326D3F154190B68EAE18CB459D57DD9B455854B88B8436095C37AAFA6D07075932EB6FFE78F7F172DE8CC036ED45ADA0A1
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF8377DD5D4CE191EE.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF83C2BC48B26BF06C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.515635551806019
Encrypted:	false
SSDEEP:	48:UW8Phj7uRc06WXOgjT5Kh8SCAErCyNbS4T:Whj71ujT8W4wCq
MD5:	D6F688643BC80E43A0B372894696826D
SHA1:	77A9F38E618BEEAB9715DBE4036F04EB4CCD7D4F
SHA-256:	7D2E5D74B86247C2421B046AAECE41FD385A0FECB858A20FCA9AD765AF32C75B
SHA-512:	9D2EDC4089670FB6CECCFD6876FFC9F9F0C811E41D8B31848375E05B732F11771A7843AF8AC596A3896F01DE8C382B07F9E589ADD02CC22A0459D2701AD095C3
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF9AD2120CD054B0D6.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA8E7B38FB39A9CA3.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2182753151009802
Encrypted:	false
SSDEEP:	24:JIh53Mr7uxbiEipKx2xza2t4hAZZZagUMClXti8dOtV+skO0ZipV0XAEV0yjCyNr:YMr7upJvcFXODT5ah8SCAErCyNbS4T
MD5:	1BE0B35EC39ADE7215E0E41265083B6C
SHA1:	B01B98E43FA0DBE0CD0486F12E59D59696B900AF
SHA-256:	52F1A921F1B2E4AA3B889FABC01BFE5D1F3F9C004B1C4AA1CC8629E02FE14934
SHA-512:	735A1AE62446FE8DFEEBEA55A5548179AF4A2FF5486A535A3BCC6A1BC8C0E1E34B0D4951F1C4BB15ED395ACD04F60C40BB088B746469BA81669F955A40CA30DA
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFADD05C1BDFB8AFDD.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.515635551806019
Encrypted:	false
SSDEEP:	48:UW8Phj7uRc06WXOgjT5Kh8SCAErCyNbS4T:Whj71ujT8W4wCq
MD5:	D6F688643BC80E43A0B372894696826D
SHA1:	77A9F38E618BEEAB9715DBE4036F04EB4CCD7D4F
SHA-256:	7D2E5D74B86247C2421B046AAECE41FD385A0FECB858A20FCA9AD765AF32C75B
SHA-512:	9D2EDC4089670FB6CECCFD6876FFC9F9F0C811E41D8B31848375E05B732F11771A7843AF8AC596A3896F01DE8C382B07F9E589ADD02CC22A0459D2701AD095C3
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFCFF8C7A7110206C1.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD207BB6CFBDC6558.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2182753151009802
Encrypted:	false
SSDEEP:	24:JIh53Mr7uxbiEipKx2xza2t4hAZZZagUMClXti8dOtV+skO0ZipV0XAEV0yjCyNr:YMr7upJvcFXODT5ah8SCAErCyNbS4T
MD5:	1BE0B35EC39ADE7215E0E41265083B6C
SHA1:	B01B98E43FA0DBE0CD0486F12E59D59696B900AF
SHA-256:	52F1A921F1B2E4AA3B889FABC01BFE5D1F3F9C004B1C4AA1CC8629E02FE14934
SHA-512:	735A1AE62446FE8DFEEBEA55A5548179AF4A2FF5486A535A3BCC6A1BC8C0E1E34B0D4951F1C4BB15ED395ACD04F60C40BB088B746469BA81669F955A40CA30DA
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD996213084129C97.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2182753151009802
Encrypted:	false
SSDEEP:	24:JIh53Mr7uxbiEipKx2xza2t4hAZZZagUMClXti8dOtV+skO0ZipV0XAEV0yjCyNr:YMr7upJvcFXODT5ah8SCAErCyNbS4T
MD5:	1BE0B35EC39ADE7215E0E41265083B6C
SHA1:	B01B98E43FA0DBE0CD0486F12E59D59696B900AF
SHA-256:	52F1A921F1B2E4AA3B889FABC01BFE5D1F3F9C004B1C4AA1CC8629E02FE14934
SHA-512:	735A1AE62446FE8DFEEBEA55A5548179AF4A2FF5486A535A3BCC6A1BC8C0E1E34B0D4951F1C4BB15ED395ACD04F60C40BB088B746469BA81669F955A40CA30DA
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFDACF9E8D146EB959.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF2855CB50F67355D.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.11922299710253378
Encrypted:	false
SSDEEP:	24:8Tx0ZipV0H0ZipV0XAEV0yjCyNVQwGI0+skn:8T0SDSCAErCyNQh
MD5:	BA14B5FC2E8D37461F2483406F76C959
SHA1:	BD867C397309637BE9289F253EEBF93C760195D0
SHA-256:	9CE207995E31B0708D562236B9176F57FB6E97439A5FE28E8CEE5170901065A8
SHA-512:	CB28A8685D20E212CF3E0046BCFB1829615E6FED05C13B33227235E30357739DC6933DA48BF2087176F1AFEB2CCDF4E77AE8E1697314EDF64656AA703A5502B8
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {02DCC2F2-67E6-46B0-92E0-2CB394AB055F}, Number of Words: 10, Subject: dermys, Author: Germys, Name of Creating Application: dermys, Template: ;1036, Comments: Cette base de donnes d'installation contient le code et les donnes ncessaires l'installation de dermys., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Entropy (8bit):	7.741428780274999
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	Slf.msi
File size:	3'581'440 bytes
MD5:	6f92f923d8f87afe5fe757ff2ff56951
SHA1:	44780713a7026b9b0ff3cadeaffacb3cc3584eca
SHA256:	6ed0c218b751ec93293b5922e783b7a9b147a3c7cd6070022cd707050108d321
SHA512:	100df666e8c5b4c2e21de703fe7210a41daedf1480e1fe4b7388aa63dd51eccbe46e141a275ef61061c97cf3cd268a129cfd5fa0e290e4525b07915789713f0a
SSDEEP:	49152:vm5X8r6F5mCmR+juZZZL+H9IyKficUAG595WpZsNAaudSIuvLZ8:co6wZLSIX6cZGZWUNAaudgZ
TLSH:	37F5F115B3C3C922C15D027BF459FE0E5438EEA3473451E7BAF5799F88B08C1A2B9A52
File Content Preview:	........................>...................7...................................H.......d.......q.......................................r.......T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o..

File Icon


Icon Hash:	2d2e3797b32b2b99

Target ID:	0
Start time:	19:22:59
Start date:	29/11/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Slf.msi"
Imagebase:	0x7ff70b650000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	19:22:59
Start date:	29/11/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff70b650000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	19:23:00
Start date:	29/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding CCD88EF77E0BFA64C5AD6E35B211C368
Imagebase:	0x440000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	19:23:00
Start date:	29/11/2024
Path:	C:\Users\user\AppData\Local\Temp\EHttpSrv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\EHttpSrv.exe"
Imagebase:	0x400000
File size:	20'680 bytes
MD5 hash:	9329BA45C8B97485926A171E34C2ABB8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.2106063393.0000000002356000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	19:23:00
Start date:	29/11/2024
Path:	C:\Users\user\AppData\Local\Temp\Updwork.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Updwork.exe"
Imagebase:	0x400000
File size:	506'816 bytes
MD5 hash:	253C52411B256E4AF301CBA58DCB6CEF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Clipboard_Hijacker_5, Description: Yara detected Clipboard Hijacker, Source: 00000005.00000003.2219955750.0000000002AA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MicroClip, Description: Yara detected MicroClip, Source: 00000005.00000003.2219955750.0000000002AA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Clipboard_Hijacker_5, Description: Yara detected Clipboard Hijacker, Source: 00000005.00000003.2220074790.0000000002230000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MicroClip, Description: Yara detected MicroClip, Source: 00000005.00000003.2220074790.0000000002230000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 37%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	19:23:02
Start date:	29/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.2374708080.0000000005B60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.2374708080.0000000005B60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000002.2374708080.0000000005B60000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.2374195522.00000000051F8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	19:23:02
Start date:	29/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	19:23:19
Start date:	29/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WerFault.exe"
Imagebase:	0xc30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Clipboard_Hijacker_5, Description: Yara detected Clipboard Hijacker, Source: 0000000B.00000002.4482449704.0000000000421000.00000002.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MicroClip, Description: Yara detected MicroClip, Source: 0000000B.00000002.4482449704.0000000000421000.00000002.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	19:23:26
Start date:	29/11/2024
Path:	C:\Users\user\AppData\Local\Temp\EHttpSrv.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\EHttpSrv.exe
Imagebase:	0x400000
File size:	20'680 bytes
MD5 hash:	9329BA45C8B97485926A171E34C2ABB8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.2373788093.0000000000469000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.2373788093.0000000000469000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.2373788093.0000000000469000.00000002.00000001.01000000.00000000.sdmp, Author: unknown Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.2374138657.0000000002536000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	19:23:28
Start date:	29/11/2024
Path:	C:\Users\user\AppData\Local\Temp\EHttpSrv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\EHttpSrv.exe"
Imagebase:	0x400000
File size:	20'680 bytes
MD5 hash:	9329BA45C8B97485926A171E34C2ABB8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.2359524245.0000000002390000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	19:23:28
Start date:	29/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000002.2422716456.00000000036F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000002.2422932577.0000000005683000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	19:23:28
Start date:	29/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	19:23:36
Start date:	29/11/2024
Path:	C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\RaftelibeGasrss\RaftelibeGasrss.exe"
Imagebase:	0x400000
File size:	506'816 bytes
MD5 hash:	253C52411B256E4AF301CBA58DCB6CEF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Clipboard_Hijacker_5, Description: Yara detected Clipboard Hijacker, Source: 00000010.00000003.2574423454.0000000002320000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MicroClip, Description: Yara detected MicroClip, Source: 00000010.00000003.2574423454.0000000002320000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Clipboard_Hijacker_5, Description: Yara detected Clipboard Hijacker, Source: 00000010.00000003.2574373433.0000000002370000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MicroClip, Description: Yara detected MicroClip, Source: 00000010.00000003.2574373433.0000000002370000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	19:23:40
Start date:	29/11/2024
Path:	C:\Users\user\AppData\Local\Temp\EHttpSrv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\EHttpSrv.exe"
Imagebase:	0x400000
File size:	20'680 bytes
MD5 hash:	9329BA45C8B97485926A171E34C2ABB8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000014.00000002.2479071731.0000000002302000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	19:23:40
Start date:	29/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000015.00000002.2658852776.0000000005278000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000015.00000002.2658386547.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000015.00000002.2658386547.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000015.00000002.2658386547.0000000002EB0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	19:23:40
Start date:	29/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6a5670000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	19:23:55
Start date:	29/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WerFault.exe"
Imagebase:	0xc30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Clipboard_Hijacker_5, Description: Yara detected Clipboard Hijacker, Source: 00000018.00000002.4482451053.0000000000421000.00000002.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MicroClip, Description: Yara detected MicroClip, Source: 00000018.00000002.4482451053.0000000000421000.00000002.00000400.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	19:23:59
Start date:	29/11/2024
Path:	C:\Users\user\AppData\Local\Temp\EHttpSrv.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\EHttpSrv.exe
Imagebase:	0x400000
File size:	20'680 bytes
MD5 hash:	9329BA45C8B97485926A171E34C2ABB8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000019.00000002.2658388133.0000000000469000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000019.00000002.2658388133.0000000000469000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000019.00000002.2658388133.0000000000469000.00000002.00000001.01000000.00000000.sdmp, Author: unknown Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000019.00000002.2658827316.0000000002589000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.6%
Total number of Nodes:	229
Total number of Limit Nodes:	6

Executed Functions

Function 00401000 Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004017C0: wcscpy_s.MSVCR80 ref: 00401803
Part of subcall function 004017C0: wcscpy_s.MSVCR80 ref: 00401859
Part of subcall function 004017C0: wcscpy_s.MSVCR80 ref: 004018B5

GetCommandLineW.KERNEL32 ref: 00401016
wcsstr.MSVCR80 ref: 00401024
GetCommandLineW.KERNEL32 ref: 00401039
wcsstr.MSVCR80 ref: 00401041

Part of subcall function 00401580: GetModuleFileNameW.KERNEL32(00000000,?,00000104,75921D70), ref: 004015B6
Part of subcall function 00401580: OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 004015C3
Part of subcall function 00401580: CreateServiceW.ADVAPI32(00000000,EHttpSrv,ESET HTTP Server,000F01FF,00000010,00000003,00000001,?,00000000,00000000,00000000,?,00000000,6C990C0A), ref: 004015FB
Part of subcall function 00401580: CloseServiceHandle.ADVAPI32(00000000), ref: 00401610
Part of subcall function 00401580: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,0002001F,?), ref: 00401645
Part of subcall function 00401580: RegSetValueExW.ADVAPI32(?,Description,00000000,00000001,ESET HTTP Server,?), ref: 0040167C
Part of subcall function 00401580: RegCreateKeyExW.ADVAPI32(?,Parameters,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 0040169F
Part of subcall function 00401580: RegCloseKey.ADVAPI32(?), ref: 004016B4

Strings

-app, xrefs: 0040108B
http_dll.dll, xrefs: 00401057
StopHttpServer, xrefs: 00401077
StartHttpServer, xrefs: 0040106F

Memory Dump Source

Source File: 00000004.00000002.2100931682.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2100904881.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2100945274.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2101171580.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2103472997.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EHttpSrv.jbxd

Similarity

API ID: wcscpy_s$CloseCommandCreateLineOpenServicewcsstr$FileHandleManagerModuleNameValue
String ID: -app$StartHttpServer$StopHttpServer$http_dll.dll
API String ID: 2068747329-304233262
Opcode ID: bfff211ea4cdc9cc23a97f7a1dfe9e4cd21386795f217708e710b657fbf56fc9
Instruction ID: e3be212c131674410c1c2ebee6bc56352eccad3693de89cbbe7196e95990011f
Opcode Fuzzy Hash: bfff211ea4cdc9cc23a97f7a1dfe9e4cd21386795f217708e710b657fbf56fc9
Instruction Fuzzy Hash: 02119E326022046BC700BFF66D4AE4B7B8C9A857627144837FD00F61E1EABDE614957D

Function 20404160 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 271
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 20404190
GlobalAlloc.KERNELBASE(00000040,00000001), ref: 204041B6
ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 204041C5
CloseHandle.KERNELBASE(00000000), ref: 204041CD

Strings

?, xrefs: 204042EC
?, xrefs: 204042CA
?, xrefs: 204042DB
?, xrefs: 204042BA
?, xrefs: 204042AA

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: File$AllocCloseCreateGlobalHandleRead
String ID: ?$?$?$?$?
API String ID: 388571530-3425934482
Opcode ID: 67d4ce6f76d59dcfc2f5265d94f6543ac42eb0e7de045181e51dacb0bff6f7ca
Instruction ID: 1d9fecc048d5ebdea5e256a55a120de2506068c49cdc505e27952ee320c8127c
Opcode Fuzzy Hash: 67d4ce6f76d59dcfc2f5265d94f6543ac42eb0e7de045181e51dacb0bff6f7ca
Instruction Fuzzy Hash: 62A1AFB0608341ABD719CFA4C484B5ABBE2AFC5744F44CA7CF994A7342D778DA04CB52

Function 204044D0 Relevance: 3.0, APIs: 2, Instructions: 33
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,00000000,?,00000000), ref: 204044D9
VirtualProtect.KERNELBASE(?,00000000,?,?), ref: 204044F5

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b0b461f4361be4dee5a55f635670ca515baf644bca3db06e136deeb1515ee1e8
Instruction ID: 830f1ece4cab85104a5116d0d9e9e41a1ea74eebd5cf8276e133c103f1593903
Opcode Fuzzy Hash: b0b461f4361be4dee5a55f635670ca515baf644bca3db06e136deeb1515ee1e8
Instruction Fuzzy Hash: B4F01DB2508344AFD7019B88DD4186FFBE9FF88704F40482EF59482120E776D9248B92

Function 20404010 Relevance: 1.7, APIs: 1, Instructions: 175
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(00000000), ref: 20404486

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5951aa6c9f8a438f153127fcd9a9f3ee10ee28293eb90f2eab6fdb5f8755e8f9
Instruction ID: c18f9c85a66ec3f790252471dd21006197b5acf5d9a27bf5ee6111b8c4cc0023
Opcode Fuzzy Hash: 5951aa6c9f8a438f153127fcd9a9f3ee10ee28293eb90f2eab6fdb5f8755e8f9
Instruction Fuzzy Hash: 874181B02043019FD718DF64C491B2AB7E6FFC8314F41893DEA8AA7391E778A905CB52

Function 20404060 Relevance: 1.6, APIs: 1, Instructions: 103
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(00000000), ref: 20404486

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ad88f8b07a3075c5fb51b8329be8ff086f78926237761a80a17b9aee6eef6861
Instruction ID: 0ee044101d6d02e9337f6b7c62f6bf65ce1bd520952ddccff6895c4f292aa369
Opcode Fuzzy Hash: ad88f8b07a3075c5fb51b8329be8ff086f78926237761a80a17b9aee6eef6861
Instruction Fuzzy Hash: E52137B01083019FD314CF24C885B2AB7F6BFC8324F45866CE689A7392E778A901CB52

Function 20404410 Relevance: 1.6, APIs: 1, Instructions: 80
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(00000000), ref: 20404486

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 28c0e0c1c0e0989bdf65198ffae234c81b4255d7b9b0891e5899f52016e814b7
Instruction ID: 97bcd7a7d3ee4d16da48454221c5b769e84301d7cc6fa58145fe6bcf158dcb16
Opcode Fuzzy Hash: 28c0e0c1c0e0989bdf65198ffae234c81b4255d7b9b0891e5899f52016e814b7
Instruction Fuzzy Hash: 6011A0B16053019FD354CF24C485F2AB3FABF98314F85C56CE589A7351E7B8A905CB52

Non-executed Functions

Function 204660B0 Relevance: 295.4, APIs: 153, Strings: 15, Instructions: 1444COMMON

Download Yara Rule

APIs

Part of subcall function 20420AE0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 20420AF7
Part of subcall function 20420AE0: SendMessageW.USER32(?,00001009,00000000,00000000), ref: 20420B18

#310.MFC80U(A1C94593,?,?,?), ref: 2046611E
#310.MFC80U ref: 20466133
#776.MFC80U(20485878), ref: 2046614A
#776.MFC80U(20485878), ref: 20466159
#4026.MFC80U(00000084), ref: 20466168
#4026.MFC80U(000000A2,?), ref: 20466183
#896.MFC80U(?), ref: 20466192
#899.MFC80U(204924A8), ref: 204661A1
#4026.MFC80U(000000A8), ref: 204661C4
#4026.MFC80U(000000EF), ref: 204661F5
#896.MFC80U(?), ref: 20466204
#899.MFC80U( ), ref: 20466213
#4026.MFC80U(000000A3), ref: 20466222
#896.MFC80U(?), ref: 20466231
#899.MFC80U(204924A8), ref: 20466240
#4026.MFC80U(000000AA), ref: 20466262
#4026.MFC80U(000000AC), ref: 2046627D
#4026.MFC80U(000000EF), ref: 20466293
#896.MFC80U(?), ref: 204662A2
#899.MFC80U(2048678C), ref: 204662BD
#4026.MFC80U(00000102), ref: 204662CC
#896.MFC80U(?), ref: 204662DB
#899.MFC80U(2048678C), ref: 204662F0
#4026.MFC80U(00000103), ref: 204662FF
#896.MFC80U(?), ref: 2046630E
#899.MFC80U( ), ref: 2046631D
#4026.MFC80U(000000B4), ref: 2046632C
#896.MFC80U(?), ref: 2046633B
#899.MFC80U(204924A8), ref: 2046634A
#4026.MFC80U(0000010B), ref: 20466361
#4026.MFC80U(000000EF), ref: 20466380
#776.MFC80U(00000000), ref: 20466397
#896.MFC80U(?), ref: 204663A6
#5869.MFC80U(00000000,00000001,?), ref: 204663B7
#776.MFC80U(20485878,00000000,00000001,?), ref: 204663CD
#776.MFC80U(20485878), ref: 204663DC
#4026.MFC80U(00000086), ref: 204663EB
#4026.MFC80U(0000010C,?), ref: 20466434
#896.MFC80U(?), ref: 20466443
#5869.MFC80U(00000001,00000001,?), ref: 20466456
#4026.MFC80U(000000C8,?), ref: 20466487
#896.MFC80U(?), ref: 20466496
#900.MFC80U(20488130), ref: 204664A5
#4026.MFC80U(0000010C), ref: 204664B4
#896.MFC80U(?), ref: 204664C3
#5869.MFC80U(00000001,00000001,?), ref: 204664D6
#4026.MFC80U(0000010D,?), ref: 2046650C
#896.MFC80U(?), ref: 2046651B
#899.MFC80U(?,?), ref: 2046654C
#776.MFC80U(20492490), ref: 20466569
#896.MFC80U(?), ref: 20466578
#5869.MFC80U(00000001,00000001,?,?), ref: 2046659A
#776.MFC80U(20485878,00000001,00000001,?,?), ref: 204665B0
#4026.MFC80U(0000010E,?), ref: 204665DB
#896.MFC80U(?), ref: 204665EA
#899.MFC80U(?,?,?,?), ref: 2046662B
#900.MFC80U( - ), ref: 2046663A
#899.MFC80U(?), ref: 2046664C
#776.MFC80U(20492490), ref: 20466669
#776.MFC80U(20485878,?,?), ref: 20466E8C
#776.MFC80U(20485878), ref: 20466E9B
#4026.MFC80U(00000111), ref: 20466EB4
#896.MFC80U(?), ref: 20466EC3
#4026.MFC80U(0000010B), ref: 20466ED2
#896.MFC80U(?), ref: 20466EE1
#5869.MFC80U(?,00000001,?), ref: 20466EF3
#4026.MFC80U(00000111), ref: 20466F1D
#896.MFC80U(?), ref: 20466F2C
#2311.MFC80U(?,2048587C,?), ref: 20466FB9
#896.MFC80U(?,?,?,?), ref: 20466FCB
#776.MFC80U(20492490,?,?,?), ref: 20466FE4
#896.MFC80U(?,?,?,?), ref: 20466FF3
#5869.MFC80U(?,00000001,?,?,?,?), ref: 2046701C
#776.MFC80U(20485878), ref: 2046703B
#2311.MFC80U(?,%s (%d),-204A39A4,?), ref: 2046708A
#4026.MFC80U(00000112), ref: 2046709D
#896.MFC80U(?), ref: 204670AC
#2311.MFC80U(?,%d - %d,?,?), ref: 20467107
#896.MFC80U(?,?,?,?,?), ref: 20467119
#776.MFC80U(20492490,?,?,?,?), ref: 20467132
#896.MFC80U(?,?,?,?,?), ref: 20467141
#5869.MFC80U(?,00000001,?,?,?,?,?), ref: 204671E5
#776.MFC80U(20485878), ref: 204671FC
#776.MFC80U(20485878), ref: 2046720B
#4026.MFC80U(00000085), ref: 2046721A
#4026.MFC80U(0000010C,?), ref: 204672B7
#896.MFC80U(?), ref: 20467731

Strings

%d - %d, xrefs: 20467101, 2046753E
/ , xrefs: 20466744
xXH , xrefs: 20466D7F
xXH , xrefs: 2046669F
, xrefs: 2046620A, 20466314
xXH , xrefs: 2046716B
xXH , xrefs: 20466930
xXH , xrefs: 204675B4
xXH , xrefs: 204667B2
%s (%d), xrefs: 20467084, 204674AF
- , xrefs: 20466631
xXH , xrefs: 2046764C
xXH , xrefs: 20466E11
xXH , xrefs: 20466B04
ID: %X, xrefs: 20466C86, 20466D05

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #4026$#896$#776$#899$#5869$#2311$#310#900MessageSend
String ID: $ - $ / $%d - %d$%s (%d)$ID: %X$xXH $xXH $xXH $xXH $xXH $xXH $xXH $xXH $xXH
API String ID: 37426512-947018009
Opcode ID: cabc2dbee85e4aba3fd63b2958040dc1ad44c8bd5ea43a03926384743e42d822
Instruction ID: a5ad9d8399a16f30ac34dc57339c248370c21395f96e8a4d18e51e0fa3845928
Opcode Fuzzy Hash: cabc2dbee85e4aba3fd63b2958040dc1ad44c8bd5ea43a03926384743e42d822
Instruction Fuzzy Hash: 46D26AB15087429FC314DF94CC94B9AB7E4FF98709F008D2DF58693291EB78A949CB92

Function 20413950 Relevance: 239.0, APIs: 127, Strings: 9, Instructions: 972
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#310.MFC80U(A1C94593,?,?,?,75A85540), ref: 204139A7
#310.MFC80U ref: 204139BC

Part of subcall function 20420AE0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 20420AF7
Part of subcall function 20420AE0: SendMessageW.USER32(?,00001009,00000000,00000000), ref: 20420B18

#777.MFC80U(20485874), ref: 204139DA
#777.MFC80U(20485874), ref: 204139E9
#4026.MFC80U(000000FD), ref: 204139F8
#896.MFC80U(?), ref: 20413A07
#900.MFC80U(20488130), ref: 20413A16
#777.MFC80U(20485874,?), ref: 20413A31
#777.MFC80U(20485874), ref: 20413A40
#4026.MFC80U(000000EF), ref: 20413A59
#776.MFC80U(?), ref: 20413A67
#896.MFC80U(?), ref: 20413A76
#900.MFC80U( - ), ref: 20413A8C
#4026.MFC80U(00000089), ref: 20413A9B
#896.MFC80U(?), ref: 20413AAA
#5869.MFC80U(00000000,00000001,?), ref: 20413ABB
#777.MFC80U(20485874,00000000,00000001,?), ref: 20413AC9
#777.MFC80U(20485874), ref: 20413AD8
#4026.MFC80U(00000084), ref: 20413AE7
#4026.MFC80U(000000A2,?), ref: 20413B05
#896.MFC80U(?), ref: 20413B14
#900.MFC80U(20488130), ref: 20413B23
#4026.MFC80U(000000A8), ref: 20413B46
#4026.MFC80U(000000A9), ref: 20413B61
#4026.MFC80U(000000EF), ref: 20413B77
#896.MFC80U(?), ref: 20413B86
#900.MFC80U( ), ref: 20413B95
#4026.MFC80U(000000A3), ref: 20413BA4
#896.MFC80U(?), ref: 20413BB3
#900.MFC80U(20488130), ref: 20413BC2
#4026.MFC80U(000000AA), ref: 20413BE4
#4026.MFC80U(000000AC), ref: 20413BFF
#4026.MFC80U(000000EF), ref: 20413C15
#896.MFC80U(?), ref: 20413C24
#900.MFC80U(2048813C), ref: 20413C3F
#4026.MFC80U(00000102), ref: 20413C4E
#896.MFC80U(?), ref: 20413C5D
#900.MFC80U(2048813C), ref: 20413C72
#4026.MFC80U(00000103), ref: 20413C81
#896.MFC80U(?), ref: 20413C90
#900.MFC80U( ), ref: 20413C9F
#4026.MFC80U(000000B4), ref: 20413CAE
#896.MFC80U(?), ref: 20413CBD
#900.MFC80U(20488130), ref: 20413CCC
#4026.MFC80U(000000BA), ref: 20413CE3
#4026.MFC80U(000000EF), ref: 20413D02
#776.MFC80U(00000000), ref: 20413D19
#896.MFC80U(?), ref: 20413D28
#5869.MFC80U(00000001,00000001,?), ref: 20413D39
#777.MFC80U(20485874,00000001,00000001,?), ref: 20413D4F
#777.MFC80U(20485874), ref: 20413D5E
#4026.MFC80U(00000086), ref: 20413D6D
#4026.MFC80U(000000BA,?), ref: 20413DB6
#896.MFC80U(?), ref: 20413DC5
#4026.MFC80U(000000C8,?), ref: 20413DD7
#896.MFC80U(?), ref: 20413DE6
#900.MFC80U(20488130), ref: 20413DF5
#4026.MFC80U(000000BA), ref: 20413E29
#896.MFC80U(?), ref: 20413E38
_snwprintf_s.MSVCR80 ref: 20413E89
#899.MFC80U(?,?,?,?,?,?,?,?,75A85540), ref: 20413EA3
#900.MFC80U(20488140,?,?,?,?,?,?,?,75A85540), ref: 20413EB2
#899.MFC80U(?,00000002,?), ref: 20413EF7
#900.MFC80U( - ), ref: 20413F06
#899.MFC80U(?), ref: 20413F18
#900.MFC80U(20488140), ref: 20413F27
#5869.MFC80U(?,00000001,?), ref: 204143EC

Strings

/ , xrefs: 20413F6D
%d - %d; , xrefs: 204143B8, 204145AE
- , xrefs: 20413A83, 20413EFD
%ls / %d;, xrefs: 204140E7
%d; , xrefs: 20414349, 2041452B
, xrefs: 20413B8C, 20413C96
xXH , xrefs: 204145ED
xXH , xrefs: 20414265
%d.%d.%d.%d, xrefs: 20413E78

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #4026$#896$#900$#777$#5869#899$#310#776MessageSend$_snwprintf_s
String ID: $ - $ / $%d - %d; $%d.%d.%d.%d$%d; $%ls / %d;$xXH $xXH
API String ID: 2650775939-1412730413
Opcode ID: e3b0b1cbae6526f139b746ec2c712949ead39f22e1a82209597108467d04682c
Instruction ID: 169cefda1df22826ce657370b19dc22772120cb55ed47d989d93c792faa39f45
Opcode Fuzzy Hash: e3b0b1cbae6526f139b746ec2c712949ead39f22e1a82209597108467d04682c
Instruction Fuzzy Hash: 03926B721083419FC714DF94CC88B9EB7F5BB98709F40C92DF586972A1EB38A649CB52

Function 204276C0 Relevance: 77.6, APIs: 42, Strings: 2, Instructions: 621
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#4574.MFC80U(A1C94593), ref: 20427706
#2155.MFC80U(00000000,A1C94593), ref: 20427750
#2155.MFC80U(?,00000000,A1C94593), ref: 2042776C
#2155.MFC80U(?,00000000,A1C94593), ref: 204277AB
InvalidateRect.USER32(?,00000000,00000001), ref: 204277FF
#310.MFC80U(000001C4,000001C6,000001C3,000001C5,00000000,A1C94593), ref: 20427816
_snwprintf_s.MSVCR80 ref: 2042788E
#2310.MFC80U(?,000000F7,?), ref: 204278BA
SendMessageW.USER32(?,00000181,00000000,?), ref: 204278D5
SendMessageW.USER32(?,0000019A,00000000,00000000), ref: 204278E6
#2310.MFC80U(?,000000F8,?,?,?,?), ref: 20427958
SendMessageW.USER32(?,00000181,00000000,?), ref: 20427977
SendMessageW.USER32(?,0000019A,00000000,00000001), ref: 20427988
#2310.MFC80U(?,000000F9,?,?,?,?), ref: 204279F7
SendMessageW.USER32(?,00000181,00000000,?), ref: 20427A16
SendMessageW.USER32(?,0000019A,00000000,00000002), ref: 20427A27
#2310.MFC80U(00000000,000001AB,?,?,?), ref: 20427ACD
SendMessageW.USER32(?,00000181,00000000,?), ref: 20427AE8
SendMessageW.USER32(?,0000019A,00000000,00000003), ref: 20427AF9
#2310.MFC80U(?,000001B5,?,?,?,?), ref: 20427BEC
SendMessageW.USER32(?,00000181,00000000,?), ref: 20427C07
SendMessageW.USER32(?,0000019A,00000000,00000004), ref: 20427C18
#2311.MFC80U(?,2048A5C0,?), ref: 20427CAF
SendMessageW.USER32(?,00000181,00000000,?), ref: 20427D16
SendMessageW.USER32(?,0000019A,00000000,00000005), ref: 20427D27

Strings

%d.%d.%d.%d, xrefs: 2042787D
, xrefs: 20427F36

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: MessageSend$#2310$#2155$#2311#310#4574InvalidateRect_snwprintf_s
String ID: $%d.%d.%d.%d
API String ID: 3043057548-2915810652
Opcode ID: 6da49143dbddd625081548b6f17276a95ca0a4c8e12fae0d74d201b9092ad2c1
Instruction ID: 3481f979ec22c93b63359bec9ef62fccf64b0c2134cbc51f481e68d95ae59acf
Opcode Fuzzy Hash: 6da49143dbddd625081548b6f17276a95ca0a4c8e12fae0d74d201b9092ad2c1
Instruction Fuzzy Hash: 5F428A70208742AFD318CF64C895FAAB7E5BF88704F048A6DF59997391DB34E904CB92

Function 20462D50 Relevance: 36.8, APIs: 24, Instructions: 815COMMON

Download Yara Rule

APIs

Part of subcall function 20420040: #764.MFC80U(?,?,?,20462BF8,A1C94593,?,?,?,00000000,00000000,2047AC89,000000FF,20462A77,?,?,00000000), ref: 20420074

Part of subcall function 2041B640: #764.MFC80U(?,?,?,20462C00,A1C94593,?,?,?,00000000,00000000,2047AC89,000000FF,20462A77,?,?,00000000), ref: 2041B674

Part of subcall function 20412B10: #1176.MFC80U(A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000,2047AC89), ref: 20412B3D
Part of subcall function 20412B10: #764.MFC80U(?,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000), ref: 20412B64
Part of subcall function 20412B10: #764.MFC80U(?,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000), ref: 20412B74
Part of subcall function 20412B10: #764.MFC80U(?,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000), ref: 20412B84
Part of subcall function 20412B10: #764.MFC80U(?,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000), ref: 20412B94
Part of subcall function 20412B10: #764.MFC80U(?,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000), ref: 20412BAD

Part of subcall function 2040F390: #764.MFC80U(?,?,00000000,?,20462C12,00000000,A1C94593,?,?,?,00000000,00000000,2047AC89,000000FF,20462A77,?), ref: 2040F3AF
Part of subcall function 2040F390: #764.MFC80U(?,00000000,?,20462C12,00000000,A1C94593,?,?,?,00000000,00000000,2047AC89,000000FF,20462A77,?), ref: 2040F3C7

Part of subcall function 20412B10: #265.MFC80U(00000000,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000), ref: 20412BF3
Part of subcall function 20412B10: memset.MSVCR80 ref: 20412C00

Part of subcall function 2040FCE0: #764.MFC80U(?,A1C94593,?,?,00000000,00000000,00000000,2047F1AF,000000FF,20462C1C,00000000,A1C94593,?,?,?,00000000), ref: 2040FD2D
Part of subcall function 2040FCE0: #764.MFC80U(?,A1C94593,?,?,00000000,00000000,00000000,2047F1AF,000000FF,20462C1C,00000000,A1C94593,?,?,?,00000000), ref: 2040FD3D
Part of subcall function 2040FCE0: #764.MFC80U(?,A1C94593,?,?,00000000,00000000,00000000,2047F1AF,000000FF,20462C1C,00000000,A1C94593,?,?,?,00000000), ref: 2040FD51

#280.MFC80U(?,?,00000001,00000000,00000000), ref: 20462E3B

Part of subcall function 20462BC0: #2461.MFC80U(00000000,A1C94593,?,?,?,00000000,00000000,2047AC89,000000FF,20462A77,?,?,00000000,?,?), ref: 20462C27
Part of subcall function 20462BC0: #578.MFC80U ref: 20462C6E

#764.MFC80U(?,?,?,?,?,?,00000000,?,?,00000001,00000000,00000000), ref: 20462F5E
#764.MFC80U(?,?,?,?,?,?,00000000,?,?,00000001,00000000,00000000), ref: 20462F72
#764.MFC80U(?,?,?,?,?,?,00000000,?,?,00000001,00000000,00000000), ref: 20462F86
#764.MFC80U(?,?,?,?,?,?,00000000,?,?,00000001,00000000,00000000), ref: 20462F9A
#764.MFC80U(?,?,?,?,?,?,00000000,?,?,?,?,?,00000000,?,?,00000001), ref: 20462FE8
#764.MFC80U(?,?,?,?,?,?,00000000,?,?,?,?,?,00000000,?,?,00000001), ref: 20462FF9
#764.MFC80U(?,?,?,?,?,?,00000000,?,?,?,?,?,00000000,?,?,00000001), ref: 2046300A

Part of subcall function 20412B10: memset.MSVCR80 ref: 20412C7E

Part of subcall function 2040FCE0: #265.MFC80U(?,A1C94593,?,?,00000000,00000000,00000000,2047F1AF,000000FF,20462C1C,00000000,A1C94593,?,?,?,00000000), ref: 2040FD8F
Part of subcall function 2040FCE0: memset.MSVCR80 ref: 2040FD9C

#764.MFC80U(?,?,?,?,?,?,00000000,?,?,?,?,?,00000000,?,?,00000001), ref: 2046301E
#764.MFC80U(?,?,?,?,?,?,00000000,?,?,?,?,?,00000000,?,?,00000001), ref: 204630D6
#764.MFC80U(?,?,?,?,?,?,00000000,?,?,?,?,?,00000000,?,?,00000001), ref: 204630E7
#764.MFC80U(?,?,?,?,?,?,00000000,?,?,?,?,?,00000000,?,?,00000001), ref: 204630F8
#764.MFC80U(?,?,?,?,?,?,00000000,?,?,?,?,?,00000000,?,?,00000001), ref: 20463109
#764.MFC80U(?,?,?,?,?,?,00000000,?,?,?,?,?,00000000,?,?,00000001), ref: 20463122
#764.MFC80U(?,?,?,?,?,?,00000000,?,?,?,?,?,00000000,?,?,00000001), ref: 20463133
#764.MFC80U(?,?,?,?,?,?,00000000,?,?,?,?,?,00000000,?,?,00000001), ref: 20463144
#764.MFC80U(?,?,?,?,?,?,00000000,?,?,?,?,?,00000000,?,?,00000001), ref: 20463155
#1176.MFC80U(?,?,00000001,00000000,00000000), ref: 2046321A
#620.MFC80U(?,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,00000000,?,?), ref: 2046363C
#620.MFC80U(?,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,00000000,?,?), ref: 20463650
#605.MFC80U(?,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,00000000,?,?), ref: 20463663
#620.MFC80U(?,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,00000000,?,?), ref: 204636E1
#620.MFC80U(?,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,00000000,?,?), ref: 204636F5
#605.MFC80U(?,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,00000000,?,?), ref: 20463708

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764$#620$memset$#1176#265#605$#2461#280#578
String ID:
API String ID: 3532419128-0
Opcode ID: f6923c6f791e5853eaf6ab76b2eefd295e5d6ffe9b49acd0faa6d025e7341149
Instruction ID: 960057be93a2f085ab90d871999a437e563e96a6fd75a6c40616e5d940da2715
Opcode Fuzzy Hash: f6923c6f791e5853eaf6ab76b2eefd295e5d6ffe9b49acd0faa6d025e7341149
Instruction Fuzzy Hash: 2D72FFB15083818BC731CF94C8C1BCFB3E5AF94709F04C95DE99997251EB78AA49CB92

Function 2041C9A0 Relevance: 27.3, APIs: 18, Instructions: 307COMMON

Download Yara Rule

APIs

#764.MFC80U(?,?,?,?,00000000,2041EEEA,?,?,?,?,?,?), ref: 2041C9D0
#764.MFC80U(?,?,?,?,00000000,2041EEEA,?,?,?,?,?,?), ref: 2041C9E0
#764.MFC80U(?,?,?,?,00000000,2041EEEA,?,?,?,?,?,?), ref: 2041C9F0
#764.MFC80U(00000000,?,?,?,00000000,2041EEEA,?,?,?,?,?,?), ref: 2041CA09
#764.MFC80U(?,?,?,?,00000000,2041EEEA,?,?,?,?,?,?), ref: 2041CA22
#764.MFC80U(?,?,?,?,00000000,2041EEEA,?,?,?,?,?,?), ref: 2041CA3B
#764.MFC80U(?,?,?,?,00000000,2041EEEA,?,?,?,?,?,?), ref: 2041CA57
#764.MFC80U(?,?,?,?,00000000,2041EEEA,?,?,?,?,?,?), ref: 2041CA70
qsort.MSVCR80 ref: 2041CAA0
qsort.MSVCR80 ref: 2041CAE0
qsort.MSVCR80 ref: 2041CB0A
qsort.MSVCR80 ref: 2041CB34
qsort.MSVCR80 ref: 2041CB75
#265.MFC80U(00000000,?,?,?,00000000,2041EEEA,?,?,?,?,?,?), ref: 2041CBB3
#265.MFC80U(00000000,?,?,?,00000000,2041EEEA,?,?,?,?,?,?), ref: 2041CC14

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764$qsort$#265
String ID:
API String ID: 1244314208-0
Opcode ID: 7c709b07dfba37b4dc4c9307eebcb5279ea5313f7d186075e51f952b3fc88257
Instruction ID: ecd76e829027cae471c9e580738ce7b99bde1b95d902c318f8ba6eef2ec4f2fd
Opcode Fuzzy Hash: 7c709b07dfba37b4dc4c9307eebcb5279ea5313f7d186075e51f952b3fc88257
Instruction Fuzzy Hash: 2BB190B16002059BCB14DFA8CC82A9AB7A1FF48304B94C52DF91997751D739FE85DBC0

Function 20433600 Relevance: 25.7, APIs: 17, Instructions: 155windowkeyboardCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 20433624
#2366.MFC80U(00000000), ref: 2043362B
GetAsyncKeyState.USER32(00000011), ref: 2043363C
GetAsyncKeyState.USER32(00000010), ref: 20433645
GetFocus.USER32 ref: 20433686
#2366.MFC80U(00000000), ref: 2043368D
GetParent.USER32(?), ref: 204336BE
#2366.MFC80U(00000000), ref: 204336C5
#2648.MFC80U(00000000), ref: 204336D5
SendMessageW.USER32(?,00000111,?,?), ref: 204336ED
InvalidateRect.USER32(?,?,00000001,?,?,?), ref: 2043372C
InvalidateRect.USER32(?,?,00000001,?,?,?), ref: 20433739
InvalidateRect.USER32(?,?,00000001,?,?,?), ref: 20433746
InvalidateRect.USER32(?,?,00000001,?,?,?,?,?,?), ref: 2043377A
InvalidateRect.USER32(?,?,00000001,?,?,?,?,?,?), ref: 20433787
InvalidateRect.USER32(?,?,00000001,?,?,?,?,?,?), ref: 20433794
#5210.MFC80U(?), ref: 204337BC

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: InvalidateRect$#2366$AsyncFocusState$#2648#5210MessageParentSend
String ID:
API String ID: 2236022434-0
Opcode ID: e5f8472163658a24f54d053860e28f8de9d25d1832441840bc4068e4f68ef6cb
Instruction ID: d6c53d04e4ebd45af699540442615d6d0114f1a843398b458d8cfd05320b64f5
Opcode Fuzzy Hash: e5f8472163658a24f54d053860e28f8de9d25d1832441840bc4068e4f68ef6cb
Instruction Fuzzy Hash: EB4151B2204700ABD210DBB4CCC1FA7B3A8BB88709F50DA5DF689C7241DA75E945C761

Function 2040EE60 Relevance: 24.9, APIs: 7, Strings: 7, Instructions: 372COMMON

Download Yara Rule

APIs

Part of subcall function 20402090: _wcsicmp.MSVCR80 ref: 204020FE

free.MSVCR80 ref: 2040EF8C
malloc.MSVCR80 ref: 2040EFA3
#1176.MFC80U ref: 2040F19F
free.MSVCR80 ref: 2040F1BB
malloc.MSVCR80 ref: 2040F1CF

Part of subcall function 20401EC0: _wcsicmp.MSVCR80 ref: 20401F2E

#764.MFC80U(?), ref: 2040F2DD

Strings

PE_MODULE, xrefs: 2040EEFA, 2040F0CC
EXCLUDE, xrefs: 2040F00A
BROWSERS, xrefs: 2040F0EC
BROWSER, xrefs: 2040F10E, 2040F2EB
PATH, xrefs: 2040EF51, 2040EFC4, 2040F165, 2040F1EE
PE_MODULES, xrefs: 2040EED8
APP_FLAGS, xrefs: 2040F234

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: _wcsicmpfreemalloc$#1176#764
String ID: APP_FLAGS$BROWSER$BROWSERS$EXCLUDE$PATH$PE_MODULE$PE_MODULES
API String ID: 794166511-2182823657
Opcode ID: d3f1f10bb759c6654089e1c046311acb2bc1d16ab627f953fef81cf91d9bdb57
Instruction ID: 2a6e87a75f8b3fc6c74a09f9cae7ecbd177b1ae4e2273b2d026749da02545a81
Opcode Fuzzy Hash: d3f1f10bb759c6654089e1c046311acb2bc1d16ab627f953fef81cf91d9bdb57
Instruction Fuzzy Hash: 4AE172B15083419FC714CF99C880A5BB7E6BF98718F408A3DF999A7341D739EA05CB92

Function 20464B40 Relevance: 9.3, APIs: 6, Instructions: 282COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?), ref: 20464BC8

Part of subcall function 20464AB0: #2461.MFC80U(00010001,?,?,?,?,20464BD4,?), ref: 20464AF8

LeaveCriticalSection.KERNEL32(?), ref: 20464C3F
#764.MFC80U(?,?,?,?,00000000,00000000), ref: 20464CA7
#764.MFC80U(?,?), ref: 20464D50
#764.MFC80U(?,?,A1C94593,?,?,?), ref: 20464E2D
#764.MFC80U(?,?,?), ref: 20464F19

Part of subcall function 2041C9A0: #764.MFC80U(?,?,?,?,00000000,2041EEEA,?,?,?,?,?,?), ref: 2041C9D0
Part of subcall function 2041C9A0: #764.MFC80U(?,?,?,?,00000000,2041EEEA,?,?,?,?,?,?), ref: 2041C9E0
Part of subcall function 2041C9A0: #764.MFC80U(?,?,?,?,00000000,2041EEEA,?,?,?,?,?,?), ref: 2041C9F0
Part of subcall function 2041C9A0: #764.MFC80U(00000000,?,?,?,00000000,2041EEEA,?,?,?,?,?,?), ref: 2041CA09
Part of subcall function 2041C9A0: #764.MFC80U(?,?,?,?,00000000,2041EEEA,?,?,?,?,?,?), ref: 2041CA22
Part of subcall function 2041C9A0: #764.MFC80U(?,?,?,?,00000000,2041EEEA,?,?,?,?,?,?), ref: 2041CA3B
Part of subcall function 2041C9A0: #764.MFC80U(?,?,?,?,00000000,2041EEEA,?,?,?,?,?,?), ref: 2041CA57
Part of subcall function 2041C9A0: #764.MFC80U(?,?,?,?,00000000,2041EEEA,?,?,?,?,?,?), ref: 2041CA70
Part of subcall function 2041C9A0: qsort.MSVCR80 ref: 2041CAA0

Part of subcall function 2041C400: #764.MFC80U(?,A1C94593,00000000,?,?,00000000,2047EF37,000000FF,204141E8), ref: 2041C441
Part of subcall function 2041C400: #764.MFC80U(?,A1C94593,00000000,?,?,00000000,2047EF37,000000FF,204141E8), ref: 2041C45A
Part of subcall function 2041C400: #764.MFC80U(?,A1C94593,00000000,?,?,00000000,2047EF37,000000FF,204141E8), ref: 2041C473
Part of subcall function 2041C400: #764.MFC80U(?,A1C94593,00000000,?,?,00000000,2047EF37,000000FF,204141E8), ref: 2041C48C
Part of subcall function 2041C400: #764.MFC80U(?,A1C94593,00000000,?,?,00000000,2047EF37,000000FF,204141E8), ref: 2041C4A5
Part of subcall function 2041C400: #764.MFC80U(?,A1C94593,00000000,?,?,00000000,2047EF37,000000FF,204141E8), ref: 2041C4BE
Part of subcall function 2041C400: #764.MFC80U(?,A1C94593,00000000,?,?,00000000,2047EF37,000000FF,204141E8), ref: 2041C4CE
Part of subcall function 2041C400: #764.MFC80U(?,A1C94593,00000000,?,?,00000000,2047EF37,000000FF,204141E8), ref: 2041C4DE
Part of subcall function 2041C400: #764.MFC80U(?,A1C94593,00000000,?,?,00000000,2047EF37,000000FF,204141E8), ref: 2041C4FA
Part of subcall function 2041C400: #764.MFC80U(?,A1C94593,00000000,?,?,00000000,2047EF37,000000FF,204141E8), ref: 2041C516

Part of subcall function 204677F0: EnterCriticalSection.KERNEL32(?), ref: 20467887
Part of subcall function 204677F0: LeaveCriticalSection.KERNEL32(?), ref: 2046789B

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764$CriticalSection$EnterLeave$#2461qsort
String ID:
API String ID: 3166723043-0
Opcode ID: 6fc30c7af073cabd18ac7b3964380b98f00c32fa149624f82ab689f31ac1673f
Instruction ID: e8b5675c7224ba4e7748d1bd8268b0e2504bea7d3dd32206b2339b0d9384b6ac
Opcode Fuzzy Hash: 6fc30c7af073cabd18ac7b3964380b98f00c32fa149624f82ab689f31ac1673f
Instruction Fuzzy Hash: A3C16A715083818BC735CF94C884B9BF7E8BFD8704F448D2EE99997255E734A904CB92

Function 20478952 Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

_crt_debugger_hook.MSVCR80(00000001), ref: 20478FD5
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 20478FDD
UnhandledExceptionFilter.KERNEL32(20483C84), ref: 20478FE8
_crt_debugger_hook.MSVCR80(00000001), ref: 20478FF9
GetCurrentProcess.KERNEL32(C0000409), ref: 20479004
TerminateProcess.KERNEL32(00000000), ref: 2047900B

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled_crt_debugger_hook$CurrentTerminate
String ID:
API String ID: 1952319052-0
Opcode ID: 860ed5c6a1f2dbeceea49a0963ff88d4ebbc692b8e68553eadb04c93b2242d31
Instruction ID: 8bac57b613e01f3e289521a234b69ccc3e518c181047f61f5409c8e065ca41fd
Opcode Fuzzy Hash: 860ed5c6a1f2dbeceea49a0963ff88d4ebbc692b8e68553eadb04c93b2242d31
Instruction Fuzzy Hash: FB21C476809A01AFD300DF54DEA47987FB2BB08309F50C5AAE908963B1EF7D5580AF45

Function 2043AC00 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00000000,00000251,GIF,?,?,00000000,?,2047270C,00000000), ref: 2043AC0B
LoadResource.KERNEL32(00000000,00000000,?,2047270C,00000000), ref: 2043AC20
LockResource.KERNEL32(00000000,?,2047270C,00000000), ref: 2043AC2B
SizeofResource.KERNEL32(00000000,00000000,?,2047270C,00000000), ref: 2043AC39

Strings

GIF, xrefs: 2043AC04

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: GIF
API String ID: 3473537107-881873598
Opcode ID: fda190d25d19b3bb4f23aa5c4472a95b8498435cac0136f821365612f0d413f3
Instruction ID: 25fb0802ef857b1b8cfa482b96e02b8801164d38fb912450ba75ea80aa748c93
Opcode Fuzzy Hash: fda190d25d19b3bb4f23aa5c4472a95b8498435cac0136f821365612f0d413f3
Instruction Fuzzy Hash: AFF0E27220A2182F56002BA5ACCC97B7B9CEB4A06B720A57EFA02D2200DF19CC04A1B1

Function 204211A0 Relevance: 7.9, APIs: 5, Instructions: 395windowCOMMON

Download Yara Rule

APIs

#1176.MFC80U(?,?,00000000,?,?,00000000,?,?,00000000,?,?,?,00000004), ref: 20421292
SendMessageW.USER32(?,00001023,00000000,00000000), ref: 204212A4
SendMessageW.USER32(?,00001025,00000000,00000000), ref: 20421333
#1176.MFC80U(?,00000000,?,?,00000000,?,?,00000000,?,?,?,00000004), ref: 204213D8

Part of subcall function 20421820: #762.MFC80U(00000008,A1C94593,00000000,?), ref: 2042189B
Part of subcall function 20421820: CreateFontIndirectW.GDI32(?), ref: 204218C6
Part of subcall function 20421820: #1271.MFC80U(00000000), ref: 204218CF

#1176.MFC80U(?,00000000,?,?,00000000,?,?,00000000,?,?,?,00000004), ref: 204215B3

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #1176$MessageSend$#1271#762CreateFontIndirect
String ID:
API String ID: 3567125150-0
Opcode ID: c596b150b123cf0fb824b19fe029bece8b1c90fbd336ebc5bc2a6d5d738775bf
Instruction ID: ab8655cf033fe74e562ce33e514001b9a1a4960ed1ab2b43dd18b84213ffceff
Opcode Fuzzy Hash: c596b150b123cf0fb824b19fe029bece8b1c90fbd336ebc5bc2a6d5d738775bf
Instruction Fuzzy Hash: 87D13435309B858FD714CE94E180B96B7E1AFA4708F14C58CEE895B762C339ED4ACB91

Function 2043D840 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 2043D86A

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: e5cb0f8d09211db32fa36cb3dd6a5409fb1ca09698d5fb2ad83bfec6907384d3
Instruction ID: f47e5d62cc04de8b2256f5f769aa09903e1a3ab051587a23db139a3c626e4246
Opcode Fuzzy Hash: e5cb0f8d09211db32fa36cb3dd6a5409fb1ca09698d5fb2ad83bfec6907384d3
Instruction Fuzzy Hash: CCF090706046058FD768DF74C8433EA37E56B98704F81C93CA669C21D1EB3C95049783

Function 20403A70 Relevance: .4, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 772e8142fe3a3ce92b283449413c2f34e5d542bc5b1622f8da163ca8858429ba
Instruction ID: 13f0373110e8bc8474aed2d1245a2fc90ebe293577a033205e891d16d3017eec
Opcode Fuzzy Hash: 772e8142fe3a3ce92b283449413c2f34e5d542bc5b1622f8da163ca8858429ba
Instruction Fuzzy Hash: 9EF12C746087018FC718CF58C590A2ABBE6BF8C719F04896DE98AE7352D738EC05CB46

Function 20405DB0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: _snwprintf_s
String ID:
API String ID: 2338360151-0
Opcode ID: 5edb0150b19be3b253c3e5bc146e12c1adbb77941c162d5ba67b7834c83c78da
Instruction ID: 2bf30c187b0b980205b1f57df9a8e394672104b84b515bf37f1867684d20818b
Opcode Fuzzy Hash: 5edb0150b19be3b253c3e5bc146e12c1adbb77941c162d5ba67b7834c83c78da
Instruction Fuzzy Hash: 474196B15042014BC308DFA9C8516BBB7E5EFB8604F80C93EF58AE6651EA39DA44C796

Function 20405C10 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 868a662ae6dd30aa4f31b376f3b35005072d25e9c95b802d47fb07b9ae0c49d1
Instruction ID: 6a1103ddd9c18026c880f096e47f46a186ed588ba1783c199cf0829f1bbf6f7b
Opcode Fuzzy Hash: 868a662ae6dd30aa4f31b376f3b35005072d25e9c95b802d47fb07b9ae0c49d1
Instruction Fuzzy Hash: 4D019E717029225BB38CCD2F98A41B7E2D3DBD8211380C53EA4DEC7799DE35945ADB90

Function 204046ED Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e9b7770267b3d5b48ccefccea6582f5a03e6425513fd26b549b964dc6858191
Instruction ID: 073012663a3370ed39832b2886ff9c91f14f0fb60ba6ce6617fc78564014522d
Opcode Fuzzy Hash: 2e9b7770267b3d5b48ccefccea6582f5a03e6425513fd26b549b964dc6858191
Instruction Fuzzy Hash: 53D0A732420560CFC7108F58E440541B3F0FF84620B068C7DE48567921D334BC80CB80

Function 20469880 Relevance: 106.9, APIs: 71, Instructions: 447
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#4574.MFC80U ref: 2046988F
#2151.MFC80U(00000001), ref: 204698A4
SendMessageW.USER32(?,00000403,00000000,000001F4), ref: 204698DB
SendMessageW.USER32(?,00000401,00000001,00000000), ref: 204698ED
#2651.MFC80U(00000428,?,00000000,00000001), ref: 204698F6
#1005.MFC80U(00000000,000000BB,00000000,00000000,00000428,?,00000000,00000001), ref: 2046990B
#2651.MFC80U(0000049A,00000428,?,00000000,00000001), ref: 20469917
#1005.MFC80U(00000000,000000BC,00000000,00000000,0000049A,00000428,?,00000000,00000001), ref: 2046992C
#2651.MFC80U(000004CB,0000049A,00000428,?,00000000,00000001), ref: 20469938
#1005.MFC80U(00000000,000000BD,00000000,00000000,000004CB,0000049A,00000428,?,00000000,00000001), ref: 2046994D
#2651.MFC80U(000004D2,000004CB,0000049A,00000428,?,00000000,00000001), ref: 20469959
#1005.MFC80U(00000000,0000023A,00000000,00000000,000004D2,000004CB,0000049A,00000428,?,00000000,00000001), ref: 2046996E
SendMessageW.USER32(?,00000418,00000000,000000A0), ref: 20469986
GetClientRect.USER32(?,?), ref: 20469991
#2651.MFC80U ref: 204699CF
#2651.MFC80U(0000047A,0000000F), ref: 204699E4

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2651$#1005$MessageSend$#2151#4574ClientRect
String ID:
API String ID: 806976987-0
Opcode ID: ddff58e188b93c9b881f87ea9df218667311f3c7bd73662f24d4051d249f027a
Instruction ID: 8c1e3e0cc8fe1bc8adb1f39f175fefed62f22db3fdfe838432a3ad339b57430a
Opcode Fuzzy Hash: ddff58e188b93c9b881f87ea9df218667311f3c7bd73662f24d4051d249f027a
Instruction Fuzzy Hash: 0AE146707407027BE6189BB48C82FAAB799BF94F04F40861CB7499B6D0DFB9EC118795

Function 20464370 Relevance: 82.6, APIs: 45, Strings: 2, Instructions: 308
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#310.MFC80U(A1C94593,?,?,?,?), ref: 204643C1
#310.MFC80U ref: 204643D6
#776.MFC80U(?), ref: 204643F5
#5149.MFC80U(00000104), ref: 20464409
ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000104), ref: 20464418
#5398.MFC80U(00000000), ref: 20464473
#5149.MFC80U(00000000), ref: 20464482
#5398.MFC80U(000000FF), ref: 2046449D
#776.MFC80U(?), ref: 204644B0
#2461.MFC80U(?,00000104), ref: 204644C4
GetShortPathNameW.KERNEL32(00000000), ref: 204644D1
#2461.MFC80U(\\?\,00000004), ref: 204644EE
wcsncmp.MSVCR80 ref: 204644F5
#2461.MFC80U(system), ref: 2046450B
_wcsicmp.MSVCR80 ref: 20464512
#310.MFC80U ref: 20464523
#776.MFC80U(\\?\), ref: 2046453A
#896.MFC80U(?), ref: 20464549
#2461.MFC80U(?,00000104), ref: 2046455D
GetShortPathNameW.KERNEL32(00000000), ref: 20464564
#578.MFC80U ref: 20464574
#578.MFC80U ref: 20464782
#578.MFC80U ref: 20464797

Strings

system, xrefs: 20464502, 20464670
\\?\, xrefs: 204644E5, 20464531, 20464653, 204646AE

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2461$#310#578#776$#5149#5398NamePathShort$#896EnvironmentExpandStrings_wcsicmpwcsncmp
String ID: \\?\$system
API String ID: 4018035189-175627492
Opcode ID: a074a2f78dff0d93a8659069b863debc981802d3ff8d68cffb1b4b2f6dede247
Instruction ID: fb7a9633b7aa5802037cce5318f5ab08ddcb74c0a92cf58fb4973bae68b118f5
Opcode Fuzzy Hash: a074a2f78dff0d93a8659069b863debc981802d3ff8d68cffb1b4b2f6dede247
Instruction Fuzzy Hash: 77C197715087019BC710EF90CCC9B9A77E4FF94716F40892CFA52922A5EF7C9A44CB92

Function 2041BE00 Relevance: 75.6, APIs: 39, Strings: 4, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#310.MFC80U(A1C94593), ref: 2041BE49
#310.MFC80U ref: 2041BE5E
#4026.MFC80U(000000CF), ref: 2041BE75
#896.MFC80U(?), ref: 2041BE84
#900.MFC80U(20488184), ref: 2041BE93
#4026.MFC80U(000000EF), ref: 2041BEA9

Part of subcall function 2041E0F0: _snwprintf_s.MSVCR80 ref: 2041E145
Part of subcall function 2041E0F0: _snwprintf_s.MSVCR80 ref: 2041E179

#776.MFC80U(?), ref: 2041BEB7
#896.MFC80U(?), ref: 2041BEC6
#900.MFC80U(20488188), ref: 2041BED5
#4026.MFC80U(000000D0), ref: 2041BEEA
#896.MFC80U(?), ref: 2041BEF9
#776.MFC80U(00000000), ref: 2041BF07
#896.MFC80U(?), ref: 2041BF16
#900.MFC80U(20488188), ref: 2041BF25
#4026.MFC80U(000000C8), ref: 2041BF34
#896.MFC80U(?), ref: 2041BF43
#900.MFC80U(20488130), ref: 2041BF52
#4026.MFC80U(000000BA), ref: 2041BF7A
#896.MFC80U(?), ref: 2041BF89
_snwprintf_s.MSVCR80 ref: 2041BFD9
#899.MFC80U(?), ref: 2041BFF0
#900.MFC80U(20488140), ref: 2041BFFF
#899.MFC80U(?,?,?), ref: 2041C035
#900.MFC80U( - ), ref: 2041C044
#899.MFC80U(?), ref: 2041C056
#900.MFC80U(20488140), ref: 2041C065
#899.MFC80U(?,?,?), ref: 2041C0A1
#900.MFC80U( / ), ref: 2041C0B0
#899.MFC80U(?), ref: 2041C0C2
#900.MFC80U(20488140), ref: 2041C0D1
#899.MFC80U(?,?,?), ref: 2041C140
#900.MFC80U(20488140), ref: 2041C14F
#2311.MFC80U(?,%ls / %d;,?,?,?,?), ref: 2041C200
#896.MFC80U(?), ref: 2041C20E
#6063.MFC80U(?), ref: 2041C22C
#578.MFC80U(?), ref: 2041C23D
#578.MFC80U ref: 2041C252
#1176.MFC80U ref: 2041C281
#4347.MFC80U(?), ref: 2041C293

Strings

/ , xrefs: 2041C0A7
- , xrefs: 2041C03B
%ls / %d;, xrefs: 2041C1FA
%d.%d.%d.%d, xrefs: 2041BFCB

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #900$#896$#899$#4026$_snwprintf_s$#310#578#776$#1176#2311#4347#6063
String ID: - $ / $%d.%d.%d.%d$%ls / %d;
API String ID: 428142261-2105336867
Opcode ID: ac90e034d3ae0310e7a85c5f209786e44ff2bca9ce7db78bb364263f96657bb2
Instruction ID: 90043ed17399e709728619cef2eeb1962bfa68706d0e13c2d55a6fd07870de37
Opcode Fuzzy Hash: ac90e034d3ae0310e7a85c5f209786e44ff2bca9ce7db78bb364263f96657bb2
Instruction Fuzzy Hash: 16E139715087019FC314DF94CC84A9AB7F5FF98709F008D2DF586976A0EB38AA49DB62

Function 20452110 Relevance: 69.2, APIs: 46, Instructions: 204windowCOMMON

Download Yara Rule

APIs

#2651.MFC80U(000004D8,00000000), ref: 20452145
#2155.MFC80U(000004D8,00000000), ref: 2045214C
#2651.MFC80U(000003EE,00000000,000004D8,00000000), ref: 20452159
#2155.MFC80U(000003EE,00000000,000004D8,00000000), ref: 20452160
#2651.MFC80U(000004D0,00000000,000003EE,00000000,000004D8,00000000), ref: 2045216D
#2155.MFC80U(000004D0,00000000,000003EE,00000000,000004D8,00000000), ref: 20452174
#2651.MFC80U(00000504,00000000,000004D0,00000000,000003EE,00000000,000004D8,00000000), ref: 20452181
#2155.MFC80U(00000504,00000000,000004D0,00000000,000003EE,00000000,000004D8,00000000), ref: 20452188
#2651.MFC80U(0000050A,00000000,00000504,00000000,000004D0,00000000,000003EE,00000000,000004D8,00000000), ref: 20452195
#2155.MFC80U(0000050A,00000000,00000504,00000000,000004D0,00000000,000003EE,00000000,000004D8,00000000), ref: 2045219C
#2651.MFC80U(00000505,00000000), ref: 204521E7
#2155.MFC80U(00000505,00000000), ref: 204521EE
#2651.MFC80U(000004D9,00000000,00000505,00000000), ref: 204521FB
#2155.MFC80U(000004D9,00000000,00000505,00000000), ref: 20452202
#2651.MFC80U(00000509,00000000,000004D9,00000000,00000505,00000000), ref: 2045220F
#2155.MFC80U(00000509,00000000,000004D9,00000000,00000505,00000000), ref: 20452216
#2651.MFC80U(000004BF,00000000,00000509,00000000,000004D9,00000000,00000505,00000000), ref: 20452223
#2155.MFC80U(000004BF,00000000,00000509,00000000,000004D9,00000000,00000505,00000000), ref: 2045222A
#2651.MFC80U(00000428,00000000,000004BF,00000000,00000509,00000000,000004D9,00000000,00000505,00000000), ref: 20452237
#2155.MFC80U(00000428,00000000,000004BF,00000000,00000509,00000000,000004D9,00000000,00000505,00000000), ref: 2045223E
#2651.MFC80U(0000049A,00000000,00000428,00000000,000004BF,00000000,00000509,00000000,000004D9,00000000,00000505,00000000), ref: 2045224B
#2155.MFC80U(0000049A,00000000,00000428,00000000,000004BF,00000000,00000509,00000000,000004D9,00000000,00000505,00000000), ref: 20452252
#2651.MFC80U(00000499,00000000,0000049A,00000000,00000428,00000000,000004BF,00000000,00000509,00000000,000004D9,00000000,00000505,00000000), ref: 2045225F
#2155.MFC80U(00000499,00000000,0000049A,00000000,00000428,00000000,000004BF,00000000,00000509,00000000,000004D9,00000000,00000505,00000000), ref: 20452266
#2651.MFC80U(000004D4,00000000,00000499,00000000,0000049A,00000000,00000428,00000000,000004BF,00000000,00000509,00000000,000004D9,00000000,00000505,00000000), ref: 20452273
#2155.MFC80U(000004D4,00000000,00000499,00000000,0000049A,00000000,00000428,00000000,000004BF,00000000,00000509,00000000,000004D9,00000000,00000505,00000000), ref: 2045227A
#2651.MFC80U(000003F7,00000000,000004D4,00000000,00000499,00000000,0000049A,00000000,00000428,00000000,000004BF,00000000,00000509,00000000,000004D9,00000000), ref: 20452287
#2155.MFC80U(000003F7,00000000,000004D4,00000000,00000499,00000000,0000049A,00000000,00000428,00000000,000004BF,00000000,00000509,00000000,000004D9,00000000), ref: 2045228E
#2651.MFC80U(000003F8,00000000,000003F7,00000000,000004D4,00000000,00000499,00000000,0000049A,00000000,00000428,00000000,000004BF,00000000,00000509,00000000), ref: 2045229B
#2155.MFC80U(000003F8,00000000,000003F7,00000000,000004D4,00000000,00000499,00000000,0000049A,00000000,00000428,00000000,000004BF,00000000,00000509,00000000), ref: 204522A2
SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 204522E1
#2651.MFC80U(00000499,00000000,?,2045120B,00000001,00000000), ref: 204522EF
#2155.MFC80U(00000499,00000000,?,2045120B,00000001,00000000), ref: 204522F6
#2651.MFC80U(0000049A,00000000,00000499,00000000,?,2045120B,00000001,00000000), ref: 20452304
#2155.MFC80U(0000049A,00000000,00000499,00000000,?,2045120B,00000001,00000000), ref: 2045230B
#2651.MFC80U(000003F7,00000000,0000049A,00000000,00000499,00000000,?,2045120B,00000001,00000000), ref: 20452319
#2155.MFC80U(000003F7,00000000,0000049A,00000000,00000499,00000000,?,2045120B,00000001,00000000), ref: 20452320
#2651.MFC80U(000004D4,00000001,000003F7,00000001,0000049A,00000001,00000499,00000001,?,2045120B,00000001,00000000), ref: 2045232E
#2155.MFC80U(000004D4,00000001,000003F7,00000001,0000049A,00000001,00000499,00000001,?,2045120B,00000001,00000000), ref: 20452335
#1176.MFC80U(?,2045120B,00000001,00000000), ref: 2045233F
#2651.MFC80U(00000499,00000001,?,2045120B,00000001,00000000), ref: 2045237E
#2155.MFC80U(00000499,00000001,?,2045120B,00000001,00000000), ref: 20452385
#2651.MFC80U(0000049A,00000001,00000499,00000001,?,2045120B,00000001,00000000), ref: 20452393
#2155.MFC80U(0000049A,00000001,00000499,00000001,?,2045120B,00000001,00000000), ref: 2045239A
#2651.MFC80U(000003F7,00000001,0000049A,00000001,00000499,00000001,?,2045120B,00000001,00000000), ref: 204523A8
#2155.MFC80U(000003F7,00000001,0000049A,00000001,00000499,00000001,?,2045120B,00000001,00000000), ref: 204523AF

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2155#2651$#1176MessageSend
String ID:
API String ID: 3597693756-0
Opcode ID: bc34519fbc58735ceab56caef8684ec06317434b7573c2e777f47df328bb0116
Instruction ID: 5b3ee57f764aaf6637235102a7c02bb01dbd315285f2a9fc9a3a034b04cf5d66
Opcode Fuzzy Hash: bc34519fbc58735ceab56caef8684ec06317434b7573c2e777f47df328bb0116
Instruction Fuzzy Hash: 4F514070380741AAD91657B14C66FBF26AA8BE2F08F80C52DB6416FAE0CE7C9D03C745

Function 20426920 Relevance: 68.6, APIs: 37, Strings: 2, Instructions: 321windowCOMMON

Download Yara Rule

APIs

#4112.MFC80U(00000000,00000400,00000000), ref: 20426994
SendMessageW.USER32(?,00000474,00000000,00000000), ref: 204269C4
#2366.MFC80U(00000000), ref: 204269C7
GetWindowRect.USER32(?,?), ref: 204269DB
#5609.MFC80U(?), ref: 204269E4
GetWindowRect.USER32(?,?), ref: 204269F2
#4119.MFC80U(?,?,?,?,00000001), ref: 20426A17
#5609.MFC80U(?,?,?,?,?,00000001), ref: 20426A23
GetWindowRect.USER32(?,?), ref: 20426A34
#5609.MFC80U(?), ref: 20426A3D
#762.MFC80U(00000054,?), ref: 20426A66
#1545.MFC80U(50800844,?,?,00000003), ref: 20426AA9
#6086.MFC80U(00000000,50800844,?,?,00000003), ref: 20426AB5
#2651.MFC80U(00000001,00000000,50800844,?,?,00000003), ref: 20426ACE
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 20426ADB
#2362.MFC80U(00000000,?,00000003), ref: 20426ADE
SendMessageW.USER32(?,00000030,?,00000001), ref: 20426AFD
#762.MFC80U(000000DC,?,00000003), ref: 20426B04
#1562.MFC80U(50804005,?,?,00000004), ref: 20426B49
memset.MSVCR80 ref: 20426BAD
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 20426BC5
#2362.MFC80U(00000000), ref: 20426BC8
GetObjectW.GDI32(?,0000005C,?), ref: 20426BDB
CreateFontIndirectW.GDI32(?), ref: 20426BEF
#1271.MFC80U(00000000), ref: 20426BF8
CreateFontIndirectW.GDI32 ref: 20426C16
#1271.MFC80U(00000000), ref: 20426C1F

Strings

n, xrefs: 20426B6F
Column 0, xrefs: 20426B4E

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: MessageSend$#5609RectWindow$#1271#2362#762CreateFontIndirect$#1545#1562#2366#2651#4112#4119#6086Objectmemset
String ID: Column 0$n
API String ID: 1214218300-1629151783
Opcode ID: 849847efee924b196100a539a41ceb1258c5fa91bf222e3bd34c776a2636ad2f
Instruction ID: bedc3ba552ba0a2bd24c9c4beb38efaea4eda69a7990d98176306c8c26aa3678
Opcode Fuzzy Hash: 849847efee924b196100a539a41ceb1258c5fa91bf222e3bd34c776a2636ad2f
Instruction Fuzzy Hash: 76C152B16047409FD724CBB4CC85FEBB7E9BB98B04F108A1DF19997290DBB9A9018B51

Function 2042DD40 Relevance: 64.8, APIs: 43, Instructions: 270windowCOMMON

Download Yara Rule

APIs

#4577.MFC80U(A1C94593,?,?,?,?,?,?,2047CCA9,000000FF,20426985), ref: 2042DD67
#4112.MFC80U(00000000,00000400,00000000,A1C94593,?,?,?,?,?,?,2047CCA9,000000FF,20426985), ref: 2042DD77
#6063.MFC80U(?,00000000,00000400,00000000,A1C94593,?,?,?,?,?,?,2047CCA9,000000FF,20426985), ref: 2042DD85
#310.MFC80U(?,00000000,00000400,00000000,A1C94593,?,?,?,?,?,?,2047CCA9,000000FF,20426985), ref: 2042DD8E
#2651.MFC80U(00000001,?,?,?,?,?,?,2047CCA9,000000FF,20426985), ref: 2042DDA0
#776.MFC80U(?,00000001,?,?,?,?,?,?,2047CCA9,000000FF,20426985), ref: 2042DDB6
#6063.MFC80U(?,?,?,?,?,?,?,2047CCA9,000000FF,20426985), ref: 2042DDC9
#2651.MFC80U(00000002,00000001,?,?,?,?,?,?,2047CCA9,000000FF,20426985), ref: 2042DDD2
#776.MFC80U(?,00000002,00000001,?,?,?,?,?,?,2047CCA9,000000FF,20426985), ref: 2042DDE8
#6063.MFC80U(?,?,?,?,?,?,?,2047CCA9,000000FF,20426985), ref: 2042DDFB
#2651.MFC80U(00003023,00000002,00000001,?,?,?,?,?,?,2047CCA9,000000FF,20426985), ref: 2042DE07
#776.MFC80U(?,00003023,00000002,00000001,?,?,?,?,?,?,2047CCA9,000000FF,20426985), ref: 2042DE1D
#6063.MFC80U(?,?,?,?,?,?,?,2047CCA9,000000FF,20426985), ref: 2042DE30
#2651.MFC80U(00003024,00003023,00000002,00000001,?,?,?,?,?,?,2047CCA9,000000FF,20426985), ref: 2042DE3C
#776.MFC80U(?,00003024,00003023,00000002,00000001,?,?,?,?,?,?,2047CCA9,000000FF,20426985), ref: 2042DE52
#6063.MFC80U(?,?,?,?,?,?,?,2047CCA9,000000FF,20426985), ref: 2042DE65
#2651.MFC80U(00003025,00003024,00003023,00000002,00000001,?,?,?,?,?,?,2047CCA9,000000FF,20426985), ref: 2042DE71
#776.MFC80U(?,00003025,00003024,00003023,00000002,00000001,?,?,?,?,?,?,2047CCA9,000000FF,20426985), ref: 2042DE87
#6063.MFC80U(?,?,?,?,?,?,?,2047CCA9,000000FF,20426985), ref: 2042DE9A
SendMessageW.USER32(?,00000401,00000001,00000000), ref: 2042DED5
#2651.MFC80U(00000001,?,00000000,00003025,00003024,00003023,00000002,00000001,?,?,?,?,?,?,2047CCA9,000000FF), ref: 2042DEDF
#776.MFC80U(?,00000001,?,00000000,00003025,00003024,00003023,00000002,00000001,?,?,?,?,?,?,2047CCA9), ref: 2042DEF5
#1006.MFC80U(00000000,?,00000000,00000000,?,00000000,00003025,00003024,00003023,00000002,00000001), ref: 2042DF0D
#2651.MFC80U(00000002,00000001,?,00000000,00003025,00003024,00003023,00000002,00000001,?,?,?,?,?,?,2047CCA9), ref: 2042DF16
#776.MFC80U(?,00000002,00000001,?,00000000,00003025,00003024,00003023,00000002,00000001,?,?,?,?,?,?), ref: 2042DF2C
#1006.MFC80U(00000000,?,00000000,00000000,?,00000000,00003025,00003024,00003023,00000002,00000001), ref: 2042DF44
#2651.MFC80U(00003023,00000002,00000001,?,00000000,00003025,00003024,00003023,00000002,00000001,?,?,?,?,?,?), ref: 2042DF50
#776.MFC80U(?,00003023,00000002,00000001,?,00000000,00003025,00003024,00003023,00000002,00000001), ref: 2042DF66
#1006.MFC80U(00000000,?,00000000,00000000,?,00000000,00003025,00003024,00003023,00000002,00000001), ref: 2042DF7E
#2651.MFC80U(00003024,00003023,00000002,00000001,?,00000000,00003025,00003024,00003023,00000002,00000001), ref: 2042DF8A
#776.MFC80U(?,00003024,00003023,00000002,00000001,?,00000000,00003025,00003024,00003023,00000002,00000001), ref: 2042DFA0
#1006.MFC80U(00000000,?,00000000,00000000,?,00000000,00003025,00003024,00003023,00000002,00000001), ref: 2042DFB8
#2651.MFC80U(00003025,00003024,00003023,00000002,00000001,?,00000000,00003025,00003024,00003023,00000002,00000001), ref: 2042DFC4
#776.MFC80U(?,00003025,00003024,00003023,00000002,00000001,?,00000000,00003025,00003024,00003023,00000002,00000001), ref: 2042DFDA
#1006.MFC80U(00000000,?,00000000,00000000,?,00000000,00003025,00003024,00003023,00000002,00000001), ref: 2042DFF2
GetNextDlgTabItem.USER32(?,00000000,00000000), ref: 2042DFFF
#2366.MFC80U(00000000,?,00000000,00003025,00003024,00003023,00000002,00000001,?,?,?,?,?,?,2047CCA9,000000FF), ref: 2042E006
#2648.MFC80U(00000000,?,00000000,00003025,00003024,00003023,00000002,00000001,?,?,?,?,?,?,2047CCA9,000000FF), ref: 2042E015
#1005.MFC80U(00000000,00000000,00000000,00000000,00000000,?,00000000,00003025,00003024,00003023,00000002,00000001), ref: 2042E02B
GetNextDlgTabItem.USER32(?,?,00000000), ref: 2042E03A
#2366.MFC80U(00000000,?,00000000,00003025,00003024,00003023,00000002,00000001,?,?,?,?,?,?,2047CCA9,000000FF), ref: 2042E041
SetForegroundWindow.USER32(?), ref: 2042E054
#578.MFC80U(?,00000000,00003025,00003024,00003023,00000002,00000001,?,?,?,?,?,?,2047CCA9,000000FF,20426985), ref: 2042E066

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2651#776$#6063$#1006$#2366ItemNext$#1005#2648#310#4112#4577#578ForegroundMessageSendWindow
String ID:
API String ID: 1760983415-0
Opcode ID: abc1e75d1e78bcdaa42f523bd2ec47a1bbf9349a3717bca76796ed268893b230
Instruction ID: 736d7076bb40e73f9e1b27985b82545e162d865dc7067139393270ec5b5eae04
Opcode Fuzzy Hash: abc1e75d1e78bcdaa42f523bd2ec47a1bbf9349a3717bca76796ed268893b230
Instruction Fuzzy Hash: 19919B71304B019FD311DBA4CC59BAEB2EAAB90B45F40C82CF2529B6E0DF78AD05CB55

Function 20437980 Relevance: 58.8, APIs: 39, Instructions: 339windowCOMMON

Download Yara Rule

APIs

CopyRect.USER32(?,?), ref: 204379CC
#310.MFC80U(?,?,?,?), ref: 204379D6
SendMessageW.USER32(00000020,00001200,00000000,00000000), ref: 20437A02
#578.MFC80U ref: 20437A18
SendMessageW.USER32(00000020,00001207,-000000FF,?), ref: 20437A37
#2468.MFC80U ref: 20437A5D
SendMessageW.USER32(?,?,?,00000020), ref: 20437A84
#5398.MFC80U(000000FF,?,?,?,00000020,0000120B,?,?), ref: 20437A90
#347.MFC80U ref: 20437AE3
#1270.MFC80U(?), ref: 20437AF5
#347.MFC80U(?), ref: 20437AFE
CreateCompatibleDC.GDI32(?), ref: 20437B10
#1270.MFC80U(00000000), ref: 20437B1B
#5633.MFC80U(?,?,00000000), ref: 20437B6E
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 20437BA8
#5633.MFC80U(?,00000000,?,?,00000000), ref: 20437BE8
#5633.MFC80U(?,?,?,00000000,?,?,00000000), ref: 20437C39
BitBlt.GDI32(?,00000100,?,?,?,?,00000000,00000000,00CC0020), ref: 20437C6B
#5633.MFC80U(?,00000000), ref: 20437C7E
InflateRect.USER32(?,000000F7,000000FD), ref: 20437CB6
GetCurrentObject.GDI32(?,00000006), ref: 20437CC3
#2362.MFC80U(00000000), ref: 20437CCA
GetObjectW.GDI32(?,0000005C,?), ref: 20437CFC

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #5633$MessageSend$#1270#347ObjectRect$#2362#2468#310#5398#578CompatibleCopyCreateCurrentInflate
String ID:
API String ID: 2914055605-0
Opcode ID: 83ae490c0e33038c8937393e5beb0e7bd944c651b64bba942306a94834426b83
Instruction ID: 45bf28f37d71678c5795a452685a6bbd76352e7e5ba656948005ded63e917d8a
Opcode Fuzzy Hash: 83ae490c0e33038c8937393e5beb0e7bd944c651b64bba942306a94834426b83
Instruction Fuzzy Hash: AAD107711087459FC324DFA4C884FABB7F8BB88714F10CA1CF595972A0DB78A905CB62

Function 20450CD0 Relevance: 56.4, APIs: 31, Strings: 1, Instructions: 377windowCOMMON

Download Yara Rule

APIs

#1176.MFC80U ref: 20450D82
GetWindowRect.USER32(?,?), ref: 20450D93
#5609.MFC80U(?), ref: 20450DA1
#3395.MFC80U(?), ref: 20450DAE
#2713.MFC80U(?), ref: 20450DB9
GetParent.USER32(?), ref: 20450DC9
#2366.MFC80U(00000000), ref: 20450DD0
#2648.MFC80U(00000000), ref: 20450DDB
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 20450DF1
#2362.MFC80U(00000000), ref: 20450DF8
memmove_s.MSVCR80 ref: 20450E75
#762.MFC80U(00000054,00000000), ref: 20450E91
#4109.MFC80U(00000000,?,00000020), ref: 20450EF6
SendMessageW.USER32(?,00000030,?,00000001), ref: 20450F0F
#4112.MFC80U(00000000,?,00000020), ref: 20450F20
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 20450F7C
SendMessageW.USER32(?,00000184,00000000,00000000), ref: 20450FD3
#6086.MFC80U(00000000), ref: 20450FF2
#2155.MFC80U(00000000,00000000), ref: 20451010
SendMessageW.USER32(?,0000014A,00000000,?), ref: 2045105C
SendMessageW.USER32 ref: 20451083
#6086.MFC80U(00000005), ref: 204510A8
#2155.MFC80U(00000001,00000005), ref: 204510C6
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 204510DD
#6735.MFC80U(?), ref: 2045110D
#2260.MFC80U(0000007C,00000000), ref: 20451127
#4101.MFC80U(?,00000000,00000000), ref: 20451159
SendMessageW.USER32(?,00000180,00000000), ref: 2045118F
#578.MFC80U ref: 2045119E
#578.MFC80U ref: 204511C2
#6232.MFC80U(00000000), ref: 204511F8

Strings

(, xrefs: 204511CE

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: MessageSend$#2155#578#6086$#1176#2260#2362#2366#2648#2713#3395#4101#4109#4112#5609#6232#6735#762ParentRectWindowmemmove_s
String ID: (
API String ID: 108199104-3887548279
Opcode ID: 060ed452582c12643f33fb5744c78ed1fb589be9d0fad5b5a129ed56d525e140
Instruction ID: aa4d5a303be5df6e6a358187d511004a39c7ace117a392d3b63d25a9527070c8
Opcode Fuzzy Hash: 060ed452582c12643f33fb5744c78ed1fb589be9d0fad5b5a129ed56d525e140
Instruction Fuzzy Hash: DCF180716042019FD714CF94C8C5FAA7BB5BF98708F04C6ACF9488B292DB78E949CB61

Function 2045D6F0 Relevance: 54.5, APIs: 30, Strings: 1, Instructions: 248windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 2045D71E
GetSystemMetrics.USER32(00000031), ref: 2045D723
#1555.MFC80U(00000000), ref: 2045D728
GetSysColor.USER32(00000005), ref: 2045D72F
#1079.MFC80U(?,00000000), ref: 2045D73D

Part of subcall function 20427250: #1079.MFC80U(?,A1C94593), ref: 2042728B
Part of subcall function 20427250: #6749.MFC80U(?,?,A1C94593), ref: 20427297

LoadIconW.USER32(00000000,00007F00), ref: 2045D756
DestroyCursor.USER32(00000000), ref: 2045D77F
#1079.MFC80U(?,000000FF,00000000), ref: 2045D76C

Part of subcall function 204353D0: #1079.MFC80U(?,A1C94593), ref: 2043540B
Part of subcall function 204353D0: #6749.MFC80U(?,?,A1C94593), ref: 20435417
Part of subcall function 204353D0: #1176.MFC80U(?,?,A1C94593), ref: 20435444

#4574.MFC80U ref: 2045D787
#4109.MFC80U(00000000,00040000,00000000), ref: 2045D797
SendMessageW.USER32(?,00000080,00000001,00000000), ref: 2045D7AF
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 2045D7BE
#3869.MFC80U(00000000,Column_0,00000000,00000064,000000FF), ref: 2045D7D3
SendMessageW.USER32(?,00001009,00000000,00000000), ref: 2045D7E8
SendMessageW.USER32(?,0000104E,00000000,00000000), ref: 2045D7FA
#2366.MFC80U(00000000), ref: 2045D7FD
SendMessageW.USER32(?,00000418,00000000,000000A0), ref: 2045D816
GetClientRect.USER32(?,0000000A), ref: 2045D821
#2651.MFC80U ref: 2045D85C
#2651.MFC80U(00000001,0000000A), ref: 2045D86E
#2651.MFC80U(00000002,0000000A,00000001,0000000A), ref: 2045D880
SendMessageW.USER32(?,00001003,00000001,?), ref: 2045D8A2
#2364.MFC80U(00000000), ref: 2045D8A9

Strings

Column_0, xrefs: 2045D7C6

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: MessageSend$#1079$#2651$#6749MetricsSystem$#1176#1555#2364#2366#3869#4109#4574ClientColorCursorDestroyIconLoadRect
String ID: Column_0
API String ID: 2103283411-1630879286
Opcode ID: 5d6fa8bb70667fd672e0d5e94e862f5e3e0c697cce582e92b5d20558c6df8bb8
Instruction ID: dd8e0921d3901aff80e3a421ab691459f02cf68530f25cea5a982d83c5e6769e
Opcode Fuzzy Hash: 5d6fa8bb70667fd672e0d5e94e862f5e3e0c697cce582e92b5d20558c6df8bb8
Instruction Fuzzy Hash: 8281D671780705BBE224DBA4CC86F6AB7A4BF54B08F10C61CF7596B2D1DBB8B8448791

Function 204582D0 Relevance: 54.1, APIs: 36, Instructions: 147windowCOMMON

Download Yara Rule

APIs

#2651.MFC80U(000004E9,00000000,?,20458068,?,00000000), ref: 204582EA
#2155.MFC80U(000004E9,00000000,?,20458068,?,00000000), ref: 204582F1
#2651.MFC80U(000004EA,00000000,000004E9,00000000,?,20458068,?,00000000), ref: 204582FE
#2155.MFC80U(000004EA,00000000,000004E9,00000000,?,20458068,?,00000000), ref: 20458305
#2651.MFC80U(000004EB,00000000,000004EA,00000000,000004E9,00000000,?,20458068,?,00000000), ref: 20458312
#2155.MFC80U(000004EB,00000000,000004EA,00000000,000004E9,00000000,?,20458068,?,00000000), ref: 20458319
#2651.MFC80U(000004F0,00000000,000004EB,00000000,000004EA,00000000,000004E9,00000000,?,20458068,?,00000000), ref: 20458326
#2155.MFC80U(000004F0,00000000,000004EB,00000000,000004EA,00000000,000004E9,00000000,?,20458068,?,00000000), ref: 2045832D
#2651.MFC80U(000003EE,00000000,000004F0,00000000,000004EB,00000000,000004EA,00000000,000004E9,00000000,?,20458068,?,00000000), ref: 2045833A
#2155.MFC80U(000003EE,00000000,000004F0,00000000,000004EB,00000000,000004EA,00000000,000004E9,00000000,?,20458068,?,00000000), ref: 20458341
#2651.MFC80U(000004DA,00000000,000003EE,00000000,000004F0,00000000,000004EB,00000000,000004EA,00000000,000004E9,00000000,?,20458068,?,00000000), ref: 2045834E
#2155.MFC80U(000004DA,00000000,000003EE,00000000,000004F0,00000000,000004EB,00000000,000004EA,00000000,000004E9,00000000,?,20458068,?,00000000), ref: 20458355
#2651.MFC80U(000004DB,00000000,000004DA,00000000,000003EE,00000000,000004F0,00000000,000004EB,00000000,000004EA,00000000,000004E9,00000000,?,20458068), ref: 20458362
#2155.MFC80U(000004DB,00000000,000004DA,00000000,000003EE,00000000,000004F0,00000000,000004EB,00000000,000004EA,00000000,000004E9,00000000,?,20458068), ref: 20458369
#2651.MFC80U(000004E8,00000000,000004DB,00000000,000004DA,00000000,000003EE,00000000,000004F0,00000000,000004EB,00000000,000004EA,00000000,000004E9,00000000), ref: 20458376
#2155.MFC80U(000004E8,00000000,000004DB,00000000,000004DA,00000000,000003EE,00000000,000004F0,00000000,000004EB,00000000,000004EA,00000000,000004E9,00000000), ref: 2045837D
#2651.MFC80U(00000480,00000000,000004E8,00000000,000004DB,00000000,000004DA,00000000,000003EE,00000000,000004F0,00000000,000004EB,00000000,000004EA,00000000), ref: 2045838A
#2155.MFC80U(00000480,00000000,000004E8,00000000,000004DB,00000000,000004DA,00000000,000003EE,00000000,000004F0,00000000,000004EB,00000000,000004EA,00000000), ref: 20458391
#2651.MFC80U(00000481,00000000,00000480,00000000,000004E8,00000000,000004DB,00000000,000004DA,00000000,000003EE,00000000,000004F0,00000000,000004EB,00000000), ref: 2045839E
#2155.MFC80U(00000481,00000000,00000480,00000000,000004E8,00000000,000004DB,00000000,000004DA,00000000,000003EE,00000000,000004F0,00000000,000004EB,00000000), ref: 204583A5
#2651.MFC80U(00000485,00000000,00000481,00000000,00000480,00000000,000004E8,00000000,000004DB,00000000,000004DA,00000000,000003EE,00000000,000004F0,00000000), ref: 204583B2
#2155.MFC80U(00000485,00000000,00000481,00000000,00000480,00000000,000004E8,00000000,000004DB,00000000,000004DA,00000000,000003EE,00000000,000004F0,00000000), ref: 204583B9
#2651.MFC80U(00000414,00000000,00000485,00000000,00000481,00000000,00000480,00000000,000004E8,00000000,000004DB,00000000,000004DA,00000000,000003EE,00000000), ref: 204583C6
#2155.MFC80U(00000414,00000000,00000485,00000000,00000481,00000000,00000480,00000000,000004E8,00000000,000004DB,00000000,000004DA,00000000,000003EE,00000000), ref: 204583CD
#2651.MFC80U(000004EF,00000000,00000414,00000000,00000485,00000000,00000481,00000000,00000480,00000000,000004E8,00000000,000004DB,00000000,000004DA,00000000), ref: 204583DA
#2155.MFC80U(000004EF,00000000,00000414,00000000,00000485,00000000,00000481,00000000,00000480,00000000,000004E8,00000000,000004DB,00000000,000004DA,00000000), ref: 204583E1
#2651.MFC80U(00000481,000004EF,?,?,00000000,00000414,00000000,00000485,00000000,00000481,00000000,00000480,00000000,000004E8,00000000,000004DB), ref: 2045840D
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 20458425
#2651.MFC80U(00000480,?,00000000,00000414,00000000,00000485,00000000,00000481,00000000,00000480,00000000,000004E8,00000000,000004DB,00000000,000004DA), ref: 20458432
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 20458444
#2651.MFC80U(00000485,?,00000000,00000414,00000000,00000485,00000000,00000481,00000000,00000480,00000000,000004E8,00000000,000004DB,00000000,000004DA), ref: 20458451
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 20458463
#2651.MFC80U(00000503,00000000,?,?,00000000,00000414,00000000,00000485,00000000,00000481,00000000,00000480,00000000,000004E8,00000000,000004DB), ref: 20458474
#2155.MFC80U(00000503,00000000,?,?,00000000,00000414,00000000,00000485,00000000,00000481,00000000,00000480,00000000,000004E8,00000000,000004DB), ref: 2045847B
#2651.MFC80U(00000502,00000000,00000503,00000000,?,?,00000000,00000414,00000000,00000485,00000000,00000481,00000000,00000480,00000000,000004E8), ref: 20458488
#2155.MFC80U(00000502,00000000,00000503,00000000,?,?,00000000,00000414,00000000,00000485,00000000,00000481,00000000,00000480,00000000,000004E8), ref: 2045848F

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2651$#2155$MessageSend
String ID:
API String ID: 2554225707-0
Opcode ID: 2a91c41e58a9239e0cf9fb06e0310c7268f69ef36e89a5c0e7b838b5ee56a8b0
Instruction ID: 77c20bd14644053fe35fb93ba4e152a15ee534d5efd993665a1fbf02ccc77aa3
Opcode Fuzzy Hash: 2a91c41e58a9239e0cf9fb06e0310c7268f69ef36e89a5c0e7b838b5ee56a8b0
Instruction Fuzzy Hash: 2B41EDB07C06516AD91963F14C67FBF156ADBE2E08F80C52CB2426FAE0DDAC9D038759

Function 204223F0 Relevance: 51.3, APIs: 34, Instructions: 298windowCOMMON

Download Yara Rule

APIs

#347.MFC80U(A1C94593), ref: 20422439
#1270.MFC80U(?), ref: 20422451
#5584.MFC80U(?), ref: 2042245A
CopyRect.USER32(?,?), ref: 2042246C
CreateRectRgnIndirect.GDI32(?), ref: 2042249F
#1271.MFC80U(00000000), ref: 204224AA
#5635.MFC80U(20488C48,00000000), ref: 204224B8
#1925.MFC80U(20488C48,00000000), ref: 204224C1
GetSysColor.USER32(0000000F), ref: 204224C8
#326.MFC80U(00000000), ref: 204224D3
FillRect.USER32(?,?,?), ref: 204224EF
SendMessageW.USER32(?,0000120B,?,?), ref: 2042252B
CopyRect.USER32(?,?), ref: 20422577
DrawTextW.USER32(?,?,000000FF,?,00008924), ref: 204225D8
GetSysColor.USER32(00000014), ref: 204225FC
#502.MFC80U(00000000,00000001,00000000), ref: 20422607
GetSysColor.USER32(00000010), ref: 20422616
#502.MFC80U(00000000,00000001,00000000), ref: 20422621
#5638.MFC80U(?,00000000,00000001,00000000), ref: 20422637
#4117.MFC80U(?,?,?,?,00000000,00000001,00000000), ref: 2042265E
#3995.MFC80U(?,?,?,?,?,?,00000000,00000001,00000000), ref: 20422678
#3995.MFC80U(?,?,?,?,?,?,?,?,00000000,00000001,00000000), ref: 20422698
#5638.MFC80U(?,?,?,?,?,?,?,?,?,00000000,00000001,00000000), ref: 204226A6
#4117.MFC80U(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,00000000), ref: 204226C8
#3995.MFC80U(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 20422765
#5638.MFC80U(00008924,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 20422773
#5519.MFC80U(?), ref: 204227A3
#1957.MFC80U(?), ref: 204227AC

Part of subcall function 20414A70: #1925.MFC80U(A1C94593,?,?,?,00000000,2047B9E9,000000FF), ref: 20414AB9

#602.MFC80U(?), ref: 20422802

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: Rect$#3995#5638Color$#1925#4117#502Copy$#1270#1271#1957#326#347#5519#5584#5635#602CreateDrawFillIndirectMessageSendText
String ID:
API String ID: 1715972708-0
Opcode ID: 9fca55ed4a40095a3227d01100ba49ce01f027b267da5f4119c3224918b91aad
Instruction ID: d666b1c84b9d6d69ff095b1d7bad3806f02d2e1acc2ac58b3e1f69ded9572eef
Opcode Fuzzy Hash: 9fca55ed4a40095a3227d01100ba49ce01f027b267da5f4119c3224918b91aad
Instruction Fuzzy Hash: 7FC14D71108381AFC354CF64C995BABBBF4FF94704F408A1CF195872A4DB38A949CB92

Function 2046A870 Relevance: 51.3, APIs: 34, Instructions: 262windowCOMMON

Download Yara Rule

APIs

#1058.MFC80U(00000082,00000004,00000082), ref: 2046A8BC
LoadMenuW.USER32(00000000,00000082), ref: 2046A8C2
#1274.MFC80U(00000000), ref: 2046A8CD
GetSubMenu.USER32(?,00000000), ref: 2046A8D8
#2365.MFC80U(00000000), ref: 2046A8DF
GetCursorPos.USER32(?), ref: 2046A8EB
ScreenToClient.USER32(?,?), ref: 2046A913
ClientToScreen.USER32(?,?), ref: 2046A931
ScreenToClient.USER32(?,?), ref: 2046A943
#3793.MFC80U(?,?,00000000), ref: 2046A957
RemoveMenu.USER32(?,00000000,00000400,?,?,00000000), ref: 2046A972
RemoveMenu.USER32(?,00000000,00000400), ref: 2046A97F
RemoveMenu.USER32(?,00000000,00000400), ref: 2046A98C
RemoveMenu.USER32(?,00000000,00000400), ref: 2046A999
RemoveMenu.USER32(?,00000000,00000400), ref: 2046A9A6
RemoveMenu.USER32(?,0000807C,00000000), ref: 2046A9B3
RemoveMenu.USER32(?,0000807D,00000000), ref: 2046A9C0
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 2046A9DE
#2861.MFC80U(00000000), ref: 2046A9EB
RemoveMenu.USER32(?,?,0000807C,00000000,00000000), ref: 2046AA42
DeleteMenu.USER32(?,00008062,00000000), ref: 2046AB54
SetMenuDefaultItem.USER32(?,00000000,00000001), ref: 2046AB68
SetMenuDefaultItem.USER32(?,00008028,00000000), ref: 2046AB75
#6140.MFC80U(00000002,?,?,?,00000000), ref: 2046AB88
#1946.MFC80U(00000002,?,?,?,00000000), ref: 2046AB91
#1946.MFC80U(?,?,?,?,?,?,?,?,00000000), ref: 2046ABB3

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: Menu$Remove$ClientScreen$#1946DefaultItem$#1058#1274#2365#2861#3793#6140CursorDeleteLoadMessageSend
String ID:
API String ID: 767751519-0
Opcode ID: 82c60b0c20b236145a63b32bd7739e8769bf28903223530e297fbf786c04fd1b
Instruction ID: 2a932d91ae884308cf159f5a4071c14f2711c1ffe6b8672c0a980d615ff8d383
Opcode Fuzzy Hash: 82c60b0c20b236145a63b32bd7739e8769bf28903223530e297fbf786c04fd1b
Instruction Fuzzy Hash: 3E916B71248701ABD324CBA4CCC5F5BB7E8BB88B04F10C91DF69A976D0DAB8E944CB55

Function 204131F0 Relevance: 47.5, APIs: 25, Strings: 2, Instructions: 253windowCOMMON

Download Yara Rule

APIs

#4574.MFC80U(A1C94593), ref: 20413232
#6086.MFC80U(00000000,A1C94593), ref: 20413240
#6086.MFC80U(00000000,00000000,A1C94593), ref: 2041324C
GetWindowRect.USER32(?,?), ref: 20413263
GetWindowRect.USER32(?,?), ref: 20413271
#5609.MFC80U(?), ref: 2041327A
#5609.MFC80U(?,?), ref: 20413286
#762.MFC80U(000000DC,?,?), ref: 20413290
#1562.MFC80U(50804005,?,?,00000004), ref: 204132D0
#762.MFC80U(000000DC,50804005,?,?,00000004), ref: 204132DA
#1562.MFC80U(50804005,?,?,00000004), ref: 2041331B
memset.MSVCR80 ref: 2041338D
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 204133A9
#2362.MFC80U(00000000,?,?,?,00000004), ref: 204133AC
GetObjectW.GDI32(?,0000005C,?), ref: 204133BC
CreateFontIndirectW.GDI32(?), ref: 204133CD
#1271.MFC80U(00000000,?,?,?,00000004), ref: 204133D6
CreateFontIndirectW.GDI32 ref: 204133F1
#1271.MFC80U(00000000), ref: 204133FA

Part of subcall function 20420530: #764.MFC80U(?,?,A1C94593,00000000,?,00000000,2047CF55,000000FF,204132FB,00000000), ref: 2042059A
Part of subcall function 20420530: #764.MFC80U(?,?,A1C94593,00000000,?,00000000,2047CF55,000000FF,204132FB,00000000), ref: 204205BF
Part of subcall function 20420530: GetSysColor.USER32(0000000E), ref: 204205E4
Part of subcall function 20420530: GetSysColor.USER32(0000000D), ref: 204205EE

Strings

xXH , xrefs: 20413320
n, xrefs: 2041333D

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #1271#1562#5609#6086#762#764ColorCreateFontIndirectRectWindow$#2362#4574MessageObjectSendmemset
String ID: n$xXH
API String ID: 3384984204-2023183603
Opcode ID: 95b6b9af0db05c157245e0d8950aaf6f032ba2113402e6f7531cd004fb3b278d
Instruction ID: df89eb388f3e077dc8a7648ceea616e3fc8ae983f4d044294edd22d2daf9c446
Opcode Fuzzy Hash: 95b6b9af0db05c157245e0d8950aaf6f032ba2113402e6f7531cd004fb3b278d
Instruction Fuzzy Hash: 34A14F71204700AFD720DBB4CC81FABB7E9BB88708F10891DF69E97291DB79A8458B55

Function 2043BDE0 Relevance: 46.0, APIs: 20, Strings: 6, Instructions: 460COMMON

Download Yara Rule

APIs

wcschr.MSVCR80 ref: 2043BE22
wcschr.MSVCR80 ref: 2043BE3D
_wcsnicmp.MSVCR80 ref: 2043BE66
memmove_s.MSVCR80 ref: 2043BF02
memcpy_s.MSVCR80 ref: 2043BF29
wcschr.MSVCR80 ref: 2043C369

Strings

ScannerVersion, xrefs: 2043C28E
x86\, xrefs: 2043BFAD
InstallDir, xrefs: 2043BE60
ProductName, xrefs: 2043C08B
InstallDir32, xrefs: 2043BF5A
ProductVersion, xrefs: 2043C18E

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: wcschr$_wcsnicmpmemcpy_smemmove_s
String ID: InstallDir$InstallDir32$ProductName$ProductVersion$ScannerVersion$x86\
API String ID: 308510788-164657748
Opcode ID: 9cfe9f924ec3093dbc28e29c1735e63e94f3565b95dd8854a8d1b24b8ed9160a
Instruction ID: 526b51a08f6c597bdb1942fb88777c362074db7fda32dca29dac90f820a139c1
Opcode Fuzzy Hash: 9cfe9f924ec3093dbc28e29c1735e63e94f3565b95dd8854a8d1b24b8ed9160a
Instruction Fuzzy Hash: 5CF117715083059BC7249BACCD49B9B73B4EF89308F09CA58ED4597342EB7CAB48C792

Function 20440590 Relevance: 43.9, APIs: 29, Instructions: 378windowCOMMON

Download Yara Rule

APIs

#314.MFC80U(00000000,A1C94593), ref: 204405E0

Part of subcall function 2042C5B0: #4574.MFC80U(?,?,?,00000000,00000000,A1C94593), ref: 2042C5B9
Part of subcall function 2042C5B0: GetWindowRect.USER32(?,?), ref: 2042C5C7
Part of subcall function 2042C5B0: #6063.MFC80U(?,?,?,?,00000000,00000000,A1C94593), ref: 2042C5E7
Part of subcall function 2042C5B0: SendMessageW.USER32(?,00000401,00000001,00000000), ref: 2042C61C
Part of subcall function 2042C5B0: GetNextDlgTabItem.USER32(?,00000000,00000000), ref: 2042C630
Part of subcall function 2042C5B0: #2366.MFC80U(00000000,?,00000000,?,?,?,00000000,00000000,A1C94593), ref: 2042C633
Part of subcall function 2042C5B0: #2648.MFC80U(00000000,?,00000000,?,?,?,00000000,00000000,A1C94593), ref: 2042C642
Part of subcall function 2042C5B0: #1005.MFC80U(00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000,A1C94593), ref: 2042C65C
Part of subcall function 2042C5B0: GetNextDlgTabItem.USER32(?,?,00000000), ref: 2042C66B
Part of subcall function 2042C5B0: #2366.MFC80U(00000000,?,00000000,?,?,?,00000000,00000000,A1C94593), ref: 2042C66E
Part of subcall function 2042C5B0: SetForegroundWindow.USER32(?), ref: 2042C681

SendMessageW.USER32(?,0000014A,00000000,00000000), ref: 2044062B
SendMessageW.USER32(?,00000151,00000000,00000101), ref: 2044063C
SendMessageW.USER32(?,0000014A,00000001,00000000), ref: 2044065F
SendMessageW.USER32(?,00000151,00000001,?), ref: 2044067D
SendMessageW.USER32(?,0000014A,00000000,00000000), ref: 204406BA
SendMessageW.USER32(?,00000151,00000000,00000102), ref: 204406CB
SendMessageW.USER32(?,0000014A,00000001,00000000), ref: 2044070A
SendMessageW.USER32(?,00000151,?,?), ref: 2044078A
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 204407A2
#310.MFC80U ref: 204407C3
SendMessageW.USER32(?,0000014A,00000000,?), ref: 20440800
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 20440812
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 20440824
#6232.MFC80U(00000000), ref: 20440848
#776.MFC80U(?,?,?,00000000), ref: 2044098A
SendMessageW.USER32(?,0000014A,00000001,?), ref: 204409AC
SendMessageW.USER32(?,00000151,00000001,?), ref: 204409C0
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 20440A37
SendMessageW.USER32(?,00000150,00000001,00000000), ref: 20440A4F
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 20440A6B
SendMessageW.USER32(?,0000014E,00000001,00000000), ref: 20440A8F
#6232.MFC80U(00000000), ref: 20440A95
#578.MFC80U(00000000), ref: 20440AAD
#6751.MFC80U(00000000,?), ref: 20440ADB

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: MessageSend$#2366#6232ItemNextWindow$#1005#2648#310#314#4574#578#6063#6751#776ForegroundRect
String ID:
API String ID: 3253409394-0
Opcode ID: 1601a06762cacad1e8cbc559b100bd4cc02e4ed356e226a3da2df0017a5cfbef
Instruction ID: bc79db77f7d5a154e0c58ac83640ed0fa7abcad9e75eb80e817de5e5d5b50a70
Opcode Fuzzy Hash: 1601a06762cacad1e8cbc559b100bd4cc02e4ed356e226a3da2df0017a5cfbef
Instruction Fuzzy Hash: D1E17D71644301AFE304DF64CC95FA6B7E5BF98704F04896CFA889B291CA79F845CB91

Function 2045E570 Relevance: 42.4, APIs: 28, Instructions: 355windowCOMMON

Download Yara Rule

APIs

Part of subcall function 2045DE90: #310.MFC80U(2045E5C1,000000FF,A1C94593,?,?,?,2047A422,000000FF,2045E5C1,?,?,A1C94593), ref: 2045DED5
Part of subcall function 2045DE90: #310.MFC80U(?,?,?,2047A422,000000FF,2045E5C1,?), ref: 2045DEE3

Part of subcall function 2042D2E0: #359.MFC80U(00000000,A1C94593), ref: 2042D320
Part of subcall function 2042D2E0: memset.MSVCR80 ref: 2042D33C
Part of subcall function 2042D2E0: #3998.MFC80U(?,00000000,A1C94593), ref: 2042D370
Part of subcall function 2042D2E0: #6735.MFC80U(?,?,00000000,A1C94593), ref: 2042D382
Part of subcall function 2042D2E0: #5832.MFC80U(?,?), ref: 2042D39F
Part of subcall function 2042D2E0: #578.MFC80U(?,?), ref: 2042D3B0
Part of subcall function 2042D2E0: #3828.MFC80U(?,00000000), ref: 2042D3C6
Part of subcall function 2042D2E0: #2011.MFC80U(00000000,A1C94593), ref: 2042D3CD
Part of subcall function 2042D2E0: #607.MFC80U(?,00000000), ref: 2042D3E3

#6735.MFC80U(?,?,?,A1C94593), ref: 2045E60D
#1476.MFC80U(?), ref: 2045E625
#578.MFC80U ref: 2045E63C
wcscpy_s.MSVCR80 ref: 2045E6A4
#310.MFC80U ref: 2045E6D9
#4026.MFC80U(00000074), ref: 2045E6EE
#310.MFC80U ref: 2045E6F8
#4026.MFC80U(00000075), ref: 2045E70C
#4098.MFC80U(A1C94593,?,00000030), ref: 2045E720
#578.MFC80U(A1C94593,?,00000030), ref: 2045E730
#578.MFC80U ref: 2045E742
wcscpy_s.MSVCR80 ref: 2045E7A5
wcsncpy_s.MSVCR80 ref: 2045E7C3
wcscpy_s.MSVCR80 ref: 2045E81F
wcsncpy_s.MSVCR80 ref: 2045E836
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 2045E87D
#3873.MFC80U(00000001,00000000,?,00000000,00000000,00000000,00000000), ref: 2045E897
#5869.MFC80U(00000000,00000001,?,00000001,00000000,?,00000000,00000000,00000000,00000000), ref: 2045E8B6
#5869.MFC80U(00000000,00000002,?,00000000,00000001,?,00000001,00000000,?,00000000,00000000,00000000,00000000), ref: 2045E8C8
#5862.MFC80U(00000000,00000000,00000004,00000000,00000000,00000000,00000000,00000000,00000000,00000002,?,00000000,00000001,?,00000001,00000000), ref: 2045E8E1
wcscpy_s.MSVCR80 ref: 2045E944
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 2045E9CF
#3873.MFC80U(00000001,00000000,?,00000000,00000000,00000000,00000000), ref: 2045E9E9
#5869.MFC80U(00000000,00000001,?,00000001,00000000,?,00000000,00000000,00000000,00000000), ref: 2045EA08
#5869.MFC80U(00000000,00000002,?,00000000,00000001,?,00000001,00000000,?,00000000,00000000,00000000,00000000), ref: 2045EA1A
#5862.MFC80U(00000000,00000000,00000004,00000000,00000000,00000000,00000000,?,00000000,00000002,?,00000000,00000001,?,00000001,00000000), ref: 2045EA33

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #310#578#5869wcscpy_s$#3873#4026#5862#6735MessageSendwcsncpy_s$#1476#2011#359#3828#3998#4098#5832#607memset
String ID:
API String ID: 620450143-0
Opcode ID: be2954b327063b7d8bab526f765a60996450f9a67c5c262b95022e75a6c224ab
Instruction ID: 2ace1d11d9b7c476054775e1a2a1a61a5e23e676c5184643b28d972a46399677
Opcode Fuzzy Hash: be2954b327063b7d8bab526f765a60996450f9a67c5c262b95022e75a6c224ab
Instruction Fuzzy Hash: B5D1C0712487409BE324CB54CC82F9BB7E5FF98B04F14891CF69A9B2D1DB78A908C756

Function 2045FDC0 Relevance: 42.2, APIs: 28, Instructions: 176windowCOMMON

Download Yara Rule

APIs

#516.MFC80U(00000257,00000000,00000038,A1C94593,00000000,-00003AB4,?,00000000,?,2047DBB6,000000FF,204708CB,?,?,?,?), ref: 2045FDF4

Part of subcall function 20421B70: #572.MFC80U(A1C94593,?,?,2047A038,000000FF,2042055C,?,A1C94593,00000000,?,00000000,2047CF55,000000FF,204132FB,00000000), ref: 20421B97

#416.MFC80U(?,?,00000004,00000002,6C854310,6C8560B9,00000257,00000000,00000038,A1C94593,00000000,-00003AB4,?,00000000,?,2047DBB6), ref: 2045FE3E
#416.MFC80U(?,?,00000004,00000002,6C854310,6C8560B9,00000257,00000000,00000038,A1C94593,00000000,-00003AB4,?,00000000,?,2047DBB6), ref: 2045FE50

Part of subcall function 2045CF80: #530.MFC80U(A1C94593,00000222,000000FF,00000000,2047A55B,000000FF,2045D5C1,000001EB,00000193,000000FF,?,A1C94593,?,?,?,2047BED4), ref: 2045CFB1
Part of subcall function 2045CF80: #6003.MFC80U(00000000,000000FF,A1C94593,00000222,000000FF,00000000,2047A55B,000000FF,2045D5C1,000001EB,00000193,000000FF,?,A1C94593), ref: 2045CFCD

Part of subcall function 20430DC0: #310.MFC80U(?,A1C94593,00000000,?,00000000,?,2047AE6F,000000FF,20472632,?), ref: 20430DFC
Part of subcall function 20430DC0: #557.MFC80U ref: 20430E0A
Part of subcall function 20430DC0: #310.MFC80U ref: 20430E17
Part of subcall function 20430DC0: #557.MFC80U ref: 20430E25
Part of subcall function 20430DC0: LoadCursorW.USER32(00000000,00007F89), ref: 20430EA4
Part of subcall function 20430DC0: SetRectEmpty.USER32(?), ref: 20430F17

GetSystemMetrics.USER32(00000032), ref: 2045FEB5
GetSystemMetrics.USER32(00000031), ref: 2045FEBA
#1555.MFC80U(00000000,?,?,?,204810D4,000000FF,2046250A,?,-00003AB4,?,-00003AB4,?,?,00000000), ref: 2045FEBF
GetSysColor.USER32(00000005), ref: 2045FEC6
#1079.MFC80U(?,00000000,?,?,?,204810D4,000000FF,2046250A,?,-00003AB4,?,-00003AB4,?,?,00000000), ref: 2045FED4

Part of subcall function 20427250: #1079.MFC80U(?,A1C94593), ref: 2042728B
Part of subcall function 20427250: #6749.MFC80U(?,?,A1C94593), ref: 20427297

LoadIconW.USER32(00000000,00007F00), ref: 2045FEF3
DestroyCursor.USER32(?), ref: 2045FF1E
#1079.MFC80U(?,000000FF,00000000,?,?,?,204810D4,000000FF,2046250A,?,-00003AB4,?,-00003AB4,?,?,00000000), ref: 2045FF07

Part of subcall function 204353D0: #1079.MFC80U(?,A1C94593), ref: 2043540B
Part of subcall function 204353D0: #6749.MFC80U(?,?,A1C94593), ref: 20435417
Part of subcall function 204353D0: #1176.MFC80U(?,?,A1C94593), ref: 20435444

GetSystemMetrics.USER32(00000032), ref: 2045FF2F
GetSystemMetrics.USER32(00000031), ref: 2045FF34
#1555.MFC80U(00000000,?,?,?,204810D4,000000FF,2046250A,?,-00003AB4,?,-00003AB4,?,?,00000000), ref: 2045FF39
GetSysColor.USER32(00000005), ref: 2045FF40
#1079.MFC80U(?,00000000,?,?,?,204810D4,000000FF,2046250A,?,-00003AB4,?,-00003AB4,?,?,00000000), ref: 2045FF4E
#1079.MFC80U(?,?,?,204810D4,000000FF,2046250A,?,-00003AB4,?,-00003AB4,?,?,00000000), ref: 2045FF60
#1058.MFC80U(00000171,0000000E,00000171,?,?,?,204810D4,000000FF,2046250A,?,-00003AB4,?,-00003AB4,?,?,00000000), ref: 2045FF71
LoadIconW.USER32(00000000,00000171), ref: 2045FF77
#1079.MFC80U(?,000000FF,00000000,?,?,?,204810D4,000000FF,2046250A,?,-00003AB4,?,-00003AB4,?,?,00000000), ref: 2045FF83
#1079.MFC80U(?,?,?,204810D4,000000FF,2046250A,?,-00003AB4,?,-00003AB4,?,?,00000000), ref: 2045FF95
#1058.MFC80U(0000016F,0000000E,0000016F,?,?,?,204810D4,000000FF,2046250A,?,-00003AB4,?,-00003AB4,?,?,00000000), ref: 2045FFA6
LoadIconW.USER32(00000000,0000016F), ref: 2045FFAC
#1079.MFC80U(?,000000FF,00000000,?,?,?,204810D4,000000FF,2046250A,?,-00003AB4,?,-00003AB4,?,?,00000000), ref: 2045FFB8
#1079.MFC80U(?,?,?,204810D4,000000FF,2046250A,?,-00003AB4,?,-00003AB4,?,?,00000000), ref: 2045FFCA
#1058.MFC80U(00000172,0000000E,00000172,?,?,?,204810D4,000000FF,2046250A,?,-00003AB4,?,-00003AB4,?,?,00000000), ref: 2045FFDB
LoadIconW.USER32(00000000,00000172), ref: 2045FFE1
#1079.MFC80U(?,000000FF,00000000,?,?,?,204810D4,000000FF,2046250A,?,-00003AB4,?,-00003AB4,?,?,00000000), ref: 2045FFED

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #1079$Load$IconMetricsSystem$#1058$#1555#310#416#557#6749ColorCursor$#1176#516#530#572#6003DestroyEmptyRect
String ID:
API String ID: 365691172-0
Opcode ID: b68f33bef7c4b2d6117d4029ba62b2bec84fb5b55f27a9dde17b4a188a7d711b
Instruction ID: fed8fed39bf988fa6bdc90078e62ecdff316e1d07a83c31df6cb4852490efdad
Opcode Fuzzy Hash: b68f33bef7c4b2d6117d4029ba62b2bec84fb5b55f27a9dde17b4a188a7d711b
Instruction Fuzzy Hash: 8951D670244741AFD220DBB4CC42FAB77E9AF99B18F01C91CF6555B2D1DEB8A804CB61

Function 204249B0 Relevance: 40.7, APIs: 27, Instructions: 248windowCOMMON

Download Yara Rule

APIs

#4574.MFC80U(A1C94593), ref: 204249E5
#310.MFC80U(A1C94593), ref: 204249F5
#4026.MFC80U(000000C5), ref: 20424A0D
SendMessageW.USER32(?,0000014A,00000000,?), ref: 20424A2B
SendMessageW.USER32(?,0000014A,00000000,?), ref: 20424A3F
SendMessageW.USER32(?,0000014A,00000001,?), ref: 20424A80
SendMessageW.USER32(?,0000014A,00000001,?), ref: 20424AB2
#310.MFC80U ref: 20424AF4
#2311.MFC80U(?,2048587C,?), ref: 20424B10
#6063.MFC80U(?), ref: 20424B24
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 20424B7F
#6063.MFC80U(20485878), ref: 20424B8C
#2311.MFC80U(?,2048587C,?,20485878), ref: 20424B9F
#6063.MFC80U(?), ref: 20424BB3
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 20424C0F
#6063.MFC80U(20485878), ref: 20424C1C
#578.MFC80U ref: 20424C2D
SendMessageW.USER32(?,0000014E,00000001,00000000), ref: 20424C4D
#6063.MFC80U(?), ref: 20424C79
SendMessageW.USER32(?,0000014E,00000001,00000000), ref: 20424C9B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 20424CD6
#6063.MFC80U(20485878), ref: 20424CE3
#6063.MFC80U(20485878,20485878), ref: 20424CF3
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 20424D08
#6063.MFC80U(20485878), ref: 20424D15
#6063.MFC80U(20485878,20485878), ref: 20424D25
#578.MFC80U(20485878,20485878), ref: 20424D3C

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: MessageSend$#6063$#2311#310#578$#4026#4574
String ID:
API String ID: 862278329-0
Opcode ID: 33ffcb5ef148fcbb47d6eda2bfc9d0609dc9160fafeb3dc740121320e5d8c93d
Instruction ID: 9710f64e217feda51601e01967b19a54b8f6438b9182b9ff69744ec8206c4091
Opcode Fuzzy Hash: 33ffcb5ef148fcbb47d6eda2bfc9d0609dc9160fafeb3dc740121320e5d8c93d
Instruction Fuzzy Hash: 13A1F172A086459FDB24CF50CC80FEB77A9FB94708F40CA2DF9445B2A0DB78A904CB81

Function 2044A220 Relevance: 37.8, APIs: 25, Instructions: 251COMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 2044A282
free.MSVCR80 ref: 2044A295
#310.MFC80U ref: 2044A2A9
#310.MFC80U ref: 2044A2BB
#578.MFC80U ref: 2044A2DA
#578.MFC80U ref: 2044A2EB
memset.MSVCR80 ref: 2044A314
free.MSVCR80 ref: 2044A321
#578.MFC80U(?), ref: 2044A355
#578.MFC80U ref: 2044A366

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #578$#310freememset
String ID:
API String ID: 2345624133-0
Opcode ID: c5c49032eacd65ffb0fba4c6bfb47e0403574072856f95f4a8a5a6116a251bd9
Instruction ID: 2dc2b5980879ddb9e75c8cf977c6fce2ff5e67cbf9f60d5e2776d79c249a8b46
Opcode Fuzzy Hash: c5c49032eacd65ffb0fba4c6bfb47e0403574072856f95f4a8a5a6116a251bd9
Instruction Fuzzy Hash: 51A160715087409FD321DF64CC85A9FBBE8BF98748F10892DF59597290DB78AA08CF92

Function 2045BC90 Relevance: 37.7, APIs: 25, Instructions: 169COMMON

Download Yara Rule

APIs

#6232.MFC80U(00000001,?,2045BB76,00000000), ref: 2045BC95
#2651.MFC80U(000004FA,?,00000001,?,2045BB76,00000000), ref: 2045BCAA
#2155.MFC80U(000004FA,?,00000001,?,2045BB76,00000000), ref: 2045BCB1
#2651.MFC80U(000004E7,00000000,000004FA,?,00000001,?,2045BB76,00000000), ref: 2045BCDD
#2155.MFC80U(000004E7,00000000,000004FA,?,00000001,?,2045BB76,00000000), ref: 2045BCE4
#2651.MFC80U(000004DA,00000000,000004E7,00000000,000004FA,?,00000001,?,2045BB76,00000000), ref: 2045BD0D
#2155.MFC80U(000004DA,00000000,000004E7,00000000,000004FA,?,00000001,?,2045BB76,00000000), ref: 2045BD14
#2651.MFC80U(0000042B,00000000,000004DA,00000000,000004E7,00000000,000004FA,?,00000001,?,2045BB76,00000000), ref: 2045BD3D
#2155.MFC80U(0000042B,00000000,000004DA,00000000,000004E7,00000000,000004FA,?,00000001,?,2045BB76,00000000), ref: 2045BD44
#2651.MFC80U(0000042C,00000000,0000042B,00000000,000004DA,00000000,000004E7,00000000,000004FA,?,00000001,?,2045BB76,00000000), ref: 2045BD6D
#2155.MFC80U(0000042C,00000000,0000042B,00000000,000004DA,00000000,000004E7,00000000,000004FA,?,00000001,?,2045BB76,00000000), ref: 2045BD74
#2651.MFC80U(000004FB,00000000,0000042C,00000000,0000042B,00000000,000004DA,00000000,000004E7,00000000,000004FA,?,00000001,?,2045BB76,00000000), ref: 2045BD9D
#2155.MFC80U(000004FB,00000000,0000042C,00000000,0000042B,00000000,000004DA,00000000,000004E7,00000000,000004FA,?,00000001,?,2045BB76,00000000), ref: 2045BDA4
#2651.MFC80U(000004FC,00000000,000004FB,00000000,0000042C,00000000,0000042B,00000000,000004DA,00000000,000004E7,00000000,000004FA,?,00000001), ref: 2045BDCD
#2155.MFC80U(000004FC,00000000,000004FB,00000000,0000042C,00000000,0000042B,00000000,000004DA,00000000,000004E7,00000000,000004FA,?,00000001), ref: 2045BDD4
#2651.MFC80U(00000418,00000000,000004FC,00000000,000004FB,00000000,0000042C,00000000,0000042B,00000000,000004DA,00000000,000004E7,00000000,000004FA), ref: 2045BDFD
#2155.MFC80U(00000418,00000000,000004FC,00000000,000004FB,00000000,0000042C,00000000,0000042B,00000000,000004DA,00000000,000004E7,00000000,000004FA), ref: 2045BE04
#2651.MFC80U(0000041A,00000000,00000418,00000000,000004FC,00000000,000004FB,00000000,0000042C,00000000,0000042B,00000000,000004DA,00000000,000004E7,00000000), ref: 2045BE2D
#2155.MFC80U(0000041A,00000000,00000418,00000000,000004FC,00000000,000004FB,00000000,0000042C,00000000,0000042B,00000000,000004DA,00000000,000004E7,00000000), ref: 2045BE34
#2651.MFC80U(00000511,00000000,0000041A,00000000,00000418,00000000,000004FC,00000000,000004FB,00000000,0000042C,00000000,0000042B,00000000,000004DA,00000000), ref: 2045BE5D
#2155.MFC80U(00000511,00000000,0000041A,00000000,00000418,00000000,000004FC,00000000,000004FB,00000000,0000042C,00000000,0000042B,00000000,000004DA,00000000), ref: 2045BE64
#2651.MFC80U(000004D9,00000000,00000511,00000000,0000041A,00000000,00000418,00000000,000004FC,00000000,000004FB,00000000,0000042C,00000000,0000042B,00000000), ref: 2045BE8D
#2155.MFC80U(000004D9,00000000,00000511,00000000,0000041A,00000000,00000418,00000000,000004FC,00000000,000004FB,00000000,0000042C,00000000,0000042B,00000000), ref: 2045BE94
#2651.MFC80U(000003F7,00000000,000004D9,00000000,00000511,00000000,0000041A,00000000,00000418,00000000,000004FC,00000000,000004FB,00000000,0000042C,00000000), ref: 2045BEBD
#2155.MFC80U(000003F7,00000000,000004D9,00000000,00000511,00000000,0000041A,00000000,00000418,00000000,000004FC,00000000,000004FB,00000000,0000042C,00000000), ref: 2045BEC4

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2155#2651$#6232
String ID:
API String ID: 793604035-0
Opcode ID: ca8e1ed99d81f434f37c292f8f8f875fe7784e7371d240e8cad493a35e0ae36c
Instruction ID: 38f6c668d6cd52d4b7cd920b451560f76b3907829b54d84714045b9418710d8b
Opcode Fuzzy Hash: ca8e1ed99d81f434f37c292f8f8f875fe7784e7371d240e8cad493a35e0ae36c
Instruction Fuzzy Hash: 77510EB0744600DFEA1287A48812BFE35F5EBA1B04F40C57DB6468B6E0DBBC9C86C785

Function 20414DF0 Relevance: 36.5, APIs: 24, Instructions: 481COMMON

Download Yara Rule

APIs

#764.MFC80U(CCCCCCCC,A1C94593,?,00000001,?,?,?,00000000,2047D118,000000FF), ref: 20414FB3
#764.MFC80U(CCCCCCCC,A1C94593,?,00000001,?,?,?,00000000,2047D118,000000FF), ref: 20414FCF
#764.MFC80U(B27AE934,A1C94593,?,00000001,?,?,?,00000000,2047D118,000000FF), ref: 20414FF1
#764.MFC80U(E95CC083,A1C94593,?,00000001,?,?,?,00000000,2047D118,000000FF), ref: 2041500A
#764.MFC80U(E8C833FC,A1C94593,?,00000001,?,?,?,00000000,2047D118,000000FF), ref: 20415026
#764.MFC80U(84050445,A1C94593,?,00000001,?,?,?,00000000,2047D118,000000FF), ref: 20415048
#764.MFC80U(F9B36FE9,A1C94593,?,00000001,?,?,?,00000000,2047D118,000000FF), ref: 20415061
#764.MFC80U(00C00504,A1C94593,?,00000001,?,?,?,00000000,2047D118,000000FF), ref: 2041507D
#764.MFC80U(FFF9B4F8,A1C94593,?,00000001,?,?,?,00000000,2047D118,000000FF), ref: 204150A2
#764.MFC80U(49BA00B8,A1C94593,?,00000001,?,?,?,00000000,2047D118,000000FF), ref: 204150C7
qsort.MSVCR80 ref: 20415100
qsort.MSVCR80 ref: 2041515C
qsort.MSVCR80 ref: 20415186
qsort.MSVCR80 ref: 204151AE
qsort.MSVCR80 ref: 20415212
qsort.MSVCR80 ref: 2041523C
qsort.MSVCR80 ref: 20415266
qsort.MSVCR80 ref: 2041529D
qsort.MSVCR80 ref: 204152D4
#265.MFC80U(00000000,A1C94593,?,00000001,?,?,?,00000000,2047D118,000000FF), ref: 20415326
#265.MFC80U(00000000,A1C94593,?,00000001,?,?,?,00000000,2047D118,000000FF), ref: 20415393
#265.MFC80U(00000000,A1C94593,?,00000001,?,?,?,00000000,2047D118,000000FF), ref: 20415403
wcscpy_s.MSVCR80 ref: 20415468
wcsncpy_s.MSVCR80 ref: 20415479

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764$qsort$#265$wcscpy_swcsncpy_s
String ID:
API String ID: 1349739470-0
Opcode ID: 0d64cb7775e3551ef22c9dbd3f46ef24d3e0b69c6ce68da3e20f114f03e825c8
Instruction ID: a5f4eebaf3f9ca9ad693deaebe895098fcba689132a65306b19b38adc85e5150
Opcode Fuzzy Hash: 0d64cb7775e3551ef22c9dbd3f46ef24d3e0b69c6ce68da3e20f114f03e825c8
Instruction Fuzzy Hash: 96224AB0500288CBDB24CF69CC81BDAFBE5FF94304F548A1AE8599B361D779A944CF51

Function 2044A6E0 Relevance: 36.4, APIs: 24, Instructions: 360COMMON

Download Yara Rule

APIs

#310.MFC80U(A1C94593,?), ref: 2044A728
#2310.MFC80U(?,00000251,00000000,?,00000022), ref: 2044A7C2
#2310.MFC80U(?,00000252,?), ref: 2044A7D8
#896.MFC80U(?), ref: 2044A7E9
EnterCriticalSection.KERNEL32(?), ref: 2044A7F6
#2310.MFC80U(?,00000253,?,?,00000001), ref: 2044A894
#2310.MFC80U(?,0000025A,00000000,00000001), ref: 2044A8B1
#896.MFC80U(?), ref: 2044A8C2
#2310.MFC80U(?,00000254,-00000022,?,00000001), ref: 2044A96C
#896.MFC80U(?), ref: 2044A99C
LeaveCriticalSection.KERNEL32(?), ref: 2044A9A9
#2310.MFC80U(?,00000255,00000000,?,00000022), ref: 2044A9E7
#2310.MFC80U(?,00000256,?), ref: 2044AA08
#896.MFC80U(?), ref: 2044AA18
#2310.MFC80U(?,00000257,00000000,?,00000022), ref: 2044AA58
#2310.MFC80U(?,00000258,?), ref: 2044AA75
#896.MFC80U(?), ref: 2044AA8B
#2310.MFC80U(00000000,0000024F,?,?,?,00000000,?,00000040,00000000,?,?,00000040), ref: 2044AAEE
#896.MFC80U(?), ref: 2044AAFA
#2310.MFC80U(00000000,0000025C,?,?,?,00000000,?,00000040,?,A1C94593,?,00000040), ref: 2044AB5D
#896.MFC80U(?), ref: 2044AB69
#899.MFC80U(2048E708), ref: 2044AB87
#578.MFC80U ref: 2044ABA1

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2310$#896$CriticalSection$#310#578#899EnterLeave
String ID:
API String ID: 4130951986-0
Opcode ID: b1147bb1563f37cf7285035b7fd7db4f8b55f7d2235472b3e4c9c79b311805a9
Instruction ID: a811e24446e8cac0382d96524549a7915c51330605ecd9f09f3ceb3af9ebd86a
Opcode Fuzzy Hash: b1147bb1563f37cf7285035b7fd7db4f8b55f7d2235472b3e4c9c79b311805a9
Instruction Fuzzy Hash: C2E180B15083419FD714DF54CC88AABB7E9FF88705F00892DF98597291EB78E908DB92

Function 204124A0 Relevance: 35.3, APIs: 9, Strings: 11, Instructions: 346COMMON

Download Yara Rule

APIs

#764.MFC80U(?,?,20462D02), ref: 204127D9
#764.MFC80U(?,?,20462D02), ref: 204127EA
#764.MFC80U(?,?,20462D02), ref: 204127FB
#764.MFC80U(?,?,20462D02), ref: 2041280C
#764.MFC80U(?,?,?), ref: 204128D9
#764.MFC80U(?,?,?), ref: 204128EA
#764.MFC80U(?,?,?), ref: 204128FB
#764.MFC80U(?,?,?), ref: 20412910
#1176.MFC80U ref: 2041291D

Part of subcall function 20402000: wcscpy_s.MSVCR80 ref: 20402038

Part of subcall function 20402000: wcsncpy_s.MSVCR80 ref: 20402049

Part of subcall function 20411460: #764.MFC80U(2040FAB2,OPTNAME,?,2041266B,?,?,?,?,?,?,?,?,?,00000000), ref: 2041146E
Part of subcall function 20411460: #265.MFC80U(00000000,OPTNAME,?,2041266B,?,?,?,?,?,?,?,?,?,00000000), ref: 204114A9

Part of subcall function 204115E0: #764.MFC80U(?,GROUP,?,2041268F,?,?,?,?,?,?,?,?,?,?,00000000), ref: 204115EE
Part of subcall function 204115E0: #265.MFC80U(00000000,GROUP,?,2041268F,?,?,?,?,?,?,?,?,?,?,00000000), ref: 20411629

Strings

GROUP, xrefs: 20412673
RULES, xrefs: 20412544
OPTION, xrefs: 2041257F, 2041281E
OPTNAME, xrefs: 2041262C
VALUE, xrefs: 204126E0
DESC, xrefs: 20412697
SETTINGS, xrefs: 20412506
TYPE, xrefs: 204126BF
ZONES, xrefs: 20412530
OPTIONS, xrefs: 2041251C, 2041255A
HIDDEN, xrefs: 204125CE

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764$#265$#1176wcscpy_swcsncpy_s
String ID: DESC$GROUP$HIDDEN$OPTION$OPTIONS$OPTNAME$RULES$SETTINGS$TYPE$VALUE$ZONES
API String ID: 3313864260-3008686698
Opcode ID: 98939082490f85a1252ed007cb1178642c6058a1864723474fc795d27a62f70c
Instruction ID: cb406057bfc46c322035887182083016b808ff50fb98b63f0dd9d78b873e5502
Opcode Fuzzy Hash: 98939082490f85a1252ed007cb1178642c6058a1864723474fc795d27a62f70c
Instruction Fuzzy Hash: 3FC1B2B16043409BD710DBA4C981B4BF7E8AF94A48F00C92DFD89D7351E639EA95CB93

Function 20447510 Relevance: 35.3, APIs: 19, Strings: 1, Instructions: 288networkCOMMON

Download Yara Rule

APIs

#310.MFC80U(?,A1C94593,?,?,00000001,A1C94593), ref: 2044757B
#4026.MFC80U(000000B8,?,00000001,A1C94593), ref: 2044758D

Part of subcall function 20426370: #416.MFC80U(?,?,?,?,000000B8,A1C94593,?,?,?), ref: 20426431
Part of subcall function 20426370: #762.MFC80U(00000120,?,?,?,?,000000B8,A1C94593,?,?,?), ref: 20426474
Part of subcall function 20426370: #977.MFC80U(?), ref: 204264C2
Part of subcall function 20426370: #977.MFC80U(?,?), ref: 204264CA
Part of subcall function 20426370: #977.MFC80U(?,?,?), ref: 204264D8

socket.WS2_32(00000017,00000001,00000006), ref: 204475B6
closesocket.WS2_32(00000000), ref: 204475C2

Part of subcall function 20416820: #764.MFC80U(C483FFFF,NAME,?,2041A524,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 20416833
Part of subcall function 20416820: #265.MFC80U(00000000,?,NAME,?,2041A524,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 2041688A

Part of subcall function 20417B70: #764.MFC80U(?,75A85540,2044727B), ref: 20417B7E
Part of subcall function 20417B70: #764.MFC80U(?,75A85540,2044727B), ref: 20417BA3

#2461.MFC80U(00000000), ref: 2044761E
#5524.MFC80U(0000005C), ref: 20447635
#310.MFC80U ref: 20447640
#5558.MFC80U(?,-00000001), ref: 2044765E
#2310.MFC80U(?,0000011C), ref: 20447674
#578.MFC80U(?,?,00000001,A1C94593), ref: 20447687
#3990.MFC80U(?,000000FF,?,?,00000001,A1C94593), ref: 204476A9
#774.MFC80U(00000000,?,?,00000001,A1C94593), ref: 204476B7
#578.MFC80U(?,?,00000001,A1C94593), ref: 204476C7
#578.MFC80U(?,?,?,00000001,A1C94593), ref: 204476E3
#764.MFC80U(?,A1C94593), ref: 20447733
#764.MFC80U(?,A1C94593), ref: 20447758
EnterCriticalSection.KERNEL32(?,?,?), ref: 204478D9
#578.MFC80U(00000000,?,?,?), ref: 20447913
#578.MFC80U(?,?), ref: 20447949

Part of subcall function 20416AE0: #1176.MFC80U(?,?,20447806,?), ref: 20416AF4

Strings

xXH , xrefs: 204476F2

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #578#764$#977$#310$#1176#2310#2461#265#3990#4026#416#5524#5558#762#774CriticalEnterSectionclosesocketsocket
String ID: xXH
API String ID: 2808855026-4004433314
Opcode ID: be78bb7b9a857b3a1417f9c2a055df57425b8afb2c5c391a166f3f04f36433a0
Instruction ID: 06c91e4a488b285b61ffe3b64dbe23a10200509f49b006a6806328fc123c4a12
Opcode Fuzzy Hash: be78bb7b9a857b3a1417f9c2a055df57425b8afb2c5c391a166f3f04f36433a0
Instruction Fuzzy Hash: 63D1C171900288DFDB20DFA4CD85BEE77B5AF50704F108169EC0AAB291DB786F46DB91

Function 204423D0 Relevance: 34.9, APIs: 23, Instructions: 369COMMON

Download Yara Rule

APIs

Part of subcall function 20439510: #314.MFC80U(00000000,A1C94593), ref: 20439547
Part of subcall function 20439510: #6751.MFC80U(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,2047DED8), ref: 20439588

#314.MFC80U(00000000,A1C94593), ref: 20442452

Part of subcall function 2042E670: #6751.MFC80U(00000000,?,2042E5B8,00000000,A1C94593), ref: 2042E688

EnterCriticalSection.KERNEL32(?,A1C94593), ref: 2044253B
LeaveCriticalSection.KERNEL32(?), ref: 2044254A
#310.MFC80U ref: 20442703
#310.MFC80U ref: 20442718
#310.MFC80U ref: 2044272A
#314.MFC80U(00000000), ref: 20442742
#4026.MFC80U(00000101,00000000), ref: 20442758
#4026.MFC80U(00000123), ref: 20442767
#4026.MFC80U(00000214), ref: 20442776
#578.MFC80U ref: 204427B9
#578.MFC80U ref: 204427CB
#578.MFC80U ref: 204427E0

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #310#314#4026#578$#6751CriticalSection$EnterLeave
String ID:
API String ID: 1393448212-0
Opcode ID: a06811e997a4cc11b27affd7d612fee91356a553c5247e14fad2327ef2611812
Instruction ID: e2d4fec908829ee6fa6f350fe3cd3d5545ec75d492f97970bbd7c4ea08f16d57
Opcode Fuzzy Hash: a06811e997a4cc11b27affd7d612fee91356a553c5247e14fad2327ef2611812
Instruction Fuzzy Hash: B3E1E17260C3408FD320DF68D8C579AF7E0FBA4715F508A2EE985873A0DB399944CB92

Function 204154B0 Relevance: 34.7, APIs: 23, Instructions: 212COMMON

Download Yara Rule

APIs

#764.MFC80U(?,A1C94593,?,00000000,?,00000000,2047D078,000000FF,2041A38A,20462D01,?), ref: 204154F4
#764.MFC80U(?,A1C94593,?,00000000,?,00000000,2047D078,000000FF,2041A38A,20462D01,?), ref: 20415507
#764.MFC80U(?,A1C94593,?,00000000,?,00000000,2047D078,000000FF,2041A38A,20462D01,?), ref: 2041551A
#764.MFC80U(?,A1C94593,?,00000000,?,00000000,2047D078,000000FF,2041A38A,20462D01,?), ref: 2041552A
#764.MFC80U(?,A1C94593,?,00000000,?,00000000,2047D078,000000FF,2041A38A,20462D01,?), ref: 20415546
#764.MFC80U(?,A1C94593,?,00000000,?,00000000,2047D078,000000FF,2041A38A,20462D01,?), ref: 20415568
#764.MFC80U(?,A1C94593,?,00000000,?,00000000,2047D078,000000FF,2041A38A,20462D01,?), ref: 20415581
#764.MFC80U(?,A1C94593,?,00000000,?,00000000,2047D078,000000FF,2041A38A,20462D01,?), ref: 2041559D
#764.MFC80U(?,A1C94593,?,00000000,?,00000000,2047D078,000000FF,2041A38A,20462D01,?), ref: 204155BF
#764.MFC80U(?,A1C94593,?,00000000,?,00000000,2047D078,000000FF,2041A38A,20462D01,?), ref: 204155D8
#764.MFC80U(?,A1C94593,?,00000000,?,00000000,2047D078,000000FF,2041A38A,20462D01,?), ref: 204155F4
#764.MFC80U(?,A1C94593,?,00000000,?,00000000,2047D078,000000FF,2041A38A,20462D01,?), ref: 20415619
#764.MFC80U(?,A1C94593,?,00000000,?,00000000,2047D078,000000FF,2041A38A,20462D01,?), ref: 2041563E
#764.MFC80U(?,A1C94593,?,00000000,?,00000000,2047D078,000000FF,2041A38A,20462D01,?), ref: 20415672
#764.MFC80U(?,A1C94593,?,00000000,?,00000000,2047D078,000000FF,2041A38A,20462D01,?), ref: 20415694
#764.MFC80U(?,A1C94593,?,00000000,?,00000000,2047D078,000000FF,2041A38A,20462D01,?), ref: 204156B6
#764.MFC80U(?,A1C94593,?,00000000,?,00000000,2047D078,000000FF,2041A38A,20462D01,?), ref: 204156D8
#764.MFC80U(?,A1C94593,?,00000000,?,00000000,2047D078,000000FF,2041A38A,20462D01,?), ref: 204156FA
#764.MFC80U(?,A1C94593,?,00000000,?,00000000,2047D078,000000FF,2041A38A,20462D01,?), ref: 20415716
#764.MFC80U(?,A1C94593,?,00000000,?,00000000,2047D078,000000FF,2041A38A,20462D01,?), ref: 20415732
#764.MFC80U(?,A1C94593,?,00000000,?,00000000,2047D078,000000FF,2041A38A,20462D01,?), ref: 2041574E
#764.MFC80U(?,A1C94593,?,00000000,?,00000000,2047D078,000000FF,2041A38A,20462D01,?), ref: 20415769
#764.MFC80U(?,A1C94593,?,00000000,?,00000000,2047D078,000000FF,2041A38A,20462D01,?), ref: 20415788

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764
String ID:
API String ID: 441403673-0
Opcode ID: fb2261f334a4a593381616409003b7e7e79ccf1b339d4001bd330d7b823fe08f
Instruction ID: 3603d576dc4a89bf409d8259811608ecf062b6af5d605e23716ffd047f693520
Opcode Fuzzy Hash: fb2261f334a4a593381616409003b7e7e79ccf1b339d4001bd330d7b823fe08f
Instruction Fuzzy Hash: 1781C7F1900B90DBD721DFA988C1B97FBE5BB14204F908D2DE19EC7650D739E9488B92

Function 20457900 Relevance: 34.7, APIs: 23, Instructions: 166COMMON

Download Yara Rule

APIs

#6232.MFC80U(00000001,?,?,204577D1,00000000), ref: 20457906
#2651.MFC80U(00000429,?,00000001,?,?,204577D1,00000000), ref: 2045791B
#2155.MFC80U(00000429,?,00000001,?,?,204577D1,00000000), ref: 20457922
#2651.MFC80U(00000402,00000000,00000429,?,00000001,?,?,204577D1,00000000), ref: 20457937
#2155.MFC80U(00000402,00000000,00000429,?,00000001,?,?,204577D1,00000000), ref: 2045793E
#2651.MFC80U(0000040A,00000000,00000402,00000000,00000429,?,00000001,?,?,204577D1,00000000), ref: 2045796E
#2155.MFC80U(0000040A,00000000,00000402,00000000,00000429,?,00000001,?,?,204577D1,00000000), ref: 20457975
#2651.MFC80U(00001771,00000000,0000040A,00000000,00000402,00000000,00000429,?,00000001,?,?,204577D1,00000000), ref: 204579A5
#2155.MFC80U(00001771,00000000,0000040A,00000000,00000402,00000000,00000429,?,00000001,?,?,204577D1,00000000), ref: 204579AC
#2651.MFC80U(0000042A,00000000,00001771,00000000,0000040A,00000000,00000402,00000000,00000429,?,00000001,?,?,204577D1,00000000), ref: 204579D8
#2155.MFC80U(0000042A,00000000,00001771,00000000,0000040A,00000000,00000402,00000000,00000429,?,00000001,?,?,204577D1,00000000), ref: 204579DF
#2651.MFC80U(000004F8,00000000,0000042A,00000000,00001771,00000000,0000040A,00000000,00000402,00000000,00000429,?,00000001,?,?,204577D1), ref: 20457A08
#2155.MFC80U(000004F8,00000000,0000042A,00000000,00001771,00000000,0000040A,00000000,00000402,00000000,00000429,?,00000001,?,?,204577D1), ref: 20457A0F
#2651.MFC80U(000004F4,00000000,000004F8,00000000,0000042A,00000000,00001771,00000000,0000040A,00000000,00000402,00000000,00000429,?,00000001), ref: 20457A38
#2155.MFC80U(000004F4,00000000,000004F8,00000000,0000042A,00000000,00001771,00000000,0000040A,00000000,00000402,00000000,00000429,?,00000001), ref: 20457A3F
#2651.MFC80U(000004F5,00000000,000004F4,00000000,000004F8,00000000,0000042A,00000000,00001771,00000000,0000040A,00000000,00000402,00000000,00000429), ref: 20457A68
#2155.MFC80U(000004F5,00000000,000004F4,00000000,000004F8,00000000,0000042A,00000000,00001771,00000000,0000040A,00000000,00000402,00000000,00000429), ref: 20457A6F
#2651.MFC80U(000004F6,00000000), ref: 20457AA7
#2155.MFC80U(000004F6,00000000), ref: 20457AAE
#2651.MFC80U(0000040B,00000000), ref: 20457AE9
#2155.MFC80U(0000040B,00000000), ref: 20457AF0
#2651.MFC80U(00001772,00000000,0000040B,00000000), ref: 20457B2B
#2155.MFC80U(00001772,00000000,0000040B,00000000), ref: 20457B32

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2155#2651$#6232
String ID:
API String ID: 793604035-0
Opcode ID: 7b131bb64eadba3e5fa5159a75593343cac0b0a380c6cea5956b75b585b271ca
Instruction ID: 31a62825f2c348fbaeb05f40bdc2f9674bc9d37cbd3f08f150b7f628851502f9
Opcode Fuzzy Hash: 7b131bb64eadba3e5fa5159a75593343cac0b0a380c6cea5956b75b585b271ca
Instruction Fuzzy Hash: 32512970344600CFEB2687A49805FFE36E5EB62B44F40C57DA6468B6E1DBBC9E86C711

Function 20458C30 Relevance: 34.7, APIs: 23, Instructions: 164COMMON

Download Yara Rule

APIs

#6232.MFC80U(00000001,?,?,20458B01,00000000), ref: 20458C36
#2651.MFC80U(00000429,?,00000001,?,?,20458B01,00000000), ref: 20458C4B
#2155.MFC80U(00000429,?,00000001,?,?,20458B01,00000000), ref: 20458C52
#2651.MFC80U(00000401,00000000,00000429,?,00000001,?,?,20458B01,00000000), ref: 20458C67
#2155.MFC80U(00000401,00000000,00000429,?,00000001,?,?,20458B01,00000000), ref: 20458C6E
#2651.MFC80U(00001771,00000000,00000401,00000000,00000429,?,00000001,?,?,20458B01,00000000), ref: 20458C98
#2155.MFC80U(00001771,00000000,00000401,00000000,00000429,?,00000001,?,?,20458B01,00000000), ref: 20458C9F
#2651.MFC80U(0000040A,00000000,00001771,00000000,00000401,00000000,00000429,?,00000001,?,?,20458B01,00000000), ref: 20458CCF
#2155.MFC80U(0000040A,00000000,00001771,00000000,00000401,00000000,00000429,?,00000001,?,?,20458B01,00000000), ref: 20458CD6
#2651.MFC80U(0000042A,00000000,0000040A,00000000,00001771,00000000,00000401,00000000,00000429,?,00000001,?,?,20458B01,00000000), ref: 20458D02
#2155.MFC80U(0000042A,00000000,0000040A,00000000,00001771,00000000,00000401,00000000,00000429,?,00000001,?,?,20458B01,00000000), ref: 20458D09
#2651.MFC80U(000004F7,00000000,0000042A,00000000,0000040A,00000000,00001771,00000000,00000401,00000000,00000429,?,00000001,?,?,20458B01), ref: 20458D32
#2155.MFC80U(000004F7,00000000,0000042A,00000000,0000040A,00000000,00001771,00000000,00000401,00000000,00000429,?,00000001,?,?,20458B01), ref: 20458D39
#2651.MFC80U(000004F1,00000000,000004F7,00000000,0000042A,00000000,0000040A,00000000,00001771,00000000,00000401,00000000,00000429,?,00000001), ref: 20458D62
#2155.MFC80U(000004F1,00000000,000004F7,00000000,0000042A,00000000,0000040A,00000000,00001771,00000000,00000401,00000000,00000429,?,00000001), ref: 20458D69
#2651.MFC80U(000004F2,00000000,000004F1,00000000,000004F7,00000000,0000042A,00000000,0000040A,00000000,00001771,00000000,00000401,00000000,00000429), ref: 20458D92
#2155.MFC80U(000004F2,00000000,000004F1,00000000,000004F7,00000000,0000042A,00000000,0000040A,00000000,00001771,00000000,00000401,00000000,00000429), ref: 20458D99
#2651.MFC80U(000004F3,00000000), ref: 20458DD1
#2155.MFC80U(000004F3,00000000), ref: 20458DD8
#2651.MFC80U(0000040B,00000000), ref: 20458E13
#2155.MFC80U(0000040B,00000000), ref: 20458E1A
#2651.MFC80U(00001772,00000000,0000040B,00000000), ref: 20458E55
#2155.MFC80U(00001772,00000000,0000040B,00000000), ref: 20458E5C

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2155#2651$#6232
String ID:
API String ID: 793604035-0
Opcode ID: bb6037c50241223fbd7e8c3347ad34d8d324fba55ace37c8542ed0f19dfd06de
Instruction ID: 949a63b86c2facbe1e4c267be29fcaf67d256d5a06d32d8d12ce164099b2909d
Opcode Fuzzy Hash: bb6037c50241223fbd7e8c3347ad34d8d324fba55ace37c8542ed0f19dfd06de
Instruction Fuzzy Hash: AF511D30340600CBEA1687A48816BFA36F5EB71B04F40C57DE6469BAE0DFBC5D8AC751

Function 20440B10 Relevance: 34.7, APIs: 23, Instructions: 159COMMON

Download Yara Rule

APIs

#314.MFC80U(00000000,A1C94593,75A85540,?), ref: 20440B41
#6232.MFC80U(00000001), ref: 20440B52
#2651.MFC80U(00000481,00000000,00000001), ref: 20440B85
#2155.MFC80U(00000481,00000000,00000001), ref: 20440B8C
#2651.MFC80U(000003EF,00000000,00000481,00000000,00000001), ref: 20440BBB
#2155.MFC80U(000003EF,00000000,00000481,00000000,00000001), ref: 20440BC2
#2651.MFC80U(00000414,?,000003EF,00000000,00000481,00000000,00000001), ref: 20440BCF
#2155.MFC80U(00000414,?,000003EF,00000000,00000481,00000000,00000001), ref: 20440BD6
#2651.MFC80U(00000415,00000000,00000414,?,000003EF,00000000,00000481,00000000,00000001), ref: 20440BF9
#2155.MFC80U(00000415,00000000,00000414,?,000003EF,00000000,00000481,00000000,00000001), ref: 20440C00
#2651.MFC80U(00000485,00000000,00000415,00000000,00000414,?,000003EF,00000000,00000481,00000000,00000001), ref: 20440C23
#2155.MFC80U(00000485,00000000,00000415,00000000,00000414,?,000003EF,00000000,00000481,00000000,00000001), ref: 20440C2A
#2651.MFC80U(0000048C,00000000,00000485,00000000,00000415,00000000,00000414,?,000003EF,00000000,00000481,00000000,00000001), ref: 20440C56
#2155.MFC80U(0000048C,00000000,00000485,00000000,00000415,00000000,00000414,?,000003EF,00000000,00000481,00000000,00000001), ref: 20440C5D
#2651.MFC80U(00000480,00000000,0000048C,00000000,00000485,00000000,00000415,00000000,00000414,?,000003EF,00000000,00000481,00000000,00000001), ref: 20440C80
#2155.MFC80U(00000480,00000000,0000048C,00000000,00000485,00000000,00000415,00000000,00000414,?,000003EF,00000000,00000481,00000000,00000001), ref: 20440C87
#2651.MFC80U(0000048D,00000000,00000480,00000000,0000048C,00000000,00000485,00000000,00000415,00000000,00000414,?,000003EF,00000000,00000481,00000000), ref: 20440CB3
#2155.MFC80U(0000048D,00000000,00000480,00000000,0000048C,00000000,00000485,00000000,00000415,00000000,00000414,?,000003EF,00000000,00000481,00000000), ref: 20440CBA
#2651.MFC80U(00000493,?,0000048D,00000000,00000480,00000000,0000048C,00000000,00000485,00000000,00000415,00000000,00000414,?,000003EF,00000000), ref: 20440CC7
#2155.MFC80U(00000493,?,0000048D,00000000,00000480,00000000,0000048C,00000000,00000485,00000000,00000415,00000000,00000414,?,000003EF,00000000), ref: 20440CCE
#2651.MFC80U(00000488,?,00000493,?,0000048D,00000000,00000480,00000000,0000048C,00000000,00000485,00000000,00000415,00000000,00000414,?), ref: 20440CDB
#2155.MFC80U(00000488,?,00000493,?,0000048D,00000000,00000480,00000000,0000048C,00000000,00000485,00000000,00000415,00000000,00000414,?), ref: 20440CE2
#6751.MFC80U(00000000,?,00000488,?,00000493,?,0000048D,00000000,00000480,00000000,0000048C,00000000,00000485,00000000,00000415,00000000), ref: 20440D0C

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2155#2651$#314#6232#6751
String ID:
API String ID: 4250440665-0
Opcode ID: 1d070f6378b8014c016d1c576663556e4a03c37731633ca55db6d18dc55688bf
Instruction ID: 7ccf6fe6ad885201f560ca1b0cb57e30665e492daf65b9dd9f5484799068d034
Opcode Fuzzy Hash: 1d070f6378b8014c016d1c576663556e4a03c37731633ca55db6d18dc55688bf
Instruction Fuzzy Hash: 34519E70B447409AF71987F08856BFE61A5DB90F08F40CA2DB6918B7E0DE7DAC828745

Function 20468600 Relevance: 33.7, APIs: 12, Strings: 7, Instructions: 429memorywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 20401670: malloc.MSVCR80 ref: 2040169E
Part of subcall function 20401670: malloc.MSVCR80 ref: 204016B0
Part of subcall function 20401670: free.MSVCR80 ref: 204016BD

#310.MFC80U(00000001), ref: 2046875C
#310.MFC80U ref: 2046876E
#4026.MFC80U(000000B6), ref: 20468782
#4026.MFC80U(000000B2), ref: 20468791
MessageBoxW.USER32(00000000,?,?,00000010), ref: 204687A5
#578.MFC80U ref: 204687B4
#578.MFC80U ref: 204687C6
#1176.MFC80U(?,-00003AB4,?,?), ref: 204687D1
realloc.MSVCR80 ref: 20468AAA

Part of subcall function 2041B690: memmove_s.MSVCR80 ref: 2041B6E2

GlobalAlloc.KERNEL32(00000000,?), ref: 20468B8A
GlobalFree.KERNEL32(00000000), ref: 20468BC7

Strings

RULE, xrefs: 204688A5
<?xml version="1.0" encoding="utf-8"?>, xrefs: 20468AE2
ALL, xrefs: 20468803
NAME, xrefs: 20468952, 20468A5F
<?xml version="1.0"?>, xrefs: 2046882A
ZONE, xrefs: 204689B5
REMOVED, xrefs: 204687ED, 2046886D

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #310#4026#578Globalmalloc$#1176AllocFreeMessagefreememmove_srealloc
String ID: <?xml version="1.0" encoding="utf-8"?>$<?xml version="1.0"?>$ALL$NAME$REMOVED$RULE$ZONE
API String ID: 3761394589-1430527591
Opcode ID: a74c6a03c573ab209a753c9af0f6d51fd380f11e6a6ff1b28efef78ec990bb88
Instruction ID: 6e10fa3624d86319f28baa58daf9d5af0a5b43c5a6595124e08bec108179230f
Opcode Fuzzy Hash: a74c6a03c573ab209a753c9af0f6d51fd380f11e6a6ff1b28efef78ec990bb88
Instruction Fuzzy Hash: 3F029AB06047419FD720CF94CC80B5AB7E5BF84708F108A2EF98587B92E779AA45CF52

Function 2041F880 Relevance: 33.6, APIs: 3, Strings: 16, Instructions: 372COMMON

Download Yara Rule

Strings

MODIFIED, xrefs: 2041F9FD
IP6_SUBNET, xrefs: 2041FC9D
VALUE, xrefs: 2041FA77, 2041FAAF
NAME, xrefs: 2041F95A
FLAGS, xrefs: 2041F91D
IP_SUBNET, xrefs: 2041FBBC
END, xrefs: 2041FB94
IP6_ADDR, xrefs: 2041FC3C
ADDRESS, xrefs: 2041FB16, 2041FBF7, 2041FC77, 2041FCD8
MASKBITS, xrefs: 2041FCF1
DESCRIPTION, xrefs: 2041FA39
IP_RANGE, xrefs: 2041FB3C
BEGIN, xrefs: 2041FB77
IP_ADDR, xrefs: 2041FADB
MASK, xrefs: 2041FC14
USER_NAME, xrefs: 2041F9D9

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID:
String ID: ADDRESS$BEGIN$DESCRIPTION$END$FLAGS$IP6_ADDR$IP6_SUBNET$IP_ADDR$IP_RANGE$IP_SUBNET$MASK$MASKBITS$MODIFIED$NAME$USER_NAME$VALUE
API String ID: 0-527909642
Opcode ID: 3c82f5f2b4f892e01918e5e7548164b6407f9121cbc584f50f4c4988bbfc1e02
Instruction ID: 4aef6be7a0691e11aa97e6274f853f735ab2d7b604b450da3e5b0da1a6f65dab
Opcode Fuzzy Hash: 3c82f5f2b4f892e01918e5e7548164b6407f9121cbc584f50f4c4988bbfc1e02
Instruction Fuzzy Hash: BDD1F6B210830197C710DFE4D840B5AF391AF64668F94CB1DE946A7342E72EEE87C792

Function 20442030 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 214COMMON

Download Yara Rule

APIs

#314.MFC80U(00000000,?,00000001,00000000,?), ref: 2044216C
#310.MFC80U(00000000,?,00000001,00000000,?), ref: 20442180
#310.MFC80U(?,00000001,00000000,?), ref: 20442192
#4026.MFC80U(00000218,?,00000001,00000000,?), ref: 204421A9
#4026.MFC80U(000000B2,?,00000001,00000000,?), ref: 204421B8
#578.MFC80U ref: 204421E3
#578.MFC80U ref: 204421F5
#6751.MFC80U(00000000,?), ref: 20442223
#314.MFC80U(00000000,?,00000000), ref: 20442280
#310.MFC80U(00000000,?,00000000), ref: 20442294
#310.MFC80U(?,00000000), ref: 204422A5
#4026.MFC80U(000002B0,?,00000000), ref: 204422BC
#4026.MFC80U(000000B2,?,00000000), ref: 204422CB
#578.MFC80U ref: 204422FE
#578.MFC80U ref: 20442310
#6751.MFC80U(00000000,?), ref: 2044233E

Part of subcall function 2043E1B0: memcpy_s.MSVCR80 ref: 2043E218
Part of subcall function 2043E1B0: memcpy_s.MSVCR80 ref: 2043E242
Part of subcall function 2043E1B0: memcpy_s.MSVCR80 ref: 2043E272
Part of subcall function 2043E1B0: memcpy_s.MSVCR80 ref: 2043E29F

#578.MFC80U ref: 20442353
#578.MFC80U ref: 20442365

Strings

, xrefs: 204420F4

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #578$#310#4026memcpy_s$#314#6751
String ID:
API String ID: 1842428633-3916222277
Opcode ID: 3632554ad2964c357690e4290160f4c997d73ee3802bf68369c0139166bea1fb
Instruction ID: c312dbba11933494abf222c39655f6629bf2428d9f4299d1424d63f91545401a
Opcode Fuzzy Hash: 3632554ad2964c357690e4290160f4c997d73ee3802bf68369c0139166bea1fb
Instruction Fuzzy Hash: BA91BF305083859FD320DF54CC85BDABBE4BFA4719F508A2CF989572E0DB789A44CB92

Function 20456E10 Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 136windowCOMMON

Download Yara Rule

APIs

#310.MFC80U(A1C94593), ref: 20456E81
#310.MFC80U ref: 20456E93
#4026.MFC80U(000000AD), ref: 20456EAA
#4026.MFC80U(000000AE), ref: 20456EB9
#900.MFC80U( (*.exe)|*.exe|), ref: 20456EC8
#896.MFC80U(?), ref: 20456ED7
#900.MFC80U( (*.*)|*.*|), ref: 20456EE6
#385.MFC80U(00000001,00000000,00000000,00881001,?,?,00000000), ref: 20456F00
#2012.MFC80U(00000001,00000000,00000000,00881001,?,?,00000000), ref: 20456F11
#3082.MFC80U(?,00000001,00000000,00000000,00881001,?,?,00000000), ref: 20456F28

Part of subcall function 2040E820: #764.MFC80U(?,00000000,?,2040F224,?,00000001), ref: 2040E830
Part of subcall function 2040E820: #265.MFC80U(00000000,?,00000000,?,2040F224,?,00000001), ref: 2040E876
Part of subcall function 2040E820: _wcsupr_s.MSVCR80 ref: 2040E896

#578.MFC80U(?,00000001,?,00000001,00000000,00000000,00881001,?,?,00000000), ref: 20456F4F
SendMessageW.USER32(?,0000101E,00000000,0000FFFF), ref: 20456FAF
#630.MFC80U(00000001,00000000,00000000,00881001,?,?,00000000), ref: 20456FCE
#578.MFC80U(00000001,00000000,00000000,00881001,?,?,00000000), ref: 20456FDF
#578.MFC80U(?,00000000), ref: 20456FF1
#764.MFC80U(00000000,?,00000000), ref: 20457007

Strings

(*.exe)|*.exe|, xrefs: 20456EBF
@, xrefs: 20456F5E
(*.*)|*.*|, xrefs: 20456EDD

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #578$#310#4026#764#900$#2012#265#3082#385#630#896MessageSend_wcsupr_s
String ID: (*.*)|*.*|$ (*.exe)|*.exe|$@
API String ID: 4155270257-2039417011
Opcode ID: 95a512bd18d49e5b41d9fd54168a7648ccddea19e9f514ca4a0a111cf68669ff
Instruction ID: 5275b61e0ee0031b6ecf05bdd452a348e85caa2ed6d8c871efa71e3b98f74fc1
Opcode Fuzzy Hash: 95a512bd18d49e5b41d9fd54168a7648ccddea19e9f514ca4a0a111cf68669ff
Instruction Fuzzy Hash: 43515171108780AFD325DF54CC85B9BBBE8FF94B15F408A2DF49592290DB799508CB93

Function 2045C410 Relevance: 33.3, APIs: 22, Instructions: 282windowCOMMON

Download Yara Rule

APIs

#314.MFC80U(00000000,A1C94593), ref: 2045C44D
SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 2045C48D
#310.MFC80U ref: 2045C499
#3985.MFC80U(00000000), ref: 2045C4B7
SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 2045C4D3
#2861.MFC80U(00000000), ref: 2045C4F0
#776.MFC80U(?,00000000), ref: 2045C525
#2490.MFC80U(00000000,?,?), ref: 2045C5C7
SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 2045C773

Part of subcall function 204110E0: #764.MFC80U(?,?,?,?,204127C5,?,20462D02), ref: 2041110A
Part of subcall function 204110E0: #764.MFC80U(20462D01,?,?,?,204127C5,?,20462D02), ref: 2041111A
Part of subcall function 204110E0: #764.MFC80U(?,?,?,?,204127C5,?,20462D02), ref: 2041112A
Part of subcall function 204110E0: #764.MFC80U(?,?,?,?,204127C5,?,20462D02), ref: 2041113A
Part of subcall function 204110E0: #265.MFC80U(00000000,?,?,?,204127C5,?,20462D02), ref: 20411183
Part of subcall function 204110E0: #265.MFC80U(00000000,?,?,?,204127C5,?,20462D02), ref: 204111E3

#764.MFC80U(?,00000000,?,00000000,?,?), ref: 2045C614
#764.MFC80U(?,00000000,?,00000000,?,?), ref: 2045C625
#764.MFC80U(?,00000000,?,00000000,?,?), ref: 2045C636
#764.MFC80U(?,00000000,?,00000000,?,?), ref: 2045C647
SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 2045C666
#2490.MFC80U(00000000), ref: 2045C6AB
#2490.MFC80U(00000000,?,?,00000000), ref: 2045C6D8
#764.MFC80U(?,?,00000000,?,?,00000000), ref: 2045C710
#764.MFC80U(?,?,00000000,?,?,00000000), ref: 2045C721
#764.MFC80U(?,?,00000000,?,?,00000000), ref: 2045C732
SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 2045C752
#578.MFC80U ref: 2045C795
#6751.MFC80U(00000000,?), ref: 2045C7C3

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764$MessageSend$#2490$#265$#2861#310#314#3985#578#6751#776
String ID:
API String ID: 127330169-0
Opcode ID: c2c1206fa169155401c6923bab718468637c0c69534597cf16fa5b64ca2c6bdd
Instruction ID: 5fde8703c6c66e609bc096ed0fb25f270494e9225abf0c7c4514f78428edfbf5
Opcode Fuzzy Hash: c2c1206fa169155401c6923bab718468637c0c69534597cf16fa5b64ca2c6bdd
Instruction Fuzzy Hash: 0FB161716043019FD710DFA4C881F9BBBE4BFA8648F04C91CF95987251EB79EA48CB91

Function 20438070 Relevance: 33.2, APIs: 22, Instructions: 153windowCOMMON

Download Yara Rule

APIs

#501.MFC80U(?,A1C94593), ref: 204380B5
#2521.MFC80U(?,?,A1C94593), ref: 204380CC
#347.MFC80U(?,?,A1C94593), ref: 204380D5
CreateCompatibleDC.GDI32(?), ref: 204380E7
#1270.MFC80U(00000000), ref: 204380F2
LPtoDP.GDI32(?,?,00000002), ref: 20438103
CreateCompatibleBitmap.GDI32(?,?,?), ref: 20438144
#1271.MFC80U(00000000), ref: 2043814F
#5633.MFC80U(?,?,00000000), ref: 2043815E
GetMapMode.GDI32(?,?,?,00000000), ref: 2043816A
#5884.MFC80U(00000000), ref: 20438175
GetBkColor.GDI32(?), ref: 2043817F
#5723.MFC80U(00000000), ref: 2043818C
GetTextColor.GDI32(?), ref: 20438196
#6033.MFC80U(00000000), ref: 204381A1
DPtoLP.GDI32(?,?,00000002), ref: 204381B2
#6058.MFC80U(?,?,?), ref: 204381CB
#2255.MFC80U(?,00000000,?,?,?), ref: 204381DA
BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 20438208
#5633.MFC80U(?,00000000), ref: 2043821B
#602.MFC80U(?,00000000), ref: 2043824D
#709.MFC80U(?,00000000), ref: 20438261

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #5633ColorCompatibleCreate$#1270#1271#2255#2521#347#501#5723#5884#602#6033#6058#709BitmapModeText
String ID:
API String ID: 2901122701-0
Opcode ID: 078ad46cc0a4d2776df4ddafef8a383dcd76b06343dead18b5f7682e13ee46c3
Instruction ID: 8ae041d4327c59bec469319d960c77a5f5bff641b4c54045de56944f76c38e2a
Opcode Fuzzy Hash: 078ad46cc0a4d2776df4ddafef8a383dcd76b06343dead18b5f7682e13ee46c3
Instruction Fuzzy Hash: C4511A72118380AFC314CBA4CC85FABBBB8FBD9A14F008A1DF59597250DB35A904CB62

Function 20436160 Relevance: 31.8, APIs: 21, Instructions: 262windowCOMMON

Download Yara Rule

APIs

#2872.MFC80U(00000000,00000002,A1C94593,?,00000000,00000000,?), ref: 204361BF
GetSysColor.USER32(00000005), ref: 2043627F
GetSysColor.USER32(0000000D), ref: 20436295
GetSysColor.USER32(0000000E), ref: 2043629B
#2255.MFC80U(?,00000000,?,00000000,00000000,?), ref: 204362A9
GetCurrentObject.GDI32(?,00000006), ref: 204362F1
#2362.MFC80U(00000000,?,00000000,00000000,?), ref: 204362F8
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 2043630B
#2362.MFC80U(00000000,?,00000000,00000000,?), ref: 20436312
GetObjectW.GDI32(?,0000005C,?), ref: 20436326
#1925.MFC80U(?,00000000,00000000,?), ref: 2043635E
CreateFontIndirectW.GDI32(?), ref: 20436368
#1271.MFC80U(00000000,?,00000000,00000000,?), ref: 20436374
CopyRect.USER32(?,?), ref: 20436392
#5727.MFC80U(00000001,?,00000000,00000000,?), ref: 204363BC
#1079.MFC80U(?,00000000), ref: 204363D4
#1079.MFC80U(?,?,?,?,?,00000001), ref: 20436402
GetSystemMetrics.USER32(00000031), ref: 20436416
#6735.MFC80U(?), ref: 20436434
#578.MFC80U ref: 20436471
#5727.MFC80U(?), ref: 2043647E

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: Color$#1079#2362#5727Object$#1271#1925#2255#2872#578#6735CopyCreateCurrentFontIndirectMessageMetricsRectSendSystem
String ID:
API String ID: 3417120401-0
Opcode ID: fbb5713d10b500bb0ddd90dabc36e43dcc18d4f2127db6884119fbddb8766d62
Instruction ID: 02342d8d71c409c69d00bd3735ca41ed132bb34a9b4c2763180ef7ad355d78db
Opcode Fuzzy Hash: fbb5713d10b500bb0ddd90dabc36e43dcc18d4f2127db6884119fbddb8766d62
Instruction Fuzzy Hash: 8FA16A716043419FD724DFA4C894FABB7E9BF88714F11CA6DF9499B391DA38A800CB52

Function 20432000 Relevance: 31.7, APIs: 21, Instructions: 242windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 20432013
GetParent.USER32(?), ref: 2043201D
#2366.MFC80U(00000000), ref: 20432024
SendMessageW.USER32(?,00000138,?,?), ref: 20432053
GetBkColor.GDI32(?), ref: 2043205F
GetTextColor.GDI32(?), ref: 20432076
#2362.MFC80U(00000000), ref: 20432085
FillRect.USER32(?,?,00000000), ref: 2043209C
FillRect.USER32(?,?,?), ref: 204320B1

Part of subcall function 2043BAC0: GetCurrentObject.GDI32(?,00000006), ref: 2043BAF1
Part of subcall function 2043BAC0: GetObjectW.GDI32(00000000,0000005C,?), ref: 2043BB01
Part of subcall function 2043BAC0: CreateFontIndirectW.GDI32(?), ref: 2043BB0C
Part of subcall function 2043BAC0: SelectObject.GDI32(?,00000000), ref: 2043BB14
Part of subcall function 2043BAC0: SelectObject.GDI32(?,00000000), ref: 2043BB3C
Part of subcall function 2043BAC0: DeleteObject.GDI32(00000000), ref: 2043BB43

InflateRect.USER32(?,000000FE,00000000), ref: 204320DC
#5727.MFC80U(00000001), ref: 20432108
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 20432129
#2362.MFC80U(00000000), ref: 20432130
#764.MFC80U(?), ref: 2043214F
#5727.MFC80U(?), ref: 204321EA

Part of subcall function 204316C0: SetRectEmpty.USER32(?), ref: 204316D3
Part of subcall function 204316C0: SetRectEmpty.USER32(?), ref: 204316DA
Part of subcall function 204316C0: SetRectEmpty.USER32(?), ref: 204316DD
Part of subcall function 204316C0: CopyRect.USER32(?,?), ref: 20431721
Part of subcall function 204316C0: CopyRect.USER32(?,?), ref: 2043172F

GetFocus.USER32 ref: 20432230
#2366.MFC80U(00000000,?,?,?), ref: 20432237
DrawFocusRect.USER32(?,?), ref: 2043224D
DrawFocusRect.USER32(?,?), ref: 20432262
DrawFocusRect.USER32(?,?), ref: 20432277

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: Rect$Object$Focus$DrawEmpty$#2362#2366#5727ColorCopyFillMessageSelectSend$#764ClientCreateCurrentDeleteFontIndirectInflateParentText
String ID:
API String ID: 2675783874-0
Opcode ID: b180d1408771614da0c1c48bec4abd0d5b74ec03b1dbede2c11c350b72fa5edf
Instruction ID: cd54de75ae23a6b363c5d34842b5dadbeaba6e3f888a96cf96408ed18cc99268
Opcode Fuzzy Hash: b180d1408771614da0c1c48bec4abd0d5b74ec03b1dbede2c11c350b72fa5edf
Instruction Fuzzy Hash: 64912C71604240AFCB44DFA8CD84EAA77B9BFC8704F24866DFD498B255DA38ED05CB61

Function 2046C0B0 Relevance: 31.7, APIs: 21, Instructions: 193windowCOMMON

Download Yara Rule

APIs

#310.MFC80U(A1C94593,?,00000000,75A91AC0,75A84A40), ref: 2046C0DB
#310.MFC80U(?,00000000,75A91AC0,75A84A40), ref: 2046C0F5
#4026.MFC80U(00000283), ref: 2046C109
#4026.MFC80U(0000026E), ref: 2046C169
#899.MFC80U(20492730), ref: 2046C178
#899.MFC80U(75A91AC0), ref: 2046C194

Part of subcall function 2046C340: #6700.MFC80U(A1C94593,?,?,00000000,204798CA,000000FF,2046C1A8,?), ref: 2046C378
Part of subcall function 2046C340: #299.MFC80U(00000000), ref: 2046C381
Part of subcall function 2046C340: #1479.MFC80U(?,?,?,=15,=15), ref: 2046C3BD

#896.MFC80U(00000000), ref: 2046C1B5
#578.MFC80U ref: 2046C1C4
#4026.MFC80U(0000026F), ref: 2046C1D1
#899.MFC80U(20492730), ref: 2046C1E0
#899.MFC80U(?), ref: 2046C1FC
#896.MFC80U(00000000), ref: 2046C219
#578.MFC80U ref: 2046C228
#578.MFC80U ref: 2046C25D
#578.MFC80U ref: 2046C26F
#1176.MFC80U ref: 2046C28B
GetParent.USER32(?), ref: 2046C308
#2366.MFC80U(00000000), ref: 2046C30B
GetParent.USER32(?), ref: 2046C318
#2366.MFC80U(00000000), ref: 2046C31B
SendMessageW.USER32(?,00000421,00000000,00000000), ref: 2046C331

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #578#899$#4026$#2366#310#896Parent$#1176#1479#299#6700MessageSend
String ID:
API String ID: 2655187225-0
Opcode ID: 2f6fc9b179e40aec9dec6dd9fe3cbdea7b1817cac4a4a3c8f9923a910fab0667
Instruction ID: 6058fedef0a65e0c41b0eab122de4fd581de9bbf6bdd0aed3f797d48b292874a
Opcode Fuzzy Hash: 2f6fc9b179e40aec9dec6dd9fe3cbdea7b1817cac4a4a3c8f9923a910fab0667
Instruction Fuzzy Hash: 29618E715087408FC314DFA4CC94B6AB7E4FB94709F44C9ACF446972A1EB39EA49CB91

Function 204546F0 Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 138windowCOMMON

Download Yara Rule

APIs

#310.MFC80U(A1C94593), ref: 20454761
#310.MFC80U ref: 20454773
#4026.MFC80U(000000AD), ref: 2045478A
#4026.MFC80U(000000AE), ref: 20454799
#900.MFC80U( (*.exe)|*.exe|), ref: 204547A8
#896.MFC80U(?), ref: 204547B7
#900.MFC80U( (*.*)|*.*|), ref: 204547C6
#385.MFC80U(00000001,00000000,00000000,00881001,?,?,00000000), ref: 204547E0
#2012.MFC80U(00000001,00000000,00000000,00881001,?,?,00000000), ref: 204547F1
#3082.MFC80U(?,00000001,00000000,00000000,00881001,?,?,00000000), ref: 20454808

Part of subcall function 2040E820: #764.MFC80U(?,00000000,?,2040F224,?,00000001), ref: 2040E830
Part of subcall function 2040E820: #265.MFC80U(00000000,?,00000000,?,2040F224,?,00000001), ref: 2040E876
Part of subcall function 2040E820: _wcsupr_s.MSVCR80 ref: 2040E896

#578.MFC80U(?,00000001,?,00000001,00000000,00000000,00881001,?,?,00000000), ref: 20454833
SendMessageW.USER32(?,0000101E,00000001,0000FFFF), ref: 20454897
#630.MFC80U(00000001,00000000,00000000,00881001,?,?,00000000), ref: 204548B6
#578.MFC80U(00000001,00000000,00000000,00881001,?,?,00000000), ref: 204548C7
#578.MFC80U(?,00000000), ref: 204548D9
#764.MFC80U(00000000,?,00000000), ref: 204548EF

Strings

(*.exe)|*.exe|, xrefs: 2045479F
(*.*)|*.*|, xrefs: 204547BD

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #578$#310#4026#764#900$#2012#265#3082#385#630#896MessageSend_wcsupr_s
String ID: (*.*)|*.*|$ (*.exe)|*.exe|
API String ID: 4155270257-1718033337
Opcode ID: 1cddeaf09556f71b27d46462ae54488118dae2c83bbfc0590247355c0c1c9202
Instruction ID: c93757d751d0b7f6ce5e584a57ba34fd33dfaff37aad5596ab69ee7b61a1648e
Opcode Fuzzy Hash: 1cddeaf09556f71b27d46462ae54488118dae2c83bbfc0590247355c0c1c9202
Instruction Fuzzy Hash: 8D517371108780AFC325DF54CC85B9BBBE8FF94B19F408A2DF495922A0DB759508CB93

Function 20458820 Relevance: 30.2, APIs: 20, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 2042C250: #4574.MFC80U(?,20457514), ref: 2042C253

#2651.MFC80U(000004F3), ref: 2045884D
GetWindowRect.USER32(?,?), ref: 20458863
#2155.MFC80U(00000000), ref: 20458871
#6086.MFC80U(00000000,00000000), ref: 2045887A
#2651.MFC80U(0000042A,00000000,00000000), ref: 20458886
GetWindowRect.USER32(?,?), ref: 20458896
#5609.MFC80U(?), ref: 2045889F
#4119.MFC80U(?,?,?,?,00000001,?), ref: 204588C6
#2651.MFC80U(000004F7,?,?,?,?,00000001,?), ref: 204588D2
GetWindowRect.USER32(?,?), ref: 204588E2
#5609.MFC80U(?), ref: 204588EB
#4119.MFC80U(?,?,?,?,00000001,?), ref: 20458912
#2651.MFC80U(0000040B,?,?,?,?,00000001,?), ref: 2045891E
GetWindowRect.USER32(?,?), ref: 2045892E
#5609.MFC80U(?), ref: 20458937
#4119.MFC80U(?,?,?,?,00000001,?), ref: 20458964
#2651.MFC80U(00001772,?,?,?,?,00000001,?), ref: 20458970
GetWindowRect.USER32(?,?), ref: 20458980
#5609.MFC80U(?), ref: 20458989
#4119.MFC80U(?,?,?,?,00000001,?), ref: 204589B6

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2651RectWindow$#4119#5609$#2155#4574#6086
String ID:
API String ID: 1988953342-0
Opcode ID: c13e60bc6c3f0ce5ac8287fcc5224fca9e2dc996d1ea6a8cbbada187e44eb291
Instruction ID: 459a22ac6ff8665e4377593c6da4157b1f8012e2bbd72c92c5f2a2fa9f544e88
Opcode Fuzzy Hash: c13e60bc6c3f0ce5ac8287fcc5224fca9e2dc996d1ea6a8cbbada187e44eb291
Instruction Fuzzy Hash: 29515FB13043069FD704DFA8CC55EBFB7E9EBC8A08F008A2DB58597291DA78EC058795

Function 20457500 Relevance: 30.2, APIs: 20, Instructions: 165COMMON

Download Yara Rule

APIs

Part of subcall function 2042C250: #4574.MFC80U(?,20457514), ref: 2042C253

#2651.MFC80U(000004F6), ref: 2045754D
GetWindowRect.USER32(?,?), ref: 20457563
#2155.MFC80U(00000000), ref: 20457571
#6086.MFC80U(00000000,00000000), ref: 2045757A
#2651.MFC80U(0000042A,00000000,00000000), ref: 20457586
GetWindowRect.USER32(?,?), ref: 20457596
#5609.MFC80U(?), ref: 2045759F
#4119.MFC80U(?,?,?,?,00000001,?), ref: 204575C6
#2651.MFC80U(000004F8,?,?,?,?,00000001,?), ref: 204575D2
GetWindowRect.USER32(?,?), ref: 204575E2
#5609.MFC80U(?), ref: 204575EB
#4119.MFC80U(?,?,?,?,00000001,?), ref: 20457612
#2651.MFC80U(0000040B,?,?,?,?,00000001,?), ref: 2045761E
GetWindowRect.USER32(?,?), ref: 2045762E
#5609.MFC80U(?), ref: 20457637
#4119.MFC80U(?,?,?,?,00000001,?), ref: 20457664
#2651.MFC80U(00001772,?,?,?,?,00000001,?), ref: 20457670
GetWindowRect.USER32(?,?), ref: 20457680
#5609.MFC80U(?), ref: 20457689
#4119.MFC80U(?,?,?,?,00000001,?), ref: 204576B6

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2651RectWindow$#4119#5609$#2155#4574#6086
String ID:
API String ID: 1988953342-0
Opcode ID: e1965dff9c50a29cb80de7048452725fb93de9bb5d2244790109066319457e8f
Instruction ID: 0654eef182be6b3dd22a090d9fa8510fa7f27e5aa5ffc964efdf0b45828594fc
Opcode Fuzzy Hash: e1965dff9c50a29cb80de7048452725fb93de9bb5d2244790109066319457e8f
Instruction Fuzzy Hash: 4D515FB13043069FD704DF68CC55E7FB7E9EBD8A08F008A2CB59597291EA78EC058B95

Function 20430770 Relevance: 30.2, APIs: 20, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 204307BC
#310.MFC80U ref: 204307CC
#1053.MFC80U(?,?,00000000,0000002C), ref: 204307DF
#310.MFC80U(?,?,00000000,0000002C), ref: 204307F0
#1053.MFC80U(?,?,00000000,0000003D), ref: 20430809
#774.MFC80U(?,?,?,00000000,0000003D), ref: 2043081B
#310.MFC80U(?,?,00000000,0000003D), ref: 20430828
#1053.MFC80U(?,?,00000001,0000003D), ref: 20430841
_wtol.MSVCR80 ref: 2043084F
#3869.MFC80U(00000000,?,00000000,?,000000FF,?,?,00000001,0000003D), ref: 20430896
#578.MFC80U(00000000,?,00000000,?,000000FF,?,?,00000001,0000003D), ref: 204308A7
#578.MFC80U ref: 204308B6
#1053.MFC80U(?,?,-00000001,0000002C), ref: 204308C8
#3395.MFC80U(?,?,00000000,0000002C), ref: 204308E8
#2788.MFC80U(?,?,00000000,0000002C), ref: 204308F6
SendMessageW.USER32(?,00001200), ref: 20430918
SendMessageW.USER32(?,0000120B,-00000001,?), ref: 2043092E
GetSystemMetrics.USER32(00000002), ref: 20430936
SendMessageW.USER32(?,0000120C,-00000001,?), ref: 2043094F
#578.MFC80U ref: 2043095D

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #1053$#310#578MessageSend$#2788#3395#3869#774ClientMetricsRectSystem_wtol
String ID:
API String ID: 4280695641-0
Opcode ID: 676eb742b4dfb1185c0e4fb7d7c19ae165f7a604b4f69baca16d50a8ddea98de
Instruction ID: d3306c2dc2b6d7d4adad176fa29cd68a2cf19bfba0a0eb39b50f631a340e2902
Opcode Fuzzy Hash: 676eb742b4dfb1185c0e4fb7d7c19ae165f7a604b4f69baca16d50a8ddea98de
Instruction Fuzzy Hash: A751A071508701ABE314DB65CC94F5BBBE4FB98B54F108B1CF595922E0DB78E904CB92

Function 2046A200 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 275COMMON

Download Yara Rule

APIs

#310.MFC80U(A1C94593,?,00000000,?), ref: 2046A24A
#4026.MFC80U(00000219,?,00000000,?), ref: 2046A2DD
#1472.MFC80U(?,00000000,?), ref: 2046A31B
#310.MFC80U ref: 2046A373
memset.MSVCR80 ref: 2046A395
#2461.MFC80U(204868EC,00000002,?,?,?,?,00000000,?), ref: 2046A3C0
wcsncmp.MSVCR80 ref: 2046A3C7
GetSystemMetrics.USER32(00000031), ref: 2046A3DA

Part of subcall function 204647D0: #776.MFC80U(?,A1C94593,?,?,?,00000000), ref: 20464813

#1176.MFC80U(00000000,?), ref: 2046A40D
#774.MFC80U(?,?,?,?,00000000,?), ref: 2046A41B
DestroyCursor.USER32(?), ref: 2046A484
#774.MFC80U(00000000,?,00000000,?,00000000,?,?,00000000,00000000,204A3260,?,?,?,?,00000000,?), ref: 2046A4D4
#578.MFC80U ref: 2046A4F9
#5864.MFC80U(00000000,00000004,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 2046A551
#578.MFC80U(?,00000000,00000000,204A3470), ref: 2046A5B3
#578.MFC80U ref: 2046A5CC

Strings

p2J , xrefs: 2046A445

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #578$#310#774$#1176#1472#2461#4026#5864#776CursorDestroyMetricsSystemmemsetwcsncmp
String ID: p2J
API String ID: 3633228290-1550633273
Opcode ID: af3863b70f0876a1cfa7f5f15a3c71e95aa69a8722da6f8f0fa941b0f0ccbd51
Instruction ID: 996cf94eff1e2cf2217b6a6a120249018248d24efa4061d6daff425b6e2006cf
Opcode Fuzzy Hash: af3863b70f0876a1cfa7f5f15a3c71e95aa69a8722da6f8f0fa941b0f0ccbd51
Instruction Fuzzy Hash: AEB19171208741ABD314CFA4C895B9AB7E4BF94709F00CA2DF55A97291EB38A944CF92

Function 20442A00 Relevance: 28.7, APIs: 19, Instructions: 215COMMON

Download Yara Rule

APIs

#310.MFC80U(A1C94593,?,?,?,?,00000000,2047A999,000000FF,2044102C), ref: 20442A28
memset.MSVCR80 ref: 20442A41
#4026.MFC80U ref: 20442A67
wcscpy_s.MSVCR80 ref: 20442A9D
wcsncpy_s.MSVCR80 ref: 20442AB4
#4026.MFC80U ref: 20442AF6
wcscpy_s.MSVCR80 ref: 20442B2D
memset.MSVCR80 ref: 20442B71
#4026.MFC80U ref: 20442B97
wcscpy_s.MSVCR80 ref: 20442BCD
#4026.MFC80U ref: 20442C2B
wcscpy_s.MSVCR80 ref: 20442C5D

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #4026wcscpy_s$memset$#310wcsncpy_s
String ID:
API String ID: 2764536694-0
Opcode ID: ebad0841af5831171d73bf8388fe049bd1bd72ce455b8242ac7a8760335e44c4
Instruction ID: e37fd1f3625893c1c44e5bcf08bd10de1f0668e815bcb2f4157593aa8b119332
Opcode Fuzzy Hash: ebad0841af5831171d73bf8388fe049bd1bd72ce455b8242ac7a8760335e44c4
Instruction Fuzzy Hash: 3881A3B0504B02ABE311CF24CC85BA7B7B8FF48709F408D1DE9A657391D7B976489B51

Function 2044D4A0 Relevance: 28.7, APIs: 19, Instructions: 212COMMON

Download Yara Rule

APIs

#314.MFC80U(00000000,A1C94593), ref: 2044D4D8
#776.MFC80U(20483CF0), ref: 2044D53D
#6751.MFC80U(00000000,?), ref: 2044D750

Part of subcall function 2042E670: #6751.MFC80U(00000000,?,2042E5B8,00000000,A1C94593), ref: 2042E688

#6751.MFC80U(00000000,?), ref: 2044D791

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #6751$#314#776
String ID:
API String ID: 527024662-0
Opcode ID: 74c24d0cb461f308b201a75516ed458f182609a21cb2372e90b48c6f5989f4f3
Instruction ID: 8dd999ad99c8cdfa40ad9653db68ec9141ca0acd8cbb1f7ca18c7e41612e3f41
Opcode Fuzzy Hash: 74c24d0cb461f308b201a75516ed458f182609a21cb2372e90b48c6f5989f4f3
Instruction Fuzzy Hash: 5681F271A08A41AFE704DFA4CC44B9ABBE0FB85719F00C61DF59593290DB3CA905CB92

Function 20437750 Relevance: 27.2, APIs: 18, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 2043776B
GetSystemMetrics.USER32(00000003), ref: 20437773
GetClientRect.USER32(?,?), ref: 20437780
GetWindowRect.USER32(?,?), ref: 2043778F
#5609.MFC80U(?), ref: 2043779C
SetRect.USER32(?,?,?,?,?), ref: 204377CA
SendMessageW.USER32(?,00001200,00000000,00000000), ref: 204377DD
#6061.MFC80U(00000000,?,?,?,?,00000014), ref: 20437817
#6061.MFC80U(00000000,?,?,?,?,00000014,00000000,?,?,?,?,00000014), ref: 20437840
InvalidateRect.USER32(75A85540,00000000,00000001,00000000,?,?,?,?,00000014,00000000,?,?,?,?,00000014), ref: 2043785E
#6086.MFC80U(00000000), ref: 20437875
#2155.MFC80U(00000000,00000000), ref: 2043787E
SendMessageW.USER32(?,00001207,00000000,?), ref: 2043789A
SendMessageW.USER32(?,00001207,-000000FF,?), ref: 204378B2
#3395.MFC80U ref: 204378EB
#6061.MFC80U(00000000,?,?,?,00000000,00000054), ref: 2043791F
#5981.MFC80U(00000002,00000007,00000001), ref: 20437966
#2155.MFC80U(00000001,00000002,00000007,00000001), ref: 2043796F

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: Rect$#6061MessageSend$#2155MetricsSystem$#3395#5609#5981#6086ClientInvalidateWindow
String ID:
API String ID: 3645718903-0
Opcode ID: 21ccb586117c78da2a23b02a06aaa101c8c2654ad8c76e7f71005bc749b1e17f
Instruction ID: 6873d10806194d77a4cfca0b4f43bae2f31d94951606afd11c3252bb2f2f83c1
Opcode Fuzzy Hash: 21ccb586117c78da2a23b02a06aaa101c8c2654ad8c76e7f71005bc749b1e17f
Instruction Fuzzy Hash: CC613C71648700AFD304CB64CD85F6BB7E9ABC8B08F008A1DF69597290DAB4E905CB52

Function 2046ACC0 Relevance: 27.2, APIs: 18, Instructions: 183fileCOMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 2046AD24
free.MSVCR80 ref: 2046AD31
#310.MFC80U ref: 2046AD49
#776.MFC80U(20485878), ref: 2046AD96
#310.MFC80U ref: 2046ADC1

Part of subcall function 204647D0: #776.MFC80U(?,A1C94593,?,?,?,00000000), ref: 20464813

#2461.MFC80U ref: 2046ADF1
#2310.MFC80U(?,00000094,?,00000100), ref: 2046AE4A
#896.MFC80U(?), ref: 2046AE5C
#2461.MFC80U(00000080,00000003,00000000,00000003,00000080,00000000), ref: 2046AE89
CreateFileW.KERNEL32(00000000), ref: 2046AE90
GetFileInformationByHandle.KERNEL32(00000000,?), ref: 2046AEA7
CloseHandle.KERNEL32(00000000), ref: 2046AED9
#578.MFC80U ref: 2046AEEB

Part of subcall function 20410DF0: memset.MSVCR80 ref: 20410E35
Part of subcall function 20410DF0: memset.MSVCR80 ref: 20410E4D
Part of subcall function 20410DF0: wsprintfW.USER32 ref: 20410E69
Part of subcall function 20410DF0: VerQueryValueW.VERSION(?,?,?,?), ref: 20410E8F
Part of subcall function 20410DF0: lstrcpynW.KERNEL32(00000000,?,?,?,?,?,?), ref: 20410EA7

#578.MFC80U ref: 2046AEFC
#1176.MFC80U ref: 2046AF18
#578.MFC80U ref: 2046AF28
memset.MSVCR80 ref: 2046AF51
free.MSVCR80 ref: 2046AF5E

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: memset$#578$#2461#310#776FileHandlefree$#1176#2310#896CloseCreateInformationQueryValuelstrcpynwsprintf
String ID:
API String ID: 3114194095-0
Opcode ID: bae151055dfc82e9f6e5f8243db1830b93ad008603c433816424715529aacda6
Instruction ID: 299edd9703621aa63c558c508e10403511056ad100b833bcae6599695a625164
Opcode Fuzzy Hash: bae151055dfc82e9f6e5f8243db1830b93ad008603c433816424715529aacda6
Instruction Fuzzy Hash: E771A2715087409FC310DF64CC89A5AB7E4FF94708F408E2DF599972A0EB38A989CF92

Function 20406540 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

wcscpy_s.MSVCR80 ref: 20406591
wcsncpy_s.MSVCR80 ref: 204065A7
wcschr.MSVCR80 ref: 204065BA
wcscpy_s.MSVCR80 ref: 204065E6
wcschr.MSVCR80 ref: 204065F2
wcsncpy_s.MSVCR80 ref: 2040660A
wcschr.MSVCR80 ref: 2040661D
_snwprintf_s.MSVCR80 ref: 2040668D
wcscpy_s.MSVCR80 ref: 204066C2
wcsncpy_s.MSVCR80 ref: 204066D8
wcschr.MSVCR80 ref: 204066EB

Strings

IP6_ADDR, xrefs: 20406541

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: wcschr$wcscpy_swcsncpy_s$_snwprintf_s
String ID: IP6_ADDR
API String ID: 2905155339-1561260847
Opcode ID: 47e3fe825613e1b6450fc5c50a4a0ad2b13a8b7b0fc8793c4d52f362dca36199
Instruction ID: e2a72aac4db4876480e7d1603feb0957049e14262460354dd65782d59b7c11bc
Opcode Fuzzy Hash: 47e3fe825613e1b6450fc5c50a4a0ad2b13a8b7b0fc8793c4d52f362dca36199
Instruction Fuzzy Hash: 9A412D30404B22BBC310AB98CC89E1F76AAEFC131AF14CA3DF51263295DB6E651586D6

Function 20445A50 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 106librarystringloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 20445AB2
strcpy_s.MSVCR80 ref: 20445AD8
strcat_s.MSVCR80 ref: 20445AEF
LoadLibraryA.KERNEL32(?,?,?,?,-00000001,?,00000008), ref: 20445AFF
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 20445B0D
FreeLibrary.KERNEL32(00000000,?,?,?,-00000001,?,00000008), ref: 20445B18
strcpy_s.MSVCR80 ref: 20445B30
strcat_s.MSVCR80 ref: 20445B41
LoadLibraryA.KERNEL32(?), ref: 20445B4B
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 20445B5F
FreeLibrary.KERNEL32(00000000), ref: 20445B66
GetProcAddress.KERNEL32(00000000,?), ref: 20445B7C

Strings

getaddrinfo, xrefs: 20445A6F, 20445B07, 20445B59
\wship6, xrefs: 20445B32
\ws2_32, xrefs: 20445AE0

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: Library$AddressProc$FreeLoadstrcat_sstrcpy_s$DirectorySystem
String ID: \ws2_32$\wship6$getaddrinfo
API String ID: 1002071407-3078833738
Opcode ID: 7049ffa7209eaf4601507fc619209b423472e0dc5b36286b745ed577acdaf74b
Instruction ID: 11f288673e82c687b43bf6052560b49ad4e3b1d551902d6b513d8f73b389c7dc
Opcode Fuzzy Hash: 7049ffa7209eaf4601507fc619209b423472e0dc5b36286b745ed577acdaf74b
Instruction Fuzzy Hash: 8A4191715097419BD310EFA5CCC4A9BBBE8EBC8744F40CD2DE54497251EB7CEA048B96

Function 2045AEB0 Relevance: 25.8, APIs: 17, Instructions: 319windowencryptionCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001009,00000000,00000000), ref: 2045AEFE
malloc.MSVCR80 ref: 2045AF09
#1176.MFC80U(?,?,?,00000000), ref: 2045AF89
free.MSVCR80 ref: 2045B00D
malloc.MSVCR80 ref: 2045B01D
#3873.MFC80U(00000001,000000FF,?,00000000,00000000,00000000,00000000), ref: 2045B090
#5862.MFC80U(000000FF,00000002,00000001,00000000,00000000,00000000,00000000,00000000,00000001,000000FF,?,00000000,00000000,00000000,00000000), ref: 2045B0AB
#5862.MFC80U(000000FF,00000000,00000004,00000000,00000000,00000000,00000000,?,000000FF,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 2045B0C3
CertGetNameStringW.CRYPT32(?,00000004,00000001,00000000,00000000,00000000), ref: 2045B14E
free.MSVCR80 ref: 2045B184
malloc.MSVCR80 ref: 2045B191
CertGetNameStringW.CRYPT32(?,00000004,00000001,00000000,00000000,00000080), ref: 2045B1DA
#5862.MFC80U(000000FF,00000001,00000001,00000000,00000000,00000000,00000000,00000000), ref: 2045B1FE
free.MSVCR80 ref: 2045B25E
SendMessageW.USER32(?,0000101E,00000000,0000FFFE), ref: 2045B280
SendMessageW.USER32(?,0000101E,00000001,0000FFFE), ref: 2045B295
SendMessageW.USER32(?,0000101E,00000002,0000FFFE), ref: 2045B2AA

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: MessageSend$#5862freemalloc$CertNameString$#1176#3873
String ID:
API String ID: 2005483445-0
Opcode ID: f6091f5a1c2f201371206002669792c78905fec26cb7a3506b44a1ce23e23444
Instruction ID: 7aa81ce3c81966263314b35946536dfc2b25f7b097feda67f60f561cf53201e5
Opcode Fuzzy Hash: f6091f5a1c2f201371206002669792c78905fec26cb7a3506b44a1ce23e23444
Instruction Fuzzy Hash: 18C161B1B40605ABDB10CF94CC85FED7BB5AF58708F148169FA04AF391C7B9A945CBA0

Function 20420E10 Relevance: 25.8, APIs: 17, Instructions: 307windowCOMMON

Download Yara Rule

APIs

#762.MFC80U(00000040,A1C94593,?,?,75A85540,?,00000000,2047CE6B,000000FF,2041340D,00000000,?,00000000), ref: 20420E6E
#764.MFC80U(?), ref: 20420EBE
#764.MFC80U(?), ref: 20420ED7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 20420F4E
SendMessageW.USER32(?,00001015,00000000,00000000), ref: 20420F5B
UpdateWindow.USER32(?), ref: 20420F61
#1176.MFC80U(A1C94593,?,?,75A85540,?,00000000,2047CE6B,000000FF,2041340D,00000000,?,00000000), ref: 20420F7C
#2361.MFC80U(?,?,?,?,00000000,?,?,00000000,?,?,?,00000004), ref: 20420FE7
GetCurrentObject.GDI32(?,00000006), ref: 20421006
#2362.MFC80U(00000000,?,?,00000000,?,?,00000000,?,?,?,00000004), ref: 2042100D
GetObjectW.GDI32(?,0000005C,?), ref: 2042101F
SendMessageW.USER32(?,0000102C,?,00000002), ref: 2042103C
#5867.MFC80U(?,00000000,00000002,?,?,00000000,?,?,00000000,?,?,?,00000004), ref: 2042105C
#2361.MFC80U(?,?,?,?,00000000,?,?,00000000,?,?,?,00000004), ref: 204210A1
#5867.MFC80U(?,00000002,00000002,?,?,?,?,00000000,?,?,00000000,?,?,?,00000004), ref: 204210D9
#2361.MFC80U(?,?,?,?,00000000,?,?,00000000,?,?,?,00000004), ref: 204210EE
#2361.MFC80U(?,?,?,?,00000000,?,?,00000000,?,?,?,00000004), ref: 2042111E

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2361$MessageSend$#5867#764Object$#1176#2362#762CurrentUpdateWindow
String ID:
API String ID: 2351648720-0
Opcode ID: 672f647bf08ec23234bc2087f0e45b13ee6fb693e93c213341d5d513fe22b25d
Instruction ID: 9e60b9e9ee0762daa73f16079c96528702c899e64c1e2e01d0807964c78369a3
Opcode Fuzzy Hash: 672f647bf08ec23234bc2087f0e45b13ee6fb693e93c213341d5d513fe22b25d
Instruction Fuzzy Hash: ECB1A171604B809FD324CFA9D980B67BBE4BF58704F40891DE68A87B61D778F944CBA1

Function 20434EB0 Relevance: 25.6, APIs: 17, Instructions: 144windowCOMMON

Download Yara Rule

APIs

#501.MFC80U(?,A1C94593), ref: 20434EF7
#2521.MFC80U(?,?,A1C94593), ref: 20434F0E
#347.MFC80U(?,?,A1C94593), ref: 20434F17
CreateCompatibleDC.GDI32(?), ref: 20434F29
#1270.MFC80U(00000000), ref: 20434F34
LPtoDP.GDI32(?,?,00000002), ref: 20434F45
CreateCompatibleBitmap.GDI32(?,?,?), ref: 20434F86
#1271.MFC80U(00000000), ref: 20434F91
#5633.MFC80U(?,?,00000000), ref: 20434FA0
GetMapMode.GDI32(?,?,?,00000000), ref: 20434FAC
#5884.MFC80U(00000000), ref: 20434FB7
DPtoLP.GDI32(?,?,00000002), ref: 20434FC8
#6058.MFC80U(?,?,?), ref: 20434FE1
BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 20435023
#5633.MFC80U(?,00000000), ref: 20435036
#602.MFC80U(?,00000000), ref: 20435068
#709.MFC80U(?,00000000), ref: 2043507C

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #5633CompatibleCreate$#1270#1271#2521#347#501#5884#602#6058#709BitmapMode
String ID:
API String ID: 1373658176-0
Opcode ID: c34cfe65f2e81302b6606f60459f7e002a2ad8293115252f17f7a2094577e07d
Instruction ID: a83816640fc43899ab8bedff050c7f80ea9979f3e0078e773df583a019831a82
Opcode Fuzzy Hash: c34cfe65f2e81302b6606f60459f7e002a2ad8293115252f17f7a2094577e07d
Instruction Fuzzy Hash: 63510A71108380AFC314CBA4C895FABBBF9FBD9614F408A1DF59597290DB35A904CBA2

Function 20454EF0 Relevance: 25.6, APIs: 17, Instructions: 141windowCOMMON

Download Yara Rule

APIs

#314.MFC80U(00000000,A1C94593), ref: 20454F37
#2651.MFC80U(000004DD), ref: 20454FB1
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 20454FC9
#2651.MFC80U(00000418), ref: 20454FD2
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 20454FE4
#2651.MFC80U(00000418), ref: 20454FFA
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 20455012
#2651.MFC80U(000004DD), ref: 2045501B
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 2045502D
#2651.MFC80U(00000419), ref: 2045503B
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 20455053
#2651.MFC80U(000004DD), ref: 2045505C
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 2045506E
#2651.MFC80U(00000418), ref: 20455077
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 20455089
#6232.MFC80U(00000000), ref: 2045508F
#6751.MFC80U(00000000,?,00000000), ref: 204550C3

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2651MessageSend$#314#6232#6751
String ID:
API String ID: 2120556010-0
Opcode ID: 00c5c4d9388734689ff230a2c2ad7f1d8935393552846ac86e096f6d73856075
Instruction ID: 400493f18f7f61b9d9f6c8aa757d2f0e415e25ab5d97b307948fb031a99fd79b
Opcode Fuzzy Hash: 00c5c4d9388734689ff230a2c2ad7f1d8935393552846ac86e096f6d73856075
Instruction Fuzzy Hash: CC519371384706AFD724DB608C52FAA7BA4AB94F04F50861CF2542F6D0CFB8A805CB95

Function 20459B80 Relevance: 25.6, APIs: 17, Instructions: 65COMMON

Download Yara Rule

APIs

#6232.MFC80U(00000001,20459A70,00000000), ref: 20459B84
#2651.MFC80U(000003FE), ref: 20459BB5
#2155.MFC80U(000003FE), ref: 20459BBC
#2651.MFC80U(0000049F,?,000003FE), ref: 20459BC9
#2155.MFC80U(0000049F,?,000003FE), ref: 20459BD0
#2651.MFC80U(00000479,?,0000049F,?,000003FE), ref: 20459BDD
#2155.MFC80U(00000479,?,0000049F,?,000003FE), ref: 20459BE4
#2651.MFC80U(000004A1,?,00000479,?,0000049F,?,000003FE), ref: 20459BF1
#2155.MFC80U(000004A1,?,00000479,?,0000049F,?,000003FE), ref: 20459BF8
#2651.MFC80U(000004A0,?,000004A1,?,00000479,?,0000049F,?,000003FE), ref: 20459C05
#2155.MFC80U(000004A0,?,000004A1,?,00000479,?,0000049F,?,000003FE), ref: 20459C0C
#2651.MFC80U(000004CE,?,000004A0,?,000004A1,?,00000479,?,0000049F,?,000003FE), ref: 20459C19
#2155.MFC80U(000004CE,?,000004A0,?,000004A1,?,00000479,?,0000049F,?,000003FE), ref: 20459C20
#2651.MFC80U(000004CF,?,000004CE,?,000004A0,?,000004A1,?,00000479,?,0000049F,?,000003FE), ref: 20459C2D
#2155.MFC80U(000004CF,?,000004CE,?,000004A0,?,000004A1,?,00000479,?,0000049F,?,000003FE), ref: 20459C34
#2651.MFC80U(000003F7,?,000004CF,?,000004CE,?,000004A0,?,000004A1,?,00000479,?,0000049F,?,000003FE), ref: 20459C41
#2155.MFC80U(000003F7,?,000004CF,?,000004CE,?,000004A0,?,000004A1,?,00000479,?,0000049F,?,000003FE), ref: 20459C48

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2155#2651$#6232
String ID:
API String ID: 793604035-0
Opcode ID: f18dba61e3397a45a84501a188c387c4ade9fb1771f5a5cd87d6bd45c25fe1b6
Instruction ID: b5f15e1a3d2d9f20017a06a8e2974cef47318a9224f4a602365c315b078bc4fe
Opcode Fuzzy Hash: f18dba61e3397a45a84501a188c387c4ade9fb1771f5a5cd87d6bd45c25fe1b6
Instruction Fuzzy Hash: EB11A8607C065157D95A23B15C2AFBF15AA8BE2E0CF80C52CB2425FAF0DE6C8D068355

Function 2045D190 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 335COMMON

Download Yara Rule

APIs

#3395.MFC80U ref: 2045D1B0
GetClientRect.USER32(?,?), ref: 2045D1C5
BeginDeferWindowPos.USER32(00000000), ref: 2045D1DB
EndDeferWindowPos.USER32(00000000), ref: 2045D1F9

Strings

, xrefs: 2045D2AF

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: DeferWindow$#3395BeginClientRect
String ID:
API String ID: 3239882827-3916222277
Opcode ID: fc394b92ffa3647cce4dac8b4896ce4752b666bd29a0a9cdc9c3fc3ebb51db73
Instruction ID: 034aadabd89f1504db7cc2445e4d788f2b944d61817344f63716ab64c38942e8
Opcode Fuzzy Hash: fc394b92ffa3647cce4dac8b4896ce4752b666bd29a0a9cdc9c3fc3ebb51db73
Instruction Fuzzy Hash: 3BC158716047019FC714CF68C984A5ABBF1BF99258F04CA2CF98997755D738EC49CB82

Function 20412180 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 222COMMON

Download Yara Rule

Strings

OPTION;OPTNAME=%s, xrefs: 20412339
OPTNAME, xrefs: 20412370
VALUE, xrefs: 204123D9
DESC, xrefs: 2041238F
SETTINGS, xrefs: 20412228
DWORD, xrefs: 204123BB
TYPE, xrefs: 204123B3
xXH , xrefs: 20412397
OPTIONS, xrefs: 2041223C, 20412284, 2041229F

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764
String ID: DESC$DWORD$OPTION;OPTNAME=%s$OPTIONS$OPTNAME$SETTINGS$TYPE$VALUE$xXH
API String ID: 441403673-3842691247
Opcode ID: 44759ae7967cd5d754631de882d4850044f044f1689e997cc1386254ff75ca69
Instruction ID: bb8fcba937c8b7826b6e61e985063486853f44c02f1705573b680c95f00d62d2
Opcode Fuzzy Hash: 44759ae7967cd5d754631de882d4850044f044f1689e997cc1386254ff75ca69
Instruction Fuzzy Hash: 0B71A1B06043009BC320CFA5CD81B5BF7E4AF94A48F40CA2DF999D7391E73DD9958A52

Function 2044E2C0 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

#314.MFC80U(00000000,A1C94593), ref: 2044E2F8
#776.MFC80U(20485878), ref: 2044E331
#776.MFC80U(20483CF0), ref: 2044E351
#2310.MFC80U(?,00000212,-0000002E), ref: 2044E37F
#4026.MFC80U(00000236), ref: 2044E3D9
#2311.MFC80U(?,"%s",?), ref: 2044E3F0
#4026.MFC80U(00000237), ref: 2044E402
#5149.MFC80U(00000028), ref: 2044E421
#5398.MFC80U(000000FF,00000000), ref: 2044E43F
#6751.MFC80U(00000000,?), ref: 2044E4C3

Strings

"%s", xrefs: 2044E3EA

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #4026#776$#2310#2311#314#5149#5398#6751
String ID: "%s"
API String ID: 349887472-3297466227
Opcode ID: a16b56dffb77aa759c24ceb2f07e91822a11aa3424924b61ba93bdb9948eb8f5
Instruction ID: d2cfaa41a95424281d7d24f1a67dfd6e071f8f898d974065d71e4609338fcf78
Opcode Fuzzy Hash: a16b56dffb77aa759c24ceb2f07e91822a11aa3424924b61ba93bdb9948eb8f5
Instruction Fuzzy Hash: CE518B71A087019BE310CFA6CC89B5BB7A4FB44319F00CA2DFA46572D1DA79A904DB92

Function 2045BED0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 136encryptionCOMMON

Download Yara Rule

APIs

#314.MFC80U(00000000,A1C94593), ref: 2045BF06
CertFindCertificateInStore.CRYPT32(00000000,00010001,00000000,00070007,ESET_RootSslCert,00000000), ref: 2045BF4C
#310.MFC80U ref: 2045BF6A
#310.MFC80U ref: 2045BF78
#4026.MFC80U(00000217), ref: 2045BF8A
#4026.MFC80U(00000216), ref: 2045BF98
#4098.MFC80U(?,?,00000030), ref: 2045BFAA
#578.MFC80U(?,?,00000030), ref: 2045BFB5
#578.MFC80U ref: 2045BFC2
memset.MSVCR80 ref: 2045BFFA
#6751.MFC80U(00000000,?), ref: 2045C088

Strings

Root, xrefs: 2045BF12
ESET_RootSslCert, xrefs: 2045BF3A
H, xrefs: 2045C002

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #310#4026#578$#314#4098#6751CertCertificateFindStorememset
String ID: ESET_RootSslCert$H$Root
API String ID: 91189364-3528139168
Opcode ID: 0678abf56a7a3d1e0d72c8b167023fc8ff6b7b06c889aa8113efb5d68817ad2b
Instruction ID: 50884617386e7d724cd1282ccc776c095777ed97c0775213a395e720bce9dbe1
Opcode Fuzzy Hash: 0678abf56a7a3d1e0d72c8b167023fc8ff6b7b06c889aa8113efb5d68817ad2b
Instruction Fuzzy Hash: 9A514A70945609EFCB10DFE4CD89BEEBBB4AB18B05F20C229E501B72D0DB795A05DB60

Function 20424060 Relevance: 24.1, APIs: 16, Instructions: 146windowCOMMON

Download Yara Rule

APIs

#4574.MFC80U(A1C94593), ref: 20424095
#310.MFC80U(A1C94593), ref: 204240A2
#4026.MFC80U(000000C5), ref: 204240BA
SendMessageW.USER32(?,0000014A,00000000,?), ref: 204240D2
SendMessageW.USER32(?,0000014A,00000001,?), ref: 2042410D
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 2042413D
#6063.MFC80U(20485878), ref: 2042414E
#6063.MFC80U(20485878,20485878), ref: 2042415E
#310.MFC80U ref: 2042416C
#2311.MFC80U(?,2048587C,000000FF), ref: 20424188
#6063.MFC80U(?), ref: 2042419C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 204241E7
#6063.MFC80U(20485878), ref: 204241F8
#578.MFC80U ref: 20424209
#578.MFC80U ref: 20424222
SendMessageW.USER32(?,0000014E,00000001,00000000), ref: 20424256

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: MessageSend$#6063$#310#578$#2311#4026#4574
String ID:
API String ID: 41856079-0
Opcode ID: 1edb12446993ca98173a7668d1f0b0277ab47e324ba7c68fac4df549d923e01e
Instruction ID: 687126907702a7e443bdc3775094fafe2b3e18f5a04f559aed56f15db4042a3c
Opcode Fuzzy Hash: 1edb12446993ca98173a7668d1f0b0277ab47e324ba7c68fac4df549d923e01e
Instruction Fuzzy Hash: 3D5123316086459FD724CF60CC84FAB77A9FB94309F40CA2CF945576E0DB799904CB52

Function 20478B91 Relevance: 24.1, APIs: 16, Instructions: 141sleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,?,?,00000001,?,20478DBB,00000001,?,?,20498100,00000010,20478E87,?), ref: 20478BEE
InterlockedCompareExchange.KERNEL32(204A57F4,?,00000000), ref: 20478BF7
_amsg_exit.MSVCR80 ref: 20478C15
_initterm_e.MSVCR80 ref: 20478C30
_initterm.MSVCR80 ref: 20478C4C
InterlockedExchange.KERNEL32(204A57F4,00000000), ref: 20478C61
Sleep.KERNEL32(000003E8,?,?,00000001,?,20478DBB,00000001,?,?,20498100,00000010,20478E87,?), ref: 20478CB2
InterlockedCompareExchange.KERNEL32(204A57F4,00000001,00000000), ref: 20478CBC
_amsg_exit.MSVCR80 ref: 20478CCE
_decode_pointer.MSVCR80(?,?,00000001,?,20478DBB,00000001,?,?,20498100,00000010,20478E87,?), ref: 20478CE2
_decode_pointer.MSVCR80(?,00000001,?,20478DBB,00000001,?,?,20498100,00000010,20478E87,?), ref: 20478CF1
_encoded_null.MSVCR80(00000001,?,20478DBB,00000001,?,?,20498100,00000010,20478E87,?), ref: 20478D03
_decode_pointer.MSVCR80(?,?,20478DBB,00000001,?,?,20498100,00000010,20478E87,?), ref: 20478D13
free.MSVCR80 ref: 20478D20
_encoded_null.MSVCR80(?,20498100,00000010,20478E87,?), ref: 20478D27
InterlockedExchange.KERNEL32(204A57F4,00000000), ref: 20478D44

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: ExchangeInterlocked$_decode_pointer$CompareSleep_amsg_exit_encoded_null$_initterm_initterm_efree
String ID:
API String ID: 2174737765-0
Opcode ID: e17a9ff4fe9a01e9f66dbe4c43903dcfb7005e81e7626672a228798f566fa08a
Instruction ID: 182727d0421b49ffdac12668d794a1d59ea721c2da4f447e0c6feb1164b7796b
Opcode Fuzzy Hash: e17a9ff4fe9a01e9f66dbe4c43903dcfb7005e81e7626672a228798f566fa08a
Instruction Fuzzy Hash: E641C175549601EFD2119FA0CD84EA97BB5EB1470AF20C82EF901966B2CF7C9C44EAA1

Function 20460190 Relevance: 24.1, APIs: 16, Instructions: 110windowCOMMON

Download Yara Rule

APIs

#4574.MFC80U ref: 204601A5
GetClientRect.USER32(?,?), ref: 204601B3
#2651.MFC80U(000004C6,0000000F), ref: 204601E4

Part of subcall function 2045D0A0: GetParent.USER32(?), ref: 2045D0B0
Part of subcall function 2045D0A0: #2366.MFC80U(00000000), ref: 2045D0B7
Part of subcall function 2045D0A0: #4109.MFC80U(00000000,02000000,00000000), ref: 2045D0D7
Part of subcall function 2045D0A0: GetClientRect.USER32(?,?), ref: 2045D0F1
Part of subcall function 2045D0A0: GetWindowRect.USER32(?,00000000), ref: 2045D116
Part of subcall function 2045D0A0: #5609.MFC80U(00000000), ref: 2045D123
Part of subcall function 2045D0A0: malloc.MSVCR80 ref: 2045D12A
Part of subcall function 2045D0A0: #5713.MFC80U(?,00000000), ref: 2045D177

#2651.MFC80U(00000428,00000009,000004C6,0000000F), ref: 204601F9
#2651.MFC80U(00000499,00000009,00000428,00000009,000004C6,0000000F), ref: 2046020E
SendMessageW.USER32(?,00001003,00000001,?), ref: 2046023C
#2364.MFC80U(00000000), ref: 2046023F
SendMessageW.USER32(?,00001037,00000000,00000000), ref: 20460254
SendMessageW.USER32(?,00001036,00000000,00000000), ref: 20460268
#3869.MFC80U(00000000,20485878,00000000,00000019,000000FF), ref: 2046027F
#3869.MFC80U(00000001,20486940,00000000,000000C8,000000FF,00000000,20485878,00000000,00000019,000000FF), ref: 20460296
SendMessageW.USER32(?,00001009,00000000,00000000), ref: 204602AB
#2651.MFC80U(00000428,00000000), ref: 204602BF
#2155.MFC80U(00000428,00000000), ref: 204602C6
#2651.MFC80U(00000499,00000000,00000428,00000000), ref: 204602D4
#2155.MFC80U(00000499,00000000,00000428,00000000), ref: 204602DB

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2651$MessageSend$Rect$#2155#3869Client$#2364#2366#4109#4574#5609#5713ParentWindowmalloc
String ID:
API String ID: 1725614514-0
Opcode ID: b4f2627a347d5a81c19f3b90ed9b67b099448da426e5a52dbe35c8c8a3e56190
Instruction ID: 8bc0d5fc76cd60e7e419bd58047b3fc9abc88ffc0ab25ff98c7cafe0d2c59eeb
Opcode Fuzzy Hash: b4f2627a347d5a81c19f3b90ed9b67b099448da426e5a52dbe35c8c8a3e56190
Instruction Fuzzy Hash: 2D31E6703803057BE62897B48C87FEEB699AB54F08F40C61CB3586B6D0DFA8BC458794

Function 2045B6F0 Relevance: 24.1, APIs: 16, Instructions: 109windowCOMMON

Download Yara Rule

APIs

#2651.MFC80U(000003EE,00000000,?,?), ref: 2045B719
#2155.MFC80U(000003EE,00000000,?,?), ref: 2045B720
#2651.MFC80U(000004C6,00000000,000003EE,00000000,?,?), ref: 2045B72D
#2155.MFC80U(000004C6,00000000,000003EE,00000000,?,?), ref: 2045B734
#2651.MFC80U(000003F7,00000000,000004C6,00000000,000003EE,00000000,?,?), ref: 2045B745
#2155.MFC80U(000003F7,00000000,000004C6,00000000,000003EE,00000000,?,?), ref: 2045B74C
#2651.MFC80U(000004F9,00000000,000003F7,00000000,000004C6,00000000,000003EE,00000000,?,?), ref: 2045B759
#2155.MFC80U(000004F9,00000000,000003F7,00000000,000004C6,00000000,000003EE,00000000,?,?), ref: 2045B760
#2651.MFC80U(000004F9,?,000004C6,00000000), ref: 2045B778
#2651.MFC80U(000003F7,000004F9,?,000004C6,00000000), ref: 2045B78A
SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 2045B7B1
#2860.MFC80U(00000000,?,?,000004C6,00000000), ref: 2045B7D5
#2155.MFC80U(00000001,?,000004C6,00000000), ref: 2045B813
#2155.MFC80U(00000000,00000001,?,000004C6,00000000), ref: 2045B823
#2155.MFC80U(00000000,?,000004C6,00000000), ref: 2045B832
#2155.MFC80U(00000000,00000000,?,000004C6,00000000), ref: 2045B83E

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2155$#2651$#2860MessageSend
String ID:
API String ID: 1451778098-0
Opcode ID: ce393c04e2335226a34f455cef0e272eb4f0d1c9f16b51af7167b89965d3b120
Instruction ID: 67a8ca9e0ab85399b09c8d6d91a4dc5d329e4d14118fc57435a7ce78afcd73f5
Opcode Fuzzy Hash: ce393c04e2335226a34f455cef0e272eb4f0d1c9f16b51af7167b89965d3b120
Instruction Fuzzy Hash: 1131C5713846019BDA01ABA48856BBE77BADBE0F08F40C53CF5464B7E0CE7C990AC752

Function 2040DD80 Relevance: 23.1, APIs: 1, Strings: 12, Instructions: 376COMMON

Download Yara Rule

APIs

Part of subcall function 20402090: _wcsicmp.MSVCR80 ref: 204020FE

#1176.MFC80U(?,?,?,?,?,?,?,?,?,?,?,00000000,ADAPTER_NAME,?,?,?), ref: 2040E29E

Part of subcall function 20401EC0: _wcsicmp.MSVCR80 ref: 20401F2E

Part of subcall function 2040C930: #764.MFC80U(?,A1C94593,?,?,2047BB2C,000000FF,2040E34E,?,?,?,?,20464AC2,?,?,?,?), ref: 2040C964
Part of subcall function 2040C930: #764.MFC80U(?,A1C94593,?,?,2047BB2C,000000FF,2040E34E,?,?,?,?,20464AC2,?,?,?,?), ref: 2040C974
Part of subcall function 2040C930: #764.MFC80U(?,A1C94593,?,?,2047BB2C,000000FF,2040E34E,?,?,?,?,20464AC2,?,?,?,?), ref: 2040C990
Part of subcall function 2040C930: #764.MFC80U(?,A1C94593,?,?,2047BB2C,000000FF,2040E34E,?,?,?,?,20464AC2,?,?,?,?), ref: 2040C9AC
Part of subcall function 2040C930: #764.MFC80U(?,A1C94593,?,?,2047BB2C,000000FF,2040E34E,?,?,?,?,20464AC2,?,?,?,?), ref: 2040C9C8
Part of subcall function 2040C930: #764.MFC80U(?,A1C94593,?,?,2047BB2C,000000FF,2040E34E,?,?,?,?,20464AC2,?,?,?,?), ref: 2040C9E7

Strings

(, xrefs: 2040E1A4
ADAPTERS, xrefs: 2040DDCE
ADAPTER_NAME, xrefs: 2040DE34
NAME, xrefs: 2040DE8D
SUBNET_MASK, xrefs: 2040DF98
IP6_ADDR, xrefs: 2040DF20, 2040DF7B, 2040E02D, 2040E08B, 2040E172, 2040E1CB
ADDRESSES_DNS, xrefs: 2040E0A1
ADDRESSES_MULTICAST, xrefs: 2040E011
IP_ADDR, xrefs: 2040DED5, 2040DFB2, 2040E0C1, 2040E158
ADDRESS, xrefs: 2040DEFC, 2040DF4D, 2040DFD9, 2040E05D, 2040E0ED, 2040E19D
ADDRESSES_UNICAST, xrefs: 2040DEB5
ADAPTER, xrefs: 2040DDF6, 2040E228

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764$_wcsicmp$#1176
String ID: ($ADAPTER$ADAPTERS$ADAPTER_NAME$ADDRESS$ADDRESSES_DNS$ADDRESSES_MULTICAST$ADDRESSES_UNICAST$IP6_ADDR$IP_ADDR$NAME$SUBNET_MASK
API String ID: 1024906901-1100604650
Opcode ID: d62074c8ca693871cca77507b0ef0936bf118cca2e6a1637b2bf2ea5ef87f241
Instruction ID: aca5af3c6637ef0e943cc87965f3c7281b4ae4fd47ceedf4ca17f81ce8ee28a1
Opcode Fuzzy Hash: d62074c8ca693871cca77507b0ef0936bf118cca2e6a1637b2bf2ea5ef87f241
Instruction Fuzzy Hash: 18D1A6B14153449BC314DB95CC81FAFB3EABBD4608F408E3DF989A6241E73DA6098B53

Function 20450000 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 197registryCOMMON

Download Yara Rule

APIs

Part of subcall function 2043CE80: wcscpy_s.MSVCR80 ref: 2043CEAD
Part of subcall function 2043CE80: wcscpy_s.MSVCR80 ref: 2043CEF9
Part of subcall function 2043CE80: wcscpy_s.MSVCR80 ref: 2043CF39
Part of subcall function 2043CE80: wcscpy_s.MSVCR80 ref: 2043CF98

Part of subcall function 2043D210: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000008,-00000023,6C954B78,?), ref: 2043D266

EnterCriticalSection.KERNEL32(?), ref: 2045009D
wcscpy_s.MSVCR80 ref: 204500E5
wcsncpy_s.MSVCR80 ref: 20450103
LeaveCriticalSection.KERNEL32(?), ref: 20450140
RegCloseKey.ADVAPI32(?), ref: 2045014B
RegEnumKeyW.ADVAPI32(?,00000000,?,0000000E), ref: 2045016F
wcsncmp.MSVCR80 ref: 20450190
RegCloseKey.ADVAPI32(?), ref: 2045020D
RegEnumKeyW.ADVAPI32(?,-00000001,?,0000000E), ref: 20450238
LeaveCriticalSection.KERNEL32(?), ref: 20450250
RegCloseKey.ADVAPI32(?), ref: 20450261
RegCloseKey.ADVAPI32(?), ref: 20450268

Strings

Node_, xrefs: 20450183

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: wcscpy_s$Close$CriticalSection$EnumLeave$EnterOpenwcsncmpwcsncpy_s
String ID: Node_
API String ID: 1802429796-3995354651
Opcode ID: d14b8de77c63ef39d49a351c681705719c90754a08a61d834a833efde99d88db
Instruction ID: bc35a6ce19b864aa4decf253173c78be40daf2bb1fb0ca7fd91c94ece76f0322
Opcode Fuzzy Hash: d14b8de77c63ef39d49a351c681705719c90754a08a61d834a833efde99d88db
Instruction Fuzzy Hash: 0B61A1B5108704ABD714DFA4CC85BABB7E8BF9C708F108D1CF99597241DA39EA098B52

Function 2041C590 Relevance: 22.8, APIs: 15, Instructions: 345COMMON

Download Yara Rule

APIs

#764.MFC80U(FF9A6AE8,A1C94593,00000000,00000001,?,?,?,00000000,2047EED7,000000FF), ref: 2041C662
#764.MFC80U(458BFFF9,A1C94593,00000000,00000001,?,?,?,00000000,2047EED7,000000FF), ref: 2041C67B
#764.MFC80U(CCCCCCCC,A1C94593,00000000,00000001,?,?,?,00000000,2047EED7,000000FF), ref: 2041C694
#764.MFC80U(83F0458B,A1C94593,00000000,00000001,?,?,?,00000000,2047EED7,000000FF), ref: 2041C6AD
#764.MFC80U(FFF99779,A1C94593,00000000,00000001,?,?,?,00000000,2047EED7,000000FF), ref: 2041C6C6
qsort.MSVCR80 ref: 2041C6FB
qsort.MSVCR80 ref: 2041C756
qsort.MSVCR80 ref: 2041C77C
qsort.MSVCR80 ref: 2041C7A4
qsort.MSVCR80 ref: 2041C7F4
#265.MFC80U(00000000,A1C94593,00000000,00000001,?,?,?,00000000,2047EED7,000000FF), ref: 2041C826
#265.MFC80U(00000000,A1C94593,00000000,00000001,?,?,?,00000000,2047EED7,000000FF), ref: 2041C893
#265.MFC80U(00000000,A1C94593,00000000,00000001,?,?,?,00000000,2047EED7,000000FF), ref: 2041C8F3
wcscpy_s.MSVCR80 ref: 2041C94E
wcsncpy_s.MSVCR80 ref: 2041C95F

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764qsort$#265$wcscpy_swcsncpy_s
String ID:
API String ID: 2630380505-0
Opcode ID: 527e4a909f8d4ab2249d358f0f897bcfc00e09c81ee43996ef5b6378b076cdce
Instruction ID: 7d6139fbdda4d1cc13a014d33e862f6533b6a53d91e9fdf6e56a956c0eee08b0
Opcode Fuzzy Hash: 527e4a909f8d4ab2249d358f0f897bcfc00e09c81ee43996ef5b6378b076cdce
Instruction Fuzzy Hash: DCD18AB19003088BCB14CF69CC81A9AFBE5FF98304F548A1EED559B361D7B9E945CB81

Function 20446460 Relevance: 22.7, APIs: 15, Instructions: 195COMMON

Download Yara Rule

APIs

#776.MFC80U(?,A1C94593,00000000,?,?,00000000), ref: 204464AA
#4026.MFC80U(?,?,?,00000000), ref: 20446504
#4026.MFC80U(?,?,?,?,00000000), ref: 2044651E
memset.MSVCR80 ref: 2044654F
free.MSVCR80 ref: 2044655C
#5149.MFC80U(00000080,?,?,?,00000000), ref: 20446590
#5398.MFC80U(000000FF,00000080,?,?,?,00000000), ref: 204465B0
#774.MFC80U(?,?,?,?,00000000), ref: 204465D0
#4026.MFC80U(000001D2,?,?,?,00000000), ref: 204465E1
#762.MFC80U(0000044C,?,?,?,00000000), ref: 204465EC
memset.MSVCR80 ref: 20446654
free.MSVCR80 ref: 20446661
#2461.MFC80U(?,?,?,00000000,?,?,?,?,00000000), ref: 204466DA
#774.MFC80U ref: 20446707
#774.MFC80U(?), ref: 20446714

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #4026#774$freememset$#2461#5149#5398#762#776
String ID:
API String ID: 581628281-0
Opcode ID: 98a892b8d0df8cd6ef370fa9880814b123266298d9cd77d375af763eb087fec2
Instruction ID: f67a0cb9749c766af282978b63d155dd4df52af9296faa6f0a75167341ba6a5e
Opcode Fuzzy Hash: 98a892b8d0df8cd6ef370fa9880814b123266298d9cd77d375af763eb087fec2
Instruction Fuzzy Hash: AD8180719043849FDB24CF94CC95BDEB7A4BF44704F00C92EFA4A9B250DB79AA09CB52

Function 20461490 Relevance: 22.6, APIs: 15, Instructions: 102windowCOMMON

Download Yara Rule

APIs

#4574.MFC80U ref: 204614A5
GetClientRect.USER32(?,?), ref: 204614B3
#2651.MFC80U(000004C6,0000000F), ref: 204614E4

Part of subcall function 2045D0A0: GetParent.USER32(?), ref: 2045D0B0
Part of subcall function 2045D0A0: #2366.MFC80U(00000000), ref: 2045D0B7
Part of subcall function 2045D0A0: #4109.MFC80U(00000000,02000000,00000000), ref: 2045D0D7
Part of subcall function 2045D0A0: GetClientRect.USER32(?,?), ref: 2045D0F1
Part of subcall function 2045D0A0: GetWindowRect.USER32(?,00000000), ref: 2045D116
Part of subcall function 2045D0A0: #5609.MFC80U(00000000), ref: 2045D123
Part of subcall function 2045D0A0: malloc.MSVCR80 ref: 2045D12A
Part of subcall function 2045D0A0: #5713.MFC80U(?,00000000), ref: 2045D177

#2651.MFC80U(00000428,00000009,000004C6,0000000F), ref: 204614F9
#2651.MFC80U(00000499,00000009,00000428,00000009,000004C6,0000000F), ref: 2046150E
SendMessageW.USER32(?,00001003,00000001,?), ref: 2046153C
#2364.MFC80U(00000000), ref: 2046153F
SendMessageW.USER32(?,00001037,00000000,00000000), ref: 20461554
SendMessageW.USER32(?,00001036,00000000,00000000), ref: 20461568
#3869.MFC80U(00000000,20485878,00000000,000000C8,000000FF), ref: 20461580
SendMessageW.USER32(?,00001009,00000000,00000000), ref: 20461595
#2651.MFC80U(00000428,00000000), ref: 204615A9
#2155.MFC80U(00000428,00000000), ref: 204615B0
#2651.MFC80U(00000499,00000000,00000428,00000000), ref: 204615BE
#2155.MFC80U(00000499,00000000,00000428,00000000), ref: 204615C5

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2651$MessageSend$Rect$#2155Client$#2364#2366#3869#4109#4574#5609#5713ParentWindowmalloc
String ID:
API String ID: 4050641184-0
Opcode ID: e2ca6bff617878acf79874e4f88d9535b3bc8e2d914fbb513a8aadbeaf0642eb
Instruction ID: 8aeb6e7560911261bafd35b6296635efa155aac981d9dbe41764942a1e8cde91
Opcode Fuzzy Hash: e2ca6bff617878acf79874e4f88d9535b3bc8e2d914fbb513a8aadbeaf0642eb
Instruction Fuzzy Hash: 4031D4707803027BE62897B48C42FBEB799AB54F04F40861DB259AB6D0DFA8A8458791

Function 20441920 Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 368COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,A1C94593), ref: 20441990
LeaveCriticalSection.KERNEL32(?), ref: 204419A5
#762.MFC80U(000002DC), ref: 204419CF

Part of subcall function 20445C00: #310.MFC80U(00000000,A1C94593,00000000,?,?,00000000,00000000,20480B9B,000000FF,204419EB,00000000), ref: 20445C40
Part of subcall function 20445C00: #310.MFC80U ref: 20445C51
Part of subcall function 20445C00: #310.MFC80U ref: 20445C62
Part of subcall function 20445C00: #310.MFC80U ref: 20445C73
Part of subcall function 20445C00: #310.MFC80U ref: 20445C84
Part of subcall function 20445C00: #310.MFC80U ref: 20445C95
Part of subcall function 20445C00: #310.MFC80U ref: 20445CA6
Part of subcall function 20445C00: #310.MFC80U ref: 20445CB7
Part of subcall function 20445C00: #310.MFC80U ref: 20445CC8
Part of subcall function 20445C00: #310.MFC80U ref: 20445CD9
Part of subcall function 20445C00: #310.MFC80U ref: 20445CEA
Part of subcall function 20445C00: EnterCriticalSection.KERNEL32(00003FC8,00000104), ref: 20445D13
Part of subcall function 20445C00: LeaveCriticalSection.KERNEL32(00003FC8), ref: 20445D21
Part of subcall function 20445C00: memset.MSVCR80 ref: 20445D2E

GetTickCount.KERNEL32 ref: 20441A95
#762.MFC80U(000005D4), ref: 20441AAD
GetTickCount.KERNEL32 ref: 20441AF1
EnterCriticalSection.KERNEL32(?,00000000), ref: 20441B3A
LeaveCriticalSection.KERNEL32(?), ref: 20441B4F
#762.MFC80U(000000E8), ref: 20441B63
#762.MFC80U(00000058,00000000), ref: 20441BD9
#762.MFC80U(0000007C), ref: 20441C8D

Strings

}, xrefs: 2044197D

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #310$CriticalSection$#762$EnterLeave$CountTick$memset
String ID: }
API String ID: 2898407527-4239843852
Opcode ID: cc26bdfaaf374ea7267c643fcee85da63826c3592bafba178029d9611c036d8f
Instruction ID: 67782cbd16a6edc87daeac32aed44315c09c759a4b5c5fe1bebd17b21bd0bd1d
Opcode Fuzzy Hash: cc26bdfaaf374ea7267c643fcee85da63826c3592bafba178029d9611c036d8f
Instruction Fuzzy Hash: 3EC1C472A097418FE714CF99D881B6BB7E5FBC4761F10862EF94697390DB39A800CB91

Function 20412B10 Relevance: 21.3, APIs: 14, Instructions: 286COMMON

Download Yara Rule

APIs

#1176.MFC80U(A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000,2047AC89), ref: 20412B3D
#764.MFC80U(?,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000), ref: 20412B64
#764.MFC80U(?,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000), ref: 20412B74
#764.MFC80U(?,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000), ref: 20412B84
#764.MFC80U(?,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000), ref: 20412B94
#764.MFC80U(?,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000), ref: 20412BAD
#265.MFC80U(00000000,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000), ref: 20412BF3
memset.MSVCR80 ref: 20412C00
memset.MSVCR80 ref: 20412C7E

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764$memset$#1176#265
String ID:
API String ID: 2140225662-0
Opcode ID: cced180ea473a5b1e1e367befc32688df4333c8617c2ef4c693b935e30686c1a
Instruction ID: 318eaf825227baa4e4400ef08250b981e21bef2880d11851eeb8ef97de00dd19
Opcode Fuzzy Hash: cced180ea473a5b1e1e367befc32688df4333c8617c2ef4c693b935e30686c1a
Instruction Fuzzy Hash: 09A1ADB1A006159FC314CFA8DA84B56FBA4BB54A14F04C62EE819C7751E738E9A4CFD1

Function 20430AA0 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 20430AC1
#2788.MFC80U ref: 20430ACD
IsWindow.USER32(?), ref: 20430AE0
SendMessageW.USER32(?,00001200,00000000,00000000), ref: 20430B1B
SendMessageW.USER32(?,0000120B), ref: 20430B38
SendMessageW.USER32(?,0000120C,00000000,?), ref: 20430B74
SendMessageW.USER32(?,00001200,00000000,00000000), ref: 20430B86
SendMessageW.USER32(?,0000120B), ref: 20430BB3
SendMessageW.USER32(?,0000120C,?,?), ref: 20430CC7
SendMessageW.USER32(?,00001030,?,20430980), ref: 20430CFB

Strings

$, xrefs: 20430CB6

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: MessageSend$Window$#2788
String ID: $
API String ID: 170428694-3993045852
Opcode ID: fa24ff3485e0c19831be8faee70d1698d032d1fc723f849b0ec9068bbd055843
Instruction ID: 5ac11d6b472a672f92059aeb1bc39d0abadbed3282ae6fcfb5d0dcd038441f01
Opcode Fuzzy Hash: fa24ff3485e0c19831be8faee70d1698d032d1fc723f849b0ec9068bbd055843
Instruction Fuzzy Hash: 8E61B4B19083549BD714CF98C850F9BBBE4AF88754F219B1DFA949B281C779EC04CB92

Function 2044BA50 Relevance: 21.2, APIs: 14, Instructions: 165COMMON

Download Yara Rule

APIs

#314.MFC80U(00000000,A1C94593), ref: 2044BA88
#4026.MFC80U(00000203), ref: 2044BAC8
#4026.MFC80U(00000262), ref: 2044BB0D
#4026.MFC80U(00000210), ref: 2044BB1D
#6735.MFC80U(20485878), ref: 2044BB38
#4026.MFC80U(00000205), ref: 2044BB86
#2310.MFC80U(?,00000263,?), ref: 2044BB9A
#4026.MFC80U(00000209), ref: 2044BBAD
#578.MFC80U ref: 2044BBC6
#4026.MFC80U(00000264), ref: 2044BBDB
#4026.MFC80U(0000026C), ref: 2044BBEB
#4026.MFC80U(00000207), ref: 2044BC23
#4026.MFC80U(0000020A), ref: 2044BC33
#6751.MFC80U(00000000,?), ref: 2044BC7B

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #4026$#2310#314#578#6735#6751
String ID:
API String ID: 1152340505-0
Opcode ID: aea3eb7ab47aaac884afba9da9087e3c5bd6c835ab55cae6a36f454c8326b254
Instruction ID: 8f5a687574ce4ce5ad568c4f72d1fdae622d59998485b5505ef5895051a5d4f4
Opcode Fuzzy Hash: aea3eb7ab47aaac884afba9da9087e3c5bd6c835ab55cae6a36f454c8326b254
Instruction Fuzzy Hash: CD619875A08700DFD704CF94C884B5AB7B5FB88719F10C62EEA516B390DB79A909CB92

Function 20445C00 Relevance: 21.1, APIs: 14, Instructions: 88COMMON

Download Yara Rule

APIs

#310.MFC80U(00000000,A1C94593,00000000,?,?,00000000,00000000,20480B9B,000000FF,204419EB,00000000), ref: 20445C40
#310.MFC80U ref: 20445C51
#310.MFC80U ref: 20445C62
#310.MFC80U ref: 20445C73
#310.MFC80U ref: 20445C84
#310.MFC80U ref: 20445C95
#310.MFC80U ref: 20445CA6
#310.MFC80U ref: 20445CB7
#310.MFC80U ref: 20445CC8
#310.MFC80U ref: 20445CD9
#310.MFC80U ref: 20445CEA

Part of subcall function 20440280: #6735.MFC80U ref: 204402E6
Part of subcall function 20440280: #6735.MFC80U(20485878,0000011F), ref: 2044030D
Part of subcall function 20440280: #6735.MFC80U(20485878), ref: 20440323

EnterCriticalSection.KERNEL32(00003FC8,00000104), ref: 20445D13
LeaveCriticalSection.KERNEL32(00003FC8), ref: 20445D21
memset.MSVCR80 ref: 20445D2E

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #310$#6735$CriticalSection$EnterLeavememset
String ID:
API String ID: 3143921478-0
Opcode ID: 2157d352ddc2455e798fedfbc3618833a5aa07da9aa986f8a3d86055a92f27a7
Instruction ID: 24daf216aa99d7273f657a96e9add7aef185053559727ef4d998557eda13c0bf
Opcode Fuzzy Hash: 2157d352ddc2455e798fedfbc3618833a5aa07da9aa986f8a3d86055a92f27a7
Instruction Fuzzy Hash: AB415E31008B81DFC311DF65CC8879BBBE4EB65719F048D2DE4A682291DB79660DCFA2

Function 2045F330 Relevance: 19.7, APIs: 13, Instructions: 231windowCOMMON

Download Yara Rule

APIs

#4109.MFC80U(00000000,00000120,00000000,?,000004C3,0000000F), ref: 2045F349
SendMessageW.USER32(?), ref: 2045F36E
#3877.MFC80U(00000001,00000000,00000000,00000000,00000000,00000000,00000000,FFFF0000,FFFF0000,?,00000000), ref: 2045F3FD
#5864.MFC80U(00000000,00000008,00000000,00000000,00000000,00000010,00000010,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,FFFF0000), ref: 2045F419
#5864.MFC80U(00000000,00000004,00000000,00000000,00000000,00000000,00000000,?,00000000,00000008,00000000,00000000,00000000,00000010,00000010,00000000), ref: 2045F42E
#3877.MFC80U(00000001,?,00000000,00000000,00000000,00000000,00000000,FFFF0000,FFFF0002,00000000,00000004,00000000,00000000,00000000,00000000,00000000), ref: 2045F512
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 2045F528
#3877.MFC80U(00000001,?,00000000,00000000,00000000,00000000,00000000,FFFF0000,FFFF0002,00000000,00000004,00000000,00000000,00000000,00000000,00000000), ref: 2045F55B
#5864.MFC80U(00000000,00000004,00000000,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000,00000000,FFFF0000), ref: 2045F57A
#5747.MFC80U(00000000,?,00000000,00000004,00000000,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000), ref: 2045F59D
SendMessageW.USER32(?,00001102,00000002,FFFF0000), ref: 2045F5DE
SendMessageW.USER32(?,00001101,00000000,00000000), ref: 2045F5F9
#5982.MFC80U(00000001,00000000,00000001,?,00000000), ref: 2045F626

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: MessageSend$#3877#5864$#4109#5747#5982
String ID:
API String ID: 3275147637-0
Opcode ID: 9dd212be45086d75f6ae4a172555495b67a5b5979c489670bcb928c4cd8918b4
Instruction ID: e9f79f5a2f50c667ce6c69e562628473a29d41ef9b7a263904081b92f45a8f23
Opcode Fuzzy Hash: 9dd212be45086d75f6ae4a172555495b67a5b5979c489670bcb928c4cd8918b4
Instruction Fuzzy Hash: 6D818F70784302AFD318CF50C895F6ABBA4FB54B04F14865CF6455B2E2D7B8AC4ACB96

Function 204541F0 Relevance: 19.7, APIs: 13, Instructions: 193COMMON

Download Yara Rule

APIs

#310.MFC80U(A1C94593), ref: 20454236
wcsncmp.MSVCR80 ref: 204542A2

Part of subcall function 2043AB10: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,204542B6), ref: 2043AB2A
Part of subcall function 2043AB10: GetLastError.KERNEL32 ref: 2043AB35

wcsncmp.MSVCR80 ref: 204542EB
GetSystemMetrics.USER32(00000031), ref: 20454325
#1079.MFC80U(?,000000FF,?), ref: 20454368
DestroyCursor.USER32(?), ref: 20454383
#1176.MFC80U ref: 2045438B
#776.MFC80U(?), ref: 204543A1
#3873.MFC80U(00000003,00000000,?,00000000,00000000,?,00000000), ref: 204543C3
#5862.MFC80U(00000000,00000001,00000003,00000000,?,00000000,00000000,00000000,00000003,00000000,?,00000000,00000000,?,00000000), ref: 204543E6
#5862.MFC80U(00000000,00000000,00000004,00000000,00000000,00000000,00000000,?,00000000,00000001,00000003,00000000,?,00000000,00000000,00000000), ref: 20454402
#5742.MFC80U(00000000,?,00000000,00000000,00000004,00000000,00000000,00000000,00000000,?,00000000,00000001,00000003,00000000,?,00000000), ref: 20454430
#578.MFC80U ref: 20454444

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #5862wcsncmp$#1079#1176#310#3873#5742#578#776CreateCursorDestroyErrorFileLastMetricsSystem
String ID:
API String ID: 1150038964-0
Opcode ID: 9f5206003f6ed2973ce07917a7ff6ec924d8b96aed58063a2543852da7b61b2e
Instruction ID: 479ed0915f2eeaa8b574ac43a3881d8b8663088f3cfef44c723c3c907148f41c
Opcode Fuzzy Hash: 9f5206003f6ed2973ce07917a7ff6ec924d8b96aed58063a2543852da7b61b2e
Instruction Fuzzy Hash: 0561D0713046009FD320CF58CC85F6EBBE4AFE4B18F50852CF545AB2E1DA75A94ACB91

Function 20432E50 Relevance: 19.6, APIs: 13, Instructions: 134windowCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 20432E63
VariantChangeType.OLEAUT32(?,?,00000000,00000003), ref: 20432E80
VariantCopy.OLEAUT32(?,?), ref: 20432E93
GetFocus.USER32 ref: 20432ED5
#2366.MFC80U(00000000), ref: 20432EDC
#5829.MFC80U(00000000), ref: 20432EE7
InvalidateRect.USER32(?,?,00000001,?,?,?,00000000), ref: 20432F15
InvalidateRect.USER32(?,?,00000001,?,?,?,00000000), ref: 20432F22
InvalidateRect.USER32(?,?,00000001,?,?,?,00000000), ref: 20432F2F
InvalidateRect.USER32(?,?,00000001,?,?,?,?,?,?,00000000), ref: 20432F57
InvalidateRect.USER32(?,?,00000001,?,?,?,?,?,?,00000000), ref: 20432F64
InvalidateRect.USER32(?,?,00000001,?,?,?,?,?,?,00000000), ref: 20432F71
#931.MFC80U(?), ref: 20432FA0

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: InvalidateRect$Variant$#2366#5829#931ChangeCopyFocusInitType
String ID:
API String ID: 955593151-0
Opcode ID: c5e2da395930f61b844a44f2bc0d0ae6e1df8a7d97cae30f990c223835d46e9f
Instruction ID: 54aef1c164e554c70e00ceb81e3176a7b1b36d9b59236c1140e2668beb021dd4
Opcode Fuzzy Hash: c5e2da395930f61b844a44f2bc0d0ae6e1df8a7d97cae30f990c223835d46e9f
Instruction Fuzzy Hash: 29415072204704ABC310DFA8CC85EABB7E8FB88754F40CA1DFA45C7250E675E904CBA1

Function 2041C400 Relevance: 19.6, APIs: 13, Instructions: 127COMMON

Download Yara Rule

APIs

#764.MFC80U(?,A1C94593,00000000,?,?,00000000,2047EF37,000000FF,204141E8), ref: 2041C441
#764.MFC80U(?,A1C94593,00000000,?,?,00000000,2047EF37,000000FF,204141E8), ref: 2041C45A
#764.MFC80U(?,A1C94593,00000000,?,?,00000000,2047EF37,000000FF,204141E8), ref: 2041C473
#764.MFC80U(?,A1C94593,00000000,?,?,00000000,2047EF37,000000FF,204141E8), ref: 2041C48C
#764.MFC80U(?,A1C94593,00000000,?,?,00000000,2047EF37,000000FF,204141E8), ref: 2041C4A5
#764.MFC80U(?,A1C94593,00000000,?,?,00000000,2047EF37,000000FF,204141E8), ref: 2041C4BE
#764.MFC80U(?,A1C94593,00000000,?,?,00000000,2047EF37,000000FF,204141E8), ref: 2041C4CE
#764.MFC80U(?,A1C94593,00000000,?,?,00000000,2047EF37,000000FF,204141E8), ref: 2041C4DE
#764.MFC80U(?,A1C94593,00000000,?,?,00000000,2047EF37,000000FF,204141E8), ref: 2041C4FA
#764.MFC80U(?,A1C94593,00000000,?,?,00000000,2047EF37,000000FF,204141E8), ref: 2041C516
#764.MFC80U(?,A1C94593,00000000,?,?,00000000,2047EF37,000000FF,204141E8), ref: 2041C532
#764.MFC80U(?,A1C94593,00000000,?,?,00000000,2047EF37,000000FF,204141E8), ref: 2041C54D
#764.MFC80U(?,A1C94593,00000000,?,?,00000000,2047EF37,000000FF,204141E8), ref: 2041C56C

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764
String ID:
API String ID: 441403673-0
Opcode ID: 65d4c250b3c0ed55533833a044512dbb364082f86e0d1659ee375bc80d9dcd08
Instruction ID: 26c75929185dbee3c79399b8a997fa1e10c0bedbbae0da6622dbb3a9f327ec5c
Opcode Fuzzy Hash: 65d4c250b3c0ed55533833a044512dbb364082f86e0d1659ee375bc80d9dcd08
Instruction Fuzzy Hash: 8841F8F1904B909BC721DFA98CC1A56FBF5BB14604B90CD2DE18AC3B50D37DF9488A91

Function 2042FDE0 Relevance: 19.6, APIs: 13, Instructions: 117COMMON

Download Yara Rule

APIs

GetCurrentObject.GDI32(?,00000001), ref: 2042FE0D
#2362.MFC80U(00000000,?,?,?,?,?,?,?,?,?,A1C94593), ref: 2042FE14
GetSysColor.USER32(00000008), ref: 2042FE1D
#502.MFC80U(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,A1C94593), ref: 2042FE2C
#5638.MFC80U(00000001), ref: 2042FE40
GetObjectW.GDI32(?,00000010,?), ref: 2042FE50
SetPixel.GDI32(?,?,?,?), ref: 2042FE88
#4117.MFC80U(?,?,?), ref: 2042FE9D
#3995.MFC80U(?,?,?,?,?), ref: 2042FEAF
#4117.MFC80U(?,?,?,?,?,?,?,?), ref: 2042FEC3
#3995.MFC80U(?,?,?,?,?,?,?,?,?,?), ref: 2042FED5
#4117.MFC80U(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 2042FEE9
#3995.MFC80U(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 2042FEF9

Part of subcall function 20414A70: #1925.MFC80U(A1C94593,?,?,?,00000000,2047B9E9,000000FF), ref: 20414AB9

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #3995#4117$Object$#1925#2362#502#5638ColorCurrentPixel
String ID:
API String ID: 4087137754-0
Opcode ID: 59ecc4f7dc50ed9334732aeb286dce247e3e1767718eeb872eea6448c82c6914
Instruction ID: ec0158209c5d8f9ca73e8296061b28e5e4782f84f5fcd26e68bdf0d698a588a5
Opcode Fuzzy Hash: 59ecc4f7dc50ed9334732aeb286dce247e3e1767718eeb872eea6448c82c6914
Instruction Fuzzy Hash: 6A417FB2604640ABC714CF68CC84E9BB7F9BB98608F058A2CF55AD7694DB38D908CB51

Function 20446750 Relevance: 19.6, APIs: 13, Instructions: 108COMMON

Download Yara Rule

APIs

#310.MFC80U(A1C94593,?,?,?,?,?,2047A999,000000FF,2044623F,00000000,A1C94593), ref: 2044677A
#2121.MFC80U(?,?,?,?,?,2047A999), ref: 20446790
#2310.MFC80U(?,?,?,?,?,?,?,?,2047A999), ref: 204467B7
#2310.MFC80U(?,000001DA,?,?), ref: 204467DC
#896.MFC80U(?), ref: 204467E8
#2310.MFC80U(?,000001DB,?), ref: 204467FF
#896.MFC80U(?), ref: 2044680B
#2310.MFC80U(?,000001DC,?), ref: 20446822
#896.MFC80U(?), ref: 2044682E
#2310.MFC80U(?,000001DE,?), ref: 20446855
#2310.MFC80U(?,000001DD,?), ref: 2044687C
#896.MFC80U(?), ref: 20446888
#578.MFC80U ref: 2044689A

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2310$#896$#2121#310#578
String ID:
API String ID: 431348084-0
Opcode ID: bb7dfcbb9b7668d064920e543f2ee97a59a3c71183495b1994f31b68b67a5ed3
Instruction ID: 0c633ed7679663834bfc047448413ef689003df879677da101246363d70b1b80
Opcode Fuzzy Hash: bb7dfcbb9b7668d064920e543f2ee97a59a3c71183495b1994f31b68b67a5ed3
Instruction Fuzzy Hash: 65415EB1504741AFD314DF54DC84FAAB3E8FB88711F048D1DF95693290EB78A909DBA2

Function 2043AC60 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 271stringwindowCOMMON

Download Yara Rule

APIs

strncmp.MSVCR80 ref: 2043AC97
strncmp.MSVCR80 ref: 2043ACA8

Part of subcall function 2043B0D0: memset.MSVCR80 ref: 2043B0DB

memset.MSVCR80 ref: 2043ACE7
malloc.MSVCR80 ref: 2043AE0E
CreateDIBitmap.GDI32(?,?,00000004,?,?,00000000), ref: 2043B04E
free.MSVCR80 ref: 2043B05B
free.MSVCR80 ref: 2043B06D

Strings

, xrefs: 2043AD49
GIF87a, xrefs: 2043AC8D
(, xrefs: 2043AD36
GIF89a, xrefs: 2043ACA2

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: freememsetstrncmp$BitmapCreatemalloc
String ID: $($GIF87a$GIF89a
API String ID: 1939045392-356550005
Opcode ID: 71fa5580beabcd1dabac6851f2e8876cd4e4eda3ac63b9501a9d6b289ff0ad2b
Instruction ID: ef79255f5f6de689009efff0cf3e7f7263fda85f1c023c6d4836178b47eac9f2
Opcode Fuzzy Hash: 71fa5580beabcd1dabac6851f2e8876cd4e4eda3ac63b9501a9d6b289ff0ad2b
Instruction Fuzzy Hash: D4B1D3B05083508BD724EF94C8817AFB3F1AFC9708F14992DEAC547251E779A948CB97

Function 2040EB80 Relevance: 19.5, APIs: 1, Strings: 10, Instructions: 236COMMON

Download Yara Rule

APIs

#1176.MFC80U ref: 2040EE4B

Strings

TiH , xrefs: 2040ED6F
PE_MODULE, xrefs: 2040ED0A
EXCLUDE, xrefs: 2040ED62
BROWSERS, xrefs: 2040EBEA, 2040EC72
SETTINGS, xrefs: 2040EBBC
BROWSER, xrefs: 2040EDBF
PATH, xrefs: 2040ED36, 2040EDE7
PE_MODULES, xrefs: 2040EBD2, 2040EC28, 2040EC4B
APP_FLAGS, xrefs: 2040EE10
@iH , xrefs: 2040ED68

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #1176
String ID: @iH $APP_FLAGS$BROWSER$BROWSERS$EXCLUDE$PATH$PE_MODULE$PE_MODULES$SETTINGS$TiH
API String ID: 1925220103-915843508
Opcode ID: 8098f5034abc53fda062f54d5dafdde4ef46e030ae61e6a9d3936b0f0386461b
Instruction ID: 314205e89080464e6a841eb27309699c97788495f9a784f3d35cc126bff08289
Opcode Fuzzy Hash: 8098f5034abc53fda062f54d5dafdde4ef46e030ae61e6a9d3936b0f0386461b
Instruction Fuzzy Hash: A371A0B06146068BD318CBD6D980B1AB3D7AF50608F05C47DEA49A7342E73DED65CBD2

Function 20468340 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 184windowCOMMON

Download Yara Rule

APIs

Part of subcall function 20420040: #764.MFC80U(?,?,?,20462BF8,A1C94593,?,?,?,00000000,00000000,2047AC89,000000FF,20462A77,?,?,00000000), ref: 20420074

Part of subcall function 2041B640: #764.MFC80U(?,?,?,20462C00,A1C94593,?,?,?,00000000,00000000,2047AC89,000000FF,20462A77,?,?,00000000), ref: 2041B674

Part of subcall function 20412B10: #1176.MFC80U(A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000,2047AC89), ref: 20412B3D
Part of subcall function 20412B10: #764.MFC80U(?,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000), ref: 20412B64
Part of subcall function 20412B10: #764.MFC80U(?,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000), ref: 20412B74
Part of subcall function 20412B10: #764.MFC80U(?,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000), ref: 20412B84
Part of subcall function 20412B10: #764.MFC80U(?,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000), ref: 20412B94
Part of subcall function 20412B10: #764.MFC80U(?,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000), ref: 20412BAD

Part of subcall function 2040F390: #764.MFC80U(?,?,00000000,?,20462C12,00000000,A1C94593,?,?,?,00000000,00000000,2047AC89,000000FF,20462A77,?), ref: 2040F3AF
Part of subcall function 2040F390: #764.MFC80U(?,00000000,?,20462C12,00000000,A1C94593,?,?,?,00000000,00000000,2047AC89,000000FF,20462A77,?), ref: 2040F3C7

EnterCriticalSection.KERNEL32(?,00000000,A1C94593,00000003,-00003AB4,?,?,?,00000000,20481C82,000000FF,204624F9,-00003AB4,?,?,00000000), ref: 204683BA

Part of subcall function 20412B10: #265.MFC80U(00000000,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000), ref: 20412BF3
Part of subcall function 20412B10: memset.MSVCR80 ref: 20412C00

Part of subcall function 2040FCE0: #764.MFC80U(?,A1C94593,?,?,00000000,00000000,00000000,2047F1AF,000000FF,20462C1C,00000000,A1C94593,?,?,?,00000000), ref: 2040FD2D
Part of subcall function 2040FCE0: #764.MFC80U(?,A1C94593,?,?,00000000,00000000,00000000,2047F1AF,000000FF,20462C1C,00000000,A1C94593,?,?,?,00000000), ref: 2040FD3D
Part of subcall function 2040FCE0: #764.MFC80U(?,A1C94593,?,?,00000000,00000000,00000000,2047F1AF,000000FF,20462C1C,00000000,A1C94593,?,?,?,00000000), ref: 2040FD51

LeaveCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,?,?,?,00000000,20481C82,000000FF,204624F9), ref: 20468556
#310.MFC80U(?,?,?,00000000,20481C82,000000FF,204624F9,-00003AB4,?,?,00000000), ref: 20468568
#310.MFC80U(?,?,?,00000000,20481C82,000000FF,204624F9,-00003AB4,?,?,00000000), ref: 2046857A
#4026.MFC80U(000000B7,?,?,?,00000000,20481C82,000000FF,204624F9,-00003AB4,?,?,00000000), ref: 2046858E
#4026.MFC80U(000000B2,?,?,?,00000000,20481C82,000000FF,204624F9,-00003AB4,?,?,00000000), ref: 2046859D
MessageBoxW.USER32(00000000,?,00000001,00000010), ref: 204685B1
#578.MFC80U(?,?,?,00000000,20481C82,000000FF,204624F9,-00003AB4,?,?,00000000), ref: 204685C0

Part of subcall function 20401670: malloc.MSVCR80 ref: 2040169E
Part of subcall function 20401670: malloc.MSVCR80 ref: 204016B0
Part of subcall function 20401670: free.MSVCR80 ref: 204016BD

#578.MFC80U(?,?,?,00000000,20481C82,000000FF,204624F9,-00003AB4,?,?,00000000), ref: 204685D2

Strings

ALL, xrefs: 204684BE
REMOVED, xrefs: 20468499

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764$#310#4026#578CriticalSectionmalloc$#1176#265EnterLeaveMessagefreememset
String ID: ALL$REMOVED
API String ID: 217918462-2702759755
Opcode ID: a013223bbd1a5acbed5b7c5a7ddfba7f9a8956f06be30daa9be0da43713f8b23
Instruction ID: cd4611c72566d2ff1785ef4a9288bc029c4182c3f19a60ae6c62f54ef4cad2ea
Opcode Fuzzy Hash: a013223bbd1a5acbed5b7c5a7ddfba7f9a8956f06be30daa9be0da43713f8b23
Instruction Fuzzy Hash: FB71A4311183448BC725DFA4CC85BDE77A8AF54B18F448A2DFD49A7251EF38AB09CB52

Function 2044BCC0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 181COMMON

Download Yara Rule

APIs

#310.MFC80U(A1C94593,00000060,00000000,?), ref: 2044BD00
#776.MFC80U(20485878), ref: 2044BD1B
_snwprintf_s.MSVCR80 ref: 2044BD6A
_snwprintf_s.MSVCR80 ref: 2044BDB0
#2310.MFC80U(0000005C,0000025D,?,?), ref: 2044BDC5
#2310.MFC80U(0000005C,0000025E,?,?,?,?), ref: 2044BE5B
#578.MFC80U ref: 2044BF17

Strings

%d.%d.%d.%d, xrefs: 2044BD5C, 2044BD9F, 2044BE8C

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2310_snwprintf_s$#310#578#776
String ID: %d.%d.%d.%d
API String ID: 3047567187-3491811756
Opcode ID: 711c0d1743466385d14677d78091ab1b0e3b370ab87f57eda0f6f6fb23002789
Instruction ID: 64d5185aea64a231b12683cea7eaeca9a7e724b78cc2e952a1de70f8f02ff7a7
Opcode Fuzzy Hash: 711c0d1743466385d14677d78091ab1b0e3b370ab87f57eda0f6f6fb23002789
Instruction Fuzzy Hash: 0E7129B5508700DFD324CF65C885F6AB7F5AF89215F008A1EF5DA93390D738AA08DB52

Function 204725C0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 2042C340: #356.MFC80U(A1C94593,00000000,0000000B,?,000000FF,2047EBCB,000000FF,204402AC,0000000B,A1C94593,00000000,00000000,00000104,2047FA81,000000FF,20445D01), ref: 2042C369
Part of subcall function 2042C340: #310.MFC80U(A1C94593,00000000,0000000B,?,000000FF), ref: 2042C3B1
Part of subcall function 2042C340: #563.MFC80U(?,000000FF), ref: 2042C3C2

Part of subcall function 20430DC0: #310.MFC80U(?,A1C94593,00000000,?,00000000,?,2047AE6F,000000FF,20472632,?), ref: 20430DFC
Part of subcall function 20430DC0: #557.MFC80U ref: 20430E0A
Part of subcall function 20430DC0: #310.MFC80U ref: 20430E17
Part of subcall function 20430DC0: #557.MFC80U ref: 20430E25
Part of subcall function 20430DC0: LoadCursorW.USER32(00000000,00007F89), ref: 20430EA4
Part of subcall function 20430DC0: SetRectEmpty.USER32(?), ref: 20430F17

#310.MFC80U(?), ref: 2047263D
#4026.MFC80U(00000134), ref: 20472676
#1925.MFC80U ref: 2047267E

Part of subcall function 2043D740: FindResourceW.KERNEL32(00000000,?,GIF,00000000,?,?,20472692,0000024F), ref: 2043D766
Part of subcall function 2043D740: #1058.MFC80U(?,GIF), ref: 2043D77A

GetDC.USER32(00000000), ref: 2047269D
ReleaseDC.USER32(00000000,00000000), ref: 204726BC
#1271.MFC80U(00000000,00000000,?,?), ref: 204726C7
#1925.MFC80U(00000000,00000000,?,?), ref: 204726D2
GetDC.USER32(00000000), ref: 204726F1
ReleaseDC.USER32(00000000,00000000), ref: 20472714

Part of subcall function 2043AC00: FindResourceW.KERNEL32(00000000,00000251,GIF,?,?,00000000,?,2047270C,00000000), ref: 2043AC0B

#1271.MFC80U(00000000,00000000,00000000,?,?), ref: 20472721

Strings

GIF, xrefs: 20472688, 204726DC

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #310$#1271#1925#557FindReleaseResource$#1058#356#4026#563CursorEmptyLoadRect
String ID: GIF
API String ID: 1177867380-881873598
Opcode ID: b7200a02f795109c7e3eb7b4e087aaed166f4e15dd9ffb2c75fad47bf353b740
Instruction ID: 828355b6802e1fa0bfbb646ce676a9dde5f4986e1d25ae84e4f5a662b53f8f16
Opcode Fuzzy Hash: b7200a02f795109c7e3eb7b4e087aaed166f4e15dd9ffb2c75fad47bf353b740
Instruction Fuzzy Hash: E3410671104B008FC314DBA4CD86B87BBE4ABA4B09F00C93DF95A97390DBBCA9088752

Function 20425A90 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 107windowCOMMON

Download Yara Rule

APIs

#310.MFC80U(A1C94593), ref: 20425AD3
#3756.MFC80U(?), ref: 20425AED
#1472.MFC80U(?,?), ref: 20425B21
#6063.MFC80U(20485878,?), ref: 20425B4D
#6063.MFC80U(20485878,20485878,?), ref: 20425B61
#578.MFC80U ref: 20425B7C
SendMessageW.USER32(?,0000014E,00000001,00000000), ref: 20425BAB
#2311.MFC80U(?,2048587C,?), ref: 20425BDF
#6063.MFC80U(?), ref: 20425BF3
#6063.MFC80U(?,?), ref: 20425C18

Strings

xXH , xrefs: 20425B78

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #6063$#1472#2311#310#3756#578MessageSend
String ID: xXH
API String ID: 2921591435-4004433314
Opcode ID: 20ee8d277595217f224ac11ba57411c7c1efebbf3dd559737b910e1f0afa3dc6
Instruction ID: 7ec89fc532f9ed1773e2f76ecb9491f977f3ba89ceb0169c2ac635186d8c60f8
Opcode Fuzzy Hash: 20ee8d277595217f224ac11ba57411c7c1efebbf3dd559737b910e1f0afa3dc6
Instruction Fuzzy Hash: 8641D2711087459FC724CF54CC90BEBBBE9FB58314F008A2DF959576A1EB38A609CB51

Function 20436BB0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 71windowCOMMON

Download Yara Rule

APIs

#3793.MFC80U(?,?,?), ref: 20436BCD
#2870.MFC80U(00000000,?,00000001,?,?), ref: 20436BE5
PtInRect.USER32(?,?,?), ref: 20436BF4
SendMessageW.USER32(?,00001102,00000003,00000000), ref: 20436C10
GetParent.USER32(?), ref: 20436C16
#2366.MFC80U(00000000), ref: 20436C1D
#2648.MFC80U(00000000), ref: 20436C31
#2648.MFC80U ref: 20436C44
SendMessageW.USER32(?,0000004E,00000000,00000000), ref: 20436C55
#1894.MFC80U(?,?), ref: 20436C59

Strings

n, xrefs: 20436BD2

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2648MessageSend$#1894#2366#2870#3793ParentRect
String ID: n
API String ID: 3451452917-2013832146
Opcode ID: 8e907037b50fc14d0f54713da9c73fca789de84a615d102d6b827bd69ab568b9
Instruction ID: b227bfd30f0165713bd93f83064325098b5a49957d0074c773c577a7dac5abfd
Opcode Fuzzy Hash: 8e907037b50fc14d0f54713da9c73fca789de84a615d102d6b827bd69ab568b9
Instruction Fuzzy Hash: 321166B22047056BC314DBA9CC95E6F77EDBB8CA14F00CA1CF699C7690DA74D9448BA1

Function 20468C10 Relevance: 18.5, APIs: 12, Instructions: 466windowCOMMON

Download Yara Rule

APIs

Part of subcall function 204725C0: #310.MFC80U(?), ref: 2047263D
Part of subcall function 204725C0: #4026.MFC80U(00000134), ref: 20472676
Part of subcall function 204725C0: #1925.MFC80U ref: 2047267E
Part of subcall function 204725C0: GetDC.USER32(00000000), ref: 2047269D
Part of subcall function 204725C0: ReleaseDC.USER32(00000000,00000000), ref: 204726BC
Part of subcall function 204725C0: #1271.MFC80U(00000000,00000000,?,?), ref: 204726C7
Part of subcall function 204725C0: #1925.MFC80U(00000000,00000000,?,?), ref: 204726D2
Part of subcall function 204725C0: GetDC.USER32(00000000), ref: 204726F1
Part of subcall function 204725C0: #1271.MFC80U(00000000,00000000,00000000,?,?), ref: 20472721

Part of subcall function 20468200: EnterCriticalSection.KERNEL32(-00003A84,A1C94593,?,-00003AB4,?,00000000), ref: 20468254
Part of subcall function 20468200: LeaveCriticalSection.KERNEL32(-00003A84,?,00000000), ref: 20468305

#310.MFC80U(?), ref: 20468CD1
#310.MFC80U ref: 20468CE4
#4026.MFC80U(00000271), ref: 20468CFB
#4026.MFC80U(00000270), ref: 20468D0A
MessageBoxW.USER32(?,A1C94593,?,00000040), ref: 20468D1D
#578.MFC80U ref: 20468D2E
#578.MFC80U ref: 20468D40
EnterCriticalSection.KERNEL32(A1C945DB,?,?,00000000,?), ref: 20468E59
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?), ref: 20468ED5
EnterCriticalSection.KERNEL32(?,?,?,00000000,?), ref: 20468EF5
#1176.MFC80U(?), ref: 20468FE9
LeaveCriticalSection.KERNEL32(?,?), ref: 20469322

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: CriticalSection$#310#4026EnterLeave$#1271#1925#578$#1176MessageRelease
String ID:
API String ID: 1322123760-0
Opcode ID: 7078abcdab72a5927a4393b918f6e8bfa50432065ef7b6eb6b3f10c921c9fd8d
Instruction ID: 88d285f7ef9232bd13c2742594fa65263f5fded8ba666aec868e8f2817e94b27
Opcode Fuzzy Hash: 7078abcdab72a5927a4393b918f6e8bfa50432065ef7b6eb6b3f10c921c9fd8d
Instruction Fuzzy Hash: 71226D706087419FC328CF54C884B9EB7E5BFC8718F148A1DE589973A1EB39E945CB92

Function 20456B30 Relevance: 18.2, APIs: 12, Instructions: 183COMMON

Download Yara Rule

APIs

#310.MFC80U(A1C94593), ref: 20456B76
wcsncmp.MSVCR80 ref: 20456BE7
wcsncmp.MSVCR80 ref: 20456C30
GetSystemMetrics.USER32(00000031), ref: 20456C6A
#1079.MFC80U(?,000000FF,?), ref: 20456CAD
DestroyCursor.USER32(?), ref: 20456CC8
#1176.MFC80U ref: 20456CD0
#776.MFC80U(?), ref: 20456CE6
#3873.MFC80U(00000003,00000000,?,00000000,00000000,?,00000000), ref: 20456D08
#5862.MFC80U(00000000,00000000,00000004,00000000,00000000,00000000,00000000,?,00000003,00000000,?,00000000,00000000,?,00000000), ref: 20456D2B
#5742.MFC80U(00000000,?,00000000,00000000,00000004,00000000,00000000,00000000,00000000,?,00000003,00000000,?,00000000,00000000,?), ref: 20456D54
#578.MFC80U ref: 20456D68

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: wcsncmp$#1079#1176#310#3873#5742#578#5862#776CursorDestroyMetricsSystem
String ID:
API String ID: 2983318147-0
Opcode ID: df40070d9e11cebbc4bc20e8484811a6a1918f87f31f53d7c45df4982caf299f
Instruction ID: 0f5dce3006ddcc1ef1741309668cc9dd9b75293bf3990993e7b0e2430c6244d5
Opcode Fuzzy Hash: df40070d9e11cebbc4bc20e8484811a6a1918f87f31f53d7c45df4982caf299f
Instruction Fuzzy Hash: 8B61AC702046409FD325CF58CC85FAABBF4FFA4708F14C92CF5899B2A1DA79A949CB51

Function 2044C310 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

#310.MFC80U ref: 2044C375
#310.MFC80U ref: 2044C383
malloc.MSVCR80 ref: 2044C3C4
memcpy.MSVCR80(00000000,?,?,?), ref: 2044C3DA
malloc.MSVCR80 ref: 2044C418
#5149.MFC80U(00000080), ref: 2044C45A
#5398.MFC80U(000000FF,00000080), ref: 2044C479
#776.MFC80U(?), ref: 2044C490
#314.MFC80U(00000000), ref: 2044C4E9
#4026.MFC80U(0000028A,00000000), ref: 2044C4FB
#4026.MFC80U(-0000028B), ref: 2044C513
#6751.MFC80U(00000000,6C8560B9), ref: 2044C539

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #310#4026malloc$#314#5149#5398#6751#776memcpy
String ID:
API String ID: 1514184627-0
Opcode ID: e0af06da38e8e88c1d8ed24109c85972f927e8b9e46c05c85569cbfc213e785a
Instruction ID: a3871e1fa572c28fd4509d55f6bb605b9d4f9b45c5f3229d0466ee6b1d63206c
Opcode Fuzzy Hash: e0af06da38e8e88c1d8ed24109c85972f927e8b9e46c05c85569cbfc213e785a
Instruction Fuzzy Hash: 8861AD715087809FD710DFA5CC85BAAB7E5FB88704F10C92DFA55832A0DB78A904CF62

Function 204603A0 Relevance: 18.2, APIs: 12, Instructions: 166COMMON

Download Yara Rule

APIs

#310.MFC80U(A1C94593,?,00000000,?,75A85540), ref: 204603E6
#578.MFC80U ref: 20460435
wcsncmp.MSVCR80 ref: 2046047D
GetSystemMetrics.USER32(00000031), ref: 204604B3
#1079.MFC80U(?,000000FF,?,?,?,?,75A85540), ref: 204604F5
DestroyCursor.USER32(?), ref: 20460510
#1176.MFC80U(?,00000000,?,75A85540), ref: 20460518
#776.MFC80U(?,?,00000000,?,75A85540), ref: 2046052E
#3873.MFC80U(00000003,00000000,?,00000000,00000000,?,00000000,?,00000000,?,75A85540), ref: 2046054C
#5862.MFC80U(00000000,00000001,00000003,00000000,?,00000000,00000000,00000000,00000003,00000000,?,00000000,00000000,?,00000000), ref: 20460573
#5862.MFC80U(00000000,00000000,00000004,00000000,00000000,00000000,00000000,?,00000000,00000001,00000003,00000000,?,00000000,00000000,00000000), ref: 2046058F
#5742.MFC80U(00000000,?,00000000,00000000,00000004,00000000,00000000,00000000,00000000,?,00000000,00000001,00000003,00000000,?,00000000), ref: 204605BD

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #5862$#1079#1176#310#3873#5742#578#776CursorDestroyMetricsSystemwcsncmp
String ID:
API String ID: 3302704164-0
Opcode ID: 3af1b515dbe88e41baed38889e6274dd96d1c0b63390f4931c7d397ec4fd712e
Instruction ID: e655a11d792ebcd762c5dd361449a7858fca1bb5e6c4c7b92106669b91eedbf7
Opcode Fuzzy Hash: 3af1b515dbe88e41baed38889e6274dd96d1c0b63390f4931c7d397ec4fd712e
Instruction Fuzzy Hash: 23519D71204200AFD720DF58CC85FABB7E4EB94B18F10852CF55A9B2E1EA74A905CB92

Function 20422830 Relevance: 18.2, APIs: 12, Instructions: 156windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001200,00000000,00000000), ref: 20422860

Part of subcall function 204229E0: #1172.MFC80U(00000002,?,20422877,00000000), ref: 204229EF
Part of subcall function 204229E0: #2297.MFC80U(20422877,00000000), ref: 20422A01

memset.MSVCR80 ref: 20422880
SendMessageW.USER32(?,0000120B,00000000,00000001), ref: 204228A9
#2297.MFC80U ref: 204228CA
#1172.MFC80U(00000002,?), ref: 204228F0
#1172.MFC80U(00000004,?), ref: 204228FF
#2250.MFC80U(?), ref: 20422919
SendMessageW.USER32(?,00001200,00000000,00000000), ref: 2042293A
memset.MSVCR80 ref: 2042294D
#2250.MFC80U(?), ref: 20422982
SendMessageW.USER32(?,0000120C,00000000,00000001), ref: 204229A9
#1172.MFC80U(00000004,?), ref: 204229C5

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #1172MessageSend$#2250#2297memset
String ID:
API String ID: 3378238609-0
Opcode ID: afb921a6bfa35ca6af43e91272ea4f8e23dea9fb3b4ca6c89f579d6df1a2ef5b
Instruction ID: ee6b70ef37af77f9597e7430c461b6aaa80c611ab22c3ef0fc82afac96ed4d41
Opcode Fuzzy Hash: afb921a6bfa35ca6af43e91272ea4f8e23dea9fb3b4ca6c89f579d6df1a2ef5b
Instruction Fuzzy Hash: C651B0B1700701AFD324DF94DD81F5AB3E5AF98B14F008A1CFA85973A1C679E845CB91

Function 204639F0 Relevance: 18.2, APIs: 12, Instructions: 156windowCOMMON

Download Yara Rule

APIs

Part of subcall function 20462D50: #280.MFC80U(?,?,00000001,00000000,00000000), ref: 20462E3B

Part of subcall function 20464070: #764.MFC80U(?,?,20462A82,?,?,00000000,?,?), ref: 2046407B
Part of subcall function 20464070: #764.MFC80U(?,?,20462A82,?,?,00000000,?,?), ref: 20464094
Part of subcall function 20464070: #764.MFC80U(?,?,20462A82,?,?,00000000,?,?), ref: 204640B3
Part of subcall function 20464070: #764.MFC80U(?,?,20462A82,?,?,00000000,?,?), ref: 204640D8
Part of subcall function 20464070: #764.MFC80U(?,?,20462A82,?,?,00000000,?,?), ref: 204640FD
Part of subcall function 20464070: #764.MFC80U(?,?,20462A82,?,?,00000000,?,?), ref: 20464122

LeaveCriticalSection.KERNEL32(A1C945DB,A1C94593,?), ref: 20463AB0
#310.MFC80U(?,?,?), ref: 20463AE1
#310.MFC80U ref: 20463AF4
#4026.MFC80U(0000010A), ref: 20463B0B
#4026.MFC80U(000000B2), ref: 20463B1A
MessageBoxW.USER32(?,?,?,00000010), ref: 20463B30
#578.MFC80U ref: 20463B41
#578.MFC80U ref: 20463B53
#764.MFC80U(?,?,?,?,?), ref: 20463B81
#764.MFC80U(?,?,?,?,?), ref: 20463B9E
#764.MFC80U(?), ref: 20463BE9
#764.MFC80U(?), ref: 20463C06

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764$#310#4026#578$#280CriticalLeaveMessageSection
String ID:
API String ID: 2973313494-0
Opcode ID: 9e43e74d3b180e849e7b8f271b79c6a4d1b3ee825b3198810ae2759cbfd07b9a
Instruction ID: ee1d5e9c90d640d4341dbb6dcc14695c9230ec3ee3bf4f8633e53d7b4d4977cd
Opcode Fuzzy Hash: 9e43e74d3b180e849e7b8f271b79c6a4d1b3ee825b3198810ae2759cbfd07b9a
Instruction Fuzzy Hash: 7E5160B150D3809FD360DF68C885B9BBBE4BF95B14F408E2DF49983291EB399508CB52

Function 20437E40 Relevance: 18.1, APIs: 12, Instructions: 144windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000031,00000000,00000000), ref: 20437E75
#2362.MFC80U(00000000), ref: 20437E7C
SendMessageW.USER32(?,00000030,?,00000001), ref: 20437ED1
GetDC.USER32(?), ref: 20437EDB
#2361.MFC80U(00000000,?,00000000,00000000), ref: 20437EE2
#6735.MFC80U(2048BFA8,00000000,?,00000000,00000000), ref: 20437EF2
GetTextExtentPoint32W.GDI32(?,00000000,?,?), ref: 20437F0E
#578.MFC80U ref: 20437F20
ReleaseDC.USER32(?,?), ref: 20437F2E
#1589.MFC80U(56000000,?,?,00000001), ref: 20437F6F
#4109.MFC80U(00000000,00001037,00000000,56000000,?,?,00000001), ref: 20437F7D
SendMessageW.USER32(?,00000030,?,00000001), ref: 20437F9D

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: MessageSend$#1589#2361#2362#4109#578#6735ExtentPoint32ReleaseText
String ID:
API String ID: 1012144733-0
Opcode ID: e50f7c94212ff6f5d697219102073ff2318caf2ec7eb8580bd8e728f966c0eac
Instruction ID: 3c6159516b36b2f4c95998dc5ab0c2ea471dd7729f0dd008a82ae6d364e421e3
Opcode Fuzzy Hash: e50f7c94212ff6f5d697219102073ff2318caf2ec7eb8580bd8e728f966c0eac
Instruction Fuzzy Hash: F65125B1508701AFD314DFA4C8C4E6AB7E8FB88718F508A2DF59A97650DB78E904CB51

Function 204258D0 Relevance: 18.1, APIs: 12, Instructions: 121windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000147,00000000,00000000), ref: 2042591B
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 20425935
#310.MFC80U ref: 20425963
#2311.MFC80U(?,2048587C,?), ref: 2042597F
#6063.MFC80U(20485878), ref: 2042599F
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 204259B4
#6063.MFC80U(?), ref: 204259DB
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 204259F0
#6063.MFC80U(?), ref: 20425A1D
#578.MFC80U ref: 20425A35
#6063.MFC80U(20485878), ref: 20425A5D
#6063.MFC80U(20485878,20485878), ref: 20425A6D

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #6063$MessageSend$#2311#310#578
String ID:
API String ID: 2015696880-0
Opcode ID: f6d7724b27683941b8b5eada9326c8c590702085192de9e58ad1dd4513675fa0
Instruction ID: 582b9dc04473b64b519ac912cf7b71737fc35bebc9d7e7eb96b471d9d28eae63
Opcode Fuzzy Hash: f6d7724b27683941b8b5eada9326c8c590702085192de9e58ad1dd4513675fa0
Instruction Fuzzy Hash: E74124312483869BD734DF54CC91FDA77A8FB84714F108A2DF9899BAE0DB79A904CB41

Function 204364E0 Relevance: 18.1, APIs: 12, Instructions: 116windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001200,00000000,00000000), ref: 20436504
SendMessageW.USER32(?,0000110A,00000005,00000000), ref: 20436517
GetClientRect.USER32(?,?), ref: 2043652C
#2870.MFC80U(00000000,?,00000001,?,00000000), ref: 20436540
SendMessageW.USER32(?,0000120B), ref: 2043656A

Part of subcall function 20436160: #2872.MFC80U(00000000,00000002,A1C94593,?,00000000,00000000,?), ref: 204361BF
Part of subcall function 20436160: GetSysColor.USER32(00000005), ref: 2043627F
Part of subcall function 20436160: GetSysColor.USER32(0000000E), ref: 2043629B
Part of subcall function 20436160: #2255.MFC80U(?,00000000,?,00000000,00000000,?), ref: 204362A9
Part of subcall function 20436160: GetCurrentObject.GDI32(?,00000006), ref: 204362F1
Part of subcall function 20436160: #2362.MFC80U(00000000,?,00000000,00000000,?), ref: 204362F8

SendMessageW.USER32(?,0000110A,00000006,00000000), ref: 204365A9
GetFocus.USER32 ref: 204365BF
#2366.MFC80U(00000000,?,00000000), ref: 204365C6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 204365DC
#2870.MFC80U(00000000,?,00000001,?,00000000), ref: 204365EC
SendMessageW.USER32(?,00001207,-000000FE,?), ref: 2043660A
DrawFocusRect.USER32(?,?), ref: 20436621

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: MessageSend$#2870ColorFocusRect$#2255#2362#2366#2872ClientCurrentDrawObject
String ID:
API String ID: 1541409541-0
Opcode ID: b40490253f37213525eb9d32132aba65a2ad5db0a5ce1d1269bff6341410bc55
Instruction ID: c517e2def2d85d5d604394ba5021e36b664c3c92d93ee0bf02585ee706479133
Opcode Fuzzy Hash: b40490253f37213525eb9d32132aba65a2ad5db0a5ce1d1269bff6341410bc55
Instruction Fuzzy Hash: A2413EB1604306AFD704DFA4CC85F6BBBA9FB88B05F10891DF68597681DBB5E804CB91

Function 20425720 Relevance: 18.1, APIs: 12, Instructions: 111windowCOMMON

Download Yara Rule

APIs

#4574.MFC80U(A1C94593), ref: 20425755
#310.MFC80U(A1C94593), ref: 20425769
#4026.MFC80U(00000082), ref: 20425781
SendMessageW.USER32(?,0000014A,00000000,?), ref: 20425799
SendMessageW.USER32(?,0000014A,00000001,?), ref: 204257DB
#310.MFC80U ref: 204257FF
SendMessageW.USER32(?,0000014E,00000001,00000000), ref: 2042581D
#2311.MFC80U(?,2048587C,?), ref: 20425846
#6063.MFC80U(?), ref: 2042585A
#6063.MFC80U(?,?), ref: 2042587D
#578.MFC80U ref: 2042588E
#578.MFC80U ref: 204258A3

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: MessageSend$#310#578#6063$#2311#4026#4574
String ID:
API String ID: 3542734806-0
Opcode ID: 78384c6e0946633d7676bbfd93b0f125e38c0116b58ab90867058bc92283b960
Instruction ID: 42403b73f26213ef6e87cd317a585e460af4d5e690aa4c1b2616b82490cc4c81
Opcode Fuzzy Hash: 78384c6e0946633d7676bbfd93b0f125e38c0116b58ab90867058bc92283b960
Instruction Fuzzy Hash: 714113311487419FC724DF10CC94BAB7BE8FB88319F008A2DF959976E0DB39A908CB51

Function 20433F60 Relevance: 18.1, APIs: 12, Instructions: 99windowCOMMON

Download Yara Rule

APIs

#1894.MFC80U ref: 20433F6E
SetCapture.USER32(?), ref: 20433F84
#2366.MFC80U(00000000), ref: 20433F8B
GetFocus.USER32 ref: 20433F90
#2366.MFC80U(00000000), ref: 20433F97
#5829.MFC80U(00000000), ref: 20433FAE
InvalidateRect.USER32(?,?,00000001,?,?,?,00000000), ref: 20433FED
InvalidateRect.USER32(?,?,00000001,?,?,?,00000000), ref: 20433FFA
InvalidateRect.USER32(?,?,00000001,?,?,?,00000000), ref: 20434007
InvalidateRect.USER32(?,?,00000001,?,?,?,?,?,?,00000000), ref: 2043402E
InvalidateRect.USER32(?,?,00000001,?,?,?,?,?,?,00000000), ref: 2043403B
InvalidateRect.USER32(?,?,00000001,?,?,?,?,?,?,00000000), ref: 20434048

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: InvalidateRect$#2366$#1894#5829CaptureFocus
String ID:
API String ID: 1167244330-0
Opcode ID: 068da07438faabc6f6d6ae5bffaeecf7222d5a751c470430f498ef03d4065304
Instruction ID: 7faf8ccecfcd7332bc059641ffefd81bea4cb990eec4ec3de1a958530146c04d
Opcode Fuzzy Hash: 068da07438faabc6f6d6ae5bffaeecf7222d5a751c470430f498ef03d4065304
Instruction Fuzzy Hash: 9B316071204700ABD214DBB5CC85FA7B3E9FBC8704F948A0CF69A97290EA75F905CB61

Function 20401150 Relevance: 16.9, APIs: 5, Strings: 6, Instructions: 355COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCR80 ref: 20401205
_wcsicmp.MSVCR80 ref: 20401230
_wcsicmp.MSVCR80 ref: 2040125C
_wcsicmp.MSVCR80 ref: 204012E1
_wcsicmp.MSVCR80 ref: 204012F2

Strings

<, xrefs: 204014CB
VERSION, xrefs: 2040122A
XML, xrefs: 204011FF
1.0, xrefs: 20401256
ENCODING, xrefs: 204012DB
UTF-8, xrefs: 204012EC

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: _wcsicmp
String ID: 1.0$<$ENCODING$UTF-8$VERSION$XML
API String ID: 2081463915-2306877985
Opcode ID: c7f5506fce8cae5a84be547d077c7318a93c7e49eb3425ea1b743a19214ccfad
Instruction ID: 1d0823a0a285932af6489363e0feb85522811e26584ceb1749aba48eb4484664
Opcode Fuzzy Hash: c7f5506fce8cae5a84be547d077c7318a93c7e49eb3425ea1b743a19214ccfad
Instruction Fuzzy Hash: FDD17E71A083428BD718DFA4C88079A77E6BF84258F40C93DFC95A7761E738DD458B82

Function 2043A480 Relevance: 16.8, APIs: 11, Instructions: 259registryCOMMON

Download Yara Rule

APIs

Part of subcall function 2043A1C0: free.MSVCR80 ref: 2043A200

RegQueryValueExW.ADVAPI32 ref: 2043A504
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 2043A535
malloc.MSVCR80 ref: 2043A566

Part of subcall function 2043D430: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,00000000,2043F01E,00000000,00000001,00000000), ref: 2043D466

RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,?,?,?), ref: 2043A5FB
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?), ref: 2043A639
free.MSVCR80 ref: 2043A652
malloc.MSVCR80 ref: 2043A678
memcpy.MSVCR80(?,?,?,?,?,?,?,?,?), ref: 2043A69B
free.MSVCR80 ref: 2043A6BE
RegQueryValueExW.ADVAPI32 ref: 2043A6F4
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000), ref: 2043A720

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: QueryValue$free$malloc$memcpy
String ID:
API String ID: 236868670-0
Opcode ID: 36469199be2fc4294bb0f29db453580350ffecaf771399cc54a00d94b3cd08aa
Instruction ID: 5a313df643740f4e31eff7ce4a5d45c12dc0293d2de4af8accc6272d7ce1a5ed
Opcode Fuzzy Hash: 36469199be2fc4294bb0f29db453580350ffecaf771399cc54a00d94b3cd08aa
Instruction Fuzzy Hash: 50914A71644306AFD300DFA5C884B6BB7E8BF88704F14891EF59987341E778E969CB92

Function 204026D0 Relevance: 16.7, APIs: 11, Instructions: 240COMMON

Download Yara Rule

APIs

Part of subcall function 20402090: _wcsicmp.MSVCR80 ref: 204020FE

_wcsicmp.MSVCR80 ref: 204027EA
realloc.MSVCR80 ref: 20402824
_wcsicmp.MSVCR80 ref: 20402877
free.MSVCR80 ref: 204028E5
free.MSVCR80 ref: 204028F8
free.MSVCR80 ref: 20402927
free.MSVCR80 ref: 20402936
free.MSVCR80 ref: 2040294C
free.MSVCR80 ref: 20402981
free.MSVCR80 ref: 20402990
free.MSVCR80 ref: 204029A2

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: free$_wcsicmp$realloc
String ID:
API String ID: 2732086526-0
Opcode ID: c31a5d5e8833dbd2c4ad275c96db9c2fd158b6a8639ebb0e1260efbe0684881c
Instruction ID: 510f4b816378c81cdf23e68cf9a9b2965e75cf173a2ffd1b7ce18075a4390d9e
Opcode Fuzzy Hash: c31a5d5e8833dbd2c4ad275c96db9c2fd158b6a8639ebb0e1260efbe0684881c
Instruction Fuzzy Hash: F28180B55083859BD304DF95C980B2BBBE9BF84714F048A3DFD9593390E7B9E9048B92

Function 204461C0 Relevance: 16.7, APIs: 11, Instructions: 166COMMON

Download Yara Rule

APIs

#314.MFC80U(00000000,A1C94593), ref: 204461F8
#4026.MFC80U(000001DF), ref: 204462CE
#4026.MFC80U(000001E1), ref: 204462E8
#4026.MFC80U(000001E2), ref: 204462FB
#4026.MFC80U(0000006B), ref: 20446321
#4026.MFC80U(0000006C), ref: 2044632F
#4026.MFC80U(0000006D), ref: 20446375
#4026.MFC80U(0000006E), ref: 20446387
#4026.MFC80U(000001E3), ref: 204463D2
#4026.MFC80U(000001E8), ref: 204463E5
#6751.MFC80U(00000000,?), ref: 2044641A

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #4026$#314#6751
String ID:
API String ID: 624441723-0
Opcode ID: 7639eca9ec8cf7fa67a00069b6f69e1fb63530fbf32c397b7fdbab8c2ed0f492
Instruction ID: a9490e028f835bd30253005466e77ed39ab977ce8c7d87d1f14cffa540b6269b
Opcode Fuzzy Hash: 7639eca9ec8cf7fa67a00069b6f69e1fb63530fbf32c397b7fdbab8c2ed0f492
Instruction Fuzzy Hash: F161E571A48B42AFD318CF68C884B9AF7E1FB84314F10C62DE55647790DB39E909DB52

Function 20461690 Relevance: 16.7, APIs: 11, Instructions: 153COMMON

Download Yara Rule

APIs

#310.MFC80U(A1C94593,?,00000000,?,75A85540), ref: 204616D6
#578.MFC80U ref: 20461721
wcsncmp.MSVCR80 ref: 20461769
GetSystemMetrics.USER32(00000031), ref: 2046179F
#1079.MFC80U(?,000000FF,?,?,?,?,75A85540), ref: 204617E2
DestroyCursor.USER32(?), ref: 204617FB
#1176.MFC80U(?,00000000,?,75A85540), ref: 20461803
#776.MFC80U(?,?,00000000,?,75A85540), ref: 20461819
#3873.MFC80U(00000003,00000000,?,00000000,00000000,00000000,00000000,?,00000000,?,75A85540), ref: 20461837
#5862.MFC80U(00000000,00000000,00000004,00000000,00000000,00000000,00000000,?,00000003,00000000,?,00000000,00000000,00000000,00000000), ref: 2046185E
#5742.MFC80U(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000000,00000000,?,00000003,00000000,?,00000000,00000000,00000000), ref: 20461888

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #1079#1176#310#3873#5742#578#5862#776CursorDestroyMetricsSystemwcsncmp
String ID:
API String ID: 3476607945-0
Opcode ID: c3c9437011b63458bf720ad2ca5c69a012f88d62e895b64de5979d9264fff577
Instruction ID: c609bfa9d73d1ddc3338c9e3a7b4b4835114118346bc65253926fe962d1c947b
Opcode Fuzzy Hash: c3c9437011b63458bf720ad2ca5c69a012f88d62e895b64de5979d9264fff577
Instruction Fuzzy Hash: 2751BF716042009FD320DFA8CC89FAA77E4FB84B05F15852DF50A9B2E1EB78AC04CB91

Function 2042FCB0 Relevance: 16.6, APIs: 11, Instructions: 98COMMON

Download Yara Rule

APIs

CopyRect.USER32(?,?), ref: 2042FCE3
GetSysColor.USER32(00000010), ref: 2042FD0A
#502.MFC80U(00000000,00000001,00000000,?,?,?,?), ref: 2042FD19
#5638.MFC80U(?), ref: 2042FD2D
#4117.MFC80U(?,?,?,?), ref: 2042FD3B
#3995.MFC80U(?,?,?,?,?,?), ref: 2042FD46
GetSysColor.USER32(00000014), ref: 2042FD55
#502.MFC80U(00000000,00000001,00000000), ref: 2042FD64
#5638.MFC80U(?,00000000,00000001,00000000), ref: 2042FD75
#4117.MFC80U(?,?,?,?,00000000,00000001,00000000), ref: 2042FD83
#3995.MFC80U(00000001,?,?,?,?,?,00000000,00000001,00000000), ref: 2042FD90

Part of subcall function 20414A70: #1925.MFC80U(A1C94593,?,?,?,00000000,2047B9E9,000000FF), ref: 20414AB9

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #3995#4117#502#5638Color$#1925CopyRect
String ID:
API String ID: 808909417-0
Opcode ID: d5369b7e757a126f934308db32a224220a0138f8980baaedaffd951340689f7c
Instruction ID: e14f29e5b98e428c45963c121036ff52c7d2d09c527758921efcaa37d713eb00
Opcode Fuzzy Hash: d5369b7e757a126f934308db32a224220a0138f8980baaedaffd951340689f7c
Instruction Fuzzy Hash: EE316271148380AFC300DF94C841BAFBBE8FB98B58F008A1DF545976A0DBB99908C752

Function 2042C5B0 Relevance: 16.6, APIs: 11, Instructions: 82windowCOMMON

Download Yara Rule

APIs

#4574.MFC80U(?,?,?,00000000,00000000,A1C94593), ref: 2042C5B9
GetWindowRect.USER32(?,?), ref: 2042C5C7
#6063.MFC80U(?,?,?,?,00000000,00000000,A1C94593), ref: 2042C5E7
SendMessageW.USER32(?,00000401,00000001,00000000), ref: 2042C61C
GetNextDlgTabItem.USER32(?,00000000,00000000), ref: 2042C630
#2366.MFC80U(00000000,?,00000000,?,?,?,00000000,00000000,A1C94593), ref: 2042C633
#2648.MFC80U(00000000,?,00000000,?,?,?,00000000,00000000,A1C94593), ref: 2042C642
#1005.MFC80U(00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000,A1C94593), ref: 2042C65C
GetNextDlgTabItem.USER32(?,?,00000000), ref: 2042C66B
#2366.MFC80U(00000000,?,00000000,?,?,?,00000000,00000000,A1C94593), ref: 2042C66E
SetForegroundWindow.USER32(?), ref: 2042C681

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2366ItemNextWindow$#1005#2648#4574#6063ForegroundMessageRectSend
String ID:
API String ID: 1497975009-0
Opcode ID: 268c60eebd982fa3f4b46541aedd3ff19783a7c4c468af2f59a84b9d4125b4fd
Instruction ID: 4d4ed609ef2d3e0d73337d0b3a77375e0715c24aa2a2a879cd85335ae41d2d06
Opcode Fuzzy Hash: 268c60eebd982fa3f4b46541aedd3ff19783a7c4c468af2f59a84b9d4125b4fd
Instruction Fuzzy Hash: 5C219C71740A01AFD6149BB4CC85FAAB3A8BB44A04F00CA18FA1497690DB78F9158BA4

Function 20455200 Relevance: 16.5, APIs: 11, Instructions: 45COMMON

Download Yara Rule

APIs

#6232.MFC80U(00000001,?,2045509B,00000000), ref: 20455205
#2651.MFC80U(000004DD,?,00000001,?,2045509B,00000000), ref: 20455218
#2155.MFC80U(000004DD,?,00000001,?,2045509B,00000000), ref: 2045521F
#2651.MFC80U(00000418,?,000004DD,?,00000001,?,2045509B,00000000), ref: 20455232
#2155.MFC80U(00000418,?,000004DD,?,00000001,?,2045509B,00000000), ref: 20455239
#2651.MFC80U(00000419,?,00000418,?,000004DD,?,00000001,?,2045509B,00000000), ref: 2045524C
#2155.MFC80U(00000419,?,00000418,?,000004DD,?,00000001,?,2045509B,00000000), ref: 20455253
#2651.MFC80U(000004DE,00000419,?,00000418,?,000004DD,?,00000001,?,2045509B,00000000), ref: 2045525F
#2155.MFC80U(?,000004DE,00000419,?,00000418,?,000004DD,?,00000001,?,2045509B,00000000), ref: 20455271
#2651.MFC80U(000004E0,000004DE,00000419,?,00000418,?,000004DD,?,00000001,?,2045509B,00000000), ref: 2045527D
#2155.MFC80U(?,000004E0,000004DE,00000419,?,00000418,?,000004DD,?,00000001,?,2045509B,00000000), ref: 2045528F

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2155#2651$#6232
String ID:
API String ID: 793604035-0
Opcode ID: 32b24fc6810e55448ecad773b48f44faf7bf5a8371575952047a1bcdeaf18501
Instruction ID: d9462817ed0175571ba0e8da9ac5a690567f16914b54dad8b74cc5d71aa63388
Opcode Fuzzy Hash: 32b24fc6810e55448ecad773b48f44faf7bf5a8371575952047a1bcdeaf18501
Instruction Fuzzy Hash: F6F031703806145BDD1993F05923BFF22AA8BA5F08F80C52C73465FAE0DD7C9D4283A5

Function 204119E0 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 206COMMON

Download Yara Rule

APIs

#764.MFC80U(?), ref: 20411B95

Strings

GROUP, xrefs: 20411A62, 20411BB4, 20411C09, 20411C3A
GROUPNAME, xrefs: 20411AA5, 20411ADA
DESC, xrefs: 20411B04, 20411B34
OPTION_GROUPS, xrefs: 20411A44

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764
String ID: DESC$GROUP$GROUPNAME$OPTION_GROUPS
API String ID: 441403673-1081468104
Opcode ID: 5caa866b5bec255260ff46eacaaadd1735a882438c88b8a4e964155054608e62
Instruction ID: 3bf162d876ada341dd8acd80099372fd476f95245a112324419e4c9907aadb9c
Opcode Fuzzy Hash: 5caa866b5bec255260ff46eacaaadd1735a882438c88b8a4e964155054608e62
Instruction Fuzzy Hash: 817192714083459BC320DFA4CC81F9BF7E8EF94658F408E2DF58992251E739E689CB92

Function 2043A250 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 191COMMON

Download Yara Rule

APIs

swprintf_s.MSVCR80 ref: 2043A2E4
swprintf_s.MSVCR80 ref: 2043A3A1

Strings

NODE;NAME=%s;TYPE=STRING, xrefs: 2043A2D5
VALUE, xrefs: 2043A33F, 2043A444
DELETE, xrefs: 2043A296
NODE;NAME=%s;TYPE=DWORD, xrefs: 2043A40D
NODE;NAME=%s;TYPE=BINARY, xrefs: 2043A392
xXH , xrefs: 2043A30E

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: swprintf_s
String ID: DELETE$NODE;NAME=%s;TYPE=BINARY$NODE;NAME=%s;TYPE=DWORD$NODE;NAME=%s;TYPE=STRING$VALUE$xXH
API String ID: 3896565401-115358340
Opcode ID: 5c7fc1777b5df919b25d2c8d4360ef07eecc68e31c29cbc3e4a9f56370462f45
Instruction ID: eb93d34df94da4c78f8e7e54604ab15d5e5f00135a11c63df88e6c2d678df026
Opcode Fuzzy Hash: 5c7fc1777b5df919b25d2c8d4360ef07eecc68e31c29cbc3e4a9f56370462f45
Instruction Fuzzy Hash: AB51A1B1640205AFD714DF94CC81BABB3AAFFD8604F10842DFD058B342DA79EE558BA1

Function 204416A0 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 180COMMON

Download Yara Rule

APIs

Part of subcall function 20401670: malloc.MSVCR80 ref: 2040169E
Part of subcall function 20401670: malloc.MSVCR80 ref: 204016B0
Part of subcall function 20401670: free.MSVCR80 ref: 204016BD

malloc.MSVCR80 ref: 2044183E
free.MSVCR80 ref: 2044188C
#1176.MFC80U(?,A1C9462F,-00003AB4,00000000), ref: 204418AC
free.MSVCR80 ref: 204418B6

Strings

RULE, xrefs: 20441723
<?xml version="1.0" encoding="utf-8"?>, xrefs: 204417F4
<?xml version="1.0"?>, xrefs: 204417ED
ZONE, xrefs: 20441783
REMOVED, xrefs: 204416FC

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: freemalloc$#1176
String ID: <?xml version="1.0" encoding="utf-8"?>$<?xml version="1.0"?>$REMOVED$RULE$ZONE
API String ID: 4268895495-836254500
Opcode ID: e7cd42a809f30050df726940a87ca4e810be6a939bacf1d33c9071cf72ae487f
Instruction ID: 9f0b7d97f9eb5a94f0670fd3c6cc8665c0975a643be5f1e627de16da5e0c2e04
Opcode Fuzzy Hash: e7cd42a809f30050df726940a87ca4e810be6a939bacf1d33c9071cf72ae487f
Instruction Fuzzy Hash: 0951D4B1E007009BE310AF95D881B1BB3E6AF94648F14C93DF949A7361E739ED45C792

Function 20455DC0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

#310.MFC80U(A1C94593,?,?,?,00000000,?,?,?,?,?,?,?,00000000,A1C94593), ref: 20455DEB
#764.MFC80U(?,?), ref: 20455EA1
#265.MFC80U(00000000,?,?,00000000,?,?,?,?,?,?,?,00000000,A1C94593), ref: 20455EE5
wcscpy_s.MSVCR80 ref: 20455F16
wcsncpy_s.MSVCR80 ref: 20455F28
#764.MFC80U(?,?), ref: 20455F6F
#578.MFC80U ref: 20455FA6
#1176.MFC80U(?,?,?,00000000,?,?,?,?,?,?,?,00000000,A1C94593), ref: 20455FC2

Part of subcall function 20464370: #310.MFC80U(A1C94593,?,?,?,?), ref: 204643C1
Part of subcall function 20464370: #310.MFC80U ref: 204643D6
Part of subcall function 20464370: #776.MFC80U(?), ref: 204643F5
Part of subcall function 20464370: #578.MFC80U ref: 20464782
Part of subcall function 20464370: #578.MFC80U ref: 20464797

Part of subcall function 2040E760: #764.MFC80U(000000FF,?,?,2040F2C9,?), ref: 2040E7A2
Part of subcall function 2040E760: #265.MFC80U(00000000,?,?,?,2040F2C9,?), ref: 2040E7E4

Strings

, xrefs: 20455F85

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #310#578#764$#265$#1176#776wcscpy_swcsncpy_s
String ID:
API String ID: 3470009779-3916222277
Opcode ID: c17d74e14d23b0267385888c91c65e9388fc123ff68b39543be46123bcf6997a
Instruction ID: b1d30187408b73940ea762bb02ff348248dda659718feac6957b8044c00cc79c
Opcode Fuzzy Hash: c17d74e14d23b0267385888c91c65e9388fc123ff68b39543be46123bcf6997a
Instruction Fuzzy Hash: 1F519C725082019FC310CF99C895A6BFBF5FF99708F458A2DF58997251D739EA08CB82

Function 20436680 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

#3793.MFC80U(?,?,?), ref: 2043669D
#2870.MFC80U(00000000,?,00000001,?,?,?), ref: 204366B9
SendMessageW.USER32(?,00001108,00000000,00000000), ref: 204366D1
#2364.MFC80U(00000000), ref: 204366D4
#1079.MFC80U(?,?,00000000), ref: 204366E6

Part of subcall function 204359A0: #1079.MFC80U(?,A1C94593), ref: 204359DB
Part of subcall function 204359A0: #6749.MFC80U(?,?,A1C94593), ref: 204359E7

SendMessageW.USER32(?,00001108,00000002,00000000), ref: 20436712
#2364.MFC80U(00000000), ref: 20436715
#1079.MFC80U(?,?,00000000), ref: 20436727

Strings

F, xrefs: 204366A2

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #1079$#2364MessageSend$#2870#3793#6749
String ID: F
API String ID: 2991566221-1304234792
Opcode ID: b0febab9a186303612cc836f932a8f5a4e86fbd80f5503988fade0af5c6a8c80
Instruction ID: a57e960a392a3614f539fb0410070a3646e4a01412dfdebd22928052e10d9277
Opcode Fuzzy Hash: b0febab9a186303612cc836f932a8f5a4e86fbd80f5503988fade0af5c6a8c80
Instruction Fuzzy Hash: BA316BB16043019FD304CF68C985E6AB7E9AFD8728F11C65DF9598B2A1DB74EC04CBA1

Function 2040F4C0 Relevance: 15.2, APIs: 10, Instructions: 249COMMON

Download Yara Rule

APIs

#764.MFC80U(?,A1C94593,20462D01,?,?,20462D02,00000000,2047F1AF,000000FF,2040F2B9), ref: 2040F50D
#764.MFC80U(?,A1C94593,20462D01,?,?,20462D02,00000000,2047F1AF,000000FF,2040F2B9), ref: 2040F524

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764
String ID:
API String ID: 441403673-0
Opcode ID: 0808462cedbabd20b5884375498f88a71f44ad62655173eaff27d5a7e5eb23c8
Instruction ID: fb1f7dcdb237026851db330bbe5e016a424827fed1d1daf3b3ce9def077ef7e9
Opcode Fuzzy Hash: 0808462cedbabd20b5884375498f88a71f44ad62655173eaff27d5a7e5eb23c8
Instruction Fuzzy Hash: E391C0B16007058FC318CFAAC984A16B7E6FF80A04F45CA3DE16597B62EB39F905CB55

Function 2040FCE0 Relevance: 15.2, APIs: 10, Instructions: 238COMMON

Download Yara Rule

APIs

#764.MFC80U(?,A1C94593,?,?,00000000,00000000,00000000,2047F1AF,000000FF,20462C1C,00000000,A1C94593,?,?,?,00000000), ref: 2040FD2D
#764.MFC80U(?,A1C94593,?,?,00000000,00000000,00000000,2047F1AF,000000FF,20462C1C,00000000,A1C94593,?,?,?,00000000), ref: 2040FD3D
#764.MFC80U(?,A1C94593,?,?,00000000,00000000,00000000,2047F1AF,000000FF,20462C1C,00000000,A1C94593,?,?,?,00000000), ref: 2040FD51

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764
String ID:
API String ID: 441403673-0
Opcode ID: 0de0c594c89703949700b21e89ff34eb91559637fc9680df67ca391849712aa0
Instruction ID: fdd57cf25368fd12ac0ddc96e475a35c4369463dd417ef0d554794686523e5e5
Opcode Fuzzy Hash: 0de0c594c89703949700b21e89ff34eb91559637fc9680df67ca391849712aa0
Instruction Fuzzy Hash: F281AFB16006069BC718DFA4C880B6AB3A2FF44618F14CB3DE41A97B51E739F916CBC1

Function 204316C0 Relevance: 15.2, APIs: 10, Instructions: 171COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 204316D3
SetRectEmpty.USER32(?), ref: 204316DA
SetRectEmpty.USER32(?), ref: 204316DD
CopyRect.USER32(?,?), ref: 20431721
CopyRect.USER32(?,?), ref: 2043172F
SetRect.USER32(?,?,?,?,?), ref: 20431777
#1176.MFC80U(?,?,?,?,20432F06,?,?,?,00000000), ref: 204317A2
PtInRect.USER32(?,?,?), ref: 204317F9
PtInRect.USER32(?,?,?), ref: 20431806
PtInRect.USER32(?,?,?), ref: 20431813

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: Rect$Empty$Copy$#1176
String ID:
API String ID: 3074543335-0
Opcode ID: ee704bc4c26287894365f49b23ae69fd390b09f900afee5ad19f807f09f047d3
Instruction ID: 6425a5c70b000b646e18035584e1580514c672a8c1e379eec86ee53e247cd090
Opcode Fuzzy Hash: ee704bc4c26287894365f49b23ae69fd390b09f900afee5ad19f807f09f047d3
Instruction Fuzzy Hash: F45147B69093059FC304DF55C88095BF7E8FFC8664F148A2EF99993350C735E9058BA2

Function 20469E30 Relevance: 15.1, APIs: 10, Instructions: 121COMMON

Download Yara Rule

APIs

#310.MFC80U(A1C94593,00000000,00000000,?,00000002), ref: 20469E81
memset.MSVCR80 ref: 20469EB3
#4026.MFC80U(00000170,?,?,00000002), ref: 20469EE2
#4026.MFC80U(00000171,?,?,00000002), ref: 20469EF8
#4026.MFC80U(00000172,?,?,00000002), ref: 20469F0E
wcscpy_s.MSVCR80 ref: 20469F61
wcsncpy_s.MSVCR80 ref: 20469F7C
#578.MFC80U ref: 20469FC3

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #4026$#310#578memsetwcscpy_swcsncpy_s
String ID:
API String ID: 1548130533-0
Opcode ID: 198cb95a2910506c245898bd1bd57b4bd8ddbdd15f9fe754787f7c2b5f8f345f
Instruction ID: bb346622b5a8a8770558921c07e868177cbea9a1ef5e3f1b0b27346f9bcdab0d
Opcode Fuzzy Hash: 198cb95a2910506c245898bd1bd57b4bd8ddbdd15f9fe754787f7c2b5f8f345f
Instruction Fuzzy Hash: 6641B6B150C341ABD324DF94CC89B9BB7E8FB88755F11892DF58993290E77C9904CB52

Function 204611D0 Relevance: 15.1, APIs: 10, Instructions: 102windowCOMMON

Download Yara Rule

APIs

#516.MFC80U(00000258,00000000,00000038,A1C94593,00000000,-00003AB4,?,?,2047DA78,000000FF,204708E1,?,?,?,?,?), ref: 20461202

Part of subcall function 20421B70: #572.MFC80U(A1C94593,?,?,2047A038,000000FF,2042055C,?,A1C94593,00000000,?,00000000,2047CF55,000000FF,204132FB,00000000), ref: 20421B97

#416.MFC80U(?,?,00000004,00000002,6C854310,6C8560B9,00000258,00000000,00000038,A1C94593,00000000,-00003AB4,?,?,2047DA78,000000FF), ref: 20461250

Part of subcall function 2045CF80: #530.MFC80U(A1C94593,00000222,000000FF,00000000,2047A55B,000000FF,2045D5C1,000001EB,00000193,000000FF,?,A1C94593,?,?,?,2047BED4), ref: 2045CFB1
Part of subcall function 2045CF80: #6003.MFC80U(00000000,000000FF,A1C94593,00000222,000000FF,00000000,2047A55B,000000FF,2045D5C1,000001EB,00000193,000000FF,?,A1C94593), ref: 2045CFCD

Part of subcall function 20430DC0: #310.MFC80U(?,A1C94593,00000000,?,00000000,?,2047AE6F,000000FF,20472632,?), ref: 20430DFC
Part of subcall function 20430DC0: #557.MFC80U ref: 20430E0A
Part of subcall function 20430DC0: #310.MFC80U ref: 20430E17
Part of subcall function 20430DC0: #557.MFC80U ref: 20430E25
Part of subcall function 20430DC0: LoadCursorW.USER32(00000000,00007F89), ref: 20430EA4
Part of subcall function 20430DC0: SetRectEmpty.USER32(?), ref: 20430F17

GetSystemMetrics.USER32(00000032), ref: 204612B9
GetSystemMetrics.USER32(00000031), ref: 204612BE
#1555.MFC80U(00000000,?,?,?,204810D4,000000FF,2046250A,?,-00003AB4,?,-00003AB4,?,?,00000000), ref: 204612C3
GetSysColor.USER32(00000005), ref: 204612CA
#1079.MFC80U(?,00000000,?,?,?,204810D4,000000FF,2046250A,?,-00003AB4,?,-00003AB4,?,?,00000000), ref: 204612D8

Part of subcall function 20427250: #1079.MFC80U(?,A1C94593), ref: 2042728B
Part of subcall function 20427250: #6749.MFC80U(?,?,A1C94593), ref: 20427297

LoadIconW.USER32(00000000,00007F00), ref: 204612F1
#1079.MFC80U(?,000000FF,00000000,?,?,?,204810D4,000000FF,2046250A,?,-00003AB4,?,-00003AB4,?,?,00000000), ref: 20461307

Part of subcall function 204353D0: #1079.MFC80U(?,A1C94593), ref: 2043540B
Part of subcall function 204353D0: #6749.MFC80U(?,?,A1C94593), ref: 20435417
Part of subcall function 204353D0: #1176.MFC80U(?,?,A1C94593), ref: 20435444

DestroyCursor.USER32(00000000), ref: 2046131A

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #1079$#310#557#6749CursorLoadMetricsSystem$#1176#1555#416#516#530#572#6003ColorDestroyEmptyIconRect
String ID:
API String ID: 2674052439-0
Opcode ID: 6c3ad7c6844278bfe69c59069823307c7561817536c503d72985468cfee20c1e
Instruction ID: 60706b079a469166a33850902dd76e6fd3e2fd33c4e96a0a9432f240cfdcbeb6
Opcode Fuzzy Hash: 6c3ad7c6844278bfe69c59069823307c7561817536c503d72985468cfee20c1e
Instruction Fuzzy Hash: 9B41F8702487419FD310DBB4CC45FAB7BE8AB95B48F00891CF295972D1DF786508C7A2

Function 20424290 Relevance: 15.1, APIs: 10, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000147,00000000,00000000), ref: 204242E9
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 20424303
#310.MFC80U ref: 20424331
#2311.MFC80U(?,2048587C,?), ref: 2042434D
#6063.MFC80U(?), ref: 20424361
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 20424376
#6063.MFC80U(?), ref: 204243A3
#578.MFC80U ref: 204243B7
#6063.MFC80U(20485878), ref: 204243CA
#6063.MFC80U(20485878,20485878), ref: 204243DA

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #6063$MessageSend$#2311#310#578
String ID:
API String ID: 2015696880-0
Opcode ID: 447ab1278b4aef991080f4fe1f8f17b9d9c23f78e00517a53a2437dfbeeb8acc
Instruction ID: 533cb2f4fa421d0b21f496b9031ee3f598897521844714d2ed33fa21755c82f0
Opcode Fuzzy Hash: 447ab1278b4aef991080f4fe1f8f17b9d9c23f78e00517a53a2437dfbeeb8acc
Instruction Fuzzy Hash: 0D31FE712082859BD734DF64CC81FDA77A8FB84714F108A2CF9996B6E1DB78AA04CB41

Function 20424D60 Relevance: 15.1, APIs: 10, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000147,00000000,00000000), ref: 20424DBF
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 20424DD9
#310.MFC80U ref: 20424E07
#2311.MFC80U(?,2048587C,?), ref: 20424E23
#6063.MFC80U(?), ref: 20424E37
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 20424E4C
#6063.MFC80U(?), ref: 20424E79
#578.MFC80U ref: 20424E8D
#6063.MFC80U(20485878), ref: 20424EA0
#6063.MFC80U(20485878,20485878), ref: 20424EB0

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #6063$MessageSend$#2311#310#578
String ID:
API String ID: 2015696880-0
Opcode ID: 12ec6e357741f612d219a2ba16293cc838421ccef7c7c8107f3ccfdece8e47a5
Instruction ID: 89d52809d9a14359d67d6ded87461b4adf0d1e0f6513ed5cbe667fd8efaedc71
Opcode Fuzzy Hash: 12ec6e357741f612d219a2ba16293cc838421ccef7c7c8107f3ccfdece8e47a5
Instruction Fuzzy Hash: D631D2712082859BE724DF54CC81FDA77A9FB84714F008A2DF9496B6E0DB78AA05CB51

Function 20424EE0 Relevance: 15.1, APIs: 10, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000147,00000000,00000000), ref: 20424F3F
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 20424F59
#310.MFC80U ref: 20424F87
#2311.MFC80U(?,2048587C,?), ref: 20424FA3
#6063.MFC80U(?), ref: 20424FB7
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 20424FCC
#6063.MFC80U(?), ref: 20424FF9
#578.MFC80U ref: 2042500D
#6063.MFC80U(20485878), ref: 20425020
#6063.MFC80U(20485878,20485878), ref: 20425030

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #6063$MessageSend$#2311#310#578
String ID:
API String ID: 2015696880-0
Opcode ID: 14f1f0fcab9bc9b5c70a4e5ae6aa5f785e57cda8b9646d192caa1a601cd87455
Instruction ID: 072dcf0d97579acd5ff3c96ee20a3bddb1ae043b046fb552480c49fb4609d388
Opcode Fuzzy Hash: 14f1f0fcab9bc9b5c70a4e5ae6aa5f785e57cda8b9646d192caa1a601cd87455
Instruction Fuzzy Hash: D531EE712082859FD730DF64CC91FDA77A8FB84714F008A2CF9895B6D0DB78AA04CB82

Function 20462A10 Relevance: 15.1, APIs: 10, Instructions: 96windowCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,A1C94593,?,?,?,?), ref: 20462A3F
#280.MFC80U(?,?,00000000,?,?), ref: 20462A55

Part of subcall function 20462BC0: #2461.MFC80U(00000000,A1C94593,?,?,?,00000000,00000000,2047AC89,000000FF,20462A77,?,?,00000000,?,?), ref: 20462C27
Part of subcall function 20462BC0: #578.MFC80U ref: 20462C6E

LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 20462AD0
#310.MFC80U(?,00000000,?,?), ref: 20462ADE
#310.MFC80U(?,00000000,?,?), ref: 20462AF0
#4026.MFC80U(000000B7,?,00000000,?,?), ref: 20462B04
#4026.MFC80U(000000B2,?,00000000,?,?), ref: 20462B13
MessageBoxW.USER32(00000000,?,?,00000010), ref: 20462B2A
#578.MFC80U(?,00000000,?,?), ref: 20462B39
#578.MFC80U(?,00000000,?,?), ref: 20462B4B

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #578$#310#4026CriticalSection$#2461#280EnterLeaveMessage
String ID:
API String ID: 2040390599-0
Opcode ID: d1b394b6afb7cd036319fbe9f8089974728a8d545961154ede2f0d74acfe459a
Instruction ID: 7f7c7edbce6c7c3cccd2b4e9f3a8d610b0c3661ec1a5eaa841b80973db8cca01
Opcode Fuzzy Hash: d1b394b6afb7cd036319fbe9f8089974728a8d545961154ede2f0d74acfe459a
Instruction Fuzzy Hash: 6A3185B5118B00AFC310DF64CC85B9BB7E8FF54B15F008E2DF55692290DB39A509CB62

Function 20426DF0 Relevance: 15.1, APIs: 10, Instructions: 96windowCOMMON

Download Yara Rule

APIs

Part of subcall function 204660B0: #310.MFC80U(A1C94593,?,?,?), ref: 2046611E
Part of subcall function 204660B0: #310.MFC80U ref: 20466133
Part of subcall function 204660B0: #776.MFC80U(20485878), ref: 2046614A
Part of subcall function 204660B0: #776.MFC80U(20485878), ref: 20466159
Part of subcall function 204660B0: #4026.MFC80U(00000084), ref: 20466168
Part of subcall function 204660B0: #4026.MFC80U(000000A2,?), ref: 20466183
Part of subcall function 204660B0: #896.MFC80U(?), ref: 20466192
Part of subcall function 204660B0: #899.MFC80U(204924A8), ref: 204661A1
Part of subcall function 204660B0: #4026.MFC80U(000000EF), ref: 204661F5
Part of subcall function 204660B0: #896.MFC80U(?), ref: 20466204
Part of subcall function 204660B0: #899.MFC80U( ), ref: 20466213
Part of subcall function 204660B0: #4026.MFC80U(000000A3), ref: 20466222
Part of subcall function 204660B0: #896.MFC80U(?), ref: 20466231
Part of subcall function 204660B0: #899.MFC80U(204924A8), ref: 20466240
Part of subcall function 204660B0: #4026.MFC80U(000000EF), ref: 20466293
Part of subcall function 204660B0: #896.MFC80U(?), ref: 204662A2

SendMessageW.USER32(?,00000031,00000000,00000000), ref: 20426E28
#2362.MFC80U(00000000,?,?,?,20426D14,?,?,?,?,00000001,?,?), ref: 20426E2B
#2788.MFC80U(00000000,?,?,?,20426D14,?,?,?,?,00000001,?,?), ref: 20426E3A
SendMessageW.USER32(?,00001200,00000000,00000000), ref: 20426E4A
SendMessageW.USER32(?,00000030,?,00000001), ref: 20426E7E
SendMessageW.USER32(?,0000101E,?,0000FFFF), ref: 20426E95
#2788.MFC80U(?,?,?,20426D14,?,?,?,?,00000001,?,?), ref: 20426EA0
SendMessageW.USER32(?,00001200,00000000,00000000), ref: 20426EB2
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 20426ECD
SendMessageW.USER32(?,00000030,?,00000001), ref: 20426EE5

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: MessageSend$#4026$#896$#899$#2788#310#776$#2362
String ID:
API String ID: 1710774582-0
Opcode ID: 5296d30a1ecec7ac4013f8fc71894d4989160fccefc2a84b823980d7497a5206
Instruction ID: aa4b9502e60422c1e52898dc15779102af38bc0d2ac35246eb695f8f2cc4fd3e
Opcode Fuzzy Hash: 5296d30a1ecec7ac4013f8fc71894d4989160fccefc2a84b823980d7497a5206
Instruction Fuzzy Hash: D8319C75300A11BFE628CBA4CD91FE6B369BF48B44F018259BA089B3D1DB65FC0187A4

Function 20459360 Relevance: 15.1, APIs: 10, Instructions: 71COMMON

Download Yara Rule

APIs

#2651.MFC80U(00000411,00000000,2045921F,00000000), ref: 20459382
#2155.MFC80U(00000411,00000000,2045921F,00000000), ref: 20459389
#2651.MFC80U(000003EF,00000000,00000411,00000000,2045921F,00000000), ref: 204593B0
#2155.MFC80U(000003EF,00000000,00000411,00000000,2045921F,00000000), ref: 204593B7
#2651.MFC80U(000003F0,00000000,000003EF,00000000,00000411,00000000,2045921F,00000000), ref: 204593DE
#2155.MFC80U(000003F0,00000000,000003EF,00000000,00000411,00000000,2045921F,00000000), ref: 204593E5
#2651.MFC80U(00000412,00000000,000003F0,00000000,000003EF,00000000,00000411,00000000,2045921F,00000000), ref: 2045940C
#2155.MFC80U(00000412,00000000,000003F0,00000000,000003EF,00000000,00000411,00000000,2045921F,00000000), ref: 20459413
#2651.MFC80U(00000413,00000000,00000412,00000000,000003F0,00000000,000003EF,00000000,00000411,00000000,2045921F,00000000), ref: 2045943A
#2155.MFC80U(00000413,00000000,00000412,00000000,000003F0,00000000,000003EF,00000000,00000411,00000000,2045921F,00000000), ref: 20459441

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2155#2651
String ID:
API String ID: 2951104937-0
Opcode ID: f6fe9348ba186353032b6a423a2cf5a7871d0b0adf2b203f1672f05baf4be3ad
Instruction ID: 31b31d011d396547114fe7106fc17d19e087b2da80e5e9793571ca5a8f19b2ec
Opcode Fuzzy Hash: f6fe9348ba186353032b6a423a2cf5a7871d0b0adf2b203f1672f05baf4be3ad
Instruction Fuzzy Hash: FC21D830344640DFEB1647B48815BFE26E5EB66B45F80843CA9428F6E1DBBC9DCAC701

Function 20452630 Relevance: 14.4, APIs: 4, Strings: 4, Instructions: 387COMMON

Download Yara Rule

APIs

wcscpy_s.MSVCR80 ref: 20452794
wcscpy_s.MSVCR80 ref: 20452834

Strings

(, xrefs: 20452896
xXH , xrefs: 20452761
xXH , xrefs: 204527FE
gfff, xrefs: 20452AD0

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: wcscpy_s
String ID: ($gfff$xXH $xXH
API String ID: 4009619764-2999701029
Opcode ID: f8be013a59c073a9477da2c2178c16b20343a47a63ff652c588ab1520a4f70e6
Instruction ID: 0ee759234e8851a67771f0f2326596c5f277068ebb508eaa214141bf9a411ff3
Opcode Fuzzy Hash: f8be013a59c073a9477da2c2178c16b20343a47a63ff652c588ab1520a4f70e6
Instruction Fuzzy Hash: BBF1B5702087018FC325CF94C580B9BBBE1AF99708F54CA5EE9598B352D735E94ACB92

Function 2041FDB0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 199COMMON

Download Yara Rule

APIs

wcscpy_s.MSVCR80 ref: 2041FEB6

Strings

(%d), xrefs: 2041FF3B
(, xrefs: 2041FF14
), xrefs: 2041FEFF

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: wcscpy_s
String ID: ($(%d)$)
API String ID: 4009619764-2787113179
Opcode ID: 15abf14657b2190d1b5379c0b4c59638615587183744a76d11c00b1c5e8c27ef
Instruction ID: 8a51930926ea8aa904346e78c63c6d9904d9bb4c0cee69b43284e936653d9135
Opcode Fuzzy Hash: 15abf14657b2190d1b5379c0b4c59638615587183744a76d11c00b1c5e8c27ef
Instruction Fuzzy Hash: EF6104716046058BC720CF98D84079BF3E1FF94704F55CA5AE95587256E3B8EAC7CB82

Function 2041B3B0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 193COMMON

Download Yara Rule

APIs

wcscpy_s.MSVCR80 ref: 2041B4C2

Strings

), xrefs: 2041B504
(, xrefs: 2041B519
(%d), xrefs: 2041B540

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: wcscpy_s
String ID: ($(%d)$)
API String ID: 4009619764-2787113179
Opcode ID: 018303559dd34487307c3fc249e546da2c14b2a5c1b60a9b5c1aa2dbc6db4a84
Instruction ID: b073d46256fe1c90a32a90c35c6f4af868edfb0916f5bbedaa473bab11a98dca
Opcode Fuzzy Hash: 018303559dd34487307c3fc249e546da2c14b2a5c1b60a9b5c1aa2dbc6db4a84
Instruction Fuzzy Hash: 8F61E4715042059BC720DF9CC88069BF3B6EF98708F45C95DE9499B252E378EAC5CBD2

Function 20446D60 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 169networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000), ref: 20446E11
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000401), ref: 20446E3A
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 20446E57
#2311.MFC80U(?,%s (%s),?,?), ref: 20446EE5

Part of subcall function 20445A50: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 20445AB2
Part of subcall function 20445A50: strcpy_s.MSVCR80 ref: 20445AD8
Part of subcall function 20445A50: strcat_s.MSVCR80 ref: 20445AEF
Part of subcall function 20445A50: LoadLibraryA.KERNEL32(?,?,?,?,-00000001,?,00000008), ref: 20445AFF
Part of subcall function 20445A50: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 20445B0D
Part of subcall function 20445A50: FreeLibrary.KERNEL32(00000000,?,?,?,-00000001,?,00000008), ref: 20445B18
Part of subcall function 20445A50: strcpy_s.MSVCR80 ref: 20445B30
Part of subcall function 20445A50: strcat_s.MSVCR80 ref: 20445B41
Part of subcall function 20445A50: LoadLibraryA.KERNEL32(?), ref: 20445B4B
Part of subcall function 20445A50: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 20445B5F
Part of subcall function 20445A50: FreeLibrary.KERNEL32(00000000), ref: 20445B66

#776.MFC80U(?), ref: 20446EEC

Part of subcall function 20404CB0: wcscpy_s.MSVCR80 ref: 20404CD7

#2311.MFC80U(?,%s (%s),?,?), ref: 20446F63
#776.MFC80U(?), ref: 20446F71

Strings

%s (%s), xrefs: 20446EDF, 20446F5D

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: Library$#2311#776AddressByteCharFreeLoadMultiProcWidestrcat_sstrcpy_s$DirectoryErrorLastSystemwcscpy_s
String ID: %s (%s)
API String ID: 3711615853-1363028141
Opcode ID: f84cf21e986a7fb561d57e1cfd249b6d541893479ae5edc571268b1b06acbe83
Instruction ID: fe1e3b47f3a1e4e914dfd1958567bdeffcd6869a864d07879954a62d86137406
Opcode Fuzzy Hash: f84cf21e986a7fb561d57e1cfd249b6d541893479ae5edc571268b1b06acbe83
Instruction Fuzzy Hash: 5B51E4715083009AE320DBA4CC40BABB3E5EFD4710F51CD2EF69897291EB79A945C7A3

Function 2043C910 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 124COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCR80 ref: 2043C9F3

Part of subcall function 20404CB0: wcscpy_s.MSVCR80 ref: 20404CD7

Strings

Q, xrefs: 2043C928
NAME, xrefs: 2043CA09
@My profile, xrefs: 2043C946
SUBNODE, xrefs: 2043C9ED
NODE, xrefs: 2043C999, 2043CA24
TYPE, xrefs: 2043C9CD

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: _wcsicmpwcscpy_s
String ID: @My profile$NAME$NODE$Q$SUBNODE$TYPE
API String ID: 3816771565-633031873
Opcode ID: 06e1e4c1ceb70e5b99e5a53d2642d5fac0df99db4c19e5f623fd2b02eb955dc6
Instruction ID: 32ed0e59955420316cd54525bfdcfdc93ea73d8703fee88b1072996f361bdcbb
Opcode Fuzzy Hash: 06e1e4c1ceb70e5b99e5a53d2642d5fac0df99db4c19e5f623fd2b02eb955dc6
Instruction Fuzzy Hash: 863126B13402055BC700EFD5CC81BABB7D8EF99659F50D82DFA09C2350DA6DDA448762

Function 2043CE80 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

wcscpy_s.MSVCR80 ref: 2043CEAD

Part of subcall function 20404410: LoadLibraryW.KERNELBASE(00000000), ref: 20404486

wcscpy_s.MSVCR80 ref: 2043CEF9
wcsncpy_s.MSVCR80 ref: 2043CF14
wcscpy_s.MSVCR80 ref: 2043CF39
wcscpy_s.MSVCR80 ref: 2043CF98
wcsncpy_s.MSVCR80 ref: 2043CFAF

Strings

${PluginID}=, xrefs: 2043CE9E
Software\ESET\ESET Security\CurrentVersion\Plugins\${PluginID}\Profiles, xrefs: 2043CF27

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: wcscpy_s$wcsncpy_s$LibraryLoad
String ID: ${PluginID}=$Software\ESET\ESET Security\CurrentVersion\Plugins\${PluginID}\Profiles
API String ID: 2742677927-2279858865
Opcode ID: 69c8d6371d800003a0a99ebf7cfdaa8ccaa03bbe307884d5313aff03d248baed
Instruction ID: 31d593b75fe56d50a8bcdc5a2c71d449045a2e827647018fd79083b8966a06ef
Opcode Fuzzy Hash: 69c8d6371d800003a0a99ebf7cfdaa8ccaa03bbe307884d5313aff03d248baed
Instruction Fuzzy Hash: 8731B2721443016BD320DB94CC86FEBB3A5EF8C708F548D2CF68597191EAB8E7498796

Function 2043C3F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

wcsncpy_s.MSVCR80 ref: 2043C417
GetDriveTypeW.KERNEL32(?), ref: 2043C42C
QueryDosDeviceW.KERNEL32(?,?,00000400), ref: 2043C464
_wcsnicmp.MSVCR80 ref: 2043C47A
swscanf_s.MSVCR80 ref: 2043C498
wcschr.MSVCR80 ref: 2043C4AD

Strings

;%c:, xrefs: 2043C492
\Device\LanmanRedirector\, xrefs: 2043C475

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: DeviceDriveQueryType_wcsnicmpswscanf_swcschrwcsncpy_s
String ID: ;%c:$\Device\LanmanRedirector\
API String ID: 2193757491-3518561738
Opcode ID: c43a501eb04d86f05b7fe70faa5bbcd5e9eade08c9e7890deed7aba96727e21b
Instruction ID: 792f914edced5409e40d16dff4cb6fdf5b07593157fae891470c0492212408ca
Opcode Fuzzy Hash: c43a501eb04d86f05b7fe70faa5bbcd5e9eade08c9e7890deed7aba96727e21b
Instruction Fuzzy Hash: E021A272504300ABD310DF94DC46BAB77E8BF98704F80CC2CF695D6251EA79A6498BD3

Function 20422320 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

#1558.MFC80U(0000042E,00000010,0000000A,00DBEAEB), ref: 20422347
SendMessageW.USER32(?,00001208,00000000,?), ref: 20422362
#2364.MFC80U(00000000), ref: 20422365
SendMessageW.USER32(?,0000120B,?,?), ref: 20422381
SendMessageW.USER32(?,0000120C,?,?), ref: 204223A1
SendMessageW.USER32(?,0000120C,?,?), ref: 204223CE
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 204223D8

Strings

$, xrefs: 20422379

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: MessageSend$#1558#2364InvalidateRect
String ID: $
API String ID: 348224052-3993045852
Opcode ID: 1148c658d442e2151bc7ea04e97a48f2f7aef3d4fec40fc2a9f0050c973db9e7
Instruction ID: 798c43613874377f5c967f85987ebc91dfb3d139841aa2bef4ee4f89f42f74a9
Opcode Fuzzy Hash: 1148c658d442e2151bc7ea04e97a48f2f7aef3d4fec40fc2a9f0050c973db9e7
Instruction Fuzzy Hash: 37216FB1640B05AFD320DB69CC86F97B7ECBF98701F008A1DB696C65D0E7B4E5048B51

Function 2041AE10 Relevance: 13.9, APIs: 9, Instructions: 396COMMON

Download Yara Rule

APIs

#310.MFC80U(A1C94593,?,00000000,?,?), ref: 2041AE41
#310.MFC80U ref: 2041AE51
#1472.MFC80U(?), ref: 2041AF54
#1176.MFC80U ref: 2041B02A
#578.MFC80U ref: 2041B368
#578.MFC80U ref: 2041B37A

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #310#578$#1176#1472
String ID:
API String ID: 3216390780-0
Opcode ID: 42d95186b08056ccba4a6079f986677ac8a413395eec47168e7852f846eac254
Instruction ID: 2176d355446ba8b8b3d5147e2cf2fe77ce15d9a5be9e2993dc5a5bb217e4cfaa
Opcode Fuzzy Hash: 42d95186b08056ccba4a6079f986677ac8a413395eec47168e7852f846eac254
Instruction Fuzzy Hash: 72E1BD309447058FE7008BACC99475AFBF0AB55398F04C66DEEA482392D77C99C9CBC2

Function 20470840 Relevance: 13.7, APIs: 9, Instructions: 193COMMON

Download Yara Rule

APIs

Part of subcall function 2042D850: #524.MFC80U(00000000,00000000,00000000,A1C94593,?,2047ED3A,20479C16,000000FF,204263A6,?,000000B8,A1C94593,?,?,?), ref: 2042D87F
Part of subcall function 2042D850: #563.MFC80U(00000000,00000000,00000000,A1C94593,?,2047ED3A,20479C16,000000FF,204263A6,?,000000B8,A1C94593,?,?,?), ref: 2042D898

Part of subcall function 20462000: #516.MFC80U(0000015E,00000000,00000038,A1C94593,-00003AB4,?,2047D956,000000FF,2047088E,?,?,00000165,A1C94593,00000003,-00003AB4), ref: 20462030

Part of subcall function 2045EF30: #516.MFC80U(0000024A,00000000,00000038,A1C94593,00000000,-00003AB4,?,2047DCBB,000000FF,204708B5,?,?,?,?,?,00000165), ref: 2045EF61

Part of subcall function 2045FDC0: #516.MFC80U(00000257,00000000,00000038,A1C94593,00000000,-00003AB4,?,00000000,?,2047DBB6,000000FF,204708CB,?,?,?,?), ref: 2045FDF4
Part of subcall function 2045FDC0: #416.MFC80U(?,?,00000004,00000002,6C854310,6C8560B9,00000257,00000000,00000038,A1C94593,00000000,-00003AB4,?,00000000,?,2047DBB6), ref: 2045FE3E
Part of subcall function 2045FDC0: #416.MFC80U(?,?,00000004,00000002,6C854310,6C8560B9,00000257,00000000,00000038,A1C94593,00000000,-00003AB4,?,00000000,?,2047DBB6), ref: 2045FE50
Part of subcall function 2045FDC0: GetSystemMetrics.USER32(00000032), ref: 2045FEB5
Part of subcall function 2045FDC0: GetSystemMetrics.USER32(00000031), ref: 2045FEBA
Part of subcall function 2045FDC0: #1555.MFC80U(00000000,?,?,?,204810D4,000000FF,2046250A,?,-00003AB4,?,-00003AB4,?,?,00000000), ref: 2045FEBF
Part of subcall function 2045FDC0: GetSysColor.USER32(00000005), ref: 2045FEC6
Part of subcall function 2045FDC0: #1079.MFC80U(?,00000000,?,?,?,204810D4,000000FF,2046250A,?,-00003AB4,?,-00003AB4,?,?,00000000), ref: 2045FED4
Part of subcall function 2045FDC0: LoadIconW.USER32(00000000,00007F00), ref: 2045FEF3
Part of subcall function 2045FDC0: #1079.MFC80U(?,000000FF,00000000,?,?,?,204810D4,000000FF,2046250A,?,-00003AB4,?,-00003AB4,?,?,00000000), ref: 2045FF07
Part of subcall function 2045FDC0: DestroyCursor.USER32(?), ref: 2045FF1E

Part of subcall function 204611D0: #516.MFC80U(00000258,00000000,00000038,A1C94593,00000000,-00003AB4,?,?,2047DA78,000000FF,204708E1,?,?,?,?,?), ref: 20461202
Part of subcall function 204611D0: #416.MFC80U(?,?,00000004,00000002,6C854310,6C8560B9,00000258,00000000,00000038,A1C94593,00000000,-00003AB4,?,?,2047DA78,000000FF), ref: 20461250
Part of subcall function 204611D0: GetSystemMetrics.USER32(00000032), ref: 204612B9
Part of subcall function 204611D0: GetSystemMetrics.USER32(00000031), ref: 204612BE
Part of subcall function 204611D0: #1555.MFC80U(00000000,?,?,?,204810D4,000000FF,2046250A,?,-00003AB4,?,-00003AB4,?,?,00000000), ref: 204612C3
Part of subcall function 204611D0: GetSysColor.USER32(00000005), ref: 204612CA
Part of subcall function 204611D0: #1079.MFC80U(?,00000000,?,?,?,204810D4,000000FF,2046250A,?,-00003AB4,?,-00003AB4,?,?,00000000), ref: 204612D8
Part of subcall function 204611D0: LoadIconW.USER32(00000000,00007F00), ref: 204612F1
Part of subcall function 204611D0: #1079.MFC80U(?,000000FF,00000000,?,?,?,204810D4,000000FF,2046250A,?,-00003AB4,?,-00003AB4,?,?,00000000), ref: 20461307
Part of subcall function 204611D0: DestroyCursor.USER32(00000000), ref: 2046131A

#762.MFC80U(00000A00,?,?,?,?,?,?,?,?,?,?,00000165,A1C94593,00000003,-00003AB4), ref: 20470994
#762.MFC80U(0000074C), ref: 204709CB
#762.MFC80U(000004F8), ref: 20470A02
#977.MFC80U(?), ref: 20470A3D
#977.MFC80U(?,?), ref: 20470A4B
#977.MFC80U(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 20470A84
#977.MFC80U(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 20470A9E
#977.MFC80U(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 20470AB2
SetRectEmpty.USER32(?), ref: 20470ABE

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #977$#1079#516MetricsSystem$#416#762$#1555ColorCursorDestroyIconLoad$#524#563EmptyRect
String ID:
API String ID: 3482417175-0
Opcode ID: 712abb72ca72c193c5dcacdc26a3daf60cbf34dc48453cc04d27f88546aabf47
Instruction ID: e834abb8702d319562c4f58ddf1d09b58eb6bf8d53996b5fd876976c9c1fc1e2
Opcode Fuzzy Hash: 712abb72ca72c193c5dcacdc26a3daf60cbf34dc48453cc04d27f88546aabf47
Instruction Fuzzy Hash: 1A817FB05083899FDB25CF69C844BDABBE8AF98704F04852EE5488B250D778A709CF52

Function 20464180 Relevance: 13.6, APIs: 9, Instructions: 140COMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 20464207
free.MSVCR80 ref: 20464211
wcscpy_s.MSVCR80 ref: 20464263
#5149.MFC80U(00000080), ref: 204642AC
#5398.MFC80U(00000104,00000080), ref: 204642CD
wcsrchr.MSVCR80 ref: 20464306
#776.MFC80U(-00000002), ref: 20464319

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #5149#5398#776freememsetwcscpy_swcsrchr
String ID:
API String ID: 1906206284-0
Opcode ID: 0a5e136886ec2a0b6f8157a349f8e8cee1f8b5b65f014911f5051c631b74df5a
Instruction ID: c64f6c6f4541aa9597edde046d6cfe801432045dfba55ac3ddfb43287b3a4fdd
Opcode Fuzzy Hash: 0a5e136886ec2a0b6f8157a349f8e8cee1f8b5b65f014911f5051c631b74df5a
Instruction Fuzzy Hash: 8051D2712087009BCB10DF95CC95A6BBBE4FBC4708F50892DF98587390EB7DA944CB52

Function 204375E0 Relevance: 13.6, APIs: 9, Instructions: 116windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 204375F8
CopyRect.USER32(?,?), ref: 20437619
IsWindow.USER32(?), ref: 2043762A
SendMessageW.USER32(?,00001200,00000000,00000000), ref: 20437648
#3395.MFC80U ref: 20437662
GetSystemMetrics.USER32(00000002), ref: 20437670
SendMessageW.USER32(?,0000120B,00000000,00000001), ref: 20437704
SendMessageW.USER32(?,0000120C,00000000,00000001), ref: 20437723
InvalidateRect.USER32(?,00000000,00000001), ref: 20437740

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: MessageSend$RectWindow$#3395CopyInvalidateMetricsSystem
String ID:
API String ID: 3025489251-0
Opcode ID: 04165a8bd1110d92bdb52082952706d917a94f7124bbfd3a28d5fb72b27ad4e5
Instruction ID: 2874fc8a2a8ffedec40647df49c84152a99f93a404bc40beea944e09dfcd6218
Opcode Fuzzy Hash: 04165a8bd1110d92bdb52082952706d917a94f7124bbfd3a28d5fb72b27ad4e5
Instruction Fuzzy Hash: 50414B71204B419FD320DFA9CC85F5BB7E8AB88754F20992DF5E9C3251DB78E8048B22

Function 20425060 Relevance: 13.6, APIs: 9, Instructions: 115windowCOMMON

Download Yara Rule

APIs

#310.MFC80U(A1C94593), ref: 204250AD
#3756.MFC80U(?), ref: 204250C9
swscanf_s.MSVCR80 ref: 204250E8
#2311.MFC80U(?,2048587C,0000FFFF), ref: 2042510B
#6063.MFC80U(?), ref: 2042511B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 204251B9
#6063.MFC80U(20485878), ref: 204251CA
#578.MFC80U ref: 204251E5

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #6063$#2311#310#3756#578MessageSendswscanf_s
String ID:
API String ID: 3210659254-0
Opcode ID: 3c5bde393de6e0bc71d2e7c4a20ddef8a4843513411f941f52a4986c94d93fc3
Instruction ID: 36cab569b6b074d02ee9115f48633608569152ae39f8f4dd4006e701a6c31336
Opcode Fuzzy Hash: 3c5bde393de6e0bc71d2e7c4a20ddef8a4843513411f941f52a4986c94d93fc3
Instruction Fuzzy Hash: FA41E271A087019FC714DF94DC90BAB77E9FB84715F008A3DF8459B291EB399905CB92

Function 20425210 Relevance: 13.6, APIs: 9, Instructions: 115windowCOMMON

Download Yara Rule

APIs

#310.MFC80U(A1C94593), ref: 2042525D
#3756.MFC80U(?), ref: 20425279
swscanf_s.MSVCR80 ref: 20425298
#2311.MFC80U(?,2048587C,0000FFFF), ref: 204252BB
#6063.MFC80U(?), ref: 204252CB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 20425369
#6063.MFC80U(20485878), ref: 2042537A
#578.MFC80U ref: 20425395

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #6063$#2311#310#3756#578MessageSendswscanf_s
String ID:
API String ID: 3210659254-0
Opcode ID: 361499e3e154a1532808e9da758d4fdb2c358d8ef259a3228fe50c12ec43d848
Instruction ID: ea0d6b87ef06e6902964463f505d2c6208afaf29c8ccc4e1efd5cba282a58445
Opcode Fuzzy Hash: 361499e3e154a1532808e9da758d4fdb2c358d8ef259a3228fe50c12ec43d848
Instruction Fuzzy Hash: 5C4112B16087009FC710CF50CC90BAA77E9FB88714F00CA3DF8559B291EB799905CB92

Function 20425C30 Relevance: 13.6, APIs: 9, Instructions: 115windowCOMMON

Download Yara Rule

APIs

#310.MFC80U(A1C94593), ref: 20425C73
#3756.MFC80U(?), ref: 20425C8F
swscanf_s.MSVCR80 ref: 20425CAE
#2311.MFC80U(?,2048587C,000000FF), ref: 20425CD1
#6063.MFC80U(?), ref: 20425CE1
SendMessageW.USER32(?,0000014E,00000001,00000000), ref: 20425D3A
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 20425D7D
#6063.MFC80U(20485878), ref: 20425D92
#578.MFC80U ref: 20425DA6

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #6063MessageSend$#2311#310#3756#578swscanf_s
String ID:
API String ID: 858908244-0
Opcode ID: ae47bf82d3adab582be4daf17f427c03ee7253ca502987780ecfada004406175
Instruction ID: 2e8279aa7f0b3b15c5be8a18cd1982fd12598ec58ccc737625e19ed89ef2adb1
Opcode Fuzzy Hash: ae47bf82d3adab582be4daf17f427c03ee7253ca502987780ecfada004406175
Instruction Fuzzy Hash: 6F4123716087419FC714CF50DC84B5B77E9FB88714F00CA2EF9548B2A1EB389905CB81

Function 20424410 Relevance: 13.6, APIs: 9, Instructions: 114windowCOMMON

Download Yara Rule

APIs

#310.MFC80U(A1C94593), ref: 20424457
#3756.MFC80U(?), ref: 20424473
swscanf_s.MSVCR80 ref: 20424492
#2311.MFC80U(?,2048587C,0000FFFF), ref: 204244B5
#6063.MFC80U(?), ref: 204244C5
SendMessageW.USER32(?,0000014E,00000001,00000000), ref: 2042451A
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 20424559
#6063.MFC80U(20485878), ref: 2042456A
#578.MFC80U ref: 20424582

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #6063MessageSend$#2311#310#3756#578swscanf_s
String ID:
API String ID: 858908244-0
Opcode ID: 1464e5cfa7a83aa8a59b78d47f766604f1306e9a887bda0a44e5ac2ff66e6f8e
Instruction ID: 69451ac66363ffd69de476115491b617f5135a9de66107f067028f297cf54f98
Opcode Fuzzy Hash: 1464e5cfa7a83aa8a59b78d47f766604f1306e9a887bda0a44e5ac2ff66e6f8e
Instruction Fuzzy Hash: 314103B16087419FC714DF50CC80B6B77E9FB88714F40CA2DF9559B291EB399905CB92

Function 204374C0 Relevance: 13.6, APIs: 9, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 204374D7
GetClientRect.USER32(?,?), ref: 204374EA
IsWindow.USER32(?), ref: 204374FB
free.MSVCR80 ref: 20437510
SendMessageW.USER32(?,00001200,00000000,00000000), ref: 20437536
malloc.MSVCR80 ref: 2043754D
#3395.MFC80U ref: 2043756E
GetSystemMetrics.USER32(00000002), ref: 2043757C
SendMessageW.USER32 ref: 204375A9

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: MessageSendWindow$#3395ClientMetricsRectSystemfreemalloc
String ID:
API String ID: 1711230558-0
Opcode ID: c09c4cddeffb2a4e774a2ad75fe4ebdcd482e17445a0f4d63acbd6b2082bbd6d
Instruction ID: 7c111e8234d5641f4b74ef2d2af4d4f695ebef2d36820c8c541985d8ee9576ad
Opcode Fuzzy Hash: c09c4cddeffb2a4e774a2ad75fe4ebdcd482e17445a0f4d63acbd6b2082bbd6d
Instruction Fuzzy Hash: 47315EB1604706AFD7208BA5CC85F1777E8BB88754F11C92CE9D9C7291DB38E905CB61

Function 2042D2E0 Relevance: 13.6, APIs: 9, Instructions: 76COMMON

Download Yara Rule

APIs

#359.MFC80U(00000000,A1C94593), ref: 2042D320
memset.MSVCR80 ref: 2042D33C
#3998.MFC80U(?,00000000,A1C94593), ref: 2042D370
#6735.MFC80U(?,?,00000000,A1C94593), ref: 2042D382
#5832.MFC80U(?,?), ref: 2042D39F
#578.MFC80U(?,?), ref: 2042D3B0
#3828.MFC80U(?,00000000), ref: 2042D3C6
#2011.MFC80U(00000000,A1C94593), ref: 2042D3CD
#607.MFC80U(?,00000000), ref: 2042D3E3

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2011#359#3828#3998#578#5832#607#6735memset
String ID:
API String ID: 126714201-0
Opcode ID: 256313df5807d866f03f49126790f0c027ef40375f6b49a617e38de642894119
Instruction ID: c763532d55a962847b69b75e6bc18a6ddab311bd77bd401084034ad75326b9cc
Opcode Fuzzy Hash: 256313df5807d866f03f49126790f0c027ef40375f6b49a617e38de642894119
Instruction Fuzzy Hash: A23143712087809FD724DBA4C855BEAB7E4AF98714F008A1EF555876D0EB789904C753

Function 2045F240 Relevance: 13.6, APIs: 9, Instructions: 70COMMON

Download Yara Rule

APIs

#4574.MFC80U ref: 2045F24E
GetClientRect.USER32(?,?), ref: 2045F25C
#2651.MFC80U(000004C3,0000000F), ref: 2045F28D

Part of subcall function 2045D0A0: GetParent.USER32(?), ref: 2045D0B0
Part of subcall function 2045D0A0: #2366.MFC80U(00000000), ref: 2045D0B7
Part of subcall function 2045D0A0: #4109.MFC80U(00000000,02000000,00000000), ref: 2045D0D7
Part of subcall function 2045D0A0: GetClientRect.USER32(?,?), ref: 2045D0F1
Part of subcall function 2045D0A0: GetWindowRect.USER32(?,00000000), ref: 2045D116
Part of subcall function 2045D0A0: #5609.MFC80U(00000000), ref: 2045D123
Part of subcall function 2045D0A0: malloc.MSVCR80 ref: 2045D12A
Part of subcall function 2045D0A0: #5713.MFC80U(?,00000000), ref: 2045D177

#2651.MFC80U(000004D7,00000008,000004C3,0000000F), ref: 2045F2A2
#2651.MFC80U(00000499,00000008,000004D7,00000008,000004C3,0000000F), ref: 2045F2B7
#2651.MFC80U(000004D7), ref: 2045F2D3
#2155.MFC80U(00000000,000004D7), ref: 2045F2E0
#2651.MFC80U(00000499,000004D7), ref: 2045F2EC
#2155.MFC80U(00000000,00000499,000004D7), ref: 2045F2F9

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2651$Rect$#2155Client$#2366#4109#4574#5609#5713ParentWindowmalloc
String ID:
API String ID: 1533607108-0
Opcode ID: 75b32bee038ec3f055f89b3a77d0f563f2ce60f4c12f110e31d42f17823995c4
Instruction ID: 12caeb71d6cb5cb63b0c79dc7bf450e27fdfd275581a6ec987d697c725427b09
Opcode Fuzzy Hash: 75b32bee038ec3f055f89b3a77d0f563f2ce60f4c12f110e31d42f17823995c4
Instruction Fuzzy Hash: D511C3B03403066BD704ABF4C856BBEB7A5AFA0E08F40C62DB6449B6D0DE68AC058755

Function 2042C250 Relevance: 13.6, APIs: 9, Instructions: 70windowCOMMON

Download Yara Rule

APIs

#4574.MFC80U(?,20457514), ref: 2042C253
SendMessageW.USER32(?,00000401,00000001,00000000), ref: 2042C291
GetNextDlgTabItem.USER32(?,00000000,00000000), ref: 2042C2A5
#2366.MFC80U(00000000), ref: 2042C2A8
#2648.MFC80U(00000000), ref: 2042C2B7
#1005.MFC80U(00000000,00000000,00000000,00000000,00000000), ref: 2042C2D1
GetNextDlgTabItem.USER32(?,?,00000000), ref: 2042C2E0
#2366.MFC80U(00000000), ref: 2042C2E3
SetForegroundWindow.USER32(?), ref: 2042C2F9

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2366ItemNext$#1005#2648#4574ForegroundMessageSendWindow
String ID:
API String ID: 183709898-0
Opcode ID: 30d86843a7a0115f8584d825181697ca30c7dfa468d451f1a6c4215dc9c416e6
Instruction ID: 717947ed28c759a126b30f0293c07f5a9e78839d161f282296525fc96fe913fe
Opcode Fuzzy Hash: 30d86843a7a0115f8584d825181697ca30c7dfa468d451f1a6c4215dc9c416e6
Instruction Fuzzy Hash: 8D112231740B01BBD62457F4DC81FAAB368BB45A14F00C668FA08EB2C0DE69FD4183A0

Function 20444810 Relevance: 13.6, APIs: 9, Instructions: 55COMMON

Download Yara Rule

APIs

#310.MFC80U(?,A1C94593,00000000,?,?,00000000,2047E5D1,000000FF,20441B81,00000000), ref: 20444851
#310.MFC80U(?,?,00000000,2047E5D1,000000FF,20441B81,00000000), ref: 20444862
#310.MFC80U(?,?,00000000,2047E5D1,000000FF,20441B81,00000000), ref: 20444873
#310.MFC80U(?,?,00000000,2047E5D1,000000FF,20441B81,00000000), ref: 20444884
#310.MFC80U(?,?,00000000,2047E5D1,000000FF,20441B81,00000000), ref: 20444895
#310.MFC80U(?,?,00000000,2047E5D1,000000FF,20441B81,00000000), ref: 204448A6
#310.MFC80U(?,?,00000000,2047E5D1,000000FF,20441B81,00000000), ref: 204448B7
EnterCriticalSection.KERNEL32(00003FC8,?,?,00000000,2047E5D1,000000FF,20441B81,00000000), ref: 204448CF
LeaveCriticalSection.KERNEL32(00003FC8), ref: 204448DD

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #310$CriticalSection$EnterLeave
String ID:
API String ID: 2018764849-0
Opcode ID: dc30752cbd3352a4a41d008ae2c0dfec2ecbb15ad48c5c87bc3b5eb03c551049
Instruction ID: 149e7ac79b37164727e2346f3cd882fd213499b13d4c724ad8dea1ca39136e5a
Opcode Fuzzy Hash: dc30752cbd3352a4a41d008ae2c0dfec2ecbb15ad48c5c87bc3b5eb03c551049
Instruction Fuzzy Hash: 5F214730008B81DFC311DF64CC88B96BFE4FB65759F108E2DF496826A1DB396648CB92

Function 2043B8A0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

GetTextMetricsW.GDI32(?,?), ref: 2043B8B1
GetTextExtentPoint32W.GDI32(?,2048B8C8,00000001,?), ref: 2043B8C4
memset.MSVCR80 ref: 2043B8D3

Strings

, xrefs: 2043BA19

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: Text$ExtentMetricsPoint32memset
String ID:
API String ID: 2649258116-2735817509
Opcode ID: f818c91ce8229f5eabd7a1dc3580614bf2c4515ec148b0c47a5bae0681ff08b1
Instruction ID: 04d7869c2b87461092ef02d3b1c4d5f8aff85504e6062eabee1153db2eead2da
Opcode Fuzzy Hash: f818c91ce8229f5eabd7a1dc3580614bf2c4515ec148b0c47a5bae0681ff08b1
Instruction Fuzzy Hash: E15148B65083419FC310EFA4C880B5BBBF5AFC9714F10D91DFA9993251D778A909CB92

Function 2045B350 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 138windowCOMMON

Download Yara Rule

APIs

#314.MFC80U(00000000,A1C94593), ref: 2045B386
SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 2045B3A8
SendMessageW.USER32(?,0000100C,-00000002,00000002), ref: 2045B3E8
#2860.MFC80U(-00000002), ref: 2045B3F1
memset.MSVCR80 ref: 2045B45B
#6751.MFC80U(00000000,?), ref: 2045B4FE

Strings

H, xrefs: 2045B463

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: MessageSend$#2860#314#6751memset
String ID: H
API String ID: 1096045933-2852464175
Opcode ID: 46191001adbfb0f823e1850d3ff10f7cd6632487f737781d04927b7d4074ad65
Instruction ID: 8c6d3108348b86b4f4e31ab9c5c9604d9b4c750fb206cd4083dfeed3ef3df40c
Opcode Fuzzy Hash: 46191001adbfb0f823e1850d3ff10f7cd6632487f737781d04927b7d4074ad65
Instruction Fuzzy Hash: 905191B1A04608EFDB14CF94C881BEDBBB4FB58714F10826DE915AB391D779A905CBA0

Function 2044F260 Relevance: 12.3, APIs: 8, Instructions: 348COMMON

Download Yara Rule

APIs

#314.MFC80U(00000000,A1C94593), ref: 2044F299

Part of subcall function 20462A10: EnterCriticalSection.KERNEL32(?,A1C94593,?,?,?,?), ref: 20462A3F
Part of subcall function 20462A10: #280.MFC80U(?,?,00000000,?,?), ref: 20462A55
Part of subcall function 20462A10: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 20462AD0
Part of subcall function 20462A10: #310.MFC80U(?,00000000,?,?), ref: 20462ADE
Part of subcall function 20462A10: #310.MFC80U(?,00000000,?,?), ref: 20462AF0
Part of subcall function 20462A10: #4026.MFC80U(000000B7,?,00000000,?,?), ref: 20462B04
Part of subcall function 20462A10: #4026.MFC80U(000000B2,?,00000000,?,?), ref: 20462B13
Part of subcall function 20462A10: MessageBoxW.USER32(00000000,?,?,00000010), ref: 20462B2A
Part of subcall function 20462A10: #578.MFC80U(?,00000000,?,?), ref: 20462B39
Part of subcall function 20462A10: #578.MFC80U(?,00000000,?,?), ref: 20462B4B

#310.MFC80U(?,?,00003630,00003EFC,-00003E6C), ref: 2044F3C2
#4026.MFC80U(00000077,?), ref: 2044F41C
#4026.MFC80U(00000076,?), ref: 2044F46A

Part of subcall function 20412B10: #1176.MFC80U(A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000,2047AC89), ref: 20412B3D
Part of subcall function 20412B10: #764.MFC80U(?,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000), ref: 20412B64
Part of subcall function 20412B10: #764.MFC80U(?,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000), ref: 20412B74
Part of subcall function 20412B10: #764.MFC80U(?,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000), ref: 20412B84
Part of subcall function 20412B10: #764.MFC80U(?,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000), ref: 20412B94
Part of subcall function 20412B10: #764.MFC80U(?,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000), ref: 20412BAD

Part of subcall function 20412B10: #265.MFC80U(00000000,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000), ref: 20412BF3
Part of subcall function 20412B10: memset.MSVCR80 ref: 20412C00

Part of subcall function 204677A0: EnterCriticalSection.KERNEL32(-00003A6C,?,?,?,2044F2EE,?,?,00000000,00000000), ref: 204677A9
Part of subcall function 204677A0: LeaveCriticalSection.KERNEL32(-00003A6C,-00003E44,?,2044F2EE,?,?,00000000,00000000), ref: 204677C0

#1176.MFC80U(?), ref: 2044F531
#4026.MFC80U(00000078,?), ref: 2044F5AE
#578.MFC80U(?), ref: 2044F686
#6751.MFC80U(00000000,?), ref: 2044F6B1

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #4026#764$CriticalSection$#310#578$#1176EnterLeave$#265#280#314#6751Messagememset
String ID:
API String ID: 3887008047-0
Opcode ID: b2bfdf396d9384adda82f74b60be1817eaeb1267e1407364b462e9108ef9b5fd
Instruction ID: f302d05e3825bd07ca04ebf36d67b8bda39176010dbeb0f07acd231b2700a8da
Opcode Fuzzy Hash: b2bfdf396d9384adda82f74b60be1817eaeb1267e1407364b462e9108ef9b5fd
Instruction Fuzzy Hash: D3D1DF70608305AFD314DF64C880B6BB7A1EF94B08F51CA1CF95587392DB39E906CB92

Function 2042FAF0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

#280.MFC80U(?,A1C94593,00000000,2047AEF9,000000FF,2042F9F3,00000000,?), ref: 2042FB2E
#899.MFC80U( ), ref: 2042FB45
#6063.MFC80U(?), ref: 2042FB52
InvalidateRect.USER32(?,00000000,00000001,?), ref: 2042FB5F
#578.MFC80U ref: 2042FB71
#1176.MFC80U(A1C94593,00000000,2047AEF9,000000FF,2042F9F3,00000000,?), ref: 2042FB89

Strings

, xrefs: 2042FB3C

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #1176#280#578#6063#899InvalidateRect
String ID:
API String ID: 3088243248-399585960
Opcode ID: 4d49673be8d75949b1e1a0b5e3412ca3ff7cb27203972ef5d35702515fcf7e24
Instruction ID: b0faaa034b84c1fa1ddc5dff7bf1fca6dd93627ac5db641cbeda2d35d3c9bece
Opcode Fuzzy Hash: 4d49673be8d75949b1e1a0b5e3412ca3ff7cb27203972ef5d35702515fcf7e24
Instruction Fuzzy Hash: 88111C75104A419FC710DFA4CC94B5AB7E4FB88B14F50CA2DF556836A0DB39E905CB52

Function 20404DF0 Relevance: 12.3, APIs: 8, Instructions: 253COMMON

Download Yara Rule

APIs

wcschr.MSVCR80 ref: 20404E4F
wcsncpy_s.MSVCR80 ref: 20404E7F
wcschr.MSVCR80 ref: 20404EAF
wcsncpy_s.MSVCR80 ref: 20404EF8
wcsstr.MSVCR80 ref: 20404F44

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: wcschrwcsncpy_s$wcsstr
String ID:
API String ID: 3357641305-0
Opcode ID: c59eb458cf4fd7a1e4c4e0c0152fe135a5944002f18257d60f5f10f5d1fa1ffb
Instruction ID: 347d500640f9eb3dd12fb6016f3ea24eee86d6d7e7c2936d64b2d4fc90e8bfb9
Opcode Fuzzy Hash: c59eb458cf4fd7a1e4c4e0c0152fe135a5944002f18257d60f5f10f5d1fa1ffb
Instruction Fuzzy Hash: 9C81EFB25043068FC3289FA8CD45A9B77E6EFC8704F458A2CE985D7345EA78EA04C7D1

Function 2043F3B0 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

#764.MFC80U(?,A1C94593,?,?,?,?,?,2047F1AF,000000FF,2043F70A,A1C94593,?,?,?,00000000,2047A185), ref: 2043F40F

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764
String ID:
API String ID: 441403673-0
Opcode ID: cb5708c9c9b3ff582acc7c17eab28571bd9283a47c901236fd4fa4bc37ebb7c4
Instruction ID: 3efddf22e9fe88da37ea4736d75f760c28e1615ed373dc71c1ed3eb50ed88554
Opcode Fuzzy Hash: cb5708c9c9b3ff582acc7c17eab28571bd9283a47c901236fd4fa4bc37ebb7c4
Instruction Fuzzy Hash: 4981CF716007068FC324CFA9CCC0B6A73E1EF98618F24CA2DE56687751DB3DE90A8B50

Function 2043FF10 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

#764.MFC80U(?,A1C94593,?,?,?,?,?,2047F1AF,000000FF,2045043A,A1C94593,?,?,?,00000000,2047A185), ref: 2043FF6F

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764
String ID:
API String ID: 441403673-0
Opcode ID: 670edd4a2704a59cf25486175255d64e831be64b76b28695c064baecb1b0dc99
Instruction ID: 8a8ea7dbf020beaef21659d878ac0cab9a0894dbaac0e8260ea0df79ac10f160
Opcode Fuzzy Hash: 670edd4a2704a59cf25486175255d64e831be64b76b28695c064baecb1b0dc99
Instruction Fuzzy Hash: 6A81BCB16007068FD324CF98CCC0B6AB3E5EF84618F14CA2DE96687751EB79F9598B50

Function 2041B840 Relevance: 12.2, APIs: 8, Instructions: 237COMMON

Download Yara Rule

APIs

#764.MFC80U(20462D01,A1C94593,?,?,00000000,?,00000000,2047F1AF,000000FF,2041A362), ref: 2041B8A1

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764
String ID:
API String ID: 441403673-0
Opcode ID: 49d2aec307422f52fe82b2fe71e12b3385d92964ee4fbef3ff57010bf33b140b
Instruction ID: 20f6c94d0eb08dde5cb7aebfb320af4f62f4f4a5db1246a92f7947175b4701a5
Opcode Fuzzy Hash: 49d2aec307422f52fe82b2fe71e12b3385d92964ee4fbef3ff57010bf33b140b
Instruction Fuzzy Hash: 7D81ADB16007058FD724DFADC8C0B26B3F5EF80644F44CA2DE56687751E739E9898B91

Function 20418BF0 Relevance: 12.2, APIs: 8, Instructions: 228COMMON

Download Yara Rule

APIs

#764.MFC80U(FFF99779,A1C94593,00000000,2047EED7,00000058,2047EF2F,2047CFDF,000000FF,2041C7C6,A1C94593,00000000,00000001,?,?,?,00000000), ref: 20418C28

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764
String ID:
API String ID: 441403673-0
Opcode ID: de6f1d873d1550d11978b98a2f5e2c2c68958f76a2d773dc2fb0932f1842c0e0
Instruction ID: 1eb38eaf2c4cb0d48ea11dfeb7b39c37b0f203b6940a2b85bd8f1e0bfc1ecb8c
Opcode Fuzzy Hash: de6f1d873d1550d11978b98a2f5e2c2c68958f76a2d773dc2fb0932f1842c0e0
Instruction Fuzzy Hash: 2A71DFB1604B018FD328CF59DC81B26B7E2EBD4614F14C93DE56AC7BA0E738E9458B44

Function 20430440 Relevance: 12.2, APIs: 8, Instructions: 228COMMON

Download Yara Rule

APIs

#764.MFC80U(?,?,?,?,?,2042F9AA,?,?), ref: 2043047D

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764
String ID:
API String ID: 441403673-0
Opcode ID: 2b8b3c20b7c852a384a2a6b9e1c18fd9497dba09e6326f44bdfedfe04e71fe7a
Instruction ID: 8c78ec8261826d180477a07e134413318fae3caf72c57858b2555c50dd82c17d
Opcode Fuzzy Hash: 2b8b3c20b7c852a384a2a6b9e1c18fd9497dba09e6326f44bdfedfe04e71fe7a
Instruction Fuzzy Hash: 887115B1B007058FC720CF99DCD0A6AB3E5EFD4608F24CA3DD55A87A11DA39F9158B10

Function 204201D0 Relevance: 12.2, APIs: 8, Instructions: 225COMMON

Download Yara Rule

APIs

#764.MFC80U(00000000,A1C94593,?,?,00000000,?,00000000,2047F1AF,000000FF,2041F809), ref: 20420231

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764
String ID:
API String ID: 441403673-0
Opcode ID: 6f19b68813a202126c8553dd222ea916b0fc5c9c56ae0e22d2c2dfc31ac2c452
Instruction ID: 706fc76fea88a4328b3faa778fc8abdf52e572fd22f3af5435c2c6311841ff6c
Opcode Fuzzy Hash: 6f19b68813a202126c8553dd222ea916b0fc5c9c56ae0e22d2c2dfc31ac2c452
Instruction Fuzzy Hash: 6C71CFB1700B028FD324DFA8D985B16B3E5EF80608F04C92DEAA5C7796E67CF9448B51

Function 2040E430 Relevance: 12.2, APIs: 8, Instructions: 221COMMON

Download Yara Rule

APIs

#764.MFC80U(?,A1C94593,?,00000000,00000000,?,00000000,2047F1AF,000000FF,2040E1FC), ref: 2040E48B

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764
String ID:
API String ID: 441403673-0
Opcode ID: 809c24b8e00aee26526680ef55797c1e1d6843585da1861ac648f7d96777122c
Instruction ID: 6f23047bb9867296087faeac3f31555e5892dd6a1e09183eccbdc6bc59c41139
Opcode Fuzzy Hash: 809c24b8e00aee26526680ef55797c1e1d6843585da1861ac648f7d96777122c
Instruction Fuzzy Hash: 467124B16107018FC328DFAACD81B17B7EAEBA0608F44CD3DE166A7750E63DE9158B41

Function 20470580 Relevance: 12.2, APIs: 8, Instructions: 215COMMON

Download Yara Rule

APIs

#764.MFC80U(?,?,?,?,2046C438,204A3270,?,2046A4ED,?,?,?,?,00000000,?), ref: 204705B8

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764
String ID:
API String ID: 441403673-0
Opcode ID: 91e895202fe9b93da151f2ff20d2d8d3d43bceb922bc7c9a280918cbf4565b8e
Instruction ID: ffed9e09394b837c24933bb8fae52088a01a5b746cc5235ed8a720ca0581ebcb
Opcode Fuzzy Hash: 91e895202fe9b93da151f2ff20d2d8d3d43bceb922bc7c9a280918cbf4565b8e
Instruction Fuzzy Hash: 9E61C2B17027058FD724DFA9DC81B9BB3F6EBD0608B14C92DE15AC7621EA38F8558B50

Function 2040D610 Relevance: 12.2, APIs: 8, Instructions: 212COMMON

Download Yara Rule

APIs

#764.MFC80U(458BFFF9,A1C94593,2047EED7,00000000,00000044,2047EF1B,2047CFDF,000000FF,2041C729,A1C94593,00000000,00000001,?,?,?,00000000), ref: 2040D648

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764
String ID:
API String ID: 441403673-0
Opcode ID: 4617c6d2f57dfa1dbd70defc75ce0c9091f811c6e2ab256ae7822ace62e36467
Instruction ID: 47f74a9446ad1e2dca6a9323ce38793ef61173937e3a7c16fe38d1840842f5f4
Opcode Fuzzy Hash: 4617c6d2f57dfa1dbd70defc75ce0c9091f811c6e2ab256ae7822ace62e36467
Instruction Fuzzy Hash: E871C1B1604B018FE318CF59C881A16F7E6FF84218F54C93DE56A97761E73AE808CB50

Function 2040D940 Relevance: 12.2, APIs: 8, Instructions: 203COMMON

Download Yara Rule

APIs

#764.MFC80U(FF9A6AE8,A1C94593,2047EED7,-00000008,?,2047EEDF,2047CFDF,000000FF,2040D500,00000000,2047EEDF,2041C6E6,A1C94593,00000000,00000001,?), ref: 2040D978

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764
String ID:
API String ID: 441403673-0
Opcode ID: 117a10ff7036d353de076ce51dc4ca9e8d4431212e94aa7aafedbf15b2ef066e
Instruction ID: 75967449d70f6e69711e089b3a87649a8cff60f4fe63acf095d80d0f0040ecd9
Opcode Fuzzy Hash: 117a10ff7036d353de076ce51dc4ca9e8d4431212e94aa7aafedbf15b2ef066e
Instruction Fuzzy Hash: 9661B3B16047058FD718DFA9C881B2AB7E2EF80614F54C92DE56687B51EB3EF909CB40

Function 2040CCC0 Relevance: 12.2, APIs: 8, Instructions: 188COMMON

Download Yara Rule

APIs

#764.MFC80U(?,?,?,00000000,00000000,2040E20D,?,?), ref: 2040CCED
#764.MFC80U(?,?,?,00000000,00000000,2040E20D,?,?), ref: 2040CD06
#764.MFC80U(?,?,?,00000000,00000000,2040E20D,?,?), ref: 2040CD1F
#764.MFC80U(?,?,?,00000000,00000000,2040E20D,?,?), ref: 2040CD38
#764.MFC80U(?,?,?,00000000,00000000,2040E20D,?,?), ref: 2040CDE2
#265.MFC80U(00000000,?,?,00000000,00000000,2040E20D,?,?), ref: 2040CE19
#764.MFC80U(?,?,?,00000000,00000000,2040E20D,?,?), ref: 2040CE53
#265.MFC80U(00000000,?,?,00000000,00000000,2040E20D,?,?), ref: 2040CE93

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764$#265
String ID:
API String ID: 4171483331-0
Opcode ID: 202ddafeb765ee368af551cb43395fe2e284931c58a5d4b635247606cee89bb1
Instruction ID: d74fc9ed131b597ec5b893aaa673d03ed43e5dc2af2b337a9e3f9e09efffe5ec
Opcode Fuzzy Hash: 202ddafeb765ee368af551cb43395fe2e284931c58a5d4b635247606cee89bb1
Instruction Fuzzy Hash: 906194B2500204CBCB08DF69C88199AB7E7FF94640B55C979ED09AB355D739FE49CB80

Function 204110E0 Relevance: 12.2, APIs: 8, Instructions: 182COMMON

Download Yara Rule

APIs

#764.MFC80U(?,?,?,?,204127C5,?,20462D02), ref: 2041110A
#764.MFC80U(20462D01,?,?,?,204127C5,?,20462D02), ref: 2041111A
#764.MFC80U(?,?,?,?,204127C5,?,20462D02), ref: 2041112A
#764.MFC80U(?,?,?,?,204127C5,?,20462D02), ref: 2041113A
#265.MFC80U(00000000,?,?,?,204127C5,?,20462D02), ref: 20411183
#265.MFC80U(00000000,?,?,?,204127C5,?,20462D02), ref: 204111E3

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764$#265
String ID:
API String ID: 4171483331-0
Opcode ID: b0024c4ae3a6811a114333c3da070cb76984e76ce6f3e22c897bc08ae9efce5c
Instruction ID: f85ed80b83d1636cf1b4d5d20a0cd95768f1b4f61d958747549d995c4f053705
Opcode Fuzzy Hash: b0024c4ae3a6811a114333c3da070cb76984e76ce6f3e22c897bc08ae9efce5c
Instruction Fuzzy Hash: 8E51A1726002019BCB18CF64C8527ABB7A2EF88744F59C568ED06DF795E639EE41C7C0

Function 2044DBF0 Relevance: 12.2, APIs: 8, Instructions: 166COMMON

Download Yara Rule

APIs

#314.MFC80U(00000000,A1C94593), ref: 2044DC28
#6751.MFC80U(00000000,?), ref: 2044DC5D
#6751.MFC80U(00000000,?), ref: 2044DCA3
#6751.MFC80U(00000000,?), ref: 2044DCF6
#4026.MFC80U(00000280,00000000,A1C94593), ref: 2044DD53
#4026.MFC80U(00000281), ref: 2044DD7A

Part of subcall function 2042E670: #6751.MFC80U(00000000,?,2042E5B8,00000000,A1C94593), ref: 2042E688

#6751.MFC80U(00000000,?), ref: 2044DDCD

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #6751$#4026$#314
String ID:
API String ID: 2838678766-0
Opcode ID: 692cc9bb21db07b68e7811fb851dabe5d5df92b517cd9293be954f60f0aa44a1
Instruction ID: 98200cb8d907bf1af1504b7ffa4f8b20505593ed0345a61892d829ef86b1c792
Opcode Fuzzy Hash: 692cc9bb21db07b68e7811fb851dabe5d5df92b517cd9293be954f60f0aa44a1
Instruction Fuzzy Hash: EA518DB2A083019FD304CF58D881A6AB7E1FBD4620F10CA2EF99587790DB39D805CB51

Function 20420B20 Relevance: 12.1, APIs: 8, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001061,00000000,?), ref: 20420B60
#2788.MFC80U(?,?,00000000), ref: 20420B74
SendMessageW.USER32(?,00001200,00000000,00000000), ref: 20420B8C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 20420BAD
SendMessageW.USER32 ref: 20420BFE
#762.MFC80U(00000040), ref: 20420C0A
#764.MFC80U(?), ref: 20420C6B
#764.MFC80U(?), ref: 20420C84

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: MessageSend$#764$#2788#762
String ID:
API String ID: 94826352-0
Opcode ID: 303d5266d76560b70a859dddbe5445c77b7a3256dd36d6156f144aae68344a2a
Instruction ID: cccce94efbb18c0b116a899b718fa4962595c2b7fd6ca270cb1dbf47a7686ba6
Opcode Fuzzy Hash: 303d5266d76560b70a859dddbe5445c77b7a3256dd36d6156f144aae68344a2a
Instruction Fuzzy Hash: 985106B19087449FD320CF5AC8C0A5BFBE4BB58654F908A2EF59987750D334E844CF56

Function 2040FBA0 Relevance: 12.1, APIs: 8, Instructions: 125COMMON

Download Yara Rule

APIs

#764.MFC80U(?,?,?,20420B95,?,?,00000000), ref: 2040FBB7

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764
String ID:
API String ID: 441403673-0
Opcode ID: 80f0db05304fd9d6823bb3fdc5d65254f79319c78f0f45daf2988447773be1fe
Instruction ID: 2667b74741966b4bc6b088ac4c1c2f5677e93d82a42779522c08319c34846e7a
Opcode Fuzzy Hash: 80f0db05304fd9d6823bb3fdc5d65254f79319c78f0f45daf2988447773be1fe
Instruction Fuzzy Hash: 0141D5F16047088BD3289FA5CC82B2AB3E6EB80614F54C93DE55AD7E50EA3DF8458B50

Function 20434A50 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

#764.MFC80U(?,?,?,20431F52), ref: 20434A67

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764
String ID:
API String ID: 441403673-0
Opcode ID: 54fc8e52c9ad11d0352c6890a50526739e071df378e0acc8d1de1216e089caed
Instruction ID: 8d2cc59dc8edb40c4a55f40b973c5f82235228e467e1daf06889393d0d2ee4c8
Opcode Fuzzy Hash: 54fc8e52c9ad11d0352c6890a50526739e071df378e0acc8d1de1216e089caed
Instruction Fuzzy Hash: 5B31D3B26007045BD3249FA5D985B5BF7EAEBD4A14FB4D83EE05AC7A90D63CF8418B10

Function 20452DD0 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

#764.MFC80U(?,?,?,20452885), ref: 20452DE7

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764
String ID:
API String ID: 441403673-0
Opcode ID: d9fe5cdd2b2663bd7e67fa88f134ce0ceda9424471f8b88cf63c91e175b127f5
Instruction ID: ea582bc9380f3ed550f0ddff936b639677b4f6806d39c03b11275879b4d4be38
Opcode Fuzzy Hash: d9fe5cdd2b2663bd7e67fa88f134ce0ceda9424471f8b88cf63c91e175b127f5
Instruction Fuzzy Hash: 4A31CBF26007045BD3149F55CA82A1BBBE6EBE1614F50C83FE55AD7A50D63CF8468710

Function 20426370 Relevance: 12.1, APIs: 8, Instructions: 123COMMON

Download Yara Rule

APIs

Part of subcall function 2042D850: #524.MFC80U(00000000,00000000,00000000,A1C94593,?,2047ED3A,20479C16,000000FF,204263A6,?,000000B8,A1C94593,?,?,?), ref: 2042D87F
Part of subcall function 2042D850: #563.MFC80U(00000000,00000000,00000000,A1C94593,?,2047ED3A,20479C16,000000FF,204263A6,?,000000B8,A1C94593,?,?,?), ref: 2042D898

Part of subcall function 20429FA0: #516.MFC80U(0000009A,00000000,00000038,A1C94593,?,00000000,20479F3C,000000FF,204263BE,?,?,000000B8,A1C94593,?,?,?), ref: 20429FD0

Part of subcall function 2042A990: #516.MFC80U(00000098,00000000,00000038,A1C94593,?,00000000,20479EBD,000000FF,204263CF,?,?,?,000000B8,A1C94593,?), ref: 2042A9C0
Part of subcall function 2042A990: #6735.MFC80U(20485878,2047EF1E,2047EECA,2047EE76,2047EE22), ref: 2042AA3D

Part of subcall function 20427410: #516.MFC80U(00000099,00000000,00000038,A1C94593,?,00000000,?,2047B309,000000FF,204263E0,?,?,?,?,000000B8,A1C94593), ref: 20427442

#416.MFC80U(?,?,?,?,000000B8,A1C94593,?,?,?), ref: 20426431
#762.MFC80U(00000120,?,?,?,?,000000B8,A1C94593,?,?,?), ref: 20426474
#977.MFC80U(?), ref: 204264C2
#977.MFC80U(?,?), ref: 204264CA
#977.MFC80U(?,?,?), ref: 204264D8
#1555.MFC80U(00000010,00000010,000000FE,00000000,00000004,?,?,?), ref: 20426507
GetSysColor.USER32(00000005), ref: 2042650E
#1079.MFC80U(?,00000000), ref: 2042651C

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #516#977$#1079#1555#416#524#563#6735#762Color
String ID:
API String ID: 982528815-0
Opcode ID: 5648d2ac7418de48b8c5000bd49b746fe147b288bb7b03ceb556e51628c86201
Instruction ID: 583975d9903fe4becb5d36a3077c42142cba33229de1660348c340dbb429fb34
Opcode Fuzzy Hash: 5648d2ac7418de48b8c5000bd49b746fe147b288bb7b03ceb556e51628c86201
Instruction Fuzzy Hash: BD516F70504B808FD321CF64D881BDBBBE4BF99748F408A1EF0DA97290D778A504CB66

Function 2044A000 Relevance: 12.1, APIs: 8, Instructions: 121COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 2044A055
#764.MFC80U(?), ref: 2044A0A2
LeaveCriticalSection.KERNEL32(?), ref: 2044A0AF
EnterCriticalSection.KERNEL32(?), ref: 2044A0EE
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000022,00000100,?), ref: 2044A11E
LeaveCriticalSection.KERNEL32(?,?), ref: 2044A13B
EnterCriticalSection.KERNEL32(?), ref: 2044A16D
LeaveCriticalSection.KERNEL32(?), ref: 2044A194

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: CriticalSection$EnterLeave$#764ByteCharMultiWide
String ID:
API String ID: 3041980425-0
Opcode ID: 03b9c78566b1dd80389c3f2b36833bf0a1bea24ae9f6d7108f501abc60001dba
Instruction ID: 82b977572f22e7b8bb91f181182a35f75dbe438bf220df568fdc3ecb4b1e28b1
Opcode Fuzzy Hash: 03b9c78566b1dd80389c3f2b36833bf0a1bea24ae9f6d7108f501abc60001dba
Instruction Fuzzy Hash: F651F3715187409FD750CFA8C888B9BBBF8BF89B05F40892EF599C7250E7B4A904CB52

Function 20418A20 Relevance: 12.1, APIs: 8, Instructions: 121COMMON

Download Yara Rule

APIs

#764.MFC80U(?,00000000,?,20416D18,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 20418A37

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764
String ID:
API String ID: 441403673-0
Opcode ID: 4671958f0ad303c47a6cea02f2b3ca069dbd3f82c4566170932d8e23fa0049ef
Instruction ID: b5e178df7553e5923ded9b5b8ce6b07c4099fafa75c94dcfe441f56e0ece09ee
Opcode Fuzzy Hash: 4671958f0ad303c47a6cea02f2b3ca069dbd3f82c4566170932d8e23fa0049ef
Instruction Fuzzy Hash: 1431A2F16007089BC7249FA5CC81A2BF7E5EF90654B54C92EE15AC7E51EB3DF8858B10

Function 20455C30 Relevance: 12.1, APIs: 8, Instructions: 118windowCOMMON

Download Yara Rule

APIs

#1079.MFC80U(?,?,?,00000000,A1C94593), ref: 20455C4D

Part of subcall function 20435260: #1079.MFC80U(?,A1C94593), ref: 2043529B
Part of subcall function 20435260: #6749.MFC80U(?,?,A1C94593), ref: 204352A7

#1079.MFC80U(?,-00000001,?,?,00000000,A1C94593), ref: 20455C70

Part of subcall function 20438C80: #1079.MFC80U(?,A1C94593), ref: 20438CBB
Part of subcall function 20438C80: #6749.MFC80U(?,?,A1C94593), ref: 20438CC7

ExtractIconExW.SHELL32(?,00000000,00000000,?,00000001), ref: 20455CF0
#1079.MFC80U(?,000000FF,?,?,?,00000000,A1C94593), ref: 20455D08
DestroyCursor.USER32(?), ref: 20455D21
#3873.MFC80U(00000003,?,?,00000000,00000000,00000000,00000000,?,?,00000000,A1C94593), ref: 20455D53
#5862.MFC80U(00000000,00000000,00000004,00000000,00000000,00000000,00000000,00000000,00000003,?,?,00000000,00000000,00000000,00000000), ref: 20455D71
SendMessageW.USER32(?,0000101E,00000000,0000FFFF), ref: 20455DA8

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #1079$#6749$#3873#5862CursorDestroyExtractIconMessageSend
String ID:
API String ID: 3740703228-0
Opcode ID: bc88314e8a2c7bb4b1c66cc2310b991db2a563fcf2a6d5de5453a8f766692c92
Instruction ID: ca98d3bb5e91f5b46d3c0e92cc0e6e070d20d5571afe716a276512f36404c08b
Opcode Fuzzy Hash: bc88314e8a2c7bb4b1c66cc2310b991db2a563fcf2a6d5de5453a8f766692c92
Instruction Fuzzy Hash: 1041BE72204700AFD220CFA8CC85FAA77F6ABD4B18F51C91CF6554B291DB78B9098B91

Function 20457F10 Relevance: 12.1, APIs: 8, Instructions: 112COMMON

Download Yara Rule

APIs

#314.MFC80U(00000000,A1C94593), ref: 20457F58
_time32.MSVCR80 ref: 20457FC6
#777.MFC80U(2048FC58), ref: 20457FEA
#2311.MFC80U(?,2048587C,0000000E), ref: 20458016
#2311.MFC80U(?,2048587C), ref: 20458032
#6232.MFC80U(00000000), ref: 20458042
#6063.MFC80U(?,00000000), ref: 20458057
#6751.MFC80U(00000000,?), ref: 20458090

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2311$#314#6063#6232#6751#777_time32
String ID:
API String ID: 2375346300-0
Opcode ID: 47ccfba3e1fb941079224ed5e546ca3a6837c2b87bdf42400c5254aeb6c8b629
Instruction ID: 047fd8ab0e14bad808cae18b8e573b341801a1b2de1a36cfe5e680196c8a5cba
Opcode Fuzzy Hash: 47ccfba3e1fb941079224ed5e546ca3a6837c2b87bdf42400c5254aeb6c8b629
Instruction Fuzzy Hash: 4941D5712082018BD714CF64CC85BAA7BA5BB94708F04C93DFD49AF6D5DB78A909CB92

Function 2043C6E0 Relevance: 12.1, APIs: 8, Instructions: 106registryCOMMON

Download Yara Rule

APIs

free.MSVCR80 ref: 2043C71E
malloc.MSVCR80 ref: 2043C74B
free.MSVCR80 ref: 2043C781
memcpy.MSVCR80(?,00000000,00000000,-00000023,?,00000000,?,2043F10A,?,?,?,?,?,00000001,00000000), ref: 2043C7AA
free.MSVCR80 ref: 2043C7B3
free.MSVCR80 ref: 2043C7C2
RegCloseKey.ADVAPI32(?,-00000023,?,00000000,?,2043F10A,?,?,?,?,?,00000001,00000000), ref: 2043C7D6
free.MSVCR80 ref: 2043C7DD

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: free$Closemallocmemcpy
String ID:
API String ID: 3581950131-0
Opcode ID: f0c7fdecfce2c502539653a6f82cc0022d8f8dea81b92cbdaf8e2dada8b9ab0a
Instruction ID: e8fc556353d8257b0342223d7edd590952b23e1f51f59bb0600cbce124897fe4
Opcode Fuzzy Hash: f0c7fdecfce2c502539653a6f82cc0022d8f8dea81b92cbdaf8e2dada8b9ab0a
Instruction Fuzzy Hash: CB318EB26006035BD6009FA49C85A67B7ACFF09621F149539ED05D3700EB2DFE98DBE2

Function 2045D0A0 Relevance: 12.1, APIs: 8, Instructions: 74COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 2045D0B0
#2366.MFC80U(00000000), ref: 2045D0B7
#4109.MFC80U(00000000,02000000,00000000), ref: 2045D0D7
GetClientRect.USER32(?,?), ref: 2045D0F1
GetWindowRect.USER32(?,00000000), ref: 2045D116
#5609.MFC80U(00000000), ref: 2045D123
malloc.MSVCR80 ref: 2045D12A
#5713.MFC80U(?,00000000), ref: 2045D177

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: Rect$#2366#4109#5609#5713ClientParentWindowmalloc
String ID:
API String ID: 3311746519-0
Opcode ID: 713f1deccbfcd25f1fbb48848ab7b5f8e3d11472b31d5a077c9c2f4c7b21a063
Instruction ID: e0f211835fd23e83626e035faf1916a20849807f104068c9a12278701ed8cba4
Opcode Fuzzy Hash: 713f1deccbfcd25f1fbb48848ab7b5f8e3d11472b31d5a077c9c2f4c7b21a063
Instruction Fuzzy Hash: BE3129B06087019FC318CF58C884A6ABBF5BF98704F01CA6DE88A87361DB34E945CB55

Function 2042FF30 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 2042FF4F
PtInRect.USER32(?,?,?), ref: 2042FF7D
GetWindowRect.USER32(?,?), ref: 2042FF90
GetParent.USER32(?), ref: 2042FF9A
#2366.MFC80U(00000000), ref: 2042FFA1
#6140.MFC80U(00000000,?,?,?,00000000,00000000), ref: 2042FFBB
#5829.MFC80U(00000000,?,?,?,00000000,00000000), ref: 2042FFC9
#1894.MFC80U ref: 2042FFD7

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: Rect$#1894#2366#5829#6140ClientParentWindow
String ID:
API String ID: 212747824-0
Opcode ID: 6937a4f93c5ea9244e49995fcdc09199884f663bc647000cf4e6ccc2ac0629fa
Instruction ID: 2bf1152b81ae0c4fa8cd025b0b9b50b58acb653149e68ad9b126918eb8fed9ab
Opcode Fuzzy Hash: 6937a4f93c5ea9244e49995fcdc09199884f663bc647000cf4e6ccc2ac0629fa
Instruction Fuzzy Hash: 031130712147059FC314DF64CC85FABB7E8FB84619F008A1DF59686690DB78E844CB91

Function 2044D990 Relevance: 12.1, APIs: 8, Instructions: 56COMMON

Download Yara Rule

APIs

#310.MFC80U(?,A1C94593,?,6C99281E,?,?,00000000,2047E174,000000FF,20441127,00000000), ref: 2044D9D1
#310.MFC80U(?,?,00000000,2047E174,000000FF,20441127,00000000), ref: 2044D9DF
#310.MFC80U(?,?,00000000,2047E174,000000FF,20441127,00000000), ref: 2044D9ED
#310.MFC80U(?,?,00000000,2047E174,000000FF,20441127,00000000), ref: 2044D9FD
#310.MFC80U(?,?,00000000,2047E174,000000FF,20441127,00000000), ref: 2044DA0D
#4026.MFC80U(0000027C,?,?,00000000,2047E174,000000FF,20441127,00000000), ref: 2044DA1F
#4026.MFC80U(0000027D,?,?,00000000,2047E174,000000FF,20441127,00000000), ref: 2044DA2C
#4026.MFC80U(0000027E,?,?,00000000,2047E174,000000FF,20441127,00000000), ref: 2044DA39

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #310$#4026
String ID:
API String ID: 3538715513-0
Opcode ID: 9beabf18ad02b9e4f8aeca6623d471602ee941e52d0de1d67d13c8cec5c15a8b
Instruction ID: ae243086d011bdde0d300e658b7e24c8606357b06fdfa419f5f8277fe1726ebc
Opcode Fuzzy Hash: 9beabf18ad02b9e4f8aeca6623d471602ee941e52d0de1d67d13c8cec5c15a8b
Instruction Fuzzy Hash: 4A216375208B409FC310DF15CC8875ABBE5EB85719F008A2DF85283790DB79950DCF52

Function 20427530 Relevance: 12.0, APIs: 8, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 2042F8C0: #1946.MFC80U(A1C94593,?,?,?,2047AF4A,000000FF,2042756F,?,A1C94593,?,?,2047B269,000000FF,204268BF,?), ref: 2042F90A
Part of subcall function 2042F8C0: #578.MFC80U(A1C94593,?,?,?,2047AF4A,000000FF,2042756F,?,A1C94593,?,?,2047B269,000000FF,204268BF,?), ref: 2042F917
Part of subcall function 2042F8C0: #587.MFC80U(?,?,2047B269,000000FF,204268BF,?), ref: 2042F927

#657.MFC80U(?,A1C94593,?,?,2047B269,000000FF,204268BF,?), ref: 2042757A
#657.MFC80U(?,A1C94593,?,?,2047B269,000000FF,204268BF,?), ref: 2042758A
#587.MFC80U(?,A1C94593,?,?,2047B269,000000FF,204268BF,?), ref: 2042759A
#587.MFC80U(?,A1C94593,?,?,2047B269,000000FF,204268BF,?), ref: 204275AA
#587.MFC80U(?,A1C94593,?,?,2047B269,000000FF,204268BF,?), ref: 204275BA
#587.MFC80U(?,A1C94593,?,?,2047B269,000000FF,204268BF,?), ref: 204275CA
#587.MFC80U(?,A1C94593,?,?,2047B269,000000FF,204268BF,?), ref: 204275DA
#718.MFC80U(?,A1C94593,?,?,2047B269,000000FF,204268BF,?), ref: 204275E9

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #587$#657$#1946#578#718
String ID:
API String ID: 4135078562-0
Opcode ID: c9782c9832fcb8682713ef34a66ba18d4b6aa73f104265ab85aa5047acdd4a07
Instruction ID: d92657625d66678ccc7935c96932225f3c66df0d070de15a78006974df052bd7
Opcode Fuzzy Hash: c9782c9832fcb8682713ef34a66ba18d4b6aa73f104265ab85aa5047acdd4a07
Instruction Fuzzy Hash: 15114F30008B818BD315DF64C8557EABBE5BF60718F40CE5DE0A6476A1DB78A60CC792

Function 2042AAA0 Relevance: 12.0, APIs: 8, Instructions: 45COMMON

Download Yara Rule

APIs

DestroyCursor.USER32(?), ref: 2042AADE
#578.MFC80U(A1C94593,?,00000000,20479EBD,000000FF,204268D0,?,?), ref: 2042AAEF
#741.MFC80U(?,00000000,20479EBD,000000FF,204268D0,?,?), ref: 2042AB00
#657.MFC80U(?,00000000,20479EBD,000000FF,204268D0,?,?), ref: 2042AB10
#587.MFC80U(?,00000000,20479EBD,000000FF,204268D0,?,?), ref: 2042AB20
#587.MFC80U(?,00000000,20479EBD,000000FF,204268D0,?,?), ref: 2042AB30
#587.MFC80U(?,00000000,20479EBD,000000FF,204268D0,?,?), ref: 2042AB40
#718.MFC80U(?,00000000,20479EBD,000000FF,204268D0,?,?), ref: 2042AB4F

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #587$#578#657#718#741CursorDestroy
String ID:
API String ID: 1809897021-0
Opcode ID: 35b0d8bbf7a53fa6ecf621a24b0649546298cb5f07307ed5c26dcae269261dd7
Instruction ID: 977527ab95c424e6832e6ed6def81d3820f7ebedd5a3b3135f79d51513055072
Opcode Fuzzy Hash: 35b0d8bbf7a53fa6ecf621a24b0649546298cb5f07307ed5c26dcae269261dd7
Instruction Fuzzy Hash: E8115E70008B818FD311DF64C855B9ABBE4BF64714F00CE1DE4A6836A1DB78A608C792

Function 2042EB20 Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 364COMMON

Download Yara Rule

APIs

Part of subcall function 20404CB0: wcscpy_s.MSVCR80 ref: 20404CD7

wcsncmp.MSVCR80 ref: 2042EC1B
wcsncmp.MSVCR80 ref: 2042EC48

Strings

HKLM\, xrefs: 2042EC43
HKCU\, xrefs: 2042EC16
xXH , xrefs: 2042EF02
xXH , xrefs: 2042EE7C

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: wcsncmp$wcscpy_s
String ID: HKCU\$HKLM\$xXH $xXH
API String ID: 2575004286-3847691091
Opcode ID: 583dbd2c518f6b03a74561c9ecb2ed86324533ed251ee6c2f02ec5990ab2e6b3
Instruction ID: 5fbb683c4cbcbcf1aaa3ba0d5211c586f8c64f9d3f08b135c86883a917ea21da
Opcode Fuzzy Hash: 583dbd2c518f6b03a74561c9ecb2ed86324533ed251ee6c2f02ec5990ab2e6b3
Instruction Fuzzy Hash: 0DE1DE71A006489FDF14CF96E980BEA77B1BF19208F15C1A8ED056B386E738DE45CB60

Function 20448B50 Relevance: 10.8, APIs: 7, Instructions: 291windowCOMMON

Download Yara Rule

APIs

#314.MFC80U(00000000,A1C94593), ref: 20448B88
SendMessageW.USER32(00000000), ref: 20448BCB
#310.MFC80U ref: 20448C16
#4026.MFC80U(0000022D), ref: 20448C2A
#578.MFC80U ref: 20448C42
#6751.MFC80U(00000000,?), ref: 20448C7B
#6751.MFC80U(00000000,?), ref: 20448F2C

Part of subcall function 2042D000: IsWindow.USER32(?), ref: 2042D037

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #6751$#310#314#4026#578MessageSendWindow
String ID:
API String ID: 1613437865-0
Opcode ID: dbbf1c2679c8c57563a73d693fbeded845e95855667f570ce51ce7c4e9b716bd
Instruction ID: aef0371a62a55a85432a202e164e070c81619bdb81af31f70ff8ae9106dbb37a
Opcode Fuzzy Hash: dbbf1c2679c8c57563a73d693fbeded845e95855667f570ce51ce7c4e9b716bd
Instruction Fuzzy Hash: A0B1AB71A097809FE304CFA4C981B5EBBE1FB94714F108A2DF5418B7A0CB79E901DB92

Function 2040C560 Relevance: 10.7, APIs: 7, Instructions: 191COMMON

Download Yara Rule

APIs

malloc.MSVCR80 ref: 2040C597
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 2040C5BB
malloc.MSVCR80 ref: 2040C5E7
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 2040C612
malloc.MSVCR80 ref: 2040C708
free.MSVCR80 ref: 2040C759
free.MSVCR80 ref: 2040C767

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: malloc$ByteCharMultiWidefree
String ID:
API String ID: 707110232-0
Opcode ID: bc2ad66ffb2963f783f2243d38d8883cee7a9bd424fa96275830423f5b417432
Instruction ID: f75eb00dc676f980c803eb227b2ca50fa95ea541d82a1da571b469d9a962dd34
Opcode Fuzzy Hash: bc2ad66ffb2963f783f2243d38d8883cee7a9bd424fa96275830423f5b417432
Instruction Fuzzy Hash: C4614C756043029FC314CF68C884B17BBE5AF88754F14C96DE989A7391E774EA08CB92

Function 2044CA40 Relevance: 10.7, APIs: 7, Instructions: 173encryptionCOMMON

Download Yara Rule

APIs

#314.MFC80U(00000000,A1C94593), ref: 2044CA82
#310.MFC80U ref: 2044CAED
#5149.MFC80U(000001F4,000001F4), ref: 2044CB18
CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000), ref: 2044CB29
#5398.MFC80U(000000FF), ref: 2044CBEB
#578.MFC80U ref: 2044CBFD
#6751.MFC80U(00000000,?), ref: 2044CC98

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #310#314#5149#5398#578#6751CertNameString
String ID:
API String ID: 2456080415-0
Opcode ID: 359466542936a10d833dcea9c59399fb0e95c224dc76e324f40d3d4a4dd1047f
Instruction ID: fa41959962371d0794451eda7c1d9808ee06ed86ef66dff3c495645590ad59e6
Opcode Fuzzy Hash: 359466542936a10d833dcea9c59399fb0e95c224dc76e324f40d3d4a4dd1047f
Instruction Fuzzy Hash: 9E617F716087019BD710CFA4C885B5AB7E5FB98718F24C62CF568973E1CB38E945CBA1

Function 20433A10 Relevance: 10.6, APIs: 7, Instructions: 120COMMON

Download Yara Rule

APIs

#1176.MFC80U(?,?,?,?), ref: 20433A82
#280.MFC80U(?,?,?,?,?), ref: 20433A8F
#774.MFC80U(00000001,?,?,?,?), ref: 20433AC4
#578.MFC80U ref: 20433B59

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #1176#280#578#774
String ID:
API String ID: 2589826963-0
Opcode ID: 3aee841dd4767aa561259c6d97ef28f9627ad1a095f4b03319da11ed7311dfe6
Instruction ID: b412220d2f80d9e6b8f98ad02a641db55c70cde94908a098124107b1af562d9d
Opcode Fuzzy Hash: 3aee841dd4767aa561259c6d97ef28f9627ad1a095f4b03319da11ed7311dfe6
Instruction Fuzzy Hash: AA414B716087059FC314CF59C885A5AF7E5FB88729F108A2EF89687790DB39E904CF91

Function 2043D210 Relevance: 10.6, APIs: 7, Instructions: 111registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000008,-00000023,6C954B78,?), ref: 2043D266
RegCreateKeyExW.ADVAPI32(?,?,00000000,20485878,00000000,?,00000000,?,00000000,00000008,-00000023,6C954B78,?), ref: 2043D287
wcscpy_s.MSVCR80 ref: 2043D2C1
wcsrchr.MSVCR80 ref: 2043D2F6
RegCloseKey.ADVAPI32(?), ref: 2043D325
RegCreateKeyExW.ADVAPI32(?,?,00000000,20485878,00000000,?,00000000,?,00000000), ref: 2043D33C

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: Create$CloseOpenwcscpy_swcsrchr
String ID:
API String ID: 2152705125-0
Opcode ID: 58d862d149c1be47d7913818b6ab24ce32d2019250fc2f80153d569dc36f2dc7
Instruction ID: 73e8dee97a2906a9ac4023fad5512ce7367ed15ae19a3f53bcb8052f95a96eae
Opcode Fuzzy Hash: 58d862d149c1be47d7913818b6ab24ce32d2019250fc2f80153d569dc36f2dc7
Instruction Fuzzy Hash: F731D4712443007BD320DB95EC89F9777ADEF89B05F20881CFA0597185EA7CE504CB62

Function 2043E1B0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

memcpy_s.MSVCR80 ref: 2043E218
memcpy_s.MSVCR80 ref: 2043E242
memcpy_s.MSVCR80 ref: 2043E272
memcpy_s.MSVCR80 ref: 2043E29F

Strings

pVJ , xrefs: 2043E2C4
pVJ , xrefs: 2043E297

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: memcpy_s
String ID: pVJ $pVJ
API String ID: 1502251526-1686371878
Opcode ID: b0fd80f6f29a2b4531f7504de39165ae335b15b96e92ffbd8b537b3fe6b44163
Instruction ID: 035c3c3053ea15f29b462dcaff85bb51d9f3f8aa72db6a330897e3da57f46125
Opcode Fuzzy Hash: b0fd80f6f29a2b4531f7504de39165ae335b15b96e92ffbd8b537b3fe6b44163
Instruction Fuzzy Hash: 6D313EB15083049FC750CF65C981B5BBBE4BB98714F40886EFA4DAB280E77999048B66

Function 20469430 Relevance: 10.6, APIs: 7, Instructions: 94COMMON

Download Yara Rule

APIs

#354.MFC80U(000000A7,?,A1C94593,?,?,00000000,00000000,204800D3,000000FF,204709B7,00000000,?,?,?,?), ref: 20469463
#416.MFC80U(000000A7,?,A1C94593,?,?,00000000,00000000,204800D3,000000FF,204709B7,00000000,?,?,?,?), ref: 2046947A

Part of subcall function 20430DC0: #310.MFC80U(?,A1C94593,00000000,?,00000000,?,2047AE6F,000000FF,20472632,?), ref: 20430DFC
Part of subcall function 20430DC0: #557.MFC80U ref: 20430E0A
Part of subcall function 20430DC0: #310.MFC80U ref: 20430E17
Part of subcall function 20430DC0: #557.MFC80U ref: 20430E25
Part of subcall function 20430DC0: LoadCursorW.USER32(00000000,00007F89), ref: 20430EA4
Part of subcall function 20430DC0: SetRectEmpty.USER32(?), ref: 20430F17

#310.MFC80U(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000A7), ref: 204694D4

Part of subcall function 2045CF80: #530.MFC80U(A1C94593,00000222,000000FF,00000000,2047A55B,000000FF,2045D5C1,000001EB,00000193,000000FF,?,A1C94593,?,?,?,2047BED4), ref: 2045CFB1
Part of subcall function 2045CF80: #6003.MFC80U(00000000,000000FF,A1C94593,00000222,000000FF,00000000,2047A55B,000000FF,2045D5C1,000001EB,00000193,000000FF,?,A1C94593), ref: 2045CFCD

#563.MFC80U(?), ref: 2046951D

Part of subcall function 20423810: #572.MFC80U(A1C94593,20428001,00000000,2047A038,000000FF,20422C5E,20428085,20428001,000000FF,A1C94593,?,?,?,2047B870,000000FF,20428001), ref: 20423837

Part of subcall function 20436CC0: #572.MFC80U(A1C94593,00000000,?,?,?,?,2047FB9B,000000FF,2046954E,?,?,?), ref: 20436CEA
Part of subcall function 20436CC0: #310.MFC80U(A1C94593,00000000,?,?,?,?,2047FB9B,000000FF,2046954E,?,?,?), ref: 20436CFE
Part of subcall function 20436CC0: memset.MSVCR80 ref: 20436DBB

#776.MFC80U(20485878,?,?,?), ref: 20469574
#1079.MFC80U ref: 2046957D
LoadAcceleratorsW.USER32(?,0000008A), ref: 2046958B

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #310$#557#572Load$#1079#354#416#530#563#6003#776AcceleratorsCursorEmptyRectmemset
String ID:
API String ID: 1543791554-0
Opcode ID: cddfcd618fcc776f6786d7afcf94eb45054a47f4e56a1e55c903af9242f48df2
Instruction ID: a46ccbdb704f9dd8e5b3b3a8ee9067b3fdc2097a17fb0de770ace96f8e92f55f
Opcode Fuzzy Hash: cddfcd618fcc776f6786d7afcf94eb45054a47f4e56a1e55c903af9242f48df2
Instruction Fuzzy Hash: 1B412EB0508B818ED311DF74C48579BFFE5AFA5608F108D1DF4DA87251DB79A108CB92

Function 20458A00 Relevance: 10.6, APIs: 7, Instructions: 89COMMON

Download Yara Rule

APIs

#314.MFC80U(00000000,A1C94593), ref: 20458A51
#5149.MFC80U(00000100), ref: 20458A8C
#5398.MFC80U(000000FF), ref: 20458AA9
#5149.MFC80U(00000100), ref: 20458AC8
#5398.MFC80U(000000FF), ref: 20458AE8
#6232.MFC80U(00000000), ref: 20458AF5
#6751.MFC80U(00000000,?), ref: 20458B29

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #5149#5398$#314#6232#6751
String ID:
API String ID: 180633984-0
Opcode ID: 98d6e08747b58175edc8de0211b6bc34471b3f46bfc46e5587e545123c05fc96
Instruction ID: 4d7bf4a7517d6a98d7be27a3230b32b6c0188237c0bd57952305acd3f7769b65
Opcode Fuzzy Hash: 98d6e08747b58175edc8de0211b6bc34471b3f46bfc46e5587e545123c05fc96
Instruction Fuzzy Hash: BD31E3713047019BD7148F64CC85BAAB7A5BB94B28F10872DF466577D0DF38A808C792

Function 204576D0 Relevance: 10.6, APIs: 7, Instructions: 89COMMON

Download Yara Rule

APIs

#314.MFC80U(00000000,A1C94593), ref: 20457721
#5149.MFC80U(00000100), ref: 2045775C
#5398.MFC80U(000000FF), ref: 20457779
#5149.MFC80U(00000100), ref: 20457798
#5398.MFC80U(000000FF), ref: 204577B8
#6232.MFC80U(00000000), ref: 204577C5
#6751.MFC80U(00000000,?), ref: 204577F9

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #5149#5398$#314#6232#6751
String ID:
API String ID: 180633984-0
Opcode ID: 709f66a4117406ca6d6d34b38997a045ea813d83459dce7f719479f88577e3ac
Instruction ID: 483a925638e855082552fd50976feeb080d5bc34dbf6352f9900ef8d0743a9c5
Opcode Fuzzy Hash: 709f66a4117406ca6d6d34b38997a045ea813d83459dce7f719479f88577e3ac
Instruction Fuzzy Hash: CA31C2312047029BD7148F64DC85BAABBA5BB98728F10873DF566473D0DF38A808C791

Function 20410DF0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 20410E35
memset.MSVCR80 ref: 20410E4D
wsprintfW.USER32 ref: 20410E69
VerQueryValueW.VERSION(?,?,?,?), ref: 20410E8F
lstrcpynW.KERNEL32(00000000,?,?,?,?,?,?), ref: 20410EA7

Strings

\StringFileInfo\%04X%04X\%s, xrefs: 20410E63

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: memset$QueryValuelstrcpynwsprintf
String ID: \StringFileInfo\%04X%04X\%s
API String ID: 3128287595-3176804452
Opcode ID: 3c0e6aa56a169eea6ca0dda9920636210079d7c0bc2b52ee6a1792caa3739355
Instruction ID: fc621e41e0b6f7a248fb3d8dc6ec6a1377c4a68bc81ad14f51c872d7764165fd
Opcode Fuzzy Hash: 3c0e6aa56a169eea6ca0dda9920636210079d7c0bc2b52ee6a1792caa3739355
Instruction Fuzzy Hash: C021D6B1504325ABC314DB96CC44FA7F7E8AF68B05F00C92DBA0997250DBB9E94487D5

Function 2043DC70 Relevance: 10.6, APIs: 7, Instructions: 75threadCOMMON

Download Yara Rule

APIs

OpenThreadToken.ADVAPI32(00000000,00020008,00000000,?,?,2044A3EC), ref: 2043DCA6
CloseHandle.KERNEL32(?,?), ref: 2043DCC9
CloseHandle.KERNEL32(00000000,?,2044A3EC), ref: 2043DCCC

Part of subcall function 2043DB70: GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,00000408,?,00000000,00000000,75922EE0), ref: 2043DBB9
Part of subcall function 2043DB70: LookupAccountSidW.ADVAPI32(00000000,?,?,?,?,?,?), ref: 2043DBEC

OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,00000000,?,2043DD55,?,00000000,?,2044A3EC), ref: 2043DCDE
OpenProcessToken.ADVAPI32(00000000,00020008,?,?,2044A3EC), ref: 2043DCF5
CloseHandle.KERNEL32(?,?), ref: 2043DD18
CloseHandle.KERNEL32(00000000,?,2044A3EC), ref: 2043DD1B

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: CloseHandle$OpenToken$Process$AccountInformationLookupThread
String ID:
API String ID: 2379517368-0
Opcode ID: ffa320f2e2dddec958b9ccbc10619eb6b4d988d711617833b0ec466f2450dc13
Instruction ID: 77ace5bbacb9f4f7b807782b2e5576dc0f924ed73937b2c6fd6a01b8e3c90a5d
Opcode Fuzzy Hash: ffa320f2e2dddec958b9ccbc10619eb6b4d988d711617833b0ec466f2450dc13
Instruction Fuzzy Hash: ED11AC712047116BD301CBA49C85E3BB7ACEF89A86F20891DFA1187240DB78EC0597A5

Function 2046EE80 Relevance: 10.6, APIs: 7, Instructions: 66windowCOMMON

Download Yara Rule

APIs

#2788.MFC80U(?,?,75A85540,75A8A000), ref: 2046EE99
SendMessageW.USER32(?,00001200,00000000,00000000), ref: 2046EEAF
SendMessageW.USER32(?,0000101D,00000000,00000000), ref: 2046EEC9
#2788.MFC80U(?,75A85540,75A8A000), ref: 2046EED4
SendMessageW.USER32(?,00001200,00000000,00000000), ref: 2046EEE6
GetWindowRect.USER32(?,?), ref: 2046EEF8
SendMessageW.USER32(?,0000101E,00000006), ref: 2046EF28

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: MessageSend$#2788$RectWindow
String ID:
API String ID: 300975974-0
Opcode ID: 26b220786117be0fd9864e48f2826445de03b4374e5fb91333f92b391d40d9fa
Instruction ID: 2660f09377d91215cdbc5b5b44f5567b84ed3998579b8bffc11fbdc14886bb12
Opcode Fuzzy Hash: 26b220786117be0fd9864e48f2826445de03b4374e5fb91333f92b391d40d9fa
Instruction Fuzzy Hash: C111D3723403546BD320DFA9CC84F9E77E8EB88B40F01462CF988DB2A0D939E8048B64

Function 20431180 Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

DestroyCursor.USER32(?), ref: 204311C1
#764.MFC80U(?,?,?,?,?,A1C94593,?,?,00000000,2047CC2F,000000FF,20472809), ref: 20431225
#745.MFC80U(?,?,?,?,A1C94593,?,?,00000000,2047CC2F,000000FF,20472809), ref: 20431235
#578.MFC80U(?,?,?,?,A1C94593,?,?,00000000,2047CC2F,000000FF,20472809), ref: 20431242
#745.MFC80U ref: 20431250
#578.MFC80U ref: 2043125D
#741.MFC80U ref: 2043126D

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #578#745$#741#764CursorDestroy
String ID:
API String ID: 3925348513-0
Opcode ID: 197ff15cbbc536f4c8d649963d6329e935b72bd93f72a301cd583617f43cb2c5
Instruction ID: 83450769d22ba5ea2da18077b8e71055b68bb0ae34810d94dd1e9f3b960c75f6
Opcode Fuzzy Hash: 197ff15cbbc536f4c8d649963d6329e935b72bd93f72a301cd583617f43cb2c5
Instruction Fuzzy Hash: AF214D700087818ED315DF64D944B9BBBE4AB54A18F108D1DF0D697690DB79A908CBA3

Function 20460E90 Relevance: 10.6, APIs: 7, Instructions: 61windowCOMMON

Download Yara Rule

APIs

#310.MFC80U(A1C94593,?,00000000,?,00000000,2047C2A9,000000FF,204610AA,00000000), ref: 20460EB9
#6232.MFC80U(00000001,?,00000000,?,00000000,2047C2A9), ref: 20460ECB
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 20460EE6
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 20460EF7
#4026.MFC80U(0000029B,?,00000000,?,00000000,2047C2A9), ref: 20460F2B
#5803.MFC80U(00000413,?,?,00000000,?,00000000,2047C2A9), ref: 20460F3D
#578.MFC80U(?,00000000,?,00000000,2047C2A9), ref: 20460F4E

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: MessageSend$#310#4026#578#5803#6232
String ID:
API String ID: 1927394422-0
Opcode ID: 6d79880abb2d890cd9b834e26bed755587d6767e3dc2070f059ac3f25da627e8
Instruction ID: f4d91fef00b462b39b8f7165b100f23ca1ca97f6120ade2b4f677b82167f9e61
Opcode Fuzzy Hash: 6d79880abb2d890cd9b834e26bed755587d6767e3dc2070f059ac3f25da627e8
Instruction Fuzzy Hash: 79118171208740ABE324DB54CC45FABB7A4EB84711F108A2DF551873E0EBBCA9048A55

Function 20436B40 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

#3793.MFC80U(?,?,?), ref: 20436B5D
#2870.MFC80U(00000000,?,00000001,?,?,?), ref: 20436B75
PtInRect.USER32(?,?,?), ref: 20436B84
SendMessageW.USER32(0000006E,0000110B,00000009,00000000), ref: 20436B9A
#1894.MFC80U(?,?,?), ref: 20436BA2

Strings

n, xrefs: 20436B62

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #1894#2870#3793MessageRectSend
String ID: n
API String ID: 884959302-2013832146
Opcode ID: 5866f101f56c324c047dc9070cf5a48073e1388c4ebbad63f5b795759658d119
Instruction ID: 71019f4995f92062321f6225cc7bfc0385661450bec6320917ff5e80ad3be0bc
Opcode Fuzzy Hash: 5866f101f56c324c047dc9070cf5a48073e1388c4ebbad63f5b795759658d119
Instruction Fuzzy Hash: E701D6762042047BC714DB94DC81FAFB7ACABC8B28F00C61DFA45C6281DA74ED0087B5

Function 2042A0A0 Relevance: 10.5, APIs: 7, Instructions: 39COMMON

Download Yara Rule

APIs

#591.MFC80U(A1C94593,?,00000000,20479F3C,000000FF,204268E1,?,?,?), ref: 2042A0D9
#620.MFC80U(A1C94593,?,00000000,20479F3C,000000FF,204268E1,?,?,?), ref: 2042A0E9
#620.MFC80U(A1C94593,?,00000000,20479F3C,000000FF,204268E1,?,?,?), ref: 2042A0F9
#591.MFC80U(A1C94593,?,00000000,20479F3C,000000FF,204268E1,?,?,?), ref: 2042A109
#587.MFC80U(A1C94593,?,00000000,20479F3C,000000FF,204268E1,?,?,?), ref: 2042A119
#587.MFC80U(A1C94593,?,00000000,20479F3C,000000FF,204268E1,?,?,?), ref: 2042A129
#718.MFC80U(A1C94593,?,00000000,20479F3C,000000FF,204268E1,?,?,?), ref: 2042A138

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #587#591#620$#718
String ID:
API String ID: 779086787-0
Opcode ID: 55dc9b1225ac67a39df09c050b186613a022d060eedc91c6ed3d9f0b6e735293
Instruction ID: 4bfbe0f9ee4b9d9f74dec981ebf672b7e5bbcb66592917bebe203b0f831196a0
Opcode Fuzzy Hash: 55dc9b1225ac67a39df09c050b186613a022d060eedc91c6ed3d9f0b6e735293
Instruction Fuzzy Hash: 6D113C700087819BC325DF64C855BEABBE0FFA1714F44CE1DE0A6476A0DBB86609C792

Function 20439E40 Relevance: 10.1, APIs: 8, Instructions: 82COMMON

Download Yara Rule

APIs

malloc.MSVCR80 ref: 20439E79
memset.MSVCR80 ref: 20439E88
malloc.MSVCR80 ref: 20439EA7
memset.MSVCR80 ref: 20439EB6
malloc.MSVCR80 ref: 20439ED5
memset.MSVCR80 ref: 20439EE4
malloc.MSVCR80 ref: 20439EEA
memset.MSVCR80 ref: 20439EF9

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: mallocmemset
String ID:
API String ID: 2882185209-0
Opcode ID: 16eda0088e1a5efdb71a992086406c3f3cb6e23979dc3489307c2ce772580dd1
Instruction ID: 4e0b3dd741fcd93010f2d198cb1a9cbd8eb2462f2375d9f8cd808f0600696381
Opcode Fuzzy Hash: 16eda0088e1a5efdb71a992086406c3f3cb6e23979dc3489307c2ce772580dd1
Instruction Fuzzy Hash: 7A212EB15047045BC720CF999CC196BBBF8BB99604F50893EE599D3700D739EE18CAA6

Function 2040CA10 Relevance: 9.2, APIs: 6, Instructions: 224COMMON

Download Yara Rule

APIs

#764.MFC80U(89640C24,A1C94593,?,?,00000000,00000000,?,2047D3CC,000000FF,2040E2F8,?), ref: 2040CAB9
#764.MFC80U(CCCC0006,A1C94593,?,?,00000000,00000000,?,2047D3CC,000000FF,2040E2F8,?), ref: 2040CAD2
#764.MFC80U(3274046E,A1C94593,?,?,00000000,00000000,?,2047D3CC,000000FF,2040E2F8,?), ref: 2040CAEB
#764.MFC80U(E5E2E850,A1C94593,?,?,00000000,00000000,?,2047D3CC,000000FF,2040E2F8,?), ref: 2040CB04
#265.MFC80U(00000000,A1C94593,?,?,00000000,00000000,?,2047D3CC,000000FF,2040E2F8,?), ref: 2040CBF8
#265.MFC80U(00000000,A1C94593,?,?,00000000,00000000,?,2047D3CC,000000FF,2040E2F8,?), ref: 2040CC63

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764$#265
String ID:
API String ID: 4171483331-0
Opcode ID: a07db5e2b5ef17b65e2b32640280f0aa3b5643831db1a4af1dde70ad20b809fb
Instruction ID: 8b597c311dad229945d0d65014c3e31015da35acb0ec0f77e7b8bb510146f47a
Opcode Fuzzy Hash: a07db5e2b5ef17b65e2b32640280f0aa3b5643831db1a4af1dde70ad20b809fb
Instruction Fuzzy Hash: 849189B1500304CFCB18CF69C481A56BBF2FF48614B988AADD8096B756CB39F949CF85

Function 2044BF50 Relevance: 9.2, APIs: 6, Instructions: 219COMMON

Download Yara Rule

APIs

#314.MFC80U(00000000,A1C94593), ref: 2044BFA0
EnterCriticalSection.KERNEL32(-00003A6C,?), ref: 2044C01A
EnterCriticalSection.KERNEL32(-00003A6C,?,00000000,81000000,?,?,00000000,?,00000000), ref: 2044C139
LeaveCriticalSection.KERNEL32(-00003A6C), ref: 2044C1E5
#6751.MFC80U(00000000,?), ref: 2044C2CD

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: CriticalSection$Enter$#314#6751Leave
String ID:
API String ID: 2506506037-0
Opcode ID: cd4c29c1b17a92d963c63d2088b7e1b9501995bccafe37cacce562f497645b4d
Instruction ID: 1aabffa1d9b2c20e7814515fd4c05f6d6d675276f08e87f32a92343a013f52db
Opcode Fuzzy Hash: cd4c29c1b17a92d963c63d2088b7e1b9501995bccafe37cacce562f497645b4d
Instruction Fuzzy Hash: BC91D1715087408BD761CFA4C891B9FB7E8BF91B08F10C91DF58997290DB78AA45CBA3

Function 2043F6C0 Relevance: 9.2, APIs: 6, Instructions: 182COMMON

Download Yara Rule

APIs

memmove_s.MSVCR80 ref: 2043F742
#1176.MFC80U(A1C94593,?,?,?,00000000,2047A185,000000FF,2043F1B8,?,?), ref: 2043F7BB
#1176.MFC80U(?,00000000,A1C94593,?,?,?,00000000,2047A185,000000FF,2043F1B8,?,?), ref: 2043F7E0
#6282.MFC80U(?,?,?,?,?,00000000,A1C94593,?,?,?,00000000,2047A185,000000FF,2043F1B8,?,?), ref: 2043F81E
#5316.MFC80U(?,?,?,?,?,00000000,A1C94593,?,?,?,00000000,2047A185,000000FF,2043F1B8,?,?), ref: 2043F854
#1172.MFC80U(00000003,00000000,?,?,?,?,?,00000000,A1C94593,?,?,?,00000000,2047A185,000000FF,2043F1B8), ref: 2043F870

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #1176$#1172#5316#6282memmove_s
String ID:
API String ID: 189992903-0
Opcode ID: efa184b823bbe05bf1ea6564afe0f2415fd702c19bf77f4f3cff90be8c8e7e34
Instruction ID: 89ce70431d1a0a37f86b060fd4245eb7056398a8d95b8d4857f3a984e6c9254d
Opcode Fuzzy Hash: efa184b823bbe05bf1ea6564afe0f2415fd702c19bf77f4f3cff90be8c8e7e34
Instruction Fuzzy Hash: 2D51DF7160831A8FC328DF88C880A56B7A5FF58724F29C62DE94887311DB75E905CBD1

Function 20428C20 Relevance: 9.1, APIs: 6, Instructions: 127windowCOMMON

Download Yara Rule

APIs

Part of subcall function 2042D2E0: #359.MFC80U(00000000,A1C94593), ref: 2042D320
Part of subcall function 2042D2E0: memset.MSVCR80 ref: 2042D33C
Part of subcall function 2042D2E0: #3998.MFC80U(?,00000000,A1C94593), ref: 2042D370
Part of subcall function 2042D2E0: #6735.MFC80U(?,?,00000000,A1C94593), ref: 2042D382
Part of subcall function 2042D2E0: #5832.MFC80U(?,?), ref: 2042D39F
Part of subcall function 2042D2E0: #578.MFC80U(?,?), ref: 2042D3B0
Part of subcall function 2042D2E0: #3828.MFC80U(?,00000000), ref: 2042D3C6
Part of subcall function 2042D2E0: #2011.MFC80U(00000000,A1C94593), ref: 2042D3CD
Part of subcall function 2042D2E0: #607.MFC80U(?,00000000), ref: 2042D3E3

Part of subcall function 204179F0: #1176.MFC80U(00000001,?,?,?,20428CCC,?,00000001), ref: 20417A3B

#310.MFC80U(?,00000001), ref: 20428CF3
#2311.MFC80U(?,2048A5C0,?,?), ref: 20428D34
SendMessageW.USER32(?,00000181,-00000001,?), ref: 20428D63
SendMessageW.USER32(?,0000019A,-00000001,00000005), ref: 20428D82
#2155.MFC80U(00000001), ref: 20428DB1
#578.MFC80U ref: 20428DD6

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #578MessageSend$#1176#2011#2155#2311#310#359#3828#3998#5832#607#6735memset
String ID:
API String ID: 2206005235-0
Opcode ID: 5d98db17271ceefec40e4686cedd3b400c23290e0028667f441ba2ae5cb3a62e
Instruction ID: a991864db3a0a3185713833567a21807db3ec07bc176c53f6d209b427fa1a97f
Opcode Fuzzy Hash: 5d98db17271ceefec40e4686cedd3b400c23290e0028667f441ba2ae5cb3a62e
Instruction Fuzzy Hash: 925194712187819FC320DBB4C891FEBB7E5BB54718F008A2DE5A9876D1DB38A904C792

Function 204382A0 Relevance: 9.1, APIs: 6, Instructions: 123COMMON

Download Yara Rule

APIs

Part of subcall function 20437980: CopyRect.USER32(?,?), ref: 204379CC
Part of subcall function 20437980: #310.MFC80U(?,?,?,?), ref: 204379D6
Part of subcall function 20437980: SendMessageW.USER32(00000020,00001200,00000000,00000000), ref: 20437A02
Part of subcall function 20437980: #578.MFC80U ref: 20437A18

SetTextColor.GDI32(?,?), ref: 20438333
GetCurrentObject.GDI32(?,00000006), ref: 20438363
GetObjectW.GDI32(00000000,0000005C,?), ref: 20438375
CreateFontIndirectW.GDI32(?), ref: 2043838C
#1271.MFC80U(00000000), ref: 20438395
SelectObject.GDI32(?), ref: 204383B0

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: Object$#1271#310#578ColorCopyCreateCurrentFontIndirectMessageRectSelectSendText
String ID:
API String ID: 4284396756-0
Opcode ID: 8705216cc76b13d0f737ef574a491e92388a5e8e7d4070be1353ec410c3028ca
Instruction ID: 484de9f246bdf82a8301fbaf3a63fc84f0942e2abdd496c54fb230ee13603b97
Opcode Fuzzy Hash: 8705216cc76b13d0f737ef574a491e92388a5e8e7d4070be1353ec410c3028ca
Instruction Fuzzy Hash: 7C41D6B22007019BD720CFA4D885B67F7E4FF89754F208A1DEA5587B91DB39E904CB51

Function 20454480 Relevance: 9.1, APIs: 6, Instructions: 119windowCOMMON

Download Yara Rule

APIs

#2361.MFC80U(?), ref: 204544CA
#2860.MFC80U(00000000,?), ref: 204544E2
#3396.MFC80U(00000000,00000000,00000000,?,00000000,?), ref: 20454535
#3396.MFC80U(00000000,00000000,00000001,?,00000000,00000000,00000000,?,00000000,?), ref: 2045454A
SendMessageW.USER32(?,00001000,00000000,00000000), ref: 20454567
#2255.MFC80U(?,00000000), ref: 20454579

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #3396$#2255#2361#2860MessageSend
String ID:
API String ID: 1954174168-0
Opcode ID: cb7de2568d13e4670ff08f8d41b71d634ad4678d3c454fbf4b0aead7b3e26e92
Instruction ID: c5855179c074373f60ae8c677f0082ddd0828e8fe3e3ea2248cd01ddea852f80
Opcode Fuzzy Hash: cb7de2568d13e4670ff08f8d41b71d634ad4678d3c454fbf4b0aead7b3e26e92
Instruction Fuzzy Hash: 2541A272204205AFC304CF58D880FAAF7E5EBD8324F00C62EFA499B291D675E849CB91

Function 204605D0 Relevance: 9.1, APIs: 6, Instructions: 119windowCOMMON

Download Yara Rule

APIs

#2361.MFC80U(?), ref: 2046061A
#2860.MFC80U(00000000,?), ref: 20460632
#3396.MFC80U(00000000,00000000,00000000,?,00000000,?), ref: 20460685
#3396.MFC80U(00000000,00000000,00000001,?,00000000,00000000,00000000,?,00000000,?), ref: 2046069A
SendMessageW.USER32(?,00001000,00000000,00000000), ref: 204606B7
#2255.MFC80U(?,00000000), ref: 204606C9

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #3396$#2255#2361#2860MessageSend
String ID:
API String ID: 1954174168-0
Opcode ID: 958238bf71ac4715f8ddfb8c01e7def0aeec5b4875cd1fe542732df0f3a72233
Instruction ID: 126db6bb1b3f769ee96d377db79cbabebc7581eef1bc95ec5cdcf709eca0c113
Opcode Fuzzy Hash: 958238bf71ac4715f8ddfb8c01e7def0aeec5b4875cd1fe542732df0f3a72233
Instruction Fuzzy Hash: 6B418F722042056FC304CF68D880FABB7E5EB98324F00C66DFA599B291DA74E845CB91

Function 20402E40 Relevance: 9.1, APIs: 6, Instructions: 114COMMON

Download Yara Rule

APIs

wcschr.MSVCR80 ref: 20402E94
wcschr.MSVCR80 ref: 20402EA2
wcschr.MSVCR80 ref: 20402EB5
wcschr.MSVCR80 ref: 20402EC3
wcschr.MSVCR80 ref: 20402ED4
memcpy.MSVCR80(?,?,?), ref: 20402F21

Part of subcall function 20402BB0: wcschr.MSVCR80 ref: 20402BDC
Part of subcall function 20402BB0: realloc.MSVCR80 ref: 20402C0E
Part of subcall function 20402BB0: free.MSVCR80 ref: 20402C6B

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: wcschr$freememcpyrealloc
String ID:
API String ID: 167584904-0
Opcode ID: 79e9b2ff87d29b74a77624e85320ed0fe6e6514f70e8057716c5544e99aabd57
Instruction ID: 3d209cc773c25d1276801a86a55cdadc7f4b325e4ec272aeb9d5ae2cd2e00bf9
Opcode Fuzzy Hash: 79e9b2ff87d29b74a77624e85320ed0fe6e6514f70e8057716c5544e99aabd57
Instruction Fuzzy Hash: 5131A7716043055BD714DEA5DD81BBBB3E9DF94645F00843CFE48A7381E678AE0586A2

Function 20444BF0 Relevance: 9.1, APIs: 6, Instructions: 108COMMON

Download Yara Rule

APIs

#314.MFC80U(00000000,A1C94593), ref: 20444C28
#6751.MFC80U(00000000,?), ref: 20444C61
#4026.MFC80U(000001FA), ref: 20444CCB
#4026.MFC80U(000001FB), ref: 20444CDE
#4026.MFC80U(000001FC), ref: 20444CFA
#4026.MFC80U(000001FD), ref: 20444D0D

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #4026$#314#6751
String ID:
API String ID: 624441723-0
Opcode ID: 7c2ac32a584af543b31e7d4ba2eba0a92f74952405558f1ebb88d8a70f75d7cd
Instruction ID: 80e23fc9a9e5395550071c8955333a20239846f9909a3b99e3d10eb53f791a7a
Opcode Fuzzy Hash: 7c2ac32a584af543b31e7d4ba2eba0a92f74952405558f1ebb88d8a70f75d7cd
Instruction Fuzzy Hash: 1F41C071A087019FE310CF98C8C5BAAB7E0FB84764F44CA2DE9555B7D0DB39A905CB61

Function 204369F0 Relevance: 9.1, APIs: 6, Instructions: 100COMMON

Download Yara Rule

APIs

#2579.MFC80U(A1C94593), ref: 20436A61
ScreenToClient.USER32(?,?), ref: 20436A85
#3793.MFC80U(?,?,?), ref: 20436A9C
#280.MFC80U(-00000004,?,?,?), ref: 20436ACA
wcsncpy_s.MSVCR80 ref: 20436B01
#578.MFC80U ref: 20436B16

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2579#280#3793#578ClientScreenwcsncpy_s
String ID:
API String ID: 3590633572-0
Opcode ID: 3061a5369420997e25cd18ecfc2a179ae1df2e6ddf54eae5e46729ca15c6e81d
Instruction ID: fa1ad2b7282cafb1daa863134dea4cd9b2a47bc730152b5a941792659c6a9c33
Opcode Fuzzy Hash: 3061a5369420997e25cd18ecfc2a179ae1df2e6ddf54eae5e46729ca15c6e81d
Instruction Fuzzy Hash: 2C317E715087029BD304DF58CC45B5ABBE8EB89728F20CA2DF86593391EB39E944CE56

Function 204215C0 Relevance: 9.1, APIs: 6, Instructions: 93COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000005C,?), ref: 20421636

Part of subcall function 20421700: wcscpy_s.MSVCR80 ref: 204217EF

GetObjectW.GDI32(?,0000005C,?), ref: 20421656
GetObjectW.GDI32(?,0000005C,?), ref: 2042167A
#762.MFC80U(00000008,A1C94593,?,?,?), ref: 2042168D
CreateFontIndirectW.GDI32(?), ref: 204216C4
#1271.MFC80U(00000000), ref: 204216CD

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: Object$#1271#762CreateFontIndirectwcscpy_s
String ID:
API String ID: 59788365-0
Opcode ID: 6707239445c955c7e539035827d95cdf433977ea8fd111f2add55a54eca427fa
Instruction ID: 4e5803fff410f36f8d1a55258727d8a2190b7b04d5b7813e904d9cd8e91b01ee
Opcode Fuzzy Hash: 6707239445c955c7e539035827d95cdf433977ea8fd111f2add55a54eca427fa
Instruction Fuzzy Hash: 7B314D716087459FD720CF64D881FABB7E9FB94604F00892DF64997290DB78E909CBA2

Function 20430DC0 Relevance: 9.1, APIs: 6, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 20423790: #572.MFC80U(A1C94593,20428001,00000000,2047A038,000000FF,20422C6F,204280D9,20428085,20428001,000000FF,A1C94593,?,?,?,2047B870,000000FF), ref: 204237B7

#310.MFC80U(?,A1C94593,00000000,?,00000000,?,2047AE6F,000000FF,20472632,?), ref: 20430DFC
#557.MFC80U ref: 20430E0A
#310.MFC80U ref: 20430E17
#557.MFC80U ref: 20430E25
LoadCursorW.USER32(00000000,00007F89), ref: 20430EA4
SetRectEmpty.USER32(?), ref: 20430F17

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #310#557$#572CursorEmptyLoadRect
String ID:
API String ID: 3215843377-0
Opcode ID: cb476f6742f4f7be8deaae5ffae4be086f958656c7a3645eb977df059f44e975
Instruction ID: 2bb2124f3408417cacaab87f7974d43fdc1ced6e54dd9e3e44e2c068e37398bd
Opcode Fuzzy Hash: cb476f6742f4f7be8deaae5ffae4be086f958656c7a3645eb977df059f44e975
Instruction Fuzzy Hash: 5A41E7B1408B818ED321CF79C885B87FBE4BB65714F548D1EE1EA83251CB786148CBA2

Function 20443240 Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

#314.MFC80U(00000000,A1C94593), ref: 20443278
#2310.MFC80U(?,00000161,00000004), ref: 204432AA
#4026.MFC80U(0000015E), ref: 204432BD
#5149.MFC80U(00000000), ref: 204432C7
#5149.MFC80U(00000000), ref: 204432D4

Part of subcall function 2042E670: #6751.MFC80U(00000000,?,2042E5B8,00000000,A1C94593), ref: 2042E688

#6751.MFC80U(00000000,?), ref: 2044332A

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #5149#6751$#2310#314#4026
String ID:
API String ID: 1935839213-0
Opcode ID: a839281dc79383c955cb29c32a29cefc9a3d5eff2f851f3a21d5c4233857ed16
Instruction ID: 95da39ba3c92a4bc929dfcd721f6019bdc6ab8c86110e5e0e6207edb284bf60f
Opcode Fuzzy Hash: a839281dc79383c955cb29c32a29cefc9a3d5eff2f851f3a21d5c4233857ed16
Instruction Fuzzy Hash: 7B31BF726087009BE700CF54DC85B5ABBE4FB94B2AF00C62DFA519B3D0EB399904CB95

Function 20438630 Relevance: 9.1, APIs: 6, Instructions: 80COMMON

Download Yara Rule

APIs

#5829.MFC80U ref: 20438653
#3342.MFC80U ref: 2043866B
GetScrollPos.USER32(?,00000002), ref: 20438679
GetClientRect.USER32(?,?), ref: 204386CB
#6061.MFC80U(00000000,?,00000003,00000000,00000000,00000015), ref: 204386E8
#5053.MFC80U(?,?,?,00000000,?,00000003,00000000,00000000,00000015), ref: 204386FF

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #3342#5053#5829#6061ClientRectScroll
String ID:
API String ID: 3428498704-0
Opcode ID: 510ea35aade66fe04555974c49d38585692205ebdea659769a8c91a3b845935b
Instruction ID: faa25bfa3efe4b003f9fa37e8d05ddedd5c73f56c3e317c5f132f19a95779bc4
Opcode Fuzzy Hash: 510ea35aade66fe04555974c49d38585692205ebdea659769a8c91a3b845935b
Instruction Fuzzy Hash: 4121C772204700AFD314DF65CC86F6AB7AABBC8718F20C61DF95597690EE78AD018752

Function 2042F940 Relevance: 9.1, APIs: 6, Instructions: 64COMMON

Download Yara Rule

APIs

#310.MFC80U(A1C94593,?,?), ref: 2042F969
#776.MFC80U(?,?,?), ref: 2042F981
#1176.MFC80U(?,?), ref: 2042F99D
#774.MFC80U(?,?,?), ref: 2042F9BA
#3756.MFC80U(?), ref: 2042F9E1
#578.MFC80U(00000000,?), ref: 2042F9FF

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #1176#310#3756#578#774#776
String ID:
API String ID: 1501068398-0
Opcode ID: 91aa2c8e6c1f7e646a1858a9b7e0583eb1c2fc4c340d20cd71adb63df5d13810
Instruction ID: 534fe2c38459ee26a4300b236243343f8cf4d76be2ead2851599a08232dda2c4
Opcode Fuzzy Hash: 91aa2c8e6c1f7e646a1858a9b7e0583eb1c2fc4c340d20cd71adb63df5d13810
Instruction Fuzzy Hash: 4A214F71508B419FC714DF58D880B4AB7E4FF98728F108B2DF866933A1DB38A909CB91

Function 2040C930 Relevance: 9.1, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

#764.MFC80U(?,A1C94593,?,?,2047BB2C,000000FF,2040E34E,?,?,?,?,20464AC2,?,?,?,?), ref: 2040C964
#764.MFC80U(?,A1C94593,?,?,2047BB2C,000000FF,2040E34E,?,?,?,?,20464AC2,?,?,?,?), ref: 2040C974
#764.MFC80U(?,A1C94593,?,?,2047BB2C,000000FF,2040E34E,?,?,?,?,20464AC2,?,?,?,?), ref: 2040C990
#764.MFC80U(?,A1C94593,?,?,2047BB2C,000000FF,2040E34E,?,?,?,?,20464AC2,?,?,?,?), ref: 2040C9AC
#764.MFC80U(?,A1C94593,?,?,2047BB2C,000000FF,2040E34E,?,?,?,?,20464AC2,?,?,?,?), ref: 2040C9C8
#764.MFC80U(?,A1C94593,?,?,2047BB2C,000000FF,2040E34E,?,?,?,?,20464AC2,?,?,?,?), ref: 2040C9E7

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764
String ID:
API String ID: 441403673-0
Opcode ID: 2b07dee99d85256ead5c4b3a1e0c4762968547d79fd58e5faf9f8336b2089ed3
Instruction ID: f65c931a0d252e298a1c7162bb7c7cfd43a9f6234d6beb007c26361baf17acd5
Opcode Fuzzy Hash: 2b07dee99d85256ead5c4b3a1e0c4762968547d79fd58e5faf9f8336b2089ed3
Instruction Fuzzy Hash: 0B216DF19047808BD721DFA48841B57B7E8AF10A18F40CE2DE89997790E37DE608CBD2

Function 20464070 Relevance: 9.1, APIs: 6, Instructions: 61COMMON

Download Yara Rule

APIs

#764.MFC80U(?,?,20462A82,?,?,00000000,?,?), ref: 2046407B
#764.MFC80U(?,?,20462A82,?,?,00000000,?,?), ref: 20464094
#764.MFC80U(?,?,20462A82,?,?,00000000,?,?), ref: 204640B3
#764.MFC80U(?,?,20462A82,?,?,00000000,?,?), ref: 204640D8
#764.MFC80U(?,?,20462A82,?,?,00000000,?,?), ref: 204640FD
#764.MFC80U(?,?,20462A82,?,?,00000000,?,?), ref: 20464122

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764
String ID:
API String ID: 441403673-0
Opcode ID: 21bc7dc6c0a5576b8b1e108272b6e18468e01767883acd5b2ffdba6672f1f9ac
Instruction ID: e585b21587b3ce3f0501f9cf68ed5c0128c1d7ad264244d93a85d520306c797b
Opcode Fuzzy Hash: 21bc7dc6c0a5576b8b1e108272b6e18468e01767883acd5b2ffdba6672f1f9ac
Instruction Fuzzy Hash: 232194F1901B108BD6219FAA9841B97F6F9AFA0600F548D1EE1AED3224E779B4448F51

Function 20460050 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

#1921.MFC80U(A1C94593,00000000,?,?,?,00000000,2047DB16,000000FF,20470C33,A1C94593,-00003AB4,?,00000000,2047F476,000000FF,2046254B), ref: 20460090
#1921.MFC80U(A1C94593,00000000,?,?,?,00000000,2047DB16,000000FF,20470C33,A1C94593,-00003AB4,?,00000000,2047F476,000000FF,2046254B), ref: 2046009D

Part of subcall function 20431180: DestroyCursor.USER32(?), ref: 204311C1
Part of subcall function 20431180: #764.MFC80U(?,?,?,?,?,A1C94593,?,?,00000000,2047CC2F,000000FF,20472809), ref: 20431225
Part of subcall function 20431180: #745.MFC80U(?,?,?,?,A1C94593,?,?,00000000,2047CC2F,000000FF,20472809), ref: 20431235
Part of subcall function 20431180: #578.MFC80U(?,?,?,?,A1C94593,?,?,00000000,2047CC2F,000000FF,20472809), ref: 20431242
Part of subcall function 20431180: #745.MFC80U ref: 20431250
Part of subcall function 20431180: #578.MFC80U ref: 2043125D
Part of subcall function 20431180: #741.MFC80U ref: 2043126D

Part of subcall function 2045D000: free.MSVCR80 ref: 2045D058
Part of subcall function 2045D000: #6003.MFC80U(00000000,000000FF,A1C94593,?,?,?,?,00000000,204798FB,000000FF,2045D691,?,?,?,00000000,2047A52C), ref: 2045D06E
Part of subcall function 2045D000: #722.MFC80U(00000000,000000FF,A1C94593,?,?,?,?,00000000,204798FB,000000FF,2045D691,?,?,?,00000000,2047A52C), ref: 2045D07D

#651.MFC80U(A1C94593,00000000,?,?,?,00000000,2047DB16,000000FF,20470C33,A1C94593,-00003AB4,?,00000000,2047F476,000000FF,2046254B), ref: 204600D9
#651.MFC80U(A1C94593,00000000,?,?,?,00000000,2047DB16,000000FF,20470C33,A1C94593,-00003AB4,?,00000000,2047F476,000000FF,2046254B), ref: 204600E5
#658.MFC80U(A1C94593,00000000,?,?,?,00000000,2047DB16,000000FF,20470C33,A1C94593,-00003AB4,?,00000000,2047F476,000000FF,2046254B), ref: 204600F5
#718.MFC80U(?,00000004,00000002,6C8560B9,A1C94593,00000000,?,?,?,00000000,2047DB16,000000FF,20470C33,A1C94593,-00003AB4,?), ref: 2046011F

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #1921#578#651#745$#6003#658#718#722#741#764CursorDestroyfree
String ID:
API String ID: 2094964046-0
Opcode ID: 45e935d5c378266e553fa27c6ea45fee95c4babfb8c822c790624cf8745d6752
Instruction ID: 97fa06e62d3a3789af2fe61a12c763a3e0c8e09cd1a0fd74276bfca5eb1cd016
Opcode Fuzzy Hash: 45e935d5c378266e553fa27c6ea45fee95c4babfb8c822c790624cf8745d6752
Instruction Fuzzy Hash: EB21C2701487818ED315DF65C851BABBBE4EBA4718F40C91DF0A647291CB7D690DCFA2

Function 2044A5F0 Relevance: 9.1, APIs: 6, Instructions: 60timeCOMMON

Download Yara Rule

APIs

#310.MFC80U(A1C94593), ref: 2044A62B
FileTimeToSystemTime.KERNEL32(?,?), ref: 2044A64D
GetDateFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000100), ref: 2044A66F
#2310.MFC80U(?,?,?), ref: 2044A68B
#896.MFC80U(?), ref: 2044A69C
#578.MFC80U ref: 2044A6B1

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: Time$#2310#310#578#896DateFileFormatSystem
String ID:
API String ID: 1214211288-0
Opcode ID: 6ed68abcd28ce48f2fbeb676e58b4509ff3b508b12a135595b734adc215a4cd3
Instruction ID: 05188214ffbfdb47170fc93420c0872eb3a8fe3c16bd2a1318f7243c7ef8323f
Opcode Fuzzy Hash: 6ed68abcd28ce48f2fbeb676e58b4509ff3b508b12a135595b734adc215a4cd3
Instruction Fuzzy Hash: A62142B1108741AFD324DF64CC89FAAB7E4FB88715F00892DF196862E0EF789544DB52

Function 20417A70 Relevance: 9.1, APIs: 6, Instructions: 58COMMON

Download Yara Rule

APIs

#764.MFC80U(?,75A85540,2044717A), ref: 20417A7B
#764.MFC80U(?,75A85540,2044717A), ref: 20417A97
#764.MFC80U(?,75A85540,2044717A), ref: 20417AB9
#764.MFC80U(?,75A85540,2044717A), ref: 20417AD2
#764.MFC80U(?,75A85540,2044717A), ref: 20417AEB
#764.MFC80U(?,75A85540,2044717A), ref: 20417B07

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764
String ID:
API String ID: 441403673-0
Opcode ID: e27f454289218852687a0a50fc370cd0d11d2e5be6741b802adb9106cb9d2f23
Instruction ID: d6b260b91b2afa18662dcd0aa496fce44bf5087fc199903c461d7b48f04e172e
Opcode Fuzzy Hash: e27f454289218852687a0a50fc370cd0d11d2e5be6741b802adb9106cb9d2f23
Instruction Fuzzy Hash: 7011B6F0D01B508BD621DF6A9841A57F7F9BFA0604F548D1EE19AC3A20D3B9F5448F41

Function 20462140 Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

#1894.MFC80U ref: 2046214E
#2651.MFC80U(000003F0), ref: 2046215A
GetWindowRect.USER32(?,?), ref: 20462174
GetWindowRect.USER32(?,?), ref: 2046217F
#5609.MFC80U(?), ref: 20462188
#4119.MFC80U(?,?,?,?,00000001,?), ref: 204621C7

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: RectWindow$#1894#2651#4119#5609
String ID:
API String ID: 3214300710-0
Opcode ID: 1e99c9a13bc6be8278a85a2e538068f55881aa7fabc93538300013c71da43b19
Instruction ID: a0c356166229a589cb426dd41d67ea829bd0afa39bcfa3783ce831c5abca2097
Opcode Fuzzy Hash: 1e99c9a13bc6be8278a85a2e538068f55881aa7fabc93538300013c71da43b19
Instruction Fuzzy Hash: D91194712087025FC204DFA9C880D6FB7E8FBD9614F008A1DB98593250DA38ED05CB91

Function 2043BAC0 Relevance: 9.1, APIs: 6, Instructions: 55COMMON

Download Yara Rule

APIs

GetCurrentObject.GDI32(?,00000006), ref: 2043BAF1
GetObjectW.GDI32(00000000,0000005C,?), ref: 2043BB01
CreateFontIndirectW.GDI32(?), ref: 2043BB0C
SelectObject.GDI32(?,00000000), ref: 2043BB14

Part of subcall function 2043B8A0: GetTextMetricsW.GDI32(?,?), ref: 2043B8B1
Part of subcall function 2043B8A0: GetTextExtentPoint32W.GDI32(?,2048B8C8,00000001,?), ref: 2043B8C4
Part of subcall function 2043B8A0: memset.MSVCR80 ref: 2043B8D3

SelectObject.GDI32(?,00000000), ref: 2043BB3C
DeleteObject.GDI32(00000000), ref: 2043BB43

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: Object$SelectText$CreateCurrentDeleteExtentFontIndirectMetricsPoint32memset
String ID:
API String ID: 2269657172-0
Opcode ID: 8d39f8bf82fdabb041275fa10538bb64814c54a3a0a6bb52cd58f27b94c9564d
Instruction ID: c0e3721598ee792724bbe563eaaf6ce25a994d6c8023372eb2cb07eff0f08ebf
Opcode Fuzzy Hash: 8d39f8bf82fdabb041275fa10538bb64814c54a3a0a6bb52cd58f27b94c9564d
Instruction Fuzzy Hash: 321130B5508705AFD310EFA48C89A7BB7ACFB89606F108C1CFB5592255DE7998048BA2

Function 204384A0 Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 204384B3
GetWindowRect.USER32(?,?), ref: 204384C2
GetDC.USER32(?), ref: 204384D4
#2361.MFC80U(00000000), ref: 204384DB
GetTextExtentPoint32W.GDI32(00000000,2048B8C8,00000001,00000000), ref: 204384F6
ReleaseDC.USER32(?,?), ref: 20438504

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: Rect$#2361EmptyExtentPoint32ReleaseTextWindow
String ID:
API String ID: 1840419848-0
Opcode ID: a581caf8df79517cd945ad324e0a4fd0f37ce596f542015ce5c6ca5b8c9c3f65
Instruction ID: 496008046cc68aad03aa913379702d96c16767321fb24cf3775948f9e0ec9cee
Opcode Fuzzy Hash: a581caf8df79517cd945ad324e0a4fd0f37ce596f542015ce5c6ca5b8c9c3f65
Instruction Fuzzy Hash: 3D017072204705AFC714DFA8CC89867BBECFB88219B00CA1DF98587644DA74E809CBA1

Function 20422D00 Relevance: 9.0, APIs: 6, Instructions: 35COMMON

Download Yara Rule

APIs

#656.MFC80U(A1C94593,?,?,2047B7F8,000000FF,20428343,?), ref: 20422D33
#656.MFC80U(A1C94593,?,?,2047B7F8,000000FF,20428343,?), ref: 20422D43
#741.MFC80U(A1C94593,?,?,2047B7F8,000000FF,20428343,?), ref: 20422D53
#741.MFC80U(A1C94593,?,?,2047B7F8,000000FF,20428343,?), ref: 20422D63
#587.MFC80U(A1C94593,?,?,2047B7F8,000000FF,20428343,?), ref: 20422D73
#605.MFC80U(A1C94593,?,?,2047B7F8,000000FF,20428343,?), ref: 20422D82

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #656#741$#587#605
String ID:
API String ID: 2045721391-0
Opcode ID: e2b5862769a4427eae46f48d823d9ee51c2a6fd6aec84f59f66b854840967707
Instruction ID: 9f5cefbeefa0941ab7df07d9c822c4b112fbf010f8018cdb454d69d8254480c9
Opcode Fuzzy Hash: e2b5862769a4427eae46f48d823d9ee51c2a6fd6aec84f59f66b854840967707
Instruction Fuzzy Hash: 67015A710087818BC315CF24C855BEABBF4FB65728F80CE1DE0E6936A0DB786609C796

Function 20439B10 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 219fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 20439B96
memset.MSVCR80 ref: 20439BEA
CloseHandle.KERNEL32(?,?,?,00000200,?,?,?,?,?), ref: 20439DE8

Strings

$, xrefs: 20439D4B
0, xrefs: 20439C3E

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: CloseCreateFileHandlememset
String ID: $$0
API String ID: 2300874326-389342756
Opcode ID: 057662e644b0b9a3d99144212f4c6014112c615fb078cfd1729006145fb7cb57
Instruction ID: 04d4c340668600435f704b31e0fa8d8e5d729e4efcc25c61fd6eacbfdca0a0c7
Opcode Fuzzy Hash: 057662e644b0b9a3d99144212f4c6014112c615fb078cfd1729006145fb7cb57
Instruction Fuzzy Hash: 4191F8B15083419FD350DF64C885BABBBE9BBC8744F10892DF999C7290EB78D944CB52

Function 2043B500 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

APIs

GetTextExtentPoint32W.GDI32(?,2048B8C8,00000001,?), ref: 2043B5F8
GetTextMetricsW.GDI32(?,?), ref: 2043B633
GetTextExtentPoint32W.GDI32(?,?,?,?), ref: 2043B673
DrawTextW.USER32(?,?,?,?,00008020), ref: 2043B6CC

Strings

, xrefs: 2043B6E9

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: Text$ExtentPoint32$DrawMetrics
String ID:
API String ID: 7047841-3916222277
Opcode ID: a6e062c6499c17f33c23375c66fc969aad25fadcdc9bef878475d3043f4a74b2
Instruction ID: cd33e530e8e5d1403df619d4bd40830191e19536f182b1d6df7ce893f6c7a7bf
Opcode Fuzzy Hash: a6e062c6499c17f33c23375c66fc969aad25fadcdc9bef878475d3043f4a74b2
Instruction Fuzzy Hash: 288125756047018BC764DF68C981AABB7F1FF88204F509A1DE5CA83B51EB34E949CB92

Function 20455710 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 150windowCOMMON

Download Yara Rule

APIs

#314.MFC80U(00000000,A1C94593), ref: 2045574E
SendMessageW.USER32(?,00001009,00000000,00000000), ref: 204558D9
#6232.MFC80U(00000000,?), ref: 204558F0
#6751.MFC80U(00000000,?,00000000,?), ref: 20455922

Strings

DetectAppChanging, xrefs: 2045579C, 2045584F, 2045586E

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #314#6232#6751MessageSend
String ID: DetectAppChanging
API String ID: 4076680601-2516610685
Opcode ID: dd83c7099006d640d4028cd5ef4313dbfd9bec513ddbd34065a42c64c41d866c
Instruction ID: 01685508ceafbcd4e3093f46b1938b49ce02c36cf81fe32ffcfde260fc9db048
Opcode Fuzzy Hash: dd83c7099006d640d4028cd5ef4313dbfd9bec513ddbd34065a42c64c41d866c
Instruction Fuzzy Hash: 525183715087419FC314DFA4C8D0BAAFBE5BFA4718F508B2DF19897290C778A958CB92

Function 20442E30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 2043CFE0: wcscpy_s.MSVCR80 ref: 2043D00F
Part of subcall function 2043CFE0: wcscpy_s.MSVCR80 ref: 2043D065
Part of subcall function 2043CFE0: wcscpy_s.MSVCR80 ref: 2043D0A5
Part of subcall function 2043CFE0: wcscpy_s.MSVCR80 ref: 2043D101

EnterCriticalSection.KERNEL32(?), ref: 20442E95
swprintf_s.MSVCR80 ref: 20442EB4
swprintf_s.MSVCR80 ref: 20442F3F

Part of subcall function 2043C6E0: free.MSVCR80 ref: 2043C71E

LeaveCriticalSection.KERNEL32(?), ref: 20442FAE

Strings

NODE;NAME=%s;TYPE=SUBNODE, xrefs: 20442EA5, 20442F30

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: wcscpy_s$CriticalSectionswprintf_s$EnterLeavefree
String ID: NODE;NAME=%s;TYPE=SUBNODE
API String ID: 1679566870-1146357381
Opcode ID: 300c08941aa98cdd12e71b9335bfd12ee22951b283c6f9c713b90c7db156eaf8
Instruction ID: f148fae018eb77c923de99daf751580223cfb0c657fecf375db81c05a93d6ced
Opcode Fuzzy Hash: 300c08941aa98cdd12e71b9335bfd12ee22951b283c6f9c713b90c7db156eaf8
Instruction Fuzzy Hash: 8841C7706087015FE314DFA4C981B6BB7E59FA8608F90882CFE8983341DA7DE94DD792

Function 2041E0F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

_snwprintf_s.MSVCR80 ref: 2041E145
_snwprintf_s.MSVCR80 ref: 2041E179
#1176.MFC80U(?,00000000,IP_RANGE,2041F192,?,?), ref: 2041E1A0

Strings

IP_RANGE, xrefs: 2041E0F2
%d.%d.%d.%d, xrefs: 2041E13B, 2041E16F

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: _snwprintf_s$#1176
String ID: %d.%d.%d.%d$IP_RANGE
API String ID: 2565221431-1721630847
Opcode ID: 49220e3e8c8959c2477940a03975da61ffd8b4cd5e5257e2152aac5567fa5f25
Instruction ID: 8c70e820a42cc0ef8199f5320f7b48e118a5ff02f37061a88ee0ced0dda78f7a
Opcode Fuzzy Hash: 49220e3e8c8959c2477940a03975da61ffd8b4cd5e5257e2152aac5567fa5f25
Instruction Fuzzy Hash: E321F375008654AFD3248B968C80F37F7E9AFC9704F09CA8DF9A807292D639F9449B20

Function 2041E1B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

_snwprintf_s.MSVCR80 ref: 2041E205
_snwprintf_s.MSVCR80 ref: 2041E239
#1176.MFC80U(?,00000000,IP_RANGE,?,00000000,IP_RANGE,2041F192,?,?), ref: 2041E260

Strings

IP_RANGE, xrefs: 2041E1B2
%d.%d.%d.%d, xrefs: 2041E1FB, 2041E22F

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: _snwprintf_s$#1176
String ID: %d.%d.%d.%d$IP_RANGE
API String ID: 2565221431-1721630847
Opcode ID: 009708743ea9818ec7ad0d2cc6a41fbe2433ea119526d0ec921832998b0044b0
Instruction ID: 61b2732691e54731793042617214c6e827681a1db8e85d9a3db6ce66c5009b46
Opcode Fuzzy Hash: 009708743ea9818ec7ad0d2cc6a41fbe2433ea119526d0ec921832998b0044b0
Instruction Fuzzy Hash: 962120340096549ED3648B96CD90E33F7F9ABCAB04F09C98DF8A4472A2D238F9449B20

Function 20442D80 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(APPDATA,00000000,00000000,?,?,00000074,204411DB,?,00000000), ref: 20442D9A
malloc.MSVCR80 ref: 20442DAF

Strings

APPDATA, xrefs: 20442D8D, 20442DCE

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: EnvironmentVariablemalloc
String ID: APPDATA
API String ID: 1015899132-4054820676
Opcode ID: e5ed7cc41b6f1eeb17cad5362a1277d3937bd62b615e593f88bc3bc90783f534
Instruction ID: 399d6329eac5c24fb3c80049560c3f0fde6e9d094a0bf09a4978420cbd522793
Opcode Fuzzy Hash: e5ed7cc41b6f1eeb17cad5362a1277d3937bd62b615e593f88bc3bc90783f534
Instruction Fuzzy Hash: 8311BFB26057026AE310DF85DC84B67B398FBC4756F10892EFA4186240EB79E918C7A6

Function 204390C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

wcschr.MSVCR80 ref: 204390E9
wcschr.MSVCR80 ref: 204390FF
swscanf_s.MSVCR80 ref: 20439119
wcscspn.MSVCR80 ref: 20439141

Strings

;,, xrefs: 204390E4, 204390FA, 2043913B

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: wcschr$swscanf_swcscspn
String ID: ;,
API String ID: 372877846-2160969846
Opcode ID: 115a5b567d316050a3f747767341e443d573e0f1640489c73d189da7d107d0af
Instruction ID: 83b26625e96d8970be58b0dd86d482f679ae9785e3e383a395c437aaa651944f
Opcode Fuzzy Hash: 115a5b567d316050a3f747767341e443d573e0f1640489c73d189da7d107d0af
Instruction Fuzzy Hash: 2811E771601213A6EB108F94DC8456773E4FF80266F10DD2DFD51A3240F77D9D5587A1

Function 2045F970 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 2045F989
ScreenToClient.USER32(?,00000000), ref: 2045F99B
#3793.MFC80U(00000000,?,?), ref: 2045F9B6
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 2045F9D5

Strings

F, xrefs: 2045F9BB

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #3793ClientCursorMessageScreenSend
String ID: F
API String ID: 2192606099-1304234792
Opcode ID: c1b02fb2e73d36783ef106c15e9ce598c6b04e6ea6825887fd932bac7e8e4ee9
Instruction ID: 80928f24070fcba48f7bac73c9c1762405fb736f405f160aeaa39f66132af33b
Opcode Fuzzy Hash: c1b02fb2e73d36783ef106c15e9ce598c6b04e6ea6825887fd932bac7e8e4ee9
Instruction Fuzzy Hash: AEF081B5508705BBC304DB64CC89FA7BBECEB88715F00CA1EB99983190EB74A804C792

Function 2045CF00 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 2045CF19
ScreenToClient.USER32(?,00000000), ref: 2045CF2B
#3793.MFC80U(00000000,?,?), ref: 2045CF46
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 2045CF65

Strings

F, xrefs: 2045CF4B

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #3793ClientCursorMessageScreenSend
String ID: F
API String ID: 2192606099-1304234792
Opcode ID: d3287485287acd700b6024ef1f140c52c484e9c25ee022c7e01d1cd40f9d1640
Instruction ID: f69385dd0af284a01ae3ba057e28231b8480156d648f90a51f256bc835e075d5
Opcode Fuzzy Hash: d3287485287acd700b6024ef1f140c52c484e9c25ee022c7e01d1cd40f9d1640
Instruction Fuzzy Hash: E6F0A4B6508705BFC304DB64CC85FD7BBECDB88715F00C91DB99983290EA74A904D791

Function 2044D900 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

#3990.MFC80U(?,00000039,A1C94593,?,00000000,20479989,000000FF,2044D616), ref: 2044D92A
#774.MFC80U(00000000,?,00000000,20479989,000000FF,2044D616), ref: 2044D93B
#578.MFC80U(?,00000000,20479989,000000FF,2044D616), ref: 2044D94D
#1236.MFC80U(...,?,00000000,20479989,000000FF,2044D616), ref: 2044D95A

Strings

..., xrefs: 2044D953

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #1236#3990#578#774
String ID: ...
API String ID: 899038673-440645147
Opcode ID: 28ee0e0e95ed9453771ffe66ed81ba7c4483bbcdf2d3f5ce2050e615fe0b29e5
Instruction ID: 5373712dfce97079d76891927ad7678fd32071b7dc647f24b25153347c72ce09
Opcode Fuzzy Hash: 28ee0e0e95ed9453771ffe66ed81ba7c4483bbcdf2d3f5ce2050e615fe0b29e5
Instruction Fuzzy Hash: DDF06DB5108A40EFD305DF04CD84B2ABBE8FB88B25F008E2CF456823E0DB3C5A04CA42

Function 2042F360 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

wcsstr.MSVCR80 ref: 2042F515

Strings

TiH , xrefs: 2042F4F0
DELETE, xrefs: 2042F4DC
0, xrefs: 2042F544
DELETE=1, xrefs: 2042F509

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: wcsstr
String ID: 0$DELETE$DELETE=1$TiH
API String ID: 2735924446-925229115
Opcode ID: 68c5d955a3c88ee057bc51f0b690206c4601981c66816eccda9a2ea4ed6d696d
Instruction ID: 36bfe8ecc8532c90e75d599914e160e591052902f4073c0fc9fa8b5ab0026c70
Opcode Fuzzy Hash: 68c5d955a3c88ee057bc51f0b690206c4601981c66816eccda9a2ea4ed6d696d
Instruction Fuzzy Hash: CD91A4B1A006149FCB10CF98EC80B9AB7B4EF54314F8482EDEA05A7352D7789E85CF55

Function 2042F000 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 214COMMON

Download Yara Rule

APIs

Part of subcall function 20404CB0: wcscpy_s.MSVCR80 ref: 20404CD7

Part of subcall function 20404CB0: wcsncpy_s.MSVCR80 ref: 20404CEA

wcsstr.MSVCR80 ref: 2042F1A7

Strings

0, xrefs: 2042F1C7
DELETE, xrefs: 2042F168
TiH , xrefs: 2042F17C
DELETE=1, xrefs: 2042F19B

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: wcscpy_swcsncpy_swcsstr
String ID: 0$DELETE$DELETE=1$TiH
API String ID: 311962889-925229115
Opcode ID: 6de001f378f2d674e41ac09f3baf5954175bde3fd077e12621cfe321a923b03b
Instruction ID: c816f1638251860e255fec58d209106db8c5ff8e578f00fddaf8b93408f4d45d
Opcode Fuzzy Hash: 6de001f378f2d674e41ac09f3baf5954175bde3fd077e12621cfe321a923b03b
Instruction Fuzzy Hash: E99182B5A00619DFCB20CF94DD80B99B7B5BF88204F9482E9EA0967341D734AF45CF65

Function 20463ED0 Relevance: 7.6, APIs: 5, Instructions: 137COMMON

Download Yara Rule

APIs

#1176.MFC80U(A1C94593,-00003A6C,-00003AB4,?,?,2047F4A8,000000FF,2044F9B2,-00003AB4,?), ref: 20463F8E
#764.MFC80U(?), ref: 20463FCA
#764.MFC80U(?), ref: 20463FDB
#764.MFC80U(?), ref: 20463FEC
#764.MFC80U(?), ref: 20463FFD

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764$#1176
String ID:
API String ID: 987861311-0
Opcode ID: 14f07787d7d781585720ef2c76eb071abde77c01d8e2852b6f52fc6dd90be62f
Instruction ID: a98070125c487795d5e1c1e41b76c1b437769026aba7d230c424ffc06d12d48c
Opcode Fuzzy Hash: 14f07787d7d781585720ef2c76eb071abde77c01d8e2852b6f52fc6dd90be62f
Instruction Fuzzy Hash: 2E419E71A043459BC714DFA8C8C0B9AB3F5AFA5A48F40C92CF92487255F739EA09CB91

Function 2046C590 Relevance: 7.6, APIs: 5, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 2042D280: #354.MFC80U(00000097,20428001,A1C94593,20428001,000000FF,20479D18,000000FF,20422C46,20428001,000000FF,A1C94593,?,?,?,2047B870,000000FF), ref: 2042D2AD

#416.MFC80U(?,?,A1C94593,00000000,?,?,2047D8E4,000000FF,20462057,?,00000000,00000000,00000000,00000000,0000015E,00000000), ref: 2046C5D8

Part of subcall function 2045CF80: #530.MFC80U(A1C94593,00000222,000000FF,00000000,2047A55B,000000FF,2045D5C1,000001EB,00000193,000000FF,?,A1C94593,?,?,?,2047BED4), ref: 2045CFB1
Part of subcall function 2045CF80: #6003.MFC80U(00000000,000000FF,A1C94593,00000222,000000FF,00000000,2047A55B,000000FF,2045D5C1,000001EB,00000193,000000FF,?,A1C94593), ref: 2045CFCD

Part of subcall function 20423810: #572.MFC80U(A1C94593,20428001,00000000,2047A038,000000FF,20422C5E,20428085,20428001,000000FF,A1C94593,?,?,?,2047B870,000000FF,20428001), ref: 20423837

#563.MFC80U(?,?,?,?,A1C94593,00000000,?,?,2047D8E4,000000FF,20462057,?,00000000,00000000,00000000,00000000), ref: 2046C63B
#563.MFC80U(?,?,?,?,A1C94593,00000000,?,?,2047D8E4,000000FF,20462057,?,00000000,00000000,00000000,00000000), ref: 2046C64B

Part of subcall function 20430DC0: #310.MFC80U(?,A1C94593,00000000,?,00000000,?,2047AE6F,000000FF,20472632,?), ref: 20430DFC
Part of subcall function 20430DC0: #557.MFC80U ref: 20430E0A
Part of subcall function 20430DC0: #310.MFC80U ref: 20430E17
Part of subcall function 20430DC0: #557.MFC80U ref: 20430E25
Part of subcall function 20430DC0: LoadCursorW.USER32(00000000,00007F89), ref: 20430EA4
Part of subcall function 20430DC0: SetRectEmpty.USER32(?), ref: 20430F17

#1079.MFC80U(?,?,?,?,?,?,?,?,?,A1C94593,00000000,?,?,2047D8E4,000000FF,20462057), ref: 2046C6BE
LoadAcceleratorsW.USER32(?,0000008A), ref: 2046C6CC

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #310#557#563Load$#1079#354#416#530#572#6003AcceleratorsCursorEmptyRect
String ID:
API String ID: 117230559-0
Opcode ID: f28c4c780984babebea40927c8fc153bc9f58949aae5e3684a3fe37845274eea
Instruction ID: 8df188cfc0f7d2dff96fac6e1b3f3a4b29b502d6c609d554b63601a0c70ab361
Opcode Fuzzy Hash: f28c4c780984babebea40927c8fc153bc9f58949aae5e3684a3fe37845274eea
Instruction Fuzzy Hash: B6412B71509B808ED310CF74D544B9BFBE4AFA5B08F048E4DE4DA97251C778A508CBA3

Function 20431480 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

GetCurrentObject.GDI32(?,00000006), ref: 204314A2
GetObjectW.GDI32(00000000,0000005C,?), ref: 204314BA
CreateFontIndirectW.GDI32(?), ref: 20431543
SelectObject.GDI32(?,00000000), ref: 20431553
DeleteObject.GDI32(00000000), ref: 2043155A

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: Object$CreateCurrentDeleteFontIndirectSelect
String ID:
API String ID: 50039150-0
Opcode ID: 026ec79d7094d8a6f952af61633666c1d8a61d2f72d75d7ce869e004ac234820
Instruction ID: d9b3a9d93c16308a6b1df22556706bd8d4e25d073b5324bc4cf5619c2a00a30a
Opcode Fuzzy Hash: 026ec79d7094d8a6f952af61633666c1d8a61d2f72d75d7ce869e004ac234820
Instruction Fuzzy Hash: 8921043140C740ABC211CFA48954B6B7BD4AFDEB4CF20A91CFA8697361DB2CC9058793

Function 20443350 Relevance: 7.6, APIs: 5, Instructions: 78COMMON

Download Yara Rule

APIs

#314.MFC80U(00000000,A1C94593), ref: 20443383
#310.MFC80U(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,2047C8A1), ref: 204433DF
#4026.MFC80U(00000176), ref: 204433F3
#578.MFC80U(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,2047C8A1), ref: 2044340B

Part of subcall function 2042E670: #6751.MFC80U(00000000,?,2042E5B8,00000000,A1C94593), ref: 2042E688

#6751.MFC80U(00000000,?), ref: 2044345B

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #6751$#310#314#4026#578
String ID:
API String ID: 1182657103-0
Opcode ID: 919f7780caee2980bc3da968e62253433011368395cdbebddbc3a6bb4ace46c1
Instruction ID: d5c34774d3e3678e067be1a01ecc7778953f0c800ade90182d4a99d713b34071
Opcode Fuzzy Hash: 919f7780caee2980bc3da968e62253433011368395cdbebddbc3a6bb4ace46c1
Instruction Fuzzy Hash: B1318C316087419BD314CF54D884BAABBE0FBA4B29F10CB2DF8A5436E0DB399904CA46

Function 20439F10 Relevance: 7.6, APIs: 6, Instructions: 64COMMON

Download Yara Rule

APIs

free.MSVCR80 ref: 20439F3F
free.MSVCR80 ref: 20439F50
free.MSVCR80 ref: 20439F5D
free.MSVCR80 ref: 20439F7F
free.MSVCR80 ref: 20439F90
free.MSVCR80 ref: 20439F9D

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 040aff806755fcecff898535f29387a8eec72c5b727a23081639e353423ce75a
Instruction ID: cdf0b8556220d5f65de270d08de19bbd4e4139c6ff79a35e881a18613564584c
Opcode Fuzzy Hash: 040aff806755fcecff898535f29387a8eec72c5b727a23081639e353423ce75a
Instruction Fuzzy Hash: 1E114C716006108BD730DF95C880A5773F6AB88310F25997DDD4A87210D73DFD49DBA2

Function 2042D9C0 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

#3064.MFC80U(?,?,204478CD,?,?), ref: 2042D9C6
#6361.MFC80U(?,?,204478CD,?,?), ref: 2042D9F5
#3064.MFC80U(?,?,204478CD,?,?), ref: 2042DA06
memset.MSVCR80 ref: 2042DA1B
memset.MSVCR80 ref: 2042DA2E

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #3064memset$#6361
String ID:
API String ID: 4293083676-0
Opcode ID: b92684f67381bc14c3d4f75ce0dc2221cd5d245a442cc12f69b557ce1c2757f0
Instruction ID: 0702784574e55f6291f664e765b2f929f8af4fcd1af1c7acafbc4c6a93329a04
Opcode Fuzzy Hash: b92684f67381bc14c3d4f75ce0dc2221cd5d245a442cc12f69b557ce1c2757f0
Instruction Fuzzy Hash: 0A112670709B408BE720ABA4D825B9B77F27F60B08F11C41ED556572A0DBBDA4818791

Function 2041E000 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

#764.MFC80U(?,?,2046787F), ref: 2041E00B
#764.MFC80U(?,?,2046787F), ref: 2041E024
#764.MFC80U(?,?,2046787F), ref: 2041E03D
#764.MFC80U(?,?,2046787F), ref: 2041E056
#764.MFC80U(?,?,2046787F), ref: 2041E06F

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764
String ID:
API String ID: 441403673-0
Opcode ID: 5cdd4422dfb11c58f9158799d8e4986ffe300afca717e2e9f41fc0aaa154c452
Instruction ID: a45c504ce9664a0af5def6404d9244c2f5a598a96061cf544b85d7e9c55dab90
Opcode Fuzzy Hash: 5cdd4422dfb11c58f9158799d8e4986ffe300afca717e2e9f41fc0aaa154c452
Instruction Fuzzy Hash: 2511A8F1D01B108BC6719F5B9981817FBF9BFA46007949D1EE18AC2A20D3B9F4848F51

Function 204129C0 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

#764.MFC80U(00000000,?,00000001,?,?,20462D01), ref: 204129EE
#764.MFC80U(20462D01,?,00000001,?,?,20462D01), ref: 204129FE
#764.MFC80U(?,?,00000001,?,?,20462D01), ref: 20412A0E
#764.MFC80U(?,?,00000001,?,?,20462D01), ref: 20412A1E
#764.MFC80U(?,?,?,20462D01), ref: 20412A37

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764
String ID:
API String ID: 441403673-0
Opcode ID: 3601c3366580da7bba9342901ffdafa328c0f1da6d4fcc88da08de05a8ecddd4
Instruction ID: 3b3e0f5020365ef418d4e4a8d25d9515d89a794e690bf130ed1b31d4d5b1dce2
Opcode Fuzzy Hash: 3601c3366580da7bba9342901ffdafa328c0f1da6d4fcc88da08de05a8ecddd4
Instruction Fuzzy Hash: B8014CF2E007129BD6319EE49E41A57F3A86F10584B04C828E919E7600E63DF9A4CAE2

Function 204385B0 Relevance: 7.5, APIs: 5, Instructions: 45windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 204385CB
#2366.MFC80U(00000000), ref: 204385D2
#2648.MFC80U(00000000), ref: 204385F6
#2648.MFC80U(00000000), ref: 20438601
SendMessageW.USER32(?,0000004E,00000000,00000000), ref: 20438616

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2648$#2366MessageParentSend
String ID:
API String ID: 618804366-0
Opcode ID: cd4e2aa80283902dd658a5a69b0aa514c0ff9a341a78e5f375abb5c017dea3f9
Instruction ID: 6b27879f19521a8650714e7d031745b5b5e2419dbccdf476676730fdb6f9a243
Opcode Fuzzy Hash: cd4e2aa80283902dd658a5a69b0aa514c0ff9a341a78e5f375abb5c017dea3f9
Instruction Fuzzy Hash: 12011EB26043049BCB04DFA8C895A6BB7A9FB88714F10896DFD598B680DB75E904CB91

Function 2045A2F0 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

#310.MFC80U(A1C94593,?,?,00000000,20479929,000000FF,2045A0D6,00000000), ref: 2045A318
#6232.MFC80U(00000001), ref: 2045A32A
#4026.MFC80U(?,00000001), ref: 2045A357
#5803.MFC80U(000003FC,?,?,00000001), ref: 2045A369
#578.MFC80U(000003FC,?,?,00000001), ref: 2045A37A

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #310#4026#578#5803#6232
String ID:
API String ID: 1453617869-0
Opcode ID: f98708d631100de7f398db51057dde8a6b5c887a45a5df038a9467d1af8224b6
Instruction ID: 21f2922d4e9f85d5c6767d76ba903275e276ecd49b4a8d21b2b4aacec48a433f
Opcode Fuzzy Hash: f98708d631100de7f398db51057dde8a6b5c887a45a5df038a9467d1af8224b6
Instruction Fuzzy Hash: 86012D75108A01AFD314DF58DC94BABB7E4FB84719F108A2EF5A6477A0DF39A908CB41

Function 2045D630 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

#1921.MFC80U(A1C94593,?,?,?,00000000,2047A52C,000000FF,204560BC), ref: 2045D66F
DestroyAcceleratorTable.USER32(?), ref: 2045D67B

Part of subcall function 2045D000: free.MSVCR80 ref: 2045D058
Part of subcall function 2045D000: #6003.MFC80U(00000000,000000FF,A1C94593,?,?,?,?,00000000,204798FB,000000FF,2045D691,?,?,?,00000000,2047A52C), ref: 2045D06E
Part of subcall function 2045D000: #722.MFC80U(00000000,000000FF,A1C94593,?,?,?,?,00000000,204798FB,000000FF,2045D691,?,?,?,00000000,2047A52C), ref: 2045D07D

#658.MFC80U(?,?,?,00000000,2047A52C,000000FF,204560BC), ref: 2045D69C
#651.MFC80U(?,?,?,00000000,2047A52C,000000FF,204560BC), ref: 2045D6A8
#605.MFC80U(?,?,?,00000000,2047A52C,000000FF,204560BC), ref: 2045D6B7

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #1921#6003#605#651#658#722AcceleratorDestroyTablefree
String ID:
API String ID: 3189193943-0
Opcode ID: 074fffb333143394038fb696c20330bed956ab92d4bab4a04e213e4ffb927463
Instruction ID: 6615b9cedfd4d8d6a70bf06ef8f864a55d9fe342bd741bf547e0d738b5018bca
Opcode Fuzzy Hash: 074fffb333143394038fb696c20330bed956ab92d4bab4a04e213e4ffb927463
Instruction Fuzzy Hash: 6501A1701087808FD315CF28C895BAABBE4FB90618F50891DF096832A1DB786509CBD2

Function 20459450 Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

#310.MFC80U(A1C94593,00000000,A1C94593), ref: 20459477
#6232.MFC80U(00000001), ref: 204594A1
#4026.MFC80U(?,00000001), ref: 204594BA
#5803.MFC80U(00000413,?,00000001), ref: 204594CC
#578.MFC80U(00000413,?,00000001), ref: 204594DD

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #310#4026#578#5803#6232
String ID:
API String ID: 1453617869-0
Opcode ID: f86256a3efc04a42eacee18c2d2bea885fb2b4719f2c3ecb3668a5cd64f5898e
Instruction ID: 9bd44db928dee0b38f906c4aee4a3c82d3db633600cc66f3fe952941ce938208
Opcode Fuzzy Hash: f86256a3efc04a42eacee18c2d2bea885fb2b4719f2c3ecb3668a5cd64f5898e
Instruction Fuzzy Hash: 500157B5108A00ABD304DF54C985B9BBBE4FB84B18F008A1DF452966D0DB799908CB92

Function 20455940 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

#314.MFC80U(00000000,A1C94593), ref: 20455983
#6232.MFC80U(00000001,00000000,A1C94593), ref: 20455991
#6751.MFC80U(00000000,00000001), ref: 20455B32

Strings

DetectAppChanging, xrefs: 204559F0, 20455A2B

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #314#6232#6751
String ID: DetectAppChanging
API String ID: 2722654210-2516610685
Opcode ID: b7f6271265944db94faaadf3a698083846833aab4ebac0db9ee8707db7b2ab85
Instruction ID: 9ed9b2dda144238cdeb4c173259532dea9aa329e793ebb0550c710b0c65b3c42
Opcode Fuzzy Hash: b7f6271265944db94faaadf3a698083846833aab4ebac0db9ee8707db7b2ab85
Instruction Fuzzy Hash: C6517E715087418FC314CFA8C5D1AABFBE1FB94754F108A2EF29A87291D738E849CB12

Function 2043EAC0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

Part of subcall function 2043A150: free.MSVCR80 ref: 2043A164
Part of subcall function 2043A150: malloc.MSVCR80 ref: 2043A18A
Part of subcall function 2043A150: memcpy.MSVCR80(?,?,?), ref: 2043A1A9

EnterCriticalSection.KERNEL32(?,?,?,?,A1C94593), ref: 2043EB30
LeaveCriticalSection.KERNEL32(?,?,A1C94593), ref: 2043EBC2
#1176.MFC80U(?,A1C94593), ref: 2043EC2F

Strings

gfff, xrefs: 2043EB75

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: CriticalSection$#1176EnterLeavefreemallocmemcpy
String ID: gfff
API String ID: 4100045392-1553575800
Opcode ID: 64efc84ac7f6c0c395452fcad5ca3549b208dd17e4628c0b1fb12a9484cd8484
Instruction ID: bfe25518644de768d182e323753ab60f9fc9b9fc0b8f3c8177bbc63c303b0321
Opcode Fuzzy Hash: 64efc84ac7f6c0c395452fcad5ca3549b208dd17e4628c0b1fb12a9484cd8484
Instruction Fuzzy Hash: 2E41D0712087858FD705CFAAC880B8BB7E5AF88714F14CA1CE89687391D738F945CB91

Function 2043B2E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

<, xrefs: 2043B3AB

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: wcscpy_s
String ID: <
API String ID: 4009619764-3887346652
Opcode ID: e04a5b232591d9ffbf860a7328188433d2a46c3e7e538cd84ba0cecbcb35da20
Instruction ID: d6ccd733044bd11b1b099a1abc239f885c02b4958a0f254662bc588efb38c9b5
Opcode Fuzzy Hash: e04a5b232591d9ffbf860a7328188433d2a46c3e7e538cd84ba0cecbcb35da20
Instruction Fuzzy Hash: E33148B2A0423147CB183B5CEC8079A73F0DF95325F198169EF01DF38AE678AD4296D5

Function 20417ED0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

_snwprintf_s.MSVCR80 ref: 20417F25
_snwprintf_s.MSVCR80 ref: 20417F59
#1176.MFC80U(?,?,?,20413EEB,00000002,?), ref: 20417F80

Strings

%d.%d.%d.%d, xrefs: 20417F1B, 20417F4F

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: _snwprintf_s$#1176
String ID: %d.%d.%d.%d
API String ID: 2565221431-3491811756
Opcode ID: 1b96df800e304920a0115d2cb6ad1b36057cacb305216eed5eef70d8304d5a87
Instruction ID: e6bc5996723d5b37b73d512024ffb5d4e11874207e31cf63148c0156e5b1bce3
Opcode Fuzzy Hash: 1b96df800e304920a0115d2cb6ad1b36057cacb305216eed5eef70d8304d5a87
Instruction Fuzzy Hash: 2B2120311086509ED364CB95CC80E37F7F9ABC9608F09C88DF8A40B2A6D239F9468B20

Function 20472850 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

_snwprintf_s.MSVCR80 ref: 2047289A
_snwprintf_s.MSVCR80 ref: 204728BE
#2310.MFC80U(?,0000025D,?,?), ref: 204728D9

Strings

%d.%d.%d.%d, xrefs: 20472888, 204728B0

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: _snwprintf_s$#2310
String ID: %d.%d.%d.%d
API String ID: 921588996-3491811756
Opcode ID: 5fb0a209fa81a561125ac6c09dff1d6614aed634006b3f9d46bfa7fd8e06037a
Instruction ID: b1c32227e64822f16640b2784a13768f6d212c5f5b3873dce6694a974748ca9a
Opcode Fuzzy Hash: 5fb0a209fa81a561125ac6c09dff1d6614aed634006b3f9d46bfa7fd8e06037a
Instruction Fuzzy Hash: 7D1104B11083106BC304CB698C90EBBF7E9ABD8301F408E1EF9D1922D1D679E524DB72

Function 204062A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 20406540: wcscpy_s.MSVCR80 ref: 204066C2
Part of subcall function 20406540: wcschr.MSVCR80 ref: 204066EB

_snwprintf_s.MSVCR80 ref: 204062D8
wcschr.MSVCR80 ref: 20406304
_snwprintf_s.MSVCR80 ref: 20406322

Strings

%%%d, xrefs: 204062C9

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: _snwprintf_swcschr$wcscpy_s
String ID: %%%d
API String ID: 1759257516-704803261
Opcode ID: e7371da27c0bddc6dcdb050928b916e4e307d7d8195393fa1b92d13a1548eea4
Instruction ID: 522c5e4176b67f78ba8be082eb7b4f6369f96635ae9f8aa8f9e4ab9c953b70f6
Opcode Fuzzy Hash: e7371da27c0bddc6dcdb050928b916e4e307d7d8195393fa1b92d13a1548eea4
Instruction Fuzzy Hash: F2114C312006296BC714AF5C9D88D7F776AEB80315B458B3DFD51A32C4C725FD1986B0

Function 204061D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

_snwprintf_s.MSVCR80 ref: 20406202

Part of subcall function 20404CB0: wcscpy_s.MSVCR80 ref: 20404CD7

wcschr.MSVCR80 ref: 2040622D
_snwprintf_s.MSVCR80 ref: 20406247

Strings

%d.%d.%d.%d, xrefs: 204061F3

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: _snwprintf_s$wcschrwcscpy_s
String ID: %d.%d.%d.%d
API String ID: 584907567-3491811756
Opcode ID: cf1b214b1a40a5629e9223c01a41b2366a36f0f5e33a4f3ec048d969d7ad2733
Instruction ID: 62284f0cb5b1c6d56f04d6346a0236fee5cd40c6f8b159ead40cda12a97532b1
Opcode Fuzzy Hash: cf1b214b1a40a5629e9223c01a41b2366a36f0f5e33a4f3ec048d969d7ad2733
Instruction Fuzzy Hash: FF114C725046387787212F5D4D84CBF3BADDAC4725B44C619FE94672C4C5387E118BB4

Function 20440280 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 2042C340: #356.MFC80U(A1C94593,00000000,0000000B,?,000000FF,2047EBCB,000000FF,204402AC,0000000B,A1C94593,00000000,00000000,00000104,2047FA81,000000FF,20445D01), ref: 2042C369
Part of subcall function 2042C340: #310.MFC80U(A1C94593,00000000,0000000B,?,000000FF), ref: 2042C3B1
Part of subcall function 2042C340: #563.MFC80U(?,000000FF), ref: 2042C3C2

#6735.MFC80U ref: 204402E6

Part of subcall function 20424700: #572.MFC80U(A1C94593,000000FF,00000000,2047A038,000000FF,20425F90,0000017F,000000FF,2047B3D6,A1C94593,?,?,?,2047B3D6,000000FF,20428C79), ref: 20424727

#6735.MFC80U(20485878,0000011F), ref: 2044030D
#6735.MFC80U(20485878), ref: 20440323

Strings

4H , xrefs: 204402C3

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #6735$#310#356#563#572
String ID: 4H
API String ID: 3660135715-267674204
Opcode ID: 207525e7d9b9a88def6f2e2f9cce33c0383f00cf5ba607997c4762eb9fcf0969
Instruction ID: 363adbb328d852d6b09fcd62fbcb88f34514aa4ee2b8565f9c1794eb3b7c0308
Opcode Fuzzy Hash: 207525e7d9b9a88def6f2e2f9cce33c0383f00cf5ba607997c4762eb9fcf0969
Instruction Fuzzy Hash: 34212971409B419FD321CF64ED84BD7FBE4FB59714F408D2EE4A682280CB79A508CBA2

Function 2046C340 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

#6700.MFC80U(A1C94593,?,?,00000000,204798CA,000000FF,2046C1A8,?), ref: 2046C378
#299.MFC80U(00000000), ref: 2046C381
#1479.MFC80U(?,?,?,=15,=15), ref: 2046C3BD

Strings

=15, xrefs: 2046C38F, 2046C3B4, 2046C3B5

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #1479#299#6700
String ID: =15
API String ID: 3511267609-1125936192
Opcode ID: c2ae5ae8c1a9744f10e8017b7d8b9841f1a9731f14c805d3af0950f7fa2b947f
Instruction ID: 3c7a2e0f35e53a7bdeb6c56fc24520ac8421f4797ff936fc5c5ec81e778a25c9
Opcode Fuzzy Hash: c2ae5ae8c1a9744f10e8017b7d8b9841f1a9731f14c805d3af0950f7fa2b947f
Instruction Fuzzy Hash: 01018070108641AFD304CF48CC95B6BB7E8FB84718F04C91DF80687350EB79A9048B92

Function 2043BCE0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45registryCOMMON

Download Yara Rule

APIs

Part of subcall function 2043D210: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000008,-00000023,6C954B78,?), ref: 2043D266

RegCloseKey.ADVAPI32(?,-00000002,-00000002,?,2043C1B7), ref: 2043BD4F

Part of subcall function 2043D430: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,00000000,2043F01E,00000000,00000001,00000000), ref: 2043D466

Strings

ProductVersion, xrefs: 2043BD2A
4~H , xrefs: 2043BD20
Software\ESET\ESET Security\CurrentVersion\Info, xrefs: 2043BCED

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: 4~H $ProductVersion$Software\ESET\ESET Security\CurrentVersion\Info
API String ID: 3677997916-3933421762
Opcode ID: afc6a44b089bdcb016b5a6ef78c43ae4238845301192c1b7bdd1c23f2bd2b367
Instruction ID: 914dfda0ce83377511228f51b07b4ab881ac781a6ba4cd484d9ae1c21c81ffde
Opcode Fuzzy Hash: afc6a44b089bdcb016b5a6ef78c43ae4238845301192c1b7bdd1c23f2bd2b367
Instruction Fuzzy Hash: 60F0F6220442196AD3106BD5AC42F77B7ECDF15689F30D41DBA5486141EFBD9C5095E2

Function 2043BD60 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45registryCOMMON

Download Yara Rule

APIs

Part of subcall function 2043D210: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000008,-00000023,6C954B78,?), ref: 2043D266

RegCloseKey.ADVAPI32(?,-00000002,?,2043C0B9,00000105), ref: 2043BDCE

Part of subcall function 2043D430: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,00000000,2043F01E,00000000,00000001,00000000), ref: 2043D466

Strings

ProductName, xrefs: 2043BDAE
T~H , xrefs: 2043BDA0
Software\ESET\ESET Security\CurrentVersion\Info, xrefs: 2043BD6D

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: ProductName$Software\ESET\ESET Security\CurrentVersion\Info$T~H
API String ID: 3677997916-2656945498
Opcode ID: 1b30e3a84631aab0c4b7d4b110c5badaf1cd747ca1323e0ffffa4887a791e24d
Instruction ID: 65d34e742e52f4b2defbbd06fcf1642087ee4278305361be0e027dd8d7bc9dbd
Opcode Fuzzy Hash: 1b30e3a84631aab0c4b7d4b110c5badaf1cd747ca1323e0ffffa4887a791e24d
Instruction Fuzzy Hash: D3F0C262044319AAD310AFD0EC82F6BB7E8EF55648F20E81DBA4542541EB7C9C549692

Function 2043D740 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00000000,?,GIF,00000000,?,?,20472692,0000024F), ref: 2043D766
#1058.MFC80U(?,GIF), ref: 2043D77A
#1058.MFC80U(?,GIF,00000000,?,?,20472692,0000024F), ref: 2043D790

Strings

GIF, xrefs: 2043D763, 2043D778, 2043D78E

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #1058$FindResource
String ID: GIF
API String ID: 2438790252-881873598
Opcode ID: 9eb4c446ac0929af3a9cd147b67188f7ef94327fbaa61bebdc1786359fc39285
Instruction ID: a20db0469bcc12d11d5da9d1ad7551215c0c58e1f7aa44d32378eaca37f11d3e
Opcode Fuzzy Hash: 9eb4c446ac0929af3a9cd147b67188f7ef94327fbaa61bebdc1786359fc39285
Instruction Fuzzy Hash: E3F0A7729005297A81105BD9AC90A9F7B5EDA865ADB50C039FD4C82227F72DDC018FA1

Function 20439070 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,Function_00079081,20499408), ref: 20439080
LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,Function_00079081,20499408), ref: 20439091
GetProcAddress.KERNEL32(00000000,ImageList_Replace), ref: 204390AB

Strings

ImageList_Replace, xrefs: 204390A5

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: ImageList_Replace
API String ID: 310444273-3096891558
Opcode ID: 52852995afb5886327d2e362851438bf7aba3aee773e5fa7b5c832c119c7e6ea
Instruction ID: 64b91df37241fb0394471559f0806e23743298c2429490576642b568fbc93b1b
Opcode Fuzzy Hash: 52852995afb5886327d2e362851438bf7aba3aee773e5fa7b5c832c119c7e6ea
Instruction Fuzzy Hash: 31F07F75A05B019FC724CFA9D988B02BBF8BB48A15B10DC2DE5DAC3A11DB39E940DB00

Function 20435210 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,20435186,?,?), ref: 20435220
LoadLibraryW.KERNEL32(?), ref: 20435231
GetProcAddress.KERNEL32(00000000,ImageList_Add), ref: 2043524B

Strings

ImageList_Add, xrefs: 20435245

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: ImageList_Add
API String ID: 310444273-2139371048
Opcode ID: 059ce8af9f42aabfe0cd5e377f5a41b3970c0beea28853d1bbe08e662d45d612
Instruction ID: 61125b7eef0a31584287f038c8e0a1b67b7715f4f3ef1c4395f14a17ca5db06c
Opcode Fuzzy Hash: 059ce8af9f42aabfe0cd5e377f5a41b3970c0beea28853d1bbe08e662d45d612
Instruction Fuzzy Hash: CDF07475605B019FC720CFA9C988B07B7E4AB0CA25F10DD6DA49AC3A25D738E584DF04

Function 20435AA0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?), ref: 20435AB3
LoadLibraryW.KERNEL32(?), ref: 20435AC4
GetProcAddress.KERNEL32(00000000,ImageList_GetImageInfo), ref: 20435ADE

Strings

ImageList_GetImageInfo, xrefs: 20435AD8

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: ImageList_GetImageInfo
API String ID: 310444273-158344479
Opcode ID: c024165aa123b689d06b6dbdf8e77b7d6a87fe6dc0445346d27547bcca64b791
Instruction ID: e0c6696969016ec1769552a578c8248ca279875db4b0b8f7fac6fa2bfb55e8b3
Opcode Fuzzy Hash: c024165aa123b689d06b6dbdf8e77b7d6a87fe6dc0445346d27547bcca64b791
Instruction Fuzzy Hash: AAF0D470A04B01DFD720DFB8C888B02B7E4AB08A25F10D82DA4AAC3651DB38E440DF10

Function 20427350 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,204272C9), ref: 20427360
LoadLibraryW.KERNEL32(?), ref: 20427371
GetProcAddress.KERNEL32(00000000,ImageList_SetBkColor), ref: 2042738B

Strings

ImageList_SetBkColor, xrefs: 20427385

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: ImageList_SetBkColor
API String ID: 310444273-1554945321
Opcode ID: e8d77fa53df3f7ee09eaa64477699b8d18d36c9305cf34044fe3b494192e285d
Instruction ID: 284c7b030e246ad0862ef96458f4fdec8fd086ceb7392f24da5df9d6a012c85e
Opcode Fuzzy Hash: e8d77fa53df3f7ee09eaa64477699b8d18d36c9305cf34044fe3b494192e285d
Instruction Fuzzy Hash: E3F07475605B01DFD760CFA8D988B07B7E4BB08A19B00D82DE89AC3A11D738E940DB00

Function 20435360 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,204352D9,?,?,A1C94593), ref: 20435370
LoadLibraryW.KERNEL32(?), ref: 20435381
GetProcAddress.KERNEL32(00000000,ImageList_GetImageCount), ref: 2043539B

Strings

ImageList_GetImageCount, xrefs: 20435395

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: ImageList_GetImageCount
API String ID: 310444273-4246500564
Opcode ID: d8097c728569e3866e52bdd65f396c4fad9623ee8d0876328ff2cbbc020671d3
Instruction ID: 2da6b41783d0211aef1b011f4005f966f4402148aba3db6cb9b097729d0c8202
Opcode Fuzzy Hash: d8097c728569e3866e52bdd65f396c4fad9623ee8d0876328ff2cbbc020671d3
Instruction Fuzzy Hash: F2F06275605B019FC760CFA8C988B06B7E4BF08A55B10DD2DA4DAC7A11E778E540DB00

Function 204354C0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,20435436,?), ref: 204354D0
LoadLibraryW.KERNEL32(?), ref: 204354E1
GetProcAddress.KERNEL32(00000000,ImageList_ReplaceIcon), ref: 204354FB

Strings

ImageList_ReplaceIcon, xrefs: 204354F5

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: ImageList_ReplaceIcon
API String ID: 310444273-3264144174
Opcode ID: 74c869a9a8c2336e005997e81289362f39642b772dcdaed8b0994d0f4db7fbd2
Instruction ID: 3e15f9a9b1d919c9fe31402087bf8c7712b9f134e2685c61a9ad19c662dd77c6
Opcode Fuzzy Hash: 74c869a9a8c2336e005997e81289362f39642b772dcdaed8b0994d0f4db7fbd2
Instruction Fuzzy Hash: 5FF07475605B01DFC720CFA9C988B06B7E4AB1CA16B10D92DE49AC3A51D738F980DF04

Function 20438D80 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?), ref: 20438D90
LoadLibraryW.KERNEL32(?), ref: 20438DA1
GetProcAddress.KERNEL32(00000000,ImageList_Remove), ref: 20438DBB

Strings

ImageList_Remove, xrefs: 20438DB5

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: ImageList_Remove
API String ID: 310444273-1758120396
Opcode ID: 079ee940bcfe234ec36ffd8b644cc9a63304a968f59cf3a307cb535ea809afee
Instruction ID: 16fb2f48fd19f0c7492424fa88f2029c9d2318f9a38d168fc86bc1dfa45b5a4d
Opcode Fuzzy Hash: 079ee940bcfe234ec36ffd8b644cc9a63304a968f59cf3a307cb535ea809afee
Instruction Fuzzy Hash: 3BF07475605B019FC760CFB8C988B02B7E4BB58A19B10DC2DE09AC3B91D778E580DB00

Function 20438F20 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,20438E89,?,00000000,A1C94593,00000000,00000000,?,?,00000001,?,00000000,00000000,?), ref: 20438F30
LoadLibraryW.KERNEL32(?,?,00000001,?,00000000,00000000,?), ref: 20438F41
GetProcAddress.KERNEL32(00000000,ImageList_Draw), ref: 20438F5B

Strings

ImageList_Draw, xrefs: 20438F55

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: ImageList_Draw
API String ID: 310444273-2074868843
Opcode ID: 5d39e66da341277afc1545f6a1c92b557577de52ee8df2f5711e62b8d41952b8
Instruction ID: 8b8081af3f1095d29bb6d133c22ff23e0a3673458e9ea1b94d5029bc85ce2e59
Opcode Fuzzy Hash: 5d39e66da341277afc1545f6a1c92b557577de52ee8df2f5711e62b8d41952b8
Instruction Fuzzy Hash: D4F06275605B019FD760DFA9D988B02B7E5BB08A15B10DD2DA49AC3A11D778F540DF00

Function 2043AB60 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

#1925.MFC80U(00000000,20436061), ref: 2043AB63
#1271.MFC80U(00000000,?,?,?), ref: 2043AB89

Part of subcall function 2043ABB0: GetDC.USER32(00000000), ref: 2043ABBB

#1271.MFC80U(00000000,?,?,?), ref: 2043AB9A

Strings

GIF, xrefs: 2043AB6A

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #1271$#1925
String ID: GIF
API String ID: 2963369623-881873598
Opcode ID: 67bc59806b93bca34cfaf44b3f5a76d57afad8e0f6fcef2c268d3422498132ff
Instruction ID: 80c5814576790c0fea39c145eb7b3bb292eaa8cb087cab8eddaf8f736d068315
Opcode Fuzzy Hash: 67bc59806b93bca34cfaf44b3f5a76d57afad8e0f6fcef2c268d3422498132ff
Instruction Fuzzy Hash: 99D05BD174121013D845A3E61DD2F3E44DF0FDC809F64E09EFA09C6353DB4D9D212196

Function 2044EEB0 Relevance: 6.3, APIs: 4, Instructions: 253COMMON

Download Yara Rule

APIs

#314.MFC80U(00000000), ref: 2044EEF2
EnterCriticalSection.KERNEL32(-00003AFC), ref: 2044EF14

Part of subcall function 2044F870: EnterCriticalSection.KERNEL32(-00003A6C), ref: 2044F886
Part of subcall function 2044F870: LeaveCriticalSection.KERNEL32(-00003A6C,?), ref: 2044F89C

Part of subcall function 2040E8B0: _wcsicmp.MSVCR80 ref: 2040E8F6

_time32.MSVCR80 ref: 2044F19D
#6751.MFC80U(00000000,?), ref: 2044F241

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: CriticalSection$Enter$#314#6751Leave_time32_wcsicmp
String ID:
API String ID: 572526790-0
Opcode ID: ed03fb45f41e36c0d5e5fc2ddcd8a74d31b367c40610b0e286b421728a2960dc
Instruction ID: a41998383fe25ffac22fc7ccb07849e4817f59a96ff63d102d77dae527154431
Opcode Fuzzy Hash: ed03fb45f41e36c0d5e5fc2ddcd8a74d31b367c40610b0e286b421728a2960dc
Instruction Fuzzy Hash: 9CB19E31A04641DBE705CFA5C980B56B7A6BB84308F54C7BDE9484B787CB39AE46CB81

Function 2044B670 Relevance: 6.2, APIs: 4, Instructions: 187COMMON

Download Yara Rule

APIs

#314.MFC80U(00000000,A1C94593), ref: 2044B6C3
#6751.MFC80U(00000000,?), ref: 2044B743
#1176.MFC80U(?), ref: 2044B80F
#6751.MFC80U(00000000,?,?), ref: 2044B930

Part of subcall function 2042D0B0: IsWindow.USER32(?), ref: 2042D0E9
Part of subcall function 2042D0B0: PostMessageW.USER32(?,00000445,010300D4), ref: 2042D102

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #6751$#1176#314MessagePostWindow
String ID:
API String ID: 3217281582-0
Opcode ID: 5fa345bc5857240e9f86b57c889d0dfae663a8f57130abd31cf7eab99548e548
Instruction ID: b28df402dce2b7cef7e71af0391a6853a6e5c8744560c8c3959885f1aa1c6a3a
Opcode Fuzzy Hash: 5fa345bc5857240e9f86b57c889d0dfae663a8f57130abd31cf7eab99548e548
Instruction Fuzzy Hash: 4F814574A087419FE314DF64C441B5ABBF4BF84318F10CA2DE599873A1DB78E945CB92

Function 20435ED0 Relevance: 6.2, APIs: 4, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001200,00000000,00000000), ref: 20435F56
malloc.MSVCR80 ref: 20435F6E

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: MessageSendmalloc
String ID:
API String ID: 43557236-0
Opcode ID: 0273294137bafeba153553bf9ff409c144a9c4f10f83f9969a1467e48c19bd3d
Instruction ID: 78cf341bdd41b49a2db8feef9d956a25f6772ab74c18bfb087e45b95b70bec9a
Opcode Fuzzy Hash: 0273294137bafeba153553bf9ff409c144a9c4f10f83f9969a1467e48c19bd3d
Instruction Fuzzy Hash: 9751F0712042069FC704DFA4C881A6AB7E5FF98328F64D66DF9558B391D738ED04CB91

Function 20410F30 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

#265.MFC80U(00000000,00000000,00000000,?,20412895,?), ref: 20410F83
#265.MFC80U(00000000,00000000,00000000,?,20412895,?), ref: 20410FE3
#265.MFC80U(00000000,00000000,00000000,?,20412895,?), ref: 20411043
#265.MFC80U(00000000,00000000,00000000,?,20412895,?), ref: 204110A3

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #265
String ID:
API String ID: 1803795300-0
Opcode ID: 9b3e34e20514793be14f5fc2f0b18d951115683c20f85ad0fc61bec4e7d5a730
Instruction ID: 9403ae3a06e9507dc1ff99d48ab7f3c065b4733f5c841587fd49247d63e3c639
Opcode Fuzzy Hash: 9b3e34e20514793be14f5fc2f0b18d951115683c20f85ad0fc61bec4e7d5a730
Instruction Fuzzy Hash: 295190366002018BCB18CF64C8527AB77A2EF88754F59C66CDD069F795E679FE42C780

Function 20402BB0 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

wcschr.MSVCR80 ref: 20402BDC
realloc.MSVCR80 ref: 20402C0E

Part of subcall function 20402090: _wcsicmp.MSVCR80 ref: 204020FE

memcpy.MSVCR80(00000000,00000004), ref: 20402C31
free.MSVCR80 ref: 20402C6B

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: _wcsicmpfreememcpyreallocwcschr
String ID:
API String ID: 29784309-0
Opcode ID: 2ca4960e8b7845ac15a85c0466c447a55554a0e6fb247eef4d323213e34a1664
Instruction ID: feb4e5f844788c8695473aa1f2191a6a043e49db64690f2c89d34fc1cc0b7b57
Opcode Fuzzy Hash: 2ca4960e8b7845ac15a85c0466c447a55554a0e6fb247eef4d323213e34a1664
Instruction Fuzzy Hash: 1D31B6B2908700ABD304DF64DE81A3BB3E9EB94615F158A3DFC45D3380E639DD0586A2

Function 2044F6D0 Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

#314.MFC80U(00000000,A1C94593), ref: 2044F70F
EnterCriticalSection.KERNEL32(?), ref: 2044F795
LeaveCriticalSection.KERNEL32(?), ref: 2044F7B6
#6751.MFC80U(00000000,?), ref: 2044F84A

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: CriticalSection$#314#6751EnterLeave
String ID:
API String ID: 43741055-0
Opcode ID: 81f2132f0f5e54a88fdd4fa29ecbc24753f534aa3ac267aedb014eeb049dfa1d
Instruction ID: 2a341d5d441c251ca3bdd549d2104671dc06891eb54429a817a1eb2414ec20f1
Opcode Fuzzy Hash: 81f2132f0f5e54a88fdd4fa29ecbc24753f534aa3ac267aedb014eeb049dfa1d
Instruction Fuzzy Hash: 4341F271A047058FEB10DFA4C880B9677A5EF94B18F04CB7DE9589F291DB39E904CB62

Function 20462BC0 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

Part of subcall function 20420040: #764.MFC80U(?,?,?,20462BF8,A1C94593,?,?,?,00000000,00000000,2047AC89,000000FF,20462A77,?,?,00000000), ref: 20420074

Part of subcall function 2041B640: #764.MFC80U(?,?,?,20462C00,A1C94593,?,?,?,00000000,00000000,2047AC89,000000FF,20462A77,?,?,00000000), ref: 2041B674

Part of subcall function 20412B10: #1176.MFC80U(A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000,2047AC89), ref: 20412B3D
Part of subcall function 20412B10: #764.MFC80U(?,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000), ref: 20412B64
Part of subcall function 20412B10: #764.MFC80U(?,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000), ref: 20412B74
Part of subcall function 20412B10: #764.MFC80U(?,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000), ref: 20412B84
Part of subcall function 20412B10: #764.MFC80U(?,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000), ref: 20412B94
Part of subcall function 20412B10: #764.MFC80U(?,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000,00000000), ref: 20412BAD

Part of subcall function 2040F390: #764.MFC80U(?,?,00000000,?,20462C12,00000000,A1C94593,?,?,?,00000000,00000000,2047AC89,000000FF,20462A77,?), ref: 2040F3AF
Part of subcall function 2040F390: #764.MFC80U(?,00000000,?,20462C12,00000000,A1C94593,?,?,?,00000000,00000000,2047AC89,000000FF,20462A77,?), ref: 2040F3C7

#2461.MFC80U(00000000,A1C94593,?,?,?,00000000,00000000,2047AC89,000000FF,20462A77,?,?,00000000,?,?), ref: 20462C27
#578.MFC80U ref: 20462C6E
#2461.MFC80U(00030003), ref: 20462CD7
#578.MFC80U ref: 20462D35

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764$#2461#578$#1176
String ID:
API String ID: 3417459804-0
Opcode ID: 371db3f090722565ab10a011f626aeafc9584fdcccf669e087e96a213066d7ca
Instruction ID: c2a683849d6fb96d4b3e35d838ed9aec9a96d629bdbd65cf109ae4fc9048b901
Opcode Fuzzy Hash: 371db3f090722565ab10a011f626aeafc9584fdcccf669e087e96a213066d7ca
Instruction Fuzzy Hash: B0412331608A00AFD304CBA0C94139E7BD4AB64B58F04CA3DFC45A7391DB3DDA4ACB92

Function 20421900 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

#764.MFC80U(?,?,?,00000000,75A85540,?,20420AC2,?), ref: 20421954
#764.MFC80U(?,?,?,00000000,75A85540,?,20420AC2,?), ref: 2042196D
#764.MFC80U(00000000,00000000,?,?,00000000,75A85540,?,20420AC2,?), ref: 204219D5
#1176.MFC80U(?,?,00000000,75A85540,?,20420AC2,?), ref: 204219E5

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764$#1176
String ID:
API String ID: 987861311-0
Opcode ID: 20e9d8c626773fd68c79db1f578be4406d3d27dbf94b22d3dc0e594d28f61c13
Instruction ID: 65ffa9f82092dabdcb5bed94917da9e578248e28c1d1eeaeeb7bb9fc897bd46c
Opcode Fuzzy Hash: 20e9d8c626773fd68c79db1f578be4406d3d27dbf94b22d3dc0e594d28f61c13
Instruction Fuzzy Hash: 523141F2700B418FC720DFD9D8D192BB7E5BF68604794892DE28A87A60C635F884CB51

Function 20411680 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

#764.MFC80U(00000000,?,20411B81,00000000), ref: 20411695
#764.MFC80U(FF000002,?,20411B81,00000000), ref: 204116AC
#265.MFC80U(00000000,?,20462D01,?,20411B81,00000000), ref: 204116E9
#265.MFC80U(00000000,?,20462D01,?,20411B81,00000000), ref: 20411746

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #265#764
String ID:
API String ID: 2915978212-0
Opcode ID: ba2e8e614aacfb2c1cfc17631be87df5023eeda68792fc49645a80e1b67e0cd6
Instruction ID: 7a5158a3ee04ab6488e1a237766dc88d7216dad2747c0f1574a6556f2305acef
Opcode Fuzzy Hash: ba2e8e614aacfb2c1cfc17631be87df5023eeda68792fc49645a80e1b67e0cd6
Instruction Fuzzy Hash: 1F2173766002008BDB189F64CD567AB73A5EF84694F49C52CDD0A8F7A4E73AFE05C680

Function 20444D70 Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

#314.MFC80U(00000000,A1C94593), ref: 20444DA6
#2461.MFC80U(?,?,?,?,?,?,?,?,?,?,?,?,?,?,2047DED8,000000FF), ref: 20444DE9
#2461.MFC80U(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,2047DED8), ref: 20444E54
#6751.MFC80U(00000000,?), ref: 20444E8F

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2461$#314#6751
String ID:
API String ID: 931018407-0
Opcode ID: 26d87b569da9c3e50e22f2a10a356677a855cf05579aeb297ba1f5042db95ef0
Instruction ID: 76b2dcf8fe44664dc88a3af28260734e3798ef99fca1d7f944336e42d88328c0
Opcode Fuzzy Hash: 26d87b569da9c3e50e22f2a10a356677a855cf05579aeb297ba1f5042db95ef0
Instruction Fuzzy Hash: FA318D31A087008FE310DFA4C885B9AB7E4FBA5768F60CA1DE855577E0DB39E905CB81

Function 20433DE0 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

#1894.MFC80U ref: 20433DEE

Part of subcall function 204316C0: PtInRect.USER32(?,?,?), ref: 204317F9
Part of subcall function 204316C0: PtInRect.USER32(?,?,?), ref: 20431806
Part of subcall function 204316C0: PtInRect.USER32(?,?,?), ref: 20431813

InvalidateRect.USER32(?,?,00000001,?,?,?), ref: 20433E9D
InvalidateRect.USER32(?,?,00000001,?,?,?), ref: 20433EAA
InvalidateRect.USER32(?,?,00000001,?,?,?), ref: 20433EB7

Part of subcall function 20433ED0: InvalidateRect.USER32(?,?,00000001,?,?,?), ref: 20433F37
Part of subcall function 20433ED0: InvalidateRect.USER32(?,?,00000001,?,?,?), ref: 20433F44
Part of subcall function 20433ED0: InvalidateRect.USER32(?,?,00000001,?,?,?), ref: 20433F51

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: Rect$Invalidate$#1894
String ID:
API String ID: 3887639419-0
Opcode ID: e815c2661e558f242e4c03c4ff3a68e1085abd3e151ac4e0b690b076e2d82447
Instruction ID: 669572870b13d328d3c28b5ce8d592afa34f028504738166e2341f06c687eada
Opcode Fuzzy Hash: e815c2661e558f242e4c03c4ff3a68e1085abd3e151ac4e0b690b076e2d82447
Instruction Fuzzy Hash: C22132722047046BD310DBA4CC92F6BB3E9FBD8719F108A1DF695872D0DBB5E9058B91

Function 204758B0 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

#354.MFC80U(000000B2,?,A1C94593,?,00000000,2047D512,000000FF,20470A25,00000000,?,?,?,?), ref: 204758E1
#563.MFC80U(000000B2,?,A1C94593,?,00000000,2047D512,000000FF,20470A25,00000000,?,?,?,?), ref: 2047593A

Part of subcall function 2045CF80: #530.MFC80U(A1C94593,00000222,000000FF,00000000,2047A55B,000000FF,2045D5C1,000001EB,00000193,000000FF,?,A1C94593,?,?,?,2047BED4), ref: 2045CFB1
Part of subcall function 2045CF80: #6003.MFC80U(00000000,000000FF,A1C94593,00000222,000000FF,00000000,2047A55B,000000FF,2045D5C1,000001EB,00000193,000000FF,?,A1C94593), ref: 2045CFCD

Part of subcall function 20423810: #572.MFC80U(A1C94593,20428001,00000000,2047A038,000000FF,20422C5E,20428085,20428001,000000FF,A1C94593,?,?,?,2047B870,000000FF,20428001), ref: 20423837

Part of subcall function 20430DC0: #310.MFC80U(?,A1C94593,00000000,?,00000000,?,2047AE6F,000000FF,20472632,?), ref: 20430DFC
Part of subcall function 20430DC0: #557.MFC80U ref: 20430E0A
Part of subcall function 20430DC0: #310.MFC80U ref: 20430E17
Part of subcall function 20430DC0: #557.MFC80U ref: 20430E25
Part of subcall function 20430DC0: LoadCursorW.USER32(00000000,00007F89), ref: 20430EA4
Part of subcall function 20430DC0: SetRectEmpty.USER32(?), ref: 20430F17

#1079.MFC80U(?,?,?,?,?,?,000000B2,?,A1C94593,?,00000000,2047D512,000000FF,20470A25,00000000,?), ref: 204759C8
LoadAcceleratorsW.USER32(?,00000084), ref: 204759D6

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #310#557Load$#1079#354#530#563#572#6003AcceleratorsCursorEmptyRect
String ID:
API String ID: 2898300369-0
Opcode ID: 25145885f755b7da27b2183d7801b8a14ebb19caded4335ed2728ef1bae41064
Instruction ID: c9898c695ffcc76be56d112311e911471fd38206f09a34854931a16e4d6a0a3e
Opcode Fuzzy Hash: 25145885f755b7da27b2183d7801b8a14ebb19caded4335ed2728ef1bae41064
Instruction Fuzzy Hash: 1831E8B1508B818FD361CF78C445B9BBBE4BB59718F008E1DE5EAC7251DB78A508CB92

Function 2043C5E0 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

wcscpy_s.MSVCR80 ref: 2043C644
malloc.MSVCR80 ref: 2043C698
memset.MSVCR80 ref: 2043C6AF

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: mallocmemsetwcscpy_s
String ID:
API String ID: 995197152-0
Opcode ID: 9c3eb15f5dc6e294465321d57e3f220c202f05c3c8742495f74193d9d1d2d59d
Instruction ID: 64582f39a420c492fcb8207987f9435a1f8be2e36599d7ac70da3adc889762b8
Opcode Fuzzy Hash: 9c3eb15f5dc6e294465321d57e3f220c202f05c3c8742495f74193d9d1d2d59d
Instruction Fuzzy Hash: FC2107B168070057D310DB98CC4BBEB77E4EF98B04F15C82CEA46972A1EABC964487C2

Function 204332C0 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 204332EF
PtInRect.USER32(?,?,?), ref: 20433304
ScreenToClient.USER32(?,?), ref: 20433317

Part of subcall function 204316C0: PtInRect.USER32(?,?,?), ref: 204317F9
Part of subcall function 204316C0: PtInRect.USER32(?,?,?), ref: 20431806
Part of subcall function 204316C0: PtInRect.USER32(?,?,?), ref: 20431813

#925.MFC80U(?,?,00000000), ref: 20433364

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: Rect$#925ClientScreenWindow
String ID:
API String ID: 2780130384-0
Opcode ID: dc416124104b3f95af4896d9c531a06e60a9371ec363dfeb83695ee6ffca8474
Instruction ID: 23278acfa54654be79d7e5eaec57ad399739bda5b89f9b7708fafed77743f82c
Opcode Fuzzy Hash: dc416124104b3f95af4896d9c531a06e60a9371ec363dfeb83695ee6ffca8474
Instruction Fuzzy Hash: 00116076604205ABD310CF68DC85EABB7ACEBD8725F10CA1EF95887350EB75E81087A1

Function 20438A40 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

#1176.MFC80U(?,20435667), ref: 20438A49
#6282.MFC80U(?,?,?,?,?,?,20435667), ref: 20438A80
#5316.MFC80U(?,?,?,?,?,?,20435667), ref: 20438ABC
#1172.MFC80U(00000003,00000000,?,?,?,?,?,?,20435667), ref: 20438AD8

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #1172#1176#5316#6282
String ID:
API String ID: 3256105086-0
Opcode ID: 5466beb91be7b456f7ff05ec4f6a72c3cf1f55533bb50de6cc8ad8a4eb1cc903
Instruction ID: a71a2722f5498a0fd1945e18532a1812739f6c9d749954d77beda677cef91372
Opcode Fuzzy Hash: 5466beb91be7b456f7ff05ec4f6a72c3cf1f55533bb50de6cc8ad8a4eb1cc903
Instruction Fuzzy Hash: A701043230130A4BD520BFD49C80B8AB31AEBD5B70F61821EFB1407AD1D6A9A90683A1

Function 20420530 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 20421B70: #572.MFC80U(A1C94593,?,?,2047A038,000000FF,2042055C,?,A1C94593,00000000,?,00000000,2047CF55,000000FF,204132FB,00000000), ref: 20421B97

#764.MFC80U(?,?,A1C94593,00000000,?,00000000,2047CF55,000000FF,204132FB,00000000), ref: 2042059A
#764.MFC80U(?,?,A1C94593,00000000,?,00000000,2047CF55,000000FF,204132FB,00000000), ref: 204205BF
GetSysColor.USER32(0000000E), ref: 204205E4
GetSysColor.USER32(0000000D), ref: 204205EE

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764Color$#572
String ID:
API String ID: 3483561206-0
Opcode ID: 2ce00bcb911a0adf78cd9849c7c425dd942b9d041eb1801af834b2b93f52d9de
Instruction ID: c3474024772679d4fc8c10b854ff922739a4d7c1715f003fed4a8b73763e614e
Opcode Fuzzy Hash: 2ce00bcb911a0adf78cd9849c7c425dd942b9d041eb1801af834b2b93f52d9de
Instruction Fuzzy Hash: 1021CAB1905B419FD320CF6AD941B96FBE8FFA0614F108A1FE1A993260D7B9A5048F61

Function 20410CD0 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION ref: 20410CE5
malloc.MSVCR80 ref: 20410CF1
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?,?,20410C8F), ref: 20410D06
VerQueryValueW.VERSION ref: 20410D32

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValuemalloc
String ID:
API String ID: 1270079192-0
Opcode ID: a86856293d64de432b3949596be9cdd879a74fc3581f4e17848ba5143e8bd00a
Instruction ID: c8f75003a6e533de741e8816a0542783ade0f3979282a4eae5926f6df052299d
Opcode Fuzzy Hash: a86856293d64de432b3949596be9cdd879a74fc3581f4e17848ba5143e8bd00a
Instruction Fuzzy Hash: 8201CE711042019BDB10CFA8EC81BAB7BE8AF80654F44842DFD09D7240E778E948C7A2

Function 20461370 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

#1921.MFC80U(A1C94593,00000000,?,?,00000000,2047D9E8,000000FF,20470C23,A1C94593,-00003AB4,?,00000000,2047F476,000000FF,2046254B,?), ref: 204613AF

Part of subcall function 20431180: DestroyCursor.USER32(?), ref: 204311C1
Part of subcall function 20431180: #764.MFC80U(?,?,?,?,?,A1C94593,?,?,00000000,2047CC2F,000000FF,20472809), ref: 20431225
Part of subcall function 20431180: #745.MFC80U(?,?,?,?,A1C94593,?,?,00000000,2047CC2F,000000FF,20472809), ref: 20431235
Part of subcall function 20431180: #578.MFC80U(?,?,?,?,A1C94593,?,?,00000000,2047CC2F,000000FF,20472809), ref: 20431242
Part of subcall function 20431180: #745.MFC80U ref: 20431250
Part of subcall function 20431180: #578.MFC80U ref: 2043125D
Part of subcall function 20431180: #741.MFC80U ref: 2043126D

Part of subcall function 2045D000: free.MSVCR80 ref: 2045D058
Part of subcall function 2045D000: #6003.MFC80U(00000000,000000FF,A1C94593,?,?,?,?,00000000,204798FB,000000FF,2045D691,?,?,?,00000000,2047A52C), ref: 2045D06E
Part of subcall function 2045D000: #722.MFC80U(00000000,000000FF,A1C94593,?,?,?,?,00000000,204798FB,000000FF,2045D691,?,?,?,00000000,2047A52C), ref: 2045D07D

#651.MFC80U(A1C94593,00000000,?,?,00000000,2047D9E8,000000FF,20470C23,A1C94593,-00003AB4,?,00000000,2047F476,000000FF,2046254B,?), ref: 204613EB
#658.MFC80U(A1C94593,00000000,?,?,00000000,2047D9E8,000000FF,20470C23,A1C94593,-00003AB4,?,00000000,2047F476,000000FF,2046254B,?), ref: 204613FB
#718.MFC80U(?,00000004,00000002,6C8560B9,A1C94593,00000000,?,?,00000000,2047D9E8,000000FF,20470C23,A1C94593,-00003AB4,?,00000000), ref: 20461425

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #578#745$#1921#6003#651#658#718#722#741#764CursorDestroyfree
String ID:
API String ID: 602197399-0
Opcode ID: dbbd932bae2c3452bf3c64ad00c1fbe8bfc9d51b218b477bca544865daeb77bf
Instruction ID: 119b809bf4f96c5bd9266e20159618770743de9896ef792059788e81e2d00db8
Opcode Fuzzy Hash: dbbd932bae2c3452bf3c64ad00c1fbe8bfc9d51b218b477bca544865daeb77bf
Instruction Fuzzy Hash: 1311B1701087819AD314DF68C891BABBBE4ABA5758F50C91DF0A5872E1DB78650CC7D2

Function 20460300 Relevance: 6.1, APIs: 4, Instructions: 52windowCOMMON

Download Yara Rule

APIs

#1079.MFC80U(?,75A85540,?,204602E5), ref: 20460309

Part of subcall function 20435260: #1079.MFC80U(?,A1C94593), ref: 2043529B
Part of subcall function 20435260: #6749.MFC80U(?,?,A1C94593), ref: 204352A7

#1079.MFC80U(?,-00000001,75A85540,?,204602E5), ref: 2046032C

Part of subcall function 20438C80: #1079.MFC80U(?,A1C94593), ref: 20438CBB
Part of subcall function 20438C80: #6749.MFC80U(?,?,A1C94593), ref: 20438CC7

SendMessageW.USER32(?,00001009,00000000,00000000), ref: 2046035B
SendMessageW.USER32(?,0000101E,00000001,0000FFFF), ref: 20460398

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #1079$#6749MessageSend
String ID:
API String ID: 3611429224-0
Opcode ID: 42af1b52751994337f860d7887d5713359492234ca42d99299fbf78c5578e644
Instruction ID: 84401560cff12eddf0e38724ac67850e5e3849c2a06f6b5b4cf76c25a307d55b
Opcode Fuzzy Hash: 42af1b52751994337f860d7887d5713359492234ca42d99299fbf78c5578e644
Instruction Fuzzy Hash: 14018032B406116BD22487B4C985FABB3A9BF44B49F158268FA0C6B791DB78BC40C7D0

Function 204615F0 Relevance: 6.1, APIs: 4, Instructions: 52windowCOMMON

Download Yara Rule

APIs

#1079.MFC80U(?,75A85540,00000000,204615CF), ref: 204615F9

Part of subcall function 20435260: #1079.MFC80U(?,A1C94593), ref: 2043529B
Part of subcall function 20435260: #6749.MFC80U(?,?,A1C94593), ref: 204352A7

#1079.MFC80U(?,-00000001,75A85540,00000000,204615CF), ref: 2046161C

Part of subcall function 20438C80: #1079.MFC80U(?,A1C94593), ref: 20438CBB
Part of subcall function 20438C80: #6749.MFC80U(?,?,A1C94593), ref: 20438CC7

SendMessageW.USER32(?,00001009,00000000,00000000), ref: 2046164B
SendMessageW.USER32(?,0000101E,00000000,0000FFFF), ref: 20461688

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #1079$#6749MessageSend
String ID:
API String ID: 3611429224-0
Opcode ID: 7a587c9cea0989edabe2cffac45c37636974af111bd2aa4f96ef4d627b3bc468
Instruction ID: 742600d1976ab0db29e4d7ae0ad4cb0ff4a5a4958f97b4a84386632c03135728
Opcode Fuzzy Hash: 7a587c9cea0989edabe2cffac45c37636974af111bd2aa4f96ef4d627b3bc468
Instruction Fuzzy Hash: 11014436B406116BD2248BB4CD85FA6B3A8BF54B48F198568F91C5B6A1DB64AC00C7D0

Function 2042FC10 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

#4755.MFC80U(A1C94593), ref: 2042FC3D
#330.MFC80U ref: 2042FC4D
GetClientRect.USER32(?,?), ref: 2042FC63

Part of subcall function 2042FDE0: GetCurrentObject.GDI32(?,00000001), ref: 2042FE0D
Part of subcall function 2042FDE0: #2362.MFC80U(00000000,?,?,?,?,?,?,?,?,?,A1C94593), ref: 2042FE14
Part of subcall function 2042FDE0: GetSysColor.USER32(00000008), ref: 2042FE1D
Part of subcall function 2042FDE0: #502.MFC80U(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,A1C94593), ref: 2042FE2C
Part of subcall function 2042FDE0: #5638.MFC80U(00000001), ref: 2042FE40
Part of subcall function 2042FDE0: GetObjectW.GDI32(?,00000010,?), ref: 2042FE50
Part of subcall function 2042FDE0: SetPixel.GDI32(?,?,?,?), ref: 2042FE88
Part of subcall function 2042FDE0: #4117.MFC80U(?,?,?), ref: 2042FE9D
Part of subcall function 2042FDE0: #3995.MFC80U(?,?,?,?,?), ref: 2042FEAF
Part of subcall function 2042FDE0: #4117.MFC80U(?,?,?,?,?,?,?,?), ref: 2042FEC3
Part of subcall function 2042FDE0: #3995.MFC80U(?,?,?,?,?,?,?,?,?,?), ref: 2042FED5
Part of subcall function 2042FDE0: #4117.MFC80U(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 2042FEE9

Part of subcall function 2042FCB0: CopyRect.USER32(?,?), ref: 2042FCE3
Part of subcall function 2042FCB0: GetSysColor.USER32(00000010), ref: 2042FD0A
Part of subcall function 2042FCB0: #502.MFC80U(00000000,00000001,00000000,?,?,?,?), ref: 2042FD19
Part of subcall function 2042FCB0: #5638.MFC80U(?), ref: 2042FD2D
Part of subcall function 2042FCB0: #4117.MFC80U(?,?,?,?), ref: 2042FD3B
Part of subcall function 2042FCB0: #3995.MFC80U(?,?,?,?,?,?), ref: 2042FD46
Part of subcall function 2042FCB0: GetSysColor.USER32(00000014), ref: 2042FD55
Part of subcall function 2042FCB0: #502.MFC80U(00000000,00000001,00000000), ref: 2042FD64
Part of subcall function 2042FCB0: #5638.MFC80U(?,00000000,00000001,00000000), ref: 2042FD75
Part of subcall function 2042FCB0: #4117.MFC80U(?,?,?,?,00000000,00000001,00000000), ref: 2042FD83
Part of subcall function 2042FCB0: #3995.MFC80U(00000001,?,?,?,?,?,00000000,00000001,00000000), ref: 2042FD90

#589.MFC80U(?,?), ref: 2042FC8E

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #4117$#3995$#502#5638Color$ObjectRect$#2362#330#4755#589ClientCopyCurrentPixel
String ID:
API String ID: 1933966242-0
Opcode ID: 106bca368c93dcad6a37d183b57086cd195daf11abbfae5fd64e4fc3866764b0
Instruction ID: bf67b66eeb2af4af3a49994a45e750dcbfbab94742a63c72a59aa0bce75d9589
Opcode Fuzzy Hash: 106bca368c93dcad6a37d183b57086cd195daf11abbfae5fd64e4fc3866764b0
Instruction Fuzzy Hash: 7F0161721087459FC314DF65DC81BABB7ECFB89A28F408B2DF452866D0EB79A904C791

Function 20433B80 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 20433B9A
ScreenToClient.USER32(?,?), ref: 20433BA9

Part of subcall function 204316C0: PtInRect.USER32(?,?,?), ref: 204317F9
Part of subcall function 204316C0: PtInRect.USER32(?,?,?), ref: 20431806
Part of subcall function 204316C0: PtInRect.USER32(?,?,?), ref: 20431813

SetCursor.USER32(00000000,?,00000000,?,?), ref: 20433BCD
#1894.MFC80U ref: 20433BE1

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: Rect$Cursor$#1894ClientScreen
String ID:
API String ID: 1097337831-0
Opcode ID: 6e8bad8587e5a1bc7b03b88541dae4f67b5da31f90726aa4d83728ab5a48553e
Instruction ID: d0b058352fe7409e0972a8766911b0a5ff0b5ac52e584bb824b48cc46fa8e4be
Opcode Fuzzy Hash: 6e8bad8587e5a1bc7b03b88541dae4f67b5da31f90726aa4d83728ab5a48553e
Instruction Fuzzy Hash: 57F0CD351146045BC1149B64CC85FABB7ACEB88615F10CB1EF995832D0EA78B854D791

Function 2042FBA0 Relevance: 6.0, APIs: 4, Instructions: 39windowCOMMON

Download Yara Rule

APIs

#1946.MFC80U(?,?,2042F9D5,?,?), ref: 2042FBA7
CreatePopupMenu.USER32 ref: 2042FBAC
#1274.MFC80U(00000000,?,?), ref: 2042FBB5
AppendMenuW.USER32(?,00000000,?), ref: 2042FBED

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: Menu$#1274#1946AppendCreatePopup
String ID:
API String ID: 565603816-0
Opcode ID: aaf0739e9862d876b99429d21172c434b335f44f3f36f8acdd4ef8f58907c7ca
Instruction ID: 22653fce8f7fc219fa0d79c3d3a268c06482d39e5a006231ce4e4780a8ed22e2
Opcode Fuzzy Hash: aaf0739e9862d876b99429d21172c434b335f44f3f36f8acdd4ef8f58907c7ca
Instruction Fuzzy Hash: A7F0A476300F019FC231CBA4DCD4F7A73E5FB84604B208A6CEA5687A10DB75F401C621

Function 20444EF0 Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

#310.MFC80U(A1C94593,?,00000000,20479989,000000FF,20444EE3,?,?,20441B98,00000000), ref: 20444F15

Part of subcall function 20464370: #310.MFC80U(A1C94593,?,?,?,?), ref: 204643C1
Part of subcall function 20464370: #310.MFC80U ref: 204643D6
Part of subcall function 20464370: #776.MFC80U(?), ref: 204643F5
Part of subcall function 20464370: #578.MFC80U ref: 20464782
Part of subcall function 20464370: #578.MFC80U ref: 20464797

#2310.MFC80U(?,000001F9,?,0002081F,?,?,20441B98,00000000), ref: 20444F47
#4026.MFC80U(000001F8), ref: 20444F5B
#578.MFC80U ref: 20444F6D

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #310#578$#2310#4026#776
String ID:
API String ID: 2713097316-0
Opcode ID: f38fdda6803060b10cda4cebfd11934e57a21f8a204cf63cbc7694572fa9a78b
Instruction ID: 62b18f49c2976f3a1648797b94e06c1760f7416b953b5242b11fe7e9a348d550
Opcode Fuzzy Hash: f38fdda6803060b10cda4cebfd11934e57a21f8a204cf63cbc7694572fa9a78b
Instruction Fuzzy Hash: 11012CB5148B41ABC304DF54CC85F9BBBE4FB84B55F008E2DF5A6422A1EF39A505CB91

Function 20461CC0 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyCursor.USER32(?), ref: 20461CFB
#741.MFC80U(A1C94593,00000000,00000000,2047A32F,000000FF,204609F4,?), ref: 20461D09
#578.MFC80U(A1C94593,00000000,00000000,2047A32F,000000FF,204609F4,?), ref: 20461D16
#605.MFC80U ref: 20461D26

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #578#605#741CursorDestroy
String ID:
API String ID: 2649864807-0
Opcode ID: 72c7e532bf72629e51e410de0217574248842e4c710283ec1e03ec363cfc3b25
Instruction ID: 00fa475b0f723163b9ef425cedf1ac6c6dd878fe1d6408c9c5d916e06b312514
Opcode Fuzzy Hash: 72c7e532bf72629e51e410de0217574248842e4c710283ec1e03ec363cfc3b25
Instruction Fuzzy Hash: 5D016DB1108B818FD311DF64C884B5ABBE4FB54724F008E2DF4A2837A0DB79A504CB92

Function 20423970 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

#620.MFC80U(A1C94593,?,00000000,2047B72C,000000FF,20429D63,?), ref: 204239A3
#620.MFC80U(A1C94593,?,00000000,2047B72C,000000FF,20429D63,?), ref: 204239B3
#587.MFC80U(A1C94593,?,00000000,2047B72C,000000FF,20429D63,?), ref: 204239C3
#605.MFC80U(A1C94593,?,00000000,2047B72C,000000FF,20429D63,?), ref: 204239D2

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #620$#587#605
String ID:
API String ID: 1344418851-0
Opcode ID: e4373f1ffc39f3d123fc98dec62f3b610d6eb1b7b3b21473807efdfda39071a7
Instruction ID: 17e832972ff24de2340f15e5b985e6d048a7fa2478449078d64daeb3ea82d8d6
Opcode Fuzzy Hash: e4373f1ffc39f3d123fc98dec62f3b610d6eb1b7b3b21473807efdfda39071a7
Instruction Fuzzy Hash: A3F0EC710087819BC315CF24C855BEABBE4FBA5624F40CE1DF4A6476A0DB796609C792

Function 20410EE0 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

#764.MFC80U(2040FAB2,?,2041270C), ref: 20410EEB
#764.MFC80U(000000FF,?,2041270C), ref: 20410EFB
#764.MFC80U(20481BC6,?,2041270C), ref: 20410F0B
#764.MFC80U(?,?,2041270C), ref: 20410F1B

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764
String ID:
API String ID: 441403673-0
Opcode ID: 53785fc8c5d8aa416b36db5ead045fe28ddff352e4ae91a238ca4cb2fcf491b7
Instruction ID: aa89646db224e286d08f34acd16ae685d5e3d0b2f5bbc42a80b755ba2ba03713
Opcode Fuzzy Hash: 53785fc8c5d8aa416b36db5ead045fe28ddff352e4ae91a238ca4cb2fcf491b7
Instruction Fuzzy Hash: 31E012F2E1172147D931AAB5BC02F5763FC5E10910704C868E90DE7750E66CFE4986E2

Function 20412AC0 Relevance: 6.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

#764.MFC80U(?,20412D1A,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000), ref: 20412AC8
#764.MFC80U(?,20412D1A,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000), ref: 20412AD8
#764.MFC80U(?,20412D1A,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000), ref: 20412AE8
#764.MFC80U(?,20412D1A,A1C94593,?,?,00000000,00000000,2047CFDF,000000FF,20462C0A,00000000,A1C94593,?,?,?,00000000), ref: 20412AF8

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #764
String ID:
API String ID: 441403673-0
Opcode ID: d8e0d085c19e314a48a1a9d527d5c971ea9ff2f61093a01c00064bde6e98c76d
Instruction ID: 2f56db5e7e50298a93a4395ebbfe2a0783e2749026fa76c7b127cb879bf8f226
Opcode Fuzzy Hash: d8e0d085c19e314a48a1a9d527d5c971ea9ff2f61093a01c00064bde6e98c76d
Instruction Fuzzy Hash: 29E012F0B0031147DE31D9B59D42F1763BC5F10980704CC28B80ED2750E92CF858C9A6

Function 2041A110 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 206COMMON

Download Yara Rule

APIs

Part of subcall function 20402090: _wcsicmp.MSVCR80 ref: 204020FE

#1176.MFC80U ref: 2041A3AF

Strings

RULES, xrefs: 2041A159, 2041A19E
RULE, xrefs: 2041A1B4, 2041A38E

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #1176_wcsicmp
String ID: RULE$RULES
API String ID: 2845765141-712924407
Opcode ID: fd79992d94718f941946dc9e5921394aec7a051119f5e79913273f0386f3e403
Instruction ID: b4e5ab64a95f3cd3e80be46b906802b12ab383ea1aacfb3d5f14cde5a2b4de09
Opcode Fuzzy Hash: fd79992d94718f941946dc9e5921394aec7a051119f5e79913273f0386f3e403
Instruction Fuzzy Hash: 3871A772504345DBC720CF94C880B9EF7E5BBD4718F04CA2EE99997240E73D9A95C762

Function 2041F6B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 20402090: _wcsicmp.MSVCR80 ref: 204020FE

#1176.MFC80U ref: 2041F86B

Strings

ZONE, xrefs: 2041F726, 2041F835
ZONES, xrefs: 2041F6FA

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #1176_wcsicmp
String ID: ZONE$ZONES
API String ID: 2845765141-1311964101
Opcode ID: 0b0506ad5b2d146664ced8278c20028e6b8f1e5887b66f19d395d1db46f6c2ab
Instruction ID: e962bf3334346c320cba89ab3e971ff476eb2335ab69f2fcf4e18d4b151ddf76
Opcode Fuzzy Hash: 0b0506ad5b2d146664ced8278c20028e6b8f1e5887b66f19d395d1db46f6c2ab
Instruction Fuzzy Hash: FA41C8725083419BC714DFA4C881B9EF7D5BBD4618F04CB2EE59963240E73DAA868753

Function 2043CD60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

wcscpy_s.MSVCR80 ref: 2043CE05

Strings

;TYPE=SUBNODE, xrefs: 2043CDD0

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: wcscpy_s
String ID: ;TYPE=SUBNODE
API String ID: 4009619764-510700506
Opcode ID: 295bf4163d2ba2424e6742c7e7ee4d3692e7ed40754a85512b7c0dd1c1e29102
Instruction ID: 923173743ffc042a4c26aee04fc60cb36920cbffe0cc6cb874af857bf3bee5e6
Opcode Fuzzy Hash: 295bf4163d2ba2424e6742c7e7ee4d3692e7ed40754a85512b7c0dd1c1e29102
Instruction Fuzzy Hash: 732105716042005BD724DB98DC82BEB73A5EFD8308F54C83DF54A8A240EA39DA58C793

Function 20416BF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

wcstoul.MSVCR80 ref: 20416C48
wcstoul.MSVCR80 ref: 20416C59

Strings

END, xrefs: 20416BFB

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: wcstoul
String ID: END
API String ID: 892063014-2522575163
Opcode ID: 516d9ee3ffe1919fc515415a9a8dc2ebfd4fbd04545ce6306222040cf46a9d83
Instruction ID: d781e54f4b726f0326807b470d3a4157c85b224036378ecabbc1ca170fd87aed
Opcode Fuzzy Hash: 516d9ee3ffe1919fc515415a9a8dc2ebfd4fbd04545ce6306222040cf46a9d83
Instruction Fuzzy Hash: 7B1193366182064FC700DF58DC41EA7B3E5EBD4655F44892AE885DB250F664EA48C7E2

Function 20416D40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

wcstoul.MSVCR80 ref: 20416D98
wcstoul.MSVCR80 ref: 20416DA9

Strings

END, xrefs: 20416D4B

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: wcstoul
String ID: END
API String ID: 892063014-2522575163
Opcode ID: 6eea9143e0841a8954e2af8905f97407e0c322005e003e2375bcde716abbfe52
Instruction ID: 45325b7411c91057e604454dbfd3b01e2674a9d4fe60a20d8b2dc2addd9da03c
Opcode Fuzzy Hash: 6eea9143e0841a8954e2af8905f97407e0c322005e003e2375bcde716abbfe52
Instruction Fuzzy Hash: 8D1190366182068BC600DF58EC41EA7B3E5EBD4755F448A2AF844D7250E6A4EE49C7E2

Function 204169B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

#764.MFC80U(?,USER_NAME,?,?,2041A6FB,?,?,?,APP,00000000,?), ref: 204169C2
#265.MFC80U(00000000,USER_NAME,?,?,2041A6FB,?,?,?,APP,00000000,?), ref: 20416A19

Strings

USER_NAME, xrefs: 204169B2

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #265#764
String ID: USER_NAME
API String ID: 2915978212-2711683876
Opcode ID: 60220bc3fac06e7d7fd8e22c1c3b1263feaf933f0dec8b28df8d309dc7ad7a3c
Instruction ID: 718287ba2ef2795e51430284b6d98f088cd25205a8662a8475a34baa831e6628
Opcode Fuzzy Hash: 60220bc3fac06e7d7fd8e22c1c3b1263feaf933f0dec8b28df8d309dc7ad7a3c
Instruction Fuzzy Hash: 6011A97260020247C7285B68C8167A7B2A5EF94384F1DC66CDD07CB795E779EA45C280

Function 2041D2B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

#764.MFC80U(?,USER_NAME,?,?,2041F9F5,?,?,?,?,?,?,00000000,?,00000000), ref: 2041D2BF
#265.MFC80U(00000000,USER_NAME,?,?,2041F9F5,?,?,?,?,?,?,00000000,?,00000000), ref: 2041D313

Strings

USER_NAME, xrefs: 2041D2B2

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #265#764
String ID: USER_NAME
API String ID: 2915978212-2711683876
Opcode ID: 977bb986bdcdd12487ec7b74c613de0c6e298482021d6da0dcc376a75d3a9192
Instruction ID: 16bbc5916caa5d5e9459ab86b4d8b9e188137772422cfe08ee9949ad357b6734
Opcode Fuzzy Hash: 977bb986bdcdd12487ec7b74c613de0c6e298482021d6da0dcc376a75d3a9192
Instruction Fuzzy Hash: 8301D6B660010147C7289BA8C9167A7B2E6DF94754B0DC66CDD47CB7A4EA7DFE42C280

Function 20416B60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

wcstoul.MSVCR80 ref: 20416B94
#1176.MFC80U(00000000,?,?,?,?,?,?,?,?,?,?,APP,00000000,?), ref: 20416BB8

Strings

VALUE, xrefs: 20416B62

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #1176wcstoul
String ID: VALUE
API String ID: 3675936516-3928201860
Opcode ID: 204953ee459651e22383c62154fb1e0814999fc4d7b6302c92f75dfd7fd456a8
Instruction ID: 6cd52337d766cad2bbfdb2be4bb04db06c941cd6b52cfeee4ef4902ebb02185b
Opcode Fuzzy Hash: 204953ee459651e22383c62154fb1e0814999fc4d7b6302c92f75dfd7fd456a8
Instruction Fuzzy Hash: 8701B1732092154BC3109B99EC809A7F3A8EF90775B14C57BE906CB250EB69F951C6A1

Function 20416CB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

wcstoul.MSVCR80 ref: 20416CE4
#1176.MFC80U(00000000,?,?,?,?,?,?,?,?,?,?,?,?,APP,00000000,?), ref: 20416D0B

Strings

VALUE, xrefs: 20416CB2

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #1176wcstoul
String ID: VALUE
API String ID: 3675936516-3928201860
Opcode ID: 744fe91340c676ee151dcc8812c8066fed556214d2ba2870eac7fbaaadfdf688
Instruction ID: 5e542635e4cb2e281cacfe732269673ee9e98e3561a780c9365db6609ba08a47
Opcode Fuzzy Hash: 744fe91340c676ee151dcc8812c8066fed556214d2ba2870eac7fbaaadfdf688
Instruction Fuzzy Hash: E901F1333042014BC3108B98E880AA7F3A8EF90365B14C53AE942CB250EB65E951C6E1

Function 204310D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

#2340.MFC80U(A1C94593,?,?,?,2047AD46,000000FF,204311D8,?,A1C94593,?,?,00000000,2047CC2F,000000FF,20472809), ref: 20431125
#2340.MFC80U(A1C94593,?,?,?,2047AD46,000000FF,204311D8,?,A1C94593,?,?,00000000,2047CC2F,000000FF,20472809), ref: 20431158

Strings

Z}G , xrefs: 20431101, 2043113A

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2340
String ID: Z}G
API String ID: 2713651825-1569403603
Opcode ID: b0e711cb28bc94559a32db6d9f9c115b975c89de548a4b0a21120574d5059796
Instruction ID: 8c203898c7f688d659cd6d84f8d1bbcda003a320613c40679092cee84c31ed11
Opcode Fuzzy Hash: b0e711cb28bc94559a32db6d9f9c115b975c89de548a4b0a21120574d5059796
Instruction Fuzzy Hash: EC11DAB1504B018FC320CF4AC980657F7F9FFA8620F508A1FD59687B60D774A904CB51

Function 20430F70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

#2340.MFC80U(A1C94593,?,?,?,2047ADC6,000000FF,2043120B,?,?,?,?,A1C94593,?,?,00000000,2047CC2F), ref: 20430FC5
#2340.MFC80U(A1C94593,?,?,?,2047ADC6,000000FF,2043120B,?,?,?,?,A1C94593,?,?,00000000,2047CC2F), ref: 20430FF8

Strings

Z}G `IC , xrefs: 20430FA1, 20430FDA

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #2340
String ID: Z}G `IC
API String ID: 2713651825-1538320670
Opcode ID: ffd9a7c15cd2314e7afb8e63cd8cbcf8a1fa13156512ad2ccf328b0646429dc9
Instruction ID: 4b53b4b4c21d0ccb09c6883d7037afde1683d37df218632097dab51fcc10c47d
Opcode Fuzzy Hash: ffd9a7c15cd2314e7afb8e63cd8cbcf8a1fa13156512ad2ccf328b0646429dc9
Instruction Fuzzy Hash: 7311B4B1904B018FC220CF4AC580A5AFBF9FF98620F509A1FE49687B60D7B8B904CB51

Function 20416820 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

#764.MFC80U(C483FFFF,NAME,?,2041A524,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 20416833
#265.MFC80U(00000000,?,NAME,?,2041A524,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 2041688A

Strings

NAME, xrefs: 20416825

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #265#764
String ID: NAME
API String ID: 2915978212-1756795826
Opcode ID: e417d6c7d640ba29e51ed22828b6f194236f642014d8e1db654f0874495d9ca3
Instruction ID: 9b9e6db2e03491bd060ec6f1cc5890f08d9a998089444d02fccabe02c0bc4bbb
Opcode Fuzzy Hash: e417d6c7d640ba29e51ed22828b6f194236f642014d8e1db654f0874495d9ca3
Instruction Fuzzy Hash: 810186B2E0111047D714AAADD815BDBE2EA9FD4240F09C43AED4EDB364DA79DE418750

Function 2041D230 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

#764.MFC80U(?,NAME,?,2041F9B3,?,?,?,?,?,00000000,?,00000000), ref: 2041D23E
#265.MFC80U(00000000,NAME,?,2041F9B3,?,?,?,?,?,00000000,?,00000000), ref: 2041D279

Strings

NAME, xrefs: 2041D231

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #265#764
String ID: NAME
API String ID: 2915978212-1756795826
Opcode ID: b343fbe9f8c3d35c27ef8665a104de6f016a1fe6d367c5569ab81c7f72f69fb9
Instruction ID: 27df0e5e7042484b8f82d2f65be5d274d78df37164e9677cd9e857a686fc84a1
Opcode Fuzzy Hash: b343fbe9f8c3d35c27ef8665a104de6f016a1fe6d367c5569ab81c7f72f69fb9
Instruction Fuzzy Hash: FB01A2B2A0021147C7285B7898167A7B2E6AFD0244F09866CDE17CB7A4EA79E946C280

Function 20411460 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

#764.MFC80U(2040FAB2,OPTNAME,?,2041266B,?,?,?,?,?,?,?,?,?,00000000), ref: 2041146E
#265.MFC80U(00000000,OPTNAME,?,2041266B,?,?,?,?,?,?,?,?,?,00000000), ref: 204114A9

Strings

OPTNAME, xrefs: 20411461

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #265#764
String ID: OPTNAME
API String ID: 2915978212-2814441404
Opcode ID: c06f1343c6f6ff4015d8432217f7321f933cf600c8837ef54efcb357b23a6978
Instruction ID: 18af0267a53afb741a50367a9575ee059119c30dc13d8d9f85fae6b088000f58
Opcode Fuzzy Hash: c06f1343c6f6ff4015d8432217f7321f933cf600c8837ef54efcb357b23a6978
Instruction Fuzzy Hash: 0801D672A0020147DB289B6899167A7B2E69FD0B44F09C52CDD4BCB7A4EA79E946C280

Function 204114E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

#764.MFC80U(000000FF,DESC,?,204126B7,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 204114EE
#265.MFC80U(00000000,DESC,?,204126B7,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 20411529

Strings

DESC, xrefs: 204114E1

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #265#764
String ID: DESC
API String ID: 2915978212-1025524192
Opcode ID: 93ba1ca0a8181baa6ec8efd99bbd3d08027859d3c956d3f315b04a8f9d9b367b
Instruction ID: e446cb4000a4225e02b2bc687bc2567b08fe33d186fc47da35a145bccfc8ff4a
Opcode Fuzzy Hash: 93ba1ca0a8181baa6ec8efd99bbd3d08027859d3c956d3f315b04a8f9d9b367b
Instruction Fuzzy Hash: 8E01D672A0020247C7289B69D8167A7B2E69FD0344F19C52CDD0BCB7A4EA79F946C680

Function 20411560 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

#764.MFC80U(20481BC6,TYPE,?,204126DB,?,?,?,?,?,?,?,?,?,?,?,?), ref: 2041156E
#265.MFC80U(00000000,TYPE,?,204126DB,?,?,?,?,?,?,?,?,?,?,?,?), ref: 204115A9

Strings

TYPE, xrefs: 20411561

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #265#764
String ID: TYPE
API String ID: 2915978212-3125525149
Opcode ID: 65d51408a0ea5b3b09fdbd41ab366035654041028fc359d7ca2011b4bd0cb090
Instruction ID: 2cd7abbc26cf08fa152c7a898c6834cdd234cf72ce0b17dc7037bfd9d9872fd2
Opcode Fuzzy Hash: 65d51408a0ea5b3b09fdbd41ab366035654041028fc359d7ca2011b4bd0cb090
Instruction Fuzzy Hash: 6801D672A002014BD7285B7998167A7B3E69FD0254F09C52CDD0BCB7A4EA7DEA46C680

Function 204115E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

#764.MFC80U(?,GROUP,?,2041268F,?,?,?,?,?,?,?,?,?,?,00000000), ref: 204115EE
#265.MFC80U(00000000,GROUP,?,2041268F,?,?,?,?,?,?,?,?,?,?,00000000), ref: 20411629

Strings

GROUP, xrefs: 204115E1

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: #265#764
String ID: GROUP
API String ID: 2915978212-2593425013
Opcode ID: 4441ea9952aeb4f67f9bb942b7a51cbf5afd12ee8f5ab09860910747c860d621
Instruction ID: 078da062846c854fe8d229d4896ac332e971acb456084f57a9e1f0e622e69b6f
Opcode Fuzzy Hash: 4441ea9952aeb4f67f9bb942b7a51cbf5afd12ee8f5ab09860910747c860d621
Instruction Fuzzy Hash: C701DB72A0020147C7349F78D916797B2E69FD4644F0D862CDD07C77A4EA7AEE46C690

Function 2043BBE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45registryCOMMON

Download Yara Rule

APIs

Part of subcall function 2043D210: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000008,-00000023,6C954B78,?), ref: 2043D266

RegCloseKey.ADVAPI32(?,-00000002,-00000002,?,2043BF84), ref: 2043BC4F

Part of subcall function 2043D430: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,00000000,2043F01E,00000000,00000001,00000000), ref: 2043D466

Strings

InstallDir, xrefs: 2043BC20, 2043BC2A
Software\ESET\ESET Security\CurrentVersion\Info, xrefs: 2043BBED

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: InstallDir$Software\ESET\ESET Security\CurrentVersion\Info
API String ID: 3677997916-2402332192
Opcode ID: ab5813b784cd28df3b08b768c5bf18a612f79d654d01ff718f912ac86473955e
Instruction ID: 65131c554d5c207b059628cd951e31ba65e2829a174fefab873b5179a0dbc55e
Opcode Fuzzy Hash: ab5813b784cd28df3b08b768c5bf18a612f79d654d01ff718f912ac86473955e
Instruction Fuzzy Hash: 3FF046220842196AD3202BD1AC86F67B3ECEF14649F30E41DBA1082141EEBC995091E2

Function 2043BC60 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45registryCOMMON

Download Yara Rule

APIs

Part of subcall function 2043D210: RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000008,-00000023,6C954B78,?), ref: 2043D266

RegCloseKey.ADVAPI32(?,-00000002,-00000002,?,2043C2B7), ref: 2043BCCF

Part of subcall function 2043D430: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,00000000,2043F01E,00000000,00000001,00000000), ref: 2043D466

Strings

ScannerVersion, xrefs: 2043BCA0, 2043BCAA
Software\ESET\ESET Security\CurrentVersion\Info, xrefs: 2043BC6D

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: ScannerVersion$Software\ESET\ESET Security\CurrentVersion\Info
API String ID: 3677997916-1329455690
Opcode ID: 4fabe655bc6b6f0cf15cd9cd466d05cb7acbe1ac770ee6e94530c14eaa8a2f53
Instruction ID: e33bc56ea8b68f918a9df8f36d16bb2335e5f2c1da2b4c33de064e52f6140d45
Opcode Fuzzy Hash: 4fabe655bc6b6f0cf15cd9cd466d05cb7acbe1ac770ee6e94530c14eaa8a2f53
Instruction Fuzzy Hash: E3F0FC3104421569D3202BD5EC85F77B7ECEF25648F20E41DFA4543241EFBC985091D1

Function 2043D3A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32 ref: 2043D3C2
RegQueryValueExW.ADVAPI32(?,Enable,00000000,?,?,00000000), ref: 2043D3F1

Strings

Enable, xrefs: 2043D3B8, 2043D3E7

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: QueryValue
String ID: Enable
API String ID: 3660427363-4094479620
Opcode ID: ed02eb41d3ab33f6139152233edbb16b26a503998652c18463881816d381c4c5
Instruction ID: 21a20d413257b4013ad3e7cfe7eb5f0e01aac04d2ba5bc616c8e638391f3c8f9
Opcode Fuzzy Hash: ed02eb41d3ab33f6139152233edbb16b26a503998652c18463881816d381c4c5
Instruction Fuzzy Hash: FAF0C975104302AFD300CF85DC85F9BB7E8EB89610F50981DFA5886250E674EA0D9B67

Function 20416A50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

wcscpy_s.MSVCR80 ref: 20416A78
wcsncpy_s.MSVCR80 ref: 20416A8A

Strings

MODIFIED, xrefs: 20416A55

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: wcscpy_swcsncpy_s
String ID: MODIFIED
API String ID: 2961736276-2572742880
Opcode ID: 3b14faa9bb107d061dc084ee79fdf8e8909575ca574943e3d3af438eb1dd3a9d
Instruction ID: 43315aadba7b460d0b3bb39ace077c631ecd9e0630d136a34f5ba29ca97b0eb9
Opcode Fuzzy Hash: 3b14faa9bb107d061dc084ee79fdf8e8909575ca574943e3d3af438eb1dd3a9d
Instruction Fuzzy Hash: A7E02B3120451026E210530CAC05BEB7268CFCA719F068424F506EB192D7A88B8251E5

Function 2041D350 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

wcscpy_s.MSVCR80 ref: 2041D378
wcsncpy_s.MSVCR80 ref: 2041D38A

Strings

MODIFIED, xrefs: 2041D355

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: wcscpy_swcsncpy_s
String ID: MODIFIED
API String ID: 2961736276-2572742880
Opcode ID: 81984847ea2c89f37d3749c741d08e631871613c21970c91a36a12a16bae4335
Instruction ID: fa8e129176709dfeb56772712bc1153eee58b06ca9e58b6c5c0c9638e17d60fa
Opcode Fuzzy Hash: 81984847ea2c89f37d3749c741d08e631871613c21970c91a36a12a16bae4335
Instruction Fuzzy Hash: 59E061716046146BE310570CFC06BDB73A4DFC971DF068828FD15DB292D7A49B9192E5

Function 20407F10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Kernel32.dll,?,20407F85), ref: 20407F22

Part of subcall function 20478A06: __onexit.MSVCRT ref: 20478A0A

GetProcAddress.KERNEL32(75900000,20485DD0), ref: 20407F4D

Strings

Kernel32.dll, xrefs: 20407F1D

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: AddressLibraryLoadProc__onexit
String ID: Kernel32.dll
API String ID: 3191664640-1926710522
Opcode ID: 182276237d73de789b3110b188e23378c23cb851714cac343eae65dbb068b692
Instruction ID: 92a4920863b73ead2e7eac29c162c847a3ef0cf9a536e8aee4fbdd8cccbd758e
Opcode Fuzzy Hash: 182276237d73de789b3110b188e23378c23cb851714cac343eae65dbb068b692
Instruction Fuzzy Hash: 0FF08270D099234B8200CBF49DD9A463BD66B0861D701C535FA00F6364FA2CC8446B82

Function 2043D150 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

wcscpy_s.MSVCR80 ref: 2043D174
wcsncpy_s.MSVCR80 ref: 2043D18C

Strings

${ProfileName}=, xrefs: 2043D16D, 2043D185

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: wcscpy_swcsncpy_s
String ID: ${ProfileName}=
API String ID: 2961736276-3568326518
Opcode ID: 9645f0102fb7c9f4a977f96bbfedd3f02f5f17286875abe5bbfd3782ce1628cf
Instruction ID: 35c1f051060d02334839f396f06e384fa197c4b07e658202deac2d0e0b4a0606
Opcode Fuzzy Hash: 9645f0102fb7c9f4a977f96bbfedd3f02f5f17286875abe5bbfd3782ce1628cf
Instruction Fuzzy Hash: 84E0DF30244A027BE601870CAC0ABF73260CFC8B09F158828F552DA292DA98AA918288

Function 2043D1B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

wcscpy_s.MSVCR80 ref: 2043D1DC
wcsncpy_s.MSVCR80 ref: 2043D1F2

Strings

NODE;NAME=, xrefs: 2043D1B0, 2043D1D4, 2043D1EA

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: wcscpy_swcsncpy_s
String ID: NODE;NAME=
API String ID: 2961736276-3737436838
Opcode ID: 9221e6d5e071d06bcc23d811ee8fb088245b344934b43f02d6b6592d69878a72
Instruction ID: 09a811c32454f88a4cbe355f34ba139e64e1809b7de3bf9afe3b07dbb26a51b9
Opcode Fuzzy Hash: 9221e6d5e071d06bcc23d811ee8fb088245b344934b43f02d6b6592d69878a72
Instruction Fuzzy Hash: 0EE0DF2024AA0063FA104788AC86B463652BF8870EF05DD14F719DF2C5DBAD9B6883C9

Function 20410C50 Relevance: 5.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

memset.MSVCR80 ref: 20410C71
free.MSVCR80 ref: 20410C7A
memset.MSVCR80 ref: 20410CA6
free.MSVCR80 ref: 20410CAF

Memory Dump Source

Source File: 00000004.00000002.2106455947.0000000020401000.00000020.00000001.01000000.00000005.sdmp, Offset: 20400000, based on PE: true

Associated: 00000004.00000002.2106441431.0000000020400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106510721.0000000020483000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106538636.00000000204A3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106552905.00000000204A4000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106566934.00000000204A5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2106579835.00000000204A6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20400000_EHttpSrv.jbxd

Similarity

API ID: freememset
String ID:
API String ID: 2499939622-0
Opcode ID: 7ed1fa7bd064699fc94fc603efc9eee1eb75c1e7271c7244f950269077a0b571
Instruction ID: d5b3a2db785fefb14b26ed880e5bc61ec4fa5722a994a65ae12af91ff6c10451
Opcode Fuzzy Hash: 7ed1fa7bd064699fc94fc603efc9eee1eb75c1e7271c7244f950269077a0b571
Instruction Fuzzy Hash: 6F01A7716007085BC3609FEA8DC1A47F7FCEF54A55740891EFA4297A11DBB9F5408BA0

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Slf.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\6b430d.rbs

C:\Users\user\AppData\Local\Temp\5ef74389

C:\Users\user\AppData\Local\Temp\6f377be8

C:\Users\user\AppData\Local\Temp\761dc869

C:\Users\user\AppData\Local\Temp\EHttpSrv.exe

C:\Users\user\AppData\Local\Temp\MSIb41e2.LOG

C:\Users\user\AppData\Local\Temp\Microsoft.VC80.CRT.manifest

C:\Users\user\AppData\Local\Temp\Microsoft.VC80.MFC.manifest

C:\Users\user\AppData\Local\Temp\Microsoft.VC80.MFCLOC.manifest

Windows Analysis Report
Slf.msi

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre