Edit tour

Windows Analysis Report
UIxMarketPlugin.dll

Overview

General Information

Sample name:	UIxMarketPlugin.dll
Analysis ID:	1429045
MD5:	d1ba9412e78bfc98074c5d724a1a87d6
SHA1:	0572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256:	cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
Tags:	dll
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to retrieve information about pressed keystrokes

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

One or more processes crash

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6848 cmdline: loaddll32.exe "C:\Users\user\Desktop\UIxMarketPlugin.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 5824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6008 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UIxMarketPlugin.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 6680 cmdline: rundll32.exe "C:\Users\user\Desktop\UIxMarketPlugin.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 7240 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6680 -s 672 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 4296 cmdline: rundll32.exe C:\Users\user\Desktop\UIxMarketPlugin.dll,MarketCreate MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 7232 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 664 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 7396 cmdline: rundll32.exe C:\Users\user\Desktop\UIxMarketPlugin.dll,MarketRelease MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 7444 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7396 -s 664 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 7548 cmdline: rundll32.exe C:\Users\user\Desktop\UIxMarketPlugin.dll,_Finalize@0 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7620 cmdline: rundll32.exe "C:\Users\user\Desktop\UIxMarketPlugin.dll",MarketCreate MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7628 cmdline: rundll32.exe "C:\Users\user\Desktop\UIxMarketPlugin.dll",MarketRelease MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 7724 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7628 -s 664 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 7636 cmdline: rundll32.exe "C:\Users\user\Desktop\UIxMarketPlugin.dll",_Finalize@0 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7644 cmdline: rundll32.exe "C:\Users\user\Desktop\UIxMarketPlugin.dll",_Initialize@4 MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: UIxMarketPlugin.dll	ReversingLabs: Detection: 18%
Source: UIxMarketPlugin.dll	Virustotal: Detection: 12%			Perma Link

Source: UIxMarketPlugin.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, DLL

Source: UIxMarketPlugin.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UIxMarketPlugin.pdb source: rundll32.exe, 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1803415292.000000006CC5F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.1810698421.000000006CC5F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.1779888849.000000006CC5F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1819191029.000000006CC5F000.00000002.00000001.01000000.00000003.sdmp, UIxMarketPlugin.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CB5778C __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,

3_2_6CB5778C

Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_f4a2262f4d43d5b9ac2196a348f57232fa6b6712_7522e4b5_4a8c2699-ff11-4fe9-b765-eff75ae06606\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6a4b12cc5ab5a864a1114bf7acfd58aabbffc_7522e4b5_2ed9bbc9-d9dc-40e8-8bc1-c2b2b18dc67e\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue	Jump to behavior

Source: Amcache.hve.9.dr

String found in binary or memory: http://upx.sf.net

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CB7BDCA GetAsyncKeyState,WindowFromPoint,SendMessageW,ScreenToClient,

3_2_6CB7BDCA

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBB8B09 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	3_2_6CBB8B09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB6A603 MessageBeep,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,SendMessageW,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,	3_2_6CB6A603
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB6B1E9 GetParent,GetKeyState,GetKeyState,GetKeyState,SendMessageW,SendMessageW,SendMessageW,	3_2_6CB6B1E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB762B4 ScreenToClient,_memset,_free,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,	3_2_6CB762B4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB7329A SendMessageW,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageW,	3_2_6CB7329A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB7D26F IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen,	3_2_6CB7D26F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB7B3DD IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen,	3_2_6CB7B3DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBC637D GetWindowRect,GetKeyState,GetKeyState,GetKeyState,KillTimer,GetFocus,SetTimer,	3_2_6CBC637D

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC3AEDE	3_2_6CC3AEDE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC49E1C	3_2_6CC49E1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB70F8A	3_2_6CB70F8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBB3989	3_2_6CBB3989
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC3DA35	3_2_6CC3DA35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB41130	3_2_6CB41130

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CC3A9E0 appears 44 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CC3A43D appears 45 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CC3A3D4 appears 180 times

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 664

Source: UIxMarketPlugin.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, DLL

Source: classification engine

Classification label: mal48.winDLL@24/17@0/0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CB5CFC0 CoInitialize,CoCreateInstance,

3_2_6CB5CFC0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CB85CBF FindResourceW,LoadResource,LockResource,FreeResource,

3_2_6CB85CBF

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6680
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7396
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4296
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7628
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5824:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\6bad748c-da68-4f4b-9a85-4415e67a1c2f

Jump to behavior

Source: UIxMarketPlugin.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UIxMarketPlugin.dll,MarketCreate

Source: UIxMarketPlugin.dll	ReversingLabs: Detection: 18%
Source: UIxMarketPlugin.dll	Virustotal: Detection: 12%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\UIxMarketPlugin.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UIxMarketPlugin.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UIxMarketPlugin.dll,MarketCreate
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UIxMarketPlugin.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6680 -s 672
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UIxMarketPlugin.dll,MarketRelease
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7396 -s 664
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UIxMarketPlugin.dll,_Finalize@0
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UIxMarketPlugin.dll",MarketCreate
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UIxMarketPlugin.dll",MarketRelease
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UIxMarketPlugin.dll",_Finalize@0
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UIxMarketPlugin.dll",_Initialize@4
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7628 -s 664
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UIxMarketPlugin.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UIxMarketPlugin.dll,MarketCreate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UIxMarketPlugin.dll,MarketRelease	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UIxMarketPlugin.dll,_Finalize@0	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UIxMarketPlugin.dll",MarketCreate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UIxMarketPlugin.dll",MarketRelease	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UIxMarketPlugin.dll",_Finalize@0	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UIxMarketPlugin.dll",_Initialize@4	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UIxMarketPlugin.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: UIxMarketPlugin.dll

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: UIxMarketPlugin.dll

Static file information: File size 1640960 > 1048576

Source: UIxMarketPlugin.dll

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x11d200

Source: UIxMarketPlugin.dll

Static PE information: More than 200 imports for USER32.dll

Source: UIxMarketPlugin.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: UIxMarketPlugin.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: UIxMarketPlugin.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: UIxMarketPlugin.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: UIxMarketPlugin.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: UIxMarketPlugin.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: UIxMarketPlugin.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: UIxMarketPlugin.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: UIxMarketPlugin.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: UIxMarketPlugin.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: UIxMarketPlugin.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: UIxMarketPlugin.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: UIxMarketPlugin.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CC4AB94 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

3_2_6CC4AB94

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC3AA25 push ecx; ret		3_2_6CC3AA38
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC3A4AC push ecx; ret		3_2_6CC3A4BF

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBB9E81 IsWindowVisible,ScreenToClient,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect,	3_2_6CBB9E81
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBBAFD1 IsIconic,PostMessageW,	3_2_6CBBAFD1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB789B2 SetForegroundWindow,IsIconic,	3_2_6CB789B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB83902 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,	3_2_6CB83902
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB73ABC IsWindowVisible,IsIconic,	3_2_6CB73ABC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB78A56 IsIconic,	3_2_6CB78A56
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBB9B81 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	3_2_6CBB9B81
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBB9B81 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	3_2_6CBB9B81
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBB9B81 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	3_2_6CBB9B81
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBBA40C IsWindow,IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,IsWindow,IsWindow,IsWindow,GetWindowRect,PtInRect,SendMessageW,PtInRect,SendMessageW,ScreenToClient,PtInRect,GetParent,SendMessageW,GetFocus,WindowFromPoint,SendMessageW,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,SendMessageW,	3_2_6CBBA40C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBB90F2 IsWindow,GetFocus,IsChild,SendMessageW,IsChild,SendMessageW,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,	3_2_6CBB90F2

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CB5E019 __EH_prolog3_GS,GetDeviceCaps,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,_memset,GetTextCharsetInfo,lstrcpyW,lstrcpyW,EnumFontFamiliesW,EnumFontFamiliesW,lstrcpyW,EnumFontFamiliesW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,GetSystemMetrics,lstrcpyW,CreateFontIndirectW,GetStockObject,GetStockObject,GetObjectW,GetObjectW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,GetStockObject,GetObjectW,CreateFontIndirectW,CreateFontIndirectW,__EH_prolog3_GS,GetVersionExW,GetSystemMetrics,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_6CB5E019

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CB5778C __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,

3_2_6CB5778C

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_f4a2262f4d43d5b9ac2196a348f57232fa6b6712_7522e4b5_4a8c2699-ff11-4fe9-b765-eff75ae06606\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6a4b12cc5ab5a864a1114bf7acfd58aabbffc_7522e4b5_2ed9bbc9-d9dc-40e8-8bc1-c2b2b18dc67e\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue	Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\rundll32.exe

API call chain: ExitProcess graph end node

graph_3-43237

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CBB9CA2 __EH_prolog3,GetSystemMenu,IsMenu,IsMenu,IsMenu,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,RedrawWindow,

3_2_6CBB9CA2

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CC40458 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_6CC40458

Source: C:\Windows\SysWOW64\rundll32.exe

3_2_6CC4AB94

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC40458 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		3_2_6CC40458
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC39185 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		3_2_6CC39185

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UIxMarketPlugin.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CC42D23 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

3_2_6CC42D23

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CC46799 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,LdrInitializeThunk,LdrInitializeThunk,

3_2_6CC46799

Source: C:\Windows\SysWOW64\rundll32.exe

3_2_6CB5E019

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	11 Virtualization/Sandbox Evasion	21 Input Capture	2 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	3 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
UIxMarketPlugin.dll	18%	ReversingLabs	Win32.Trojan.Generic
UIxMarketPlugin.dll	13%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.9.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1429045
Start date and time:	2024-04-20 11:34:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	UIxMarketPlugin.dll
Detection:	MAL
Classification:	mal48.winDLL@24/17@0/0
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 83% Number of executed functions: 14 Number of non-executed functions: 290
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target rundll32.exe, PID 7396 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 7628 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time	Type	Description
11:35:08	API Interceptor	1x Sleep call for process: loaddll32.exe modified
11:35:10	API Interceptor	4x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6a4b12cc5ab5a864a1114bf7acfd58aabbffc_7522e4b5_2ed9bbc9-d9dc-40e8-8bc1-c2b2b18dc67e\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9169191604141269
Encrypted:	false
SSDEEP:	192:NcBi5zOhq0BU/wjeTqPZrICzuiFOZ24IO8dciw:+Bi56hxBU/wjeszuiFOY4IO8dci
MD5:	CEDE392BAA3DFA85A6745C5281954AD6
SHA1:	31EA79CFADFB23648DE43EBC43C0E9272D9DAC20
SHA-256:	565F1B4B28D75EB0D6383BCAAEC423A370B081FB01E32AB3B5A0338D1CB6E805
SHA-512:	68E1E14AB724333DC4FBF3D9D8E293FBA95AFCA58F26340DFBAF9853522E8FD4FB7C5F3CEB0C2681146346336D93A1F014DD5F67CFC7F49E46B8F7B88590D827
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.0.7.9.3.0.2.5.1.3.7.4.9.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.0.7.9.3.0.2.9.6.6.8.0.7.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.e.d.9.b.b.c.9.-.d.9.d.c.-.4.0.e.8.-.8.b.c.1.-.c.2.b.2.b.1.8.d.c.6.7.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.f.2.4.3.c.8.0.-.c.b.0.c.-.4.1.0.1.-.9.c.3.2.-.d.5.f.0.c.2.8.f.8.6.5.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.e.4.-.0.0.0.1.-.0.0.1.4.-.6.2.9.5.-.d.e.0.4.0.6.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6a4b12cc5ab5a864a1114bf7acfd58aabbffc_7522e4b5_6d591dea-2ba8-4815-b033-90e29eb221c5\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9169449133066548
Encrypted:	false
SSDEEP:	192:h2Ji/JzOlq0BU/wjeTqPZrICzuiFOZ24IO8dci:8Jix6lxBU/wjeszuiFOY4IO8dci
MD5:	13DEBEF552EBDBDFB1D3B070D0E7E037
SHA1:	221AA96DAE3EF3BDD335EA5D7009537F67A98C33
SHA-256:	4311E17B4C7A3F93CD63D01A13726EA0D75E167E3018B97360C8DBB704FBC9B3
SHA-512:	6807E928C969093DA16B3D7A2CDA162B6477AF9A5F3C7D3B47E5E5BD011826DE099F4A5E81700AF039CB3FBDAA2AA89672A71803AE9B46D5CDF08304DDA71737
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.0.7.9.3.0.8.6.2.0.4.1.1.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.0.7.9.3.0.8.9.4.8.5.2.0.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.d.5.9.1.d.e.a.-.2.b.a.8.-.4.8.1.5.-.b.0.3.3.-.9.0.e.2.9.e.b.2.2.1.c.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.e.8.5.d.a.7.c.-.e.6.c.c.-.4.0.2.a.-.8.6.e.1.-.d.d.7.b.e.a.9.4.4.6.9.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.c.c.-.0.0.0.1.-.0.0.1.4.-.5.2.6.c.-.8.1.0.8.0.6.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_f4a2262f4d43d5b9ac2196a348f57232fa6b6712_7522e4b5_4a8c2699-ff11-4fe9-b765-eff75ae06606\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9171633720004378
Encrypted:	false
SSDEEP:	192:MGi9zOjz0BU/wjeTqPZrICzuiFOZ24IO8dci:hi96jgBU/wjeszuiFOY4IO8dci
MD5:	A8CCC759B41724DD95B618BF0799D402
SHA1:	CFD59F597414473B1ED46D2E58D2EF8AFED4B831
SHA-256:	0CBE6DEFC1596D54825562A2D410CF6E7535AF83E9F3BFB1C985B88FE557CA4C
SHA-512:	ECCC292AD2117902083F22B02EF4E94951B6A91D92E0C663FF8E49FED4E4D4570C73DC54410F1152E8447A71C00C42CAEF3C923760C885BDD27291404A1F2A08
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.0.7.9.2.9.9.8.4.6.8.6.4.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.0.7.9.3.0.0.9.7.1.8.6.1.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.a.8.c.2.6.9.9.-.f.f.1.1.-.4.f.e.9.-.b.7.6.5.-.e.f.f.7.5.a.e.0.6.6.0.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.1.6.1.9.4.5.5.-.2.7.0.f.-.4.7.7.4.-.b.e.4.0.-.c.0.c.3.4.c.d.4.5.d.0.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.1.8.-.0.0.0.1.-.0.0.1.4.-.e.4.2.9.-.1.3.0.3.0.6.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_f4a2262f4d43d5b9ac2196a348f57232fa6b6712_7522e4b5_881e2de0-372e-410d-9f8d-be4be5931c9d\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9164981196324312
Encrypted:	false
SSDEEP:	192:lbxmiodzO3z0BU/wjeTqPZrICzuiFOZ24IO8dci:vmiq63gBU/wjeszuiFOY4IO8dci
MD5:	352B748030504EE0D40FBC9DAC7A532F
SHA1:	B40F5658625A28CB3594EE37F94581DDD0D4C15C
SHA-256:	3446301AB912C564F8DEAA088EA721BFD2014E3E69A8CD4DAAED58F7AA3F5D58
SHA-512:	47E85BC7B53CD965B8C4846252BD58587BD145B81D415AF016119707D0AF612A62DD11840D792408B827EA6CA115A9832BDAA6F6D095CBFBC9FE23390E9D13F7
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.0.7.9.2.9.9.8.3.9.0.3.0.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.0.7.9.3.0.0.9.3.2.7.8.1.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.8.1.e.2.d.e.0.-.3.7.2.e.-.4.1.0.d.-.9.f.8.d.-.b.e.4.b.e.5.9.3.1.c.9.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.8.e.1.6.3.4.4.-.1.7.1.a.-.4.b.5.2.-.8.1.0.5.-.5.d.f.a.2.0.3.4.1.6.4.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.c.8.-.0.0.0.1.-.0.0.1.4.-.d.6.c.d.-.1.0.0.3.0.6.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1C48.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Apr 20 09:35:00 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	45568
Entropy (8bit):	1.938788622619129
Encrypted:	false
SSDEEP:	192:vvc+lwbclQZXXnDfUZMO5H4XLuzwtp+Fq3TLUHOwfq2uF:3c++bcinDf05HzzwtpF3TEO/
MD5:	F42CBF2BD3216C2BD0B9C64A6A6F498F
SHA1:	CF918E2B2F7A92759578DB6B9918202705F72B4A
SHA-256:	E21CFC6DF52D97E3F62E0329F1A2C0EE596FCBD6EFD534B7AEE6E87437A1A410
SHA-512:	6619D98A5F4B9B873FA27C858B472857DD42FC49383D655B5772D2BAD6A753AD3750CDE6FA9B540E31ED9D79557ECD73F1F35071CB746085B12FDB356763CF16
Malicious:	false
Preview:	MDMP..a..... .......D.#f.........................................+..........T.......8...........T...........x...............X...........D...............................................................................eJ..............GenuineIntel............T...........C.#f.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1C67.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Apr 20 09:35:00 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	44356
Entropy (8bit):	2.0008919248350883
Encrypted:	false
SSDEEP:	192:vkbwbHQZXXnoCLO5H4XVYWo5Ag/fFfGa8:scb8noV5Hcvo5Agfp8
MD5:	565F622D3E49A0A82E01B671C0E82506
SHA1:	2EB48EFE3E148E0247216BB360A3DE585094BF6C
SHA-256:	16FDFBB0590A43037F14634A307E15B6DB4D98D124F682F76D4F7DAD9D7A024D
SHA-512:	E5157B5156264DA2E09E44BBE106A3A125D10AFBE6ABC73552E7BB814C2B7C7E236FEEE33A9FD83B4E6031A4CBB28368BB8B376E270BB0172ADB74D151A37E10
Malicious:	false
Preview:	MDMP..a..... .......D.#f.........................................+..........T.......8...........T...............\|...........X...........D...............................................................................eJ..............GenuineIntel............T...........C.#f.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E8B.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8278
Entropy (8bit):	3.690622226434646
Encrypted:	false
SSDEEP:	192:R6l7wVeJEC6IeG16YIw67gmfT98pr789bPCsfwxwFm:R6lXJR6IeG16YP67gmfT9lPBf8P
MD5:	C5BC00237B3AD9CD3E39B874685A1825
SHA1:	0CC7B631561729E342BCFF8B7C990A1E9FD33BE0
SHA-256:	88B933314C75EF3D8A100F09A256EE8D1FCFFDE47B6D703FC413D790758CCFB9
SHA-512:	11963FE9FFFF65513E7E2C4062E3642471F0FFB2E90084B248E7AEC64A35E21AF09EA11CE4DE91EAF089FD98E2A2AF59F0ABDED214B18B4911836632C0068972
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.2.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ED9.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8272
Entropy (8bit):	3.6917903834014107
Encrypted:	false
SSDEEP:	192:R6l7wVeJFz6mGayme6YFh6ngmfT98pr789bPksfqFm:R6lXJx6mG/6Yj6ngmfT9lPXfx
MD5:	743C16286E5C81F447F999DB7011C549
SHA1:	41F8C59FBA85E9B7B0F85458151D7C0DE78015AA
SHA-256:	9DDD8AD594224D5FE9F10F2BE576DB60C444496AAFF7376E9C0EC5CD33F4AFA5
SHA-512:	33C4907B726EB00BD382792A82348AEA0B9DE2E17655EB147F44F18331FD01FE27F2157125F1A48A9DFB0BA1D462651AB6E4316D0B759439DE9F08A9737F9A6B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.8.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1F28.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4662
Entropy (8bit):	4.469758995638258
Encrypted:	false
SSDEEP:	48:cvIwWl8zsCJg77aI9ilWpW8VY1Ym8M4JCdPaW8Fx+q8/wsSIGScSAd:uIjfQI78U7VRJDWk7snJ3Ad
MD5:	5C586B038C7F4F17D7FF9E0F54A7A710
SHA1:	BC236BA436CC94DEA74759021A2DDFD9F17FA10D
SHA-256:	CBDF62D800E1B4F0D0E77CF5B7CBECB0750E8820FAF26FD0F31E63FFBC591BD4
SHA-512:	1018ADE9CF190BC3EC7982C2393B849FE0FE66A792F779F977B3399D7A9A2B65883D7AA6C2B0C272D7CE9A5F90C2E7DEA95D7BEA44F2EF2BCEEAA210F9B27C9E
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288037" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1F76.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4662
Entropy (8bit):	4.470755269754867
Encrypted:	false
SSDEEP:	48:cvIwWl8zsCJg77aI9ilWpW8VYpYm8M4JCdPaW8F5hvno+q8/wsSQinGScStd:uIjfQI78U7VxJDWOA7sOnJ3td
MD5:	6257D37BCC378F5A710AC4A761473431
SHA1:	D0836214D3647D9B6178BBBF3779FC0188AE2D67
SHA-256:	894F91F218F0CDD45F585B9FEC035E8C925F114A054DB46060C1B0F8EB377B14
SHA-512:	4423B3173CA50D3F868783B62A233CB4CEF5A24BBA29816FE1D6C556ACAE40A4AF1F56974690AE83E2BE2FE2282AD9AEED932B0C09071ACFA28100DA58B1FCCB
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288037" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER26A8.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Apr 20 09:35:02 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	44420
Entropy (8bit):	1.9800580285756308
Encrypted:	false
SSDEEP:	192:J3bwbpQZXXnhOjrqXO5H4XYx+cH07MBtCZeIWWM7+S/yRK:JcbOn0z5HtjBSexJp
MD5:	82DE42E9D6C4435617FD7B10798FC74D
SHA1:	83C1F05BA0620F5395068576792E7507DD296DA3
SHA-256:	CB7D65A4C4BA9379943177C0DC90CF27FCCF9B714A2FA7AEA4DC24BBA320D552
SHA-512:	5E50CD8CA6D845C214D454E718FF9FAB008EA09A179A5C7BCEAAC7FB06DD9B90C99BD2B68D9FAC0E4C671F3699EC7B8AA2C77A487DA9A316B913BDB979E23679
Malicious:	false
Preview:	MDMP..a..... .......F.#f.........................................+..........T.......8...........T...........x...............X...........D...............................................................................eJ..............GenuineIntel............T...........F.#f.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2716.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8276
Entropy (8bit):	3.691710337404795
Encrypted:	false
SSDEEP:	192:R6l7wVeJeB6uGwb6YIR6ygmfTS8prH89bdQsfd7fm:R6lXJw6uG86Yu6ygmfTShdjfdK
MD5:	925C3712C755E042AF6881A85C92F3A4
SHA1:	EB21031580BC381922283700D18891BB0900E260
SHA-256:	1BC9075A32DF2227DAE42DB04ADE6567E84ED957697B817472A6438F22C6600E
SHA-512:	8313C8F2F0A1304F7114E2AB7A4AC1330DF7587F4436298B9A47F387AABA508363C62F420C13B6B003957D87A9B8902F0A12E19F7BCE19B8DAD18978492FE666
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER27D3.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4662
Entropy (8bit):	4.472379149129144
Encrypted:	false
SSDEEP:	48:cvIwWl8zsCJg77aI9ilWpW8VYIYm8M4JCdPaWLFbl+q8/wsS+GScS6d:uIjfQI78U7V4JDW/7sxJ36d
MD5:	781DF6FDCA3F838758EE5CEA26F07452
SHA1:	352E29734B29FF1FBF8E2AE037BB7A5F004AE60B
SHA-256:	0534A3A16796C305BEAED19846CFA15F601BA7E989709A17550B716F1A0543FE
SHA-512:	06B77C3742E216BBDACC121AD45424FCA70B91C5A2DA84A9A3DBC95C3D86884FA2FB07ED53970755A9DE04505699B2483D1D985DA5339148B3C3C952D4EE63DC
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288037" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E85.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Apr 20 09:35:08 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	43980
Entropy (8bit):	1.9660490230878094
Encrypted:	false
SSDEEP:	192:3JqwbzQZXXnVUAuCXO5H4Xm4KxC/RFg2v8TPGv2i:ZlbQnVU95Hz4KxC/XgBSj
MD5:	C691B0655D76D219B0EFB9428B487346
SHA1:	1F851FAE7916CC1DAEDD2CE4DA63BACB90C8A03B
SHA-256:	5B4C773A29D386A5930DB375C2DB3C04BFFE7FDC8538691E10F7EF9D50463DE7
SHA-512:	00B232F4AC1DB52234C2F55BF900DE7288C2DC480E547AF80B2C9762A7BDC9592ABFC8F07FFB76FA17F8CB7C8DD36A1558E2EBA24ED1545D03F8435C1F5B4AD4
Malicious:	false
Preview:	MDMP..a..... .......L.#f.........................................+..........T.......8...........T...........x...T...........X...........D...............................................................................eJ..............GenuineIntel............T...........L.#f.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3EE4.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8268
Entropy (8bit):	3.6915145709013233
Encrypted:	false
SSDEEP:	192:R6l7wVeJm46oGSH6YI56jgmfTS8prO89bHesfetm:R6lXJx6oGy6YW6jgmfTSeHdf1
MD5:	0A7244CAE4B53FF55347DD1739120392
SHA1:	74AE7B041A858F0FB9BF71F14ADAE1BD07EDD1C9
SHA-256:	361BEA9623458BDC49CCF7063D4CCB275D0DD90C347A67F49C961DE4268FF3E6
SHA-512:	66400818EEDD2C1C131DB5C11C56FE550C40A0D1E23A61CFE587A9D5288BC906DBF52E67AAAA930C258D5C796753F36D72F3C7150462C444FB4187014CE51B8E
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.2.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F14.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4662
Entropy (8bit):	4.471657325233035
Encrypted:	false
SSDEEP:	48:cvIwWl8zsCJg77aI9ilWpW8VY7Ym8M4JCdPaWLFi+q8/wsS66KGScSud:uIjfQI78U7VvJDWQ7spJ3ud
MD5:	DAA0956FEF9C83988A5F9CBD9AB0818A
SHA1:	96CED4CBB31ED54C1B0A76B7308E3688DDFFFC38
SHA-256:	2AC039E09512FD59B6DC4438664E8576E0C50EE0B3C66810EDBE0C1CC2E68AE3
SHA-512:	CF9CDD52D58FF05D68BF635BE540F4AB8715D460778E34E7D3288B4F0BEACDDAB53E11F1EFA0C0DBEC094D0C13525FB6BA6A06FEAA7AA0979FEC43F787E042D4
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288037" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.46623869994409
Encrypted:	false
SSDEEP:	6144:cIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNxdwBCswSbG:hXD94+WlLZMM6YFHT+G
MD5:	CF26F5AB2896A83EB20C3A9941BFEFFB
SHA1:	D5C1D9B38996A65D68315D2935FB97B264F66A6A
SHA-256:	7A23137D6F739DA278696F28930E2F19F75834C90B6397DDF6219597222EA6FB
SHA-512:	14CD3B78AA2E13A2B5A63F7869753B322D1773A7B197763033ACA87C66C217F66D9416AC0795EB00CC8955690CFCBEAC07B72B5481452EF40AB7153A6B38B380
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.@c..................................................................................................................................................................................................................................................................................................................................................Iu7........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.484662993855079
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	UIxMarketPlugin.dll
File size:	1'640'960 bytes
MD5:	d1ba9412e78bfc98074c5d724a1a87d6
SHA1:	0572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256:	cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA512:	8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f
SSDEEP:	49152:/7Q2CH7FiYk7q8wOP2nyh9VgFdJYZL6MsQv4Pvg3KIA8wuSgKacXTT3Kos2lpm:sZH7FZk7LP2nyh9VgFdJYZL6NQgPVIAv
TLSH:	C6758D223680807AD27A3670D72EB37DB2FD95704E314287B9A10F397E35492962D7DB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?.e.^.6.^.6.^.6.&K6.^.6.&[6.^.6.^.6.].6.(V6.^.6.(b6[^.6.(c6._.6.(g6.^.6.(S6.^.6.(R6.^.6.(U6.^.6Rich.^.6................PE..L..

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100f9f93
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x556BF902 [Mon Jun 1 06:17:38 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	12fbd1bc75de00e13e4da8fd25e68e9a

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FA4E490E577h
call 00007FA4E49172F5h
push dword ptr [ebp+08h]
mov ecx, dword ptr [ebp+10h]
mov edx, dword ptr [ebp+0Ch]
call 00007FA4E490E461h
pop ecx
pop ebp
retn 000Ch
mov edi, edi
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
je 00007FA4E490E59Fh
push dword ptr [ebp+08h]
push 00000000h
push dword ptr [1016ECF0h]
call dword ptr [1011F26Ch]
test eax, eax
jne 00007FA4E490E58Ah
push esi
call 00007FA4E490F293h
mov esi, eax
call dword ptr [1011F3F4h]
push eax
call 00007FA4E490F243h
pop ecx
mov dword ptr [esi], eax
pop esi
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ebx
mov eax, dword ptr [ebp+0Ch]
add eax, 0Ch
mov dword ptr [ebp-04h], eax
mov ebx, dword ptr fs:[00000000h]
mov eax, dword ptr [ebx]
mov dword ptr fs:[00000000h], eax
mov eax, dword ptr [ebp+08h]
mov ebx, dword ptr [ebp+0Ch]
mov ebp, dword ptr [ebp-04h]
mov esp, dword ptr [ebx-04h]
jmp eax
pop ebx
leave
retn 0008h
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
mov esi, dword ptr fs:[00000000h]
mov dword ptr [ebp-04h], esi
mov dword ptr [ebp-08h], 100FA054h
push 00000000h
push dword ptr [ebp+0Ch]
push dword ptr [ebp-08h]
push dword ptr [ebp+08h]
call 00007FA4E4923DFFh
mov eax, dword ptr [ebp+0Ch]
mov eax, dword ptr [eax+04h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[C++] VS2010 build 30319
[EXP] VS2010 build 30319
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x162ac0	0x99	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x15fb9c	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x171000	0x51c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x172000	0x1a0f8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x11fc90	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x148ad0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11f000	0x8b4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11d016	0x11d200	19c22e50444b2cb95ca4b8dabebd0451	False	0.5568855148509426	COM executable for DOS	6.588771268212372	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x11f000	0x43b59	0x43c00	2cb3a6941f9c3dc2670270e0c20f3879	False	0.2618700991697417	data	5.248483094701738	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x163000	0xd4fc	0x5e00	3994260b23fd11cb128a1f8bb327feea	False	0.2810837765957447	OpenPGP Public Key	4.905865876978756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x171000	0x51c	0x600	952d409009613bb50a943166bbec340f	False	0.4010416666666667	data	4.542443196063801	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x172000	0x29364	0x29400	1b3611266ed137e60ef23b3549d980a9	False	0.2672644412878788	data	4.954189557699308	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x1710a0	0x320	data	Japanese	Japan	0.46
RT_MANIFEST	0x1713c0	0x15a	ASCII text, with CRLF line terminators	English	United States	0.5491329479768786

Imports

DLL	Import
KERNEL32.dll	VerifyVersionInfoW, VerSetConditionMask, GetConsoleMode, GetConsoleCP, LCMapStringW, GetTimeZoneInformation, GetStringTypeW, QueryPerformanceCounter, GetEnvironmentStringsW, WriteConsoleW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetModuleFileNameA, GetStartupInfoW, SetHandleCount, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, HeapDestroy, HeapCreate, GetStdHandle, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetFileType, SetStdHandle, VirtualQuery, GetSystemInfo, VirtualAlloc, GetSystemTimeAsFileTime, ExitProcess, HeapQueryInformation, HeapSize, CreateThread, ExitThread, HeapReAlloc, RaiseException, RtlUnwind, HeapFree, GetCommandLineA, EncodePointer, DecodePointer, HeapAlloc, FindResourceExW, VirtualProtect, SearchPathW, Sleep, GetProfileIntW, GetTickCount, InitializeCriticalSectionAndSpinCount, GetTempPathW, GetTempFileNameW, GetNumberFormatW, GetWindowsDirectoryW, lstrcpyW, GetCurrentDirectoryW, GetFileTime, GetFileSizeEx, GetFileAttributesW, FileTimeToLocalFileTime, GetFileAttributesExW, GetUserDefaultUILanguage, GetLocaleInfoW, InterlockedExchange, GetFullPathNameW, GetVolumeInformationW, FindFirstFileW, FindClose, GetCurrentProcess, DuplicateHandle, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, CreateFileW, lstrcmpiW, GlobalFlags, FreeResource, GlobalAddAtomW, GlobalFindAtomW, GlobalDeleteAtom, GetVersionExW, LoadLibraryW, lstrcmpW, FileTimeToSystemTime, lstrlenA, lstrcmpA, GlobalGetAtomNameW, CompareStringW, InterlockedIncrement, GetModuleHandleW, GetProcAddress, WaitForSingleObject, GetCurrentThreadId, ResumeThread, SetThreadPriority, CloseHandle, MultiByteToWideChar, CopyFileW, GlobalSize, FormatMessageW, MulDiv, lstrlenW, WideCharToMultiByte, GetCurrentProcessId, FreeLibrary, FindResourceW, LoadResource, LockResource, SizeofResource, InterlockedDecrement, GetModuleFileNameW, ActivateActCtx, ReleaseActCtx, DeactivateActCtx, TlsFree, GlobalFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalAlloc, GlobalHandle, GlobalUnlock, GlobalReAlloc, GlobalLock, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalFree, LocalAlloc, GetLastError, SetLastError
USER32.dll	SetCapture, MapVirtualKeyW, IsRectEmpty, CreatePopupMenu, GetMenuDefaultItem, RedrawWindow, SetLayeredWindowAttributes, EnumDisplayMonitors, KillTimer, SetTimer, DeleteMenu, ShowOwnedPopups, SetCursor, IntersectRect, InvalidateRect, SetRectEmpty, IsIconic, PostQuitMessage, EndPaint, BeginPaint, GetWindowDC, GrayStringW, DrawTextExW, DrawTextW, TabbedTextOutW, FillRect, SystemParametersInfoW, DestroyMenu, GetMenuItemInfoW, InflateRect, CharUpperW, DestroyIcon, GetDesktopWindow, RealChildWindowFromPoint, ClientToScreen, ShowWindow, MoveWindow, SetWindowTextW, IsDialogMessageW, CheckDlgButton, RegisterWindowMessageW, LoadIconW, SendDlgItemMessageW, SendDlgItemMessageA, WinHelpW, IsChild, GetCapture, GetClassLongW, GetClassNameW, SetPropW, GetPropW, RemovePropW, IsWindow, SetFocus, GetForegroundWindow, SetActiveWindow, BeginDeferWindowPos, EndDeferWindowPos, GetDlgItem, GetTopWindow, DestroyWindow, GetMessageTime, GetMessagePos, MonitorFromWindow, GetMonitorInfoW, MapWindowPoints, ScrollWindow, TrackPopupMenu, IsZoomed, SetScrollRange, GetScrollRange, SetScrollPos, GetScrollPos, SetForegroundWindow, GetAsyncKeyState, UpdateWindow, GetClientRect, PostMessageW, CreateWindowExW, SetWindowRgn, SetParent, ReleaseCapture, InvertRect, DrawFocusRect, GetClassInfoExW, GetClassInfoW, RegisterClassW, AdjustWindowRectEx, GetWindowRect, ScreenToClient, EqualRect, DeferWindowPos, GetScrollInfo, SetScrollInfo, CopyRect, PtInRect, SetWindowPlacement, GetWindowPlacement, GetDlgCtrlID, DefWindowProcW, CallWindowProcW, HideCaret, EnableScrollBar, NotifyWinEvent, MessageBeep, GetNextDlgTabItem, OffsetRect, GetIconInfo, CopyImage, LoadImageW, GetNextDlgGroupItem, DrawIconEx, EndDialog, CreateDialogIndirectParamW, TranslateAcceleratorW, UnhookWindowsHookEx, MessageBoxW, EnableWindow, IsWindowEnabled, GetLastActivePopup, GetWindowLongW, GetParent, SendMessageW, GetWindowThreadProcessId, RemoveMenu, GetSubMenu, GetMenuItemCount, InsertMenuW, PostThreadMessageW, GetMenuItemID, AppendMenuW, GetMenuStringW, GetMenuState, ValidateRect, GetCursorPos, PeekMessageW, GetKeyState, IsWindowVisible, GetActiveWindow, DispatchMessageW, TranslateMessage, GetMessageW, CallNextHookEx, SetWindowsHookExW, GetSysColorBrush, GetSysColor, ReleaseDC, GetDC, GetSystemMetrics, DestroyAcceleratorTable, SetClassLongW, GetSystemMenu, LoadCursorW, GetWindowTextW, GetWindowTextLengthW, CheckMenuItem, EnableMenuItem, ModifyMenuW, GetFocus, LoadBitmapW, GetMenuCheckMarkDimensions, SetMenuItemBitmaps, GetWindow, SetWindowPos, SetWindowLongW, GetMenu, DrawStateW, DrawEdge, DrawFrameControl, CopyAcceleratorTableW, ToUnicodeEx, GetKeyboardLayout, GetKeyboardState, BringWindowToTop, InsertMenuItemW, LoadAcceleratorsW, LoadMenuW, ReuseDDElParam, UnpackDDElParam, SetRect, ShowScrollBar, WindowFromPoint, CreateAcceleratorTableW, SetCursorPos, LockWindowUpdate, GetKeyNameTextW, OpenClipboard, SetClipboardData, CloseClipboard, EmptyClipboard, IsCharLowerW, MapVirtualKeyExW, UnionRect, UpdateLayeredWindow, MonitorFromPoint, IsMenu, GetWindowRgn, DestroyCursor, DrawIcon, MapDialogRect, SubtractRect, GetDoubleClickTime, CharUpperBuffW, CopyIcon, RegisterClipboardFormatW, GetUpdateRect, FrameRect, IsClipboardFormatAvailable, SetMenuDefaultItem, CreateMenu, TranslateMDISysAccel, DrawMenuBar, DefMDIChildProcW, DefFrameProcW, WaitMessage, SetMenu
GDI32.dll	PtVisible, RectVisible, TextOutW, Escape, SelectObject, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, OffsetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, ExtSelectClipRgn, DeleteDC, CreatePatternBrush, GetStockObject, SelectPalette, GetObjectType, CreatePen, CreateSolidBrush, CreateHatchBrush, CreateCompatibleBitmap, CreateRectRgnIndirect, SetRectRgn, CombineRgn, PatBlt, DPtoLP, CreateDIBitmap, GetTextMetricsW, EnumFontFamiliesW, GetTextCharsetInfo, GetBkColor, GetNearestPaletteIndex, RealizePalette, GetSystemPaletteEntries, CreateDIBSection, CreateRoundRectRgn, GetWindowExtEx, GetTextColor, CreateEllipticRgn, Polyline, Ellipse, Polygon, SetDIBColorTable, StretchBlt, SetPixel, Rectangle, OffsetRgn, GetRgnBox, EnumFontFamiliesExW, LPtoDP, GetWindowOrgEx, GetViewportOrgEx, PtInRegion, FillRgn, FrameRgn, GetBoundsRect, ExtFloodFill, SetPaletteEntries, SetPixelV, GetTextFaceW, CreatePalette, GetPixel, SetTextAlign, MoveToEx, LineTo, IntersectClipRect, ExcludeClipRect, GetClipBox, SetMapMode, SetROP2, GetViewportExtEx, CreateRectRgn, SelectClipRgn, SetLayout, CreatePolygonRgn, GetLayout, GetDeviceCaps, SetPolyFillMode, SetBkMode, RestoreDC, SaveDC, GetTextExtentPoint32W, ExtTextOutW, BitBlt, CreateCompatibleDC, CreateFontIndirectW, DeleteObject, GetObjectW, SetBkColor, SetTextColor, CreateBitmap, CreateDCW, GetPaletteEntries, CopyMetaFileW
WINSPOOL.DRV	DocumentPropertiesW, OpenPrinterW, ClosePrinter
COMDLG32.dll	GetFileTitleW
ADVAPI32.dll	RegQueryValueExW, RegEnumKeyExW, RegSetValueExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegOpenKeyExW, RegCloseKey
SHELL32.dll	SHGetFileInfoW, SHGetDesktopFolder, SHGetPathFromIDListW, SHGetSpecialFolderLocation, SHAppBarMessage, SHBrowseForFolderW, DragQueryFileW, DragFinish, ShellExecuteW
ole32.dll	OleRun, OleGetClipboard, RegisterDragDrop, CoLockObjectExternal, RevokeDragDrop, DoDragDrop, OleLockRunning, IsAccelerator, OleTranslateAccelerator, OleDestroyMenuDescriptor, OleCreateMenuDescriptor, CreateStreamOnHGlobal, CoInitializeEx, CoInitialize, CoUninitialize, CoCreateInstance, OleDuplicateData, CoTaskMemAlloc, ReleaseStgMedium, CoTaskMemFree
OLEAUT32.dll	VariantChangeType, VariantClear, SysFreeString, VarBstrFromDate, VariantInit, SysAllocString, VariantTimeToSystemTime, SystemTimeToVariantTime, SysStringLen, SysAllocStringLen
SHLWAPI.dll	PathRemoveFileSpecW, PathFindExtensionW, PathIsUNCW, PathStripToRootW, PathFindFileNameW
OLEACC.dll	AccessibleObjectFromWindow, CreateStdAccessibleObject, LresultFromObject
gdiplus.dll	GdipDrawImageI, GdipGetImageGraphicsContext, GdipBitmapUnlockBits, GdipBitmapLockBits, GdipCreateBitmapFromScan0, GdipCreateBitmapFromStream, GdipGetImagePalette, GdipGetImagePaletteSize, GdipFree, GdipAlloc, GdipDeleteGraphics, GdipDisposeImage, GdipCreateBitmapFromHBITMAP, GdiplusStartup, GdiplusShutdown, GdipCreateFromHDC, GdipSetInterpolationMode, GdipDrawImageRectI, GdipCloneImage, GdipGetImageWidth, GdipGetImageHeight, GdipGetImagePixelFormat
MSIMG32.dll	TransparentBlt, AlphaBlend
IMM32.dll	ImmReleaseContext, ImmGetContext, ImmGetOpenStatus
WINMM.dll	PlaySoundW
COMCTL32.dll	ImageList_GetIconSize

Exports

Name	Ordinal	Address
MarketCreate	1	0x100031b0
MarketRelease	2	0x10003250
_Finalize@0	3	0x100031a0
_Initialize@4	4	0x10003140

Possible Origin

Language of compilation system	Country where language is spoken	Map
Japanese	Japan
English	United States

Target ID:	0
Start time:	11:34:59
Start date:	20/04/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\UIxMarketPlugin.dll"
Imagebase:	0xad0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:34:59
Start date:	20/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:34:59
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UIxMarketPlugin.dll",#1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:34:59
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\UIxMarketPlugin.dll,MarketCreate
Imagebase:	0x6a0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:34:59
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\UIxMarketPlugin.dll",#1
Imagebase:	0x6a0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:34:59
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 664
Imagebase:	0xcd0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:34:59
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6680 -s 672
Imagebase:	0xcd0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:35:02
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\UIxMarketPlugin.dll,MarketRelease
Imagebase:	0x6a0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:35:02
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7396 -s 664
Imagebase:	0xcd0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:35:05
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\UIxMarketPlugin.dll,_Finalize@0
Imagebase:	0x6a0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:35:08
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\UIxMarketPlugin.dll",MarketCreate
Imagebase:	0x6a0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:35:08
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\UIxMarketPlugin.dll",MarketRelease
Imagebase:	0x6a0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	11:35:08
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\UIxMarketPlugin.dll",_Finalize@0
Imagebase:	0x6a0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	11:35:08
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\UIxMarketPlugin.dll",_Initialize@4
Imagebase:	0x6a0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	11:35:08
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7628 -s 664
Imagebase:	0xcd0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.2%
Total number of Nodes:	497
Total number of Limit Nodes:	17

Executed Functions

Function 6CB5E019 Relevance: 105.6, APIs: 48, Strings: 12, Instructions: 557
libraryloaderstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB5E023

Part of subcall function 6CB599DE: __EH_prolog3.LIBCMT ref: 6CB599E5
Part of subcall function 6CB599DE: GetWindowDC.USER32(00000000,00000004,6CB5DB43,00000000,?,?,6CC6AFB0), ref: 6CB59A11

GetDeviceCaps.GDI32(?,00000058), ref: 6CB5E049
DeleteObject.GDI32(00000000), ref: 6CB5E0AA
DeleteObject.GDI32(00000000), ref: 6CB5E0C7
DeleteObject.GDI32(00000000), ref: 6CB5E0E4
DeleteObject.GDI32(00000000), ref: 6CB5E0FB
DeleteObject.GDI32(00000000), ref: 6CB5E118
DeleteObject.GDI32(00000000), ref: 6CB5E12F
DeleteObject.GDI32(00000000), ref: 6CB5E146
DeleteObject.GDI32(00000000), ref: 6CB5E15D
DeleteObject.GDI32(00000000), ref: 6CB5E17A
DeleteObject.GDI32(00000000), ref: 6CB5E191
_memset.LIBCMT ref: 6CB5E1A8
GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 6CB5E1B8
lstrcpyW.KERNEL32(?,?), ref: 6CB5E207
EnumFontFamiliesW.GDI32(?,00000000,Function_0001DFD0), ref: 6CB5E22E
lstrcpyW.KERNEL32(?), ref: 6CB5E23E
EnumFontFamiliesW.GDI32(?,00000000,Function_0001DFD0), ref: 6CB5E259
lstrcpyW.KERNEL32(?), ref: 6CB5E271
CreateFontIndirectW.GDI32(?), ref: 6CB5E27D
CreateFontIndirectW.GDI32(?), ref: 6CB5E2CD
CreateFontIndirectW.GDI32(?), ref: 6CB5E308
CreateFontIndirectW.GDI32(?), ref: 6CB5E330
CreateFontIndirectW.GDI32(?), ref: 6CB5E34D
GetSystemMetrics.USER32(00000048), ref: 6CB5E368
lstrcpyW.KERNEL32(?), ref: 6CB5E37C
CreateFontIndirectW.GDI32(?), ref: 6CB5E382
GetStockObject.GDI32(00000011), ref: 6CB5E3B0
GetObjectW.GDI32(?,0000005C,?), ref: 6CB5E3D2
lstrcpyW.KERNEL32(?), ref: 6CB5E40B
CreateFontIndirectW.GDI32(?), ref: 6CB5E415
CreateFontIndirectW.GDI32(?), ref: 6CB5E434
GetStockObject.GDI32(00000011), ref: 6CB5E44A
GetObjectW.GDI32(?,0000005C,?), ref: 6CB5E45B
CreateFontIndirectW.GDI32(?), ref: 6CB5E465
CreateFontIndirectW.GDI32(?), ref: 6CB5E488
__EH_prolog3_GS.LIBCMT ref: 6CB5E513
GetVersionExW.KERNEL32(?,0000011C,00000000), ref: 6CB5E669
GetSystemMetrics.USER32(00001000), ref: 6CB5E674
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 6CB5E6F9
GetProcAddress.KERNEL32(?,DrawThemeTextEx), ref: 6CB5E70C
GetProcAddress.KERNEL32(?,BufferedPaintInit), ref: 6CB5E71F
GetProcAddress.KERNEL32(?,BufferedPaintUnInit), ref: 6CB5E732
GetProcAddress.KERNEL32(?,BeginBufferedPaint), ref: 6CB5E745
GetProcAddress.KERNEL32(?,EndBufferedPaint), ref: 6CB5E758
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea), ref: 6CB5E7A1
GetProcAddress.KERNEL32(?,DwmDefWindowProc), ref: 6CB5E7B4
GetProcAddress.KERNEL32(?,DwmIsCompositionEnabled), ref: 6CB5E7C7

Strings

DrawThemeParentBackground, xrefs: 6CB5E6F3
UxTheme.dll, xrefs: 6CB5E6D8
BeginBufferedPaint, xrefs: 6CB5E734
DwmIsCompositionEnabled, xrefs: 6CB5E7B6
DwmExtendFrameIntoClientArea, xrefs: 6CB5E79B
DrawThemeTextEx, xrefs: 6CB5E6FB
Pl)u, xrefs: 6CB5E3B2
dwmapi.dll, xrefs: 6CB5E786
BufferedPaintUnInit, xrefs: 6CB5E721
EndBufferedPaint, xrefs: 6CB5E747
BufferedPaintInit, xrefs: 6CB5E70E
DwmDefWindowProc, xrefs: 6CB5E7A3

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Object$Font$CreateDeleteIndirect$AddressProc$lstrcpy$EnumFamiliesH_prolog3_MetricsStockSystem$CapsCharsetDeviceH_prolog3InfoTextVersionWindow_memset
String ID: BeginBufferedPaint$BufferedPaintInit$BufferedPaintUnInit$DrawThemeParentBackground$DrawThemeTextEx$DwmDefWindowProc$DwmExtendFrameIntoClientArea$DwmIsCompositionEnabled$EndBufferedPaint$Pl)u$UxTheme.dll$dwmapi.dll
API String ID: 3153784359-3653758685
Opcode ID: b41ee5be48ec006cc78d4a656bd398d0ddc6eae047697663397fc31ff43ccdad
Instruction ID: 3a59d3e6471b63bc47b957bb9770b127b7cc698f496356eddea2f8c49705dbb0
Opcode Fuzzy Hash: b41ee5be48ec006cc78d4a656bd398d0ddc6eae047697663397fc31ff43ccdad
Instruction Fuzzy Hash: EA3266B0C017989FCB219FB5C844BDEFBF8AF49304F40499AD5AAA7600DB74A554CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5DAE7 Relevance: 64.8, APIs: 43, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6CB5DAEE
GetSysColor.USER32(00000016), ref: 6CB5DAFD
GetSysColor.USER32(0000000F), ref: 6CB5DB0A
GetSysColor.USER32(00000015), ref: 6CB5DB1D
GetSysColor.USER32(0000000F), ref: 6CB5DB25
GetDeviceCaps.GDI32(?,0000000C), ref: 6CB5DB4B
GetSysColor.USER32(0000000F), ref: 6CB5DB59
GetSysColor.USER32(00000010), ref: 6CB5DB63
GetSysColor.USER32(00000015), ref: 6CB5DB6D
GetSysColor.USER32(00000016), ref: 6CB5DB77
GetSysColor.USER32(00000014), ref: 6CB5DB81
GetSysColor.USER32(00000012), ref: 6CB5DB8B
GetSysColor.USER32(00000011), ref: 6CB5DB95
GetSysColor.USER32(00000006), ref: 6CB5DB9C
GetSysColor.USER32(0000000D), ref: 6CB5DBA3
GetSysColor.USER32(0000000E), ref: 6CB5DBAA
GetSysColor.USER32(00000005), ref: 6CB5DBB1
GetSysColor.USER32(00000008), ref: 6CB5DBBB
GetSysColor.USER32(00000009), ref: 6CB5DBC2
GetSysColor.USER32(00000007), ref: 6CB5DBC9
GetSysColor.USER32(00000002), ref: 6CB5DBD0
GetSysColor.USER32(00000003), ref: 6CB5DBD7
GetSysColor.USER32(0000001B), ref: 6CB5DBDE
GetSysColor.USER32(0000001C), ref: 6CB5DBE8
GetSysColor.USER32(0000000A), ref: 6CB5DBF2
GetSysColor.USER32(0000000B), ref: 6CB5DBFC
GetSysColor.USER32(00000013), ref: 6CB5DC06
GetSysColor.USER32(0000001A), ref: 6CB5DC20
GetSysColorBrush.USER32(00000010), ref: 6CB5DC3B
GetSysColorBrush.USER32(00000014), ref: 6CB5DC52
GetSysColorBrush.USER32(00000005), ref: 6CB5DC64
CreateSolidBrush.GDI32(?), ref: 6CB5DC88
CreateSolidBrush.GDI32(?), ref: 6CB5DCA4
CreateSolidBrush.GDI32(?), ref: 6CB5DCC0
CreateSolidBrush.GDI32(?), ref: 6CB5DCDC
CreateSolidBrush.GDI32(?), ref: 6CB5DCF8
CreateSolidBrush.GDI32(?), ref: 6CB5DD14
CreateSolidBrush.GDI32(?), ref: 6CB5DD30
CreatePen.GDI32(00000000,00000001,00000000), ref: 6CB5DD59
CreatePen.GDI32(00000000,00000001,00000000), ref: 6CB5DD7C
CreatePen.GDI32(00000000,00000001,00000000), ref: 6CB5DD9F
CreateSolidBrush.GDI32(?), ref: 6CB5DE23
CreatePatternBrush.GDI32(00000000), ref: 6CB5DE64

Part of subcall function 6CB59BE3: DeleteObject.GDI32(00000000), ref: 6CB59BF2

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Color$BrushCreate$Solid$CapsDeleteDeviceH_prolog3ObjectPattern
String ID:
API String ID: 3754413814-0
Opcode ID: 7408f989155ebcb872201e68f91d2f2dd175f18815581c8028fb82a6b0c8b6aa
Instruction ID: ca85c52dc89f806a04a00c07a0a74de4c6139602d5d70c79a4d10644250f67bc
Opcode Fuzzy Hash: 7408f989155ebcb872201e68f91d2f2dd175f18815581c8028fb82a6b0c8b6aa
Instruction Fuzzy Hash: 07B17DB0A00B849EDB64AFB5CC54BEFBBF4AF84304F404A2DD19686A90DF71A559DF10

Uniqueness

Uniqueness Score: -1.00%

Function 6CBA18F3 Relevance: 42.4, APIs: 22, Strings: 2, Instructions: 421
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6CBA18FD
LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002000), ref: 6CBA1ABF
GetObjectW.GDI32(00000082,00000018,?), ref: 6CBA1AD1
CreateCompatibleDC.GDI32(00000000), ref: 6CBA1B23
GetObjectW.GDI32(00000082,00000018,?), ref: 6CBA1B3E
SelectObject.GDI32(?,00000082), ref: 6CBA1B52
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6CBA1B76
SelectObject.GDI32(?,00000000), ref: 6CBA1B89
CreateCompatibleDC.GDI32(?), ref: 6CBA1B9F
SelectObject.GDI32(?,?), ref: 6CBA1BB4
SelectObject.GDI32(?,00000000), ref: 6CBA1BC3
DeleteObject.GDI32(?), ref: 6CBA1BC8
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6CBA1BE8
GetPixel.GDI32(?,?,?), ref: 6CBA1C07
SetPixel.GDI32(?,?,?,00000000), ref: 6CBA1C3D
SelectObject.GDI32(?,?), ref: 6CBA1C5F
SelectObject.GDI32(?,00000000), ref: 6CBA1C67
DeleteObject.GDI32(00000082), ref: 6CBA1C6C
DeleteObject.GDI32(00000082), ref: 6CBA1C9E
__EH_prolog3.LIBCMT ref: 6CBA1CD2
CreateCompatibleDC.GDI32(00000000), ref: 6CBA1D9D
CreateCompatibleDC.GDI32(00000000), ref: 6CBA1DA9

Strings

, xrefs: 6CBA1AD7
Pl)u, xrefs: 6CBA1AD1, 6CBA1B3E

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$Delete$H_prolog3Pixel$BitmapImageLoad
String ID: $Pl)u
API String ID: 1197801157-1824918255
Opcode ID: e4e3945de94536b9c721e8dc95c58887112a37147a970228387717fc07547331
Instruction ID: 56d86b67e1adeb0260d355b8a688e57cdca19c0baf8cec60c8a26f4f8477aed1
Opcode Fuzzy Hash: e4e3945de94536b9c721e8dc95c58887112a37147a970228387717fc07547331
Instruction Fuzzy Hash: 3C0298B0D002A8DFCF45DFA8C880ADEBBB5FF09700F14816AE854AB655D7708956CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4BF50 Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(6CCA8D44,?,?,?,6CCA8D28,6CCA8D28,?,6CB4C298,00000004,6CB4CB65,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4BF63
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,6CCA8D28,6CCA8D28,?,6CB4C298,00000004,6CB4CB65,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4BFB9
GlobalHandle.KERNEL32(02D009E8), ref: 6CB4BFC2
GlobalUnlock.KERNEL32(00000000,?,?,6CCA8D28,6CCA8D28,?,6CB4C298,00000004,6CB4CB65,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4BFCC
GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 6CB4BFE5
GlobalHandle.KERNEL32(02D009E8), ref: 6CB4BFF7
GlobalLock.KERNEL32(00000000,?,?,6CCA8D28,6CCA8D28,?,6CB4C298,00000004,6CB4CB65,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4BFFE
LeaveCriticalSection.KERNEL32(?,?,?,6CCA8D28,6CCA8D28,?,6CB4C298,00000004,6CB4CB65,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4C007
GlobalLock.KERNEL32(00000000,?,?,6CCA8D28,6CCA8D28,?,6CB4C298,00000004,6CB4CB65,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4C013
_memset.LIBCMT ref: 6CB4C02D
LeaveCriticalSection.KERNEL32(?), ref: 6CB4C05B

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: 3b41b27dfa8ed1228c568f2c659292919d462a6a700380625872a8e761d4cfcd
Instruction ID: 4c409ffbe52277a0bdc1bff4bb911c864878194e593a2ab10099e841fe093ae6
Opcode Fuzzy Hash: 3b41b27dfa8ed1228c568f2c659292919d462a6a700380625872a8e761d4cfcd
Instruction Fuzzy Hash: CB31FE71604740AFEB249FA4C888E4EBBF9FF44745B00892DE646E3A10DB70E814DB60

Uniqueness

Uniqueness Score: -1.00%

Function 6CBEA2A9 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6CBEA2B0

Part of subcall function 6CB4C312: EnterCriticalSection.KERNEL32(6CCA8EF8,?,?,?,?,6CB4BE77,00000010,00000008,6CB4CB84,6CB4CB1B,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4C34C
Part of subcall function 6CB4C312: InitializeCriticalSection.KERNEL32(?,?,?,?,6CB4BE77,00000010,00000008,6CB4CB84,6CB4CB1B,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4C35E
Part of subcall function 6CB4C312: LeaveCriticalSection.KERNEL32(6CCA8EF8,?,?,?,6CB4BE77,00000010,00000008,6CB4CB84,6CB4CB1B,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4C36B
Part of subcall function 6CB4C312: EnterCriticalSection.KERNEL32(?,?,?,?,?,6CB4BE77,00000010,00000008,6CB4CB84,6CB4CB1B,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4C37B

GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 6CBEA308
GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 6CBEA31A

Strings

windows, xrefs: 6CBEA302, 6CBEA307, 6CBEA314
DragDelay, xrefs: 6CBEA30F
DragMinDist, xrefs: 6CBEA2FD

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterProfile$H_prolog3InitializeLeave
String ID: DragDelay$DragMinDist$windows
API String ID: 3965097884-2101198082
Opcode ID: 0b09d88e19be1bae3c253af9d5685e8993d0727e6cc1db09b018a10242deb89e
Instruction ID: adda702ddc0eee07a213f88a983ab736565e64e4872ac5bb23afa291d26f5cbe
Opcode Fuzzy Hash: 0b09d88e19be1bae3c253af9d5685e8993d0727e6cc1db09b018a10242deb89e
Instruction Fuzzy Hash: 3F017CB0A487409EDB60EF6A8845B0EFAF8FF94784F44590FE1859BF90D7B1A0018F15

Uniqueness

Uniqueness Score: -1.00%

Function 6CC3ADEB Relevance: 7.6, APIs: 5, Instructions: 68
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 6CC3ADF9

Part of subcall function 6CC397A9: __FF_MSGBANNER.LIBCMT ref: 6CC397C2
Part of subcall function 6CC397A9: __NMSG_WRITE.LIBCMT ref: 6CC397C9
Part of subcall function 6CC397A9: RtlAllocateHeap.NTDLL(00000000,00000001,?,00000000,MarketPlugin,?,6CB4BADA,?,00000000,?,6CB4529F,0000001C,?,6CB43157), ref: 6CC397EE

_free.LIBCMT ref: 6CC3AE0C

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 9dfaeb9baa7dcd9bb3c6971f3478062aa8c174ed98f810bdfbab2a78efe10393
Instruction ID: 2b6d7b5caa01c1bb42167fc97a258d7484f93a1589ebeed5af424508f3792a05
Opcode Fuzzy Hash: 9dfaeb9baa7dcd9bb3c6971f3478062aa8c174ed98f810bdfbab2a78efe10393
Instruction Fuzzy Hash: FE11A732944635ABDF151FF9F80468E36B9ABC5768B20A529E80C97BD0FF35897087D0

Uniqueness

Uniqueness Score: -1.00%

Function 6CBA1CCB Relevance: 4.6, APIs: 3, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6CBA1CD2
CreateCompatibleDC.GDI32(00000000), ref: 6CBA1D9D
CreateCompatibleDC.GDI32(00000000), ref: 6CBA1DA9

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CompatibleCreate$H_prolog3
String ID:
API String ID: 2193723985-0
Opcode ID: 272df8601691130cb4868091dfcaaca05abf53e4c2a6477eb2fd746c7f5b1797
Instruction ID: b484f105d6866f85df3fac37fddc5975606d334f2634d0abd8ad02b3f65bbbe4
Opcode Fuzzy Hash: 272df8601691130cb4868091dfcaaca05abf53e4c2a6477eb2fd746c7f5b1797
Instruction Fuzzy Hash: 8B51ACB0911764CFCF84DF69C58129A7BB8BB09B00F1482ABEC49DF64AD7B08545DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB47110 Relevance: 3.1, APIs: 2, Instructions: 73
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memmove_s.LIBCMT ref: 6CB4718A

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: _memmove_s
String ID:
API String ID: 800865076-0
Opcode ID: 2a082615c113fa8c2e037d02154d60c41e09958726bbab924114efcc001309db
Instruction ID: 46a330e6b26100ec9e96734143e061507a535dd8efede53ca50ed94a346b2389
Opcode Fuzzy Hash: 2a082615c113fa8c2e037d02154d60c41e09958726bbab924114efcc001309db
Instruction Fuzzy Hash: A321D571648554EFCB04CFA8C888D9EF3B9EF84314B00C249E8046B718DA71AD15DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB51D28 Relevance: 3.0, APIs: 2, Instructions: 24
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ActivateActCtx.KERNEL32(?,?,6CC92060,00000010,6CB54749,hhctrl.ocx,6CB5397B,0000000C), ref: 6CB51D48
LoadLibraryW.KERNELBASE(?), ref: 6CB51D5F

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ActivateLibraryLoad
String ID:
API String ID: 389599620-0
Opcode ID: 5ff32010da2b678037286f6a43bc7c0e5484e5e99686dc0ddcfa7180cfd61ef0
Instruction ID: 87971ee88bfc0d359052b843e368df4cefbd2f8cc653baf0a7fe3e9c71d43fc5
Opcode Fuzzy Hash: 5ff32010da2b678037286f6a43bc7c0e5484e5e99686dc0ddcfa7180cfd61ef0
Instruction Fuzzy Hash: 96F03971D00229AFCF51AFE0C808ADDBBB4FF08794F848565E464F6AA0D7748625DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CB46FA0 Relevance: 1.6, APIs: 1, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memcpy_s.LIBCMT ref: 6CB46FEE

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: _memcpy_s
String ID:
API String ID: 2001391462-0
Opcode ID: 6072fad599fa83efc10849c43597ddba39f736bd98e0903b63f19f14f81c58e8
Instruction ID: e685b71c27835bd180faca08d047b04e12b9e13a6a4e0bbf76e8ae27ac32667a
Opcode Fuzzy Hash: 6072fad599fa83efc10849c43597ddba39f736bd98e0903b63f19f14f81c58e8
Instruction Fuzzy Hash: 1B114F76604A05AFC709CF58C880CAAB7B9FF89310715865DE5598B750EB71ED05CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4C244 Relevance: 1.5, APIs: 1, Instructions: 43
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6CB4C24B

Part of subcall function 6CB4BCE0: __CxxThrowException@8.LIBCMT ref: 6CB4BCF6
Part of subcall function 6CB4BCE0: __EH_prolog3.LIBCMT ref: 6CB4BD03

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID:
API String ID: 2489616738-0
Opcode ID: c0215e38fcb567923c09213c65a00968659c7fb51d10c97aae44778b580330b3
Instruction ID: 20a6730aa0010c78709a9ec001c7abf3add3c22324938b053c34054cd7f3f66a
Opcode Fuzzy Hash: c0215e38fcb567923c09213c65a00968659c7fb51d10c97aae44778b580330b3
Instruction Fuzzy Hash: B6019E30B0818B8BDB54AFB4C415A6E36B2EB91768B108529D8448BB88EB74C809E742

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4DD52 Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 6CB4DD71

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 87c3839f3c33660b9132d92c77a4827721ee62a44dd585711ce0bf70b7c7217a
Instruction ID: 749943cefbb8509db003426cb45b67f199880bba5f662f0213ab86b5c714e2ce
Opcode Fuzzy Hash: 87c3839f3c33660b9132d92c77a4827721ee62a44dd585711ce0bf70b7c7217a
Instruction Fuzzy Hash: 1EE092335142255FC7008F5DE404B86FBECDFA2374F16C466E418CB6A2DB71E8048BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CC3A79F Relevance: 1.5, APIs: 1, Instructions: 14
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6CC3C87C: __lock.LIBCMT ref: 6CC3C87E

__onexit_nolock.LIBCMT ref: 6CC3A7B7

Part of subcall function 6CC3A6B8: DecodePointer.KERNEL32(?,?,?,?,?,6CC3A7BC,?,6CC9D5A0,0000000C,6CC3A7E8,?,?,6CC3C932,6CC42B93), ref: 6CC3A6CD
Part of subcall function 6CC3A6B8: DecodePointer.KERNEL32(?,?,?,?,?,6CC3A7BC,?,6CC9D5A0,0000000C,6CC3A7E8,?,?,6CC3C932,6CC42B93), ref: 6CC3A6DA
Part of subcall function 6CC3A6B8: __realloc_crt.LIBCMT ref: 6CC3A717
Part of subcall function 6CC3A6B8: __realloc_crt.LIBCMT ref: 6CC3A72D
Part of subcall function 6CC3A6B8: EncodePointer.KERNEL32(00000000,?,?,?,?,?,6CC3A7BC,?,6CC9D5A0,0000000C,6CC3A7E8,?,?,6CC3C932,6CC42B93), ref: 6CC3A73F
Part of subcall function 6CC3A6B8: EncodePointer.KERNEL32(?,?,?,?,?,?,6CC3A7BC,?,6CC9D5A0,0000000C,6CC3A7E8,?,?,6CC3C932,6CC42B93), ref: 6CC3A753
Part of subcall function 6CC3A6B8: EncodePointer.KERNEL32(-00000004,?,?,?,?,?,6CC3A7BC,?,6CC9D5A0,0000000C,6CC3A7E8,?,?,6CC3C932,6CC42B93), ref: 6CC3A75B

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Pointer$Encode$Decode__realloc_crt$__lock__onexit_nolock
String ID:
API String ID: 3536590627-0
Opcode ID: e1af05e9c51a7df78b3ce4196c7b0591872be38a4e381c1120111f3febf79c07
Instruction ID: bd02574346e9cf07a2d7eb55ddbb5f06426c20549b7e728f786b615a7b8d4632
Opcode Fuzzy Hash: e1af05e9c51a7df78b3ce4196c7b0591872be38a4e381c1120111f3febf79c07
Instruction Fuzzy Hash: 35D05E71801229ABCF00AFE4E940BCC77B06F84328FA0A244E01CA6BD0FB3446699B01

Uniqueness

Uniqueness Score: -1.00%

Function 6CB59BE3 Relevance: 1.5, APIs: 1, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteObject.GDI32(00000000), ref: 6CB59BF2

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: DeleteObject
String ID:
API String ID: 1531683806-0
Opcode ID: 5318de9cf89a5ed84251d5c863118552ef8b34caa6f0c04aaa7635e38d8cbd88
Instruction ID: d2a21817e2c7341e0f4f83832050011a635b42365be7358639b60cd9d3d9d2af
Opcode Fuzzy Hash: 5318de9cf89a5ed84251d5c863118552ef8b34caa6f0c04aaa7635e38d8cbd88
Instruction Fuzzy Hash: C3B092F0E25240AEEE005BB1870871A25789B4130AF888894A108D1840DB398026C550

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6CBBA40C Relevance: 42.5, APIs: 28, Instructions: 452windowkeyboardCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 6CBBA441
GetWindowRect.USER32(?,?), ref: 6CBBA464
PtInRect.USER32(?,?,?), ref: 6CBBA472

Part of subcall function 6CBC6981: RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 6CBC69F8

GetAsyncKeyState.USER32(00000012), ref: 6CBBA497
ScreenToClient.USER32(?,?), ref: 6CBBA4E5
IsWindow.USER32(?), ref: 6CBBA52C
IsWindow.USER32(?), ref: 6CBBA56F
GetWindowRect.USER32(?,?), ref: 6CBBA58F
PtInRect.USER32(?,?,?), ref: 6CBBA59F
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6CBBA5D4
PtInRect.USER32(-00000054,?,?), ref: 6CBBA61F
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6CBBA644
ScreenToClient.USER32(?,?), ref: 6CBBA69C
PtInRect.USER32(?,?,?), ref: 6CBBA6AC
GetParent.USER32(?), ref: 6CBBA736
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6CBBA7C9
GetFocus.USER32 ref: 6CBBA7CF
WindowFromPoint.USER32(?,?,00000000), ref: 6CBBA807
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6CBBA851
GetSystemMenu.USER32(?,00000000,?,?,75C0A000,?), ref: 6CBBA8DA
IsMenu.USER32(?), ref: 6CBBA8FC
EnableMenuItem.USER32(?,0000F030,00000000), ref: 6CBBA919
EnableMenuItem.USER32(?,0000F120,00000000), ref: 6CBBA924
IsZoomed.USER32(?), ref: 6CBBA932
IsIconic.USER32(?), ref: 6CBBA951
EnableMenuItem.USER32(?,0000F120,00000003), ref: 6CBBA965
TrackPopupMenu.USER32(?,00000100,?,?,00000000,?,00000000), ref: 6CBBA98D
SendMessageW.USER32(?,00000112,00000000,00000000), ref: 6CBBA9A7

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$MenuRect$MessageSend$EnableItem$ClientScreen$AsyncFocusFromIconicParentPointPopupRedrawStateSystemTrackVisibleZoomed
String ID:
API String ID: 3398603409-0
Opcode ID: 9556347cc94014ad1b0cfcd5de11ae5cd59ca779bc488f8502103ae680f76353
Instruction ID: 50bcd0e759bce04f79ebed571deff616535e85cad2bdc4c976c5988b7abaad90
Opcode Fuzzy Hash: 9556347cc94014ad1b0cfcd5de11ae5cd59ca779bc488f8502103ae680f76353
Instruction Fuzzy Hash: A0F16AB1A01289AFDF109FA8C988EBDBBB9FB08308B504529E555F7A60DB30D851DF51

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6A603 Relevance: 27.4, APIs: 18, Instructions: 386windowkeyboardCOMMON

Download Yara Rule

APIs

MessageBeep.USER32 ref: 6CB6A62A
SendMessageW.USER32(?,000000B0,?,?), ref: 6CB6A66F
SendMessageW.USER32(?,000000B0,?,?), ref: 6CB6A71C
SendMessageW.USER32(?,000000B0,?,?), ref: 6CB6A8B6
GetKeyState.USER32(00000010), ref: 6CB6A8EB
SendMessageW.USER32(?,000000B0,?,?), ref: 6CB6A901
GetKeyState.USER32(00000011), ref: 6CB6A92D
SendMessageW.USER32(?,000000B0,?,?), ref: 6CB6A943
SendMessageW.USER32(?,000000B0,?,?), ref: 6CB6A98B

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Message$Send$State$Beep
String ID:
API String ID: 4138746095-0
Opcode ID: 664cc99cf05a2d1b1568738d7ba43b66e78636738b990cbffa648ad708c38285
Instruction ID: e088bafab095c5d26964bba26e0aa37ce6718f5bc8340bedb944445e711520e1
Opcode Fuzzy Hash: 664cc99cf05a2d1b1568738d7ba43b66e78636738b990cbffa648ad708c38285
Instruction Fuzzy Hash: 17D16771200299BFCF01CE96CC80EEE77B9FB05714F14461AFA26D6A80D730EA568F61

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB3989 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 340COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CBB3990

Part of subcall function 6CB9D5B8: FillRect.USER32(?,00000020), ref: 6CB9D5CC

Strings

d, xrefs: 6CBB39E8

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: FillH_prolog3Rect
String ID: d
API String ID: 1863035756-2564639436
Opcode ID: 127335b3fcf030fdb72d1757d0b9684234a1cbc8c89173f3e4b2653f60db43a3
Instruction ID: 469df30f379f69abca3dd011ea4682b464e16400484c326f0cfb7fff83a08b68
Opcode Fuzzy Hash: 127335b3fcf030fdb72d1757d0b9684234a1cbc8c89173f3e4b2653f60db43a3
Instruction Fuzzy Hash: 4AC1BEB1A002A99FCB04CFA9CD859FEBBB0EB08314F104229F451B7A80DF35D955DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CB7D26F Relevance: 21.3, APIs: 14, Instructions: 280keyboardwindowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 6CB7D353
SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6CB7D36F
GetCapture.USER32 ref: 6CB7D3E9
GetKeyState.USER32(00000011), ref: 6CB7D44B
GetKeyState.USER32(00000010), ref: 6CB7D458
ImmGetContext.IMM32(?), ref: 6CB7D466
ImmGetOpenStatus.IMM32(00000000,?), ref: 6CB7D473
ImmReleaseContext.IMM32(?,00000000,?), ref: 6CB7D495
GetFocus.USER32 ref: 6CB7D4BF
IsWindow.USER32(?), ref: 6CB7D500
IsWindow.USER32(?), ref: 6CB7D586
ClientToScreen.USER32(?,?), ref: 6CB7D596
IsWindow.USER32(?), ref: 6CB7D5BC
ClientToScreen.USER32(?,?), ref: 6CB7D5EB

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$ClientContextScreenState$CaptureFocusMessageOpenReleaseSendStatus
String ID:
API String ID: 1155058817-0
Opcode ID: 330df3ce51a061d75c1c818bfcebebff2b3da74a78c96c2ee6fe611c82f38225
Instruction ID: f84fa904b45030deb725b97c79f40764060dff298ce610fa50b53ba73d91ee28
Opcode Fuzzy Hash: 330df3ce51a061d75c1c818bfcebebff2b3da74a78c96c2ee6fe611c82f38225
Instruction Fuzzy Hash: E2A18E71A00682AFDB348FB5E884AAE77B4FB0438DF504929ED75D2D50D731E964CB22

Uniqueness

Uniqueness Score: -1.00%

Function 6CB7B3DD Relevance: 21.3, APIs: 14, Instructions: 268keyboardwindowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 6CB7B4B6
SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6CB7B4D2
GetCapture.USER32 ref: 6CB7B552
GetKeyState.USER32(00000011), ref: 6CB7B5A5
GetKeyState.USER32(00000010), ref: 6CB7B5B2
ImmGetContext.IMM32(?), ref: 6CB7B5C0
ImmGetOpenStatus.IMM32(00000000,?), ref: 6CB7B5CD
ImmReleaseContext.IMM32(00000000,00000000,?), ref: 6CB7B5EF
GetFocus.USER32 ref: 6CB7B619
IsWindow.USER32(?), ref: 6CB7B65A
IsWindow.USER32(?), ref: 6CB7B6E0
ClientToScreen.USER32(?,?), ref: 6CB7B6F0
IsWindow.USER32(?), ref: 6CB7B716
ClientToScreen.USER32(?,?), ref: 6CB7B745

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$ClientContextScreenState$CaptureFocusMessageOpenReleaseSendStatus
String ID:
API String ID: 1155058817-0
Opcode ID: ac8edd0b6cd147ff1d09dccf5ae56af9752b6b45fb6fa5dd51315c167fb4d1df
Instruction ID: 5f5b3a797425f5564ab8ec8ffa588baabc56ebc749fc8b0d6a6c8070a2d6c45c
Opcode Fuzzy Hash: ac8edd0b6cd147ff1d09dccf5ae56af9752b6b45fb6fa5dd51315c167fb4d1df
Instruction Fuzzy Hash: A191B371600686AFDF358FA4C894AAEB7B5EF04308F208529E97593D50DB31DA64DF22

Uniqueness

Uniqueness Score: -1.00%

Function 6CB83902 Relevance: 21.3, APIs: 14, Instructions: 262windowCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6CB8397F
RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 6CB8399D
ReleaseCapture.USER32 ref: 6CB839A3
SetCapture.USER32(?), ref: 6CB839B6
ReleaseCapture.USER32 ref: 6CB83A2B
SetCapture.USER32(?), ref: 6CB83A3E
SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 6CB83B17
UpdateWindow.USER32(?), ref: 6CB83B7A
SendMessageW.USER32(?,00000111,000000FF,00000000), ref: 6CB83BC2
IsWindow.USER32(?), ref: 6CB83BCD
IsIconic.USER32(?), ref: 6CB83BDA
IsZoomed.USER32(?), ref: 6CB83BE7
IsWindow.USER32(?), ref: 6CB83BFB
UpdateWindow.USER32(?), ref: 6CB83C47

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$Capture$MessageReleaseSendUpdate$EmptyIconicRectRedrawZoomed
String ID:
API String ID: 2500574155-0
Opcode ID: 96c0bd9dd4fee3626a9484a8f9e3a39f692456e906e423992cbb2c964dab7d75
Instruction ID: c3058b28bb4975bc91c4d5fd1598ea01c587c4a99ef1354e25e9e31224ecc208
Opcode Fuzzy Hash: 96c0bd9dd4fee3626a9484a8f9e3a39f692456e906e423992cbb2c964dab7d75
Instruction Fuzzy Hash: A0A16831602284AFDF059F64C888A9D3BB2FF45319F1442B9FC2AAB6A5CB31C954CF11

Uniqueness

Uniqueness Score: -1.00%

Function 6CB41130 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 278COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6CB411B1

Part of subcall function 6CB4BAB7: _malloc.LIBCMT ref: 6CB4BAD5

_memmove.LIBCMT ref: 6CB411DB
_memmove.LIBCMT ref: 6CB41208
std::exception::exception.LIBCMT ref: 6CB4122C
__CxxThrowException@8.LIBCMT ref: 6CB41241
std::exception::exception.LIBCMT ref: 6CB4141D
__CxxThrowException@8.LIBCMT ref: 6CB41438
__CxxThrowException@8.LIBCMT ref: 6CB41446
__CxxThrowException@8.LIBCMT ref: 6CB41464

Part of subcall function 6CB48250: CoInitialize.OLE32(00000000), ref: 6CB48290
Part of subcall function 6CB48250: SysFreeString.OLEAUT32(5D88C933), ref: 6CB482A1
Part of subcall function 6CB48250: SysAllocString.OLEAUT32(6CC88804), ref: 6CB482AC

Strings

The parameter is invalide., xrefs: 6CB41225
The content of MarketXML is invalide., xrefs: 6CB41416

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Exception@8Throw$_memmove$Stringstd::exception::exception$AllocFreeInitialize_malloc
String ID: The content of MarketXML is invalide.$The parameter is invalide.
API String ID: 277576513-953608087
Opcode ID: 232705bf17c50198f6808d4ec486f83edcae4d415a154e9b06af1301398d829a
Instruction ID: 9ab04658d8c2d136f854f03c2921b9e80a3a2f0c1fc34ffc12c99c62846d4bed
Opcode Fuzzy Hash: 232705bf17c50198f6808d4ec486f83edcae4d415a154e9b06af1301398d829a
Instruction Fuzzy Hash: 90A1A171E04748AFDB14CFA9D881B9EBBB5FB48304F54852DE41AE7A40EB70A508DB51

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB90F2 Relevance: 16.7, APIs: 11, Instructions: 220windowkeyboardCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 6CBB9120
GetFocus.USER32 ref: 6CBB912E
IsChild.USER32(?,?), ref: 6CBB9162
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6CBB9196
IsChild.USER32(?,?), ref: 6CBB91B2
SendMessageW.USER32(?,00000100,?,00000000), ref: 6CBB91E1
IsIconic.USER32(?), ref: 6CBB9222
GetAsyncKeyState.USER32(00000011), ref: 6CBB92A8
GetAsyncKeyState.USER32(00000012), ref: 6CBB92BA
GetAsyncKeyState.USER32(00000010), ref: 6CBB92C7
IsWindowVisible.USER32(?), ref: 6CBB9328

Part of subcall function 6CBC59AB: RedrawWindow.USER32(?,00000000,00000000,00000105,00000000), ref: 6CBC59D8

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AsyncStateWindow$ChildMessageSend$FocusIconicRedrawVisible
String ID:
API String ID: 763474574-0
Opcode ID: 5df04ab477352ec71b5ea1aada7a39f459251d28a368053226f77913f062557f
Instruction ID: e907d90f6b8b21fbda480fa2f618ca818e0d21f980fa75729290dd281391f4ed
Opcode Fuzzy Hash: 5df04ab477352ec71b5ea1aada7a39f459251d28a368053226f77913f062557f
Instruction Fuzzy Hash: CB71B231E44285AFEF109FA4C888BBE7BB5FF15308F184168E955B7AA0DF31D8059B52

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB9B81 Relevance: 16.6, APIs: 11, Instructions: 99windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000021), ref: 6CBB9BA3
GetSystemMetrics.USER32(00000020), ref: 6CBB9BAA
IsIconic.USER32(?), ref: 6CBB9BBE
GetWindowRect.USER32(?,00000020), ref: 6CBB9BFF
IsIconic.USER32(?), ref: 6CBB9C23
GetSystemMetrics.USER32(00000004), ref: 6CBB9C2F
OffsetRect.USER32(00000020,?,?), ref: 6CBB9C41
GetSystemMetrics.USER32(00000004), ref: 6CBB9C49
IsIconic.USER32(?), ref: 6CBB9C77
GetSystemMetrics.USER32(00000021), ref: 6CBB9C83
GetSystemMetrics.USER32(00000020), ref: 6CBB9C8A

Part of subcall function 6CB5676A: GetWindowLongW.USER32(?,000000F0), ref: 6CB56775

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MetricsSystem$Iconic$RectWindow$LongOffset
String ID:
API String ID: 993849457-0
Opcode ID: 178c9857adb7312b5f880d742ed38f09118e5e12dbd1b55ec81e49dc2a8ad1d4
Instruction ID: 5756cbca747c1b45db8fdcb245aba9d374a5d216a5c53f23ae2577e88cb97c31
Opcode Fuzzy Hash: 178c9857adb7312b5f880d742ed38f09118e5e12dbd1b55ec81e49dc2a8ad1d4
Instruction Fuzzy Hash: 9D41F4B1E002099FCF04DFA9C895AAEBBF5FF58304F14406AEA09E7251DB30A940CF61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB70F8A Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 418COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB70F91
_wcslen.LIBCMT ref: 6CB71034
_wcslen.LIBCMT ref: 6CB7103E
_wcslen.LIBCMT ref: 6CB710AA
_memcpy_s.LIBCMT ref: 6CB710EE
_wcslen.LIBCMT ref: 6CB71101
_memcpy_s.LIBCMT ref: 6CB7114A

Part of subcall function 6CB4BCE0: __CxxThrowException@8.LIBCMT ref: 6CB4BCF6
Part of subcall function 6CB4BCE0: __EH_prolog3.LIBCMT ref: 6CB4BD03

PathRemoveFileSpecW.SHLWAPI(?), ref: 6CB71265

Part of subcall function 6CB46FA0: _memcpy_s.LIBCMT ref: 6CB46FEE

Strings

, xrefs: 6CB71492

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: _wcslen$_memcpy_s$H_prolog3$Exception@8FilePathRemoveSpecThrow
String ID:
API String ID: 25407458-3916222277
Opcode ID: a8093d9f32b19932fcb5fa0b841661ab890509da88cd8233f85e449464dc7c9d
Instruction ID: 66764871356f41b26bc8b7772e133a571632175e05fa0a4ae417dc0a2bdd2b25
Opcode Fuzzy Hash: a8093d9f32b19932fcb5fa0b841661ab890509da88cd8233f85e449464dc7c9d
Instruction Fuzzy Hash: 83F1E0309012969FDF28CFA4C991ABEB774FF04318F18426DE926ABA91D730D905CB71

Uniqueness

Uniqueness Score: -1.00%

Function 6CB762B4 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 6CB76344
_memset.LIBCMT ref: 6CB76352
_free.LIBCMT ref: 6CB7637E
IsWindow.USER32(?), ref: 6CB7649F

Strings

0, xrefs: 6CB76368

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ClientScreenWindow_free_memset
String ID: 0
API String ID: 2869304798-4108050209
Opcode ID: a0c0642dc2823a0cbd9789988a3e9d842aa7b29110ccd26d15f962e4f2b0e71d
Instruction ID: cb52a283583162579de51858825723df3f292e7ddbc13202316a02d68d253517
Opcode Fuzzy Hash: a0c0642dc2823a0cbd9789988a3e9d842aa7b29110ccd26d15f962e4f2b0e71d
Instruction Fuzzy Hash: 2951A230A01284EFDF209F65D888B9EBBB1EF05318F100129EC65E7A91DB749895CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB9E81 Relevance: 15.1, APIs: 10, Instructions: 146windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 6CBB9EA7
ScreenToClient.USER32(?,?), ref: 6CBB9F25
GetSystemMetrics.USER32(00000021), ref: 6CBB9F33
GetSystemMetrics.USER32(00000020), ref: 6CBB9F3C
IsIconic.USER32(?), ref: 6CBB9F4A
GetSystemMetrics.USER32(00000004), ref: 6CBB9F56
PtInRect.USER32(00000000,?,?), ref: 6CBB9F9D
PtInRect.USER32(?,?,?), ref: 6CBB9FC6
GetSystemMetrics.USER32(00000004), ref: 6CBB9FDC
PtInRect.USER32(00000020,?,?), ref: 6CBB9FF4

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MetricsSystem$Rect$ClientIconicScreenVisibleWindow
String ID:
API String ID: 1122842830-0
Opcode ID: 453159b918c2ae73a3867f7eb8edca448744f815031212f1f6b7b75dd8d8d5c9
Instruction ID: aeaa323591d0bf13cb66bedac75c99017d39fcd7f61e3f4f67c27b5033bc3ec2
Opcode Fuzzy Hash: 453159b918c2ae73a3867f7eb8edca448744f815031212f1f6b7b75dd8d8d5c9
Instruction Fuzzy Hash: 5A517B31A0025AAFDF04CFA4C884AAEB7B9FF08314F504169F918FB650EB30E954DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CBC637D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 6CBC63B3

Strings

y, xrefs: 6CBC63F4

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: RectWindow
String ID: y
API String ID: 861336768-4225443349
Opcode ID: c8d7bff4770ec4053c5463e7c128194cea06cc6a27009933fe3182a5858cc7c9
Instruction ID: 1eb8e5ef3b0feb13ce90ec9a43ddb154bd9f351e666e7df613fad71ba61ed7b6
Opcode Fuzzy Hash: c8d7bff4770ec4053c5463e7c128194cea06cc6a27009933fe3182a5858cc7c9
Instruction Fuzzy Hash: 5B31E072B40288AFCF009F69C885FAE77B4EB49318F55413AE925E7541DB388940CB43

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5778C Relevance: 12.1, APIs: 8, Instructions: 132filestringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB57796
GetFullPathNameW.KERNEL32(00000000,00000104,?,?,00000268,6CB57971,?,?,00000000), ref: 6CB577D4

Part of subcall function 6CB4BCE0: __CxxThrowException@8.LIBCMT ref: 6CB4BCF6
Part of subcall function 6CB4BCE0: __EH_prolog3.LIBCMT ref: 6CB4BD03

PathIsUNCW.SHLWAPI(?), ref: 6CB57850
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6CB57877
CharUpperW.USER32(?), ref: 6CB578AA
FindFirstFileW.KERNEL32(?,?), ref: 6CB578C6
FindClose.KERNEL32(00000000), ref: 6CB578D2
lstrlenW.KERNEL32(?), ref: 6CB578F0

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3H_prolog3_InformationNameThrowUpperVolumelstrlen
String ID:
API String ID: 624941980-0
Opcode ID: f4e0e957027554d009ec397631cc80db1743d33ed876263b73b469757a56ae8a
Instruction ID: 1537c69472f5d895d4180f93ae253481d28b601342f69e70c9b1c36e407d6fa3
Opcode Fuzzy Hash: f4e0e957027554d009ec397631cc80db1743d33ed876263b73b469757a56ae8a
Instruction Fuzzy Hash: 7041C6B0A18165AFDF15AF71CC8CBEE7638EF01318F9086D8A419F1590DB719AA4CF21

Uniqueness

Uniqueness Score: -1.00%

Function 6CB7329A Relevance: 9.1, APIs: 6, Instructions: 116keyboardwindowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000362,0000E002,00000000), ref: 6CB7331C
UpdateWindow.USER32(?), ref: 6CB73333
GetKeyState.USER32(00000079), ref: 6CB73358
GetKeyState.USER32(00000012), ref: 6CB73365
GetParent.USER32(?), ref: 6CB7341B
PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 6CB73437

Part of subcall function 6CB4BCE0: __CxxThrowException@8.LIBCMT ref: 6CB4BCF6
Part of subcall function 6CB4BCE0: __EH_prolog3.LIBCMT ref: 6CB4BD03

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageState$Exception@8H_prolog3ParentPostSendThrowUpdateWindow
String ID:
API String ID: 2390574533-0
Opcode ID: 13b0824eacb63056dc85be190c3dc1ce73a6e3090880a7a226ce18247a3d6e2d
Instruction ID: a4afd13cdd9ff21613a58e3025027301d5bf37a4bd3f89969a1269930c9857b7
Opcode Fuzzy Hash: 13b0824eacb63056dc85be190c3dc1ce73a6e3090880a7a226ce18247a3d6e2d
Instruction Fuzzy Hash: DF41CF32301785DFE7358F20C848F9A7BB1FF40308F218668E8AA57A90CFB4A455CB21

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB9CA2 Relevance: 7.7, APIs: 5, Instructions: 153windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CBB9CA9
RedrawWindow.USER32(?,?,?,00000541), ref: 6CBB9E6F

Part of subcall function 6CB5676A: GetWindowLongW.USER32(?,000000F0), ref: 6CB56775

GetSystemMenu.USER32(?,00000000), ref: 6CBB9CE3
IsMenu.USER32(?), ref: 6CBB9D02
IsMenu.USER32(?), ref: 6CBB9D10

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Menu$Window$H_prolog3LongRedrawSystem
String ID:
API String ID: 1445310841-0
Opcode ID: 40fdbfd042ff0e0a396d757fa6157bdfaebb22ab0f1607bdca3a63226bd905a2
Instruction ID: daf1dab34f2ee533b3d919cd57f116988aa780a7608302782e097f3d2fc4607c
Opcode Fuzzy Hash: 40fdbfd042ff0e0a396d757fa6157bdfaebb22ab0f1607bdca3a63226bd905a2
Instruction Fuzzy Hash: FA51DD31E006558FDB04CFB8C940BEEB7B1AF54308F248228E925FBA94DF709904CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6B1E9 Relevance: 7.6, APIs: 5, Instructions: 86keyboardwindowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6CB6B21D
GetKeyState.USER32(00000012), ref: 6CB6B24F
GetKeyState.USER32(00000011), ref: 6CB6B258
SendMessageW.USER32(?,00000157,00000000,00000000), ref: 6CB6B271
SendMessageW.USER32(?,0000014F,00000001,00000000), ref: 6CB6B282

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSendState$Parent
String ID:
API String ID: 1284845784-0
Opcode ID: 5576fc98e6cae6d27cc0267b0c3f04b525ff99a8990f7e3dd5a277d992208e6d
Instruction ID: 8ca5b5b255df8c97dce1652c148f92f163b8ff5cc8f35caa9409de72194de3c3
Opcode Fuzzy Hash: 5576fc98e6cae6d27cc0267b0c3f04b525ff99a8990f7e3dd5a277d992208e6d
Instruction Fuzzy Hash: D1213B32340A849BDE066A67CC48E6E3EF6FFC5758F240519F14157EA4EF319841AB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CC39185 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6CC3F3EF
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CC3F404
UnhandledExceptionFilter.KERNEL32(6CC83F60), ref: 6CC3F40F
GetCurrentProcess.KERNEL32(C0000409), ref: 6CC3F42B
TerminateProcess.KERNEL32(00000000), ref: 6CC3F432

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8eb6f0a622350d04b8f551b208cdb5a17b7aaea7ca1c1d3aee44214abc047d2a
Instruction ID: e64d1ebca9c874208fb8f82d5a08b0d52ad4543279ffd8c5d831b30908914752
Opcode Fuzzy Hash: 8eb6f0a622350d04b8f551b208cdb5a17b7aaea7ca1c1d3aee44214abc047d2a
Instruction Fuzzy Hash: C321D2B8A05219DFDF00DFE9E44D6483BB8FB0A324F50451EE508A7B40E7B058A58FD5

Uniqueness

Uniqueness Score: -1.00%

Function 6CB85CBF Relevance: 6.2, APIs: 4, Instructions: 183COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,00000000,000000F1), ref: 6CB85CE9

Part of subcall function 6CB4BCE0: __CxxThrowException@8.LIBCMT ref: 6CB4BCF6
Part of subcall function 6CB4BCE0: __EH_prolog3.LIBCMT ref: 6CB4BD03

LoadResource.KERNEL32(?,00000000), ref: 6CB85CFC
LockResource.KERNEL32(00000000), ref: 6CB85D0A
FreeResource.KERNEL32(?), ref: 6CB85EAE

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Resource$Exception@8FindFreeH_prolog3LoadLockThrow
String ID:
API String ID: 1564530344-0
Opcode ID: 411b8290be2a2209d745f666513946ad34cff5d5934f58c5570a67bd986c1584
Instruction ID: 3040cf8c39e798a568ba5349811db85532b4fd29e3474fa0fb64fbd9a23dba16
Opcode Fuzzy Hash: 411b8290be2a2209d745f666513946ad34cff5d5934f58c5570a67bd986c1584
Instruction Fuzzy Hash: 1D611570A05246EFEB059FA5C944AAEBBB4FF04348F108129EC16A7750FB70C954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 6CB7BDCA Relevance: 6.1, APIs: 4, Instructions: 137keyboardwindowCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32(00000001), ref: 6CB7BE0B
WindowFromPoint.USER32(?,?), ref: 6CB7BE4B
SendMessageW.USER32(?,00000000,?,00000000), ref: 6CB7BEBE
ScreenToClient.USER32(?,?), ref: 6CB7BF1F

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AsyncClientFromMessagePointScreenSendStateWindow
String ID:
API String ID: 227561881-0
Opcode ID: 8ccb11bf7bdb55445a7bc1ea31f2f56c0fdc95a061607dad2497ce28804805f8
Instruction ID: 0821fc9bd3925c5eeb9c8c8ab7c3dcbb080846d5f35aee58a3f92886f63a9072
Opcode Fuzzy Hash: 8ccb11bf7bdb55445a7bc1ea31f2f56c0fdc95a061607dad2497ce28804805f8
Instruction Fuzzy Hash: 64517071604246EFDF189F65C8449EEB7B5FB48708F10862EED2697A50EB30D950CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB8B09 Relevance: 4.5, APIs: 3, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 6CBB8B34
GetKeyState.USER32(00000011), ref: 6CBB8B3D
GetKeyState.USER32(00000012), ref: 6CBB8B46

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: d318cf363328d0003d0f62471d45eec06176f8edabe29c1c93376104ca685789
Instruction ID: c9dc7fdc0b05689c969f3932610d336b64e0a24fadec18266bb1c657c2aa9e53
Opcode Fuzzy Hash: d318cf363328d0003d0f62471d45eec06176f8edabe29c1c93376104ca685789
Instruction Fuzzy Hash: 1FF0A77124328B9AEF105AF0CC10FE17A64EB00784F448877AB4877440CE73D541C671

Uniqueness

Uniqueness Score: -1.00%

Function 6CBBAFD1 Relevance: 3.1, APIs: 2, Instructions: 57windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 6CBBB025
PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 6CBBB075

Part of subcall function 6CB5676A: GetWindowLongW.USER32(?,000000F0), ref: 6CB56775

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: IconicLongMessagePostWindow
String ID:
API String ID: 1855654840-0
Opcode ID: 1e95eb06338c7d4ab7e6e34bf1a57bfb7d43daff0e18e6683c5ee7717daa74a2
Instruction ID: d4b76ff0ea57a3fdabb99c159775a8ea499fcfba12037fb1c3eae27c0c7cb632
Opcode Fuzzy Hash: 1e95eb06338c7d4ab7e6e34bf1a57bfb7d43daff0e18e6683c5ee7717daa74a2
Instruction Fuzzy Hash: A411C473250B81CBD7308E39C8C4BBAB7AAEB45718F940729E171E29A1CF35D8448626

Uniqueness

Uniqueness Score: -1.00%

Function 6CB73ABC Relevance: 3.0, APIs: 2, Instructions: 37windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 6CB73AD0
IsIconic.USER32(?), ref: 6CB73AE2

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: IconicVisibleWindow
String ID:
API String ID: 1797901696-0
Opcode ID: 29ebb918b05d7a109785cc49bcc9b455dcfcc0d2dc1ff620cf1e23a00d54d20b
Instruction ID: f53c3f9b45dc0b63dd42b550c0fea3454a633361123f2bb58a29592db516182f
Opcode Fuzzy Hash: 29ebb918b05d7a109785cc49bcc9b455dcfcc0d2dc1ff620cf1e23a00d54d20b
Instruction Fuzzy Hash: A0F0E2323419916BCA20152BDC0594FBA79EBC2A35311032AEC75E3AE0EB60CC1282B2

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5CFC0 Relevance: 3.0, APIs: 2, Instructions: 34comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 6CB5CFEE
CoCreateInstance.OLE32(6CC87888,00000000,00000001,6CC61D1C,6CCAAED4,-0000043C,?,?,6CB778FD,00000000,?,6CBBC1E6), ref: 6CB5D00C

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CreateInitializeInstance
String ID:
API String ID: 3519745914-0
Opcode ID: 7cc170f8dc1a619616907f4fb8a5b0a02eca2f97f4decfa2ce4936f432ae7eef
Instruction ID: eff576806be618b0c929c956f51f447f7bfee28602ee3a9c67a6eb4d727b2f39
Opcode Fuzzy Hash: 7cc170f8dc1a619616907f4fb8a5b0a02eca2f97f4decfa2ce4936f432ae7eef
Instruction Fuzzy Hash: C4F02E71240182DFDB105EA0EDC89D677BEE78530DFB8053CF104A6801C77248A3DB11

Uniqueness

Uniqueness Score: -1.00%

Function 6CB789B2 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

SetForegroundWindow.USER32(?), ref: 6CB789DF
IsIconic.USER32(?), ref: 6CB789E8

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ForegroundIconicWindow
String ID:
API String ID: 1248896474-0
Opcode ID: 626c817efc9d0b2d48575d1dca3a2f5c38da2aa39d61333b24d052d1ffb2b880
Instruction ID: 5af2d637a3d2a2ac2afb3ff181e277a4f06e8600df359b036dbf90bd3e76e512
Opcode Fuzzy Hash: 626c817efc9d0b2d48575d1dca3a2f5c38da2aa39d61333b24d052d1ffb2b880
Instruction Fuzzy Hash: 8CE0EC332045515FDA241A659C08D5E3A75EF857317110217F965A6AD4EF21C8514761

Uniqueness

Uniqueness Score: -1.00%

Function 6CB78A56 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 6CB78A76

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: 79812059cb1abb911a49a825539fe30944cae1a480d06f0327eda0687fe930cf
Instruction ID: 5f3fa17dfe93cb94ac40945dcc490c2d1bd72d714b199e01d50af60f4697c5e9
Opcode Fuzzy Hash: 79812059cb1abb911a49a825539fe30944cae1a480d06f0327eda0687fe930cf
Instruction Fuzzy Hash: 7AE020333689516FDB155534E844D7F27E5DFC5721714052AF515E3D90EF21D80192B0

Uniqueness

Uniqueness Score: -1.00%

Function 6CBA13F2 Relevance: 52.8, APIs: 28, Strings: 2, Instructions: 323fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CBA13FC
GetModuleFileNameW.KERNEL32(00000000,?,00000104,6CC61A84,00000000,6CC88600,00000000,6CC885FC,00000000,?,00000A90,6CBA19B0,?,00000000,00000084,6CBA1E57), ref: 6CBA14AB
__wsplitpath_s.LIBCMT ref: 6CBA14D7
__wsplitpath_s.LIBCMT ref: 6CBA14F6
__wmakepath_s.LIBCMT ref: 6CBA1523
_wcslen.LIBCMT ref: 6CBA152F
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,6CC885FC,00000000,?,00000A90,6CBA19B0,?,00000000,00000084,6CBA1E57), ref: 6CBA1567

Strings

Pl)u, xrefs: 6CBA1603, 6CBA169A
, xrefs: 6CBA18A3

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: File__wsplitpath_s$CreateH_prolog3_ModuleName__wmakepath_s_wcslen
String ID: $Pl)u
API String ID: 1221639053-1824918255
Opcode ID: aeb7659da8758343436ec82d508f0689dedfa75391fbe954d14426319260bfd7
Instruction ID: 55fc4d22c7166156843681461d04a55317207f2a4fef929638684deeb2dee1ac
Opcode Fuzzy Hash: aeb7659da8758343436ec82d508f0689dedfa75391fbe954d14426319260bfd7
Instruction Fuzzy Hash: B5D14A71A04268EFDF609FA0CC84ADDB778EF0A318F5441E9F549A2A50DB309E95CF52

Uniqueness

Uniqueness Score: -1.00%

Function 6CBA1E5F Relevance: 45.8, APIs: 25, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CBA1E69
CopyImage.USER32(?,00000000,00000000,00000000,00002000), ref: 6CBA1EAC
GetObjectW.GDI32(?,00000018,?), ref: 6CBA1EE6
DeleteObject.GDI32(?), ref: 6CBA1F63
CreateCompatibleDC.GDI32(00000000), ref: 6CBA1F9D
GetObjectW.GDI32(?,00000018,?), ref: 6CBA1FB9

Strings

Pl)u, xrefs: 6CBA1EE6, 6CBA1FB9, 6CBA2012

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Object$CompatibleCopyCreateDeleteH_prolog3_Image
String ID: Pl)u
API String ID: 641560573-3484285090
Opcode ID: 8b4425438622e1709ca52111e313766e821ef30011fea7a2249528eb1134de95
Instruction ID: a3a7c3b7053ec202cb94d455bf538770bf7fa65bbb7bed0104c621f72eeee9e3
Opcode Fuzzy Hash: 8b4425438622e1709ca52111e313766e821ef30011fea7a2249528eb1134de95
Instruction Fuzzy Hash: 7EC142718002A8EFDF619FA1CC84ADDBBB5EF09304F5041E9E58DA2660DB319EA5DF41

Uniqueness

Uniqueness Score: -1.00%

Function 6CB82E79 Relevance: 41.0, APIs: 27, Instructions: 457keyboardCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB82E80
GetParent.USER32(?), ref: 6CB82EDB
GetParent.USER32(?), ref: 6CB82EF7
UpdateWindow.USER32(?), ref: 6CB82F3F
SetCursor.USER32(?,00000000), ref: 6CB82F64
GetAsyncKeyState.USER32(00000012), ref: 6CB82FC6
UpdateWindow.USER32(?), ref: 6CB830CC
InflateRect.USER32(?,00000002,00000002), ref: 6CB8312C
SetCapture.USER32(?), ref: 6CB83135
SetCursor.USER32(00000000), ref: 6CB8314D
IsWindow.USER32(?), ref: 6CB831EB
GetCursorPos.USER32(?), ref: 6CB8322A
ScreenToClient.USER32(?,?), ref: 6CB83237
PtInRect.USER32(?,?,?), ref: 6CB83253
RedrawWindow.USER32(?,00000000,00000000,00000505,?,?,?,?,?,?,?,00000000), ref: 6CB832C7
GetParent.USER32(?), ref: 6CB832E2
GetParent.USER32(?), ref: 6CB832F6
RedrawWindow.USER32(?,00000000,00000000,00000505,00000000,?,?,?,?,?,?,?,00000000), ref: 6CB83308
RedrawWindow.USER32(?,00000000,00000000,00000505,?,?,?,?,?,?,?,00000000), ref: 6CB8332A
GetParent.USER32(?), ref: 6CB83333
GetParent.USER32(?), ref: 6CB8334E
GetParent.USER32(?), ref: 6CB83359
InvalidateRect.USER32(?,?,00000001,?,?,?,?,?,?,?,00000000), ref: 6CB83391
RedrawWindow.USER32(?,00000000,00000000,00000505,00000000,?,00000000,?,?,?,?,?,?,00000000), ref: 6CB834C9

Part of subcall function 6CB8066E: InvalidateRect.USER32(?,?,00000001,?), ref: 6CB806E3
Part of subcall function 6CB8066E: InflateRect.USER32(?,?,?), ref: 6CB80729
Part of subcall function 6CB8066E: RedrawWindow.USER32(?,?,00000000,00000401,?,?), ref: 6CB8073C

UpdateWindow.USER32(?), ref: 6CB83429
UpdateWindow.USER32(?), ref: 6CB83488
SetCapture.USER32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 6CB83493

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$Parent$RectRedraw$Update$Cursor$CaptureInflateInvalidate$AsyncClientH_prolog3_ScreenState
String ID:
API String ID: 991125134-0
Opcode ID: 7a0a3dd54f47faf65470b8272758c9214b149cae0e2fae0c76753a4c1664648a
Instruction ID: 922d349d79f82abdb7984b6dd39f3fb8189c934fa3f8a77a15e3dbb2612ee4b5
Opcode Fuzzy Hash: 7a0a3dd54f47faf65470b8272758c9214b149cae0e2fae0c76753a4c1664648a
Instruction Fuzzy Hash: B8028D70602254DFCF059FA4C898ADE3BB5FF49714F1442B9E91AABAA5DF308844CF61

Uniqueness

Uniqueness Score: -1.00%

Function 6CBA6DA6 Relevance: 40.8, APIs: 27, Instructions: 344COMMON

Download Yara Rule

APIs

Part of subcall function 6CB56784: GetWindowLongW.USER32(?,000000EC), ref: 6CB5678F

GetClientRect.USER32(?,00000000), ref: 6CBA6E18
CopyRect.USER32(?,?), ref: 6CBA6E4A

Part of subcall function 6CB596EA: ScreenToClient.USER32(?,?), ref: 6CB596FB
Part of subcall function 6CB596EA: ScreenToClient.USER32(?,?), ref: 6CB59708

IntersectRect.USER32(?,?,?), ref: 6CBA6E99
SetRectEmpty.USER32(?), ref: 6CBA6EA7
IntersectRect.USER32(?,?,?), ref: 6CBA6ED9
SetRectEmpty.USER32(?), ref: 6CBA6EE7
IsRectEmpty.USER32(?), ref: 6CBA6EF7
IsRectEmpty.USER32(?), ref: 6CBA6F01
GetWindowRect.USER32(?,?), ref: 6CBA6F2C
GetWindowRect.USER32(?,?), ref: 6CBA6F4F
UnionRect.USER32(?,?,?), ref: 6CBA6F6C
EqualRect.USER32(?,?), ref: 6CBA6F7A
GetWindowRect.USER32(?,?), ref: 6CBA7005
IsRectEmpty.USER32(?), ref: 6CBA706F
MapWindowPoints.USER32(?,?,?,00000002), ref: 6CBA708C
RedrawWindow.USER32(?,?,00000000,00000185), ref: 6CBA70A0
IsRectEmpty.USER32(?), ref: 6CBA70BA
EqualRect.USER32(?,?), ref: 6CBA70C8
MapWindowPoints.USER32(?,?,?,00000002), ref: 6CBA70E5
RedrawWindow.USER32(?,?,00000000,00000185), ref: 6CBA70F9
UpdateWindow.USER32(?), ref: 6CBA710E
IsRectEmpty.USER32(?), ref: 6CBA7152
InvalidateRect.USER32(?,?,00000001), ref: 6CBA7167
IsRectEmpty.USER32(?), ref: 6CBA716D
EqualRect.USER32(?,?), ref: 6CBA717F
InvalidateRect.USER32(?,?,00000001), ref: 6CBA7192
UpdateWindow.USER32(?), ref: 6CBA7197

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Window$Empty$ClientEqual$IntersectInvalidatePointsRedrawScreenUpdate$CopyLongUnion
String ID:
API String ID: 4119827998-0
Opcode ID: b0f7dd43012cc7885af6c63089c2cdc1aa1796776aa1f673c6fdc68f0e8ab7e9
Instruction ID: f3f7a9bd10982e7e5bf368703bd74836fdd09e9a162cb1cb86ec737cb4d9206e
Opcode Fuzzy Hash: b0f7dd43012cc7885af6c63089c2cdc1aa1796776aa1f673c6fdc68f0e8ab7e9
Instruction Fuzzy Hash: 26D1F7B2A042199FDF11DFA8C944AEEB7B9FF09304F2041AAE909F7145D771AA45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6CC42261 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,6CC39D62,6CC9D520,00000008,6CC39EF6,?,?,?,6CC9D540,0000000C,6CC39FB1,?), ref: 6CC42269
__mtterm.LIBCMT ref: 6CC42275

Part of subcall function 6CC41F40: DecodePointer.KERNEL32(00000006,6CC39E25,6CC39E0B,6CC9D520,00000008,6CC39EF6,?,?,?,6CC9D540,0000000C,6CC39FB1,?), ref: 6CC41F51
Part of subcall function 6CC41F40: TlsFree.KERNEL32(00000018,6CC39E25,6CC39E0B,6CC9D520,00000008,6CC39EF6,?,?,?,6CC9D540,0000000C,6CC39FB1,?), ref: 6CC41F6B
Part of subcall function 6CC41F40: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,6CC39E25,6CC39E0B,6CC9D520,00000008,6CC39EF6,?,?,?,6CC9D540,0000000C,6CC39FB1,?), ref: 6CC45DC4
Part of subcall function 6CC41F40: _free.LIBCMT ref: 6CC45DC7
Part of subcall function 6CC41F40: DeleteCriticalSection.KERNEL32(00000018,?,?,6CC39E25,6CC39E0B,6CC9D520,00000008,6CC39EF6,?,?,?,6CC9D540,0000000C,6CC39FB1,?), ref: 6CC45DEE

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6CC4228B
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6CC42298
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6CC422A5
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6CC422B2
TlsAlloc.KERNEL32(?,?,6CC39D62,6CC9D520,00000008,6CC39EF6,?,?,?,6CC9D540,0000000C,6CC39FB1,?), ref: 6CC42302
TlsSetValue.KERNEL32(00000000,?,?,6CC39D62,6CC9D520,00000008,6CC39EF6,?,?,?,6CC9D540,0000000C,6CC39FB1,?), ref: 6CC4231D
__init_pointers.LIBCMT ref: 6CC42327
EncodePointer.KERNEL32(?,?,6CC39D62,6CC9D520,00000008,6CC39EF6,?,?,?,6CC9D540,0000000C,6CC39FB1,?), ref: 6CC42338
EncodePointer.KERNEL32(?,?,6CC39D62,6CC9D520,00000008,6CC39EF6,?,?,?,6CC9D540,0000000C,6CC39FB1,?), ref: 6CC42345
EncodePointer.KERNEL32(?,?,6CC39D62,6CC9D520,00000008,6CC39EF6,?,?,?,6CC9D540,0000000C,6CC39FB1,?), ref: 6CC42352
EncodePointer.KERNEL32(?,?,6CC39D62,6CC9D520,00000008,6CC39EF6,?,?,?,6CC9D540,0000000C,6CC39FB1,?), ref: 6CC4235F
DecodePointer.KERNEL32(Function_001020C4,?,?,6CC39D62,6CC9D520,00000008,6CC39EF6,?,?,?,6CC9D540,0000000C,6CC39FB1,?), ref: 6CC42380
__calloc_crt.LIBCMT ref: 6CC42395
DecodePointer.KERNEL32(00000000,?,?,6CC39D62,6CC9D520,00000008,6CC39EF6,?,?,?,6CC9D540,0000000C,6CC39FB1,?), ref: 6CC423AF
GetCurrentThreadId.KERNEL32 ref: 6CC423C1

Strings

FlsAlloc, xrefs: 6CC42285
FlsSetValue, xrefs: 6CC4229A
FlsFree, xrefs: 6CC422A7
FlsGetValue, xrefs: 6CC4228D
KERNEL32.DLL, xrefs: 6CC42264

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: 9fbce3236fc07cc68cd9709803abbeb642c2cbab3e2d41e572d9737d50f5bb2a
Instruction ID: 7badde30699b069f5ec0ddfc343e9a52d55e3765fba38568fc1ed0df3a52304a
Opcode Fuzzy Hash: 9fbce3236fc07cc68cd9709803abbeb642c2cbab3e2d41e572d9737d50f5bb2a
Instruction Fuzzy Hash: 05318F75E012149EEF159FF5EC1D65E3EB9AB4A364B10899AE810E3A90FB309061CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 6CBA27EB Relevance: 38.8, APIs: 20, Strings: 2, Instructions: 278windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(?,?,00000000,00000000,00000000,00002000), ref: 6CBA28D4
GetObjectW.GDI32(?,00000018,?), ref: 6CBA2905
DeleteObject.GDI32(?), ref: 6CBA2912
CreateCompatibleDC.GDI32(00000000), ref: 6CBA2956
GetObjectW.GDI32(?,00000018,?), ref: 6CBA296E
SelectObject.GDI32(?,?), ref: 6CBA2994
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6CBA29B2
SelectObject.GDI32(?,?), ref: 6CBA29C5
CreateCompatibleDC.GDI32(?), ref: 6CBA29DB
SelectObject.GDI32(?,?), ref: 6CBA29F0
SelectObject.GDI32(?,?), ref: 6CBA29FF
DeleteObject.GDI32(?), ref: 6CBA2A04
BitBlt.GDI32(?,00000000,00000000,6CB8FEEF,?,?,00000000,00000000,00CC0020), ref: 6CBA2A24
GetPixel.GDI32(?,?,?), ref: 6CBA2A43
SetPixel.GDI32(?,?,?,00000000), ref: 6CBA2A79
SelectObject.GDI32(?,?), ref: 6CBA2A9B
SelectObject.GDI32(?,?), ref: 6CBA2AA3
DeleteObject.GDI32(?), ref: 6CBA2AA8
DeleteObject.GDI32(?), ref: 6CBA2B2A
__EH_prolog3.LIBCMT ref: 6CBA27F2

Part of subcall function 6CB56B58: DeleteObject.GDI32(00000000), ref: 6CB56B71

Strings

Pl)u, xrefs: 6CBA2905, 6CBA296E
, xrefs: 6CBA291A

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Object$Select$Delete$CompatibleCreate$Pixel$BitmapH_prolog3ImageLoad
String ID: $Pl)u
API String ID: 2657855633-1824918255
Opcode ID: 8d86c75faff0f37e151e7bd7014c8e807bd6f3b14154f88c7a176c096a9edd74
Instruction ID: 9bb035a223ebe5dbbdecce9f577b986d96cf0afac534f85b6cf64b4b77351315
Opcode Fuzzy Hash: 8d86c75faff0f37e151e7bd7014c8e807bd6f3b14154f88c7a176c096a9edd74
Instruction Fuzzy Hash: 37B19D70D04299EFCF04DFE1C984AEDBB75FF04308F508129F959A2A50DB309A6ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 6CB491C0 Relevance: 33.7, APIs: 18, Strings: 1, Instructions: 454COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6CB49265

Part of subcall function 6CC3A59F: RaiseException.KERNEL32(6CB42DF8,00000000,D7F0CEE4,6CC88058,6CB42DF8,00000000,6CC9DBD8,?,D7F0CEE4), ref: 6CC3A5E1

std::exception::exception.LIBCMT ref: 6CB4923C

Part of subcall function 6CC3963D: std::exception::operator=.LIBCMT ref: 6CC39656

std::exception::exception.LIBCMT ref: 6CB492BE
__CxxThrowException@8.LIBCMT ref: 6CB492E7
std::exception::exception.LIBCMT ref: 6CB49336
__CxxThrowException@8.LIBCMT ref: 6CB49353
std::exception::exception.LIBCMT ref: 6CB493B4

Strings

vector<T> too long, xrefs: 6CB49641, 6CB4969E

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$ExceptionRaisestd::exception::operator=
String ID: vector<T> too long
API String ID: 1288149269-3788999226
Opcode ID: 9cecccd39da77e666c22ffba4c21480e82bbedded376e3526221f3912f6a9c00
Instruction ID: 3a67a5c04d7d7b47207df7b23c84bff5bcc3f0482e294ea3fec2ed23889ad0b9
Opcode Fuzzy Hash: 9cecccd39da77e666c22ffba4c21480e82bbedded376e3526221f3912f6a9c00
Instruction Fuzzy Hash: A1027071E04259DFCB04CFA4C990AEEBBB9FF48304F248159E515AB744EB30AA45DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB9FE99 Relevance: 33.5, APIs: 17, Strings: 2, Instructions: 237COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB9FEA3
GetObjectW.GDI32(6CCABFC0,00000018,?), ref: 6CB9FEE5
CreateCompatibleDC.GDI32(00000000), ref: 6CB9FF21
SelectObject.GDI32(?,6CCABFC0), ref: 6CB9FF44
_memset.LIBCMT ref: 6CB9FF74
GetObjectW.GDI32(?,00000054,?), ref: 6CB9FF95
CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 6CB9FFF7
CreateCompatibleDC.GDI32(?), ref: 6CBA003C
SelectObject.GDI32(?,?), ref: 6CBA005A

Strings

(, xrefs: 6CB9FFF0
Pl)u, xrefs: 6CB9FEE5, 6CB9FF95

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Object$Create$CompatibleSelect$H_prolog3_Section_memset
String ID: ($Pl)u
API String ID: 1904682052-2157283458
Opcode ID: 649bfd9212d8bfeb501b67c27245c29ee3a996a6dba9d7a2725201520f674390
Instruction ID: 5263cdc05499b60d26556b0367a4a9695a4b6c37d8f9c8c2bd077b83d467f77d
Opcode Fuzzy Hash: 649bfd9212d8bfeb501b67c27245c29ee3a996a6dba9d7a2725201520f674390
Instruction Fuzzy Hash: 8BB12874900658DFDB61CF64CC84FDABBB5FF49300F1080A9E98EA6651DB309995CF21

Uniqueness

Uniqueness Score: -1.00%

Function 6CB9DA9D Relevance: 31.8, APIs: 15, Strings: 3, Instructions: 263windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB9DAA7
CreateCompatibleDC.GDI32(00000000), ref: 6CB9DADC
GetObjectW.GDI32(?,00000018,?), ref: 6CB9DAFD
SelectObject.GDI32(?,?), ref: 6CB9DB4F
CreateCompatibleDC.GDI32(?), ref: 6CB9DB7C
CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 6CB9DBE4
SelectObject.GDI32(?,?), ref: 6CB9DC00
SelectObject.GDI32(?,00000000), ref: 6CB9DC1D
SelectObject.GDI32(?,?), ref: 6CB9DC35
DeleteObject.GDI32(?), ref: 6CB9DC3D
BitBlt.GDI32(?,00000000,00000000,?,000000FF,?,00000000,00000000,00CC0020), ref: 6CB9DC66
GetObjectW.GDI32(?,00000054,?), ref: 6CB9DC9C
SelectObject.GDI32(?,?), ref: 6CB9DE91
SelectObject.GDI32(?,?), ref: 6CB9DE9F
DeleteObject.GDI32(?), ref: 6CB9DEA7

Strings

Pl)u, xrefs: 6CB9DAFD, 6CB9DC9C
(, xrefs: 6CB9DBC1
, xrefs: 6CB9DCAA

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Object$Select$Create$CompatibleDelete$H_prolog3_Section
String ID: $($Pl)u
API String ID: 339215182-2532411793
Opcode ID: ff6b0a0b3b4967ad42a7747e0dc049cf5af31ab668394480287627e06792f19c
Instruction ID: d99da5dcb63b5ae07a823dbff44620fa72ea5d539b75d964ec82516c254a783b
Opcode Fuzzy Hash: ff6b0a0b3b4967ad42a7747e0dc049cf5af31ab668394480287627e06792f19c
Instruction Fuzzy Hash: 3FC13570900268DADF24DF65DD44BEDBBB5EF4A300F4081EAE58DA6291DB704A98CF61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB52605 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB5676A: GetWindowLongW.USER32(?,000000F0), ref: 6CB56775

GetParent.USER32(?), ref: 6CB5263F
SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 6CB52660
GetWindowRect.USER32(?,?), ref: 6CB5267F
GetWindowLongW.USER32(00000000,000000F0), ref: 6CB526B1
MonitorFromWindow.USER32(00000000,00000001), ref: 6CB526E5
GetMonitorInfoW.USER32(00000000), ref: 6CB526EC
CopyRect.USER32(?,?), ref: 6CB52700
CopyRect.USER32(?,?), ref: 6CB5270A
GetWindowRect.USER32(00000000,?), ref: 6CB52713
MonitorFromWindow.USER32(00000000,00000002), ref: 6CB52720
GetMonitorInfoW.USER32(00000000), ref: 6CB52727
CopyRect.USER32(?,?), ref: 6CB52735

Strings

(, xrefs: 6CB526C7

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$Rect$Monitor$Copy$FromInfoLong$MessageParentSend
String ID: (
API String ID: 783970248-3887548279
Opcode ID: 571e5ae6a835b82e2b4d0e1edb3e1dfc8e8088ecac89e27923aebdf92acd6e48
Instruction ID: 2ab4869afb54ea87595a3358ace4dad052bd9508b9ce9ee74a8b80790d192165
Opcode Fuzzy Hash: 571e5ae6a835b82e2b4d0e1edb3e1dfc8e8088ecac89e27923aebdf92acd6e48
Instruction Fuzzy Hash: 12614BB2A01229AFCF01DFA8C9889DEBBB8FF09714F540116E501F3685D770A915CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5F6F8 Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 315windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB4BCE0: __CxxThrowException@8.LIBCMT ref: 6CB4BCF6
Part of subcall function 6CB4BCE0: __EH_prolog3.LIBCMT ref: 6CB4BD03

SendMessageW.USER32(?,00001032,00000000,00000000), ref: 6CB5F75D
SendMessageW.USER32(?,0000100C,00000000,00000002), ref: 6CB5F790
ClientToScreen.USER32(?,?), ref: 6CB5F7CA
ScreenToClient.USER32(?,?), ref: 6CB5F7E2
SendMessageW.USER32(?,00001012,00000000,?), ref: 6CB5F7FC
_memset.LIBCMT ref: 6CB5F838
SendMessageW.USER32(?,0000104B,00000000,00000004), ref: 6CB5F86A
SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 6CB5F89C
SendMessageW.USER32(?,0000104B,00000000,00000004), ref: 6CB5F8B9
CreatePopupMenu.USER32 ref: 6CB5F948
TrackPopupMenu.USER32(?,00000102,?,?,00000000,?,00000000), ref: 6CB5F98D
GetMenuDefaultItem.USER32(?,00000000,00000000), ref: 6CB5F9A9
GetParent.USER32(?), ref: 6CB5F9F9
GetParent.USER32(?), ref: 6CB5FA36
GetParent.USER32(?), ref: 6CB5FA49
SendMessageW.USER32(?,?,00000000,00000000), ref: 6CB5FA62

Strings

$, xrefs: 6CB5F9EF

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSend$MenuParent$ClientPopupScreen$CreateDefaultException@8H_prolog3ItemThrowTrack_memset
String ID: $
API String ID: 3041658061-3993045852
Opcode ID: 639f07ea814ce29dd547610525840b382e4d6adeb1b731516f7a7c149e7f956c
Instruction ID: ef25438bc0f5a1a913e5f8ff9883ee6749a4900923a95d037e9c160813b945a1
Opcode Fuzzy Hash: 639f07ea814ce29dd547610525840b382e4d6adeb1b731516f7a7c149e7f956c
Instruction Fuzzy Hash: 8BC113B0A01249EFDF10DFA8C888EAEBBB9FF48308F508529E515E7650D731A951CF21

Uniqueness

Uniqueness Score: -1.00%

Function 6CB9D7BD Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 237windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB9D7C7
CreateCompatibleDC.GDI32(00000000), ref: 6CB9D82E
GetObjectW.GDI32(?,00000018,000000FF), ref: 6CB9D84C
SelectObject.GDI32(?,?), ref: 6CB9D88A
CreateCompatibleDC.GDI32(?), ref: 6CB9D8A8
CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 6CB9D8FE
SelectObject.GDI32(?,?), ref: 6CB9D913
SelectObject.GDI32(?,00000000), ref: 6CB9D929
SelectObject.GDI32(?,?), ref: 6CB9D938
DeleteObject.GDI32(?), ref: 6CB9D93F
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6CB9D991
GetPixel.GDI32(?,?,00000000), ref: 6CB9DA59
SetPixel.GDI32(?,?,00000000,?), ref: 6CB9DA6E
SelectObject.GDI32(?,?), ref: 6CB9DA8B
SelectObject.GDI32(?,?), ref: 6CB9DA93

Strings

Pl)u, xrefs: 6CB9D84C
(, xrefs: 6CB9D8DE

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Object$Select$Create$CompatiblePixel$DeleteH_prolog3_Section
String ID: ($Pl)u
API String ID: 1942225872-2157283458
Opcode ID: ec37c1239564f0f25dccd4b7826858f0bbc9d537433577877cf798be56cd183d
Instruction ID: 940ece4bf3feffddec2a2fdb9e16b4e94345abd21a4ea00e2a28b1c3d3b8598b
Opcode Fuzzy Hash: ec37c1239564f0f25dccd4b7826858f0bbc9d537433577877cf798be56cd183d
Instruction Fuzzy Hash: 17A10FB0D00258EFDF20DFAAD9849DDBBB5FF4A308F608229E515A7660DB30595ACF11

Uniqueness

Uniqueness Score: -1.00%

Function 6CB9D5D6 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 157windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB9D5DD
CreateCompatibleDC.GDI32(00000000), ref: 6CB9D613
GetObjectW.GDI32(6CCABFC0,00000018,?), ref: 6CB9D62A
SelectObject.GDI32(00000000,6CCABFC0), ref: 6CB9D656
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 6CB9D678
SelectObject.GDI32(00000000,00000000), ref: 6CB9D68B
CreateCompatibleDC.GDI32(00000000), ref: 6CB9D69E
SelectObject.GDI32(00808080,?), ref: 6CB9D6AF
SelectObject.GDI32(00000000,00000000), ref: 6CB9D6C0
DeleteObject.GDI32(?), ref: 6CB9D6C5
BitBlt.GDI32(00808080,00000000,00000000,?,6CB8FEEF,00000000,00000000,00000000,00CC0020), ref: 6CB9D6F1
GetPixel.GDI32(00808080,6CB6838F,?), ref: 6CB9D710
SetPixel.GDI32(00808080,6CB6838F,?,00000000), ref: 6CB9D757
SelectObject.GDI32(00808080,?), ref: 6CB9D77B
SelectObject.GDI32(00000000,00000000), ref: 6CB9D783
DeleteObject.GDI32(6CCABFC0), ref: 6CB9D78B

Strings

Pl)u, xrefs: 6CB9D62A

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$DeletePixel$BitmapH_prolog3
String ID: Pl)u
API String ID: 3639146769-3484285090
Opcode ID: 4e3483f580c4a42c7af9c6991387de72e04e430c8cfa52c238e6da4ea23d76e0
Instruction ID: e44fc708465e56436e1bb7c0b90bdd3d16bf57722ccb3cecd8c1e7dde2a13077
Opcode Fuzzy Hash: 4e3483f580c4a42c7af9c6991387de72e04e430c8cfa52c238e6da4ea23d76e0
Instruction Fuzzy Hash: 5F514230900189EFCF02DFA6DD44AEEBB72FF4A314F604129E514B26A0DB315A66DB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB9A675 Relevance: 28.9, APIs: 19, Instructions: 446windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB9A67F
IsWindow.USER32(?), ref: 6CB9A721
GetMenuItemCount.USER32(00000001), ref: 6CB9A87F
AppendMenuW.USER32(00000001,00000800,00000000,00000000), ref: 6CB9A895
AppendMenuW.USER32(00000001,00000000,00000000,00000000), ref: 6CB9A8B0
SendMessageW.USER32(?,0000040C,00000000,00000000), ref: 6CB9A926
SendMessageW.USER32(?,0000041C,00000000,?), ref: 6CB9A963
GetMenuItemCount.USER32(00000001), ref: 6CB9A9B9
AppendMenuW.USER32(00000001,00000800,00000000,00000000), ref: 6CB9A9CF
AppendMenuW.USER32(00000001,00000000,00000000,?), ref: 6CB9A9F0
GetMenuItemCount.USER32(00000001), ref: 6CB9AA57
AppendMenuW.USER32(00000001,00000800,00000000,00000000), ref: 6CB9AA6D
AppendMenuW.USER32(00000001,00000000,00000000,?), ref: 6CB9AA8E
AppendMenuW.USER32(00000002,00000000,00000000,?), ref: 6CB9AB76
GetWindow.USER32(?,00000005), ref: 6CB9ABA7
AppendMenuW.USER32(00000003,00000000,00000000,?), ref: 6CB9AC2D
GetMenuItemCount.USER32(00000000), ref: 6CB9AC72
AppendMenuW.USER32(00000000,00000800,00000000,00000000), ref: 6CB9AC88
AppendMenuW.USER32(00000000,00000000,00000000,?), ref: 6CB9AC9D

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Menu$Append$CountItem$MessageSendWindow$H_prolog3_
String ID:
API String ID: 2495817426-0
Opcode ID: 20ab4d251d420ed328d2c84bcab6b16df50c885310971ad98bae01993c67b007
Instruction ID: 04de55fe8db52c5c3b5cf5575c369e846bf288ec00cca6d8ef6aa731b1aca769
Opcode Fuzzy Hash: 20ab4d251d420ed328d2c84bcab6b16df50c885310971ad98bae01993c67b007
Instruction Fuzzy Hash: 71024A30A042559FEF249FA4CD94BADB7B5FF06308F2080B9E519AB692DF349948DF11

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6DFD3 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 161windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB6DFDA
GetIconInfo.USER32(?,?), ref: 6CB6E08B
GetObjectW.GDI32(?,00000018,?), ref: 6CB6E09A
CreateCompatibleDC.GDI32(00000000), ref: 6CB6E0C6
CopyImage.USER32(?,00000000,00000000,00000000,00002000), ref: 6CB6E0E0
SelectObject.GDI32(?,00000000), ref: 6CB6E0F1
FillRect.USER32(?,?), ref: 6CB6E11E
DrawIconEx.USER32(?,00000000,00000000,?,?,?,00000000,00000000,00000003), ref: 6CB6E13C
SelectObject.GDI32(?,00000000), ref: 6CB6E14A
DeleteObject.GDI32(?), ref: 6CB6E153
DeleteObject.GDI32(?), ref: 6CB6E16B
DeleteObject.GDI32(?), ref: 6CB6E174
DestroyIcon.USER32(?,00000070,6CB6EFC0,?,00000000,00000000,00000000,00000000,00000000), ref: 6CB6E1C6
DestroyIcon.USER32(?), ref: 6CB6E1D0
DestroyIcon.USER32(?), ref: 6CB6E1DA

Strings

Pl)u, xrefs: 6CB6E09A

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Object$Icon$DeleteDestroy$Select$CompatibleCopyCreateDrawFillH_prolog3_ImageInfoRect
String ID: Pl)u
API String ID: 2061919445-3484285090
Opcode ID: 871bda133386c3a1a91ff0ef68af9842b37e3cb63092e4bc40b81f3097ebe0ee
Instruction ID: 596bfda7ba21a22d81087903c38853797b31602f08f57ed6ac95b12fbaa6074e
Opcode Fuzzy Hash: 871bda133386c3a1a91ff0ef68af9842b37e3cb63092e4bc40b81f3097ebe0ee
Instruction Fuzzy Hash: B0614470D00688EFCF12CFA6C9849DEBBB5FF88300F60452AE955B2A10D7329955DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5D141 Relevance: 28.1, APIs: 7, Strings: 9, Instructions: 72libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB51D28: ActivateActCtx.KERNEL32(?,?,6CC92060,00000010,6CB54749,hhctrl.ocx,6CB5397B,0000000C), ref: 6CB51D48

GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 6CB5D16B
GetProcAddress.KERNEL32(745C0000,DrawThemeTextEx), ref: 6CB5D17E
GetProcAddress.KERNEL32(745C0000,BeginBufferedPaint), ref: 6CB5D191
GetProcAddress.KERNEL32(745C0000,EndBufferedPaint), ref: 6CB5D1A4
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea), ref: 6CB5D1EE
GetProcAddress.KERNEL32(73B00000,DwmDefWindowProc), ref: 6CB5D201
GetProcAddress.KERNEL32(73B00000,DwmIsCompositionEnabled), ref: 6CB5D214

Strings

DrawThemeParentBackground, xrefs: 6CB5D165
UxTheme.dll, xrefs: 6CB5D146
BeginBufferedPaint, xrefs: 6CB5D180
DwmIsCompositionEnabled, xrefs: 6CB5D203
DwmExtendFrameIntoClientArea, xrefs: 6CB5D1E8
DrawThemeTextEx, xrefs: 6CB5D16D
dwmapi.dll, xrefs: 6CB5D1CE
EndBufferedPaint, xrefs: 6CB5D193
DwmDefWindowProc, xrefs: 6CB5D1F0

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AddressProc$Activate
String ID: BeginBufferedPaint$DrawThemeParentBackground$DrawThemeTextEx$DwmDefWindowProc$DwmExtendFrameIntoClientArea$DwmIsCompositionEnabled$EndBufferedPaint$UxTheme.dll$dwmapi.dll
API String ID: 2388279185-3875329446
Opcode ID: 7f00c8696691faff55900049b1b1e71c2d37c2bca97fe6a9ad33747bce4ab9ef
Instruction ID: 9f56d5240487b55bbab29ce0a76dd0c5d37571a13456fd88e51cc10bd1a297ac
Opcode Fuzzy Hash: 7f00c8696691faff55900049b1b1e71c2d37c2bca97fe6a9ad33747bce4ab9ef
Instruction Fuzzy Hash: 8F218670840786ABCB216F76DD889DBFAE4FF44309F510D3EE57A93A01D730A0108B40

Uniqueness

Uniqueness Score: -1.00%

Function 6CB62ECB Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 230windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB62ED2
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 6CB62F1D
ClientToScreen.USER32(?,?), ref: 6CB62F52
_memset.LIBCMT ref: 6CB62F92
SendMessageW.USER32 ref: 6CB62FB1
SHGetDesktopFolder.SHELL32(?), ref: 6CB62FD9
GetParent.USER32(?), ref: 6CB63001
CreatePopupMenu.USER32 ref: 6CB63043

Strings

$, xrefs: 6CB630EB

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSend$ClientCreateDesktopFolderH_prolog3_MenuParentPopupScreen_memset
String ID: $
API String ID: 937397865-3993045852
Opcode ID: 7758059ae535d8f821f75060f0ed57f18fd1b1bc3597c6b106246acae39572e2
Instruction ID: ae636f9d56abd8aef3d1d976e16b16bcbeb2bb60c669e98a6a61720b140d5dd0
Opcode Fuzzy Hash: 7758059ae535d8f821f75060f0ed57f18fd1b1bc3597c6b106246acae39572e2
Instruction Fuzzy Hash: D29164B0A01259AFDF05CFA5C8889DEBBB9FF0C714B208519F519E7A90DB319950CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB8BDA0 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB51D28: ActivateActCtx.KERNEL32(?,?,6CC92060,00000010,6CB54749,hhctrl.ocx,6CB5397B,0000000C), ref: 6CB51D48

GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 6CB8BE02
GetProcAddress.KERNEL32(?,CloseThemeData), ref: 6CB8BE0F
GetProcAddress.KERNEL32(?,DrawThemeBackground), ref: 6CB8BE1C
GetProcAddress.KERNEL32(?,GetThemeColor), ref: 6CB8BE29
GetProcAddress.KERNEL32(?,GetThemeSysColor), ref: 6CB8BE36
GetProcAddress.KERNEL32(?,GetCurrentThemeName), ref: 6CB8BE43
GetProcAddress.KERNEL32(?,GetWindowTheme), ref: 6CB8BE50

Strings

UxTheme.dll, xrefs: 6CB8BDA8
GetThemeSysColor, xrefs: 6CB8BE2B
OpenThemeData, xrefs: 6CB8BDFC
CloseThemeData, xrefs: 6CB8BE04
DrawThemeBackground, xrefs: 6CB8BE11
GetThemeColor, xrefs: 6CB8BE1E
GetCurrentThemeName, xrefs: 6CB8BE38
GetWindowTheme, xrefs: 6CB8BE45

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AddressProc$Activate
String ID: CloseThemeData$DrawThemeBackground$GetCurrentThemeName$GetThemeColor$GetThemeSysColor$GetWindowTheme$OpenThemeData$UxTheme.dll
API String ID: 2388279185-1975976892
Opcode ID: 3f79a6b55975c37126dda3099123f8418e66dc8f3c47b64fabf890942417ae4a
Instruction ID: 0c92c514ba19809b522784dfef666cfa56d9bb0899547e648966a2bca9e7b868
Opcode Fuzzy Hash: 3f79a6b55975c37126dda3099123f8418e66dc8f3c47b64fabf890942417ae4a
Instruction Fuzzy Hash: 833104B0811B949ECB319F6B8A84846FBF9BFE46143114E1FE59693E20D7B6E045CF44

Uniqueness

Uniqueness Score: -1.00%

Function 6CC0B9AC Relevance: 24.4, APIs: 16, Instructions: 368COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CC0B9B3
GetCursorPos.USER32(?), ref: 6CC0BA65
IsRectEmpty.USER32(00000000), ref: 6CC0BA99
IsRectEmpty.USER32(?), ref: 6CC0BABF
IsRectEmpty.USER32(00000000), ref: 6CC0BADB
GetWindowRect.USER32(?,00000000), ref: 6CC0BB01
SetRectEmpty.USER32(?), ref: 6CC0BBB8

Part of subcall function 6CB4BAB7: _malloc.LIBCMT ref: 6CB4BAD5

GetWindowRect.USER32(?,00000000), ref: 6CC0BB35
PtInRect.USER32(00000000,?,00000000), ref: 6CC0BB75
OffsetRect.USER32(00000000,?,00000000), ref: 6CC0BB8D

Part of subcall function 6CBD0F36: __EH_prolog3.LIBCMT ref: 6CBD0F3D
Part of subcall function 6CBD0F36: SetRectEmpty.USER32(?), ref: 6CBD1044
Part of subcall function 6CBD0F36: SetRectEmpty.USER32(?), ref: 6CBD104D

OffsetRect.USER32(00000000,?,?), ref: 6CC0BD17
IsRectEmpty.USER32(?), ref: 6CC0BD3C
IsRectEmpty.USER32(?), ref: 6CC0BD61
PtInRect.USER32(00000000,?,?), ref: 6CC0BD71
OffsetRect.USER32(00000000,?,?), ref: 6CC0BD9A
IsRectEmpty.USER32(?), ref: 6CC0BDB1

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Empty$Offset$Window$CursorH_prolog3H_prolog3__malloc
String ID:
API String ID: 1330315114-0
Opcode ID: 90ddd321a570322f7aa0d4622d6a425b89b0310c9affa4262814043ff385862e
Instruction ID: b0dd7005e0f3af0da9cde4228801c52f72a1b8ecb7f63b5ddb09ac677bc7cf3b
Opcode Fuzzy Hash: 90ddd321a570322f7aa0d4622d6a425b89b0310c9affa4262814043ff385862e
Instruction Fuzzy Hash: 86E19C31A01614DFCF05CFA8C894A9EBBB9FF49704F1041AAE905EB659EB32D945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5C5F8 Relevance: 24.2, APIs: 16, Instructions: 245windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB5C5FF
CreateRectRgnIndirect.GDI32(?), ref: 6CB5C63C
CopyRect.USER32(?,?), ref: 6CB5C652
InflateRect.USER32(?,?,?), ref: 6CB5C668
IntersectRect.USER32(?,?,?), ref: 6CB5C676
CreateRectRgnIndirect.GDI32(?), ref: 6CB5C680
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6CB5C695

Part of subcall function 6CB5C420: CombineRgn.GDI32(?,?,?,?), ref: 6CB5C445

CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6CB5C6FD
SetRectRgn.GDI32(?,0000000A,?,?,?), ref: 6CB5C71A
CopyRect.USER32(?,0000000A), ref: 6CB5C725
InflateRect.USER32(?,?,?), ref: 6CB5C73B
IntersectRect.USER32(?,?,0000000A), ref: 6CB5C747
SetRectRgn.GDI32(?,?,?,?,0000000A), ref: 6CB5C75C
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6CB5C788

Part of subcall function 6CB5C44F: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 6CB5C498
Part of subcall function 6CB5C44F: CreatePatternBrush.GDI32(00000000), ref: 6CB5C4A5
Part of subcall function 6CB5C44F: DeleteObject.GDI32(00000000), ref: 6CB5C4B1

Part of subcall function 6CB59C76: SelectObject.GDI32(?,00000000), ref: 6CB59C9C
Part of subcall function 6CB59C76: SelectObject.GDI32(?,?), ref: 6CB59CB2

PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 6CB5C7F9
PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 6CB5C84E

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Create$Object$CopyIndirectInflateIntersectSelect$BitmapBrushCombineDeleteH_prolog3_Pattern
String ID:
API String ID: 3107162742-0
Opcode ID: d3860ee16ffc6da97aa79a8bd50a424c89c899a4c23ff910d9cae34a8c5fa64c
Instruction ID: 3302c21a527a10e3a5c7d21bbde735c48537479c74f25a2ef0363c062cd8c70e
Opcode Fuzzy Hash: d3860ee16ffc6da97aa79a8bd50a424c89c899a4c23ff910d9cae34a8c5fa64c
Instruction Fuzzy Hash: 33A1F0B1E00159AFDF09DFE4C984DEEBBBAFF48304F548119E506A7640DB349A29CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CBC2CFA Relevance: 24.2, APIs: 16, Instructions: 182windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000201,00000201,00000001), ref: 6CBC2D93
SendMessageW.USER32(00000000,00000084,00000000,?), ref: 6CBC2DB0
ReleaseCapture.USER32 ref: 6CBC2DEB
GetMessageW.USER32(?,00000000,000000A1,000000A1), ref: 6CBC2DFA
PeekMessageW.USER32(?,00000000,?,?,00000001), ref: 6CBC2E0E
DispatchMessageW.USER32(?), ref: 6CBC2E15
DispatchMessageW.USER32(?), ref: 6CBC2EC0
GetCursorPos.USER32(?), ref: 6CBC2ECA
PeekMessageW.USER32(?,00000000,?,?,00000001), ref: 6CBC2EEB

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Message$Peek$Dispatch$CaptureCursorReleaseSend
String ID:
API String ID: 597789953-0
Opcode ID: 99d762bf2d7e7bc4971576ab546e135fdf9ae4e54cefda1df6bfe5f2dd62bd5b
Instruction ID: 26d619699003df2608f8911a58d5910f9b6373d896e308cd45511f350bac1da1
Opcode Fuzzy Hash: 99d762bf2d7e7bc4971576ab546e135fdf9ae4e54cefda1df6bfe5f2dd62bd5b
Instruction Fuzzy Hash: 5D519930701691BFEB249BA5CC8CEAF76BCEB56705F101419F952E69A0CB74D9808B63

Uniqueness

Uniqueness Score: -1.00%

Function 6CB735FC Relevance: 22.7, APIs: 15, Instructions: 199windowCOMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32(?), ref: 6CB73666
GetDlgItem.USER32(?,?), ref: 6CB736F0
ShowWindow.USER32(00000000,00000000), ref: 6CB736FB
GetMenu.USER32(?), ref: 6CB7370D
InvalidateRect.USER32(?,00000000,00000001), ref: 6CB73728

Part of subcall function 6CB4BCE0: __CxxThrowException@8.LIBCMT ref: 6CB4BCF6
Part of subcall function 6CB4BCE0: __EH_prolog3.LIBCMT ref: 6CB4BD03

GetDlgItem.USER32(?,0000E900), ref: 6CB73765
SetWindowLongW.USER32(00000000,000000F4,0000EA21), ref: 6CB73782
GetDlgItem.USER32(0000EA21,0000EA21), ref: 6CB7379B
GetDlgItem.USER32(0000E900,0000E900), ref: 6CB737B1
SetWindowLongW.USER32(00000000,000000F4,0000EA21), ref: 6CB737C3
SetWindowLongW.USER32(?,000000F4,0000E900), ref: 6CB737CF
InvalidateRect.USER32(00000001,00000000,00000001), ref: 6CB737E2
SetMenu.USER32(00000000,00000000), ref: 6CB737F9
GetDlgItem.USER32(?,00000000), ref: 6CB73840
ShowWindow.USER32(?,00000005), ref: 6CB7384E

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ItemWindow$Long$InvalidateMenuRectShow$CtrlException@8H_prolog3Throw
String ID:
API String ID: 3935238147-0
Opcode ID: 245ea9d30ab3a11525eca68b00ab5592dbdae980ba55fb286d5a6f138de17d57
Instruction ID: 35ee64a0dca454b9843093d75455f48d96a7a5cd616b4ba34a6990af3ccd651a
Opcode Fuzzy Hash: 245ea9d30ab3a11525eca68b00ab5592dbdae980ba55fb286d5a6f138de17d57
Instruction Fuzzy Hash: 10818030600640EFCB25DF28C888B9A7BF1FF45715F208569E86ADB6A0EB31D950CF61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5AAD2 Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 185COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB5AAD9

Part of subcall function 6CB4BAB7: _malloc.LIBCMT ref: 6CB4BAD5

Part of subcall function 6CB6DC74: __EH_prolog3.LIBCMT ref: 6CB6DC7B

Strings

MFCButton, xrefs: 6CB5AAF4
MFCShellTree, xrefs: 6CB5ACDF
MFCMenuButton, xrefs: 6CB5AC41
MFCVSListBox, xrefs: 6CB5AD0F
MFCShellList, xrefs: 6CB5ACAF
MFCLink, xrefs: 6CB5ABD3
MFCColorButton, xrefs: 6CB5AB2E
MFCFontComboBox, xrefs: 6CB5AB9C
MFCPropertyGrid, xrefs: 6CB5AC78
MFCEditBrowse, xrefs: 6CB5AB65
MFCMaskedEdit, xrefs: 6CB5AC0A

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: H_prolog3$_malloc
String ID: MFCButton$MFCColorButton$MFCEditBrowse$MFCFontComboBox$MFCLink$MFCMaskedEdit$MFCMenuButton$MFCPropertyGrid$MFCShellList$MFCShellTree$MFCVSListBox
API String ID: 1683881009-2110171958
Opcode ID: 68f6c608716618155b4609c0b4c2c30b1f63f3a9352827e2daaa8a67723f1c47
Instruction ID: fa94b42c6335da7402eb003cf202ff797ef5ef4c53de35ff31afe82ee5908d70
Opcode Fuzzy Hash: 68f6c608716618155b4609c0b4c2c30b1f63f3a9352827e2daaa8a67723f1c47
Instruction Fuzzy Hash: 6E51F43060D1D496DF04FFB9D9407FC6AA09F0474DF90445EA52ABAFC4EFB086589A63

Uniqueness

Uniqueness Score: -1.00%

Function 6CB9DF94 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB9DF9E
GetObjectW.GDI32(00000000,00000018,?), ref: 6CB9DFD0
GetObjectW.GDI32(?,00000054,?), ref: 6CB9E008
CreateCompatibleDC.GDI32(00000000), ref: 6CB9E09E
SelectObject.GDI32(?,?), ref: 6CB9E0BD
GetPixel.GDI32(?,?,00000000), ref: 6CB9E14A
GetPixel.GDI32(?,?,00000000), ref: 6CB9E15C
SetPixel.GDI32(?,?,00000000,00000000), ref: 6CB9E16B
SetPixel.GDI32(?,?,00000000,?), ref: 6CB9E17D
SelectObject.GDI32(?,?), ref: 6CB9E1B4

Strings

, xrefs: 6CB9DFE6
, xrefs: 6CB9E00E

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ObjectPixel$Select$CompatibleCreateH_prolog3_
String ID: $
API String ID: 1266819874-227171996
Opcode ID: 4e7c0edbbee88f0fdc7e2a6501c3ceb09294b52506529983098743f241a802f7
Instruction ID: 6dbec80b3339977c4878ffee83ea14fbf21955fd315d745b0460914cb483c7c1
Opcode Fuzzy Hash: 4e7c0edbbee88f0fdc7e2a6501c3ceb09294b52506529983098743f241a802f7
Instruction Fuzzy Hash: E7714570E002A8CFDF20DFA9CC85A9DBBB5FF4A314F644169E508A7611EB319995CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB3592 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 137COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CBB3599
GetObjectW.GDI32(00000018,00000018,6CC6AFB0), ref: 6CBB35B5
_memmove.LIBCMT ref: 6CBB3613

Strings

Pl)u, xrefs: 6CBB35B5
, xrefs: 6CBB35FF

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: H_prolog3Object_memmove
String ID: $Pl)u
API String ID: 107514201-1824918255
Opcode ID: a896d505f0c9b538124f644c07bf976511ace8f7d9c029060034d906d83101fd
Instruction ID: 21606d2a532f9432543f1f6f2ff40e600aa071b516603d1fd1bc98ec71be74ed
Opcode Fuzzy Hash: a896d505f0c9b538124f644c07bf976511ace8f7d9c029060034d906d83101fd
Instruction Fuzzy Hash: 734156B1D0016AAFDF04DFA5CC809EEBB75EF44318F504129E512B76A0DF319A19DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CBA0253 Relevance: 18.2, APIs: 12, Instructions: 226windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CBA025A
TransparentBlt.MSIMG32(?,?,?,?,?,?,?,00000000,?,?,?,00000048,6CBA0E83,?,?,?), ref: 6CBA02B2
CreateCompatibleDC.GDI32(?), ref: 6CBA02F7
CreateCompatibleDC.GDI32(?), ref: 6CBA0314
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6CBA0332
StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,00000000,?,?,00CC0020), ref: 6CBA0396
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,00000000,00CC0020), ref: 6CBA03C4
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 6CBA03D1
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6CBA040A
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,008800C6), ref: 6CBA0438
BitBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,008800C6), ref: 6CBA0465
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00EE0086), ref: 6CBA0480

Part of subcall function 6CB5882C: __EH_prolog3_catch_GS.LIBCMT ref: 6CB58836

Part of subcall function 6CB59936: DeleteDC.GDI32(00000000), ref: 6CB59948

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Create$Compatible$Bitmap$DeleteH_prolog3H_prolog3_catch_StretchTransparent
String ID:
API String ID: 650092443-0
Opcode ID: 94fe152a74ae2361be3fa5946b83d296052d791c351131457207d08a28750027
Instruction ID: 737563c67dae0e58039098a9e576b545a4186fff1039572f26fb7b8451f2f3f6
Opcode Fuzzy Hash: 94fe152a74ae2361be3fa5946b83d296052d791c351131457207d08a28750027
Instruction Fuzzy Hash: 0891D071800189AFCF02DFD0DD80DEEBBB6FF08358F544118F515A6660D7329A2AEB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CBC2EFA Relevance: 18.2, APIs: 12, Instructions: 150windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CBC2B82: LoadCursorW.USER32(00000000,00007F8B), ref: 6CBC2BA3
Part of subcall function 6CBC2B82: LoadCursorW.USER32(?,00007901), ref: 6CBC2BBC

PeekMessageW.USER32(?,?,00000367,00000367,00000003), ref: 6CBC2F32
PostMessageW.USER32(?,00000111,0000E145,00000000), ref: 6CBC2F95
SendMessageW.USER32(?,00000362,0000E002,00000000), ref: 6CBC2FB7
GetCursorPos.USER32(?), ref: 6CBC2FD2
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 6CBC2FFE
ReleaseCapture.USER32 ref: 6CBC304B
SetCapture.USER32(?), ref: 6CBC3050
ReleaseCapture.USER32 ref: 6CBC305C
SendMessageW.USER32(?,00000362,?,00000000), ref: 6CBC3070
SendMessageW.USER32(?,00000111,0000E147,00000000), ref: 6CBC309B
PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 6CBC30B9

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Message$CaptureCursorSend$LoadPeekPostRelease
String ID:
API String ID: 291007519-0
Opcode ID: 2436ff9a2645bc8c96bfdf8dee35c30f556acc18f8596aa56a02e0cfcd2b2e86
Instruction ID: 326b3db268fe34a5db6cf59c3d6fb31342141bd71876c03132c449e91116a2c2
Opcode Fuzzy Hash: 2436ff9a2645bc8c96bfdf8dee35c30f556acc18f8596aa56a02e0cfcd2b2e86
Instruction Fuzzy Hash: B6516D71700648EFDB10AFA0CC88AAEBBBDFF45348F904469F596A75A1DB309940CB12

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6D36E Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 234windowCOMMON

Download Yara Rule

APIs

RealizePalette.GDI32(?), ref: 6CB6D3B6
InflateRect.USER32(?,000000FE,000000FE), ref: 6CB6D48D
InflateRect.USER32(?,000000FF,000000FF), ref: 6CB6D4A9

Part of subcall function 6CB6D239: __EH_prolog3.LIBCMT ref: 6CB6D240
Part of subcall function 6CB6D239: GetSystemPaletteEntries.GDI32(?,00000000,00000100,00000004), ref: 6CB6D2A8
Part of subcall function 6CB6D239: CreatePalette.GDI32(00000000), ref: 6CB6D2F3

InflateRect.USER32(?,000000FF,000000FF), ref: 6CB6D4C5
GetNearestPaletteIndex.GDI32(?,000000FF), ref: 6CB6D4E8
FillRect.USER32(?,?,?), ref: 6CB6D50E
InflateRect.USER32(?,000000FE,000000FE), ref: 6CB6D535
FillRect.USER32(?,?), ref: 6CB6D587
InflateRect.USER32(?,000000FF,000000FF), ref: 6CB6D5CE

Strings

iii, xrefs: 6CB6D4AB

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Inflate$Palette$Fill$CreateEntriesH_prolog3IndexNearestRealizeSystem
String ID: iii
API String ID: 1028858568-940974255
Opcode ID: ee3a8e3c4cf3dde4346339093695e2a49986c953fe37c08aced57b48844265fd
Instruction ID: 3afce413f3671c923816024e736086557d55b839daeebb9874dca527b8dfe0b7
Opcode Fuzzy Hash: ee3a8e3c4cf3dde4346339093695e2a49986c953fe37c08aced57b48844265fd
Instruction Fuzzy Hash: 9D914F71E00209AFCF01DFA4D844ADEBBBAFF49324F204255E925B7690CB75AA15CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6CBC75BF Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 199windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CBC75C9
GetSystemMenu.USER32(?,00000000,00000214,6CB7B3A9,00000000,00000000,00000001,?), ref: 6CBC762B
IsMenu.USER32(?), ref: 6CBC7644
IsMenu.USER32(?), ref: 6CBC765E
SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 6CBC7693
GetClassLongW.USER32(?,000000DE), ref: 6CBC76A9
GetWindowLongW.USER32(?,000000F0), ref: 6CBC76F4

Strings

0, xrefs: 6CBC77D1

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Menu$Long$ClassH_prolog3_MessageSendSystemWindow
String ID: 0
API String ID: 859179710-4108050209
Opcode ID: a01d572d5d3640620d20ae7678f99df27a98fcd3668c17792db6e182f142f776
Instruction ID: 79c421b0d97399e85b6edb412a6881b2d0106b8b20c98d42ce69c9537260d258
Opcode Fuzzy Hash: a01d572d5d3640620d20ae7678f99df27a98fcd3668c17792db6e182f142f776
Instruction Fuzzy Hash: 08817130600695DFDB21CF65CC88FDDB7B8FF44705F2046AAD86AA6690DB709A41CF52

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5F18E Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 163windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CB5F1A3
SendMessageW.USER32(?,0000104B,00000000,?), ref: 6CB5F1C5
SHGetDesktopFolder.SHELL32(?), ref: 6CB5F204
CreatePopupMenu.USER32 ref: 6CB5F278
GetMenuDefaultItem.USER32(00000000,00000000,00000000), ref: 6CB5F2A7
GetParent.USER32(?), ref: 6CB5F2D4
GetParent.USER32(?), ref: 6CB5F319
GetParent.USER32(?), ref: 6CB5F328
SendMessageW.USER32(?,?,00000000,00000000), ref: 6CB5F33D

Strings

$, xrefs: 6CB5F2CA

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Parent$MenuMessageSend$CreateDefaultDesktopFolderItemPopup_memset
String ID: $
API String ID: 2190390364-3993045852
Opcode ID: 59b116bc9cf32fd7bfd0b17263940f021873b24fd54944339bd89a46aa6f36c6
Instruction ID: d55a24333d23168f678cc1ae9c6730e0be0c620a44192ab9d92c241ee58331f2
Opcode Fuzzy Hash: 59b116bc9cf32fd7bfd0b17263940f021873b24fd54944339bd89a46aa6f36c6
Instruction Fuzzy Hash: FB515AB0A01218AFDF109FA5C888E9EBFB9EF89704F604459F909EB250D731DA51CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6CB7818A Relevance: 16.8, APIs: 11, Instructions: 269COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 6CB78228
GetParent.USER32(?), ref: 6CB78235
IsZoomed.USER32(?), ref: 6CB78299
SetWindowRgn.USER32(?,00000000,00000001), ref: 6CB782F8
GetClientRect.USER32(?,?), ref: 6CB78320
GetClientRect.USER32(?,?), ref: 6CB78335

Part of subcall function 6CB5972B: ClientToScreen.USER32(?,?), ref: 6CB5973C
Part of subcall function 6CB5972B: ClientToScreen.USER32(?,?), ref: 6CB59749

GetWindowRect.USER32(?,?), ref: 6CB78355

Part of subcall function 6CB56953: SetWindowPos.USER32(?,00000000,?,00000015,000000FF,000000FF,?,?,6CB527EC,00000000,?,?,000000FF,000000FF,00000015), ref: 6CB5697B

SetWindowRgn.USER32(?,00000000,00000001), ref: 6CB784E0

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$ClientRect$Screen$ParentZoomed
String ID:
API String ID: 2314217310-0
Opcode ID: fd575514bfb23076b0aff39cb8ba2f2af445688ee4ade3eaca5e650d84c76d6f
Instruction ID: a962006b1fbe65187c7bb56a406b6cc464d45a66eb4719f7acf27a3610af5124
Opcode Fuzzy Hash: fd575514bfb23076b0aff39cb8ba2f2af445688ee4ade3eaca5e650d84c76d6f
Instruction Fuzzy Hash: 0DB1A071A002199FCF15CFA8C884AEEBBB9FF48308F14016AED15BB645DB719914CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB64F7D Relevance: 16.6, APIs: 11, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 6CB64FB9
ReleaseCapture.USER32 ref: 6CB64FC3
GetClientRect.USER32(?,?), ref: 6CB64FDC
GetSystemMetrics.USER32(00000015), ref: 6CB65003
GetSystemMetrics.USER32(00000015), ref: 6CB65027
SendMessageW.USER32(?,0000120C,00000000,00000001), ref: 6CB65060
SendMessageW.USER32(?,0000120C,00000001,00000001), ref: 6CB65082
GetCapture.USER32 ref: 6CB650A7
ReleaseCapture.USER32 ref: 6CB650B1
GetClientRect.USER32(?,?), ref: 6CB650CA
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 6CB65118

Part of subcall function 6CB642DD: __EH_prolog3_GS.LIBCMT ref: 6CB642E4
Part of subcall function 6CB642DD: IsRectEmpty.USER32(?), ref: 6CB642FF
Part of subcall function 6CB642DD: InvertRect.USER32(?,?), ref: 6CB64315
Part of subcall function 6CB642DD: SetRectEmpty.USER32(?), ref: 6CB64323

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Capture$ClientEmptyMessageMetricsReleaseSendSystem$H_prolog3_InvertRedrawWindow
String ID:
API String ID: 174338775-0
Opcode ID: 9875e0947120db0a57b1ce33d9e6c4a72df5340296e0be6c8a89bccfa2d10eb1
Instruction ID: 1b81005e77958d91e1a198a8b0aa5bfaab1de0264a4b097080a02df004cfcba8
Opcode Fuzzy Hash: 9875e0947120db0a57b1ce33d9e6c4a72df5340296e0be6c8a89bccfa2d10eb1
Instruction Fuzzy Hash: 29518A71A00609DFCB15CFB9C8889EEBBB5FF48304F20052DE09AA7640DB30AA15CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB9F704 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 240windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB9C758: GdipGetImagePixelFormat.GDIPLUS(?,6CCAC5B0,00000000,00000000,?,6CB9F72E,00000000,00000000,6CCAC5B0), ref: 6CB9C768

_free.LIBCMT ref: 6CB9F837
_free.LIBCMT ref: 6CB9F883
GdipBitmapLockBits.GDIPLUS(?,00000000,00000001,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,00000000,6CCAC5B0), ref: 6CB9F94C
_free.LIBCMT ref: 6CB9F97C

Part of subcall function 6CB9C77A: GdipGetImagePaletteSize.GDIPLUS(?,00000000,00000000,00000000,?,6CB9F7E8,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 6CB9C78E

GdipBitmapUnlockBits.GDIPLUS(00000005,?,?,00000000,00000001,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,00000000,6CCAC5B0), ref: 6CB9F9F8
_free.LIBCMT ref: 6CB9FA73

Strings

&, xrefs: 6CB9F784

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Gdip_free$BitmapBitsImage$FormatLockPalettePixelSizeUnlock
String ID: &
API String ID: 4092590016-3042966939
Opcode ID: 757b78a3e753769bb951730feb8fe533d82777c96cd23fdf8f8d9f20f6197cb8
Instruction ID: 42d302c5da217eec8789b84b8c5395024523b16782c8a8ad138396a5bda47bd9
Opcode Fuzzy Hash: 757b78a3e753769bb951730feb8fe533d82777c96cd23fdf8f8d9f20f6197cb8
Instruction Fuzzy Hash: 4CA15DB19002689BDB61CF14CC80BDDB7B5EB46328F1085E9EA08A7651DB349EC5CF59

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB965F Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 6CBB96C8
MonitorFromPoint.USER32(?,?,00000002), ref: 6CBB9701
GetMonitorInfoW.USER32(00000000), ref: 6CBB9708
CopyRect.USER32(?,?), ref: 6CBB9720
CopyRect.USER32(?,?), ref: 6CBB972A

Part of subcall function 6CB4BCE0: __CxxThrowException@8.LIBCMT ref: 6CB4BCF6
Part of subcall function 6CB4BCE0: __EH_prolog3.LIBCMT ref: 6CB4BD03

SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6CBB9761
GetSystemMetrics.USER32(00000022), ref: 6CBB97DF
GetSystemMetrics.USER32(00000023), ref: 6CBB97E6

Strings

(, xrefs: 6CBB96FA

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: RectSystem$CopyInfoMetricsMonitor$Exception@8FromH_prolog3ParametersPointThrowWindow
String ID: (
API String ID: 348238172-3887548279
Opcode ID: 0b0e1a89f544b367b562dd0bfcb8ab7f57460a1ddc400cf2842ef68340fde052
Instruction ID: 74fe5fc48cc6a55b8a23b987da2aee21ed7c4b0fbcf377b679b624ef0eec3411
Opcode Fuzzy Hash: 0b0e1a89f544b367b562dd0bfcb8ab7f57460a1ddc400cf2842ef68340fde052
Instruction Fuzzy Hash: E851E9B1E006099FCB04CFAAD985AEEBBF9FF98304F20416AD515F7654DB30AA05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6543B Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 137windowCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6CB65464
LoadCursorW.USER32(?,00007904), ref: 6CB6548B
LoadCursorW.USER32(?,00007905), ref: 6CB654AD
SendMessageW.USER32(?,0000120A,00000000,00000006), ref: 6CB654F4
SendMessageW.USER32(?,0000120A,00000001,00000006), ref: 6CB65518
SendMessageW.USER32(?,00000401,00000001,00000000), ref: 6CB65552
SendMessageW.USER32(?,00000418,00000000,FFFFFFFF), ref: 6CB6556C
GetParent.USER32(?), ref: 6CB65596

Strings

d, xrefs: 6CB65501

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSend$CursorLoad$EmptyParentRect
String ID: d
API String ID: 2284761715-2564639436
Opcode ID: cbce25d1aec841e1dd7cd64031c136caaa70370a105866d75962c71a86b0ee44
Instruction ID: e804f75a07db0d9a94fd13353b3bf16f173f687cbfeda218be0902b7415e49c0
Opcode Fuzzy Hash: cbce25d1aec841e1dd7cd64031c136caaa70370a105866d75962c71a86b0ee44
Instruction Fuzzy Hash: 28519E70A00208AFDB01DFA5CD88EAEB7F9EF88704F100569E256E7AA0DB719D04CF54

Uniqueness

Uniqueness Score: -1.00%

Function 6CB74F7D Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB74F84

Part of subcall function 6CB5676A: GetWindowLongW.USER32(?,000000F0), ref: 6CB56775

swprintf.LIBCMT ref: 6CB74FCE
_wcslen.LIBCMT ref: 6CB74FD7

Part of subcall function 6CB46A50: _memcpy_s.LIBCMT ref: 6CB46AE9

_wcslen.LIBCMT ref: 6CB74FF2
_wcslen.LIBCMT ref: 6CB75029
swprintf.LIBCMT ref: 6CB75055
_wcslen.LIBCMT ref: 6CB7505E

Strings

:%d, xrefs: 6CB74FC3, 6CB7504A
- , xrefs: 6CB74FEC, 6CB74FF1, 6CB74FF9, 6CB75023, 6CB75028, 6CB75030

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: _wcslen$swprintf$H_prolog3_LongWindow_memcpy_s
String ID: - $:%d
API String ID: 3834591121-2359489159
Opcode ID: 3a1ed89411cfd30abd7aa5c787aa71dcdd4880ff0ce88a07a2bb3548a30179d1
Instruction ID: 4edabac22bed264e7066d95ec296e5dfda16d7cc08ae3cc9a15b5e461d6ffd39
Opcode Fuzzy Hash: 3a1ed89411cfd30abd7aa5c787aa71dcdd4880ff0ce88a07a2bb3548a30179d1
Instruction Fuzzy Hash: 75319F72900564ABDB05DBE0DD85EEFB36CAF14308F008415A917EBA54EF34EE1D8BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB6215 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 6CBB623D
GetStockObject.GDI32(0000000D), ref: 6CBB6245
GetObjectW.GDI32(00000000,0000005C,?), ref: 6CBB6252
GetDC.USER32(00000000), ref: 6CBB6261
GetDeviceCaps.GDI32(00000000,0000005A), ref: 6CBB6275
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 6CBB6281
ReleaseDC.USER32(00000000,00000000), ref: 6CBB628D

Strings

Pl)u, xrefs: 6CBB6252
System, xrefs: 6CBB6238, 6CBB62A2

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: Pl)u$System
API String ID: 46613423-1456573355
Opcode ID: 6840f622d423f9e000f52af031a69f3f7925b3c24519ff208fa4fb4d878d481f
Instruction ID: 2fae3da87d33e5dc480965ccde69296465ad34067e11e918e821dcde78f87de4
Opcode Fuzzy Hash: 6840f622d423f9e000f52af031a69f3f7925b3c24519ff208fa4fb4d878d481f
Instruction Fuzzy Hash: 8D115871B01758ABEB089BA1DC49FAE7BB8EB85745F400125FA05EB5C0DE709D008B60

Uniqueness

Uniqueness Score: -1.00%

Function 6CB69999 Relevance: 15.4, APIs: 10, Instructions: 368windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB699A0

Part of subcall function 6CB5676A: GetWindowLongW.USER32(?,000000F0), ref: 6CB56775

SendMessageW.USER32(?,000000B0,?,?), ref: 6CB699EB
MessageBeep.USER32(000000FF), ref: 6CB69A62

Part of subcall function 6CC3E119: __towupper_l.LIBCMT ref: 6CC3E123

SendMessageW.USER32(?,000000C2,00000001,00000000), ref: 6CB69ADA
SendMessageW.USER32(?,000000B0,?,?), ref: 6CB69B10
SendMessageW.USER32(?,000000B0,?,?), ref: 6CB69B7B
MessageBeep.USER32(000000FF), ref: 6CB69C26
SendMessageW.USER32(?,000000C2,00000001,?), ref: 6CB69D1F

Part of subcall function 6CB47C60: _wmemcpy_s.LIBCMT ref: 6CB47D3E

Part of subcall function 6CB46A50: _memcpy_s.LIBCMT ref: 6CB46AE9

SendMessageW.USER32(?,000000B0,?,?), ref: 6CB69D88
MessageBeep.USER32(000000FF), ref: 6CB69D9E

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Message$Send$Beep$H_prolog3LongWindow__towupper_l_memcpy_s_wmemcpy_s
String ID:
API String ID: 197502079-0
Opcode ID: 0124128448fb5d396d05e25708bc91d440a05116108a415f3ebf277f274d28bf
Instruction ID: 77d8ed7285041f61ef746298bda6ee87d0c5bc3d005c04750dcb76466bcf596d
Opcode Fuzzy Hash: 0124128448fb5d396d05e25708bc91d440a05116108a415f3ebf277f274d28bf
Instruction Fuzzy Hash: E1D17A71A00599AFDF05DFA5C880EFEB7B9FF48708F104219E916A7A90DB30A945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CBC0480 Relevance: 15.3, APIs: 10, Instructions: 269COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6CBC04B8
GetWindowRect.USER32(?,00000000), ref: 6CBC050E
CopyRect.USER32(00000000,?), ref: 6CBC0526
PtInRect.USER32(?,?,?), ref: 6CBC05FD
PtInRect.USER32(?,?,?), ref: 6CBC0629
PtInRect.USER32(?,?,?), ref: 6CBC065E
PtInRect.USER32(?,?,?), ref: 6CBC0686
PtInRect.USER32(?,?,?), ref: 6CBC06F2
PtInRect.USER32(?,?,?), ref: 6CBC0720
PtInRect.USER32(?,?,?), ref: 6CBC0760

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$CopyParentWindow
String ID:
API String ID: 642869531-0
Opcode ID: d2b3627dbd866e903493c69fb53ee47b6d9f5fc91948c3228e5c9e3af8cd316b
Instruction ID: 3316a282ca68542b0eecae7aa406d09b69b02c7ac2148eef00e1f9734627c7cd
Opcode Fuzzy Hash: d2b3627dbd866e903493c69fb53ee47b6d9f5fc91948c3228e5c9e3af8cd316b
Instruction Fuzzy Hash: AFB1C4B1A012999FCF01CFA9D984AEEBBF4EF48344F10426AE814E7654E7359A50CF52

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB97FC Relevance: 15.1, APIs: 10, Instructions: 112windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(00000000), ref: 6CBB982F
IsWindowVisible.USER32(00000000), ref: 6CBB983E
GetSystemMetrics.USER32(00000021), ref: 6CBB9870
GetSystemMetrics.USER32(00000021), ref: 6CBB9877
GetSystemMetrics.USER32(00000020), ref: 6CBB987D

Part of subcall function 6CB4BCE0: __CxxThrowException@8.LIBCMT ref: 6CB4BCF6
Part of subcall function 6CB4BCE0: __EH_prolog3.LIBCMT ref: 6CB4BD03

IsWindowVisible.USER32(00000000), ref: 6CBB98A5
IsWindowVisible.USER32(00000000), ref: 6CBB98B4
IsZoomed.USER32(00000000), ref: 6CBB98DA
GetSystemMetrics.USER32 ref: 6CBB98F6
GetSystemMetrics.USER32(00000004), ref: 6CBB9939

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MetricsSystem$VisibleWindow$Exception@8H_prolog3ThrowZoomed
String ID:
API String ID: 1383962431-0
Opcode ID: 1da67f0fc2b505f1d8e173b94067bb32176d31e4eee1e13e0032127047d6501c
Instruction ID: bfff4e592e45c117cbafd1b24f9d6fa99b4a8d90749c5cdcdfee9d47e070f640
Opcode Fuzzy Hash: 1da67f0fc2b505f1d8e173b94067bb32176d31e4eee1e13e0032127047d6501c
Instruction Fuzzy Hash: 1041A030A007819FE7118B76C884BAA77F5FF14359F058168D9A9DBAA1DF70E840CF62

Uniqueness

Uniqueness Score: -1.00%

Function 6CB7580F Relevance: 15.1, APIs: 10, Instructions: 109COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,00000000,?), ref: 6CB75835
GetWindowRect.USER32(?,?), ref: 6CB75858
SetRect.USER32(?,?,00000000,?,?), ref: 6CB75898
InvalidateRect.USER32(?,?,00000001), ref: 6CB758A7
SetRect.USER32(?,?,00000000,?,?), ref: 6CB758BE
InvalidateRect.USER32(?,?,00000001), ref: 6CB758CD
SetRect.USER32(?,00000000,?,?,?), ref: 6CB758FE
InvalidateRect.USER32(?,?,00000001), ref: 6CB75909
SetRect.USER32(?,00000000,?,00000001,?), ref: 6CB75920
InvalidateRect.USER32(?,?,00000001), ref: 6CB7592B

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Invalidate$Window$Proc
String ID:
API String ID: 570070710-0
Opcode ID: 781bb98603f2466afe304b2fa83cdeef4abaa5a1c90a6d4a5b5a680204779486
Instruction ID: 21d13b2000df5b18b68771fcc4ed7e7cc94335ea347539f9a43d6e09a455f393
Opcode Fuzzy Hash: 781bb98603f2466afe304b2fa83cdeef4abaa5a1c90a6d4a5b5a680204779486
Instruction Fuzzy Hash: F941E8B2A0021AAFDF04CFE4C989EAFBB78FB49314F50011AEA15B3550D770A914CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6CB642DD Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB642E4

Part of subcall function 6CB5994F: __EH_prolog3.LIBCMT ref: 6CB59956
Part of subcall function 6CB5994F: GetDC.USER32(00000000), ref: 6CB59982

IsRectEmpty.USER32(?), ref: 6CB642FF
InvertRect.USER32(?,?), ref: 6CB64315
SetRectEmpty.USER32(?), ref: 6CB64323
GetClientRect.USER32(?,?), ref: 6CB6436A
GetSystemMetrics.USER32(00000015), ref: 6CB64391
GetSystemMetrics.USER32(00000015), ref: 6CB643B5
SendMessageW.USER32(?,0000120C,00000000,00000001), ref: 6CB643EE
SendMessageW.USER32(?,0000120C,00000001,00000001), ref: 6CB64410
InvertRect.USER32(?,?), ref: 6CB64418

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$EmptyInvertMessageMetricsSendSystem$ClientH_prolog3H_prolog3_
String ID:
API String ID: 3401445556-0
Opcode ID: 305716e1f3569d8bb262d16d421acd7b97ed8cc36587c21b09512ed5935021b2
Instruction ID: 5d902658fe135141fd644ae532a12f70bc94cec8f1042b804814d34c6df077f5
Opcode Fuzzy Hash: 305716e1f3569d8bb262d16d421acd7b97ed8cc36587c21b09512ed5935021b2
Instruction Fuzzy Hash: 9F4136729006189FCF09CFA4C999AEE7BB5FF49304F450178E809BBA55DB306A45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 6CBC2BDF Relevance: 15.1, APIs: 10, Instructions: 98threadCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 6CBC2BFD
WindowFromPoint.USER32(?,?,?,00000001,?,00000000), ref: 6CBC2C0C
GetActiveWindow.USER32 ref: 6CBC2C2E
GetCurrentThreadId.KERNEL32 ref: 6CBC2C46
GetWindowThreadProcessId.USER32(?,00000000), ref: 6CBC2C55
GetDesktopWindow.USER32 ref: 6CBC2C61

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$Thread$ActiveCaptureCurrentDesktopFromPointProcess
String ID:
API String ID: 1298419125-0
Opcode ID: d5c18219ed0623698116584081444443cc82165e03c73a7083ea0883d5fab10d
Instruction ID: ee600da6fefad32a9ec5923b7944b58863fcfbac16f7218f6fb6e36bc3051425
Opcode Fuzzy Hash: d5c18219ed0623698116584081444443cc82165e03c73a7083ea0883d5fab10d
Instruction Fuzzy Hash: 00315771B01295EFCF05EFA9C84C89FBBB5FB49345B601565E812E7A00DB308950CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5491F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 6CB5496D
SetActiveWindow.USER32(?), ref: 6CB5497F
SendMessageW.USER32(?,00000112,?,?), ref: 6CB54995
IsWindow.USER32(?), ref: 6CB549A2
SetActiveWindow.USER32(?), ref: 6CB549A9
IsWindow.USER32(?), ref: 6CB549AE
SetFocus.USER32(?), ref: 6CB549B8

Strings

u, xrefs: 6CB549C0

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$ActiveFocus$MessageSend
String ID: u
API String ID: 1556911595-4067256894
Opcode ID: b8e0c1aacbd1db7fbbc50741cf25eeda887ff3838ef99b0906ff5941dc3b397d
Instruction ID: 04d45ee02d8c4559956c8598d79a1d8af012f3594966b043e888453cc0523d6b
Opcode Fuzzy Hash: b8e0c1aacbd1db7fbbc50741cf25eeda887ff3838ef99b0906ff5941dc3b397d
Instruction Fuzzy Hash: 0011D0B2602285AFEF159E75CC0AA9E7B78EF45318BD04125EA11E2990DB34C930DF99

Uniqueness

Uniqueness Score: -1.00%

Function 6CC29778 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 40COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CC2977F

Part of subcall function 6CB4C312: EnterCriticalSection.KERNEL32(6CCA8EF8,?,?,?,?,6CB4BE77,00000010,00000008,6CB4CB84,6CB4CB1B,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4C34C
Part of subcall function 6CB4C312: InitializeCriticalSection.KERNEL32(?,?,?,?,6CB4BE77,00000010,00000008,6CB4CB84,6CB4CB1B,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4C35E
Part of subcall function 6CB4C312: LeaveCriticalSection.KERNEL32(6CCA8EF8,?,?,?,6CB4BE77,00000010,00000008,6CB4CB84,6CB4CB1B,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4C36B
Part of subcall function 6CB4C312: EnterCriticalSection.KERNEL32(?,?,?,?,?,6CB4BE77,00000010,00000008,6CB4CB84,6CB4CB1B,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4C37B

GetProfileIntW.KERNEL32(windows,DragScrollInset,0000000B), ref: 6CC297CF
GetProfileIntW.KERNEL32(windows,DragScrollDelay,00000032), ref: 6CC297DE
GetProfileIntW.KERNEL32(windows,DragScrollInterval,00000032), ref: 6CC297ED

Strings

DragScrollInset, xrefs: 6CC297C4
windows, xrefs: 6CC297C9, 6CC297CE, 6CC297D8, 6CC297E7
DragScrollInterval, xrefs: 6CC297E2
DragScrollDelay, xrefs: 6CC297D3

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CriticalSection$Profile$Enter$H_prolog3InitializeLeave
String ID: DragScrollDelay$DragScrollInset$DragScrollInterval$windows
API String ID: 4229786687-1024936294
Opcode ID: f6c9d2d78c49815ff9edd0ee927898a7ce159f59b875e9b5ee942f9a2abb0a45
Instruction ID: 601f7e4ba540008c917d613c0afcb7f7200b7597bd809e776e730c68428ea80c
Opcode Fuzzy Hash: f6c9d2d78c49815ff9edd0ee927898a7ce159f59b875e9b5ee942f9a2abb0a45
Instruction Fuzzy Hash: DB01A2B0644340AEDF30DFA69C85B5FB6F4FF99744F40451AE245ABE90E7B48005CB69

Uniqueness

Uniqueness Score: -1.00%

Function 6CB69DBB Relevance: 13.9, APIs: 9, Instructions: 366windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB69DC2
SendMessageW.USER32(?,000000B0,?,?), ref: 6CB69DE0
MessageBeep.USER32(000000FF), ref: 6CB69E7F
MessageBeep.USER32(000000FF), ref: 6CB6A1D0

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Message$Beep$H_prolog3Send
String ID:
API String ID: 491126482-0
Opcode ID: 927f2e3adad2b52f4c30f6df486cda48ff96156828db83e9d8dae7097518dbb8
Instruction ID: 8673bc3ebc398c6a0fd50a18267626c9e7d8c7b1ea99055f2a7696fa2dc35c53
Opcode Fuzzy Hash: 927f2e3adad2b52f4c30f6df486cda48ff96156828db83e9d8dae7097518dbb8
Instruction Fuzzy Hash: 83D17D31E01699DFDF15CF96C880AEEB7B9FF49704F10421AE112A7E90DB30A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6A1ED Relevance: 13.9, APIs: 9, Instructions: 354windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB6A1F4
SendMessageW.USER32(?,000000B0,?,?), ref: 6CB6A212
SendMessageW.USER32(?,000000B0,?,?), ref: 6CB6A220
MessageBeep.USER32(000000FF), ref: 6CB6A28C
SendMessageW.USER32(?,000000B0,?,?), ref: 6CB6A422
MessageBeep.USER32(000000FF), ref: 6CB6A4BF
SendMessageW.USER32(?,000000C2,00000001,?), ref: 6CB6A574
SendMessageW.USER32(?,000000B0,?,?), ref: 6CB6A5D0
MessageBeep.USER32(000000FF), ref: 6CB6A5E6

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Message$Send$Beep$H_prolog3
String ID:
API String ID: 204075910-0
Opcode ID: 7f7a235ae650365045ae9302926e18854c55d2c56470fc7f6f2ade19e4d76033
Instruction ID: 90636a348f489da389f1a761bc38583ee2e742ee7b77e3c508477650307c7edb
Opcode Fuzzy Hash: 7f7a235ae650365045ae9302926e18854c55d2c56470fc7f6f2ade19e4d76033
Instruction Fuzzy Hash: 84D19E71E405A9EBCF11CF95C880AEEF7BAFF48708F104219E512A7A90DB31A945CF61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB485D0 Relevance: 13.8, APIs: 9, Instructions: 252memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB4B270: CoCreateInstance.OLE32(?,00000000,00000017,6CC8885C,?,?,?,6CB4836D,6CC88644,D7F0CEE4), ref: 6CB4B293
Part of subcall function 6CB4B270: OleRun.OLE32(?), ref: 6CB4B2A3

__CxxThrowException@8.LIBCMT ref: 6CB4866A

Part of subcall function 6CC3A59F: RaiseException.KERNEL32(6CB42DF8,00000000,D7F0CEE4,6CC88058,6CB42DF8,00000000,6CC9DBD8,?,D7F0CEE4), ref: 6CC3A5E1

std::exception::exception.LIBCMT ref: 6CB4864D

Part of subcall function 6CC3963D: std::exception::operator=.LIBCMT ref: 6CC39656

SysAllocString.OLEAUT32(?), ref: 6CB4873D
SysAllocString.OLEAUT32(00000000), ref: 6CB48783

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AllocString$CreateExceptionException@8InstanceRaiseThrowstd::exception::exceptionstd::exception::operator=
String ID:
API String ID: 816851581-0
Opcode ID: 05014e7177fe4589be67727f556eadc8119d6654e4b6c5ac4eed88d95389e211
Instruction ID: dae6cc8baa3f2d4cbb3a639502595ac1375531e85eb3ae2356152cde8627de54
Opcode Fuzzy Hash: 05014e7177fe4589be67727f556eadc8119d6654e4b6c5ac4eed88d95389e211
Instruction Fuzzy Hash: D0A1AC71D05658EFDB10DBA5C880BCEBBB5EF48308F14811AE909EB744EB31A905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB7900D Relevance: 13.7, APIs: 9, Instructions: 242COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB79017
GetWindowRect.USER32(?,?), ref: 6CB79066
OffsetRect.USER32(?,?,?), ref: 6CB7907C

Part of subcall function 6CB5994F: __EH_prolog3.LIBCMT ref: 6CB59956
Part of subcall function 6CB5994F: GetDC.USER32(00000000), ref: 6CB59982

CreateCompatibleDC.GDI32(?), ref: 6CB790ED
SelectObject.GDI32(?,?), ref: 6CB7910D
SelectObject.GDI32(?,?), ref: 6CB7914F
CreateCompatibleDC.GDI32(?), ref: 6CB79268
SelectObject.GDI32(?,?), ref: 6CB79288
SelectObject.GDI32(?,00000000), ref: 6CB792B8

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ObjectSelect$CompatibleCreateRect$H_prolog3H_prolog3_OffsetWindow
String ID:
API String ID: 2818906880-0
Opcode ID: 90f4f6cad67b39b86a587de458c9ab95dedd88bf9db07e91cad98942f130ad5c
Instruction ID: f364bbb4c4b06699be0e615de80f8960dd33962ef0c38f47235a994bc8c4815c
Opcode Fuzzy Hash: 90f4f6cad67b39b86a587de458c9ab95dedd88bf9db07e91cad98942f130ad5c
Instruction Fuzzy Hash: 9FA122B1D0025AEFCF24DFA4C988AEDBBB5BF08304F144199E929B7650DB305A59CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4D735 Relevance: 13.7, APIs: 9, Instructions: 233filecomstringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB4D73C
OleDuplicateData.OLE32(?,?,00000000), ref: 6CB4D7BD
GlobalLock.KERNEL32(00000000,0000005C,6CC259D2,?,?,?), ref: 6CB4D7EC
CopyMetaFileW.GDI32(?,00000000), ref: 6CB4D7F8
GlobalUnlock.KERNEL32(?), ref: 6CB4D808
GlobalFree.KERNEL32(?), ref: 6CB4D811
GlobalUnlock.KERNEL32(?), ref: 6CB4D81D
lstrlenW.KERNEL32(?,0000005C,6CC259D2,?,?,?), ref: 6CB4D87D
CopyFileW.KERNEL32(?,?,00000000,0000005C,6CC259D2,?,?,?), ref: 6CB4D975

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Global$CopyFileUnlock$DataDuplicateFreeH_prolog3_LockMetalstrlen
String ID:
API String ID: 3489744035-0
Opcode ID: acf4715538eba0f909371d4fb3f41f423bd58b6f9d76bc3e32f0967e9cf983f5
Instruction ID: f4211c22afd6c6fa7fdb06c6efcd9c72b09cc3b444ef41dd70c1631f940df159
Opcode Fuzzy Hash: acf4715538eba0f909371d4fb3f41f423bd58b6f9d76bc3e32f0967e9cf983f5
Instruction Fuzzy Hash: 5881BDB1608286EFEB049FB4D98892EBBB9FF45348710C61DE466D7A48D730EC11DB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB645D5 Relevance: 13.7, APIs: 9, Instructions: 189COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6CB64648
InvalidateRect.USER32(?,?,00000001), ref: 6CB646AB
InvalidateRect.USER32(?,?,00000001), ref: 6CB646B6

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Invalidate$Empty
String ID:
API String ID: 1126320529-0
Opcode ID: bf6d6e2b7fc88293808ea45b0af8d3550a0ba1955f924197966882a44b58b3b3
Instruction ID: 799ec76f8bac8c92d3550c78d74e501658094f11c2df49c21c2d47691961cf71
Opcode Fuzzy Hash: bf6d6e2b7fc88293808ea45b0af8d3550a0ba1955f924197966882a44b58b3b3
Instruction Fuzzy Hash: D9615A71A006099FDF01CF65C894AEEB7F5FF49304F2540A9E815EBA51D7B1A940CF61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB77575 Relevance: 13.7, APIs: 9, Instructions: 168windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CBB7659: GetParent.USER32(?), ref: 6CBB7665
Part of subcall function 6CBB7659: GetParent.USER32(00000000), ref: 6CBB7668

Part of subcall function 6CB5676A: GetWindowLongW.USER32(?,000000F0), ref: 6CB56775

GetParent.USER32(?), ref: 6CB775D6
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 6CB775EB
GetClientRect.USER32(?,?), ref: 6CB77652
GetClientRect.USER32(?,?), ref: 6CB77667

Part of subcall function 6CB5972B: ClientToScreen.USER32(?,?), ref: 6CB5973C
Part of subcall function 6CB5972B: ClientToScreen.USER32(?,?), ref: 6CB59749

GetWindowRect.USER32(?,?), ref: 6CB77687

Part of subcall function 6CB56953: SetWindowPos.USER32(?,00000000,?,00000015,000000FF,000000FF,?,?,6CB527EC,00000000,?,?,000000FF,000000FF,00000015), ref: 6CB5697B

GetParent.USER32(?), ref: 6CB776D6
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6CB776EA
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6CB7773F
PostMessageW.USER32(?,00000000,00000000), ref: 6CB77761

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ClientMessageParent$RectSendWindow$Screen$LongPost
String ID:
API String ID: 3884207962-0
Opcode ID: 15e78871f9ef4b79e15141a61d749ba245577dae37f8f98aadc130c9201445b5
Instruction ID: 653739ee52eb515ed092ddbe429c877c698b6aba596fb0907cd4a1c97dfa4328
Opcode Fuzzy Hash: 15e78871f9ef4b79e15141a61d749ba245577dae37f8f98aadc130c9201445b5
Instruction Fuzzy Hash: 5A6118B1A00209AFCF15DFA9C884EEEBBB5FF89304F50416AE905B7265DB719914CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6CB730EF Relevance: 13.6, APIs: 9, Instructions: 150windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB56E15: GetFocus.USER32 ref: 6CB56E1B
Part of subcall function 6CB56E15: GetParent.USER32(00000000), ref: 6CB56E43
Part of subcall function 6CB56E15: GetWindowLongW.USER32(?,000000F0), ref: 6CB56E5E
Part of subcall function 6CB56E15: GetParent.USER32(?), ref: 6CB56E6C
Part of subcall function 6CB56E15: GetDesktopWindow.USER32 ref: 6CB56E70
Part of subcall function 6CB56E15: SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 6CB56E84

GetMenu.USER32(?), ref: 6CB73169
GetMenuItemCount.USER32(?), ref: 6CB73199
GetSubMenu.USER32(?,00000000), ref: 6CB731AA
GetMenuItemCount.USER32(?), ref: 6CB731CC
GetMenuItemID.USER32(?,00000000), ref: 6CB731ED
GetSubMenu.USER32(?,00000000), ref: 6CB73205
GetMenuItemID.USER32(?,00000000), ref: 6CB7321D
GetMenuItemCount.USER32(?), ref: 6CB73254
GetMenuItemID.USER32(?,00000000), ref: 6CB7326F

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Menu$Item$Count$ParentWindow$DesktopFocusLongMessageSend
String ID:
API String ID: 4186786570-0
Opcode ID: e66ab70be12e31ad2cf6ecf36974ca8c055210a0f411d6ecb2eda01b6bbab285
Instruction ID: 089dbc30e28b08fb5a9d32a4e6a9a454ba45acfbb68737b94551b61f496322b3
Opcode Fuzzy Hash: e66ab70be12e31ad2cf6ecf36974ca8c055210a0f411d6ecb2eda01b6bbab285
Instruction Fuzzy Hash: 7E518970A40689EFCF219FA5C884A9EBBB5FF49708F244569E831A7950DB31D950CF31

Uniqueness

Uniqueness Score: -1.00%

Function 6CB75652 Relevance: 13.6, APIs: 9, Instructions: 134timekeyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000001), ref: 6CB7565F
GetCursorPos.USER32(?), ref: 6CB75686
ScreenToClient.USER32(?,?), ref: 6CB75693
GetCapture.USER32 ref: 6CB756E8

Part of subcall function 6CB4BCE0: __CxxThrowException@8.LIBCMT ref: 6CB4BCF6
Part of subcall function 6CB4BCE0: __EH_prolog3.LIBCMT ref: 6CB4BD03

ClientToScreen.USER32(?,?), ref: 6CB7572F
WindowFromPoint.USER32(?,?), ref: 6CB7573B
IsChild.USER32(?,00000000), ref: 6CB75750
KillTimer.USER32(?,0000E001), ref: 6CB7578D
KillTimer.USER32(?,0000E000), ref: 6CB757A9

Part of subcall function 6CB55A23: GetForegroundWindow.USER32 ref: 6CB55A37
Part of subcall function 6CB55A23: GetLastActivePopup.USER32(?), ref: 6CB55A48

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ClientKillScreenTimerWindow$ActiveCaptureChildCursorException@8ForegroundFromH_prolog3LastPointPopupStateThrow
String ID:
API String ID: 1544770960-0
Opcode ID: 81097fb553f04f90df60fb6eb4dacce4a415dbd40a962d8038d14749daae09d8
Instruction ID: 0515aae57a5c102cc7a9d9c446d6ab014bd5703ded530d87a19ce1be28114b71
Opcode Fuzzy Hash: 81097fb553f04f90df60fb6eb4dacce4a415dbd40a962d8038d14749daae09d8
Instruction Fuzzy Hash: 4341C230600685EFDB20DF75C888A9E7BB9FF44328F604669E871D36A0DB34D918CB65

Uniqueness

Uniqueness Score: -1.00%

Function 6CB81C38 Relevance: 13.6, APIs: 9, Instructions: 129windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,0000420F,00000001), ref: 6CB81C8C
EnableMenuItem.USER32(?,0000420E,00000001), ref: 6CB81CA8
CheckMenuItem.USER32(?,00004213,00000008), ref: 6CB81CDD
EnableMenuItem.USER32(?,00004212,00000001), ref: 6CB81CFD
EnableMenuItem.USER32(?,00004212,00000001), ref: 6CB81D21
EnableMenuItem.USER32(?,00004213,00000001), ref: 6CB81D2D
EnableMenuItem.USER32(?,00004214,00000001), ref: 6CB81D39
EnableMenuItem.USER32(?,00004215,00000001), ref: 6CB81D81
CheckMenuItem.USER32(?,00004215,00000008), ref: 6CB81D95

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ItemMenu$Enable$Check
String ID:
API String ID: 1852492618-0
Opcode ID: eb2e39f68d89206f67071f937fd2748f89c9253d5ba8c169658199a196b5322a
Instruction ID: 07246aef52be8996e77ad69fad900503a9a39bacef7cd870f0a128067cd3609b
Opcode Fuzzy Hash: eb2e39f68d89206f67071f937fd2748f89c9253d5ba8c169658199a196b5322a
Instruction Fuzzy Hash: 1A41BC70783251EBEF108E25CD81F0577B5EB01718F688165FA25BE9E5DBA0D890CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB62D98 Relevance: 13.6, APIs: 9, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB62D9F
_memset.LIBCMT ref: 6CB62DBF
SendMessageW.USER32 ref: 6CB62DE7
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 6CB62E07
SHGetDesktopFolder.SHELL32(?), ref: 6CB62E2F
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6CB62E58
SendMessageW.USER32(?,00001115,00000000,?), ref: 6CB62E8F
SendMessageW.USER32(6CB62349,0000000B,00000001,00000000), ref: 6CB62E99
RedrawWindow.USER32(6CB62349,00000000,00000000,00000105), ref: 6CB62EA5

Part of subcall function 6CB55C2B: __EH_prolog3_catch_GS.LIBCMT ref: 6CB55C35

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSend$DesktopFolderH_prolog3H_prolog3_catch_RedrawWindow_memset
String ID:
API String ID: 3540180273-0
Opcode ID: 768297948b4b6525ca6d07daab51b5c886408d86395b6d2a524b5391c123f9b9
Instruction ID: 41be22342bfa0cd1581a4b2f397e53cce045a71a327cab0c64802d30c47d85d1
Opcode Fuzzy Hash: 768297948b4b6525ca6d07daab51b5c886408d86395b6d2a524b5391c123f9b9
Instruction Fuzzy Hash: B9416E70A00209AFDF14DFA0CC89DEEBB79FF44348F104528E655ABAA0E7319D15CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4C10F Relevance: 13.6, APIs: 9, Instructions: 96memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6CB4C116
EnterCriticalSection.KERNEL32(?,00000010,6CB4C2C4,?,00000000,?,00000004,6CB4CB65,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4C127
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,6CB4CB65,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4C145
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,6CB4CB65,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4C179
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,6CB4CB65,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4C1E5
_memset.LIBCMT ref: 6CB4C204
TlsSetValue.KERNEL32(?,00000000), ref: 6CB4C215
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,6CB4CB65,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4C236

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: d972d52e733c705d0001f814aef6a5cd070bf524d9529e42c5a46e7476aaa95b
Instruction ID: 774c911a2f1c56c55915ad9d21059aa7ee92f1ed065b607685ff76f2e37f7578
Opcode Fuzzy Hash: d972d52e733c705d0001f814aef6a5cd070bf524d9529e42c5a46e7476aaa95b
Instruction Fuzzy Hash: 11310471548642EFDB14EFA4C884D9EB7B4FF01714B20C629E615A7E54CB30AD68DF90

Uniqueness

Uniqueness Score: -1.00%

Function 6CB9F0ED Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 469COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB9F0F7
GetObjectW.GDI32(?,00000018,?), ref: 6CB9F1AA
DeleteObject.GDI32(?), ref: 6CB9F276
_memset.LIBCMT ref: 6CB9F465
_memset.LIBCMT ref: 6CB9F4A9
DeleteObject.GDI32(?), ref: 6CB9F65F

Strings

Pl)u, xrefs: 6CB9F1AA

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Object$Delete_memset$H_prolog3
String ID: Pl)u
API String ID: 1235337548-3484285090
Opcode ID: bae77e7d22790413c7df0466134b1efb23025b00f9ef0fd962a55cec6b0c5b41
Instruction ID: d55d3b9b9e7186d3fc5b6becf0e23ee2e0ade5f001b51fce85f41a3481bee2d0
Opcode Fuzzy Hash: bae77e7d22790413c7df0466134b1efb23025b00f9ef0fd962a55cec6b0c5b41
Instruction Fuzzy Hash: C5124870E00269DFCF14CFA4C980ADDBBB4FF0A714F1081AAE459A7651DB309A95CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6EFD6 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB6EFDD

Part of subcall function 6CB54635: GetWindowTextLengthW.USER32(?), ref: 6CB54646
Part of subcall function 6CB54635: GetWindowTextW.USER32(?,00000000,00000001), ref: 6CB5465D

InflateRect.USER32(?,?,?), ref: 6CB6F0FA
SetRectEmpty.USER32(?), ref: 6CB6F106
InflateRect.USER32(?,00000000,00000000), ref: 6CB6F197
OffsetRect.USER32(?,00000001,00000001), ref: 6CB6F224
IsRectEmpty.USER32(?), ref: 6CB6F2B1

Strings

mmm, xrefs: 6CB6F245

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$EmptyInflateTextWindow$H_prolog3_LengthOffset
String ID: mmm
API String ID: 2648887860-1545505134
Opcode ID: 00acaa70307f1a0e2d6839aa44e955249dc8c9476b671592285bc95bbd2ad05d
Instruction ID: 1d6e140a1b86a8eca80bad9a4f30971d64361f35c8c9df9800e84eb3c0055852
Opcode Fuzzy Hash: 00acaa70307f1a0e2d6839aa44e955249dc8c9476b671592285bc95bbd2ad05d
Instruction Fuzzy Hash: 8AE15B31A00589DFCF05CFA9C884AEE7BB5FF89304F184279E815ABA55DB31A905CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4CD74 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB4CCC2: GetParent.USER32(?), ref: 6CB4CD16
Part of subcall function 6CB4CCC2: GetLastActivePopup.USER32(?), ref: 6CB4CD27
Part of subcall function 6CB4CCC2: IsWindowEnabled.USER32(?), ref: 6CB4CD3B
Part of subcall function 6CB4CCC2: EnableWindow.USER32(?,00000000), ref: 6CB4CD4E

EnableWindow.USER32(?,00000001), ref: 6CB4CDC1
GetWindowThreadProcessId.USER32(?,?), ref: 6CB4CDD5
GetCurrentProcessId.KERNEL32(?,?), ref: 6CB4CDDF
SendMessageW.USER32(?,00000376,00000000,00000000), ref: 6CB4CDF7
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?), ref: 6CB4CE73
EnableWindow.USER32(00000000,00000001), ref: 6CB4CEBA

Strings

0, xrefs: 6CB4CE4C

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID: 0
API String ID: 1877664794-4108050209
Opcode ID: bd0863d62ba110f8bb10458a2714ff70ea1899b87c0cb6ab76b442d49aa7f474
Instruction ID: cc4679d33f123049426ec46299b2382c8e9711e3812cf82de68cf0733b01a62f
Opcode Fuzzy Hash: bd0863d62ba110f8bb10458a2714ff70ea1899b87c0cb6ab76b442d49aa7f474
Instruction Fuzzy Hash: A841F571A85258AFDB10AF65CC88BDA77B4FF04B04F204594F528E7284D770EE489BD1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6293D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 100windowmemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB62944
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?,00000078,6CB62C2A,?,6CB62CA8), ref: 6CB62967

Part of subcall function 6CB4BCE0: __CxxThrowException@8.LIBCMT ref: 6CB4BCF6
Part of subcall function 6CB4BCE0: __EH_prolog3.LIBCMT ref: 6CB4BD03

SHGetDesktopFolder.SHELL32(?,?,6CB62CA8), ref: 6CB6297C
GlobalAlloc.KERNEL32(?,0000000C,?,6CB62CA8), ref: 6CB62991
SendMessageW.USER32(?,00001132,00000000,?), ref: 6CB62A3A
SendMessageW.USER32(?,00001102,00000002,00000000), ref: 6CB62A47

Strings

g, xrefs: 6CB6298A

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: FolderH_prolog3MessageSend$AllocDesktopException@8GlobalLocationSpecialThrow
String ID: g
API String ID: 2027722222-30677878
Opcode ID: 95ece0ec354e03d0e4413b63ebe18b7f7dead888acf179c781602528a3551382
Instruction ID: c31b758f10999c0ee39e6ff9945e803e1060d03c76e74b66828368b57d33135a
Opcode Fuzzy Hash: 95ece0ec354e03d0e4413b63ebe18b7f7dead888acf179c781602528a3551382
Instruction Fuzzy Hash: 07318871A002199FDF10DFA9CC88AAEBBF9FF89300F004569E506EB790DB709801CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB63183 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,?), ref: 6CB631CA
_memset.LIBCMT ref: 6CB631D7
SendMessageW.USER32(?,00001102,00008001,?), ref: 6CB63240

Part of subcall function 6CB4BCE0: __CxxThrowException@8.LIBCMT ref: 6CB4BCF6
Part of subcall function 6CB4BCE0: __EH_prolog3.LIBCMT ref: 6CB4BD03

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 6CB63209
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 6CB63214
SendMessageW.USER32(?,0000110B,00000009,?), ref: 6CB6322E

Strings

@, xrefs: 6CB631E8

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSend$Exception@8H_prolog3Throw_memset
String ID: @
API String ID: 3199205413-2766056989
Opcode ID: 29b65640c484cfb7d598ac98fecaea460abfbc9e1bf7126d04159e198f90d4aa
Instruction ID: 562058b94885c20216478503ef59a966a6bc1e985b63593b6f7b238ea4b8bd6c
Opcode Fuzzy Hash: 29b65640c484cfb7d598ac98fecaea460abfbc9e1bf7126d04159e198f90d4aa
Instruction Fuzzy Hash: 4F21A1B2640348BBEB119F96CC81FDA7BB8FF48758F104015F704AB9A0D6B1E8408B61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB63F77 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB63F81

Part of subcall function 6CB60913: SendMessageW.USER32(?,00000031,00000000,00000000), ref: 6CB6091C

SendMessageW.USER32(FFFFFFFF,00000030,?,00000001), ref: 6CB63FED
SendMessageW.USER32(FFFFFFFF,000000D4,00000000,00000000), ref: 6CB63FFA
SendMessageW.USER32(FFFFFFFF,00000030,?,00000001), ref: 6CB6401A
SendMessageW.USER32(FFFFFFFF,000000D4,00000000,00000000), ref: 6CB64024
~_Task_impl.LIBCPMT ref: 6CB64044

Strings

d, xrefs: 6CB63FBA

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSend$H_prolog3_Task_impl
String ID: d
API String ID: 731318678-2564639436
Opcode ID: 1f83613665623e4ef84fd9588acef043465cb39ecfc933d527dc55dc343e738b
Instruction ID: 5522423512ebcff2ca016dbcdba3c1d9a07838efa96a55b11542fe064f9752be
Opcode Fuzzy Hash: 1f83613665623e4ef84fd9588acef043465cb39ecfc933d527dc55dc343e738b
Instruction Fuzzy Hash: 39218470A00258AEEF11DFA5CD85FEDBAB8FF04308F500169A218A7AD1DB709E15CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6CB834D7 Relevance: 12.3, APIs: 8, Instructions: 309timewindowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB834DE
SetCursor.USER32(?,6CB83C6D,00000000,00000000,?), ref: 6CB83578

Part of subcall function 6CB5994F: __EH_prolog3.LIBCMT ref: 6CB59956
Part of subcall function 6CB5994F: GetDC.USER32(00000000), ref: 6CB59982

Part of subcall function 6CB5C5F8: __EH_prolog3_GS.LIBCMT ref: 6CB5C5FF
Part of subcall function 6CB5C5F8: CreateRectRgnIndirect.GDI32(?), ref: 6CB5C63C
Part of subcall function 6CB5C5F8: CopyRect.USER32(?,?), ref: 6CB5C652
Part of subcall function 6CB5C5F8: InflateRect.USER32(?,?,?), ref: 6CB5C668
Part of subcall function 6CB5C5F8: IntersectRect.USER32(?,?,?), ref: 6CB5C676
Part of subcall function 6CB5C5F8: CreateRectRgnIndirect.GDI32(?), ref: 6CB5C680
Part of subcall function 6CB5C5F8: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6CB5C695
Part of subcall function 6CB5C5F8: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6CB5C6FD

Part of subcall function 6CB599A3: __EH_prolog3.LIBCMT ref: 6CB599AA
Part of subcall function 6CB599A3: ReleaseDC.USER32(?,00000000), ref: 6CB599C7

GetFocus.USER32 ref: 6CB83617
SetTimer.USER32(?,00000014,000001F4,00000000), ref: 6CB836D7
SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 6CB8377C
KillTimer.USER32(?,00000014), ref: 6CB838A8
SetTimer.USER32(?,00000014,000001F4,00000000), ref: 6CB838C5
UpdateWindow.USER32(?), ref: 6CB838E4

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Create$Timer$H_prolog3H_prolog3_Indirect$CopyCursorFocusInflateIntersectKillMessageReleaseSendUpdateWindow
String ID:
API String ID: 2399994607-0
Opcode ID: 28a475129de199148362bf56563f799cdfd2495e354e89c2c67073702c81a685
Instruction ID: ae7760797e1c874529d97ac59599ed7bf41099431f8567e43438f35eea02f8a2
Opcode Fuzzy Hash: 28a475129de199148362bf56563f799cdfd2495e354e89c2c67073702c81a685
Instruction Fuzzy Hash: 9FC158706062849FDF158F64C884B9D37B1EF48329F284279EC299FAD5DB71D885CB22

Uniqueness

Uniqueness Score: -1.00%

Function 6CBBA096 Relevance: 12.2, APIs: 8, Instructions: 239windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 6CBBA0C5
IsWindowVisible.USER32(?), ref: 6CBBA0D4
GetWindowRect.USER32(?,?), ref: 6CBBA126
IsZoomed.USER32(?), ref: 6CBBA135
SetWindowRgn.USER32(?,00000000,00000001), ref: 6CBBA1A2
_memset.LIBCMT ref: 6CBBA1C2
GetSystemMetrics.USER32(00000004), ref: 6CBBA20C
_memset.LIBCMT ref: 6CBBA2DD

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$Visible_memset$MetricsRectSystemZoomed
String ID:
API String ID: 3274878110-0
Opcode ID: 831714cb8cfe9631140abce6ae7222109e5aafd4b0f5947dd33e7251bfa8172b
Instruction ID: 205cb18e9f4d04aff89bbf2ceac45f29a475e0c7eeb365228950f831dfbbc203
Opcode Fuzzy Hash: 831714cb8cfe9631140abce6ae7222109e5aafd4b0f5947dd33e7251bfa8172b
Instruction Fuzzy Hash: 30914AB0E01258AFCF14CFA9C884AEEBBB5FF49704F144169E819BB655DB309901CF61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB9EC8F Relevance: 12.2, APIs: 8, Instructions: 204windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB9EC96
EnterCriticalSection.KERNEL32(6CCAC5B0,00000014,6CB6F3E7,?,00000000,00000000,00000000), ref: 6CB9ECBB
SelectObject.GDI32(?,00000014), ref: 6CB9EDAA
LeaveCriticalSection.KERNEL32(6CCAC5B0,00000020,?,00000014,6CB6F3E7,?,00000000,00000000,00000000), ref: 6CB9EDC9
CreateBitmap.GDI32(-00000002,-00000002,00000001,00000001,00000000), ref: 6CB9EDEC
SelectObject.GDI32(00000000), ref: 6CB9EDFB
CreateCompatibleDC.GDI32(00000000), ref: 6CB9EE85
CreateCompatibleBitmap.GDI32(?,-00000002,-00000002), ref: 6CB9EEA5

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Create$BitmapCompatibleCriticalObjectSectionSelect$EnterH_prolog3Leave
String ID:
API String ID: 4255533662-0
Opcode ID: 042b2157978a53ebe6f43b20af7bfcd1a5159815836e5bbaeabf59512d9c8d35
Instruction ID: 867164cf12d0ffc6b129dc5bfb3b7d6c1b15a294cc6188332556b4e391ad1077
Opcode Fuzzy Hash: 042b2157978a53ebe6f43b20af7bfcd1a5159815836e5bbaeabf59512d9c8d35
Instruction Fuzzy Hash: DA717C70600BD5DFDB258F65C88465EB7F1FF86308B248A39E09697A60E770E494CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CBC5EA7 Relevance: 12.2, APIs: 8, Instructions: 183windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CBC5EAE
GetSystemMenu.USER32(?,00000000,00000038,6CB7B3D7,00000000,00000000,?), ref: 6CBC5F5C
IsMenu.USER32(?), ref: 6CBC5F71
IsMenu.USER32(?), ref: 6CBC5F82
GetWindowLongW.USER32(?,000000F0), ref: 6CBC5FAA
_memset.LIBCMT ref: 6CBC608C
GetMenuItemInfoW.USER32(00000000,0000F060,00000000,?), ref: 6CBC60A7
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 6CBC60FC

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Menu$Window$H_prolog3InfoItemLongRedrawSystem_memset
String ID:
API String ID: 428562733-0
Opcode ID: 4040b02a53465615c6bd28cfae6ed75527a9a860fe997c06b60750d80dbb2fe0
Instruction ID: 86aced357c604e5e0c6dab95662d5a6e3cedbc02e4f42cba479e377bd1dea862
Opcode Fuzzy Hash: 4040b02a53465615c6bd28cfae6ed75527a9a860fe997c06b60750d80dbb2fe0
Instruction Fuzzy Hash: BF719E716007499FDF15CF60C888BAEB7F8FF44318F20461DE869EA690DB709A44DB56

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4AE10 Relevance: 12.2, APIs: 8, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB4B270: CoCreateInstance.OLE32(?,00000000,00000017,6CC8885C,?,?,?,6CB4836D,6CC88644,D7F0CEE4), ref: 6CB4B293
Part of subcall function 6CB4B270: OleRun.OLE32(?), ref: 6CB4B2A3

__CxxThrowException@8.LIBCMT ref: 6CB4AEA3

Part of subcall function 6CC3A59F: RaiseException.KERNEL32(6CB42DF8,00000000,D7F0CEE4,6CC88058,6CB42DF8,00000000,6CC9DBD8,?,D7F0CEE4), ref: 6CC3A5E1

std::exception::exception.LIBCMT ref: 6CB4AE86

Part of subcall function 6CC3963D: std::exception::operator=.LIBCMT ref: 6CC39656

std::exception::exception.LIBCMT ref: 6CB4AF20
__CxxThrowException@8.LIBCMT ref: 6CB4AF3D
SysAllocString.OLEAUT32(00000000), ref: 6CB4AF43
SysFreeString.OLEAUT32(00000000), ref: 6CB4AF65
SysAllocString.OLEAUT32(00000000), ref: 6CB4AF80
VariantClear.OLEAUT32(?), ref: 6CB4AFF5

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: String$AllocException@8Throwstd::exception::exception$ClearCreateExceptionFreeInstanceRaiseVariantstd::exception::operator=
String ID:
API String ID: 313639242-0
Opcode ID: a564c3af8722cb9cde21eb675db74bc83a63cd5ba59d53278777c6f3f50fc327
Instruction ID: 5bafc6d22fd5f3a60997abe08faaba23c076bb5e24e87fbee7f88e2ee95479e1
Opcode Fuzzy Hash: a564c3af8722cb9cde21eb675db74bc83a63cd5ba59d53278777c6f3f50fc327
Instruction Fuzzy Hash: A4714CB1D05259DFCB04DFA8C880ADEBBB8EF48314F248159E915A7744DB34A946CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CBDA3A1 Relevance: 12.1, APIs: 8, Instructions: 149windowCOMMON

Download Yara Rule

APIs

ReleaseCapture.USER32 ref: 6CBDA3D1
IsWindow.USER32(?), ref: 6CBDA3F2
DestroyWindow.USER32(?), ref: 6CBDA402
GetParent.USER32(?), ref: 6CBDA41E
IsRectEmpty.USER32(?), ref: 6CBDA4CA
IsWindowVisible.USER32(?), ref: 6CBDA50C
MapWindowPoints.USER32(?,?,?,00000001), ref: 6CBDA523
SendMessageW.USER32(?,00000202,?,?), ref: 6CBDA542

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$CaptureDestroyEmptyMessageParentPointsRectReleaseSendVisible
String ID:
API String ID: 3509494761-0
Opcode ID: 67f44c9ee4f0861d8f9a721288781bd8c13b3806f0d3263dbe8101298586cf47
Instruction ID: 26e42cd14d67587c3a5dca8068ca54fa2235477e845c9a4e988451a34cbd2b2d
Opcode Fuzzy Hash: 67f44c9ee4f0861d8f9a721288781bd8c13b3806f0d3263dbe8101298586cf47
Instruction Fuzzy Hash: 89517A303102819FEF04DF64C899BAA37B5EF05709F5605B8E90A9F696DB71E904CF62

Uniqueness

Uniqueness Score: -1.00%

Function 6CB613DB Relevance: 12.1, APIs: 8, Instructions: 146windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 6CB61424
ScreenToClient.USER32(00000000,?), ref: 6CB61469
SendMessageW.USER32(?,0000102C,00000000,00000003), ref: 6CB614A7
SetCapture.USER32(?), ref: 6CB614CD
ReleaseCapture.USER32 ref: 6CB61508
ScreenToClient.USER32(?,?), ref: 6CB61527
GetSystemMetrics.USER32(00000044), ref: 6CB61562
GetSystemMetrics.USER32(00000045), ref: 6CB6157E

Part of subcall function 6CB60995: SendMessageW.USER32(6CB6140B,00001018,00000000,00000000), ref: 6CB609A1

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CaptureClientMessageMetricsScreenSendSystem$FocusRelease
String ID:
API String ID: 3871486171-0
Opcode ID: cc652b1b42448ae990ef2e9af4b95867eea8918a6769318313c46681289a9fc9
Instruction ID: 373392828aa7674f1b7000e2e8519d3d0d8ce8db831d753f42daaa7ed5736d6f
Opcode Fuzzy Hash: cc652b1b42448ae990ef2e9af4b95867eea8918a6769318313c46681289a9fc9
Instruction Fuzzy Hash: E251AD71A00645AFDB10CFBAC844ADEBBB4FF15304F148229E69AD7A90DB70E980CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6CC23957 Relevance: 12.1, APIs: 8, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CC2395E
EqualRect.USER32(?,?), ref: 6CC2397D
EqualRect.USER32(?,?), ref: 6CC2398E
CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 6CC239DE
CreateRectRgn.GDI32(?,00000000,?,?), ref: 6CC23A11
CreateRectRgnIndirect.GDI32(?), ref: 6CC23A1D
SetWindowRgn.USER32(?,?,00000000), ref: 6CC23A44
RedrawWindow.USER32(?,00000000,00000000,00000105,6CCAA7C8,?,?,?,00000001,00000058), ref: 6CC23ABC

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Create$EqualWindow$H_prolog3IndirectRedraw
String ID:
API String ID: 1234839666-0
Opcode ID: 0ca0f678e0559bddb394217f694966e8f316c922cc868c434ec2849326403fa0
Instruction ID: 7ebdb680e16f99039be696bac9210ec3987dc7058632e1b6167dbc994ab81cff
Opcode Fuzzy Hash: 0ca0f678e0559bddb394217f694966e8f316c922cc868c434ec2849326403fa0
Instruction Fuzzy Hash: 5151397190010AEFCF05DFA8C988EEF7B79EF09344F048119BC15AB645DB74AA55CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CB534C3 Relevance: 12.1, APIs: 8, Instructions: 134windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6CB53506
BeginDeferWindowPos.USER32(00000008), ref: 6CB5351E
GetTopWindow.USER32(?), ref: 6CB53533
GetDlgCtrlID.USER32(00000000), ref: 6CB53542
SendMessageW.USER32(00000000,00000361,00000000,00000000), ref: 6CB53574
GetWindow.USER32(00000000,00000002), ref: 6CB5357D
CopyRect.USER32(?,?), ref: 6CB5359B
EndDeferWindowPos.USER32(00000000), ref: 6CB53612

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$DeferRect$BeginClientCopyCtrlMessageSend
String ID:
API String ID: 1228040700-0
Opcode ID: 19ec6100bcddb56e42f6d2fb8122e7e9b3b626042b5e0b0aaf73d3ff3c3569e7
Instruction ID: 511d267ec80f0218e25fce9febd3cbb07a3050e4556654a60254c9ad8c6efb34
Opcode Fuzzy Hash: 19ec6100bcddb56e42f6d2fb8122e7e9b3b626042b5e0b0aaf73d3ff3c3569e7
Instruction Fuzzy Hash: A5514471901258EFCF01CFA8D8849EEBBB4FF49314B94416AE815BB244DB309961CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB8075A Relevance: 12.1, APIs: 8, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 6CBDB33E: ReleaseCapture.USER32 ref: 6CBDB36C
Part of subcall function 6CBDB33E: IsWindow.USER32(?), ref: 6CBDB390
Part of subcall function 6CBDB33E: DestroyWindow.USER32(?,?,6CB8422C,?,?,?,?,?,6CB7A4D5,00000000,?,6CB7AA24), ref: 6CBDB3A0

SetRectEmpty.USER32(?), ref: 6CB8078D
ReleaseCapture.USER32 ref: 6CB80793
SetCapture.USER32(?,?,6CB8422C,?,?,?,?,?,6CB7A4D5,00000000,?,6CB7AA24), ref: 6CB807A2
GetCapture.USER32 ref: 6CB807E4
ReleaseCapture.USER32 ref: 6CB807F4
SetCapture.USER32(?,?,6CB8422C,?,?,?,?,?,6CB7A4D5,00000000,?,6CB7AA24), ref: 6CB80803
RedrawWindow.USER32(?,?,?,00000505), ref: 6CB8086E
RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 6CB808AD

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Capture$Window$Release$Redraw$DestroyEmptyRect
String ID:
API String ID: 2209428161-0
Opcode ID: f0235da6924eb91f7514044f92708e6cc1f1724989500d268045dbda687032f8
Instruction ID: 1b9ad258ff3d2cdce031b1f8f65d6f878e8b1aab69b0767eca36110f946aff3e
Opcode Fuzzy Hash: f0235da6924eb91f7514044f92708e6cc1f1724989500d268045dbda687032f8
Instruction Fuzzy Hash: C8418E31202A809FDB249B35D848F9F7BB5EF84759F61065CE46A97AA0DF30E8508B51

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6850F Relevance: 12.1, APIs: 8, Instructions: 109windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 6CB68553
InvalidateRect.USER32(?,00000000,00000001), ref: 6CB68594
TrackPopupMenu.USER32(?,00000180,?,?,00000000,?,00000000), ref: 6CB685E1
GetParent.USER32(?), ref: 6CB685F0
SendMessageW.USER32(?,00000111,?,?), ref: 6CB68626
InvalidateRect.USER32(?,00000000,00000001,00000000), ref: 6CB68644
UpdateWindow.USER32(?), ref: 6CB6864D
ReleaseCapture.USER32 ref: 6CB6865C

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$InvalidateWindow$CaptureMenuMessageParentPopupReleaseSendTrackUpdate
String ID:
API String ID: 2465089168-0
Opcode ID: 19759c555a38083891be5277cb0aea4c6c5416b5c04c83c5f0966804b124435c
Instruction ID: 8d499d6f93663745183b1e5f63e618bfa7ae94a83e17fcc20b126157add19ad9
Opcode Fuzzy Hash: 19759c555a38083891be5277cb0aea4c6c5416b5c04c83c5f0966804b124435c
Instruction Fuzzy Hash: 09412C71E00B44EFCB119F75C8489ABBBF5FF8A305F50051EE49A92610D776A850CF11

Uniqueness

Uniqueness Score: -1.00%

Function 6CB71558 Relevance: 12.1, APIs: 8, Instructions: 105windowstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 6CB7156E
_memset.LIBCMT ref: 6CB7158D
GetFocus.USER32 ref: 6CB71595

Part of subcall function 6CB52DF8: UnhookWindowsHookEx.USER32(?), ref: 6CB52E28

IsWindowEnabled.USER32(?), ref: 6CB715CA
EnableWindow.USER32(?,00000000), ref: 6CB715E6
EnableWindow.USER32(00000000,00000001), ref: 6CB71679
IsWindow.USER32(?), ref: 6CB7167E
SetFocus.USER32(?), ref: 6CB7168B

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$EnableFocus$EnabledHookUnhookWindows_memsetlstrlen
String ID:
API String ID: 3424750955-0
Opcode ID: f201c4bee523226417e43df36b216ce6e37544abf1bf2038634972de18345429
Instruction ID: 091ef4ed71a37a11b6394638ec77e7f4a96d8ca96dedc641b8634cac15c2acf4
Opcode Fuzzy Hash: f201c4bee523226417e43df36b216ce6e37544abf1bf2038634972de18345429
Instruction Fuzzy Hash: C941BF30601640DFDB249FB4C954F8ABBB5EF45308F288469E92E9B652CB31E916CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6EC91 Relevance: 12.1, APIs: 8, Instructions: 102windowtimeCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6CB6ED2B
SendMessageW.USER32(?,00000111,?,?), ref: 6CB6ED59
IsWindow.USER32(?), ref: 6CB6ED68
RedrawWindow.USER32(?,00000000,00000000,00000105,?,?,?,?,?,6CB687C6,?,?,?), ref: 6CB6ED78
IsWindow.USER32(?), ref: 6CB6ED88
ReleaseCapture.USER32 ref: 6CB6ED96
KillTimer.USER32(?,00000001,?,?,?,?,?,6CB687C6,?,?,?), ref: 6CB6EDAF
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 6CB6EDCE

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$MessageSend$CaptureKillParentRedrawReleaseTimer
String ID:
API String ID: 3014619129-0
Opcode ID: 6f396c8eddc2dc1f313ba545fae4208bbab47fd94a841935ebb7959a50105407
Instruction ID: b2fb91102474eba98f90b3f1219b60a25926ee17b3502a3afa27460b6a44d988
Opcode Fuzzy Hash: 6f396c8eddc2dc1f313ba545fae4208bbab47fd94a841935ebb7959a50105407
Instruction Fuzzy Hash: 42315E70611F90EFCB219F36CC44AAFBAF5FB85705F20052EA5AA92950E771A440CF62

Uniqueness

Uniqueness Score: -1.00%

Function 6CBEDBBB Relevance: 12.1, APIs: 8, Instructions: 100COMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 6CBEDBD8
GetParent.USER32(?), ref: 6CBEDBEF
GetClientRect.USER32(?,?), ref: 6CBEDC7D
MapWindowPoints.USER32(?,?,?,00000002), ref: 6CBEDC90
PtInRect.USER32(?,?,?), ref: 6CBEDCA0

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ClientRect$ParentPointsScreenWindow
String ID:
API String ID: 1402249346-0
Opcode ID: b78077ab1b7e14028c5162e12b90a5ed7a7a370bb7de3e6f6b86958f36884dbf
Instruction ID: 935a4a07fee2b63d20f36ce9f69b27f91906c36bfafec07ea7a6d25909fadef3
Opcode Fuzzy Hash: b78077ab1b7e14028c5162e12b90a5ed7a7a370bb7de3e6f6b86958f36884dbf
Instruction Fuzzy Hash: D1318C72700109AFCF05DFB5C8488AEBBB9FF8C394B600529E906E7650EBB0D911CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6CB8F5BC Relevance: 12.1, APIs: 8, Instructions: 75keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32(00000012), ref: 6CB8F5EC
GetAsyncKeyState.USER32(00000012), ref: 6CB8F606
_memset.LIBCMT ref: 6CB8F625
GetKeyboardState.USER32(?), ref: 6CB8F634
GetKeyboardLayout.USER32(?), ref: 6CB8F64B
MapVirtualKeyW.USER32(?,00000000), ref: 6CB8F667
ToUnicodeEx.USER32(?,00000000), ref: 6CB8F66F
CharUpperW.USER32(?), ref: 6CB8F67C

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: State$AsyncKeyboard$CharLayoutUnicodeUpperVirtual_memset
String ID:
API String ID: 3224171628-0
Opcode ID: 9f0e81e673b43f4d4d1f11ad98d1a9eafa6e81be1632ba00f6022c7d8a734200
Instruction ID: d51d40ef8f904a80499fb6e401494d8bdb97dcdefd91e37a0f70ed6011b433f0
Opcode Fuzzy Hash: 9f0e81e673b43f4d4d1f11ad98d1a9eafa6e81be1632ba00f6022c7d8a734200
Instruction Fuzzy Hash: AE21DE71A01249AFDF00DBA0DC44FED737CEB45748F400166EA40E3584EBB09A99DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4D128 Relevance: 12.1, APIs: 8, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 6CB4D13A
GetMenuItemCount.USER32(?), ref: 6CB4D142
GetSubMenu.USER32(?,-00000001), ref: 6CB4D15F
GetMenuItemCount.USER32(00000000), ref: 6CB4D16F
GetSubMenu.USER32(00000000,00000000), ref: 6CB4D180
RemoveMenu.USER32(00000000,00000000,00000400), ref: 6CB4D19D
GetSubMenu.USER32(?,?), ref: 6CB4D1B7
RemoveMenu.USER32(?,?,00000400), ref: 6CB4D1D5

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Menu$CountItem$Remove
String ID:
API String ID: 3494307843-0
Opcode ID: 415c44154a5c057aec9d3e2c4e59149c119e177d5f3977d27225b44dc30830cf
Instruction ID: 8a3e922a4586a2743c9f7128b412e5b80c23dd8b2ab310a9ca622a838c95656d
Opcode Fuzzy Hash: 415c44154a5c057aec9d3e2c4e59149c119e177d5f3977d27225b44dc30830cf
Instruction Fuzzy Hash: AD212531A4928DFFDF019FB4DD80E9EBBB5EB09304F2088A2ED11A2554D730AA51EF50

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5A3D2 Relevance: 12.1, APIs: 8, Instructions: 66memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?,?,?,?,?,?,6CB54A4A,?), ref: 6CB5A3F1
lstrcmpW.KERNEL32(00000000,?,?,?,?,?,?,6CB54A4A,?), ref: 6CB5A3FE
OpenPrinterW.WINSPOOL.DRV(?,?,00000000,?,?,?,?,?,6CB54A4A,?), ref: 6CB5A410
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,?,?,6CB54A4A,?), ref: 6CB5A430
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 6CB5A438
GlobalLock.KERNEL32(00000000,?,?,?,?,?,6CB54A4A,?), ref: 6CB5A442
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002,?,?,?,?,?,6CB54A4A,?), ref: 6CB5A44F
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002,?,?,?,?,?,6CB54A4A,?), ref: 6CB5A467

Part of subcall function 6CB56B7F: GlobalFlags.KERNEL32(?), ref: 6CB56B8E
Part of subcall function 6CB56B7F: GlobalUnlock.KERNEL32(?,?,6CB5A461,?,00000000,?,?,00000000,00000000,00000002,?,?,?,?,?,6CB54A4A), ref: 6CB56B9F
Part of subcall function 6CB56B7F: GlobalFree.KERNEL32(?), ref: 6CB56BA9

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 1d0903e25b442ba0bf335e1cc95aa7bdd9c3073f9dc610d826dd97d662643d38
Instruction ID: c01f977a56bc45c4445b5dd05701059d05d6b460065bdfd7e16d8f34e6ab16ac
Opcode Fuzzy Hash: 1d0903e25b442ba0bf335e1cc95aa7bdd9c3073f9dc610d826dd97d662643d38
Instruction Fuzzy Hash: 1F119171500644BEEB125FA5CC49DAF7AFDEF8AB48B508119F601E7520D731D921DB30

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5CB09 Relevance: 12.1, APIs: 8, Instructions: 64COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000031), ref: 6CB5CB1F
GetSystemMetrics.USER32(00000032), ref: 6CB5CB29
SetRectEmpty.USER32(6CCAAE14), ref: 6CB5CB38
EnumDisplayMonitors.USER32(00000000,00000000,Function_0001CA84,6CCAAE14,?,?,6CBC3DA4,?,?,?,6CB7F5AA,?,?), ref: 6CB5CB48
SystemParametersInfoW.USER32(00000030,00000000,6CCAAE14,00000000), ref: 6CB5CB63
SystemParametersInfoW.USER32(00001002,00000000,6CCAAE40,00000000), ref: 6CB5CB83
SystemParametersInfoW.USER32(00001012,00000000,6CCAAE44,00000000), ref: 6CB5CB9B
SystemParametersInfoW.USER32 ref: 6CB5CBBB

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: System$InfoParameters$Metrics$DisplayEmptyEnumMonitorsRect
String ID:
API String ID: 2614369430-0
Opcode ID: 85e26ffe44732433ebf49b218b0f6d41790a1c27e18da9339fd4b55ea0d8f926
Instruction ID: b63f721c1c9c3483116a8e2833438862827d3f3ef20d4f85bc8f99ccbe1062fc
Opcode Fuzzy Hash: 85e26ffe44732433ebf49b218b0f6d41790a1c27e18da9339fd4b55ea0d8f926
Instruction Fuzzy Hash: 76110775601744AFE2219F768C49EE7BAFCEFCAB00F40091EE5AA97140D7B0A441CA21

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4D335 Relevance: 12.1, APIs: 8, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GlobalSize.KERNEL32(?), ref: 6CB4D346
GlobalAlloc.KERNEL32(00002002,00000000), ref: 6CB4D358
GlobalSize.KERNEL32(?), ref: 6CB4D369
GlobalLock.KERNEL32(?), ref: 6CB4D37A
GlobalLock.KERNEL32(?), ref: 6CB4D380
GlobalSize.KERNEL32(?), ref: 6CB4D38B
GlobalUnlock.KERNEL32(?), ref: 6CB4D39E
GlobalUnlock.KERNEL32(?), ref: 6CB4D3A3

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Global$Size$LockUnlock$Alloc
String ID:
API String ID: 2344174106-0
Opcode ID: 38930320a40804f8ef0fe2d7c47f05b3b7324fa1273166137d6439f7f4ff2fd6
Instruction ID: d801c1d2d917ccf37886219952d40bd69cfcfb043289e5275d0db8ff885d559a
Opcode Fuzzy Hash: 38930320a40804f8ef0fe2d7c47f05b3b7324fa1273166137d6439f7f4ff2fd6
Instruction Fuzzy Hash: 4F017C71A04258BFEB116FBADC8489FBF7DEF452A47008026FC04A3211DA709E10EAA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4E7DF Relevance: 12.0, APIs: 8, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 6CB4E7EE
GetSystemMetrics.USER32(0000000C), ref: 6CB4E7F5
GetSystemMetrics.USER32(00000002), ref: 6CB4E7FC
GetSystemMetrics.USER32(00000003), ref: 6CB4E806
GetDC.USER32(00000000), ref: 6CB4E810
GetDeviceCaps.GDI32(00000000,00000058), ref: 6CB4E821
GetDeviceCaps.GDI32(00000000,0000005A), ref: 6CB4E829
ReleaseDC.USER32(00000000,00000000), ref: 6CB4E831

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: 1a51c0a8c48c68625a5bfb471358310fca16e8b612078dbc4d474fd14c93d43c
Instruction ID: 3c09892c82e6a373cd407fdbe403bd4663bfd24b726602bc9e1fb0136cd0eedf
Opcode Fuzzy Hash: 1a51c0a8c48c68625a5bfb471358310fca16e8b612078dbc4d474fd14c93d43c
Instruction Fuzzy Hash: FFF037B1E40754AFEB105BB29C4EB1A7E78EB46721F004526A604AB2C0DAB598108F90

Uniqueness

Uniqueness Score: -1.00%

Function 6CBBE7C7 Relevance: 10.8, APIs: 7, Instructions: 348COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CBBE7CE
GetWindow.USER32(?,00000005), ref: 6CBBE832

Part of subcall function 6CBBDEB8: __EH_prolog3.LIBCMT ref: 6CBBDEBF
Part of subcall function 6CBBDEB8: GetWindow.USER32(?,00000005), ref: 6CBBDEDF
Part of subcall function 6CBBDEB8: GetWindow.USER32(?,00000002), ref: 6CBBDF15

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$H_prolog3
String ID:
API String ID: 1351209170-0
Opcode ID: b3a3e7fd9335e7b4052b31124df6a4a9a7d7f2ca8cd5047f977a3fc7a5b4401e
Instruction ID: 37749e4e871979996cde9907b1f82f09b8fab232e0dafbf1edef187e27b11fba
Opcode Fuzzy Hash: b3a3e7fd9335e7b4052b31124df6a4a9a7d7f2ca8cd5047f977a3fc7a5b4401e
Instruction Fuzzy Hash: 88D14C30A006969FDF04DFA4C898AFDB7B5FF09308F1445A8E556AB7A1DF349844CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CBE8D30 Relevance: 10.8, APIs: 7, Instructions: 325windowstringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CBE8D3A
GetMenuItemCount.USER32(0000000D), ref: 6CBE8D83
GetMenuItemID.USER32(0000000D,?), ref: 6CBE8DA6

Part of subcall function 6CB4BCE0: __CxxThrowException@8.LIBCMT ref: 6CB4BCF6
Part of subcall function 6CB4BCE0: __EH_prolog3.LIBCMT ref: 6CB4BD03

Part of subcall function 6CBD93AD: __EH_prolog3.LIBCMT ref: 6CBD93B4

Part of subcall function 6CB5C94F: __EH_prolog3.LIBCMT ref: 6CB5C956

lstrlenW.KERNEL32(00000000), ref: 6CBE8EC8
CharUpperBuffW.USER32(00000002,00000001), ref: 6CBE8EDD
lstrlenW.KERNEL32(00000000), ref: 6CBE8EE5
GetSubMenu.USER32(00000000,?), ref: 6CBE9017

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: H_prolog3Menu$Itemlstrlen$BuffCharCountException@8H_prolog3_ThrowUpper
String ID:
API String ID: 1336055891-0
Opcode ID: fea1bb2adad51c0267e1afa23b39b89241bd45a87040159618dbd5d7381287e3
Instruction ID: 922dc170b1baa2a844dab5fa72a45f9667396257428ebd366e96eec10d9ebb88
Opcode Fuzzy Hash: fea1bb2adad51c0267e1afa23b39b89241bd45a87040159618dbd5d7381287e3
Instruction Fuzzy Hash: 45D1AB309046A8EFDF25CB64CC54BEDB774AF09728F5082C9E129A76D0DB315A88CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB402A Relevance: 10.7, APIs: 7, Instructions: 242COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CBB4031
CreateCompatibleDC.GDI32(00000002), ref: 6CBB408E

Part of subcall function 6CB9D5B8: FillRect.USER32(?,00000020), ref: 6CB9D5CC

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CompatibleCreateFillH_prolog3Rect
String ID:
API String ID: 2215992850-0
Opcode ID: 9849d6a7d2c2117720dd0b5dfb6f52fbfecace52fcec39400b71545ccd61f6f5
Instruction ID: 0735c19c63f0a9ff05795ba224a6f2072c5a2243d68c6f82191c5da3aded2a30
Opcode Fuzzy Hash: 9849d6a7d2c2117720dd0b5dfb6f52fbfecace52fcec39400b71545ccd61f6f5
Instruction Fuzzy Hash: 0791BB71A1069AABDB00CFA9CD84AEEBBB4FF44304F404229F450E6A90DB34D915DB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB46730 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 156libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,6CC5B808,000000FF,?,6CB420F8), ref: 6CB467DE
GetProcAddress.KERNEL32(00000000), ref: 6CB467E5

Part of subcall function 6CB42860: std::_Xinvalid_argument.LIBCPMT ref: 6CB42877

Strings

x86, xrefs: 6CB46857
x64, xrefs: 6CB46841
GetNativeSystemInfo, xrefs: 6CB467D4
kernel32.dll, xrefs: 6CB467D9

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProcXinvalid_argumentstd::_
String ID: GetNativeSystemInfo$kernel32.dll$x64$x86
API String ID: 3237870455-405694257
Opcode ID: fcb023f866b8a8a2d537e861ff639a230c6a47cf8f9cfcf370a1035744fc3b5a
Instruction ID: dbb5218e68e40f25ee2dea2d11da56005398e43c5130d3898bae131ee5880eea
Opcode Fuzzy Hash: fcb023f866b8a8a2d537e861ff639a230c6a47cf8f9cfcf370a1035744fc3b5a
Instruction Fuzzy Hash: 515194B1E082459FCB04DF98D841A9EBBB4FF48314F14862FE415E7B44E770A644DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CC2595E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6CC25965

Part of subcall function 6CC258D6: OleGetClipboard.OLE32(?), ref: 6CC258EE

ReleaseStgMedium.OLE32(?), ref: 6CC259DA
ReleaseStgMedium.OLE32(?), ref: 6CC25A1F
CoTaskMemFree.OLE32(?), ref: 6CC25AC7
ReleaseStgMedium.OLE32(?), ref: 6CC25A3F

Part of subcall function 6CB4BAB7: _malloc.LIBCMT ref: 6CB4BAD5

Strings

', xrefs: 6CC259A1

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MediumRelease$ClipboardFreeH_prolog3_catchTask_malloc
String ID: '
API String ID: 3930503942-1997036262
Opcode ID: fa10b1c1f2ee0cbd39e3872ed8dd6b696bca9bd348c4bca648871b75be140e0d
Instruction ID: d6311091f6411c920fa16806c7cc32fa63f1dd6a8fc335069a2455fd25b85c2e
Opcode Fuzzy Hash: fa10b1c1f2ee0cbd39e3872ed8dd6b696bca9bd348c4bca648871b75be140e0d
Instruction Fuzzy Hash: B0517570905249EFDF00DFA4C485AEE7BF4FF09308F60842AE505EB644E7799A85DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4B750 Relevance: 10.6, APIs: 7, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CB4B7AE
VerSetConditionMask.KERNEL32 ref: 6CB4B7CB
VerifyVersionInfoW.KERNEL32(?,00000002,00000000), ref: 6CB4B7ED
VerSetConditionMask.KERNEL32(00000000,?,00000001,00000001), ref: 6CB4B817
VerifyVersionInfoW.KERNEL32(?,00000001,00000000), ref: 6CB4B830
VerSetConditionMask.KERNEL32(00000000,?,00000020,00000001,?,?,00000001,00000001), ref: 6CB4B85A
VerifyVersionInfoW.KERNEL32(?,00000020,00000000), ref: 6CB4B877

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ConditionInfoMaskVerifyVersion$_memset
String ID:
API String ID: 2276291344-0
Opcode ID: 25dbe0fd7d01a87909d565fa0b3a66c7600b8b9397c67612440f0fa6d9f469b4
Instruction ID: a9a3044be4b343e933b773b34b337553dad572ceeaefaa86c3d1cdf16cc98cec
Opcode Fuzzy Hash: 25dbe0fd7d01a87909d565fa0b3a66c7600b8b9397c67612440f0fa6d9f469b4
Instruction Fuzzy Hash: 7841F03160C3805BD710CB15C899B8FB7F9EBCA719F40451EF688A7680D6B18905C7A3

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6E1E4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 136COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,00000018,?), ref: 6CB6E297
DeleteObject.GDI32(?), ref: 6CB6E356
DeleteObject.GDI32(?), ref: 6CB6E35B
DeleteObject.GDI32(?), ref: 6CB6E365

Strings

Pl)u, xrefs: 6CB6E297
, xrefs: 6CB6E2BC

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Object$Delete
String ID: $Pl)u
API String ID: 774837909-1824918255
Opcode ID: ebdbad09f18091059b55faa961338910d68cc90041feb0534721d91b4d0bc536
Instruction ID: 07e6fdbffc8cf35e9cb945dea83627790622c49628238ae11e565899d8b29b36
Opcode Fuzzy Hash: ebdbad09f18091059b55faa961338910d68cc90041feb0534721d91b4d0bc536
Instruction Fuzzy Hash: 88513A319416C9DBCB12DFA6CC8499E77B2FB85318F20452AE825A3E80D7319A95CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6CBA22B7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 136windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CBA22BE

Part of subcall function 6CB599DE: __EH_prolog3.LIBCMT ref: 6CB599E5
Part of subcall function 6CB599DE: GetWindowDC.USER32(00000000,00000004,6CB5DB43,00000000,?,?,6CC6AFB0), ref: 6CB59A11

CreateCompatibleDC.GDI32(00000000), ref: 6CBA22F3
CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 6CBA2377
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6CBA23C3

Part of subcall function 6CB59C1A: SelectObject.GDI32(6CBB40FE,?), ref: 6CB59C25

FillRect.USER32(?,?,?), ref: 6CBA23FE

Strings

(, xrefs: 6CBA2358

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Create$Compatible$BitmapFillH_prolog3H_prolog3_ObjectRectSectionSelectWindow
String ID: (
API String ID: 2680359821-3887548279
Opcode ID: 7c19c011b65e1743096658e48ed0a98f3471ad29cc84af0528a7c4c7411cd254
Instruction ID: 015e303e708f2772358bbc4d34aa36021c35a74692a662d70fa0f2d867b37163
Opcode Fuzzy Hash: 7c19c011b65e1743096658e48ed0a98f3471ad29cc84af0528a7c4c7411cd254
Instruction Fuzzy Hash: E25115B1C00298EFDB11DFE6C9849DEBBB5FF08314F60812AE519AB650DB305A5ACF51

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB8DE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 6CBB8EC2
GetMonitorInfoW.USER32(00000000), ref: 6CBB8EC9
CopyRect.USER32(?,?), ref: 6CBB8EDB
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6CBB8EEB
IntersectRect.USER32(?,?,?), ref: 6CBB8F1E

Strings

(, xrefs: 6CBB8EBB

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: InfoMonitorRect$CopyFromIntersectParametersPointSystem
String ID: (
API String ID: 2931574886-3887548279
Opcode ID: 4189d230bd698aca39fc901e251ad08c4e92fcea8c1292f0656d180de335e2b2
Instruction ID: f888764ca81e892fdc23023519a422e5fbde3fafdff7a57d4e670dfb953e0a1e
Opcode Fuzzy Hash: 4189d230bd698aca39fc901e251ad08c4e92fcea8c1292f0656d180de335e2b2
Instruction Fuzzy Hash: 6751F4B1A002499FCF14CFA9C9849AEFBF9FF88304B20455AE515E7650DB70AA09CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB80AA0 Relevance: 10.6, APIs: 7, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 6CBD82FC: __EH_prolog3_catch.LIBCMT ref: 6CBD8303

UpdateWindow.USER32(?), ref: 6CB80B34
EqualRect.USER32(?,?), ref: 6CB80B6A
InflateRect.USER32(?,00000002,00000002), ref: 6CB80B82
InvalidateRect.USER32(?,?,00000001), ref: 6CB80B91
InflateRect.USER32(?,00000002,00000002), ref: 6CB80BA6
InvalidateRect.USER32(?,?,00000001), ref: 6CB80BB8
UpdateWindow.USER32(?), ref: 6CB80BC1

Part of subcall function 6CB8066E: InvalidateRect.USER32(?,?,00000001,?), ref: 6CB806E3
Part of subcall function 6CB8066E: InflateRect.USER32(?,?,?), ref: 6CB80729
Part of subcall function 6CB8066E: RedrawWindow.USER32(?,?,00000000,00000401,?,?), ref: 6CB8073C

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$InflateInvalidateWindow$Update$EqualH_prolog3_catchRedraw
String ID:
API String ID: 1041772997-0
Opcode ID: 0f79a6d7d8a58f4a9b6b54374048c486e4ac39476de689a6cce28eb2fe1eb637
Instruction ID: 72d10c561bad03d5c5641738cf3efe9ba54bb5d751e39293a581dc1b453acfee
Opcode Fuzzy Hash: 0f79a6d7d8a58f4a9b6b54374048c486e4ac39476de689a6cce28eb2fe1eb637
Instruction Fuzzy Hash: 95419C726016459FCF01CF68C888BAA77B9FF49358F240279EC1AEB295DB309905CF61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6EDDB Relevance: 10.6, APIs: 7, Instructions: 119windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000407,00000000,?), ref: 6CB6EE1E
GetParent.USER32(?), ref: 6CB6EE4E
SendMessageW.USER32(?,00000111,?), ref: 6CB6EE73
GetParent.USER32(?), ref: 6CB6EE96
RedrawWindow.USER32(?,00000000,00000000,00000105,00000000), ref: 6CB6EEFE
GetParent.USER32(?), ref: 6CB6EF07
GetWindowLongW.USER32(?,000000F4), ref: 6CB6EF21

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Parent$MessageSendWindow$LongRedraw
String ID:
API String ID: 4271267155-0
Opcode ID: 1b22c4421724513d56835c0598a8fad0733f0dc8fbccbaf72a7a7adf067b1a29
Instruction ID: aae04b3c2303e066062c29dd72e7b2981371fdca7216b6fc43fd6e64fb53d589
Opcode Fuzzy Hash: 1b22c4421724513d56835c0598a8fad0733f0dc8fbccbaf72a7a7adf067b1a29
Instruction Fuzzy Hash: 5B41D3312057C0EBEB544E63CC88BAF76B9FB49308F104529E55A9AD90D770D881CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6CB527FD Relevance: 10.6, APIs: 7, Instructions: 117windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6CB52830
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 6CB52854
UpdateWindow.USER32(?), ref: 6CB5286F
SendMessageW.USER32(?,00000121,00000000,?), ref: 6CB52890
SendMessageW.USER32(?,0000036A,00000000,00000002), ref: 6CB528A8
UpdateWindow.USER32(?), ref: 6CB528EB
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 6CB5291C

Part of subcall function 6CB5676A: GetWindowLongW.USER32(?,000000F0), ref: 6CB56775

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: e62053f68537c08c700bd2065b616e5b76758f53e5875cdbeaa854fac5de8e41
Instruction ID: cc1d124a242355110d3a7b8e7d47cffefbc5161b48404b62c72f7450aae91912
Opcode Fuzzy Hash: e62053f68537c08c700bd2065b616e5b76758f53e5875cdbeaa854fac5de8e41
Instruction Fuzzy Hash: BA41A370E016C5EFDF118FA6C848E9EBBB4FF81709FA0416DE451A6A90DB318960DB53

Uniqueness

Uniqueness Score: -1.00%

Function 6CBDC348 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CBDC34F

Part of subcall function 6CB5D65F: __EH_prolog3.LIBCMT ref: 6CB5D666
Part of subcall function 6CB5D65F: LoadCursorW.USER32(00000000,00007F00), ref: 6CB5D692
Part of subcall function 6CB5D65F: GetClassInfoW.USER32(?,00000000,?), ref: 6CB5D6D6

CopyRect.USER32(?,?), ref: 6CBDC403

Part of subcall function 6CB5972B: ClientToScreen.USER32(?,?), ref: 6CB5973C
Part of subcall function 6CB5972B: ClientToScreen.USER32(?,?), ref: 6CB59749

IsRectEmpty.USER32(?), ref: 6CBDC41C
IsRectEmpty.USER32(?), ref: 6CBDC434
IsRectEmpty.USER32(?), ref: 6CBDC449

Strings

Afx:ControlBar, xrefs: 6CBDC37E

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Empty$ClientScreen$ClassCopyCursorH_prolog3H_prolog3_InfoLoad
String ID: Afx:ControlBar
API String ID: 2202805320-4244778371
Opcode ID: cd37bb8fcdd82240d397d0da2a4d573e71d5baaef6b2ae80113c5e8a27b9f2cf
Instruction ID: af25dfbe24c904d8ff8e05961175303ef51e565929ebbd7cfcc8948946f277fc
Opcode Fuzzy Hash: cd37bb8fcdd82240d397d0da2a4d573e71d5baaef6b2ae80113c5e8a27b9f2cf
Instruction Fuzzy Hash: FB418B31A00258AFCF01DFA8C884AEE77B9FF49318F454168FC09BB655DB35A918CB64

Uniqueness

Uniqueness Score: -1.00%

Function 6CB67F75 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB67F7C

Part of subcall function 6CBACFF5: __EH_prolog3.LIBCMT ref: 6CBACFFC

Part of subcall function 6CBAE01D: SetRectEmpty.USER32(?), ref: 6CBAE04D

SetRectEmpty.USER32(?), ref: 6CB680C4
SetRectEmpty.USER32(?), ref: 6CB680D3
SetRectEmpty.USER32(?), ref: 6CB680DC

Strings

True, xrefs: 6CB680E7
False, xrefs: 6CB68133

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: EmptyRect$H_prolog3
String ID: False$True
API String ID: 3752103406-1895882422
Opcode ID: 9d6778b2851b5890dd3b978320e67387d1214d6aca2f7163b1b26d82a9048769
Instruction ID: 812098909718fab82917a4de98f4f7adae5c2d5b74f07e9d72fbbe9a4b627fbc
Opcode Fuzzy Hash: 9d6778b2851b5890dd3b978320e67387d1214d6aca2f7163b1b26d82a9048769
Instruction Fuzzy Hash: E251BEB0805B808FC362DF7AC5947DAFBE8BFA4304F50491FD0AE96660DBB06648CB15

Uniqueness

Uniqueness Score: -1.00%

Function 6CB78B8F Relevance: 10.6, APIs: 7, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 6CB78AFC: _malloc.LIBCMT ref: 6CB78B0F

_free.LIBCMT ref: 6CB78BB8
_memset.LIBCMT ref: 6CB78BD1
_memset.LIBCMT ref: 6CB78C0B
_memcpy_s.LIBCMT ref: 6CB78C25
CreateDIBSection.GDI32(00000000,00000000,00000000,00000008,00000000,00000000), ref: 6CB78C3E
_free.LIBCMT ref: 6CB78C50
_free.LIBCMT ref: 6CB78C83

Part of subcall function 6CC39FB6: HeapFree.KERNEL32(00000000,00000000,?,6CC4209B,00000000,?,00000000,6CC3ACFF,6CC39832,MarketPlugin,?,6CB4BADA,?,00000000,?,6CB4529F), ref: 6CC39FCC
Part of subcall function 6CC39FB6: GetLastError.KERNEL32(00000000,?,6CC4209B,00000000,?,00000000,6CC3ACFF,6CC39832,MarketPlugin,?,6CB4BADA,?,00000000,?,6CB4529F,0000001C), ref: 6CC39FDE

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: _free$_memset$CreateErrorFreeHeapLastSection_malloc_memcpy_s
String ID:
API String ID: 2204576675-0
Opcode ID: 5337ba1038c263595c1f9a4a00aa9e19894bcb18a2945fd80f76e5ffad575297
Instruction ID: b75ad214ec3cd76b5010c18f849ae5b638e52c73afab18004d301ea41de098e8
Opcode Fuzzy Hash: 5337ba1038c263595c1f9a4a00aa9e19894bcb18a2945fd80f76e5ffad575297
Instruction Fuzzy Hash: 1A31F072905655ABDB30CF75DC40A8B73A8EF02368F14492AEC65F7B40EB72ED0487A0

Uniqueness

Uniqueness Score: -1.00%

Function 6CB52E91 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CB52F2A
SendMessageW.USER32(00000000,00000433,00000000,?), ref: 6CB52F53
GetWindowLongW.USER32(?,000000FC), ref: 6CB52F65
GetWindowLongW.USER32(?,000000FC), ref: 6CB52F76
SetWindowLongW.USER32(?,000000FC,?), ref: 6CB52F92

Strings

,, xrefs: 6CB52F49

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: LongWindow$MessageSend_memset
String ID: ,
API String ID: 2997958587-3772416878
Opcode ID: 82df3b9f5e7da00c601933916f8d32625ceef8ca025ca735f280a517055eca19
Instruction ID: 0f851e044a5d2da31f2fafa66e6d681d810b34c1eeddf2b29291893820fb3442
Opcode Fuzzy Hash: 82df3b9f5e7da00c601933916f8d32625ceef8ca025ca735f280a517055eca19
Instruction Fuzzy Hash: 9E418D717023849FDB04DFB5D888A5EB7B5FF48318F500629E54697A90DB30E814CB96

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB9A2E Relevance: 10.6, APIs: 7, Instructions: 110windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 6CBB9A61

Part of subcall function 6CBC6981: RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 6CBC69F8

IsWindowVisible.USER32(?), ref: 6CBB9A8B
IsWindowVisible.USER32(?), ref: 6CBB9ACF
RedrawWindow.USER32(?,00000000,00000000,00000585), ref: 6CBB9AF1
RedrawWindow.USER32(?,00000000,00000000,00000501), ref: 6CBB9B03
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 6CBB9B25
RedrawWindow.USER32(?,?,00000000,00000541), ref: 6CBB9B56

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$Redraw$Visible
String ID:
API String ID: 1637130220-0
Opcode ID: 55535f00bc42a7e003d7ee33f4f37399ff3d52169d9666576eae6672917cbe5b
Instruction ID: d2e9c32bf089484b846a00dc0c7fb3aad04f61df0042f971d672481406eab7ae
Opcode Fuzzy Hash: 55535f00bc42a7e003d7ee33f4f37399ff3d52169d9666576eae6672917cbe5b
Instruction Fuzzy Hash: B2415C71A1024ADFEB109FA5C8C0EBABBB9FF44348F20457DE555A7660DB30E900DB51

Uniqueness

Uniqueness Score: -1.00%

Function 6CC4FF5C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

PMDtoOffset.LIBCMT ref: 6CC50030
std::bad_exception::bad_exception.LIBCMT ref: 6CC5005A
__CxxThrowException@8.LIBCMT ref: 6CC50068

Strings

Bad dynamic_cast!, xrefs: 6CC50052

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Exception@8OffsetThrowstd::bad_exception::bad_exception
String ID: Bad dynamic_cast!
API String ID: 1176828985-2956939130
Opcode ID: 1ca7b5b58e4de5b79f954484b3f6aebf325b964e3f86feffbe0541d16e15b033
Instruction ID: 1474d443a1cd9aec70582d50e19fa43c6eae11e573ae7aa686ae8fe1d3560b67
Opcode Fuzzy Hash: 1ca7b5b58e4de5b79f954484b3f6aebf325b964e3f86feffbe0541d16e15b033
Instruction Fuzzy Hash: 5731B072A002559FDF04CF68C890A9EB7F0BF49319F548458E805E7B90F734E866CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 6CC382D4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB4BE5C: __EH_prolog3_catch.LIBCMT ref: 6CB4BE63

GetUserDefaultUILanguage.KERNEL32(00000000,00000005,6CC382B5,00000000,?,?,6CC1ECAA,00000000,?,6CC1F045,0000001C,6CC1EDD8,00000000,6CC1F045), ref: 6CC3831C
FindResourceExW.KERNEL32(00000000,00000005,?,0000FC11,?,?,6CC1ECAA,00000000,?,6CC1F045,0000001C,6CC1EDD8,00000000,6CC1F045), ref: 6CC3835A
FindResourceW.KERNEL32(00000000,?,00000005,?,?,6CC1ECAA,00000000,?,6CC1F045,0000001C,6CC1EDD8,00000000,6CC1F045), ref: 6CC38373
LoadResource.KERNEL32(00000000,00000000,?,?,6CC1ECAA,00000000,?,6CC1F045,0000001C,6CC1EDD8,00000000,6CC1F045), ref: 6CC38381
GlobalAlloc.KERNEL32(?,00000000,00000005,6CC382B5,00000000,?,?,6CC1ECAA,00000000,?,6CC1F045,0000001C,6CC1EDD8,00000000,6CC1F045), ref: 6CC383B1

Part of subcall function 6CB4BCE0: __CxxThrowException@8.LIBCMT ref: 6CB4BCF6
Part of subcall function 6CB4BCE0: __EH_prolog3.LIBCMT ref: 6CB4BD03

Strings

MS UI Gothic, xrefs: 6CC38336

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Resource$Find$AllocDefaultException@8GlobalH_prolog3H_prolog3_catchLanguageLoadThrowUser
String ID: MS UI Gothic
API String ID: 2010067809-1905310704
Opcode ID: 9a9bcf953c2ad35892e239fec61f9470b64518cf7df8d79def14de9a2db7a326
Instruction ID: 39e2ea9d68564e93611ed6e9faab000369073418dae8f275c1ca7d9f5b458d30
Opcode Fuzzy Hash: 9a9bcf953c2ad35892e239fec61f9470b64518cf7df8d79def14de9a2db7a326
Instruction Fuzzy Hash: C5312471A00211AFEB04AF65CC49EAE77B9EF40314B048026FD09DFB90EB30DC40D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 6CB49760 Relevance: 10.6, APIs: 7, Instructions: 104COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(000000FF), ref: 6CB49799
__CxxThrowException@8.LIBCMT ref: 6CB497F9

Part of subcall function 6CC3A59F: RaiseException.KERNEL32(6CB42DF8,00000000,D7F0CEE4,6CC88058,6CB42DF8,00000000,6CC9DBD8,?,D7F0CEE4), ref: 6CC3A5E1

std::exception::exception.LIBCMT ref: 6CB497DC

Part of subcall function 6CC3963D: std::exception::operator=.LIBCMT ref: 6CC39656

std::exception::exception.LIBCMT ref: 6CB49837
__CxxThrowException@8.LIBCMT ref: 6CB49854
VariantClear.OLEAUT32(000000FF), ref: 6CB49876
SysFreeString.OLEAUT32(?), ref: 6CB49880

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Exception@8ThrowVariantstd::exception::exception$ClearExceptionFreeInitRaiseStringstd::exception::operator=
String ID:
API String ID: 3374873951-0
Opcode ID: eda80e8ba77dfcd16c69ed86375329f5727c7c93ca1dc366b8dee1834718772c
Instruction ID: 014874965a8d1a80d526b33b3b3f315d1fece9cae7c6d0960b4d182a79ff8068
Opcode Fuzzy Hash: eda80e8ba77dfcd16c69ed86375329f5727c7c93ca1dc366b8dee1834718772c
Instruction Fuzzy Hash: 42411AB2D00218AFCB04CFD8D884ADEBBB8EF48314F10851AE515B7740EB75AA09CB65

Uniqueness

Uniqueness Score: -1.00%

Function 6CB87BB6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 92windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 6CB87C33
ScreenToClient.USER32(?,?), ref: 6CB87C40
_memset.LIBCMT ref: 6CB87C4E
_free.LIBCMT ref: 6CB87C8B
SendMessageW.USER32(?,00000030,000A0E52,00000000), ref: 6CB87CAD

Strings

,, xrefs: 6CB87C64

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ClientCursorMessageScreenSend_free_memset
String ID: ,
API String ID: 628317799-3772416878
Opcode ID: 83e824ae500aad6adf248e248c6e74bf1ec2ffc1ada492b00f798e5260b127ae
Instruction ID: 519472aa4f2f6770f47822329bc6c8abcf7f833607470aa0374842573588f5d1
Opcode Fuzzy Hash: 83e824ae500aad6adf248e248c6e74bf1ec2ffc1ada492b00f798e5260b127ae
Instruction Fuzzy Hash: 9D318B30B05219EFCB08DFA5E888E9EBBB5FB08318F100629F415E36A0EB709854CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6CB7939D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB78A56: IsIconic.USER32(?), ref: 6CB78A76

GetWindowRect.USER32(?,?), ref: 6CB79415

Part of subcall function 6CB596EA: ScreenToClient.USER32(?,?), ref: 6CB596FB
Part of subcall function 6CB596EA: ScreenToClient.USER32(?,?), ref: 6CB59708

Part of subcall function 6CB7900D: __EH_prolog3_GS.LIBCMT ref: 6CB79017
Part of subcall function 6CB7900D: GetWindowRect.USER32(?,?), ref: 6CB79066
Part of subcall function 6CB7900D: OffsetRect.USER32(?,?,?), ref: 6CB7907C
Part of subcall function 6CB7900D: CreateCompatibleDC.GDI32(?), ref: 6CB790ED
Part of subcall function 6CB7900D: SelectObject.GDI32(?,?), ref: 6CB7910D

GetModuleHandleW.KERNEL32(DWMAPI), ref: 6CB7944D
GetProcAddress.KERNEL32(00000000,DwmSetIconicLivePreviewBitmap), ref: 6CB7945D
DeleteObject.GDI32(00000000), ref: 6CB79474

Strings

DwmSetIconicLivePreviewBitmap, xrefs: 6CB79457
DWMAPI, xrefs: 6CB79448

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$ClientObjectScreenWindow$AddressCompatibleCreateDeleteH_prolog3_HandleIconicModuleOffsetProcSelect
String ID: DWMAPI$DwmSetIconicLivePreviewBitmap
API String ID: 3205686482-239049650
Opcode ID: 5c80f645eb8e23c73e258731a6f5915c31ab357ebb30d2af53143a4b1690cf82
Instruction ID: bd0e7d5a92007cff1250007598c35ebafc4f88e577abfcc1d7c093d250d693d6
Opcode Fuzzy Hash: 5c80f645eb8e23c73e258731a6f5915c31ab357ebb30d2af53143a4b1690cf82
Instruction Fuzzy Hash: FE314D71A00609AFDB15DFA9C9988BFBBF9FF88304B10456AE526E3650DB709905CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6CB98370 Relevance: 10.6, APIs: 7, Instructions: 82COMMON

Download Yara Rule

APIs

LockWindowUpdate.USER32(00000000,00000000,?,?,?,6CC0B78B,00000000), ref: 6CB983B1
ValidateRect.USER32(?,00000000,?,?,6CC0B78B,00000000), ref: 6CB983E6
UpdateWindow.USER32(?), ref: 6CB983EB
LockWindowUpdate.USER32(00000000,?,6CC0B78B,00000000), ref: 6CB983FE
ValidateRect.USER32(?,00000000,?,?,6CC0B78B,00000000), ref: 6CB98425
UpdateWindow.USER32(?), ref: 6CB9842A
LockWindowUpdate.USER32(00000000,?,6CC0B78B,00000000), ref: 6CB9843D

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: UpdateWindow$Lock$RectValidate
String ID:
API String ID: 797752328-0
Opcode ID: 02d1599b73a8c7d03ecadb98c77c6a3b729f1f188b76573dfe697da3c1698364
Instruction ID: 8411faf1ab7b2c502c5f6341306d678c7d21ba53fe028b2d3e659770d532e788
Opcode Fuzzy Hash: 02d1599b73a8c7d03ecadb98c77c6a3b729f1f188b76573dfe697da3c1698364
Instruction Fuzzy Hash: C1219C32208641EFDB058F64C884B5EB7B1FF46754F65813AF509A7A60DB32EC60CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB73E2B Relevance: 10.6, APIs: 7, Instructions: 80windowthreadCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000,00000000), ref: 6CB73E4B
GetParent.USER32(?), ref: 6CB73E59
GetWindowThreadProcessId.USER32(?,?), ref: 6CB73E74
GetCurrentProcessId.KERNEL32 ref: 6CB73E7A
GetActiveWindow.USER32 ref: 6CB73ECD
SendMessageW.USER32(?,00000006,00000001,00000000), ref: 6CB73EE1
SendMessageW.USER32(?,00000086,00000001,00000000), ref: 6CB73EF5

Part of subcall function 6CB56903: EnableWindow.USER32(?,?), ref: 6CB56914

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$MessageProcessSend$ActiveCurrentEnableFocusParentThread
String ID:
API String ID: 2169720751-0
Opcode ID: 95189dfc573c262ff6cdc0909d750714f35a81be6eff831cacbe7180b6ed6697
Instruction ID: d8bdf9110d178bd257047c5a0605ad2a56b41a358b1fdee7983038de81cbb99c
Opcode Fuzzy Hash: 95189dfc573c262ff6cdc0909d750714f35a81be6eff831cacbe7180b6ed6697
Instruction Fuzzy Hash: 6721D371200784AFCB219F29C888F5E7BB1FF44758F200619FA95979A0DBB1E4808B71

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB947B Relevance: 10.6, APIs: 7, Instructions: 80windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 6CBB9493
SendMessageW.USER32(?,0000020A,?,?), ref: 6CBB94C5
GetFocus.USER32 ref: 6CBB94D9
IsChild.USER32(?,?), ref: 6CBB94FB
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6CBB952C
IsWindowVisible.USER32(?), ref: 6CBB9541
SendMessageW.USER32(?,0000020A,?,?), ref: 6CBB955F

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSend$Window$ChildFocusVisible
String ID:
API String ID: 1252167185-0
Opcode ID: d161ebaa60022e97ee486209b3f43afa1a02160a3fe630bfc4e43d3a6b95bf9a
Instruction ID: 9b638abe28eb8558e2f6c7df651ebff4200876e135d4233787a425bf11cc3437
Opcode Fuzzy Hash: d161ebaa60022e97ee486209b3f43afa1a02160a3fe630bfc4e43d3a6b95bf9a
Instruction Fuzzy Hash: 3F219C32B81351AFDB109F69DA08F6A3BB9FB15704F104164A855EBAB0DB31EC10CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6CBEA35B Relevance: 10.6, APIs: 7, Instructions: 78COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CBEA362

Part of subcall function 6CBEA2A9: __EH_prolog3.LIBCMT ref: 6CBEA2B0
Part of subcall function 6CBEA2A9: GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 6CBEA308
Part of subcall function 6CBEA2A9: GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 6CBEA31A

CopyRect.USER32(?,?), ref: 6CBEA390
GetCursorPos.USER32(?), ref: 6CBEA3A2
SetRect.USER32(?,?,?,?,?), ref: 6CBEA3B8
IsRectEmpty.USER32(?), ref: 6CBEA3D3
InflateRect.USER32(?,00000002,00000002), ref: 6CBEA3E5
DoDragDrop.OLE32(00000000,00000000,?,00000000), ref: 6CBEA43C

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Profile$CopyCursorDragDropEmptyH_prolog3H_prolog3_Inflate
String ID:
API String ID: 1837043813-0
Opcode ID: 02aaaf02ea55650f9079524f55f25b4ab6659779c689d46a1746736990eeb26d
Instruction ID: 41426edc1bf390c6e6c241db1dd837340ee799aa4299bbc093ed3e29270236a2
Opcode Fuzzy Hash: 02aaaf02ea55650f9079524f55f25b4ab6659779c689d46a1746736990eeb26d
Instruction Fuzzy Hash: 7C21F371A00244EFCF01DFE0C8889EEBBB8FF48744B504408E512BBA44EB30A919DF50

Uniqueness

Uniqueness Score: -1.00%

Function 6CB8A5F9 Relevance: 10.6, APIs: 7, Instructions: 76windowCOMMON

Download Yara Rule

APIs

FillRect.USER32(?,?), ref: 6CB8A61B
InflateRect.USER32(?,000000FF,000000FF), ref: 6CB8A629
PatBlt.GDI32(?,?,?,00000001,?,005A0049), ref: 6CB8A655
PatBlt.GDI32(?,?,?,?,00000001,005A0049), ref: 6CB8A66A
PatBlt.GDI32(?,00000000,?,00000001,?,005A0049), ref: 6CB8A67F
PatBlt.GDI32(?,?,?,00000000,00000001,005A0049), ref: 6CB8A695
FillRect.USER32(?,?), ref: 6CB8A6AA

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Fill$Inflate
String ID:
API String ID: 2224923502-0
Opcode ID: 1a7522e7a964d52bd2f148010b4f73a3029f18c261d83c85f0199899e0b5917d
Instruction ID: 28de199f1e69a1026e861b3025195fff0c05453244072b1463c176b7b90ea606
Opcode Fuzzy Hash: 1a7522e7a964d52bd2f148010b4f73a3029f18c261d83c85f0199899e0b5917d
Instruction Fuzzy Hash: F021D471200109FFDF019F58DD89DAA7FB9FB49320F148115BE289A1A4C772E920DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CB50CB3 Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6CB50CD5
GetWindowRect.USER32(?,?), ref: 6CB50CF9
ScreenToClient.USER32(?,?), ref: 6CB50D0C
ScreenToClient.USER32(?,?), ref: 6CB50D15
EqualRect.USER32(?,?), ref: 6CB50D1C
DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 6CB50D46
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 6CB50D50

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$ClientRectScreen$DeferEqualParent
String ID:
API String ID: 443303494-0
Opcode ID: aaef58c1abbed63bf550e4c312f5665a02fb2df9c744037d5b62cd8d1eed64d4
Instruction ID: 3a821e4a1ef8346bf7a13bf359ca76f1c66e4e662f0ac51dfd8bc189c3984dac
Opcode Fuzzy Hash: aaef58c1abbed63bf550e4c312f5665a02fb2df9c744037d5b62cd8d1eed64d4
Instruction Fuzzy Hash: DA213675A0020AEFDB00DFA4DD44DAFB7B9FF49304B504529E915E3254EB30A910CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6CB56D53 Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

APIs

RealChildWindowFromPoint.USER32(?,?,?), ref: 6CB56D78
ClientToScreen.USER32(?,?), ref: 6CB56D97
GetWindow.USER32(?,00000005), ref: 6CB56DFA

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$ChildClientFromPointRealScreen
String ID:
API String ID: 2518355518-0
Opcode ID: f14774336aadb967775df8944564853a31ba7031813f3a4f34109f5cce5d3520
Instruction ID: 3a84562ddbd3cf2c16a1201d22e9115f7537cd8ad81aab1470233ff372b0c966
Opcode Fuzzy Hash: f14774336aadb967775df8944564853a31ba7031813f3a4f34109f5cce5d3520
Instruction Fuzzy Hash: C4214F71A0156AAFDF04CFA5C849FEEB7B8EF0A315F900529E511F2680DB349A15CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB9D4DF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,00000000), ref: 6CB9D505

Part of subcall function 6CB56B58: DeleteObject.GDI32(00000000), ref: 6CB56B71

SelectObject.GDI32(?,00000000), ref: 6CB9D51B
DeleteObject.GDI32(00000000), ref: 6CB9D586
DeleteDC.GDI32(00000000), ref: 6CB9D595
LeaveCriticalSection.KERNEL32(6CCAC5B0), ref: 6CB9D5AE

Strings

, xrefs: 6CB9D536

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Object$Delete$Select$CriticalLeaveSection
String ID:
API String ID: 3849354926-3916222277
Opcode ID: f00e66487c6deca70cbcaaba6baaa3870aeceeab6a9fdb82ecb487388d99bed3
Instruction ID: 59cbcce6b884e2317091d09b1266945c4b072af8943d285cc3f2b57972f469a3
Opcode Fuzzy Hash: f00e66487c6deca70cbcaaba6baaa3870aeceeab6a9fdb82ecb487388d99bed3
Instruction Fuzzy Hash: 0521CC71A00204DFCF01EFAAD88488E7FB5FF86318B448176EA189B266D771D856DF91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB45710 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CB45728

Part of subcall function 6CC4F971: std::exception::exception.LIBCMT ref: 6CC4F986
Part of subcall function 6CC4F971: __CxxThrowException@8.LIBCMT ref: 6CC4F99B
Part of subcall function 6CC4F971: std::exception::exception.LIBCMT ref: 6CC4F9AC

std::_Xinvalid_argument.LIBCPMT ref: 6CB45746
_memmove.LIBCMT ref: 6CB4578A

Strings

Market, xrefs: 6CB45716
invalid string position, xrefs: 6CB45723
string too long, xrefs: 6CB45741

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: Market$invalid string position$string too long
API String ID: 3404309857-2067195013
Opcode ID: a24b8a63994c312616e01e915fb7c44f7ad800bd8bf81b26d07b76a2a94fb259
Instruction ID: c48cf988da9372f477e16a2cf8cae6cbd6454aa8b6dd0503553973d1912419c0
Opcode Fuzzy Hash: a24b8a63994c312616e01e915fb7c44f7ad800bd8bf81b26d07b76a2a94fb259
Instruction Fuzzy Hash: 1511DF35309602EF8704DF68E8C0C5973AAFF98318710863AE546CBA45EB30E959D792

Uniqueness

Uniqueness Score: -1.00%

Function 6CB60CD1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000005C,?), ref: 6CB60D05
CreateFontIndirectW.GDI32(?), ref: 6CB60D1A
IsWindow.USER32(?), ref: 6CB60D38
InvalidateRect.USER32(?,00000000,00000001), ref: 6CB60D56
UpdateWindow.USER32(?), ref: 6CB60D5F

Strings

Pl)u, xrefs: 6CB60D05

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$CreateFontIndirectInvalidateObjectRectUpdate
String ID: Pl)u
API String ID: 1602852816-3484285090
Opcode ID: b68467bffd06e443bfb83edc77755a2e629b915a129a0490bd0879f41f7bc823
Instruction ID: 2bb401c019c55ee0f2fe5d49a79f4aa75df4d3300135010e782533dd26de5ef5
Opcode Fuzzy Hash: b68467bffd06e443bfb83edc77755a2e629b915a129a0490bd0879f41f7bc823
Instruction Fuzzy Hash: 41118F31600255ABDB249F76DC48AAFB7B8FF45214F400629A54AD7A50DF70E818CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6CC38224 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CC38246
_wcslen.LIBCMT ref: 6CC3824C
GetDC.USER32(00000000), ref: 6CC3827B
EnumFontFamiliesExW.GDI32(00000000,?,6CC381E2,?,00000000,?,?,?,?,?,?,000003EE,?), ref: 6CC38296
ReleaseDC.USER32(00000000,00000000), ref: 6CC3829E

Part of subcall function 6CB4BCE0: __CxxThrowException@8.LIBCMT ref: 6CB4BCF6
Part of subcall function 6CB4BCE0: __EH_prolog3.LIBCMT ref: 6CB4BD03

Strings

MS UI Gothic, xrefs: 6CC3824B, 6CC3825E

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: EnumException@8FamiliesFontH_prolog3ReleaseThrow_memset_wcslen
String ID: MS UI Gothic
API String ID: 2708522728-1905310704
Opcode ID: 99b210f0c7c8ea710137045f8237d2cafa10a0033938c6d5adcda3e2431bb620
Instruction ID: a378ab8fa026d0301b7ad9fb25bc35135555b757bf9e94a928f367f528a22dd4
Opcode Fuzzy Hash: 99b210f0c7c8ea710137045f8237d2cafa10a0033938c6d5adcda3e2431bb620
Instruction Fuzzy Hash: ED01A572901228BFCB10DBA4AD49DEE77BDEF8A714F100016F809E7641EB349A1687A5

Uniqueness

Uniqueness Score: -1.00%

Function 6CC41F7D Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6CC9D708,00000008,6CC42085,00000000,00000000,?,00000000,6CC3ACFF,6CC39832,MarketPlugin,?,6CB4BADA,?,00000000), ref: 6CC41F8E
__lock.LIBCMT ref: 6CC41FC2

Part of subcall function 6CC45ED7: __mtinitlocknum.LIBCMT ref: 6CC45EED
Part of subcall function 6CC45ED7: __amsg_exit.LIBCMT ref: 6CC45EF9
Part of subcall function 6CC45ED7: EnterCriticalSection.KERNEL32(?,?,?,6CC41FC7,0000000D), ref: 6CC45F01

InterlockedIncrement.KERNEL32(6CCA74B8), ref: 6CC41FCF
__lock.LIBCMT ref: 6CC41FE3
___addlocaleref.LIBCMT ref: 6CC42001

Strings

KERNEL32.DLL, xrefs: 6CC41F89

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: 95650977d95b58d6694525b0b9f31d53fa06d42430fc8161c6d4453f870ac7c8
Instruction ID: 1445762a7f52aa22b50b2cc45b94eda52f4a95c4f3efcad856679cace2382fa3
Opcode Fuzzy Hash: 95650977d95b58d6694525b0b9f31d53fa06d42430fc8161c6d4453f870ac7c8
Instruction Fuzzy Hash: 11016171504B00DFD7209F69D409789BBF0AF40325F10C90ED4D596BA0EB74A548CF11

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4E799 Relevance: 10.5, APIs: 7, Instructions: 30COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 6CB4E7A7
GetSysColor.USER32(00000010), ref: 6CB4E7AE
GetSysColor.USER32(00000014), ref: 6CB4E7B5
GetSysColor.USER32(00000012), ref: 6CB4E7BC
GetSysColor.USER32(00000006), ref: 6CB4E7C3
GetSysColorBrush.USER32(0000000F), ref: 6CB4E7D0
GetSysColorBrush.USER32(00000006), ref: 6CB4E7D7

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: e32a802bdd2f7ac611340d52c0bd81e400d117953da63b7bc5284cbabe667553
Instruction ID: a087f0552e75b2821ca348ae5f2bf3a42d27febc7b8a491d1c538dc04668c1c9
Opcode Fuzzy Hash: e32a802bdd2f7ac611340d52c0bd81e400d117953da63b7bc5284cbabe667553
Instruction Fuzzy Hash: 60F0FE71A407445BD730BB724909B47BAE1EFC4710F02092AD2858B990DAB5E441DF40

Uniqueness

Uniqueness Score: -1.00%

Function 6CB827B3 Relevance: 9.3, APIs: 6, Instructions: 299COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6CB8282D
GetClientRect.USER32(?,?), ref: 6CB82840
GetWindowRect.USER32(?,?), ref: 6CB8288E
GetParent.USER32(?), ref: 6CB82897
GetParent.USER32(?), ref: 6CB82AB4
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 6CB82AD8

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Parent$RectWindow$ClientRedraw
String ID:
API String ID: 443302174-0
Opcode ID: 40b7893fc0f6659e35276c671313cf7f4bd14d32ec870bcd687473251a38d404
Instruction ID: 82647aa75958b98ab08e7f2d8046c505235ca53389809d034f782a16e2804431
Opcode Fuzzy Hash: 40b7893fc0f6659e35276c671313cf7f4bd14d32ec870bcd687473251a38d404
Instruction Fuzzy Hash: A0B17B71E02658DFCF04CFA9C888AEEBBB5FF48704F1441A9E416AB654CB349940CF62

Uniqueness

Uniqueness Score: -1.00%

Function 6CB48320 Relevance: 9.2, APIs: 6, Instructions: 212memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB4B270: CoCreateInstance.OLE32(?,00000000,00000017,6CC8885C,?,?,?,6CB4836D,6CC88644,D7F0CEE4), ref: 6CB4B293
Part of subcall function 6CB4B270: OleRun.OLE32(?), ref: 6CB4B2A3

std::exception::exception.LIBCMT ref: 6CB4850D
__CxxThrowException@8.LIBCMT ref: 6CB483C0

Part of subcall function 6CC3A59F: RaiseException.KERNEL32(6CB42DF8,00000000,D7F0CEE4,6CC88058,6CB42DF8,00000000,6CC9DBD8,?,D7F0CEE4), ref: 6CC3A5E1

std::exception::exception.LIBCMT ref: 6CB4839D

Part of subcall function 6CC3963D: std::exception::operator=.LIBCMT ref: 6CC39656

SysAllocString.OLEAUT32(?), ref: 6CB48484
__CxxThrowException@8.LIBCMT ref: 6CB4852A

Part of subcall function 6CB48DB0: std::exception::exception.LIBCMT ref: 6CB48E29
Part of subcall function 6CB48DB0: __CxxThrowException@8.LIBCMT ref: 6CB48E46

VariantClear.OLEAUT32(?), ref: 6CB48556

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception$AllocClearCreateExceptionInstanceRaiseStringVariantstd::exception::operator=
String ID:
API String ID: 1344557257-0
Opcode ID: 3f2977065250342721199bd251f1ec05faedb0ab56ecbb98865677f1523a990d
Instruction ID: 09ee61a5d28089412c23b118e634d12042438e6fa6e286d69988f09cb5ba20a0
Opcode Fuzzy Hash: 3f2977065250342721199bd251f1ec05faedb0ab56ecbb98865677f1523a990d
Instruction Fuzzy Hash: FB815BB1D04258AFCB00DFA4D880ADEB7B5EF48308F54856DE509AB744EB35A905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB60A77 Relevance: 9.2, APIs: 6, Instructions: 177windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB60A7E
GetClientRect.USER32(?,?), ref: 6CB60AC4

Part of subcall function 6CB5994F: __EH_prolog3.LIBCMT ref: 6CB59956
Part of subcall function 6CB5994F: GetDC.USER32(00000000), ref: 6CB59982

Part of subcall function 6CB59C76: SelectObject.GDI32(?,00000000), ref: 6CB59C9C
Part of subcall function 6CB59C76: SelectObject.GDI32(?,?), ref: 6CB59CB2

SendMessageW.USER32(?,00000030,?,00000000), ref: 6CB60B15
GetTextMetricsW.GDI32(?,?), ref: 6CB60B22
GetParent.USER32(?), ref: 6CB60C07
SendMessageW.USER32(?,00000030,?,00000000), ref: 6CB60C32

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageObjectSelectSend$ClientH_prolog3H_prolog3_MetricsParentRectText
String ID:
API String ID: 1207058154-0
Opcode ID: 7d2ca1067e38fc34081e87a1dfee37073593e662a7d809f021ba3ff66a7bde05
Instruction ID: 04dfc049d267bd0dd4c67626c5eece359a033c3cce45e0df5ddef35561f6ac8c
Opcode Fuzzy Hash: 7d2ca1067e38fc34081e87a1dfee37073593e662a7d809f021ba3ff66a7bde05
Instruction Fuzzy Hash: F651D072A006559FCF18CFA9C884EEE77B5FF48304F158129ED1AABA54DB30A816CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6CB80C16 Relevance: 9.2, APIs: 6, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a48847dd7364e027a4c28d42fa8863efb340eb738372d23d0747d0c21898b210
Instruction ID: 06b1059fdc9545a87878b0284f500c07dccc3c4a8132a91a1788aad31ca8f45f
Opcode Fuzzy Hash: a48847dd7364e027a4c28d42fa8863efb340eb738372d23d0747d0c21898b210
Instruction Fuzzy Hash: BE519C30302691AFDB149F68D888FAE77E9FF48354F204569E95ACB6A1DB70E904CF11

Uniqueness

Uniqueness Score: -1.00%

Function 6CB84269 Relevance: 9.2, APIs: 6, Instructions: 155windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 6CB842E2
SendMessageW.USER32(00000000,0000040C,00000000,00000000), ref: 6CB84321
SendMessageW.USER32(00000000,0000041C,00000000,?), ref: 6CB84350
SetRectEmpty.USER32(?), ref: 6CB843AA
SendMessageW.USER32(00000000,0000040B,00000000,?), ref: 6CB84410
RedrawWindow.USER32(00000000,00000000,00000000,00000505), ref: 6CB84436

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSend$EmptyParentRectRedrawWindow
String ID:
API String ID: 3879113052-0
Opcode ID: b0af189c9fdd0888844c7a22f20252ae3b714d3d38509e00c9d4fc4036934a59
Instruction ID: 4700537e0c4d36603a886a3d4695f47ca1d7ab5498636c16aeb32dd0247a48ac
Opcode Fuzzy Hash: b0af189c9fdd0888844c7a22f20252ae3b714d3d38509e00c9d4fc4036934a59
Instruction Fuzzy Hash: 12517A71A02659DFDB20DFA8C894BAEBBF4FF48304F204669E555E7681EB309940CF41

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4B080 Relevance: 9.1, APIs: 6, Instructions: 146memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB4B270: CoCreateInstance.OLE32(?,00000000,00000017,6CC8885C,?,?,?,6CB4836D,6CC88644,D7F0CEE4), ref: 6CB4B293
Part of subcall function 6CB4B270: OleRun.OLE32(?), ref: 6CB4B2A3

__CxxThrowException@8.LIBCMT ref: 6CB4B113

Part of subcall function 6CC3A59F: RaiseException.KERNEL32(6CB42DF8,00000000,D7F0CEE4,6CC88058,6CB42DF8,00000000,6CC9DBD8,?,D7F0CEE4), ref: 6CC3A5E1

std::exception::exception.LIBCMT ref: 6CB4B0F6

Part of subcall function 6CC3963D: std::exception::operator=.LIBCMT ref: 6CC39656

std::exception::exception.LIBCMT ref: 6CB4B18E
__CxxThrowException@8.LIBCMT ref: 6CB4B1AB
SysAllocString.OLEAUT32(00000000), ref: 6CB4B1B1
SysFreeString.OLEAUT32(00000000), ref: 6CB4B1D3

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Exception@8StringThrowstd::exception::exception$AllocCreateExceptionFreeInstanceRaisestd::exception::operator=
String ID:
API String ID: 2630672705-0
Opcode ID: 112d230d97ca22340597c869f382ab59201dfb6777d3fec1b94badf2078a3b89
Instruction ID: 8ab198e43fba40c423537e8f6984fbfcbe7e3aadd623638127cce7a77d7ad6da
Opcode Fuzzy Hash: 112d230d97ca22340597c869f382ab59201dfb6777d3fec1b94badf2078a3b89
Instruction Fuzzy Hash: 9C5137B2905259DFCB04DFD8D980AEEBBB8EF48304F20416EE605B7740D734AA45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6CB70030 Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6CB70037
GlobalLock.KERNEL32(?,?,?), ref: 6CB7011D
CreateDialogIndirectParamW.USER32(?,?,?,6CB6FA2E,00000000), ref: 6CB7014C
DestroyWindow.USER32(00000000), ref: 6CB701C6
GlobalUnlock.KERNEL32(?), ref: 6CB701D6
GlobalFree.KERNEL32(?), ref: 6CB701DF

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Global$CreateDestroyDialogFreeH_prolog3_catchIndirectLockParamUnlockWindow
String ID:
API String ID: 3003189058-0
Opcode ID: 213ec6690065d537f7b5e0db509061132c85e1a9557637b773588e5e8dce3e40
Instruction ID: 144e328e73cede2ff1b2001305389b9b04bc09e1f9103d769ccba17bf0da7286
Opcode Fuzzy Hash: 213ec6690065d537f7b5e0db509061132c85e1a9557637b773588e5e8dce3e40
Instruction Fuzzy Hash: DC51B4319002C9DFDF14DFA4D8889EEBBB5EF44318F54052DF512A7A90DB319A49CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB64A82 Relevance: 9.1, APIs: 6, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6CB64AE1
SendMessageW.USER32(?,0000120C,00000000,00000001), ref: 6CB64B23
SendMessageW.USER32(?,0000120C,00000001,00000001), ref: 6CB64B45
SendMessageW.USER32(?,00000201,00000000,00000000), ref: 6CB64BBF
SendMessageW.USER32(?,00000202,00000000,00000000), ref: 6CB64BD7
PtInRect.USER32(?,?,?), ref: 6CB64BF3

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSend$Rect$Client
String ID:
API String ID: 4194289498-0
Opcode ID: 19563d209c9a9a576bfb83b8671dc9e3ef326fd75a12b4eb6bc09151cc3a05d9
Instruction ID: 80a268496951e6ba82bf3fcfc38f2043f8948a05009b62e2dbed9a2beff28c69
Opcode Fuzzy Hash: 19563d209c9a9a576bfb83b8671dc9e3ef326fd75a12b4eb6bc09151cc3a05d9
Instruction Fuzzy Hash: 4F515B71601259DFCB00CFA9C888E9E7BB9FF49714B1501A9F809AB655CB71E905CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6DA00 Relevance: 9.1, APIs: 6, Instructions: 125COMMON

Download Yara Rule

APIs

InflateRect.USER32(?,000000FF,000000FF), ref: 6CB6DAB9
InflateRect.USER32(?,000000FF,000000FF), ref: 6CB6DAEA
InflateRect.USER32(?,000000FF,000000FF), ref: 6CB6DB19
InflateRect.USER32(?,000000FF,000000FF), ref: 6CB6DB3B

Part of subcall function 6CB63307: __EH_prolog3.LIBCMT ref: 6CB6330E

InflateRect.USER32(?,000000FE,000000FE), ref: 6CB6DB48
InflateRect.USER32(?,000000FE,000000FE), ref: 6CB6DB7B

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: InflateRect$H_prolog3
String ID:
API String ID: 3346915232-0
Opcode ID: bfb324c79a4ec0a146e1363f8c8c62b5eedf2b957a7fd52c58e025591edb18f5
Instruction ID: 03757f3f53cc85626d56c33231d89eaffa1fa3a31e79a0dd915c058d46ce74a3
Opcode Fuzzy Hash: bfb324c79a4ec0a146e1363f8c8c62b5eedf2b957a7fd52c58e025591edb18f5
Instruction Fuzzy Hash: 8341A231509555FBCF029FAAE840A993B72EB86778F384325FD385BAD8CB318540DB52

Uniqueness

Uniqueness Score: -1.00%

Function 6CB45D10 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 354COMMON

Download Yara Rule

APIs

Part of subcall function 6CB4BAB7: _malloc.LIBCMT ref: 6CB4BAD5

std::_Xinvalid_argument.LIBCPMT ref: 6CB46040

Strings

LanguageInfo, xrefs: 6CB45F2F
AreaName, xrefs: 6CB46047
vector<T> too long, xrefs: 6CB4603B
CountryInfo, xrefs: 6CB45DE3

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Xinvalid_argument_mallocstd::_
String ID: AreaName$CountryInfo$LanguageInfo$vector<T> too long
API String ID: 1405337794-1858614581
Opcode ID: e123c0e3fd18b0e55c4ca0d4a8b2e9ca3d9aea558e0b98315fae81eb32206b4d
Instruction ID: a4d6e26e10575534aba1aa7e2c280fc4df8928305bb617faefad11e624a67156
Opcode Fuzzy Hash: e123c0e3fd18b0e55c4ca0d4a8b2e9ca3d9aea558e0b98315fae81eb32206b4d
Instruction Fuzzy Hash: C0C1B471B0DA428FCB18CF28C890A6A73B1FF44319B558A2DD416DBF58E730E845D796

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6E4AD Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6CB6E50C
PtInRect.USER32(?,?,?), ref: 6CB6E51C
SetCapture.USER32(?), ref: 6CB6E566
ReleaseCapture.USER32 ref: 6CB6E5AD
InvalidateRect.USER32(?,00000000,00000001), ref: 6CB6E5C6
UpdateWindow.USER32(?), ref: 6CB6E5CF

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Capture$ClientInvalidateReleaseUpdateWindow
String ID:
API String ID: 4118727484-0
Opcode ID: 890b015b585c7f436720885346230f0fdc6cd3cf5d668e4751abf63c8469a685
Instruction ID: 1fc841a301401208031b10f33b1c6dd5d0e4c8acce1c5a8db093b9bb06f5a309
Opcode Fuzzy Hash: 890b015b585c7f436720885346230f0fdc6cd3cf5d668e4751abf63c8469a685
Instruction Fuzzy Hash: EF41EAB1A01B89DFCB218F66C8446AFFBF4FB85305F60452FD1AA92910E7309950CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6CB65A1F Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000120B,00000000,00000001), ref: 6CB65A6E
GetClientRect.USER32(?,?), ref: 6CB65A87
GetSystemMetrics.USER32(00000015), ref: 6CB65AB2
GetSystemMetrics.USER32(00000015), ref: 6CB65ADA
InvalidateRect.USER32(?,?,00000001), ref: 6CB65AFA
UpdateWindow.USER32(?), ref: 6CB65B03

Part of subcall function 6CB4BCE0: __CxxThrowException@8.LIBCMT ref: 6CB4BCF6
Part of subcall function 6CB4BCE0: __EH_prolog3.LIBCMT ref: 6CB4BD03

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MetricsRectSystem$ClientException@8H_prolog3InvalidateMessageSendThrowUpdateWindow
String ID:
API String ID: 1842141341-0
Opcode ID: f5bb8661fd17a48ca050085478d34aef375e06c080bcc9b1b6262545d9360ee8
Instruction ID: a06cf608ecf2a867f2932c2920ba77be78a9886c8c4ae3fa4bd74473697b3c58
Opcode Fuzzy Hash: f5bb8661fd17a48ca050085478d34aef375e06c080bcc9b1b6262545d9360ee8
Instruction Fuzzy Hash: 40316D72A00608DFCB11CFB9C9849AEBBF5FF88310F15021AE155A7690DB70A955CF95

Uniqueness

Uniqueness Score: -1.00%

Function 6CB9CC27 Relevance: 9.1, APIs: 6, Instructions: 82windowCOMMON

Download Yara Rule

APIs

PatBlt.GDI32(00000000,00000000,-00000002,-00000002,00FF0062,00000000), ref: 6CB9CC4E
SetBkColor.GDI32(00F0F0F0), ref: 6CB9CC71
BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00CC0020), ref: 6CB9CC9F
SetBkColor.GDI32 ref: 6CB9CCB2
BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00EE0086), ref: 6CB9CCDA
BitBlt.GDI32(00010E67,00000001,00000001,00000001,00000001,00010E67,00000000,00000000,008800C6), ref: 6CB9CCFD

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Color
String ID:
API String ID: 2811717613-0
Opcode ID: 5ca56d8420fa70716b734637e7226ffb4241b2fa48d882ed0ee51e4050ad7ac3
Instruction ID: e5e03d689abec2592f5c7a765529e4eb7c1ab8c084857b7629798f2711443ca5
Opcode Fuzzy Hash: 5ca56d8420fa70716b734637e7226ffb4241b2fa48d882ed0ee51e4050ad7ac3
Instruction Fuzzy Hash: CC212AB2210208BFEB14AF95DD89D3B7BBEFB4A758700452CF54297650DBB2AC10DB60

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6AE47 Relevance: 9.1, APIs: 6, Instructions: 77COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB6AE4E

Part of subcall function 6CB568E8: IsWindowEnabled.USER32(?), ref: 6CB568F1

InvalidateRect.USER32(?,00000000,00000001,0000000C,6CB6AF63), ref: 6CB6AE7A
UpdateWindow.USER32(?), ref: 6CB6AE83

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$EnabledH_prolog3InvalidateRectUpdate
String ID:
API String ID: 262192325-0
Opcode ID: 53760bee0cef192c3ea949b0611099f97f763d5d87c32b58c9733881eac049ef
Instruction ID: e0a74ea054af7cd451ebd0dd3f4cf980b58943a8374c31e127bc0e72158846dc
Opcode Fuzzy Hash: 53760bee0cef192c3ea949b0611099f97f763d5d87c32b58c9733881eac049ef
Instruction Fuzzy Hash: 852191719046849FCB11DFB9C884AAF7BB8FF85308B90061DE15AA3A50DB30A914DF25

Uniqueness

Uniqueness Score: -1.00%

Function 6CB9FAFF Relevance: 9.1, APIs: 6, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000002,?,?,?,?,?,6CB9FC48,00000000,00000000,?,?,6CBA1A83,?,?,?,00000084), ref: 6CB9FB0F
GlobalLock.KERNEL32(00000000,?,6CB9FC48,00000000,00000000,?,?,6CBA1A83,?,?,?,00000084,6CBA1E57,0000000A,0000000A,0000000A), ref: 6CB9FB27
_memmove.LIBCMT ref: 6CB9FB34
CreateStreamOnHGlobal.OLE32(00000000,00000000,00000000,?), ref: 6CB9FB43
EnterCriticalSection.KERNEL32(6CCAC5B0,00000000), ref: 6CB9FB5C
LeaveCriticalSection.KERNEL32(6CCAC5B0,00000000), ref: 6CB9FBC3

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Global$CriticalSection$AllocCreateEnterLeaveLockStream_memmove
String ID:
API String ID: 861836607-0
Opcode ID: 60e4cf42bd52ac294639e40af031458171db6234acbe66f034670766553f447a
Instruction ID: 536ee56e92dba2940f207a8f4c71e542fc2ef7dc3e2eac8a3561416e4da11889
Opcode Fuzzy Hash: 60e4cf42bd52ac294639e40af031458171db6234acbe66f034670766553f447a
Instruction Fuzzy Hash: A921BE74A00245AFEF00AFF5D829A8E3BB8EB0B3A8F104425F900D3640EB31D904DAA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4CCC2 Relevance: 9.1, APIs: 6, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 6CB4CCF5
GetParent.USER32(?), ref: 6CB4CD03
GetParent.USER32(?), ref: 6CB4CD16
GetLastActivePopup.USER32(?), ref: 6CB4CD27
IsWindowEnabled.USER32(?), ref: 6CB4CD3B
EnableWindow.USER32(?,00000000), ref: 6CB4CD4E

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: ff7b2af184055e1d071fc14630383717ba2c528d997eaa6e4940930677328574
Instruction ID: aa24515c89a127a2ff8cfd34b07ede5767bd17220a909cf9df4aba96a3c13ee9
Opcode Fuzzy Hash: ff7b2af184055e1d071fc14630383717ba2c528d997eaa6e4940930677328574
Instruction Fuzzy Hash: 1C11983260E6B5ABD7113A5E4C40B5E7AB8DF46F98F15C210EC10E765DDF20CC0966D6

Uniqueness

Uniqueness Score: -1.00%

Function 6CB71FF5 Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 6CB72001
GetWindow.USER32(00000000), ref: 6CB72008
GetWindowLongW.USER32(00000000,000000F0), ref: 6CB72044
ShowWindow.USER32(00000000,00000000), ref: 6CB7205F
ShowWindow.USER32(00000000,00000004), ref: 6CB72083
GetWindow.USER32(00000000,00000002), ref: 6CB7208C

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$Show$DesktopLong
String ID:
API String ID: 3178490500-0
Opcode ID: 135ec281af0231b72989f3ca5fcb34ad3be46e643a904f31dceccfa22cf9808a
Instruction ID: 760ce249c0ec7a27741bdf7811efce11decb7e4137c4a7099e495fa82beba010
Opcode Fuzzy Hash: 135ec281af0231b72989f3ca5fcb34ad3be46e643a904f31dceccfa22cf9808a
Instruction Fuzzy Hash: 7011B27150178AEBD7319665888DF6F36BDDB82768F640204E861A6690CB34E940C773

Uniqueness

Uniqueness Score: -1.00%

Function 6CB56CBB Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 6CB56CD7
GetDlgCtrlID.USER32(00000000), ref: 6CB56CE8
GetWindowLongW.USER32(00000000,000000F0), ref: 6CB56CF8
GetWindowRect.USER32(00000000,00000000), ref: 6CB56D1A
PtInRect.USER32(00000000,00000000,00000000), ref: 6CB56D2A
GetWindow.USER32(?,00000005), ref: 6CB56D37

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 34b4d6b21c71c6ac58c0245f6891af5b92ce03cbf4d9ea2112ebe03d7d56eb68
Instruction ID: cdc01b4533d61571ff9c791dec88791a11a60faaa47ec6ca509d97d2dbf0e0cb
Opcode Fuzzy Hash: 34b4d6b21c71c6ac58c0245f6891af5b92ce03cbf4d9ea2112ebe03d7d56eb68
Instruction Fuzzy Hash: F8119E72A01529AFDB01DF94C808FEE7778EF46326F910954F511E2280DB749A25CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6E5ED Relevance: 9.1, APIs: 6, Instructions: 56windowtimeCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6CB6E600

Part of subcall function 6CB5683D: GetDlgCtrlID.USER32(?), ref: 6CB56846

SendMessageW.USER32(?,00000111,?,?), ref: 6CB6E629
SetCapture.USER32(?,?,?,?,6CB6874A,?,?,?), ref: 6CB6E652
InvalidateRect.USER32(?,00000000,00000001,?,?,?,6CB6874A,?,?,?), ref: 6CB6E66A
UpdateWindow.USER32(?), ref: 6CB6E673
SetTimer.USER32(?,00000001,?,00000000), ref: 6CB6E68A

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CaptureCtrlInvalidateMessageParentRectSendTimerUpdateWindow
String ID:
API String ID: 171814724-0
Opcode ID: 019f100a19c36fa6977b1b6cc50d732e15192ec3fd01a8ae18d44d847c10178b
Instruction ID: 7930c7f128dc99a62334b1513136c257bcc16cfb0fb7cf28d6e9fc1bcc57f3ef
Opcode Fuzzy Hash: 019f100a19c36fa6977b1b6cc50d732e15192ec3fd01a8ae18d44d847c10178b
Instruction Fuzzy Hash: C1114F72200B80AFD7255F31CC08F6BBAB9FF85705F500919F19A92A60DB70A825CB65

Uniqueness

Uniqueness Score: -1.00%

Function 6CB56E15 Relevance: 9.1, APIs: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 6CB56E1B
GetParent.USER32(00000000), ref: 6CB56E43

Part of subcall function 6CB56C08: GetWindowLongW.USER32(?,000000F0), ref: 6CB56C29
Part of subcall function 6CB56C08: GetClassNameW.USER32(?,?,0000000A), ref: 6CB56C3E
Part of subcall function 6CB56C08: CompareStringW.KERNEL32(00000409,00000001,?,000000FF,combobox,000000FF,?,6CB519F9,?,?), ref: 6CB56C58

GetWindowLongW.USER32(?,000000F0), ref: 6CB56E5E
GetParent.USER32(?), ref: 6CB56E6C
GetDesktopWindow.USER32 ref: 6CB56E70
SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 6CB56E84

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$LongParent$ClassCompareDesktopFocusMessageNameSendString
String ID:
API String ID: 1233893325-0
Opcode ID: 3e0b12cd5925889b2efd73dd34d37daedf682041d1386ed5a5a5c4d34443af32
Instruction ID: a7ee72c9bc668284b13cbe0e06bdeaa0cb67543c115ce1a38ebd78f6bd5743ea
Opcode Fuzzy Hash: 3e0b12cd5925889b2efd73dd34d37daedf682041d1386ed5a5a5c4d34443af32
Instruction Fuzzy Hash: B301863230329167EB111E79CC85F6F367CEB92A69FE50125F611F3780DF65D4228561

Uniqueness

Uniqueness Score: -1.00%

Function 6CC416C3 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6CC416CF

Part of subcall function 6CC420AA: __getptd_noexit.LIBCMT ref: 6CC420AD
Part of subcall function 6CC420AA: __amsg_exit.LIBCMT ref: 6CC420BA

__amsg_exit.LIBCMT ref: 6CC416EF
__lock.LIBCMT ref: 6CC416FF
InterlockedDecrement.KERNEL32(?), ref: 6CC4171C
_free.LIBCMT ref: 6CC4172F
InterlockedIncrement.KERNEL32(02BD1658), ref: 6CC41747

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 0d4b2332b582a9b0b1d5264c010908451984ec5fd5b903c2ecfa850583bb0756
Instruction ID: 434f47a7ad6c35984447c9ce1e2e2e08ceebd2233cb9941ee68c065cb1b1b649
Opcode Fuzzy Hash: 0d4b2332b582a9b0b1d5264c010908451984ec5fd5b903c2ecfa850583bb0756
Instruction Fuzzy Hash: 54018431A026229BDB01AFA9944878D77B0BF05758F25C105E854B7F80FB34E8A5DFD1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB562D3 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 243COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CB56303

Strings

@, xrefs: 6CB5640F
AfxFrameOrView100su, xrefs: 6CB563C9
@, xrefs: 6CB564A8
AfxMDIFrame100su, xrefs: 6CB563A4

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView100su$AfxMDIFrame100su
API String ID: 2102423945-2639805938
Opcode ID: 191717437c3124b166af7475cc25c05e90bccd7d877ba9ac4e03aa1c1c058875
Instruction ID: bdb2ccf873fe604d40d089b228d0d4f0922ad7d0faa0640632f728f1914a63c5
Opcode Fuzzy Hash: 191717437c3124b166af7475cc25c05e90bccd7d877ba9ac4e03aa1c1c058875
Instruction Fuzzy Hash: 51913071C01299BADB40CFD8D585BDEBBF8AF04348F608069E919E7780E7B4D658CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB60F1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110stringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?,75295E50,System,0000000A,6CBB62A8,System,?,?,00000000), ref: 6CBB610D
lstrlenW.KERNEL32(?), ref: 6CBB6157
_wcslen.LIBCMT ref: 6CBB6181

Strings

System, xrefs: 6CBB6109

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: GlobalLock_wcslenlstrlen
String ID: System
API String ID: 2647411976-3470857405
Opcode ID: 985eef64b6a71fb545ec9ca1eb1352b6f7914a1ab0e10ca7a0e293dd1e3de915
Instruction ID: a432f4a50a092d9e402e5f8824b2a879aced87b1ed466c2402dbf9a12d6b800e
Opcode Fuzzy Hash: 985eef64b6a71fb545ec9ca1eb1352b6f7914a1ab0e10ca7a0e293dd1e3de915
Instruction Fuzzy Hash: 7E41DE71901615AFDF08CF64C8459BEB7B5FF04308F10852AD815E7642EB309E55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4FFF4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 6CB5000C
_memset.LIBCMT ref: 6CB50084
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 6CB500E6
LoadBitmapW.USER32(00000000,00007FE3), ref: 6CB500FE

Strings

, xrefs: 6CB50065

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: 75e8e91a44f6d9047892ce84c43c589c9361348ce157830b10a019e9751941ba
Instruction ID: a06ce6409017dc854d608b52e6cf887070afff6e8e8b7574683e63105ba1d58f
Opcode Fuzzy Hash: 75e8e91a44f6d9047892ce84c43c589c9361348ce157830b10a019e9751941ba
Instruction Fuzzy Hash: 92314971B002999FEB208F64DC88B9D7BB8FB45308F8541AAE549EB280DF708959CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6FBD8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

Edit, xrefs: 6CB6FC32

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: f166fb023d419d8a26de6f07e2286ca712e3a29723d05790cb0c829a4d7a40b9
Instruction ID: cf50267265ed992f44927aed449d9e5842b4f4e3d421fddf515772750785ced7
Opcode Fuzzy Hash: f166fb023d419d8a26de6f07e2286ca712e3a29723d05790cb0c829a4d7a40b9
Instruction Fuzzy Hash: 95118E31345681ABEE101E3BCC09F9ABBB9EF427DCF600525E915E2DE0DF61D421C655

Uniqueness

Uniqueness Score: -1.00%

Function 6CB519B7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000000C,?), ref: 6CB51A04
SetBkColor.GDI32(?,?), ref: 6CB51A0E
GetSysColor.USER32(00000008), ref: 6CB51A1E
SetTextColor.GDI32(?,?), ref: 6CB51A26

Strings

Pl)u, xrefs: 6CB51A04

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Color$ObjectText
String ID: Pl)u
API String ID: 829078354-3484285090
Opcode ID: 72b4b38f4f4c37b036a9503f1deea80a8c57e7c7bb7eed58bce513483cc95c6a
Instruction ID: 66981e23c92351a99598538911ef19d1977a7522551b2f3c7f753a892c6f6dfa
Opcode Fuzzy Hash: 72b4b38f4f4c37b036a9503f1deea80a8c57e7c7bb7eed58bce513483cc95c6a
Instruction Fuzzy Hash: 30118436641185AFDB02DF688954AAF77B8EF46218FD50515F935E3680CB30D921C792

Uniqueness

Uniqueness Score: -1.00%

Function 6CB79315 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(DWMAPI), ref: 6CB7933F
GetProcAddress.KERNEL32(00000000,DwmSetIconicThumbnail), ref: 6CB7934F
DeleteObject.GDI32(00000000), ref: 6CB79389

Strings

DwmSetIconicThumbnail, xrefs: 6CB79349
DWMAPI, xrefs: 6CB79334

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AddressDeleteHandleModuleObjectProc
String ID: DWMAPI$DwmSetIconicThumbnail
API String ID: 3128169092-3761315311
Opcode ID: d7907545902275fcf62c5bf1d6c8641e7d12ea9775f1f618f4b40d23e20cb93f
Instruction ID: 05f82c6eb1b53a408298eb2047217600a8a22ecf1aa5bb89575a437b030f0a10
Opcode Fuzzy Hash: d7907545902275fcf62c5bf1d6c8641e7d12ea9775f1f618f4b40d23e20cb93f
Instruction Fuzzy Hash: 8801AD71A01244BBEB105B668C88EAF7BBCEB89318F054125F921E7A81DB74D9008BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB63EE6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 6CB63F23
_memset.LIBCMT ref: 6CB63F39
GetObjectW.GDI32(?,0000005C,?), ref: 6CB63F4A
CreateFontIndirectW.GDI32(?), ref: 6CB63F5B

Strings

Pl)u, xrefs: 6CB63F4A

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Object$CreateFontIndirectStock_memset
String ID: Pl)u
API String ID: 1064234985-3484285090
Opcode ID: ce02ce2c72d2938e974aea9035856b5c0fb4eafd263b9cfe2b1a5f7b45a40f68
Instruction ID: 2258cd59355060d30ad2207661e6e75d0ebf776dfdb000818ee40bb79c8a3819
Opcode Fuzzy Hash: ce02ce2c72d2938e974aea9035856b5c0fb4eafd263b9cfe2b1a5f7b45a40f68
Instruction Fuzzy Hash: 3401C471B00618EFDF009BE5DC08BDEB779FB84714F500119E519E7A80DBB0991687C1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB57148 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46libraryfileloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6CB5715C
GetProcAddress.KERNEL32(00000000,CreateFileTransactedW), ref: 6CB5716C
CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 6CB571AB

Strings

CreateFileTransactedW, xrefs: 6CB57166
kernel32.dll, xrefs: 6CB57157

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AddressCreateFileHandleModuleProc
String ID: CreateFileTransactedW$kernel32.dll
API String ID: 2580138172-2053874626
Opcode ID: a5629dad9c6b663e02956309784f5aa8687fe5fb9c224aaed26739054b4197de
Instruction ID: a0a6b29587c936476f5dc47d8cf570dc5dc0014df3112eb373d6dc2021b75705
Opcode Fuzzy Hash: a5629dad9c6b663e02956309784f5aa8687fe5fb9c224aaed26739054b4197de
Instruction Fuzzy Hash: AC011632240549BBCF124E85DC08C9B3F77EB99B51B608519FA69A1820C772C571EB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB56EAA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 6CB56ED3
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 6CB56EE3

Part of subcall function 6CB4EA2B: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 6CB4EA3F
Part of subcall function 6CB4EA2B: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 6CB4EA4F

Strings

RegDeleteKeyExW, xrefs: 6CB56EDD
Advapi32.dll, xrefs: 6CB56ECE

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyExW
API String ID: 1646373207-2191092095
Opcode ID: 4ace06de0c5c9a5d3ae1cc10808969cb8ce67c332356db77bbd4917b780922af
Instruction ID: 437e010b827eb7d9878e60615cf8d3a948f6cf76d8f318576df26142bb8fffb4
Opcode Fuzzy Hash: 4ace06de0c5c9a5d3ae1cc10808969cb8ce67c332356db77bbd4917b780922af
Instruction Fuzzy Hash: F1F0FF30306280FFEF129FA6C808B5A7FB5FB46380F408429F485E2A10C7329430EB15

Uniqueness

Uniqueness Score: -1.00%

Function 6CBBDEB8 Relevance: 7.9, APIs: 5, Instructions: 369windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CBBDEBF
GetWindow.USER32(?,00000005), ref: 6CBBDEDF
GetWindow.USER32(?,00000002), ref: 6CBBDF15
IsWindowVisible.USER32(?), ref: 6CBBDFF9
GetWindow.USER32(?,00000002), ref: 6CBBE289

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$H_prolog3Visible
String ID:
API String ID: 3969123015-0
Opcode ID: 1fc401834520fc97cedd7ab457add4f55ab40dd4d435fb57586a33856f699bd9
Instruction ID: 887f7a4524587c225d51e43d81775779154efde8e55c51e24be68a7024f7a19d
Opcode Fuzzy Hash: 1fc401834520fc97cedd7ab457add4f55ab40dd4d435fb57586a33856f699bd9
Instruction Fuzzy Hash: C1D15A30A006859FDF05DFA4C898AFE77B5EF48308F1445A9E856BB7A0DF349944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB80F38 Relevance: 7.8, APIs: 5, Instructions: 338COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6CB80F60
SetRectEmpty.USER32(?), ref: 6CB80FD8
GetClientRect.USER32(?,?), ref: 6CB811D8
GetClientRect.USER32(?,?), ref: 6CB81200
SetRectEmpty.USER32(?), ref: 6CB8128F

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Empty$Client
String ID:
API String ID: 1457177775-0
Opcode ID: 48b30f9d3a7ab0c728e60f3e6634c35064972a2f79ae3ed5f69ffb9be464e745
Instruction ID: f40a9387943f700b20f055b81197c2ae7632c93acd0e2d9a65002e5444cfd27e
Opcode Fuzzy Hash: 48b30f9d3a7ab0c728e60f3e6634c35064972a2f79ae3ed5f69ffb9be464e745
Instruction Fuzzy Hash: B6D12971E0264ACFCF05CFA9C9805AEB7B6FF49314F288159E825AB640D771E942CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6CBDFFBD Relevance: 7.7, APIs: 5, Instructions: 168COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 6CBE0037
EqualRect.USER32(?,?), ref: 6CBE0062
BeginDeferWindowPos.USER32(?), ref: 6CBE006F
EndDeferWindowPos.USER32(?), ref: 6CBE0094

Part of subcall function 6CBDB04F: GetWindowRect.USER32(?,?), ref: 6CBDB065
Part of subcall function 6CBDB04F: GetParent.USER32(?), ref: 6CBDB0A7
Part of subcall function 6CBDB04F: GetParent.USER32(?), ref: 6CBDB0B7

Part of subcall function 6CB4BCE0: __CxxThrowException@8.LIBCMT ref: 6CB4BCF6
Part of subcall function 6CB4BCE0: __EH_prolog3.LIBCMT ref: 6CB4BD03

GetWindowRect.USER32(?,?), ref: 6CBE0149

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$Rect$DeferParent$BeginEqualException@8H_prolog3Throw
String ID:
API String ID: 601628497-0
Opcode ID: 76fde2f34107dcc037e3526826858ee8c48f78a1a9669ddbae3e8864e6bd51e8
Instruction ID: a80d3d141419b77f5eefa2d3b57d06d3efe1c91cb63dca864ce368d816f91965
Opcode Fuzzy Hash: 76fde2f34107dcc037e3526826858ee8c48f78a1a9669ddbae3e8864e6bd51e8
Instruction Fuzzy Hash: 5A516771A00289DFCF00CFA9D8849DEBBF8FF49744B24416AE516F7600DB30AA44DB62

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5F391 Relevance: 7.7, APIs: 5, Instructions: 162stringCOMMON

Download Yara Rule

APIs

SHGetPathFromIDListW.SHELL32(?,?), ref: 6CB5F43A
SHGetPathFromIDListW.SHELL32(?,?), ref: 6CB5F46A

Part of subcall function 6CB4BCE0: __CxxThrowException@8.LIBCMT ref: 6CB4BCF6
Part of subcall function 6CB4BCE0: __EH_prolog3.LIBCMT ref: 6CB4BD03

SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000408), ref: 6CB5F51D
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000408), ref: 6CB5F53E
lstrcmpiW.KERNEL32(?,?), ref: 6CB5F552

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: FileFromInfoListPath$Exception@8H_prolog3Throwlstrcmpi
String ID:
API String ID: 4171047833-0
Opcode ID: 81969da264bdcbc15fdd06667b47d6d3ec992de165e809a4b76f5c6ab0fa2482
Instruction ID: 808ede2da57be11a612d1c9fb2f23c3fe80070fbd4cf00c771712a51553e8492
Opcode Fuzzy Hash: 81969da264bdcbc15fdd06667b47d6d3ec992de165e809a4b76f5c6ab0fa2482
Instruction Fuzzy Hash: 16518971A012A99BCF24DF54DC40A9EF7B9FB48344F9041DAE50AA3548DB319EA0CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6CB8B9E8 Relevance: 7.6, APIs: 5, Instructions: 133COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6CB8BA35
GetWindowRect.USER32(?,?), ref: 6CB8BA57
GetClientRect.USER32(?,?), ref: 6CB8BAE7
MapWindowPoints.USER32(?,?,?,00000002), ref: 6CB8BAFA
FillRect.USER32(?,?), ref: 6CB8BB3A

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Window$ClientFillParentPoints
String ID:
API String ID: 1064458942-0
Opcode ID: c219da85407e75d661db245b72b65906a6fb4d166682fdba24d6412eca096b20
Instruction ID: 5c8a6aceb265a1f5e2507caf82102801a6a6d10e34897a0a0be632a57aa589bc
Opcode Fuzzy Hash: c219da85407e75d661db245b72b65906a6fb4d166682fdba24d6412eca096b20
Instruction Fuzzy Hash: 00513971A02259DFCF04DFA9CC84CAEBBB9FF48B04B54415AE415E7614E7309951CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CBA6A93 Relevance: 7.6, APIs: 5, Instructions: 123COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6CBA6AC4

Part of subcall function 6CB5972B: ClientToScreen.USER32(?,?), ref: 6CB5973C
Part of subcall function 6CB5972B: ClientToScreen.USER32(?,?), ref: 6CB59749

PtInRect.USER32(?,?,?), ref: 6CBA6ADE
PtInRect.USER32(?,?,?), ref: 6CBA6B51

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ClientRect$Screen
String ID:
API String ID: 3187875807-0
Opcode ID: 1fb677aca4e08e4d6800d3bdf0d1a85ab1c25f0698ce5ad475ca476f42c06d4d
Instruction ID: 9d01a374f5cdb71cc04c443034c9c9159038c032019fc51b538bda5c3774a139
Opcode Fuzzy Hash: 1fb677aca4e08e4d6800d3bdf0d1a85ab1c25f0698ce5ad475ca476f42c06d4d
Instruction Fuzzy Hash: 0A415CB1A0424AEFCF00CFE8C985A9EBBF9EF09304F504469E455FB640D770AA02CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB83F29 Relevance: 7.6, APIs: 5, Instructions: 108windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 6CB83F78
GetParent.USER32(?), ref: 6CB83F99
GetParent.USER32(?), ref: 6CB83FCC
UpdateWindow.USER32(?), ref: 6CB8402E
SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 6CB84059

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Parent$FocusMessageSendUpdateWindow
String ID:
API String ID: 2438739141-0
Opcode ID: 2402ed3390c1c5dbd019141bb312520d0eae4508734162359bc5c6f0f1fd524b
Instruction ID: bc08071856858c9d5f80aa89c602a0410bd07a46dcbef9383106c7f26d22b169
Opcode Fuzzy Hash: 2402ed3390c1c5dbd019141bb312520d0eae4508734162359bc5c6f0f1fd524b
Instruction Fuzzy Hash: E231EF717056849FCB199F39C848A5E7ABAFF84328B25072DE47A97691EF30D8008F41

Uniqueness

Uniqueness Score: -1.00%

Function 6CB81585 Relevance: 7.6, APIs: 5, Instructions: 99COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 6CB815AE
ScreenToClient.USER32(?,?), ref: 6CB815DE
SetCursor.USER32 ref: 6CB81627
ScreenToClient.USER32(?,?), ref: 6CB81647
PtInRect.USER32(?,?,?), ref: 6CB81670

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ClientCursorScreen$Rect
String ID:
API String ID: 1082406499-0
Opcode ID: e6bfa001f1a964c9dccab4355b8ca7e9dc0974fe01f6edc8ca3a66b08c7c44dc
Instruction ID: 6851d65d17494c226387fd0f3a1b314754f4bb59d56da3b40ec217fef731cdca
Opcode Fuzzy Hash: e6bfa001f1a964c9dccab4355b8ca7e9dc0974fe01f6edc8ca3a66b08c7c44dc
Instruction Fuzzy Hash: F23169B1A022499FCF10DFA5C8848AEBBB9FF49318B58052EE566E3650DB34E905CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6CB84067 Relevance: 7.6, APIs: 5, Instructions: 99COMMON

Download Yara Rule

APIs

CallNextHookEx.USER32(00000000,?,?), ref: 6CB84083
WindowFromPoint.USER32(?,?), ref: 6CB840AE
ScreenToClient.USER32(?,00000000), ref: 6CB840DF
GetParent.USER32(?), ref: 6CB8414D
UpdateWindow.USER32(?), ref: 6CB841A5

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$CallClientFromHookNextParentPointScreenUpdate
String ID:
API String ID: 160110263-0
Opcode ID: bd9ec4f1e4e866cf9015c2c0816905e66d57be87c841bcb004affc4f1ac728d2
Instruction ID: 24ef042cea3ad57cd611cf992e8c23231f6bd62efda8688a825c23e8599501c6
Opcode Fuzzy Hash: bd9ec4f1e4e866cf9015c2c0816905e66d57be87c841bcb004affc4f1ac728d2
Instruction Fuzzy Hash: B331C135609286EFDF05DFA4C828E9D3BB9FF59318F10426AF92497AA1DB319810DF41

Uniqueness

Uniqueness Score: -1.00%

Function 6CB88B4E Relevance: 7.6, APIs: 5, Instructions: 97COMMON

Download Yara Rule

APIs

InflateRect.USER32(?,000000FF,000000FF), ref: 6CB88B87
InflateRect.USER32(?,000000FF,000000FF), ref: 6CB88BB6
InflateRect.USER32(?,?,?), ref: 6CB88C18
InflateRect.USER32(?,00000001,00000001), ref: 6CB88C34

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: InflateRect
String ID:
API String ID: 2073123975-0
Opcode ID: 9895517466534270ff12455149d9b47ff1ef1a2dcd4cebba35646eb3258a6545
Instruction ID: a94e3bc61ee906e0626bc031421c105645926b2f1b4476d0a2ce7d95a8c31974
Opcode Fuzzy Hash: 9895517466534270ff12455149d9b47ff1ef1a2dcd4cebba35646eb3258a6545
Instruction Fuzzy Hash: A4314F76A0424ABBDF01DED4DC44DAE3B7EEB89328B180716FA25D36C4C731E9248B50

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB7EAE Relevance: 7.6, APIs: 5, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 6CBB7659: GetParent.USER32(?), ref: 6CBB7665
Part of subcall function 6CBB7659: GetParent.USER32(00000000), ref: 6CBB7668

GetWindowLongW.USER32(?,000000EC), ref: 6CBB7F1D
RedrawWindow.USER32(?,00000000,00000000,00000081,?,?,?,?,?,6CBB82C1,00000000), ref: 6CBB7F6E
SetWindowLongW.USER32(?,000000EC,?), ref: 6CBB7F7D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000137,?,?,?,?,?,6CBB82C1,00000000), ref: 6CBB7F93
GetClientRect.USER32(?,?), ref: 6CBB7FA7

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$LongParent$ClientRectRedraw
String ID:
API String ID: 556606033-0
Opcode ID: 13a57129aba308ae86058eb9908d3b8ca2c56de96792d34f5ca654301a0e4d92
Instruction ID: a86e6175aeb0f4d57ea40ed7e5e843f6f1b99060811c7999a09a2d0287894321
Opcode Fuzzy Hash: 13a57129aba308ae86058eb9908d3b8ca2c56de96792d34f5ca654301a0e4d92
Instruction Fuzzy Hash: 3121E4326141C4AFEF155BA5CC84DBE7ABAEF45358F200838F126F2A90CEB09D81C675

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6E9F0 Relevance: 7.6, APIs: 5, Instructions: 94windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6CB6EA15
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 6CB6EAA8
GetParent.USER32(?), ref: 6CB6EAB4
GetWindowLongW.USER32(?,000000F4), ref: 6CB6EACE
SendMessageW.USER32(?,00000111,?), ref: 6CB6EADE

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageParentSend$LongWindow
String ID:
API String ID: 2933145521-0
Opcode ID: 5f5a350525a2efff416caa602948ebf79d2c3f53add89009b5a58641b6dc35dd
Instruction ID: 352f8a6d2ae9fa0d4bcb2ffd9b5b30b816b574050de99ac64c0b461f58be3c43
Opcode Fuzzy Hash: 5f5a350525a2efff416caa602948ebf79d2c3f53add89009b5a58641b6dc35dd
Instruction Fuzzy Hash: F221E471605AD4BFDB109B76CC84BAE76A5FF46358F200929F515D2E90EB70D8408B91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5DEA2 Relevance: 7.6, APIs: 5, Instructions: 92windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB5DEA9
CreateRectRgnIndirect.GDI32(?), ref: 6CB5DECB

Part of subcall function 6CB5965F: SelectClipRgn.GDI32(?,00000000), ref: 6CB59685
Part of subcall function 6CB5965F: SelectClipRgn.GDI32(?,?), ref: 6CB5969B

GetParent.USER32(?), ref: 6CB5DEEB
MapWindowPoints.USER32(?,00000000,?,00000001), ref: 6CB5DF43
SendMessageW.USER32(?,00000014,?,00000000), ref: 6CB5DF70

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ClipSelect$CreateH_prolog3IndirectMessageParentPointsRectSendWindow
String ID:
API String ID: 3362736716-0
Opcode ID: dded80a48625349aadc66c9de53cc667b1788f30347411256a59d698c3b99905
Instruction ID: 7c44cef86a56e4c765cd310ebb65bbfc059efb9d1b5deb0f3221fc2dd5313008
Opcode Fuzzy Hash: dded80a48625349aadc66c9de53cc667b1788f30347411256a59d698c3b99905
Instruction Fuzzy Hash: 8D312CB1A0025AEFCF04DFB4C944AAEB7B5FF08304F504669E515AB690E731DA25CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB80A9 Relevance: 7.6, APIs: 5, Instructions: 90windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB5676A: GetWindowLongW.USER32(?,000000F0), ref: 6CB56775

Part of subcall function 6CBB7659: GetParent.USER32(?), ref: 6CBB7665
Part of subcall function 6CBB7659: GetParent.USER32(00000000), ref: 6CBB7668

SendMessageW.USER32(?,00000234,00000000,00000000), ref: 6CBB8124
SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6CBB814B
SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6CBB8168
SendMessageW.USER32(?,00000222,?,00000000), ref: 6CBB817F
SendMessageW.USER32(?,00000222,00000000,?), ref: 6CBB81A4

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSend$Parent$LongWindow
String ID:
API String ID: 4191550487-0
Opcode ID: e667e061f34d48ec161ac0e0fc2f7a1a1105c39d71ee4c573e6e28118c6a0457
Instruction ID: d733b23a53b704d5141cf097cc7dc0df99049cb190d3cf80f82ebb2ec6a882da
Opcode Fuzzy Hash: e667e061f34d48ec161ac0e0fc2f7a1a1105c39d71ee4c573e6e28118c6a0457
Instruction Fuzzy Hash: 4321F331751249BBEB095A25CC42FFD7529EF48318F14012AEA29BAAD0CFF1E84086A1

Uniqueness

Uniqueness Score: -1.00%

Function 6CBC037C Relevance: 7.6, APIs: 5, Instructions: 89windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 6CBC03BF
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 6CBC03F2
GetWindowRect.USER32(?,?), ref: 6CBC0401
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6CBC0457
RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 6CBC0469

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$MessageSend$RectRedrawVisible
String ID:
API String ID: 1695962874-0
Opcode ID: afa2738c9d875dffa84e6617e0facf8cc7b9f5a2ffacc9a0a4ab0b1ad27d0573
Instruction ID: b5a6410ec81dbcf48db98382a7aab5d8fee680fc7d60e48d1e5441705da90a15
Opcode Fuzzy Hash: afa2738c9d875dffa84e6617e0facf8cc7b9f5a2ffacc9a0a4ab0b1ad27d0573
Instruction Fuzzy Hash: B5312F71A00595EFCB11CFA9CD84EAFBBB4FB89710F104649E565E72A4D771A900CB11

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB9385 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 6CBB93DE
GetWindowRect.USER32(?,?), ref: 6CBB9401
PtInRect.USER32(?,?,?), ref: 6CBB940D
GetWindowRect.USER32(?,?), ref: 6CBB942B
PtInRect.USER32(?,?,?), ref: 6CBB9438

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Window
String ID:
API String ID: 924285169-0
Opcode ID: aa8e8c6abe814805c4d38f09111561ded748d322b0777eacfc1dbd5999cffbc0
Instruction ID: cce75d9d566d7e1d047bd27e9d124bf7371f8f0f88d010d2e379c5d78e038a46
Opcode Fuzzy Hash: aa8e8c6abe814805c4d38f09111561ded748d322b0777eacfc1dbd5999cffbc0
Instruction Fuzzy Hash: 7431E2B1E10269AFCB11DFA9D9848EEBBF8EB4D714B1441AAE404F3210DB70D900CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB52472 Relevance: 7.6, APIs: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 6CB52495
GetWindowRect.USER32(00000000,?), ref: 6CB524C2
SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015,?), ref: 6CB524E7
GetWindow.USER32(?,00000005), ref: 6CB524F0
ScrollWindow.USER32(?,?,?,?,?), ref: 6CB5250B

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$RectScrollVisible
String ID:
API String ID: 2639402888-0
Opcode ID: 88660eea1939b81d67b681f553cb22fb92e097eaad755184e4508ef2e09bd327
Instruction ID: 2cc8d3383594b497e136de43268c5355ff72c8d53ea2f37ea606b0d7d0e56020
Opcode Fuzzy Hash: 88660eea1939b81d67b681f553cb22fb92e097eaad755184e4508ef2e09bd327
Instruction Fuzzy Hash: 36216D71A00249EFCF11CF95C888D9FBBB9FF89304B504409F645A3650D7309A60DB52

Uniqueness

Uniqueness Score: -1.00%

Function 6CB53EC5 Relevance: 7.6, APIs: 5, Instructions: 80windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB53ECF
GetTopWindow.USER32(00000000), ref: 6CB53EF4
GetDlgCtrlID.USER32(00000000), ref: 6CB53F06
SendMessageW.USER32(?,00000087,00000000,00000000), ref: 6CB53F62
GetWindow.USER32(00000000,00000002), ref: 6CB53FA2

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$CtrlH_prolog3MessageSend
String ID:
API String ID: 849854284-0
Opcode ID: 789f950cac70f7ccd6c17b2acf14a2130ca6055b5d999018e08d5d62b1a9d3d7
Instruction ID: e47e76fa3dceb7621edee0f1350bfce2f5791dd721422b3d17e969692018d0d5
Opcode Fuzzy Hash: 789f950cac70f7ccd6c17b2acf14a2130ca6055b5d999018e08d5d62b1a9d3d7
Instruction Fuzzy Hash: A721D231901398AEDF11DFA0DC68EEDB774EF45308FA04215E051E3690EB318A64CF22

Uniqueness

Uniqueness Score: -1.00%

Function 6CBC082D Relevance: 7.6, APIs: 5, Instructions: 78windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CBC0834
SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 6CBC085B
SendMessageW.USER32(?,0000007F,00000001,00000000), ref: 6CBC086F
GetClassLongW.USER32(?,000000DE), ref: 6CBC08E7
GetClassLongW.USER32(?,000000F2), ref: 6CBC08F5

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ClassLongMessageSend$H_prolog3
String ID:
API String ID: 350087385-0
Opcode ID: 1310efa5c2b1fd8f2f0016f64ae75d826e9d8fc20c02920c4caa6541db6aa8e7
Instruction ID: 86e8029f27d5b32dca56c87a3d2d3b073620895a4ea9a5184568b7d239918467
Opcode Fuzzy Hash: 1310efa5c2b1fd8f2f0016f64ae75d826e9d8fc20c02920c4caa6541db6aa8e7
Instruction Fuzzy Hash: 1621D371B40295ABDB20EBB5CCC0F9D7274AF55754F114224E954BBAE0DF609C048B92

Uniqueness

Uniqueness Score: -1.00%

Function 6CB87A95 Relevance: 7.6, APIs: 5, Instructions: 73windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB874D9: __EH_prolog3_GS.LIBCMT ref: 6CB874E0
Part of subcall function 6CB874D9: GetWindowRect.USER32(?,?), ref: 6CB87521
Part of subcall function 6CB874D9: CreateRoundRectRgn.GDI32(00000000,00000000,?,?,00000004,00000004), ref: 6CB8754B
Part of subcall function 6CB874D9: SetWindowRgn.USER32(?,?,00000000), ref: 6CB87561

GetSystemMenu.USER32(?,00000000), ref: 6CB87B09
DeleteMenu.USER32(?,0000F120,00000000,00000000), ref: 6CB87B2A
DeleteMenu.USER32(?,0000F020,00000000), ref: 6CB87B36
DeleteMenu.USER32(?,0000F030,00000000), ref: 6CB87B42
EnableMenuItem.USER32(?,0000F060,00000001), ref: 6CB87B5C

Part of subcall function 6CB8075A: SetRectEmpty.USER32(?), ref: 6CB8078D
Part of subcall function 6CB8075A: ReleaseCapture.USER32 ref: 6CB80793
Part of subcall function 6CB8075A: SetCapture.USER32(?,?,6CB8422C,?,?,?,?,?,6CB7A4D5,00000000,?,6CB7AA24), ref: 6CB807A2
Part of subcall function 6CB8075A: GetCapture.USER32 ref: 6CB807E4
Part of subcall function 6CB8075A: ReleaseCapture.USER32 ref: 6CB807F4
Part of subcall function 6CB8075A: SetCapture.USER32(?,?,6CB8422C,?,?,?,?,?,6CB7A4D5,00000000,?,6CB7AA24), ref: 6CB80803
Part of subcall function 6CB8075A: RedrawWindow.USER32(?,?,?,00000505), ref: 6CB8086E

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CaptureMenu$DeleteRectWindow$Release$CreateEmptyEnableH_prolog3_ItemRedrawRoundSystem
String ID:
API String ID: 2818640433-0
Opcode ID: f5c46d839c2c80c90f95a87da88c9927cb825dd017317c531ecf34b006d042e0
Instruction ID: 267bd79a47ad0021e77def51480ea411a241de7730ac3514e80cd62291678af8
Opcode Fuzzy Hash: f5c46d839c2c80c90f95a87da88c9927cb825dd017317c531ecf34b006d042e0
Instruction Fuzzy Hash: 6921C331702251BFDF211F61CC98FAE3A2AEF44B58F040176F605A7AA1CB71D814CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB64432 Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 6CB5994F: __EH_prolog3.LIBCMT ref: 6CB59956
Part of subcall function 6CB5994F: GetDC.USER32(00000000), ref: 6CB59982

IsRectEmpty.USER32(?), ref: 6CB6445B
InvertRect.USER32(?,?), ref: 6CB64469
SetRectEmpty.USER32(?), ref: 6CB64479
GetClientRect.USER32(?,?), ref: 6CB64496
InvertRect.USER32(?,?), ref: 6CB644E3

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$EmptyInvert$ClientH_prolog3
String ID:
API String ID: 1656078942-0
Opcode ID: cd2c3e5bc6ca26f4bc0e870029d61d1cb63995024afd8185f4c60dd9254a82ec
Instruction ID: b1eecfe81a5c3ff085b0701d3683a9f5abe99db34a4d6309e346771c4d539bf9
Opcode Fuzzy Hash: cd2c3e5bc6ca26f4bc0e870029d61d1cb63995024afd8185f4c60dd9254a82ec
Instruction Fuzzy Hash: 12211B71A00209EFCF05CFA9C8859DE7BB5FF49310F544069E809EB604EB709A55CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6CB726DE Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB5676A: GetWindowLongW.USER32(?,000000F0), ref: 6CB56775

SendMessageW.USER32(?,00000086,00000001,00000000), ref: 6CB72745
SendMessageW.USER32(?,00000086,00000000,00000000), ref: 6CB7275C
GetDesktopWindow.USER32 ref: 6CB72760
SendMessageW.USER32(00000000,0000036D,0000000C,00000000), ref: 6CB72781
GetWindow.USER32(00000000), ref: 6CB72786

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSendWindow$DesktopLong
String ID:
API String ID: 2272707703-0
Opcode ID: 513768a8049c5632c4b2083cbfc9bbde55de7fa2d5a2404c0913b88db750c0db
Instruction ID: a8e3c2afca028490925fbdfa90956fe8ec8ee13144aa46f8dbdcc152eb44c9a1
Opcode Fuzzy Hash: 513768a8049c5632c4b2083cbfc9bbde55de7fa2d5a2404c0913b88db750c0db
Instruction Fuzzy Hash: 881108313417C5BBEB311A228D89F9E7A24EF55758F200114FE316A5D0DBA5DC1583B2

Uniqueness

Uniqueness Score: -1.00%

Function 6CBA90D9 Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CBA90E0
DestroyMenu.USER32(?,00000004,6CBAC797,00000004,6CB6340B), ref: 6CBA911C
IsWindow.USER32(?), ref: 6CBA912D
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6CBA9141
~_Task_impl.LIBCPMT ref: 6CBA91BA

Part of subcall function 6CC01C55: GetParent.USER32(00000000), ref: 6CC01CBB

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: DestroyH_prolog3MenuMessageParentSendTask_implWindow
String ID:
API String ID: 1857064102-0
Opcode ID: 0dbe3edd031e21a815ca8ac8e311374d161e66cbc3ca4d2b418eb9c906a6dfd8
Instruction ID: 65ce8394146f85ac98c1827036c8b45b7753fb7e0129b62ce49de4885715d404
Opcode Fuzzy Hash: 0dbe3edd031e21a815ca8ac8e311374d161e66cbc3ca4d2b418eb9c906a6dfd8
Instruction Fuzzy Hash: 4D318B70505680DADB26DFB8C5487FEBBF1EF85308F60444CD09A57B80DBB6660AEB52

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB887E Relevance: 7.6, APIs: 5, Instructions: 68windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CBB88B2
SHAppBarMessage.SHELL32(00000007,?), ref: 6CBB88D0
SHAppBarMessage.SHELL32(00000007,?), ref: 6CBB88EA
SHAppBarMessage.SHELL32(00000007,?), ref: 6CBB8900
SHAppBarMessage.SHELL32(00000007,?), ref: 6CBB8919

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Message$_memset
String ID:
API String ID: 2485647581-0
Opcode ID: 2730584e662a8907567d0dc407f4d359d61f433a73698fcbbd4bd8340a60e1cd
Instruction ID: 60a2f27c5f7a1f2321afce8a7032fd9bf986567716e1071f0ddf2441e16e2a95
Opcode Fuzzy Hash: 2730584e662a8907567d0dc407f4d359d61f433a73698fcbbd4bd8340a60e1cd
Instruction Fuzzy Hash: 5F218C71E0121AAFEB04CFA5CC81FEABFB8EB08758F10102AD519E6580DB71E545CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB641CC Relevance: 7.6, APIs: 5, Instructions: 68stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 6CB64218
SendMessageW.USER32(?,0000120C,00000000,00000002), ref: 6CB6423C
lstrlenW.KERNEL32(00000000), ref: 6CB64245
SendMessageW.USER32(?,0000120C,00000001,00000002), ref: 6CB64263
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 6CB6427C

Part of subcall function 6CB4BCE0: __CxxThrowException@8.LIBCMT ref: 6CB4BCF6
Part of subcall function 6CB4BCE0: __EH_prolog3.LIBCMT ref: 6CB4BD03

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSendlstrlen$Exception@8H_prolog3RedrawThrowWindow
String ID:
API String ID: 524015339-0
Opcode ID: b1bb514e02e0ed339ca6234986d4acfa8f8eff43444da74be5f2ea5bf6dd3a55
Instruction ID: 5f7a8887a0459bb3632e2fac776ffeda56d4cad5c69541d0c1123e9209c13e7a
Opcode Fuzzy Hash: b1bb514e02e0ed339ca6234986d4acfa8f8eff43444da74be5f2ea5bf6dd3a55
Instruction Fuzzy Hash: 13218875600204AFDB10EF69CC89FAEBBF4FF88310F100169E559A76A0DB70A810CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6CB72EE8 Relevance: 7.6, APIs: 5, Instructions: 66windowCOMMON

Download Yara Rule

APIs

GlobalGetAtomNameW.KERNEL32(?,?,00000103), ref: 6CB72F62
GlobalAddAtomW.KERNEL32(?), ref: 6CB72F71
GlobalGetAtomNameW.KERNEL32(?,?,00000103), ref: 6CB72F87
GlobalAddAtomW.KERNEL32(?), ref: 6CB72F90
SendMessageW.USER32(?,000003E4,?,?), ref: 6CB72FBA

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AtomGlobal$Name$MessageSend
String ID:
API String ID: 1515195355-0
Opcode ID: 5021fdad75e63d7dd0055d25b524f34b6585e1f321cf2cc9ef84742055bc5629
Instruction ID: c698efea643523b0a97a257cdad762ecac307f3eca258c35df6895a904be8c2f
Opcode Fuzzy Hash: 5021fdad75e63d7dd0055d25b524f34b6585e1f321cf2cc9ef84742055bc5629
Instruction Fuzzy Hash: 14216271A00218ABDF20EF65CC48AE9B3F8FF54704F408559E56DD7681D7749E84CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB8AFB1 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

FillRect.USER32(?,?), ref: 6CB8AFE8
GetParent.USER32(?), ref: 6CB8B005
GetClientRect.USER32(?,?), ref: 6CB8B014
GetParent.USER32(?), ref: 6CB8B01D
MapWindowPoints.USER32(?,?,?,00000002), ref: 6CB8B032

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ParentRect$ClientFillPointsWindow
String ID:
API String ID: 3058756167-0
Opcode ID: a5fd12bdf2ba5a651a65a053798754aa37ddec9d8757bb8076c5032f2f776a2c
Instruction ID: 2b06120d17484048adf81e253d0b75ff7a1b2d182a4060a3c0c6e26c55cff086
Opcode Fuzzy Hash: a5fd12bdf2ba5a651a65a053798754aa37ddec9d8757bb8076c5032f2f776a2c
Instruction Fuzzy Hash: E3216DB1A00219EFCF04EFA4C848CAFBBB5FF4A311B514569E905E7250EB31A915CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB874D9 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB874E0
GetWindowRect.USER32(?,?), ref: 6CB87521
CreateRoundRectRgn.GDI32(00000000,00000000,?,?,00000004,00000004), ref: 6CB8754B
SetWindowRgn.USER32(?,?,00000000), ref: 6CB87561

Part of subcall function 6CB5882C: __EH_prolog3_catch_GS.LIBCMT ref: 6CB58836

SetWindowRgn.USER32(?,00000000,00000000), ref: 6CB8757D

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$Rect$CreateH_prolog3_H_prolog3_catch_Round
String ID:
API String ID: 4273792742-0
Opcode ID: 7ef6fdc4a59f726f8988e049d175995248fa57a63e8e3897fdede603abec2c8a
Instruction ID: 1fdd8898013b79524d6068d598e47ef806299e928626bed8047d934f997e3468
Opcode Fuzzy Hash: 7ef6fdc4a59f726f8988e049d175995248fa57a63e8e3897fdede603abec2c8a
Instruction Fuzzy Hash: 2B115671D01208EFDF11DFA9C8888EEFBB8FF89314F60025AE156B26A0D7709911CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6CB56ABF Relevance: 7.6, APIs: 5, Instructions: 55stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?), ref: 6CB56AEB
_memset.LIBCMT ref: 6CB56B09
GetWindowTextW.USER32(00000000,?,00000100), ref: 6CB56B23
lstrcmpW.KERNEL32(?,?,?,?), ref: 6CB56B35
SetWindowTextW.USER32(00000000,?), ref: 6CB56B41

Part of subcall function 6CB4BCE0: __CxxThrowException@8.LIBCMT ref: 6CB4BCF6
Part of subcall function 6CB4BCE0: __EH_prolog3.LIBCMT ref: 6CB4BD03

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
String ID:
API String ID: 4273134663-0
Opcode ID: d6b7e0b1b768a594b06b9746ea69ec3d2dd373cc966f287a47a915142b389588
Instruction ID: 2ac47f1a46cc6d142a06fb5e235d75674854c43ea0da8bc3fadf896f3cd11b39
Opcode Fuzzy Hash: d6b7e0b1b768a594b06b9746ea69ec3d2dd373cc966f287a47a915142b389588
Instruction Fuzzy Hash: CD0184B6B01218ABDB00EFA59C49DDF77BCEB49354F408161E915E3245EA30DA5487A1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6B341 Relevance: 7.6, APIs: 5, Instructions: 55windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 6CB6B34D
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 6CB6B379
SendMessageW.USER32(?,00000150,?,00000000), ref: 6CB6B38C
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 6CB6B3A6
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 6CB6B3B9

Part of subcall function 6CB4BCE0: __CxxThrowException@8.LIBCMT ref: 6CB4BCF6
Part of subcall function 6CB4BCE0: __EH_prolog3.LIBCMT ref: 6CB4BD03

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSend$Exception@8H_prolog3ThrowWindow
String ID:
API String ID: 1622667542-0
Opcode ID: 78cc4ce95a8eb956cbfb5c4204e1591f06224a34c26d336a83676eb0d308c97c
Instruction ID: 8387d19aa96c749dd17701c578edc0b426dca930d3e57989b73612e46b3a2379
Opcode Fuzzy Hash: 78cc4ce95a8eb956cbfb5c4204e1591f06224a34c26d336a83676eb0d308c97c
Instruction Fuzzy Hash: 48015E31740649FFEB055BB1CD45F5ABAB9FB48788F100121F604A79A0EBB1EC21AB90

Uniqueness

Uniqueness Score: -1.00%

Function 6CB658B1 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB658B8
IsWindow.USER32(?), ref: 6CB658DF
InflateRect.USER32(?,00000000,000000FF), ref: 6CB658FB
InvalidateRect.USER32(?,?,00000001), ref: 6CB65910
UpdateWindow.USER32(?), ref: 6CB6591F

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: RectWindow$H_prolog3_InflateInvalidateUpdate
String ID:
API String ID: 2146894351-0
Opcode ID: 4e61e5e8265eee8d9eaaf8a27bb7bc44759acebd44105b29974ef58962969081
Instruction ID: beca2a7c0ab10a20a34fe990a92915ca063623f22dca6aa4f9f641e5c4179513
Opcode Fuzzy Hash: 4e61e5e8265eee8d9eaaf8a27bb7bc44759acebd44105b29974ef58962969081
Instruction Fuzzy Hash: 0C115B712002449FDF04DFA4C984FE937B5FF09305F5442A8E90AAF696DB30E928CB21

Uniqueness

Uniqueness Score: -1.00%

Function 6CBEA679 Relevance: 7.6, APIs: 5, Instructions: 53threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CBEA680
EnterCriticalSection.KERNEL32(6CCAD004,00000000,6CB8446A,00000001), ref: 6CBEA6DC
__beginthread.LIBCMT ref: 6CBEA6F6
SetThreadPriority.KERNEL32(00000000,000000FF), ref: 6CBEA70F
LeaveCriticalSection.KERNEL32(6CCAD004), ref: 6CBEA726

Part of subcall function 6CB9D07E: __EH_prolog3.LIBCMT ref: 6CB9D085

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CriticalH_prolog3Section$EnterLeavePriorityThread__beginthread
String ID:
API String ID: 4118814795-0
Opcode ID: a1c34c0f8d9c467c5f33dd4569ab43ba529b94ff41a0b8169915c030b73162bd
Instruction ID: 9bf8f1b171fb2943266f8ce5a289e58ba1464bb3e489e563952ea1f59a510941
Opcode Fuzzy Hash: a1c34c0f8d9c467c5f33dd4569ab43ba529b94ff41a0b8169915c030b73162bd
Instruction Fuzzy Hash: 0B11B274A00650EFCA10EFA6A88C54C3EB8EB0BBB8B204715F43557AD0E73081929F92

Uniqueness

Uniqueness Score: -1.00%

Function 6CB9FBD1 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,75296BA0,00000000,6CC6AFB0,?,6CBA1A83,?,?,?,00000084,6CBA1E57,0000000A,0000000A,0000000A,00000014), ref: 6CB9FBF5
LoadResource.KERNEL32(?,00000000,?,6CBA1A83,?,?,?,00000084,6CBA1E57,0000000A,0000000A,0000000A,00000014,6CB6DCB8,00000004,6CB68318), ref: 6CB9FC0B
LockResource.KERNEL32(00000000,?,?,6CBA1A83,?,?,?,00000084,6CBA1E57,0000000A,0000000A,0000000A,00000014,6CB6DCB8,00000004,6CB68318), ref: 6CB9FC1A
FreeResource.KERNEL32(?,00000000,00000000,?,?,6CBA1A83,?,?,?,00000084,6CBA1E57,0000000A,0000000A,0000000A,00000014,6CB6DCB8), ref: 6CB9FC2B
SizeofResource.KERNEL32(?,00000000,?,?,6CBA1A83,?,?,?,00000084,6CBA1E57,0000000A,0000000A,0000000A,00000014,6CB6DCB8,00000004), ref: 6CB9FC38

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Resource$FindFreeLoadLockSizeof
String ID:
API String ID: 4159136517-0
Opcode ID: b263f99e71b07bb76c01c95918e1976265a01cd0011c15ccfa253d20a20b4e8b
Instruction ID: 3332b851cf21d320bea9d57e75edea11b95b025ec01464d44599db03e63de077
Opcode Fuzzy Hash: b263f99e71b07bb76c01c95918e1976265a01cd0011c15ccfa253d20a20b4e8b
Instruction Fuzzy Hash: BE018B76604655BF9F156FAA9848C8F7BBDEF8B7B83158025FD05A3600EB30CD118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6E737 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6CB6E76A
GetCursorPos.USER32(?), ref: 6CB6E77A
ScreenToClient.USER32(?,?), ref: 6CB6E787
PtInRect.USER32(?,?,?), ref: 6CB6E797
SetCursor.USER32(?), ref: 6CB6E7A7

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ClientCursorRect$Screen
String ID:
API String ID: 1023402310-0
Opcode ID: b6991130f282b57508d37f88ba996f4e2287b1f3349ab84c68547ebf5fdb592b
Instruction ID: ca23adb71cf70e0e515595eabb228e2fcdb1dbb963ceea84b35eced44f3bee66
Opcode Fuzzy Hash: b6991130f282b57508d37f88ba996f4e2287b1f3349ab84c68547ebf5fdb592b
Instruction Fuzzy Hash: 54110671E0124AEFCF11DFA6C8488BEFBB9FF95204B50442AE116E2560DB349A16DF91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB72544 Relevance: 7.5, APIs: 5, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,00000367,00000367,00000003), ref: 6CB7256A
PostMessageW.USER32(?,00000367,00000000,00000000), ref: 6CB72582
GetCapture.USER32 ref: 6CB72584
ReleaseCapture.USER32 ref: 6CB7258F
PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 6CB725BD

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Message$CapturePost$PeekRelease
String ID:
API String ID: 1125932295-0
Opcode ID: cfd0121ac167e4639a8ecb40b1dfd29e83d73cf2de0487c8d672fdc510d2ff0b
Instruction ID: cc4ae509a580a440a6c41c34493edc9e4bae2eba6d7d9b33576472da4fc931f4
Opcode Fuzzy Hash: cfd0121ac167e4639a8ecb40b1dfd29e83d73cf2de0487c8d672fdc510d2ff0b
Instruction Fuzzy Hash: 8D018431204640AFDB256B31CC4DF5B7AB8FB84708F50452DF596E2690EA70A8108761

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6BC22 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 6CB6BC42
RedrawWindow.USER32(?,00000000,00000000,00000401), ref: 6CB6BC5A
PtInRect.USER32(?,?,?), ref: 6CB6BC74
ReleaseCapture.USER32 ref: 6CB6BC81
RedrawWindow.USER32(?,00000000,00000000,00000401), ref: 6CB6BC91

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: RectRedrawWindow$CaptureRelease
String ID:
API String ID: 1080614547-0
Opcode ID: f6911844db6de37c332eaa411ed8a5583f2ed847e787caf1a4599a93d3179c81
Instruction ID: 5a5abba830e5bb74e0f2fc852af5b2878f8889cd9aa48ed4689b0058994c5128
Opcode Fuzzy Hash: f6911844db6de37c332eaa411ed8a5583f2ed847e787caf1a4599a93d3179c81
Instruction Fuzzy Hash: D2015E31200B85AFDF215F62C808D9B7FB9FB85704B50881AF6AA92820DB31E125EF50

Uniqueness

Uniqueness Score: -1.00%

Function 6CBC2AF7 Relevance: 7.5, APIs: 5, Instructions: 45windowCOMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 6CBC2B06
SendMessageW.USER32(?,00000366,00000000,?), ref: 6CBC2B22
ClientToScreen.USER32(?,?), ref: 6CBC2B2F
GetWindowLongW.USER32(?,000000F0), ref: 6CBC2B38
GetParent.USER32(?), ref: 6CBC2B46

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ClientScreen$LongMessageParentSendWindow
String ID:
API String ID: 4240056119-0
Opcode ID: 4ed294a34e829e320fd7ad0a7c3974131fdff7a6b3af698b7ebfe77d360a0da5
Instruction ID: bd1bf55bf5f65a6d6689f1213e1fa8999ca88a7cfd1f5abb581e8adef365149f
Opcode Fuzzy Hash: 4ed294a34e829e320fd7ad0a7c3974131fdff7a6b3af698b7ebfe77d360a0da5
Instruction Fuzzy Hash: 34F06D36205965ABD7065E598808EAE377CEF82761B504222FE25E7180DB30DA12C6A6

Uniqueness

Uniqueness Score: -1.00%

Function 6CB8F531 Relevance: 7.5, APIs: 5, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 6CB8F54D
_memset.LIBCMT ref: 6CB8F567
GetKeyboardLayout.USER32(?), ref: 6CB8F577
MapVirtualKeyW.USER32(?,00000000), ref: 6CB8F595
ToUnicodeEx.USER32(?,00000000), ref: 6CB8F59F

Part of subcall function 6CB4BCE0: __CxxThrowException@8.LIBCMT ref: 6CB4BCF6
Part of subcall function 6CB4BCE0: __EH_prolog3.LIBCMT ref: 6CB4BD03

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Keyboard$Exception@8H_prolog3LayoutStateThrowUnicodeVirtual_memset
String ID:
API String ID: 4204171240-0
Opcode ID: 917d1566f3216b061313cf2f8eb62fffdb02bf7a041a1ee2e63161ebcc86b214
Instruction ID: 563d5008000e9cf8ff4bc47e0d0723699b0db3d49c5b7d5d8486bb43b1024980
Opcode Fuzzy Hash: 917d1566f3216b061313cf2f8eb62fffdb02bf7a041a1ee2e63161ebcc86b214
Instruction Fuzzy Hash: 51018FB1600108BFDF049BA0CC49FDE77BCEF08304F400061B605E65D0DFB09A999B55

Uniqueness

Uniqueness Score: -1.00%

Function 6CC41E44 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6CC41E50

Part of subcall function 6CC420AA: __getptd_noexit.LIBCMT ref: 6CC420AD
Part of subcall function 6CC420AA: __amsg_exit.LIBCMT ref: 6CC420BA

__getptd.LIBCMT ref: 6CC41E67
__amsg_exit.LIBCMT ref: 6CC41E75
__lock.LIBCMT ref: 6CC41E85
__updatetlocinfoEx_nolock.LIBCMT ref: 6CC41E99

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 1ae05668139a13fa8cd2a8c4d33048d897201e4a7b3f0819144f2e32430e0029
Instruction ID: 787922406ceb5214264da7fc70e4a0b38efa70dd9d4973c68efda6772da43e98
Opcode Fuzzy Hash: 1ae05668139a13fa8cd2a8c4d33048d897201e4a7b3f0819144f2e32430e0029
Instruction Fuzzy Hash: 42F024329053209BEB10ABBCA40DFCD33B0AF40328F11C20AD454A7FC1FB26C5668B55

Uniqueness

Uniqueness Score: -1.00%

Function 6CC05E30 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 432COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CC05E37
IsRectEmpty.USER32(?), ref: 6CC06256
OffsetRect.USER32(?,00000000,00000001), ref: 6CC06292

Strings

!, xrefs: 6CC060DC

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$EmptyH_prolog3_Offset
String ID: !
API String ID: 307044148-2657877971
Opcode ID: 3e0ad2b8a2084880dc9794514b48e4c87e669d4bd1ed19d21831bb55134ef99b
Instruction ID: 0115efff2640df9ca781b820994a53a24dd61b247da4b0459cf3766d5b3386b9
Opcode Fuzzy Hash: 3e0ad2b8a2084880dc9794514b48e4c87e669d4bd1ed19d21831bb55134ef99b
Instruction Fuzzy Hash: 99026C71A00619DFCF01CFA8C884ADDBBB9FF49308F144169E816EB695EB71A949CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6CB441E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

Part of subcall function 6CB4BAB7: _malloc.LIBCMT ref: 6CB4BAD5

_memmove.LIBCMT ref: 6CB44271
_memmove.LIBCMT ref: 6CB4429B

Strings

Languages, xrefs: 6CB44303
Regions, xrefs: 6CB44330

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: _memmove$_malloc
String ID: Languages$Regions
API String ID: 1938898002-3463198627
Opcode ID: e514178e9ebf758572d3b69e157141295c441d9e144d858151fd209a12f1f690
Instruction ID: c94898791dc5219f30bb410a8bee08c1d8af2ef91663fd18fbaf83619e6759ed
Opcode Fuzzy Hash: e514178e9ebf758572d3b69e157141295c441d9e144d858151fd209a12f1f690
Instruction Fuzzy Hash: 8351C071A046509FD728CF59D880AABF7F5FF88718B14CA2DE859C7B04E731E8048B91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB42A10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CB42A86
_memmove.LIBCMT ref: 6CB42ADC

Part of subcall function 6CB42860: std::_Xinvalid_argument.LIBCPMT ref: 6CB42877

Strings

MarketPlugin, xrefs: 6CB42A52, 6CB42A68, 6CB42A75, 6CB42ADA
string too long, xrefs: 6CB42A81

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: MarketPlugin$string too long
API String ID: 2168136238-339044207
Opcode ID: e841b9c86d987bcae4b9d31f415fbcf38f890333ccbd94365cb8e8fc1bb1a2eb
Instruction ID: 967071de99004c00ab1b5c49a92839712847c1c2d74def51ba3e20638296301a
Opcode Fuzzy Hash: e841b9c86d987bcae4b9d31f415fbcf38f890333ccbd94365cb8e8fc1bb1a2eb
Instruction Fuzzy Hash: FA31B2323181519B4724CE5EF8C486AB3AAFFD5365316853AEA04CBA04D720EC65F7B7

Uniqueness

Uniqueness Score: -1.00%

Function 6CB42D40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 6CB42DDE

Part of subcall function 6CC3957D: std::exception::_Copy_str.LIBCMT ref: 6CC39598

__CxxThrowException@8.LIBCMT ref: 6CB42DF3

Part of subcall function 6CC3A59F: RaiseException.KERNEL32(6CB42DF8,00000000,D7F0CEE4,6CC88058,6CB42DF8,00000000,6CC9DBD8,?,D7F0CEE4), ref: 6CC3A5E1

Part of subcall function 6CB42F10: std::exception::exception.LIBCMT ref: 6CB42F42
Part of subcall function 6CB42F10: __CxxThrowException@8.LIBCMT ref: 6CB42F57

_memmove.LIBCMT ref: 6CB42E37

Strings

MarketPlugin, xrefs: 6CB42D55

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaise_memmovestd::exception::_
String ID: MarketPlugin
API String ID: 163498487-3085281971
Opcode ID: 100638d6fe62ed05c414d40d9ac7e63cca75fa12ac73052a394b756d8a6d3bdd
Instruction ID: 92c711860a60a97112bf3b742a69d53efc5885c80220b7fb29ba100726bb768f
Opcode Fuzzy Hash: 100638d6fe62ed05c414d40d9ac7e63cca75fa12ac73052a394b756d8a6d3bdd
Instruction Fuzzy Hash: 9C410B71A14555DBCB04CF68C894AAEB7F9FF44314F10862DE825D7B84E730A914EBA3

Uniqueness

Uniqueness Score: -1.00%

Function 6CBBE482 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6CBBE48C

Part of subcall function 6CBEC4EE: __EH_prolog3.LIBCMT ref: 6CBEC4F5

Part of subcall function 6CB4F4F0: __EH_prolog3.LIBCMT ref: 6CB4F4F7

Part of subcall function 6CB4F4AE: __EH_prolog3.LIBCMT ref: 6CB4F4B5

Part of subcall function 6CBEC211: __EH_prolog3.LIBCMT ref: 6CBEC218

_free.LIBCMT ref: 6CBBE584

Strings

%sMDIClientArea-%d, xrefs: 6CBBE4CB
MDITabsState, xrefs: 6CBBE576

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: H_prolog3$H_prolog3_catch_free
String ID: %sMDIClientArea-%d$MDITabsState
API String ID: 276651542-353449602
Opcode ID: ea5370f3ea008560ce01d89ce808a84a73a1ea0449d9345320521855e4a44dc2
Instruction ID: 2eb42f35815dda421ecb96728afe13f5427fdb127b7abc7142ac4abadeb46b6d
Opcode Fuzzy Hash: ea5370f3ea008560ce01d89ce808a84a73a1ea0449d9345320521855e4a44dc2
Instruction Fuzzy Hash: 3B418D30900288AFDF05DFE4C984AEDBBB4AF18348F10809DE505BB781DB705B48DB66

Uniqueness

Uniqueness Score: -1.00%

Function 6CB457C0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CB45839
_memmove.LIBCMT ref: 6CB4586C

Part of subcall function 6CB45710: std::_Xinvalid_argument.LIBCPMT ref: 6CB45728
Part of subcall function 6CB45710: std::_Xinvalid_argument.LIBCPMT ref: 6CB45746
Part of subcall function 6CB45710: _memmove.LIBCMT ref: 6CB4578A

Strings

Market, xrefs: 6CB45802, 6CB45818, 6CB4586A
string too long, xrefs: 6CB45834

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: Market$string too long
API String ID: 2168136238-807897045
Opcode ID: 3c6dfa1fdab9520ac157a2b3b3f732b11191b3fa8f286a1f84569d833f611a8f
Instruction ID: 7604cf26ef6c01b6cb9219b2069572ba5220f0645735cbcd6fb3cb6d2655ed05
Opcode Fuzzy Hash: 3c6dfa1fdab9520ac157a2b3b3f732b11191b3fa8f286a1f84569d833f611a8f
Instruction Fuzzy Hash: 5F21D571309A45EF8704CE6CE8C0C69B3AAFFD1325310813EE505CBA14DB21A869E7A6

Uniqueness

Uniqueness Score: -1.00%

Function 6CB44C70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 6CB44D19

Strings

ProductName, xrefs: 6CB44D40
RequireNetwork, xrefs: 6CB44CF7
true, xrefs: 6CB44D13

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: __wcsicoll
String ID: ProductName$RequireNetwork$true
API String ID: 3832890014-2082567266
Opcode ID: 843f424833f5f67657f8813c3fa0c14c62cab6185c9408abe0222c7a522d0792
Instruction ID: 8bea798d39e3388cf19f01e78bd7b06c31c45268367fae49efcb32e70e76e4dd
Opcode Fuzzy Hash: 843f424833f5f67657f8813c3fa0c14c62cab6185c9408abe0222c7a522d0792
Instruction Fuzzy Hash: 6331F131B081549FD704CF69D880F6AB3F0EF88718F148669E9158BB45E732ED119BD1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB55FFB Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

__snwprintf_s.LIBCMT ref: 6CB56046
__snwprintf_s.LIBCMT ref: 6CB56078

Part of subcall function 6CC3ACFA: __getptd_noexit.LIBCMT ref: 6CC3ACFA

Strings

Afx:%p:%x:%p:%p:%p, xrefs: 6CB5606E
Afx:%p:%x, xrefs: 6CB5603C

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: __snwprintf_s$__getptd_noexit
String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
API String ID: 101746997-2801496823
Opcode ID: 3db7181a5bcb59194ebb0b8443ba65485b572355a1445b747c5396bce517f80c
Instruction ID: f2a490069757c679158d5efda61874cf13204bf7eefcf7eea8acbcf99337de1d
Opcode Fuzzy Hash: 3db7181a5bcb59194ebb0b8443ba65485b572355a1445b747c5396bce517f80c
Instruction Fuzzy Hash: 793160B0D00259AFCF01DFA9D9809DEBBB8EF89754F044026E915A7710E7319A64CB65

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5CBD0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CB5CBF5
GetSysColor.USER32(00000014), ref: 6CB5CC3F
CreateDIBitmap.GDI32(?,00000028,00000004,?,00000028,00000000), ref: 6CB5CC92

Strings

(, xrefs: 6CB5CC23

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: BitmapColorCreate_memset
String ID: (
API String ID: 3930187609-3887548279
Opcode ID: c426ffdd7e219fd3d9cb38be13866dd8f5333421a28f79e50f23c15e7b1c36ff
Instruction ID: 2954ec3463974cca124ca307d29dfa408bd4d20a936513eee5ce8a52e8ed1eb5
Opcode Fuzzy Hash: c426ffdd7e219fd3d9cb38be13866dd8f5333421a28f79e50f23c15e7b1c36ff
Instruction Fuzzy Hash: 5821F531A10258DFEF04CBB8C815BEDBBF4AF95700F00446EE546E7281DE355948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB777E5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(DWMAPI,?,?,00000000,?,?,?,?,?,?,?,?,6CBBC1DD), ref: 6CB7785C
GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps), ref: 6CB7786C

Strings

DWMAPI, xrefs: 6CB77857
DwmInvalidateIconicBitmaps, xrefs: 6CB77866

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: DWMAPI$DwmInvalidateIconicBitmaps
API String ID: 1646373207-1098356003
Opcode ID: 99044279b6d4d728b4b191bb510bbbd5bc4322a56f1da677573f5e731a9b4691
Instruction ID: 392e930de500541fe53c5f2f01695c65ec7793df7117947dd28cb3a940735055
Opcode Fuzzy Hash: 99044279b6d4d728b4b191bb510bbbd5bc4322a56f1da677573f5e731a9b4691
Instruction Fuzzy Hash: C311AC71A102058FDB05DF76C8886AF77F5EF4A205B2409B8AC26FB601EAB1D900CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB42860 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CB42877

Part of subcall function 6CC4F971: std::exception::exception.LIBCMT ref: 6CC4F986
Part of subcall function 6CC4F971: __CxxThrowException@8.LIBCMT ref: 6CC4F99B
Part of subcall function 6CC4F971: std::exception::exception.LIBCMT ref: 6CC4F9AC

Part of subcall function 6CB42BA0: std::_Xinvalid_argument.LIBCPMT ref: 6CB42BAD

_memmove.LIBCMT ref: 6CB428D7

Strings

MarketPlugin, xrefs: 6CB42866, 6CB4286A
invalid string position, xrefs: 6CB42872

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: MarketPlugin$invalid string position
API String ID: 3404309857-2617601786
Opcode ID: 6651145d99cca5515324ce6cc86dad108b9d0e4038176e63a23945bb808d83f2
Instruction ID: 981fdb0fa57bdd6d24f100c11d5f0df45d305b68cd27e7cc86053a86703f4d7b
Opcode Fuzzy Hash: 6651145d99cca5515324ce6cc86dad108b9d0e4038176e63a23945bb808d83f2
Instruction Fuzzy Hash: 4F1126327182119B8714DE6DE8848ADB366FF94329310862AE401CBB44E731EC49E7B3

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5D65F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB5D666
LoadCursorW.USER32(00000000,00007F00), ref: 6CB5D692
GetClassInfoW.USER32(?,00000000,?), ref: 6CB5D6D6

Part of subcall function 6CB4BCE0: __CxxThrowException@8.LIBCMT ref: 6CB4BCF6
Part of subcall function 6CB4BCE0: __EH_prolog3.LIBCMT ref: 6CB4BD03

Strings

%s:%x:%x:%x:%x, xrefs: 6CB5D6C0

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: H_prolog3$ClassCursorException@8InfoLoadThrow
String ID: %s:%x:%x:%x:%x
API String ID: 3308755097-1000192757
Opcode ID: c93ba05dd5ac1bbc858c8f7b00682bd5fcfcbddf2edd78112309c86953773017
Instruction ID: 59e55cc38e516cd04037cf3d849c8b7462dcaf605428556b4d41c60c345db721
Opcode Fuzzy Hash: c93ba05dd5ac1bbc858c8f7b00682bd5fcfcbddf2edd78112309c86953773017
Instruction Fuzzy Hash: B421E5B0E01259AFCB00DFE9D984ADEBAB4BF18308F508529E504F7740DB749A249BA5

Uniqueness

Uniqueness Score: -1.00%

Function 6CB8AEFC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

FillRect.USER32(?,?), ref: 6CB8AF21
InflateRect.USER32(?,000000FF,000000FF), ref: 6CB8AF58
DrawEdge.USER32(?,?,00000000,0000000F), ref: 6CB8AF78

Strings

iii, xrefs: 6CB8AF3E

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$DrawEdgeFillInflate
String ID: iii
API String ID: 785442924-940974255
Opcode ID: 745e1aae270f5c355bad7cd2a6a51ec858e0bfa3768907dffd6307fdfae1f067
Instruction ID: 04efd52d0870bd0422eb16ff3c82568f63936913d3a82e4e8c47d52bd76171c7
Opcode Fuzzy Hash: 745e1aae270f5c355bad7cd2a6a51ec858e0bfa3768907dffd6307fdfae1f067
Instruction Fuzzy Hash: B511187560010DAFCF00DFA4DD849EFBBB9FB4A324B504226B916EB191DB309A15CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6CB54712 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB4C312: EnterCriticalSection.KERNEL32(6CCA8EF8,?,?,?,?,6CB4BE77,00000010,00000008,6CB4CB84,6CB4CB1B,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4C34C
Part of subcall function 6CB4C312: InitializeCriticalSection.KERNEL32(?,?,?,?,6CB4BE77,00000010,00000008,6CB4CB84,6CB4CB1B,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4C35E
Part of subcall function 6CB4C312: LeaveCriticalSection.KERNEL32(6CCA8EF8,?,?,?,6CB4BE77,00000010,00000008,6CB4CB84,6CB4CB1B,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4C36B
Part of subcall function 6CB4C312: EnterCriticalSection.KERNEL32(?,?,?,?,?,6CB4BE77,00000010,00000008,6CB4CB84,6CB4CB1B,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4C37B

Part of subcall function 6CB4BE5C: __EH_prolog3_catch.LIBCMT ref: 6CB4BE63

Part of subcall function 6CB4BCE0: __CxxThrowException@8.LIBCMT ref: 6CB4BCF6
Part of subcall function 6CB4BCE0: __EH_prolog3.LIBCMT ref: 6CB4BD03

GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 6CB5475B
FreeLibrary.KERNEL32(?), ref: 6CB5476B

Strings

HtmlHelpW, xrefs: 6CB54755
hhctrl.ocx, xrefs: 6CB5473F

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpW$hhctrl.ocx
API String ID: 2853499158-3773518134
Opcode ID: 092c0c3360566b50a0688a967f5a2771b76cfd09eca812fe61f79a51c2f0c88b
Instruction ID: 18ab323f9d7b11413a622398bdc355359180cb53dfdf9379197eb0a26d5d2966
Opcode Fuzzy Hash: 092c0c3360566b50a0688a967f5a2771b76cfd09eca812fe61f79a51c2f0c88b
Instruction Fuzzy Hash: F3012131004B8AAFDB111FB2CC44B9B3BB4EF02759F808824F56AA5E50EF30D4709E52

Uniqueness

Uniqueness Score: -1.00%

Function 6CB56C08 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 6CB56C29
GetClassNameW.USER32(?,?,0000000A), ref: 6CB56C3E
CompareStringW.KERNEL32(00000409,00000001,?,000000FF,combobox,000000FF,?,6CB519F9,?,?), ref: 6CB56C58

Strings

combobox, xrefs: 6CB56C46

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ClassCompareLongNameStringWindow
String ID: combobox
API String ID: 1414938635-2240613097
Opcode ID: 1ebfeaeb36d71c9f25fad7a872b8e9c9c1eb2ff45d4a78da18098d0375c66298
Instruction ID: d9840cd9b8191fa4028f8cc8939f34ed36704a8a48a3ff60b4b3d439895489f5
Opcode Fuzzy Hash: 1ebfeaeb36d71c9f25fad7a872b8e9c9c1eb2ff45d4a78da18098d0375c66298
Instruction Fuzzy Hash: AAF0AF32654118BFCB00DF68CD49EAE7BB8DB06320F900715F962F72C4DA30A9518796

Uniqueness

Uniqueness Score: -1.00%

Function 6CBC59E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40timewindowCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,00000002), ref: 6CBC5A07
GetFocus.USER32 ref: 6CBC5A13
RedrawWindow.USER32(?,00000000,00000000,00000105,00000000), ref: 6CBC5A44

Strings

y, xrefs: 6CBC59F1

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: FocusKillRedrawTimerWindow
String ID: y
API String ID: 1950525498-4225443349
Opcode ID: 56e6bbc0ded09febcf08d7129e9cf6cec8092314af4f2ad2e53b93b9a38ccc1e
Instruction ID: 5b7cdf2d4dfee9b0a5233ae6d1bc6a4a8a8bff3887f03ed01cd258f068c96af6
Opcode Fuzzy Hash: 56e6bbc0ded09febcf08d7129e9cf6cec8092314af4f2ad2e53b93b9a38ccc1e
Instruction Fuzzy Hash: 86F0FF32355384EFCB205AA7CC48B4D3B74EB02729F408129F15A96C90D7B09458EF0B

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4E9C6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 6CB4E9D8
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 6CB4E9E8

Strings

RegCreateKeyTransactedW, xrefs: 6CB4E9E2
Advapi32.dll, xrefs: 6CB4E9D3

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1646373207-2994018265
Opcode ID: 4157ec6f4ec45fdee30097fd51fc37daff0c3ee05e93c562177952c714118fc6
Instruction ID: 24cf5ef9e9dd93cd35a67a1f2c55984c64656c98d23a107706ab8557ba20e096
Opcode Fuzzy Hash: 4157ec6f4ec45fdee30097fd51fc37daff0c3ee05e93c562177952c714118fc6
Instruction Fuzzy Hash: 35F0873211418ABFDF128F91DC04BEABBB5FB4A354F108425FA60B0820D632D470EB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4EA2B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 6CB4EA3F
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 6CB4EA4F

Strings

Advapi32.dll, xrefs: 6CB4EA3A
RegDeleteKeyTransactedW, xrefs: 6CB4EA49

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyTransactedW
API String ID: 1646373207-2168864297
Opcode ID: de893fade88657645a3735563916493cf839c0a327e81b3c780812e9af9105f8
Instruction ID: 5db5efccd339778be3fad8e55e3cd95d9def843e71ee40616350a04a1063d2b7
Opcode Fuzzy Hash: de893fade88657645a3735563916493cf839c0a327e81b3c780812e9af9105f8
Instruction Fuzzy Hash: 94F089326055C4BB8731EA5A9C08C6BBB79FBC3762364C926F1E5E1818D631C451D6A1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4E96D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 6CB4E97F
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6CB4E98F

Strings

RegOpenKeyTransactedW, xrefs: 6CB4E989
Advapi32.dll, xrefs: 6CB4E97A

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 1646373207-3913318428
Opcode ID: 64654407de6fea05a9e821077d4e0a8d40194f1d0e69a275f574cc2f1ba16f52
Instruction ID: 47db1584aef2df5beafe7d30d8274a31f1d033142cfb14a6e3b6e33e6a1ca37c
Opcode Fuzzy Hash: 64654407de6fea05a9e821077d4e0a8d40194f1d0e69a275f574cc2f1ba16f52
Instruction Fuzzy Hash: 10F0BE3220468AFFDF119F91CC04BAABBB9FB04351F108825FA60A58E0D731C061EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5B296 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6CB5B2A8
GetProcAddress.KERNEL32(00000000,GetFileAttributesTransactedW), ref: 6CB5B2B8

Strings

GetFileAttributesTransactedW, xrefs: 6CB5B2B2
kernel32.dll, xrefs: 6CB5B2A3

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetFileAttributesTransactedW$kernel32.dll
API String ID: 1646373207-1378992308
Opcode ID: 8a04cc323eca85e505a572987b9430e1c08cf23e822cd7464d8c684fe0051225
Instruction ID: 040a8dc42c92eabaa84ef420e52e01316b6ad97fe14c9c967c9ae6d042689bc9
Opcode Fuzzy Hash: 8a04cc323eca85e505a572987b9430e1c08cf23e822cd7464d8c684fe0051225
Instruction Fuzzy Hash: FCF03031205245FFEF111FA68C08BAA7FB8EB55656F90442AF450E1C50D772C471CA61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5D245 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB5D24C
GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 6CB5D28D

Part of subcall function 6CB51D28: ActivateActCtx.KERNEL32(?,?,6CC92060,00000010,6CB54749,hhctrl.ocx,6CB5397B,0000000C), ref: 6CB51D48

Strings

SHCreateItemFromParsingName, xrefs: 6CB5D287
Shell32.dll, xrefs: 6CB5D265

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ActivateAddressH_prolog3Proc
String ID: SHCreateItemFromParsingName$Shell32.dll
API String ID: 323876227-214508289
Opcode ID: 6636fc878f232e843839e11f027598b5ce60d0c6425f9171d59c744acf0fb562
Instruction ID: e2abf1a33b38b5e919db5e52ac11b04f8782d8ab5f88b784aa3b6df18adc08bf
Opcode Fuzzy Hash: 6636fc878f232e843839e11f027598b5ce60d0c6425f9171d59c744acf0fb562
Instruction Fuzzy Hash: 8BF05431604289ABDF01DFF9EE49B9D3BB0AB81358F488604F414D6991D7B2C574AF45

Uniqueness

Uniqueness Score: -1.00%

Function 6CB96DB3 Relevance: 6.3, APIs: 4, Instructions: 258keyboardCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(6CC74068), ref: 6CB96DDF
GetKeyState.USER32(00000011), ref: 6CB96DE7
IsRectEmpty.USER32(?), ref: 6CB96E44
GetWindowRect.USER32(?,6CC74068), ref: 6CB96FC1

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Empty$StateWindow
String ID:
API String ID: 2684165152-0
Opcode ID: 3c60e5a28857cc1bf8c0008cbb289164dd65cc8f296bd27fe13bf555c4fd1d0a
Instruction ID: 9abe2f77b46ff06e52406a7e72a80dd7b05fc37cdc3fe3630ce8eae2ada7e7ae
Opcode Fuzzy Hash: 3c60e5a28857cc1bf8c0008cbb289164dd65cc8f296bd27fe13bf555c4fd1d0a
Instruction Fuzzy Hash: 9F91AE31A00245AFDF05CFA4C844FEEBBB9FF4A314F208169E905E76A4DB719851CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6CB48910 Relevance: 6.2, APIs: 4, Instructions: 199memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 6CB48A14
std::exception::exception.LIBCMT ref: 6CB48A92
__CxxThrowException@8.LIBCMT ref: 6CB48AAF

Part of subcall function 6CC3A59F: RaiseException.KERNEL32(6CB42DF8,00000000,D7F0CEE4,6CC88058,6CB42DF8,00000000,6CC9DBD8,?,D7F0CEE4), ref: 6CC3A5E1

VariantClear.OLEAUT32(?), ref: 6CB48AB8

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AllocClearExceptionException@8RaiseStringThrowVariantstd::exception::exception
String ID:
API String ID: 2354423826-0
Opcode ID: b6120307080743ead99171307204307524cce21c2680804cd5bccb15f149f7d7
Instruction ID: e8137c091b6e01dffd3e75c645d70b28693bb58445cea2ba34ae8790f7fb6fce
Opcode Fuzzy Hash: b6120307080743ead99171307204307524cce21c2680804cd5bccb15f149f7d7
Instruction Fuzzy Hash: 97716972D04258AFCB00DFE8C880A9EFBB5FF49308F24852EE515AB654D772A945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB63AE4 Relevance: 6.2, APIs: 4, Instructions: 175COMMON

Download Yara Rule

APIs

IsRectEmpty.USER32(?), ref: 6CB63BBB
IsWindow.USER32(?), ref: 6CB63C0B
SetRectEmpty.USER32(?), ref: 6CB63C87
SetRectEmpty.USER32(?), ref: 6CB63C8D

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: EmptyRect$Window
String ID:
API String ID: 1945993337-0
Opcode ID: 82a16dbea7170303e2dff398632b8db4d633948e7902799c932e80419f822af1
Instruction ID: 16e46a14cea6fd15874a548457ea11e10a42a007127783b147b5021c4fe5b755
Opcode Fuzzy Hash: 82a16dbea7170303e2dff398632b8db4d633948e7902799c932e80419f822af1
Instruction Fuzzy Hash: E451A131A01605CFDB06CF69C880BEA77F9FF45318F1902A9EC19AFA56DB70A905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6CBC3F43 Relevance: 6.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CBC4009
GetSysColorBrush.USER32(0000000F), ref: 6CBC4072
SetClassLongW.USER32(?,000000F6,00000000), ref: 6CBC407E
GetWindowRect.USER32(?,?), ref: 6CBC40A1

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: BrushClassColorLongRectWindow_memset
String ID:
API String ID: 2638262843-0
Opcode ID: fa50e994ff339eac5fefc8ee7b71684ad0c835eb7503f9eee7ae0f9644b7ccf1
Instruction ID: b2268c52f83d0e556b781926d99db4acf1fbda18c9fa986e163936599afb3edc
Opcode Fuzzy Hash: fa50e994ff339eac5fefc8ee7b71684ad0c835eb7503f9eee7ae0f9644b7ccf1
Instruction Fuzzy Hash: F06148B0A00249AFDF10CFA9C884AEEBBF9FF48314F10452AE959E7750EB3499058F51

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4AC00 Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 6CB4AC87
__CxxThrowException@8.LIBCMT ref: 6CB4ACA4
std::exception::exception.LIBCMT ref: 6CB4AD23
__CxxThrowException@8.LIBCMT ref: 6CB4AD40

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: 2f5fe74fe94e5c7c14cd80dcf406f0fbcdab16947b3ff1d440eb03305bcedd70
Instruction ID: 259bec9e2de732d155f5f33c6a71fe711ff2671e770ce02eb12ec1bdd57245cb
Opcode Fuzzy Hash: 2f5fe74fe94e5c7c14cd80dcf406f0fbcdab16947b3ff1d440eb03305bcedd70
Instruction Fuzzy Hash: DC615CB1A04259EFDB00DF94C980ADEBBB8FF48314F248159E904AB744E735AD05CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB861D Relevance: 6.2, APIs: 4, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 6CBB86B9
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6CBB86FF
RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 6CBB870F
IsWindowVisible.USER32(?), ref: 6CBB87B4

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSendWindow$RedrawVisible
String ID:
API String ID: 2376333906-0
Opcode ID: b97ee6f1241c6580c0623707cd48b20f37e3755aa1703765e13ddafc1c2763a7
Instruction ID: d97c33eeb860bf2627e678d48c95fbdb53470b6bb50a20d89b00920b0d9e4dc5
Opcode Fuzzy Hash: b97ee6f1241c6580c0623707cd48b20f37e3755aa1703765e13ddafc1c2763a7
Instruction Fuzzy Hash: EC519070200641AFCB159F66C888DBE37B6FF89708B344569E146ABE90DF32E841CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6CC0B40D Relevance: 6.2, APIs: 4, Instructions: 157COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 6CC0B43F
SetRectEmpty.USER32(?), ref: 6CC0B4D1
SetRect.USER32(?,0000000A,?,?), ref: 6CC0B508
CopyRect.USER32(?,?), ref: 6CC0B541

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$CopyEmptyWindow
String ID:
API String ID: 2176940440-0
Opcode ID: c0cfd6ad770fc8b10d7456dcfc39cfd794c3e8b93b18684d2b520b087b7b5e5c
Instruction ID: 1b520afa1f027f8398c50a59c1cc1d25f6ee87f492356b909e0cc176ef46e877
Opcode Fuzzy Hash: c0cfd6ad770fc8b10d7456dcfc39cfd794c3e8b93b18684d2b520b087b7b5e5c
Instruction Fuzzy Hash: D751E5B1E01219EFCB05DFE9C9948EEBBB8EF89704B20415AE415B7604E771AA45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5B65C Relevance: 6.2, APIs: 4, Instructions: 155timeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CB5B67F
GetFileTime.KERNEL32(?,?,?,?), ref: 6CB5B6BD
GetFileSizeEx.KERNEL32(?,?), ref: 6CB5B6D5

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: File$SizeTime_memset
String ID:
API String ID: 151880914-0
Opcode ID: 825d3bb923d36f2ece85effe11a61149fe8ca311aff6448536fc4d776755f97f
Instruction ID: 88d6a32e3190d49ee650aec30cfe24a7e12cfbc3ef5ecae3f6bc94bc5b5241a3
Opcode Fuzzy Hash: 825d3bb923d36f2ece85effe11a61149fe8ca311aff6448536fc4d776755f97f
Instruction Fuzzy Hash: AC514E71A04745EFC714DFA9D880CAAB7F8FF19314B508A2DE066D3A90E730E954CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5D483 Relevance: 6.1, APIs: 4, Instructions: 149COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 6CB5D49C
_wcslen.LIBCMT ref: 6CB5D4BE
_wcslen.LIBCMT ref: 6CB5D4FF
_wcslen.LIBCMT ref: 6CB5D5D4

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: e593da9d0bfca90ab36559fc60afaf7f3ebe11769362c2a317cc1b0965092a2a
Instruction ID: a1bda4953cebec6aff464bd11694b04121e0fc653709f4f5e445149d8207a392
Opcode Fuzzy Hash: e593da9d0bfca90ab36559fc60afaf7f3ebe11769362c2a317cc1b0965092a2a
Instruction Fuzzy Hash: A751A332D04669EFCF11DFB8E9808DEB7B5EF48318B50861AE814B7604DB30AE55CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB560FE Relevance: 6.1, APIs: 4, Instructions: 132windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB56105
SendDlgItemMessageA.USER32(?,?,?,00000000,?), ref: 6CB56251

Part of subcall function 6CB4BAB7: _malloc.LIBCMT ref: 6CB4BAD5

SendDlgItemMessageW.USER32(?,?,0000040B,00000000,?), ref: 6CB561DD

Part of subcall function 6CB5A54D: __EH_prolog3.LIBCMT ref: 6CB5A554

SendDlgItemMessageW.USER32(?,?,0000037C,?,?), ref: 6CB5620F

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ItemMessageSend$H_prolog3$_malloc
String ID:
API String ID: 2480034192-0
Opcode ID: 9ca580215aff20e289d4155b9c9366feb9db6bd8a1b299d55728872c26f35123
Instruction ID: 98a8c7b7acdf3a90603d3cb4bc8688d17015ce2058a3bbe1007934349e8f4eea
Opcode Fuzzy Hash: 9ca580215aff20e289d4155b9c9366feb9db6bd8a1b299d55728872c26f35123
Instruction Fuzzy Hash: 5D41F170904584ABDF109FA9CC00BFE36B4FF40328F904219F965EBBD4DB718A629B91

Uniqueness

Uniqueness Score: -1.00%

Function 6CBBB185 Relevance: 6.1, APIs: 4, Instructions: 129COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CBBB18C

Part of subcall function 6CB4BCE0: __CxxThrowException@8.LIBCMT ref: 6CB4BCF6
Part of subcall function 6CB4BCE0: __EH_prolog3.LIBCMT ref: 6CB4BD03

Part of subcall function 6CB4BAF7: __EH_prolog3_catch.LIBCMT ref: 6CB4BAFE

GetWindowRect.USER32(?,?), ref: 6CBBB280
GetSystemMetrics.USER32(00000010), ref: 6CBBB28E
GetSystemMetrics.USER32(00000011), ref: 6CBBB299

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MetricsSystem$Exception@8H_prolog3H_prolog3_H_prolog3_catchRectThrowWindow
String ID:
API String ID: 3575448974-0
Opcode ID: 593c002e137a8c617e9b1655bd21f6076586c9faed91775b6d529958a419604f
Instruction ID: f986fe1322ec459b4a39638800331ccb2845398efc5dce45e3ebc222bde1c552
Opcode Fuzzy Hash: 593c002e137a8c617e9b1655bd21f6076586c9faed91775b6d529958a419604f
Instruction Fuzzy Hash: FA415871A006599FCB04DFA8C889AEEBBB5FF48304F044569E906FB790CB70A904CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6CBA4267 Relevance: 6.1, APIs: 4, Instructions: 120COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6CBA4327
SetRectEmpty.USER32(?), ref: 6CBA4334
SetRectEmpty.USER32(?), ref: 6CBA43E2
SetRectEmpty.USER32 ref: 6CBA443F

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: d1a377fbddf61d01ea7fcfaccf5243adfbb25852e4e8c5cd0aabdd4c38a5d222
Instruction ID: e9a6508906c9d19d54c037b0ee27e8cc617ca4a64296d373b066589ea7b8f8bb
Opcode Fuzzy Hash: d1a377fbddf61d01ea7fcfaccf5243adfbb25852e4e8c5cd0aabdd4c38a5d222
Instruction Fuzzy Hash: 4B5178B1905B858EC760CF7AC6846DBFAF8FF95304F104A2FD0AAD2661DBB064858F51

Uniqueness

Uniqueness Score: -1.00%

Function 6CB65D1C Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6CB65DA9
RedrawWindow.USER32(?,?,00000000,00000105), ref: 6CB65DC4
IsRectEmpty.USER32(?), ref: 6CB65E16
RedrawWindow.USER32(?,?,00000000,00000105), ref: 6CB65E31

Part of subcall function 6CB639E5: RedrawWindow.USER32(00000000,?,00000000,00000105), ref: 6CB63A4F

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: RedrawWindow$EmptyRect
String ID:
API String ID: 138230908-0
Opcode ID: e5ff0e274eb7e4f916aaca820984807b2a81cae1dec690c98e48b2cac0f83fe6
Instruction ID: e58464e3f2ba8394efee37de46c847465a0d2074a699eec35faff648db1e977f
Opcode Fuzzy Hash: e5ff0e274eb7e4f916aaca820984807b2a81cae1dec690c98e48b2cac0f83fe6
Instruction Fuzzy Hash: D8419E72A00556DFDF00CFA5C884FEE77B9EB49300F140175E905ABA92D770A955CB68

Uniqueness

Uniqueness Score: -1.00%

Function 6CB79F16 Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 6CB79FE2
ClientToScreen.USER32(?,?), ref: 6CB79FF2
IsWindow.USER32(?), ref: 6CB7A014
ClientToScreen.USER32(?,?), ref: 6CB7A049

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ClientScreenWindow
String ID:
API String ID: 1643562046-0
Opcode ID: 8be87debeeb943179cd2f6fb6ee588d4f022d6e4267eb21b812ccf496d045718
Instruction ID: d8a0829b00f05a05d8adef25f2b45987327b4fa1f807ae93fb7f153c1c04723f
Opcode Fuzzy Hash: 8be87debeeb943179cd2f6fb6ee588d4f022d6e4267eb21b812ccf496d045718
Instruction Fuzzy Hash: 8441B571900641EEEF218F54C894EEE7BB9EF04304F204869ED65D6950E731E951DB21

Uniqueness

Uniqueness Score: -1.00%

Function 6CB7A8BC Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 6CB7A988
ClientToScreen.USER32(?,?), ref: 6CB7A998
IsWindow.USER32(?), ref: 6CB7A9BA
ClientToScreen.USER32(?,?), ref: 6CB7A9EF

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ClientScreenWindow
String ID:
API String ID: 1643562046-0
Opcode ID: bc830e870ce18a5c35956bc686f942c5fca09234b5e3621d7dc49b9cf7c0ac5a
Instruction ID: b2618a29ba36ad1e3e8fd0763a3d9850f2471143155f9f3f2c73bd0333f53dc3
Opcode Fuzzy Hash: bc830e870ce18a5c35956bc686f942c5fca09234b5e3621d7dc49b9cf7c0ac5a
Instruction Fuzzy Hash: 4941C271500684EEDF618F64CC90EBE77B8EF05344F214469EDA5E29A0EB31DA60CF22

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB1BEF Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6CBB1C18
GetWindowRect.USER32(?,?), ref: 6CBB1C4F
GetClientRect.USER32(?,?), ref: 6CBB1C6D

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$ClientEmptyWindow
String ID:
API String ID: 742297903-0
Opcode ID: eabb0ea20e4c8d8fa10983644e9210ac1ac2ed95fb9d56eb33dd9229d8307943
Instruction ID: 4a6b2315682133580efaae46da2bfd4ecce5e31be4089a30bdf042a6c6b943a7
Opcode Fuzzy Hash: eabb0ea20e4c8d8fa10983644e9210ac1ac2ed95fb9d56eb33dd9229d8307943
Instruction Fuzzy Hash: D4314DB1A04149EFCB04DF68C984AAEB7F4FF09304B148169E41AEB650DB30ED10CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CC0B6A7 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6CC0B6FD
IsRectEmpty.USER32(?), ref: 6CC0B707
SetRectEmpty.USER32(?), ref: 6CC0B75E
SetRectEmpty.USER32(?), ref: 6CC0B764

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: 548ce9a34b9f0a02b65af135828a15a6b960f1be5253d1aa701c62759eb57159
Instruction ID: 6711b9cb71ab40acec5794b58adc77a91e8d951cfe1d719bf9346a51e99bc668
Opcode Fuzzy Hash: 548ce9a34b9f0a02b65af135828a15a6b960f1be5253d1aa701c62759eb57159
Instruction Fuzzy Hash: D131CD71B00608DBCF05CFA8C8D08DEB7B8EF49719B2051ABE904AB605E772D945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CB49900 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CB49931
std::exception::exception.LIBCMT ref: 6CB49979

Part of subcall function 6CC3963D: std::exception::operator=.LIBCMT ref: 6CC39656

__CxxThrowException@8.LIBCMT ref: 6CB49996

Part of subcall function 6CC3A59F: RaiseException.KERNEL32(6CB42DF8,00000000,D7F0CEE4,6CC88058,6CB42DF8,00000000,6CC9DBD8,?,D7F0CEE4), ref: 6CC3A5E1

VariantClear.OLEAUT32(?), ref: 6CB499E5

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Variant$ClearExceptionException@8InitRaiseThrowstd::exception::exceptionstd::exception::operator=
String ID:
API String ID: 727364679-0
Opcode ID: a81befc7011d2971f00be7beea722bf430da082ff96fcd077efef867efbe2c29
Instruction ID: d0ad7df78c237671680234a64c317dac733524e187be7d86e89a940c12cf9ba5
Opcode Fuzzy Hash: a81befc7011d2971f00be7beea722bf430da082ff96fcd077efef867efbe2c29
Instruction Fuzzy Hash: 193138B2D012289FCB00CF98D984ADEBBF8FF48714F15855AE515A7750E774A9048BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB64C1F Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(00000000), ref: 6CB64C40
ScreenToClient.USER32(?,00000000), ref: 6CB64C4D
SetCursor.USER32 ref: 6CB64C7A
PtInRect.USER32(?,00000000,00000000), ref: 6CB64CE4

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Cursor$ClientRectScreen
String ID:
API String ID: 2390797981-0
Opcode ID: 05990429f7f943734d330630685e91cc13b371c43ab56ac98076be2c6e4238f7
Instruction ID: fdf0620e2588f9d16509474b29c06e53d035ed0c8cb1cc69e8082f0d6c57f850
Opcode Fuzzy Hash: 05990429f7f943734d330630685e91cc13b371c43ab56ac98076be2c6e4238f7
Instruction Fuzzy Hash: F221A932600A49EFCF11DFA6C958A8EBBBAEF41319F100558E40AE2A00DB35EA44CF40

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6D239 Relevance: 6.1, APIs: 4, Instructions: 71windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB6D240
GetSystemPaletteEntries.GDI32(?,00000000,00000100,00000004), ref: 6CB6D2A8
CreatePalette.GDI32(00000000), ref: 6CB6D2F3

Part of subcall function 6CB6CE1C: GetObjectW.GDI32(?,00000002,?), ref: 6CB6CE2B

Part of subcall function 6CB4BAB7: _malloc.LIBCMT ref: 6CB4BAD5

GetPaletteEntries.GDI32(00000000,00000000,00000000,00000004), ref: 6CB6D2DA

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Palette$Entries$CreateH_prolog3ObjectSystem_malloc
String ID:
API String ID: 437169817-0
Opcode ID: ac728ab4eb3c3ceb42796ea7ab16988cc6fbe1169a1aed4e73f74318c2811c27
Instruction ID: 2fbcb6a5901fd33282cf926afc78b3a371033a2a99ba346dd320230ba5faf8aa
Opcode Fuzzy Hash: ac728ab4eb3c3ceb42796ea7ab16988cc6fbe1169a1aed4e73f74318c2811c27
Instruction Fuzzy Hash: 2A21DE72604280AFEB44DFA4C844FCE77B4EF49314F248029E659DBA90DF70D408CB22

Uniqueness

Uniqueness Score: -1.00%

Function 6CC3C6EB Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: 1780868761b4bf14572f925e0fb6ccfb06f9a2e83f5122ee51ba0e2777922850
Instruction ID: fbc583480f652f49283cd8fa0024a5094ca7c6101e15075ca53c53b9a9a60697
Opcode Fuzzy Hash: 1780868761b4bf14572f925e0fb6ccfb06f9a2e83f5122ee51ba0e2777922850
Instruction Fuzzy Hash: 7011B476A00235BFDF116FA5EC4DA8E3BB8EB86768F105314ED0997690EB318D51C790

Uniqueness

Uniqueness Score: -1.00%

Function 6CC1ED62 Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,00000005,00000005,?,00000000,?,6CC1F045,00000005,?), ref: 6CC1ED82
LoadResource.KERNEL32(?,00000000,?,00000000,?,6CC1F045,00000005,?), ref: 6CC1ED97
LockResource.KERNEL32(00000000,?,00000000,?,6CC1F045,00000005,?), ref: 6CC1EDA9
GlobalFree.KERNEL32(?), ref: 6CC1EDE3

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Resource$FindFreeGlobalLoadLock
String ID:
API String ID: 3898064442-0
Opcode ID: 972e2d09289062cdfc2e2e45e05ad0bba4348162ea8919d9b05b82b7821d94a3
Instruction ID: 4d59019054c24491507fde0ae29c70f1237b4aa36e150ca7ec7809a3c5952a14
Opcode Fuzzy Hash: 972e2d09289062cdfc2e2e45e05ad0bba4348162ea8919d9b05b82b7821d94a3
Instruction Fuzzy Hash: 8111B2352046409FDB11AF67C848F5A7BF5EF857A9B14806DE829D7E10FB30D815AB50

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4D284 Relevance: 6.1, APIs: 4, Instructions: 62windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB4D28B

Part of subcall function 6CB4BAB7: _malloc.LIBCMT ref: 6CB4BAD5

__CxxThrowException@8.LIBCMT ref: 6CB4D2D0
FormatMessageW.KERNEL32(00001100,00000000,00000007,00000800,8007000E,00000000,00000000,?,6CB44E17,6CC91C3C,00000004,6CB459F8,6CB44E17,?,6CB482C3,8007000E), ref: 6CB4D2FA
LocalFree.KERNEL32(8007000E,6CB482C3,8007000E,?,6CB44E17), ref: 6CB4D328

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc
String ID:
API String ID: 1776251131-0
Opcode ID: c7f7a6bc7cb592698e19452162239af33b90538cc5e9c797b68f14fa7e1d8283
Instruction ID: a0770198263870d60409ed7eb4c109c3cbffea74d86c00413be171b1a747c871
Opcode Fuzzy Hash: c7f7a6bc7cb592698e19452162239af33b90538cc5e9c797b68f14fa7e1d8283
Instruction Fuzzy Hash: 1B11E671504298EFDF018FA4DC00AEE37B5EF44714F10C618F9249AA94E770CA60DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6CB77ADE Relevance: 6.1, APIs: 4, Instructions: 61windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6CB77AEF
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6CB77B32
RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 6CB77B3E
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 6CB77B1D

Part of subcall function 6CBB80A9: SendMessageW.USER32(?,00000234,00000000,00000000), ref: 6CBB8124
Part of subcall function 6CBB80A9: SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6CBB814B
Part of subcall function 6CBB80A9: SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6CBB8168
Part of subcall function 6CBB80A9: SendMessageW.USER32(?,00000222,?,00000000), ref: 6CBB817F

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSend$ParentRedrawWindow
String ID:
API String ID: 2139789815-0
Opcode ID: 45189346facbd85dfe934f582f585670d8458673ffcb9498dde0b5f9fd5bb6e1
Instruction ID: ce8f400841fec9e3a7582d7fb93689ae9085adaeed878b7bddefdafbd75da0e2
Opcode Fuzzy Hash: 45189346facbd85dfe934f582f585670d8458673ffcb9498dde0b5f9fd5bb6e1
Instruction Fuzzy Hash: 7E11A371200244BFEB225FA1CCD8E6E7A79FB84388F204129F915A7650DBB19C548B61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6FF47 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,00000000,00000005), ref: 6CB6FF72
LoadResource.KERNEL32(?,00000000), ref: 6CB6FF7A
LockResource.KERNEL32(00000000), ref: 6CB6FF8C
FreeResource.KERNEL32(00000000), ref: 6CB6FFDA

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 2c92f90b833913a2d563f7efe7047433af807fc6dcb999af17112a4a94658559
Instruction ID: c68d3087a02b6d25af6396f2b458b720ee573a7a831fcbf5a0ac6b77c118edfa
Opcode Fuzzy Hash: 2c92f90b833913a2d563f7efe7047433af807fc6dcb999af17112a4a94658559
Instruction Fuzzy Hash: 84110131202650EFEB109FA2C884B6BB3B4FF05359F108129F86253E90E774ED54EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CB58191 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB5670A: GetDlgItem.USER32(?,?), ref: 6CB5671B

GetWindowLongW.USER32(?,000000F0), ref: 6CB581AE
GetWindowTextLengthW.USER32(?), ref: 6CB581DB
GetWindowTextW.USER32(?,00000000,00000100), ref: 6CB5820A
SendMessageW.USER32(?,0000014D,000000FF,?), ref: 6CB5822B

Part of subcall function 6CB56ABF: lstrlenW.KERNEL32(?,?,?), ref: 6CB56AEB
Part of subcall function 6CB56ABF: _memset.LIBCMT ref: 6CB56B09
Part of subcall function 6CB56ABF: GetWindowTextW.USER32(00000000,?,00000100), ref: 6CB56B23
Part of subcall function 6CB56ABF: lstrcmpW.KERNEL32(?,?,?,?), ref: 6CB56B35
Part of subcall function 6CB56ABF: SetWindowTextW.USER32(00000000,?), ref: 6CB56B41

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$Text$ItemLengthLongMessageSend_memsetlstrcmplstrlen
String ID:
API String ID: 205973220-0
Opcode ID: ae2b3e673c3cf297feae5b3849b537dae3b627938099dc0a35ce5d7df25f0f21
Instruction ID: 49aed0e335bb72cdb2eb09a5f0a653158192991f2d4a4e587c296334cb650768
Opcode Fuzzy Hash: ae2b3e673c3cf297feae5b3849b537dae3b627938099dc0a35ce5d7df25f0f21
Instruction Fuzzy Hash: F7118E31184289BFCF019F60CC00EEE3B65EF09324F54821AF929666E0CB72D8A1DB51

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4FE74 Relevance: 6.1, APIs: 4, Instructions: 54windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,00000000,?), ref: 6CB4FEB0

Part of subcall function 6CB4BCE0: __CxxThrowException@8.LIBCMT ref: 6CB4BCF6
Part of subcall function 6CB4BCE0: __EH_prolog3.LIBCMT ref: 6CB4BD03

GetFocus.USER32 ref: 6CB4FEC6
GetParent.USER32(?), ref: 6CB4FED4
SendMessageW.USER32(?,00000028,00000000,00000000), ref: 6CB4FEE7

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: EnableException@8FocusH_prolog3ItemMenuMessageParentSendThrow
String ID:
API String ID: 3849708097-0
Opcode ID: 70aef3bbd0d8c895eefe4a54db5b6de45bfd2b6f6143426ba831cdb6476f7b18
Instruction ID: 30969120288792dfd7d691d8b937f08cd5c4d6363a214dcc20f9b918b9d44d7e
Opcode Fuzzy Hash: 70aef3bbd0d8c895eefe4a54db5b6de45bfd2b6f6143426ba831cdb6476f7b18
Instruction Fuzzy Hash: DA11E172105644EFDB249F20CC84C5FBBBAFF8531A710CA29F14693DA8CB30E855DAA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB72DA4 Relevance: 6.1, APIs: 4, Instructions: 52fileCOMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 6CB72DC2
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 6CB72DDB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 6CB72E0E
DragFinish.SHELL32(?), ref: 6CB72E36

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Drag$FileQuery$ActiveFinishWindow
String ID:
API String ID: 892977027-0
Opcode ID: 3ecf08f24daef4fe63042ac5f274c3c9010f17757efc1ca2e5a44f736fb58af9
Instruction ID: ddb83f696c3f7f529455e972635d6573eb495568948349b00b12997e256f2cdb
Opcode Fuzzy Hash: 3ecf08f24daef4fe63042ac5f274c3c9010f17757efc1ca2e5a44f736fb58af9
Instruction Fuzzy Hash: DA115E71A4021CABCB10EB64CC8CBDEB7B8FB59315F500599E129A7281CB709A448F61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB61329 Relevance: 6.1, APIs: 4, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6CB61366
GetSystemMetrics.USER32(0000002D), ref: 6CB6137A
GetSystemMetrics.USER32(00000002), ref: 6CB61382
SendMessageW.USER32(?,0000101E,00000000,00000000), ref: 6CB6139A

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MetricsSystem$ClientMessageRectSend
String ID:
API String ID: 2251314529-0
Opcode ID: 42cb785072ea22690641a772204cef3ecd8cb242f9094cd0e98acf4d75b62aa3
Instruction ID: 78c69d06fdcd5856b0bd12b3f3539634c6e3e7fc74d678e00ababe591f2a2d64
Opcode Fuzzy Hash: 42cb785072ea22690641a772204cef3ecd8cb242f9094cd0e98acf4d75b62aa3
Instruction Fuzzy Hash: 83016172F01218AFDF04DFBAC949AAE7BF4EB48300F55016AE905F7584DA70D900CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6CB53D4A Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 6CB53D5A
GetTopWindow.USER32(00000000), ref: 6CB53D99
GetWindow.USER32(00000000,00000002), ref: 6CB53DB7

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: d402e1c773295c3017a00c7bfd51912c16746681f91f92bb5d538e8bbcaaf260
Instruction ID: 0d25b66963903466cd80df37f53ca785c5602871040a8d04f52f7d8727240fa0
Opcode Fuzzy Hash: d402e1c773295c3017a00c7bfd51912c16746681f91f92bb5d538e8bbcaaf260
Instruction Fuzzy Hash: DE01E93A1012AABBCF125E958C04EDE3A36EF45354F808010FA14666A0C73AC535DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB75A2 Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00000000), ref: 6CBB75BF

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CountItemMenu
String ID:
API String ID: 1409047151-0
Opcode ID: 307b4a9fd484069f19042b958567f759a548975e8a9837ac2afdab0b5cba028e
Instruction ID: 287cbb59cb1fe6506de53c96bbcf952678bf69d969593fec730ea5f28f2e1f29
Opcode Fuzzy Hash: 307b4a9fd484069f19042b958567f759a548975e8a9837ac2afdab0b5cba028e
Instruction Fuzzy Hash: 2701D671A0018ABFDB024B69CDD497E7AB9EB45344F200529F801F7500DFB0CE4087B1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5344A Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 6CB53457
GetTopWindow.USER32(00000000), ref: 6CB5346A

Part of subcall function 6CB5344A: GetWindow.USER32(00000000,00000002), ref: 6CB534B1

GetTopWindow.USER32(?), ref: 6CB5349A

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: ae1e5305dbe3d78cb7dc54ad4c1089a754a18b6abf9a84b58c38935302da3ad9
Instruction ID: 4d5f66d2a409a3970ac4d77bc4494c97e2abeea5953c51dacdc063709ae67f45
Opcode Fuzzy Hash: ae1e5305dbe3d78cb7dc54ad4c1089a754a18b6abf9a84b58c38935302da3ad9
Instruction Fuzzy Hash: 060186321026A5BBCF135E629C14EDF3B79EF42798F848220FD14A7B10D739C5358AA2

Uniqueness

Uniqueness Score: -1.00%

Function 6CB80A1B Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

InflateRect.USER32(?,00000002,00000002), ref: 6CB80A57
InvalidateRect.USER32(?,?,00000001), ref: 6CB80A68
UpdateWindow.USER32(?), ref: 6CB80A71
SetRectEmpty.USER32(?), ref: 6CB80A7E

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$EmptyInflateInvalidateUpdateWindow
String ID:
API String ID: 3040190709-0
Opcode ID: e333fbec87f9c08ec465c612869d0cf9bdc2f3903483308697c1ad57c999037b
Instruction ID: 5858868197b0e797abb9fe1232076e66501832c71b00449a7c5251a2ef002ba3
Opcode Fuzzy Hash: e333fbec87f9c08ec465c612869d0cf9bdc2f3903483308697c1ad57c999037b
Instruction Fuzzy Hash: 960192726001199FCF00DFA9C889ADA7BB8FF06324F510275AD1AEF096CB709605CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6CB63A66 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,?,00000001,?,?,6CB63E7E), ref: 6CB63A85
InvalidateRect.USER32(?,?,00000001), ref: 6CB63AA6
InvalidateRect.USER32(?,?,00000001,00000000), ref: 6CB63ACB
UpdateWindow.USER32(?), ref: 6CB63ADB

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: InvalidateRect$UpdateWindow
String ID:
API String ID: 488614814-0
Opcode ID: 75bf96959b3e65afff1255c74c211d77c1cb592f049352cf4e826c89223d29df
Instruction ID: f2d2595ef44ce100ee7abd924e0dc77c740b1366854f54d4566ea8258dff3e02
Opcode Fuzzy Hash: 75bf96959b3e65afff1255c74c211d77c1cb592f049352cf4e826c89223d29df
Instruction Fuzzy Hash: 1D014472201640EFE711CB2ACC80F96BBF9FF48314F550659E1A997AA1D7B1E880DB10

Uniqueness

Uniqueness Score: -1.00%

Function 6CB565FE Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,000000F0), ref: 6CB56624
LoadResource.KERNEL32(?,00000000), ref: 6CB56630
LockResource.KERNEL32(00000000), ref: 6CB5663D
FreeResource.KERNEL32(00000000,00000000), ref: 6CB56659

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 77e814dfa29c4d6bdf6be58a4c7c34c8096c016526bb1e13c41513ab1b449b09
Instruction ID: 792e80b209c77f07540e8ea5349660f0bebab20627de7faad0fa19c1e0c71f3f
Opcode Fuzzy Hash: 77e814dfa29c4d6bdf6be58a4c7c34c8096c016526bb1e13c41513ab1b449b09
Instruction Fuzzy Hash: 0FF0C272301285BFAB005FE588C8DAFB6BCEF855A97A04038FA15E3740DE70C82086A5

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6BD8F Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 6CB6BDB5
PtInRect.USER32(?,?,?), ref: 6CB6BDC8
SetCapture.USER32(?), ref: 6CB6BDD5
RedrawWindow.USER32(?,00000000,00000000,00000401,00000000), ref: 6CB6BDF4

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CaptureClientRectRedrawScreenWindow
String ID:
API String ID: 2178243973-0
Opcode ID: fc74bfbd1aa5582c65406497d21d0fcfc4e9ab53cd72ec21fc570ebc726282c6
Instruction ID: 35b23f9bc766dbde954123fd02fa07e49da6da1acdfed06c1ffce6133a323501
Opcode Fuzzy Hash: fc74bfbd1aa5582c65406497d21d0fcfc4e9ab53cd72ec21fc570ebc726282c6
Instruction Fuzzy Hash: A5014B71600258AFDF109FA1C808F8EBBB8FB08304F404559F65AE2650DB70E954DF10

Uniqueness

Uniqueness Score: -1.00%

Function 6CB56991 Relevance: 6.0, APIs: 4, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6CB569A6
GetParent.USER32(?), ref: 6CB569B5
GetParent.USER32(?), ref: 6CB569CB
SetFocus.USER32(?,00000000), ref: 6CB569E1

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Parent$Focus
String ID:
API String ID: 384096180-0
Opcode ID: 279cc4fd3e2dbe235c82b18237abc3da14c8dc2a6dfe80663f7b375fec0d9cee
Instruction ID: 918ac4bec23acb069c8b244c4c5cc2d9537c7706c1da5ed53a45332b4f0f85ee
Opcode Fuzzy Hash: 279cc4fd3e2dbe235c82b18237abc3da14c8dc2a6dfe80663f7b375fec0d9cee
Instruction Fuzzy Hash: 40F03C726016909BDB216F71C80CE8E76B9FF88318F950969A49196A60DB34D824CE51

Uniqueness

Uniqueness Score: -1.00%

Function 6CB703F3 Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,00000005), ref: 6CB7040F
LoadResource.KERNEL32(?,00000000), ref: 6CB70417
LockResource.KERNEL32(00000000), ref: 6CB70424
FreeResource.KERNEL32(00000000,00000000,?,?), ref: 6CB7043C

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 517c968d815360d5b425f3c3f19659895bd9b0e844414948d0bebfac5a371d64
Instruction ID: 6ad63e66d38e5207f0db39ffa36e94ce3e1943d3fa8319bb0ec13f86b7a1d2d5
Opcode Fuzzy Hash: 517c968d815360d5b425f3c3f19659895bd9b0e844414948d0bebfac5a371d64
Instruction Fuzzy Hash: 73F0BE32301214BFDB156BE98C4CC9FBBBDEF8A6A57008019FA19E3200DA74CD1087A4

Uniqueness

Uniqueness Score: -1.00%

Function 6CC2386F Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

Part of subcall function 6CB568C1: ShowWindow.USER32(?,?,?,?,?,6CB528E8,00000001), ref: 6CB568D2

UpdateWindow.USER32(?), ref: 6CC2389C
UpdateWindow.USER32(?), ref: 6CC238A8
SetRectEmpty.USER32(?), ref: 6CC238B4
SetRectEmpty.USER32(?), ref: 6CC238BD

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$EmptyRectUpdate$Show
String ID:
API String ID: 1262231214-0
Opcode ID: c2ee2baecaa02be5dd7671499af34fc0a59270759ee2cf65904010c4e5a52409
Instruction ID: ecc76d48e81ad0695514257fb13755bc40d0399eb4e3eee9eb2087c4f250f06d
Opcode Fuzzy Hash: c2ee2baecaa02be5dd7671499af34fc0a59270759ee2cf65904010c4e5a52409
Instruction Fuzzy Hash: 28F08232300B149FE721AB25CD00B4777FDBF81715F1A056AD599A7560DB74E805CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6CB77BAB Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

Part of subcall function 6CB777E5: GetModuleHandleW.KERNEL32(DWMAPI,?,?,00000000,?,?,?,?,?,?,?,?,6CBBC1DD), ref: 6CB7785C
Part of subcall function 6CB777E5: GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps), ref: 6CB7786C

Part of subcall function 6CB63307: __EH_prolog3.LIBCMT ref: 6CB6330E

GetWindowRect.USER32(?,?), ref: 6CB77C1E
SetWindowRgn.USER32(?,00000000,00000001), ref: 6CB77C6B

Strings

, xrefs: 6CB77C47

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$AddressH_prolog3HandleModuleProcRect
String ID:
API String ID: 2106468464-3916222277
Opcode ID: 282a27e3bcb0d9ee9969199fc1b6bce0a37230b3d7b544de0a15e3d3b779e301
Instruction ID: 97bce8200fd4414c31b33db0e74781c856e6328b44a58ac75a95a72f3c1d19f0
Opcode Fuzzy Hash: 282a27e3bcb0d9ee9969199fc1b6bce0a37230b3d7b544de0a15e3d3b779e301
Instruction Fuzzy Hash: 42513C70A00648DFCB26CF75C9449EFBBF5FF88344F20492EE86AA2610DB719950CB65

Uniqueness

Uniqueness Score: -1.00%

Function 6CB7BB36 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 6CB7BBA5
SystemParametersInfoW.USER32(00000026,00000000,?,00000000), ref: 6CB7BC42

Strings

, xrefs: 6CB7BBD0

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: InfoParametersRectSystemWindow
String ID:
API String ID: 85510744-3916222277
Opcode ID: 46fe3bc37abd7583e3b4148ebd7e04b8f949b01ba684ce6b61397d1963709bbf
Instruction ID: e72d912bb9a2f76051afe4aa9ac3406ada8f9033668d5a915e81860288de038d
Opcode Fuzzy Hash: 46fe3bc37abd7583e3b4148ebd7e04b8f949b01ba684ce6b61397d1963709bbf
Instruction Fuzzy Hash: 6A416071A00648EFCB25CF79C8849EEBBF5FF84344F10856EE86AA6210DB319644CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6CBC62DF Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105timeCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 6CBC63B3
KillTimer.USER32(?,00000002), ref: 6CBC63E2

Strings

, xrefs: 6CBC6397

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: KillRectTimerWindow
String ID:
API String ID: 1987732032-3916222277
Opcode ID: fa23dbe259d934a9c2bac07c93eefa03cdaaeb13b90e428da1b377389574e0f2
Instruction ID: 6f878a3070f11bcb320e29e90f13b73b3e00cc029a671fc124b0150552843bb8
Opcode Fuzzy Hash: fa23dbe259d934a9c2bac07c93eefa03cdaaeb13b90e428da1b377389574e0f2
Instruction Fuzzy Hash: 13319A71B046499FCB10CF68C884EEFB7B1FF88314F11452AE42AD7A41DB74A845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CB8E98C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB8E993

Part of subcall function 6CB596A4: MoveToEx.GDI32(?,?,?,?), ref: 6CB596CE
Part of subcall function 6CB596A4: MoveToEx.GDI32(?,?,?,?), ref: 6CB596DF

Part of subcall function 6CB59138: MoveToEx.GDI32(?,?,?,00000000), ref: 6CB59155
Part of subcall function 6CB59138: LineTo.GDI32(?,?,?), ref: 6CB59164

Part of subcall function 6CB59C76: SelectObject.GDI32(?,00000000), ref: 6CB59C9C
Part of subcall function 6CB59C76: SelectObject.GDI32(?,?), ref: 6CB59CB2

Strings

iii, xrefs: 6CB8E9B5
iii, xrefs: 6CB8E9C2

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Move$ObjectSelect$H_prolog3Line
String ID: iii$iii
API String ID: 3726201289-3499908146
Opcode ID: 83eaf7fea848127e191fac8095c6961adc14bc9bc571b085170fd64547846ad6
Instruction ID: 6026a8fb5ab6b37359577cc01154ee877debb08409c31329f7afa16e1a557361
Opcode Fuzzy Hash: 83eaf7fea848127e191fac8095c6961adc14bc9bc571b085170fd64547846ad6
Instruction Fuzzy Hash: E831A2B5A0019AEFCF01DFA4CD408EE7B76AF58308F404019F905A7790CB359A2ADF91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB41A90 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CB41B43

Strings

invalid vector<T> subscript, xrefs: 6CB41B3E
[CUIxMarket::GetRegionCodeAt] Exception was generated., xrefs: 6CB41B48

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: [CUIxMarket::GetRegionCodeAt] Exception was generated.$invalid vector<T> subscript
API String ID: 909987262-317599069
Opcode ID: 96bccbd88fcaafad37a956088d36efd170d6b2c88a2d4b654ee36e0c8109ad58
Instruction ID: f1dff66e70bae9572698bafb0baf90f46e666daed2386a7dcd460af9e057d72e
Opcode Fuzzy Hash: 96bccbd88fcaafad37a956088d36efd170d6b2c88a2d4b654ee36e0c8109ad58
Instruction Fuzzy Hash: D331E872E096589FCB00CFA8C884B9EB7A4EB44714F14C669D804EB754E731E916D7D1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6C0D9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

LoadImageW.USER32(?,-00004288,00000000,00000000,00000000,00002000), ref: 6CB6C12E
GetObjectW.GDI32(00000000,00000018,?), ref: 6CB6C145

Strings

Pl)u, xrefs: 6CB6C145

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ImageLoadObject
String ID: Pl)u
API String ID: 2222342736-3484285090
Opcode ID: cf3cc83ff8ce610ca2408128736551870bf160c056d5db87cd390153929769fd
Instruction ID: 97c1de0b0e50f86f5d32f6f70596f03cbbf118e964ce9fee2941c10d3a2d0099
Opcode Fuzzy Hash: cf3cc83ff8ce610ca2408128736551870bf160c056d5db87cd390153929769fd
Instruction Fuzzy Hash: B521EA713403846FEB2067B6CC85FAE72ADDB81748F20452EF615DBE91DE60D8448661

Uniqueness

Uniqueness Score: -1.00%

Function 6CB9EBA8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,00000018,?), ref: 6CB9EBD3
IntersectRect.USER32(00000000,?,00000000), ref: 6CB9EC3B

Strings

Pl)u, xrefs: 6CB9EBD3

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: IntersectObjectRect
String ID: Pl)u
API String ID: 3895296623-3484285090
Opcode ID: 3847d5135fbc1ea36d7ea1f03eef1dbc6dee2e895a58dbe7b74a9d9d411b96ae
Instruction ID: b91b96977dc9a24fcad895bfc993543b9603ce5f8ecf59f16a3199aeeabadf0f
Opcode Fuzzy Hash: 3847d5135fbc1ea36d7ea1f03eef1dbc6dee2e895a58dbe7b74a9d9d411b96ae
Instruction Fuzzy Hash: AA318271E11118AFDF04CFA5D945AEEBBB9FF89310F14412AE515F6280DB709A04CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CB9CEE8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,00000054,?), ref: 6CB9CF04

Strings

Pl)u, xrefs: 6CB9CF04
, xrefs: 6CB9CF15

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Object
String ID: $Pl)u
API String ID: 2936123098-1824918255
Opcode ID: 62b02e57764231dd330ac7162b90ffd15cd344ae6a0387be1d64f3dfe618c205
Instruction ID: 660b81f50a7bd31a2df0a08eed40dd64a99695362c9a85151cdb4e20323cdcad
Opcode Fuzzy Hash: 62b02e57764231dd330ac7162b90ffd15cd344ae6a0387be1d64f3dfe618c205
Instruction Fuzzy Hash: D221AB32B082C19FDB00DFA584407AAFBB6EF97308B2A80BAD44BDB545D232D50E8751

Uniqueness

Uniqueness Score: -1.00%

Function 6CB84677 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB8467E
SetRectEmpty.USER32(?), ref: 6CB8470E

Strings

Afx:ToolBar, xrefs: 6CB84714

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: EmptyH_prolog3_Rect
String ID: Afx:ToolBar
API String ID: 2941628838-177727192
Opcode ID: 0f049ee51b7b43fb35dacac0f5aa3316c955fe7518207867c5ad4a286c44e7bd
Instruction ID: 07d5ec0e56d700415563e056d1073b22884c2fc52bd9a44522a0924a5ea64112
Opcode Fuzzy Hash: 0f049ee51b7b43fb35dacac0f5aa3316c955fe7518207867c5ad4a286c44e7bd
Instruction Fuzzy Hash: D121E071A1125A9FCB00DFB4C995ADE7BF9FF48358F14062AE419E3680DB30C914CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CB42B20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CB42B2F

Part of subcall function 6CC4F971: std::exception::exception.LIBCMT ref: 6CC4F986
Part of subcall function 6CC4F971: __CxxThrowException@8.LIBCMT ref: 6CC4F99B
Part of subcall function 6CC4F971: std::exception::exception.LIBCMT ref: 6CC4F9AC

_memmove.LIBCMT ref: 6CB42B6A

Strings

invalid string position, xrefs: 6CB42B2A

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: 076e8b316386dc3bf2fe2ba3f84f5381aba9617a25b1e8e30a92d211710ecf3c
Instruction ID: 7b9903460f00053eb2326f39a2bd27e2b983e5b44807b41c75fbc1cae1dd4d27
Opcode Fuzzy Hash: 076e8b316386dc3bf2fe2ba3f84f5381aba9617a25b1e8e30a92d211710ecf3c
Instruction Fuzzy Hash: F40175313086528BC720CFBCD98481AB3F6AFD47083248A2DD095CBE1CEB31D846A792

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5CA84 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetMonitorInfoW.USER32(?,?), ref: 6CB5CAA9
CopyRect.USER32(?,?), ref: 6CB5CABB

Strings

(, xrefs: 6CB5CAA2

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CopyInfoMonitorRect
String ID: (
API String ID: 2119610155-3887548279
Opcode ID: 6607bb36fe1e772408639408a792f763cad9488a48f76241240b0527ec463ec3
Instruction ID: ae3e4ba92d45655d9f9bb9fa019cdf15a710287c06df5514b235f41de5ceb633
Opcode Fuzzy Hash: 6607bb36fe1e772408639408a792f763cad9488a48f76241240b0527ec463ec3
Instruction Fuzzy Hash: 7D11E5B5A00649EFCB00DFA8C58499EBBF5FF09340BA08859E45AE3604EB70F955CF61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5C34A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB529E3: GetModuleHandleW.KERNEL32(?,?,6CB52A2F,InitCommonControls), ref: 6CB529F1
Part of subcall function 6CB529E3: LoadLibraryW.KERNEL32(?,?,6CB52A2F,InitCommonControls), ref: 6CB52A01

GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 6CB5C37D
_memset.LIBCMT ref: 6CB5C396

Strings

DllGetVersion, xrefs: 6CB5C377

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc_memset
String ID: DllGetVersion
API String ID: 3385804498-2861820592
Opcode ID: f211ecb19b5d2cecf42329d0b3b46f706894a3ec757f49bf591c7ac31620ba18
Instruction ID: 5446f03e49b36c2ed5fc4565e266f4ef0ec4167a702258ec0a6d7fd15ef71f02
Opcode Fuzzy Hash: f211ecb19b5d2cecf42329d0b3b46f706894a3ec757f49bf591c7ac31620ba18
Instruction Fuzzy Hash: 9401B571F0021D9BDB00EFE9D845AEEB7F8AB08318F500165EA14E3691E730DD088795

Uniqueness

Uniqueness Score: -1.00%

Function 6CB47A20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CB47A33

Part of subcall function 6CC4F924: std::exception::exception.LIBCMT ref: 6CC4F939
Part of subcall function 6CC4F924: __CxxThrowException@8.LIBCMT ref: 6CC4F94E
Part of subcall function 6CC4F924: std::exception::exception.LIBCMT ref: 6CC4F95F

_memmove.LIBCMT ref: 6CB47A5E

Strings

vector<T> too long, xrefs: 6CB47A2E

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: e67deae9ed46b7de42f2e6cafafdce4e475f9c6fbea4f97b80d7b7a21c4b3053
Instruction ID: 22fef0d08f3cae825cb007014a831fdf474f8c0da7d6891f6cbde28704814833
Opcode Fuzzy Hash: e67deae9ed46b7de42f2e6cafafdce4e475f9c6fbea4f97b80d7b7a21c4b3053
Instruction Fuzzy Hash: 76018FB26042069FD724CE68CC9186BB3E8EB54318314892DE49AD3B44EB70F904C761

Uniqueness

Uniqueness Score: -1.00%

Function 6CBD8282 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34registrywindowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CBD8289
RegisterWindowMessageW.USER32(00000010,00000004,6CBD8341,00000000,00000000,00000000,00000000,0000005C,6CB80ADA,?), ref: 6CBD82D2

Strings

ToolbarButton%p, xrefs: 6CBD82C0

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: H_prolog3MessageRegisterWindow
String ID: ToolbarButton%p
API String ID: 875023513-899657487
Opcode ID: f09a7d080d90e81455c28d53309966e65d374840577af72be9f3211dc88b905b
Instruction ID: e02390b0219c41ad3aff467d9a43d8f0aa339d031a3e7e93840a71ee6044a756
Opcode Fuzzy Hash: f09a7d080d90e81455c28d53309966e65d374840577af72be9f3211dc88b905b
Instruction Fuzzy Hash: 06F0AF749085A0CADF10EBE8D8086DE7774FF0131DF845646D01067A82EB35951C8BA9

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB710B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CBB7112
GetProcAddress.KERNEL32(00000000,?), ref: 6CBB714B

Part of subcall function 6CB51D28: ActivateActCtx.KERNEL32(?,?,6CC92060,00000010,6CB54749,hhctrl.ocx,6CB5397B,0000000C), ref: 6CB51D48

Strings

UxTheme.dll, xrefs: 6CBB712B

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ActivateAddressH_prolog3Proc
String ID: UxTheme.dll
API String ID: 323876227-352951104
Opcode ID: 5d14f5c80435e218de65096108a570949e7bbb39a219e85c048bf3f6c06e9cc3
Instruction ID: bb29445934ac21734b53cdf70a08c50d35575df01ddbfec6f4fbcba2678e3af8
Opcode Fuzzy Hash: 5d14f5c80435e218de65096108a570949e7bbb39a219e85c048bf3f6c06e9cc3
Instruction Fuzzy Hash: BCE0ED327442509BDF88AFA4D9087AC37F4FB00318F544084E858FBB80EB7AC9508721

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4C312 Relevance: 5.0, APIs: 4, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6CCA8EF8,?,?,?,?,6CB4BE77,00000010,00000008,6CB4CB84,6CB4CB1B,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4C34C
InitializeCriticalSection.KERNEL32(?,?,?,?,6CB4BE77,00000010,00000008,6CB4CB84,6CB4CB1B,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4C35E
LeaveCriticalSection.KERNEL32(6CCA8EF8,?,?,?,6CB4BE77,00000010,00000008,6CB4CB84,6CB4CB1B,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4C36B
EnterCriticalSection.KERNEL32(?,?,?,?,?,6CB4BE77,00000010,00000008,6CB4CB84,6CB4CB1B,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4C37B

Part of subcall function 6CB4BCE0: __CxxThrowException@8.LIBCMT ref: 6CB4BCF6
Part of subcall function 6CB4BCE0: __EH_prolog3.LIBCMT ref: 6CB4BD03

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
String ID:
API String ID: 2895727460-0
Opcode ID: 0f239f9fdf80a2c29af62f5e4ca39c5246ce2e054a131cb4f719a48b5d137185
Instruction ID: 7587dfb620cb9185a5673573e7c6e3969aaf49edf77b84ca91cf49c97b7eca70
Opcode Fuzzy Hash: 0f239f9fdf80a2c29af62f5e4ca39c5246ce2e054a131cb4f719a48b5d137185
Instruction Fuzzy Hash: 0FF04673A0418AAFDB102BD9CC88F0EB77AFBD2754F404413E20057904D73098858AA6

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4BE0A Relevance: 5.0, APIs: 4, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6CCA8D44,?,?,?,?,6CB4C2AB,?,00000004,6CB4CB65,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4BE18
TlsGetValue.KERNEL32(6CCA8D28,?,?,?,6CB4C2AB,?,00000004,6CB4CB65,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4BE2C
LeaveCriticalSection.KERNEL32(6CCA8D44,?,?,?,6CB4C2AB,?,00000004,6CB4CB65,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4BE42
LeaveCriticalSection.KERNEL32(6CCA8D44,?,?,?,6CB4C2AB,?,00000004,6CB4CB65,6CB4BCFC,6CB4CFFC,6CB46F10,?), ref: 6CB4BE4D

Memory Dump Source

Source File: 00000003.00000002.1798929030.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.1798911270.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799032696.000000006CC5F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799070787.000000006CCA3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799090953.000000006CCAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1799108821.000000006CCB1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 653f8e41359166f4916f33f1ebda3ed66609d124f4e06fbf3d65ce383756b053
Instruction ID: 463571c5e6ed3bd54bac9afd1265a627501b8aaee1f6eeadc73799b964bdb923
Opcode Fuzzy Hash: 653f8e41359166f4916f33f1ebda3ed66609d124f4e06fbf3d65ce383756b053
Instruction Fuzzy Hash: 0AF0BE76348A149FE7248F59C888C0FB7BEEFC536031A8926FB05A3605D730F8019AA0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report UIxMarketPlugin.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6a4b12cc5ab5a864a1114bf7acfd58aabbffc_7522e4b5_2ed9bbc9-d9dc-40e8-8bc1-c2b2b18dc67e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6a4b12cc5ab5a864a1114bf7acfd58aabbffc_7522e4b5_6d591dea-2ba8-4815-b033-90e29eb221c5\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_f4a2262f4d43d5b9ac2196a348f57232fa6b6712_7522e4b5_4a8c2699-ff11-4fe9-b765-eff75ae06606\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_f4a2262f4d43d5b9ac2196a348f57232fa6b6712_7522e4b5_881e2de0-372e-410d-9f8d-be4be5931c9d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1C48.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1C67.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E8B.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ED9.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1F28.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1F76.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER26A8.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2716.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER27D3.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E85.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3EE4.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F14.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
UIxMarketPlugin.dll

Function 6CB5E019 Relevance: 105.6, APIs: 48, Strings: 12, Instructions: 557
libraryloaderstringCOMMON

Function 6CB5DAE7 Relevance: 64.8, APIs: 43, Instructions: 304
COMMON

Function 6CBA18F3 Relevance: 42.4, APIs: 22, Strings: 2, Instructions: 421
windowCOMMON