Edit tour

Windows Analysis Report
relay.dll

Overview

General Information

Sample name:	relay.dll
Analysis ID:	1429047
MD5:	3e58f05e392aab774479ca857b93c692
SHA1:	2839d32656227e73c4a1e51050ed181907f99dd1
SHA256:	04db97c97e4ac3e718ba049348e99dabea0aac5c401972580470b396427f4c27
Tags:	dll
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to retrieve information about pressed keystrokes

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

One or more processes crash

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 4024 cmdline: loaddll32.exe "C:\Users\user\Desktop\relay.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 3624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6200 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\relay.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 3356 cmdline: rundll32.exe "C:\Users\user\Desktop\relay.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 4052 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 632 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 6540 cmdline: rundll32.exe C:\Users\user\Desktop\relay.dll,Cancel MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 1684 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 672 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 5756 cmdline: rundll32.exe C:\Users\user\Desktop\relay.dll,Finalize MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 5592 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 620 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 2132 cmdline: rundll32.exe C:\Users\user\Desktop\relay.dll,Initialize MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 4500 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 624 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 1816 cmdline: rundll32.exe "C:\Users\user\Desktop\relay.dll",Cancel MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 7208 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 668 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 3580 cmdline: rundll32.exe "C:\Users\user\Desktop\relay.dll",Finalize MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5368 cmdline: rundll32.exe "C:\Users\user\Desktop\relay.dll",Initialize MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 4128 cmdline: rundll32.exe "C:\Users\user\Desktop\relay.dll",Run MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 7216 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 664 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 4052 cmdline: rundll32.exe "C:\Users\user\Desktop\relay.dll",PrepareRun MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 7180 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 668 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: relay.dll	ReversingLabs: Detection: 15%
Source: relay.dll	Virustotal: Detection: 15%			Perma Link

Source: relay.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, DLL

Source: relay.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\relay.pdb source: rundll32.exe, 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.2142085582.000000006CC57000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.2139436485.000000006CC57000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.2139594840.000000006CC57000.00000002.00000001.01000000.00000003.sdmp, relay.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CB5261E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,

3_2_6CB5261E

Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_43a5166fcb246f7d77dda47518c3ad7a1b5fed0_7522e4b5_947ae66e-1b85-463a-8ce6-0cbc4dae92d4\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_41a576617a4d91b2fca1f808095b0ff5072ae_7522e4b5_42b45446-5eab-40ec-af17-0c0f836199b4\	Jump to behavior

Source: Amcache.hve.8.dr

String found in binary or memory: http://upx.sf.net

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CBB3CD5 IsWindow,IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,IsWindow,IsWindow,IsWindow,GetWindowRect,PtInRect,SendMessageW,PtInRect,SendMessageW,ScreenToClient,PtInRect,GetParent,SendMessageW,GetFocus,WindowFromPoint,SendMessageW,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,SendMessageW,

3_2_6CBB3CD5

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB76981 IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen,	3_2_6CB76981
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB6C909 SendMessageW,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageW,	3_2_6CB6C909
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB6F967 ScreenToClient,_memset,_free,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,	3_2_6CB6F967
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB74AA6 IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen,	3_2_6CB74AA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB63BFA MessageBeep,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,SendMessageW,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,	3_2_6CB63BFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBBFB15 GetWindowRect,GetKeyState,GetKeyState,GetKeyState,KillTimer,GetFocus,SetTimer,	3_2_6CBBFB15
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB647FF GetParent,GetKeyState,GetKeyState,GetKeyState,SendMessageW,SendMessageW,SendMessageW,	3_2_6CB647FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBB23B4 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	3_2_6CBB23B4

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC34D8F	3_2_6CC34D8F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC33D16	3_2_6CC33D16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB6A5AD	3_2_6CB6A5AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC4371C	3_2_6CC4371C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBAD24D	3_2_6CBAD24D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_007ED270	19_2_007ED270
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_007ED5A0	19_2_007ED5A0

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CC3476A appears 40 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CC34701 appears 185 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CC36320 appears 41 times

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 672

Source: relay.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, DLL

Source: classification engine

Classification label: mal48.winDLL@29/32@0/0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CB564F8 CoInitialize,CoCreateInstance,

3_2_6CB564F8

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CB4FDFF FindResourceW,LoadResource,LockResource,FreeResource,

3_2_6CB4FDFF

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6540
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4052
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3624:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1816
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2132
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3356
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5756
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4128

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\37ea3b7b-1b3c-494a-a995-172e4d53bea4

Jump to behavior

Source: relay.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\relay.dll,Cancel

Source: relay.dll	ReversingLabs: Detection: 15%
Source: relay.dll	Virustotal: Detection: 15%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\relay.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\relay.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\relay.dll,Cancel
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\relay.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 672
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 632
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\relay.dll,Finalize
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 620
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\relay.dll,Initialize
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 624
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\relay.dll",Cancel
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\relay.dll",Finalize
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\relay.dll",Initialize
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\relay.dll",Run
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\relay.dll",PrepareRun
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 668
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 668
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 664
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\relay.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\relay.dll,Cancel	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\relay.dll,Finalize	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\relay.dll,Initialize	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\relay.dll",Cancel	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\relay.dll",Finalize	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\relay.dll",Initialize	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\relay.dll",Run	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 632	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\relay.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: relay.dll

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: relay.dll

Static file information: File size 1596416 > 1048576

Source: relay.dll

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x115c00

Source: relay.dll

Static PE information: More than 200 imports for USER32.dll

Source: relay.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: relay.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: relay.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: relay.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: relay.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: relay.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: relay.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: relay.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: relay.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: relay.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: relay.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: relay.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: relay.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CC444FF LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

3_2_6CC444FF

Source: relay.dll

Static PE information: real checksum: 0x18dd31 should be: 0x18e248

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC347D9 push ecx; ret	3_2_6CC347EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC36365 push ecx; ret	3_2_6CC36378
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_007DCC0C pushad ; retf	19_2_007DCC11
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_007DCDD0 pushad ; retf 007Dh	19_2_007DCDD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_007DE3BA push esp; retf	19_2_007DE3BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 19_2_007DD3A4 pushad ; retf	19_2_007DD3A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 22_2_0012CBD8 pushfd ; iretd	22_2_0012CBD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 22_2_0012CC64 push eax; iretd	22_2_0012CC91

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBB3CD5 IsWindow,IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,IsWindow,IsWindow,IsWindow,GetWindowRect,PtInRect,SendMessageW,PtInRect,SendMessageW,ScreenToClient,PtInRect,GetParent,SendMessageW,GetFocus,WindowFromPoint,SendMessageW,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,SendMessageW,	3_2_6CBB3CD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB7CFAF SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,	3_2_6CB7CFAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBB489A IsIconic,PostMessageW,	3_2_6CBB489A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBB297F IsWindow,GetFocus,IsChild,SendMessageW,IsChild,SendMessageW,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,	3_2_6CBB297F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBB340E GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	3_2_6CBB340E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBB340E GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	3_2_6CBB340E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBB340E GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	3_2_6CBB340E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CBB370E IsWindowVisible,ScreenToClient,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect,	3_2_6CBB370E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB72065 SetForegroundWindow,IsIconic,	3_2_6CB72065
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB6D12B IsWindowVisible,IsIconic,	3_2_6CB6D12B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB72109 IsIconic,	3_2_6CB72109

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CB575A5 __EH_prolog3_GS,GetDeviceCaps,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,_memset,GetTextCharsetInfo,lstrcpyW,lstrcpyW,EnumFontFamiliesW,EnumFontFamiliesW,lstrcpyW,EnumFontFamiliesW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,GetSystemMetrics,lstrcpyW,CreateFontIndirectW,GetStockObject,GetStockObject,GetObjectW,GetObjectW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,GetStockObject,GetObjectW,CreateFontIndirectW,CreateFontIndirectW,__EH_prolog3_GS,GetVersionExW,GetSystemMetrics,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_6CB575A5

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\rundll32.exe

API coverage: 4.1 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CB5261E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,

3_2_6CB5261E

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_43a5166fcb246f7d77dda47518c3ad7a1b5fed0_7522e4b5_947ae66e-1b85-463a-8ce6-0cbc4dae92d4\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_41a576617a4d91b2fca1f808095b0ff5072ae_7522e4b5_42b45446-5eab-40ec-af17-0c0f836199b4\	Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\SysWOW64\rundll32.exe

API call chain: ExitProcess graph end node

graph_3-38629

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CC32782 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

3_2_6CC32782

Source: C:\Windows\SysWOW64\rundll32.exe

3_2_6CC444FF

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC32782 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		3_2_6CC32782
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CC390E9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		3_2_6CC390E9

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\relay.dll",#1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CB43470 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,DuplicateToken,AllocateAndInitializeSid,LocalAlloc,InitializeSecurityDescriptor,GetLengthSid,LocalAlloc,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetSecurityDescriptorGroup,SetSecurityDescriptorOwner,IsValidSecurityDescriptor,AccessCheck,

3_2_6CB43470

Source: C:\Windows\SysWOW64\rundll32.exe

3_2_6CB43470

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CC37F77 GetSystemTimeAsFileTime,__aulldiv,

3_2_6CC37F77

Source: C:\Windows\SysWOW64\rundll32.exe

3_2_6CB575A5

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	1 Masquerading	21 Input Capture	1 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Rundll32	Cached Domain Credentials	3 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
relay.dll	16%	ReversingLabs	Win32.Trojan.Rugmi
relay.dll	16%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.8.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1429047
Start date and time:	2024-04-20 11:35:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	relay.dll
Detection:	MAL
Classification:	mal48.winDLL@29/32@0/0
EGA Information:	Successful, ratio: 10%
HCA Information:	Successful, ratio: 86% Number of executed functions: 18 Number of non-executed functions: 273
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target loaddll32.exe, PID 4024 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 1816 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 2132 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 3356 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 3580 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 4052 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 4128 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 5368 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 5756 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time	Type	Description
11:36:05	API Interceptor	1x Sleep call for process: loaddll32.exe modified
11:36:09	API Interceptor	4x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_41a576617a4d91b2fca1f808095b0ff5072ae_7522e4b5_42b45446-5eab-40ec-af17-0c0f836199b4\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9417110099368401
Encrypted:	false
SSDEEP:	192:7MwiSzO6Oz0BU/wjeTidZrSqfzuiFnZ24IO8dci:3iS6rgBU/wjegfzuiFnY4IO8dci
MD5:	6AC79BF07665E52F7995FC0F2D749E1C
SHA1:	F3BDC854720CFCD61A2166A03BB60138E505C021
SHA-256:	3479D5957372D2B2044B0AC319F9D980C8BCB0E112CE2B82F3201DDB24785052
SHA-512:	633579A3C14C3BA70D6310606B4349ADD1471D2EC6C11801C12FEEE1E5060A514F6910FD43507F0A2C6257D81F85EEFA478D9B9DC3C66F75BD48DFFDCBBD1EBC
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.0.7.9.3.6.6.2.3.0.0.0.8.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.0.7.9.3.6.7.2.3.0.0.1.2.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.2.b.4.5.4.4.6.-.5.e.a.b.-.4.0.e.c.-.a.f.1.7.-.0.c.0.f.8.3.6.1.9.9.b.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.f.4.b.a.f.3.1.-.a.f.8.4.-.4.f.2.8.-.9.a.2.7.-.4.5.3.b.f.4.1.f.0.4.5.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.2.0.-.0.0.0.1.-.0.0.1.4.-.3.7.e.6.-.a.3.2.a.0.6.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_43a5166fcb246f7d77dda47518c3ad7a1b5fed0_7522e4b5_947ae66e-1b85-463a-8ce6-0cbc4dae92d4\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9419639799193403
Encrypted:	false
SSDEEP:	192:7MiszOLI0BU/wjeTidZrSqfzuiFnZ24IO8dci:gis6LjBU/wjegfzuiFnY4IO8dci
MD5:	2D5E3BB1DEBD0B11BC5E22D96DBCCF27
SHA1:	CDA40C0444D1D56E5C4A396A7C908F48049EE40D
SHA-256:	9D788611D3B265736E839A5E7EDDBE10AE2A03D4FF3D9B45C3B7F69C5265E846
SHA-512:	2B7048549DFD2D1554CCF30E2CE12EE481189ABC005D3575066C251D133BB6125CCB26A9765CA095107BB27B3F31FD1369A3432588606D032448A90EC4731161
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.0.7.9.3.5.6.9.7.4.1.7.8.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.0.7.9.3.5.7.5.9.9.1.8.4.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.4.7.a.e.6.6.e.-.1.b.8.5.-.4.6.3.a.-.8.c.e.6.-.0.c.b.c.4.d.a.e.9.2.d.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.9.b.4.0.0.b.4.-.6.9.4.5.-.4.5.7.d.-.9.7.a.3.-.3.c.f.a.9.2.d.8.f.e.5.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.8.c.-.0.0.0.1.-.0.0.1.4.-.0.2.1.7.-.3.8.2.5.0.6.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_43a5166fcb246f7d77dda47518c3ad7a1b5fed0_7522e4b5_e91ff5ac-65a9-46ed-9bba-93ef15ff2f0b\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9417373395483982
Encrypted:	false
SSDEEP:	192:ue5in9zOw7I0BU/wjeTidZrSqfzuiFnZ24IO8dci:Z5in96UjBU/wjegfzuiFnY4IO8dci
MD5:	2C5A73E2C5ABED79F777DA9199426E6D
SHA1:	2E76F7624AA9FAC9DE6B74D6BAAADF72EE6B80CD
SHA-256:	6EDF0ACEDBF057209CCE500E8112B9B5D68554E13DD83C2274A21F0E0FC79635
SHA-512:	B6B01E38320D69A4AE6A8864FFBBE535DE17BFA009F36DCE671BF680C0A6BEB24F3D5C4A25AB399C59F594A53025CEDBE3378F5C38DF5ACA117A378BF8A341F3
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.0.7.9.3.6.6.2.1.0.6.1.4.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.0.7.9.3.6.7.1.0.1.2.4.8.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.9.1.f.f.5.a.c.-.6.5.a.9.-.4.6.e.d.-.9.b.b.a.-.9.3.e.f.1.5.f.f.2.f.0.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.4.8.1.1.b.8.3.-.3.6.9.6.-.4.7.d.9.-.9.2.f.5.-.f.d.7.1.9.6.a.7.1.8.5.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.7.1.8.-.0.0.0.1.-.0.0.1.4.-.1.4.b.1.-.a.0.2.a.0.6.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_58917a6b9efbc14a7f3eb3b1b9c8b1b9253d4_7522e4b5_1b83567d-f16f-46b8-80f9-995180bfbf98\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9417192089377782
Encrypted:	false
SSDEEP:	192:N1KiOzOr/l0BU/wjeTidZrSqfzuiFnZ24IO8dci:6iO6zGBU/wjegfzuiFnY4IO8dci
MD5:	A6FB81635C018AA0AF120ACE7E9C7661
SHA1:	4D018D1792690C071104F570E0B1E58E7DB36D4C
SHA-256:	21DE984ACC322AFA0ECB515934A8FAE3213B516B64F7AE5F6192ACF83D471E7E
SHA-512:	858E8825E5C17279E3FF78F41BDDDB283408C77BA68F7B010EFBC423819516667BF55167888571CF5395A585BA836F4A58DC953F4EA4F4FFE9C5DF178AB88CDD
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.0.7.9.3.6.6.2.4.8.2.5.7.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.0.7.9.3.6.7.2.3.2.6.3.6.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.b.8.3.5.6.7.d.-.f.1.6.f.-.4.6.b.8.-.8.0.f.9.-.9.9.5.1.8.0.b.f.b.f.9.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.8.0.0.9.d.4.2.-.c.8.a.7.-.4.2.7.2.-.a.e.a.3.-.c.9.8.5.0.2.6.a.c.e.b.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.d.4.-.0.0.0.1.-.0.0.1.4.-.5.5.e.4.-.a.4.2.a.0.6.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_7b66fce5118c38f37fd6766cbdd34cc5acf99d_7522e4b5_2e868f36-de62-4ba6-9b84-fedb1c24e82b\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9377917063140495
Encrypted:	false
SSDEEP:	192:JRijzOUp04+q1jeTsPZrl/8zuiFnZ24IO84ci:vij6UK4+q1jeY8zuiFnY4IO84ci
MD5:	01BC5FEDE9C03215F6062A925D2E5E9E
SHA1:	E090C8B49BDAEC29C5B0BDBEE9622DD030D8C63D
SHA-256:	0E982FAADBCF58FC05BA0C6E1022A93724BE82D30A778D2A367D6F6574EDEEFB
SHA-512:	3106DA522ED32A2026D154C8908EC57B4334A304AE03B1865DA6F4D7B911D652F114FB599AF6012AD963E48B7DC8E8108B8E487F5113D84EB663A86AE63453BF
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.0.7.9.3.5.9.6.9.8.7.3.1.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.e.8.6.8.f.3.6.-.d.e.6.2.-.4.b.a.6.-.9.b.8.4.-.f.e.d.b.1.c.2.4.e.8.2.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.0.9.7.8.c.7.7.-.f.1.7.9.-.4.9.7.8.-.8.e.2.c.-.7.4.7.e.8.0.0.5.1.5.7.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.7.c.-.0.0.0.1.-.0.0.1.4.-.6.6.6.1.-.0.5.2.7.0.6.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.u.n.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.6././.0.8././.2.6.:.1.6.:.5.8.:.3.3.!.1.8.d.1.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_7b66fce5118c38f37fd6766cbdd34cc5acf99d_7522e4b5_80a7260b-cf6e-489e-a566-6a270c8c0270\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9375855007596133
Encrypted:	false
SSDEEP:	192:v2iYzO+p04+q1jeTidZrSq8zuiFnZ24IO84ci:v2iY6+K4+q1jeg8zuiFnY4IO84ci
MD5:	8BD1B6AE3E5AFC750F8117CAF822243A
SHA1:	D2D92F97421CF7C963C2F3C82F5668BE63EE74F0
SHA-256:	4FDA8E2753C3102084DB7179FF665721E71CF701122DF357D0204A3E45F27AA0
SHA-512:	A2C29B41AC3D3F560F108B1FAAC309207CEBB08E0E58925A7D793622263F70BE24CE72622892DDFCE7EC9C66981FEFE648EFC1647ADDE8280467F084C5BC7331
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.0.7.9.3.6.2.8.9.1.5.5.2.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.0.a.7.2.6.0.b.-.c.f.6.e.-.4.8.9.e.-.a.5.6.6.-.6.a.2.7.0.c.8.c.0.2.7.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.b.c.a.0.2.d.b.-.6.2.5.5.-.4.a.6.9.-.8.a.4.2.-.3.6.2.b.b.2.9.0.6.0.e.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.5.4.-.0.0.0.1.-.0.0.1.4.-.4.7.9.3.-.d.1.2.8.0.6.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.u.n.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.6././.0.8././.2.6.:.1.6.:.5.8.:.3.3.!.1.8.d.1.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_7b66fce5118c38f37fd6766cbdd34cc5acf99d_7522e4b5_d55df6fc-a234-4ca2-8311-086d43100733\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.937199758961924
Encrypted:	false
SSDEEP:	192:2AbilzO7p04+q1jeTidZrSq8zuiFnZ24IO84ci:2Abil67K4+q1jeg8zuiFnY4IO84ci
MD5:	A176AC768392317C85BDC7CF2E0A5A8F
SHA1:	FB9D0DA1E26AC8B6B5B6F9144975CF6E83953B31
SHA-256:	A7FCC154B8C32A94F98344D3E6668A25CB1D72B20ED364D169B0D749FA9D539D
SHA-512:	437FC9EDBF027F1248E91EF75A4D8F0024C0796BF37DDC725F940EC338EE6BE8DB91C095BCB62FA10885A3B208A8846AF6DFA9E3ECD0E6B1C3048CC6801C58F6
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.0.7.9.3.5.6.9.6.8.3.2.3.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.5.5.d.f.6.f.c.-.a.2.3.4.-.4.c.a.2.-.8.3.1.1.-.0.8.6.d.4.3.1.0.0.7.3.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.3.d.2.8.0.8.f.-.f.6.f.5.-.4.9.8.3.-.8.5.5.3.-.f.7.d.a.3.8.d.a.d.1.e.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.1.c.-.0.0.0.1.-.0.0.1.4.-.2.6.d.9.-.3.9.2.5.0.6.9.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.u.n.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.6././.0.8././.2.6.:.1.6.:.5.8.:.3.3.!.1.8.d.1.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER12B.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8376
Entropy (8bit):	3.6923295900569477
Encrypted:	false
SSDEEP:	192:R6l7wVeJ3P65YsGP6YIo6Lgmf8yEpBM89bXEsfit9m:R6lXJ/65YsO6Y36Lgmf8yKX3fim
MD5:	AD4A6A03BD2E21064D0BE391288A771E
SHA1:	5239D032A7CFA203C2883B38014184E3DC383A15
SHA-256:	1E7E4ACE68BC5DC6EB72C8C424ABF88316C3753AA1746FF227EF1BC15AFAF4F3
SHA-512:	9CDFBE8AB45BEE236325B7A61D052FCD932439218BA27E3DCD330B20751D171869824203646F620ECDDCF427997AC1D261C3483544EA860F9E8D412325A6AF19
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.1.3.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER14B.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4791
Entropy (8bit):	4.481158314740184
Encrypted:	false
SSDEEP:	48:cvIwWl8zsbJg77aI93sWpW8VY3oYm8M4JCdP+FrU+q8vjP2KGScSDd:uIjf1I7hF7V4JQKVJ3Dd
MD5:	623657D0289A721FBEED8D7F81B33294
SHA1:	0B09AB34DB250BE4B79890EDB724742B4CA1548D
SHA-256:	30180DA3E09D74E49F25AB469960D901B74B378733F885A2041E737513E5885F
SHA-512:	A2836A1A86D6E99AAC7590393C7FE883BFD66760C597E671AC9E1A3BDB3105DBF0B33B7CE86549A5ACDC948C10D6950ECFDB91176EA2F4B06F19C01920546E01
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288038" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4F.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Apr 20 09:36:03 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	49940
Entropy (8bit):	1.8942917034817017
Encrypted:	false
SSDEEP:	192:dGny7XEXIXQIKbKO5H4Jao+qq3bzEn6uq37Bq1Qo43dkZp1:kPbV5H1JqgzEn6uyq1uU1
MD5:	B75D8BA37B968BD258C62F85999FC6C1
SHA1:	40AD9AA512F5BD72BD05175447178BF951B99670
SHA-256:	E2FE968B1C36AA29B5D8AC3CB3A63178F4A207317F8EEF16586C964DFC63B681
SHA-512:	E3A84479EA9BE47DC25A390E31F33887D6BA4CC1F834B2F98D9F7A296FE9E3733A6DBC8F2F3E398096CD8D0E58E76B9809768A968881C5BE97061D2B01BD8163
Malicious:	false
Preview:	MDMP..a..... .........#f....................................<................0..........`.......8...........T...............d.......................................................................................................eJ..............GenuineIntel............T.......T.....#f.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD5F.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Apr 20 09:36:06 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	44668
Entropy (8bit):	1.9925338022895371
Encrypted:	false
SSDEEP:	192:JzVS3XtiX7X+BXO5H4JaEqkyIspuXeZGJLNjIx0ze2EaqL2agR+:9Vu+5H19kybgTNO0zeNe
MD5:	EF09B6F84C5E0A133754640A7E749388
SHA1:	E640F09FFF35273763CCA9B5C284A79AD18BDA62
SHA-256:	71D308652DE0995629E92C2F9B2DB391604537A5756AE0B0CE095D0CFEF1E71D
SHA-512:	449519BFD4CD8BDFF6C8381C4744BD6ACCE634CE3AEF0A6FB4E7494130FF1BFA844E5A1A28FCB409F7FAE65795D984316C2EA265E24E664CE2A85E7EBB418F41
Malicious:	false
Preview:	MDMP..a..... .........#f........................l................-..........T.......8...........T...........x...........................................................................................................eJ..............GenuineIntel............T.............#f.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD8E.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Apr 20 09:36:06 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	44464
Entropy (8bit):	1.9755679055363438
Encrypted:	false
SSDEEP:	192:JUHVJ3XtiX7XawyXO5H4JagEloZYwa+a5fCYH+jeoYWH4Uuz:6HVD+5H1bl4Yw3ZYHntUu
MD5:	A155B26C5C3218F5C5912C5DFDC77306
SHA1:	81C87455D7C68E7D82C35E1E08BF9914B3BC66C1
SHA-256:	CA8AB170E5EA9E68EEACA66AF23AF4E32F867FE5D45CC81A5CB14600F371E2CE
SHA-512:	6DC15F16D326C76378D9E043A7A94281036EE0CC29DF114758D8C61CF47F4B36745856497558F8D41E9BFA99F71DC868F498413534E0BEC171B1783CB80B7DB2
Malicious:	false
Preview:	MDMP..a..... .........#f........................l................-..........T.......8...........T...........x...8.......................................................................................................eJ..............GenuineIntel............T....... .....#f.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDEC.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Apr 20 09:36:06 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	42524
Entropy (8bit):	2.0579503955249177
Encrypted:	false
SSDEEP:	192:JHTkVN3XtiX7XyRgXO5H4Ja8BGs8bvHl5ga5fdMITtId0Tpv8:xTkVq+5H18BGs8bd6EMITtP
MD5:	BE61467485B40A2D49C80E33788A94A1
SHA1:	4020AE05196F2E495735F14D920F0B82BC970865
SHA-256:	9EB15C2EB142A09040B9A4F03D242E715B58FF13559E5E0CAA002B8907D45909
SHA-512:	FC60E6FC0B3FB43D6098A08904627F5272E16BCE2D32B962AE375AF9A7B000B7BF69A81A3AB0274C8169BC3A0872F38BDCA05130642979A9D2C3842CA92B534C
Malicious:	false
Preview:	MDMP..a..... .........#f........................l................-..........T.......8...........T...........x...........................................................................................................eJ..............GenuineIntel............T.............#f.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE93D.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Apr 20 09:35:57 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	45180
Entropy (8bit):	1.9875410566815042
Encrypted:	false
SSDEEP:	192:WFl6Vb3XtiX7XluluO5H4JaP0tle0FzXikFjIx2bZmdahr6R:kl6VwO5H1ctleuO2b8DR
MD5:	580DEE6780E07083565C82DFC3BCF480
SHA1:	7B0654E5C33A3D20FACA2C7BFF44675289014B75
SHA-256:	D7DBA85A41F102A1623BAE6CBD5A74CE8D0CA3E3C9AFD31F5397C08A58864751
SHA-512:	F782FA2453F65DAF5323A171938CA6C71B9A8FBEDA2BB78D2F981AED2B69B03A2E07111AD239FE56830899ED203A1F9FD828D1E122E247E96D06DD21E5ECFF2F
Malicious:	false
Preview:	MDMP..a..... .......}.#f........................l................-..........T.......8...........T...........x...........................................................................................................eJ..............GenuineIntel............T...........\|.#f.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE94D.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Apr 20 09:35:57 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	52038
Entropy (8bit):	1.8521811351525055
Encrypted:	false
SSDEEP:	192:36BE7XEXIXG5O5H4JaNqJt3Qn+zN9PE6HnaKTtD4/:qa5H12tgaPBHn/x4/
MD5:	5A0159ADDC0D775E3968A0BB4D0A1669
SHA1:	D54F8BE292B44BD2E3B4E0164D473FD17EBE5569
SHA-256:	8588543E1214C42D56C0403F63A36D2158F6C6B11500E85F0DC8D420D0B238A8
SHA-512:	4F795940F2C9AE36FC63A24520A8BCC0BD4060D3045E84164F1A176F773F9DF4FF10FE05F1D4FA5837F1DEB7BA5ADD51B9112ACEB82A95BA9FB79B20C7753701
Malicious:	false
Preview:	MDMP..a..... .......}.#f....................................<................0..........`.......8...........T...........P...........................................................................................................eJ..............GenuineIntel............T...........\|.#f.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE99.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8280
Entropy (8bit):	3.692487001665092
Encrypted:	false
SSDEEP:	192:R6l7wVeJzjSl6I1BBl6YIDZ6xgmfTMtprOx89bqSsfYum:R6lXJ/O6I1BBl6YiZ6xgmfTMBqRfI
MD5:	949545B961CBC7572D40CC85E83C8791
SHA1:	20096A84DBFCBE472F0C7A07C2DB95E3469E6883
SHA-256:	71548F322C4939C652A46F4A1E3FD1A3D0E89A3EFE36A5F356E2CB7CE3C6C1C3
SHA-512:	BC62B015F817CDED1C098E6116FE4B75607DBE6CED7E62853F9438917FDD544543DD776A03FA15564C41F1560F181FC186A1D082B66466D6CE2FC2AD03BDCE49
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.8.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREA67.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8364
Entropy (8bit):	3.6961993995877354
Encrypted:	false
SSDEEP:	192:R6l7wVeJ2P6IrIclOLJ6YPJ6tgmf8yEpBj89bV2zsfOHHm:R6lXJm6IrBl86YB6tgmf8y3V2YfOm
MD5:	4B69A9599F40061F04A1636CD5EB5FCD
SHA1:	457D24361BC2DF109019A38D9F803763431B8882
SHA-256:	80EB8A0AB5B4BC07F4B5E6811B24E334E03573A7CAB670724CDAB7600680C941
SHA-512:	BA17C785D8DFE561A4A044A9DFD8E4478B60802A53E745940D4798DF6FB173C8BA08A46C9700460EAAEE2E9DDE89DDE04BD9CFD5CC45E475C16CED5DB471F04A
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.3.5.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREA68.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8258
Entropy (8bit):	3.6897207779136756
Encrypted:	false
SSDEEP:	192:R6l7wVeJyM63x1v6YI+61gmfTMtprt89bVpsfDHm:R6lXJB63x1v6Y561gmfTMaVCf6
MD5:	BE519DF2E73B8C5861BFC2D7C5AF9B00
SHA1:	E9456960785923A61074E7D241BBD30F2A14F7C7
SHA-256:	18096DC0D5796191B1677131E1B6F58F76442CCC4625E373A4A15EEBF83DF1DF
SHA-512:	C093DFE78AD86FF3B89325ED8E1790064CE2419520EA6183AF2AD520FDAA8D10F7FE4367F3F66A753CDFE2AEC12C80624D8162B0D603C697AA81E31E5FF76943
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.4.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREAA7.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4791
Entropy (8bit):	4.482844973515693
Encrypted:	false
SSDEEP:	48:cvIwWl8zsbJg77aI93sWpW8VYUYm8M4JCdP+FcI+q8vjPOGScSMd:uIjf1I7hF7VwJkIK6J3Md
MD5:	0097B0EE5D03F3E018E662200878C116
SHA1:	FE028F80ABE3E8A148DB204EA961A5713D371B45
SHA-256:	4075CAA9ABA4AF7874AD478B1DE579105BD9474365D82818532E711FA649DBA5
SHA-512:	CABA12F809103DF41E32B45115C8A937C3ADD2BEAEA2237E8FA64F338CF135FFC4AB89E6B0EC2435619E1F1DF35DB9848222CB349460F94711A90BA264FF4444
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288038" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREAB6.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4642
Entropy (8bit):	4.456481409081792
Encrypted:	false
SSDEEP:	48:cvIwWl8zsbJg77aI93sWpW8VYAYm8M4JCdP5Fl+q8/hmGScSpd:uIjf1I7hF7VEJu1J3pd
MD5:	AD8E0EA56B022C12C57770D6A563B1D0
SHA1:	816BB8334DED0C507529F592C22CFFEEE197D6A7
SHA-256:	56594874649169B83D70941B616CA08F80F559C30D27B172E56398049551D25F
SHA-512:	A799B8E22E90322C3EAD205E877E5434C251CFA9286A7DDDAA9BC87C57D239FEBB61BF1B23F52AEBC60D03003DDCBB480FCCF058886481F5F64E6F00979F55D5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288038" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC8.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8276
Entropy (8bit):	3.692856993906382
Encrypted:	false
SSDEEP:	192:R6l7wVeJ+jP6m15q6YIDj60gmfT7tpr189bqjsfklum:R6lXJQP6m15q6Yij60gmfT7yqIfc
MD5:	17E8813119510EE5E81A83CFEC1B9CFC
SHA1:	2A22C2F492DC00EE372C0DCA0DE0A4E8EA9DAA90
SHA-256:	5D5FB55BE3A7BCBD934A885A193E796BBE7F66A9862ABA52F49BA027F268DE56
SHA-512:	7157CBDE1D0C75300B79BFFCF04F0183C3C55342D309C4583932625D0198E1174FEB93EE8D74C30C5B1C9E5C3583AE36BE1F7620058F4C03410A67406A133299
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.0.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERED8.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4642
Entropy (8bit):	4.4563390486916346
Encrypted:	false
SSDEEP:	48:cvIwWl8zsbJg77aI93sWpW8VYuYm8M4JCdP5Fo9+q8/hBGScSeMd:uIjf1I7hF7VaJd9uJ37d
MD5:	925512E2487D6DF4D4DFAA7CD598FBC7
SHA1:	92902E638EFC1CF4026F29BABC257DDB4EA743A5
SHA-256:	9B2400FE622AE0D1E1F5F747A91FDA626AB564791A5DD18689BCCF908F469498
SHA-512:	467DFF66DB6D61129A25CC6B14C4656F6E66C8955D0A2CF3000129517BCD7A1E4DD34ADB0DD29738C77481D8835F6FBBA79F0F4ECA957357A135A963CB191DB7
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288038" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREE7.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8276
Entropy (8bit):	3.6916018618645636
Encrypted:	false
SSDEEP:	192:R6l7wVeJ6k6yD8k6YIDC6vgmfT9tprQ89bqmsfPum:R6lXJZ6yD8k6YiC6vgmfT99qFf/
MD5:	20B1B05289EB0C665ED2420216E2C9FC
SHA1:	509058E3F0F6EE2DB9A89FC1916D38936C89DAA3
SHA-256:	5C2B652996B140FEF46424A51ED922355D9C8A09565FCC3AF3E081D6ACA5A691
SHA-512:	3250D6BE87397CF4806706D0754F1604D947C8009E2DF66E9C9F8F387DEA01469CF25046AD6883D6ACCDE02940CE2329B9DD59E2A418E61DD4DBDE1269CF4707
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.1.2.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF07.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4642
Entropy (8bit):	4.454302804896009
Encrypted:	false
SSDEEP:	48:cvIwWl8zsbJg77aI93sWpW8VYRYm8M4JCdP4FC+q8/hj/GScS/d:uIjf1I7hF7VVJMYJ3/d
MD5:	29B911B0CB94A391BE35C97AA040DE8B
SHA1:	75C62A8B6DAC2293634E25F59DC78CFD75F645D1
SHA-256:	4BD733E52DBA877B9251C45B450123015077CBE7FC9AF984723554CD4FD02C18
SHA-512:	76F19450555FD55451AEF05E7567C7E5E7761F2E1FC55A25675C4F0E4F1550386C2AE64944A933F7D08976ABFE581982A4C641E3D57C34407753FE62104A5FCF
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288038" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF3DC.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Apr 20 09:35:59 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	44452
Entropy (8bit):	1.972231717640527
Encrypted:	false
SSDEEP:	192:R/v6XrXHXITqO5H4haC6fK7jrPKif65QwdDyjAj:pT15HdC6fK7jLRCqwz
MD5:	CD9E44DFB847932000EA7D02B1919C24
SHA1:	1D0BDCD5C0DC12F836D1D1BC28E4D2D963E4D9A1
SHA-256:	77E884DA9BFB4C37C72C366BF54AD48E41052036C942026D33C6EA9053077C84
SHA-512:	B1D6E6C9E0B1F24BDAD9E33CF028970C24066C5129BEC6E0559135BE61A17FF405637A7C6D41D344783F27C5AD913EBC6D1E432E5F2BDD51A723A28781A9B4BB
Malicious:	false
Preview:	MDMP..a..... .........#f....................................<................-..........`.......8...........T.......................................................................................................................eJ......h.......GenuineIntel............T.......\|.....#f.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF44A.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8372
Entropy (8bit):	3.695454890871645
Encrypted:	false
SSDEEP:	192:R6l7wVeJU669od+6YIy6mgmf8yEpBG89brLsf05m:R6lXJx69od+6Y96mgmf8ycrQfH
MD5:	010085C414A1D6ACFFABA9887552C4D6
SHA1:	3F87F09EAE1501BBA581CE10E7D5D6D0D3D16F98
SHA-256:	9FC96DF73B464BB5D6B9B8559904718CDB93356B740C437BA4C268D777745FFC
SHA-512:	0937660E9501F1DFB01B51A0F556684975A56B846495FEEE3BDD820BB7843543F20F4917B2D9A07B84A7CD6DB72F30BCAF743DF706477C63B491E5B2E45533DD
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.5.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF47A.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4791
Entropy (8bit):	4.483336841637472
Encrypted:	false
SSDEEP:	48:cvIwWl8zsbJg77aI93sWpW8VYZYm8M4JCdP+F++q8vjPNNkGScSvd:uIjf1I7hF7VlJWKEJ3vd
MD5:	245FD99D8CD1685C3041DF106CC41651
SHA1:	FD53730B740CD6A52AEE0A55F3EFBBA88BBED387
SHA-256:	46B613161F1F2DA6C827866F7997CBD2BE30C0FE50FF6EBB965B167C6F09545A
SHA-512:	B8BDED6F84F03C948AD105FC1F1BBBB162C2ABA121E0A0149DD52CFBB4B3F646AB1D63976CEE0259CAF424F29AFA34457BF48E853AA25BB2059894D49C38E138
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288038" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF55.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4642
Entropy (8bit):	4.455193052225387
Encrypted:	false
SSDEEP:	48:cvIwWl8zsbJg77aI93sWpW8VYGYm8M4JCdPqF0+q8/hfGScSkd:uIjf1I7hF7VGJk8J3kd
MD5:	8059D2A27123C95248A4B6877A809A5F
SHA1:	F34CD23919D0163FA5350D3BF34D9D3E2EE5C287
SHA-256:	FB3040F6B6A40981ED464FF54E94D9202B6E1D2F62A47332FAC132337B27979B
SHA-512:	34C8190004A4BA1C481A74171D3901F21FBEC4811EA7C621079457A450914331F3F08C87BCE652ED92C156864190C8594AF219E77452A51C2237EFAE0CE8289B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="288038" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.422296205199028
Encrypted:	false
SSDEEP:	6144:XSvfpi6ceLP/9skLmb0OTyWSPHaJG8nAgeMZMMhA2fX4WABlEnNP0uhiTw:CvloTyW+EZMM6DFyl03w
MD5:	31DFB4961E0744E4C034949CE3F4056C
SHA1:	F370D0FFB36D355B35C48FADCE1F20EC504EB5B7
SHA-256:	3F84ADBAD7598DD4A52D91F5074ED80A54726227A3B900AA674D31640B79964E
SHA-512:	90964418961488E53AD840C881F9609B7A1C08A5375B7A13E4C73B442A03708E3E3462B7D1078A402DD1C14C1507444C1AE1A769A8157B0F3DAF85387444CF80
Malicious:	false
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..o%................................................................................................................................................................................................................................................................................................................................................6.y.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.tmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	2.0952858012137607
Encrypted:	false
SSDEEP:	48:4HVa18letnr0/4x1xpznsbOS3eX2PjXl9pl7vlplDplEIld7FgJ6x3onsSK:4IeleNIC5zwrFZ9LzlLDLEAlF
MD5:	D82B402CA161133FBACA9DB7ED754ED3
SHA1:	720CB1EAA8278AE823A9C9F28ABDCBF8EFF7F5C1
SHA-256:	0C447ED7BD19C8B0CF602EA67DC9E654155FAFB02A4E4F199F37E73253851831
SHA-512:	504A5921521D570A3C1B5F026EFCF6DE4D7F13C9EB0936D377D8F41633B235C3AD8EF37D38B905A007AD8AFEE49A1491E49ECDD8372E5436892CF5658A6CB301
Malicious:	false
Preview:	regf.........j..................... ...........C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...t.m.p.....2=.b...,...W....2=.b...,...W........2=.b...,...W..rmtm"...................................................................................................................................................................................................................................................................................................................................................$@.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.tmp.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.9080089733810557
Encrypted:	false
SSDEEP:	24:y/cuHVaH2T2/k7rlEnw1tn+s0Wg4x+fBOUPB0FIpzn:eHVaT8flNtnr0/4xgxpzn
MD5:	024C7FBBB0BAE145460B24F80AE56E80
SHA1:	F54551878274FAE1C6E5A06CE8FA0E956111DE80
SHA-256:	BCD848C8685492BDD71FB7E0A42E8EE500CF9D2E11F504E74C9D9541E286C76D
SHA-512:	68D5813BDCF43D4F62E7C025D344B9F04092779F5728FF49A8C49D8E4732827F3456AEE605002CC60C969CA8DD8FB55C4F5A9BF207026002A1CF258D350DF8E4
Malicious:	false
Preview:	regf.........j..................... ...........C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...t.m.p.....2=.b...,...W....2=.b...,...W........2=.b...,...W..rmtm"...................................................................................................................................................................................................................................................................................................................................................$@.HvLE......................d.E.7.[.o.O.r!........hbin.................j.............nk,.!........... ......................8.......................f.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk......................\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..f...`.........,.CreatingCommand.....C.:.\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.W.e.r.F.a.u.l.t...e.x.e. .-.u. .-.p. .1.8.1.

C:\Windows\appcompat\Programs\Amcache.hve.tmp.LOG2

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	2.1282849190023345
Encrypted:	false
SSDEEP:	48:OHVap0fletnr0/4x1xpznsbOS3eX2PjXl9pl7vlplDplEIld7FgJ6x3onsSK:OI6fleNIC5zwrFZ9LzlLDLEAlF
MD5:	88DD2B6AC7ECC05F016931B4AA3A48CF
SHA1:	03FF3145924E8DD6B6B2A5D72A075D8EE4F9FB8E
SHA-256:	ECF1F04EA2AED14818FC18B052BF7EC012BEDD44ADEE0FDD368770AC574967B0
SHA-512:	53FF3AB711FBB2EB6F612D3C40E274D4E455D0128184AD9506D8A4CCDA5C29FE400AB3050A1A6912F327CDB058BE2F45567E9D1D0D5FC4EC7ABEF0D4AF2ABA84
Malicious:	false
Preview:	regf.........j..................... ...........C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...t.m.p.....2=.b...,...W....2=.b...,...W........2=.b...,...W..rmtm"...................................................................................................................................................................................................................................................................................................................................................$@.HvLE.....................6.....4..vA........hbin.................j.............nk,.!........... ......................8.......................f.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk......................\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..f...`.........,.CreatingCommand.....C.:.\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.W.e.r.F.a.u.l.t...e.x.e. .-.u. .-.p. .1.8.1.

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.4667847958152445
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	relay.dll
File size:	1'596'416 bytes
MD5:	3e58f05e392aab774479ca857b93c692
SHA1:	2839d32656227e73c4a1e51050ed181907f99dd1
SHA256:	04db97c97e4ac3e718ba049348e99dabea0aac5c401972580470b396427f4c27
SHA512:	e8c496294c8af6e126426d4a62097e26d72470d3817364b19a7be07f2e33ecfb33d8afac8b4a346dfc11e68ab2c6dc830d9b856ad13d4b6fd8ce711274eb17ec
SSDEEP:	49152:c2gm39uH+I5/GxEoadcqX7Q9F7r40YB+eTcq+PDXx1lWz09U:ymtuH+e/RoadcqX7Qz7rDY8vq+Pbx1lc
TLSH:	4B758E223E90C076D16F3331875EA7BCB6BE917049F582477D900E397E7288296297DB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S1,..PB..PB..PB.x&..<PB.x&...PB.x&..cQB..(...PB..(..>PB..PC..SB.x&...PB.x&...PB.x&...PB.x&...PB.Rich.PB.........PE..L.....kU...

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100f3084
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x556BF8F8 [Mon Jun 1 06:17:28 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	b621df906e0394d025a0242c6a967904

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FC434835D47h
call 00007FC43483CE5Eh
push dword ptr [ebp+08h]
mov ecx, dword ptr [ebp+10h]
mov edx, dword ptr [ebp+0Ch]
call 00007FC434835C31h
pop ecx
pop ebp
retn 000Ch
mov edi, edi
push ebp
mov ebp, esp
call 00007FC43483C11Dh
test eax, eax
je 00007FC434835D49h
push eax
call 00007FC43483C2D5h
pop ecx
push dword ptr [ebp+08h]
call dword ptr [10117248h]
int3
push 0000000Ch
push 101544E8h
call 00007FC434838F93h
call 00007FC43483C170h
and dword ptr [ebp-04h], 00000000h
push dword ptr [eax+58h]
call dword ptr [eax+54h]
push eax
call 00007FC434835D05h
mov eax, dword ptr [ebp-14h]
mov ecx, dword ptr [eax]
mov ecx, dword ptr [ecx]
mov dword ptr [ebp-1Ch], ecx
push eax
push ecx
call 00007FC43483CC90h
pop ecx
pop ecx
ret
mov esp, dword ptr [ebp-18h]
push dword ptr [ebp-1Ch]
call 00007FC434839798h
int3
mov edi, edi
push ebp
mov ebp, esp
push esi
call 00007FC43483BF7Ah
call 00007FC43483BF6Fh
push eax
call 00007FC43483BF4Fh
test eax, eax
jne 00007FC434835D6Ch
mov esi, dword ptr [ebp+08h]
push esi
call 00007FC43483BF5Ch
push eax
call 00007FC43483BF90h
test eax, eax
jne 00007FC434835D4Fh
call dword ptr [10117414h]
push eax
call dword ptr [10117248h]
call dword ptr [10117348h]
mov dword ptr [esi], eax
jmp 00007FC434835D5Dh

Rich Headers

Programming Language:

[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[C++] VS2010 build 30319
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[EXP] VS2010 build 30319
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1582a0	0xaa	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x155064	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x167000	0x4e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x168000	0x196be	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x117d10	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1400e0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x117000	0x92c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x115a36	0x115c00	5786059ad519455bca2f941a9e86c1b9	False	0.5607059729410441	data	6.577229692115642	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x117000	0x4134a	0x41400	550f70f8f6cd31678a5a06b73f27ee9d	False	0.26228747605363983	DOS executable (COM, 0x8C-variant)	5.157374268616712	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x159000	0xd15c	0x5a00	c89378fbbfa219ac7d36ad568c58498a	False	0.28702256944444443	data	4.9034639828439275	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x167000	0x4e0	0x600	bfe53defdd1c1072e73cb1f041e08440	False	0.390625	data	4.563294424426587	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x168000	0x28636	0x28800	26a75417f93a345c4b050a330917f053	False	0.2642505787037037	data	4.928913010323536	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x1670a0	0x2e4	data	Japanese	Japan	0.4756756756756757
RT_MANIFEST	0x167384	0x15a	ASCII text, with CRLF line terminators	English	United States	0.5491329479768786

Imports

DLL	Import
KERNEL32.dll	InterlockedExchange, GetLocaleInfoW, GetUserDefaultUILanguage, GetFileAttributesExW, GetFileSizeEx, GetCurrentDirectoryW, GetWindowsDirectoryW, GetNumberFormatW, GetTempFileNameW, GetTempPathW, InitializeCriticalSectionAndSpinCount, GetTickCount, GetProfileIntW, SearchPathW, VirtualProtect, FindResourceExW, DecodePointer, GetCommandLineA, ExitThread, CreateThread, HeapAlloc, HeapFree, EncodePointer, RtlUnwind, RaiseException, HeapReAlloc, HeapSize, HeapQueryInformation, ExitProcess, GetSystemTimeAsFileTime, VirtualAlloc, GetSystemInfo, VirtualQuery, SetStdHandle, GetFileType, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, IsProcessorFeaturePresent, SetHandleCount, GetStdHandle, GetStartupInfoW, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapCreate, HeapDestroy, QueryPerformanceCounter, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LCMapStringW, GetTimeZoneInformation, GetStringTypeW, GetConsoleCP, GetConsoleMode, WriteConsoleW, SetEnvironmentVariableA, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, GetFileSize, lstrcmpiW, GlobalFlags, FreeResource, GlobalAddAtomW, GlobalFindAtomW, GlobalDeleteAtom, GetVersionExW, lstrcmpW, lstrlenA, lstrcmpA, GlobalGetAtomNameW, CompareStringW, InterlockedIncrement, SetErrorMode, GetCurrentThreadId, ResumeThread, SetThreadPriority, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, InterlockedDecrement, ActivateActCtx, ReleaseActCtx, CreateActCtxW, DeactivateActCtx, WideCharToMultiByte, GlobalFree, GlobalSize, GlobalAlloc, GlobalLock, GlobalUnlock, FormatMessageW, MulDiv, lstrlenW, SetLastError, FileTimeToLocalFileTime, FileTimeToSystemTime, MultiByteToWideChar, GetFileTime, CreateFileW, GetProcAddress, FreeLibrary, LoadLibraryW, VerifyVersionInfoW, VerSetConditionMask, GetFileAttributesW, CopyFileW, FindClose, FindFirstFileW, lstrcpyW, ProcessIdToSessionId, GetCurrentProcessId, LocalFree, LocalAlloc, GetCurrentProcess, GetCurrentThread, CreateProcessW, GetLastError, FindResourceW, LoadResource, LockResource, SizeofResource, GetModuleFileNameW, GetModuleHandleW, Sleep, GetFullPathNameW, GetVolumeInformationW, DuplicateHandle, GetExitCodeProcess, WaitForSingleObject, GetProcessId, CloseHandle
USER32.dll	GetKeyboardState, CreateAcceleratorTableW, SetCursorPos, LockWindowUpdate, GetKeyNameTextW, OpenClipboard, SetClipboardData, CloseClipboard, EmptyClipboard, IsCharLowerW, MapVirtualKeyExW, UnionRect, UpdateLayeredWindow, MonitorFromPoint, IsMenu, PostThreadMessageW, WaitMessage, DefFrameProcW, DefMDIChildProcW, DrawMenuBar, TranslateMDISysAccel, CreateMenu, SetMenuDefaultItem, IsClipboardFormatAvailable, FrameRect, GetUpdateRect, RegisterClipboardFormatW, CopyIcon, CharUpperBuffW, GetDoubleClickTime, SubtractRect, MapDialogRect, DrawIcon, DestroyCursor, GetWindowRgn, CopyImage, GetIconInfo, OffsetRect, GetNextDlgTabItem, MessageBeep, NotifyWinEvent, EnableScrollBar, HideCaret, DrawFocusRect, InvertRect, ReleaseCapture, GetAsyncKeyState, SetCapture, MapVirtualKeyW, IsRectEmpty, CreatePopupMenu, GetMenuDefaultItem, RedrawWindow, SetLayeredWindowAttributes, EnumDisplayMonitors, KillTimer, DeleteMenu, ShowOwnedPopups, SetCursor, InvalidateRect, SetRectEmpty, IsIconic, IntersectRect, SystemParametersInfoW, DestroyMenu, GetMenuItemInfoW, InflateRect, CharUpperW, DestroyIcon, EndPaint, BeginPaint, GetWindowDC, GrayStringW, DrawTextExW, DrawTextW, TabbedTextOutW, FillRect, GetDesktopWindow, RealChildWindowFromPoint, ClientToScreen, ShowWindow, MoveWindow, SetWindowTextW, IsDialogMessageW, CheckDlgButton, RegisterWindowMessageW, LoadIconW, SendDlgItemMessageW, SendDlgItemMessageA, WinHelpW, IsChild, GetKeyboardLayout, GetClassLongW, SetPropW, GetPropW, RemovePropW, IsWindow, SetFocus, GetForegroundWindow, SetActiveWindow, BeginDeferWindowPos, EndDeferWindowPos, GetDlgItem, GetTopWindow, DestroyWindow, GetMessageTime, GetMessagePos, MonitorFromWindow, GetMonitorInfoW, MapWindowPoints, ScrollWindow, TrackPopupMenu, SetMenu, SetScrollRange, GetScrollRange, SetScrollPos, GetScrollPos, SetForegroundWindow, ShowScrollBar, UpdateWindow, GetClientRect, GetClassInfoExW, GetClassInfoW, RegisterClassW, AdjustWindowRectEx, GetWindowRect, ScreenToClient, EqualRect, DeferWindowPos, GetScrollInfo, SetScrollInfo, CopyRect, PtInRect, SetWindowPlacement, GetWindowPlacement, GetDlgCtrlID, CallWindowProcW, GetMenu, SetWindowLongW, SetWindowPos, GetWindow, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapW, GetFocus, ModifyMenuW, EnableMenuItem, CheckMenuItem, GetWindowTextLengthW, GetWindowTextW, GetWindowThreadProcessId, GetParent, GetWindowLongW, GetLastActivePopup, IsWindowEnabled, EnableWindow, MessageBoxW, LoadCursorW, GetDC, ReleaseDC, GetSysColor, GetSysColorBrush, UnregisterClassW, SetWindowsHookExW, CallNextHookEx, GetActiveWindow, IsWindowVisible, SendMessageW, FindWindowExW, PostMessageW, RegisterClassExW, CreateWindowExW, GetSystemMetrics, GetKeyState, PeekMessageW, GetCursorPos, ValidateRect, UnhookWindowsHookEx, GetMenuState, GetMenuStringW, AppendMenuW, GetMenuItemID, InsertMenuW, GetMenuItemCount, GetSubMenu, RemoveMenu, GetClassNameW, GetMessageW, TranslateMessage, DispatchMessageW, PostQuitMessage, DefWindowProcW, ToUnicodeEx, CopyAcceleratorTableW, DrawFrameControl, DrawEdge, DrawStateW, GetSystemMenu, SetClassLongW, DestroyAcceleratorTable, SetWindowRgn, SetParent, IsZoomed, WindowFromPoint, SetRect, UnpackDDElParam, ReuseDDElParam, LoadMenuW, LoadAcceleratorsW, InsertMenuItemW, BringWindowToTop, TranslateAcceleratorW, CreateDialogIndirectParamW, EndDialog, DrawIconEx, GetNextDlgGroupItem, GetCapture, LoadImageW, SetTimer
MSIMG32.dll	TransparentBlt, AlphaBlend
COMCTL32.dll	ImageList_GetIconSize
SHLWAPI.dll	PathStripToRootW, PathFindExtensionW, PathFindFileNameW, PathRemoveFileSpecW, PathIsUNCW
OLEACC.dll	CreateStdAccessibleObject, LresultFromObject, AccessibleObjectFromWindow
gdiplus.dll	GdipDrawImageI, GdipGetImageGraphicsContext, GdipBitmapUnlockBits, GdipBitmapLockBits, GdipCreateBitmapFromScan0, GdipCreateBitmapFromStream, GdipGetImagePalette, GdipFree, GdipAlloc, GdipDeleteGraphics, GdipDisposeImage, GdipCreateBitmapFromHBITMAP, GdiplusStartup, GdiplusShutdown, GdipCreateFromHDC, GdipSetInterpolationMode, GdipDrawImageRectI, GdipCloneImage, GdipGetImageWidth, GdipGetImageHeight, GdipGetImagePixelFormat, GdipGetImagePaletteSize
IMM32.dll	ImmReleaseContext, ImmGetContext, ImmGetOpenStatus
WINMM.dll	PlaySoundW
NETAPI32.dll	NetUserGetInfo, NetApiBufferFree
WTSAPI32.dll	WTSFreeMemory, WTSQuerySessionInformationW
GDI32.dll	SetLayout, SelectClipRgn, CreateRectRgn, GetViewportExtEx, GetWindowExtEx, BitBlt, GetPixel, PtVisible, RectVisible, TextOutW, ExtTextOutW, Escape, SelectObject, SetViewportOrgEx, OffsetViewportOrgEx, GetLayout, SetTextAlign, MoveToEx, LineTo, GetClipBox, SetMapMode, ExtSelectClipRgn, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, SetROP2, SetPolyFillMode, SetBkMode, DeleteDC, CreatePatternBrush, CreateCompatibleDC, RestoreDC, SelectPalette, GetObjectType, CreatePen, CreateSolidBrush, IntersectClipRect, CreateFontIndirectW, GetTextExtentPoint32W, CreateRectRgnIndirect, SetRectRgn, CombineRgn, PatBlt, DPtoLP, CreateCompatibleBitmap, CreateDIBitmap, GetTextMetricsW, EnumFontFamiliesW, GetTextCharsetInfo, GetBkColor, CreatePalette, GetPaletteEntries, GetNearestPaletteIndex, RealizePalette, GetSystemPaletteEntries, CreateDIBSection, CreateRoundRectRgn, CreatePolygonRgn, GetTextColor, CreateEllipticRgn, Polyline, Ellipse, Polygon, SetDIBColorTable, StretchBlt, SetPixel, Rectangle, OffsetRgn, GetRgnBox, EnumFontFamiliesExW, LPtoDP, GetWindowOrgEx, GetViewportOrgEx, PtInRegion, FillRgn, FrameRgn, GetBoundsRect, ExtFloodFill, SetPaletteEntries, SetPixelV, GetTextFaceW, ExcludeClipRect, CreateHatchBrush, SaveDC, DeleteObject, GetObjectW, SetBkColor, SetTextColor, CreateBitmap, CreateDCW, CopyMetaFileW, ScaleWindowExtEx, SetWindowExtEx, GetStockObject, GetDeviceCaps, OffsetWindowOrgEx
WINSPOOL.DRV	DocumentPropertiesW, ClosePrinter, OpenPrinterW
COMDLG32.dll	GetFileTitleW
ADVAPI32.dll	FreeSid, IsValidSecurityDescriptor, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, SetSecurityDescriptorDacl, AddAccessAllowedAce, InitializeAcl, GetLengthSid, InitializeSecurityDescriptor, AllocateAndInitializeSid, DuplicateToken, OpenProcessToken, OpenThreadToken, AccessCheck, RegCloseKey, RegOpenKeyExW, RegCreateKeyExW, RegDeleteKeyW, RegDeleteValueW, RegSetValueExW, RegEnumKeyExW, RegQueryValueExW
SHELL32.dll	SHAppBarMessage, DragQueryFileW, DragFinish, ShellExecuteW, SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetFileInfoW, ShellExecuteExW, SHBrowseForFolderW
ole32.dll	OleGetClipboard, CoLockObjectExternal, RevokeDragDrop, DoDragDrop, OleLockRunning, IsAccelerator, OleTranslateAccelerator, OleDestroyMenuDescriptor, OleCreateMenuDescriptor, CoTaskMemFree, CreateStreamOnHGlobal, CoInitializeEx, CoInitialize, CoUninitialize, CoCreateInstance, OleDuplicateData, CoTaskMemAlloc, ReleaseStgMedium, RegisterDragDrop
OLEAUT32.dll	VariantClear, VariantChangeType, SysFreeString, VariantTimeToSystemTime, SystemTimeToVariantTime, SysStringLen, SysAllocStringLen, VarBstrFromDate, VariantInit, SysAllocString

Exports

Name	Ordinal	Address
Cancel	11	0x10002400
Finalize	2	0x10002290
Initialize	1	0x10002180
PrepareRun	12	0x10002360
Run	10	0x10002380

Possible Origin

Language of compilation system	Country where language is spoken	Map
Japanese	Japan
English	United States

Target ID:	0
Start time:	11:35:56
Start date:	20/04/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\relay.dll"
Imagebase:	0x160000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:35:56
Start date:	20/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:35:56
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\relay.dll",#1
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:35:56
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\relay.dll,Cancel
Imagebase:	0x900000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:35:56
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\relay.dll",#1
Imagebase:	0x900000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:35:56
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 672
Imagebase:	0x600000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:35:56
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 632
Imagebase:	0x600000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:35:59
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\relay.dll,Finalize
Imagebase:	0x900000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:35:59
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 620
Imagebase:	0x600000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:36:02
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\relay.dll,Initialize
Imagebase:	0x900000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	11:36:02
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 624
Imagebase:	0x600000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	11:36:05
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\relay.dll",Cancel
Imagebase:	0x900000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	11:36:05
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\relay.dll",Finalize
Imagebase:	0x900000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	11:36:05
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\relay.dll",Initialize
Imagebase:	0x900000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	11:36:05
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\relay.dll",Run
Imagebase:	0x900000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	11:36:05
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\relay.dll",PrepareRun
Imagebase:	0x900000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	11:36:05
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 668
Imagebase:	0x600000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	11:36:05
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 668
Imagebase:	0x600000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	11:36:05
Start date:	20/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 664
Imagebase:	0x600000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1%
Total number of Nodes:	592
Total number of Limit Nodes:	15

Executed Functions

Function 6CB575A5 Relevance: 103.8, APIs: 48, Strings: 11, Instructions: 557
libraryloaderstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB575AF

Part of subcall function 6CB51242: __EH_prolog3.LIBCMT ref: 6CB51249
Part of subcall function 6CB51242: GetWindowDC.USER32(00000000,00000004,6CB570CF,00000000,?,?,6CC63080), ref: 6CB51275

GetDeviceCaps.GDI32(?,00000058), ref: 6CB575D5
DeleteObject.GDI32(00000000), ref: 6CB57636
DeleteObject.GDI32(00000000), ref: 6CB57653
DeleteObject.GDI32(00000000), ref: 6CB57670
DeleteObject.GDI32(00000000), ref: 6CB57687
DeleteObject.GDI32(00000000), ref: 6CB576A4
DeleteObject.GDI32(00000000), ref: 6CB576BB
DeleteObject.GDI32(00000000), ref: 6CB576D2
DeleteObject.GDI32(00000000), ref: 6CB576E9
DeleteObject.GDI32(00000000), ref: 6CB57706
DeleteObject.GDI32(00000000), ref: 6CB5771D
_memset.LIBCMT ref: 6CB57734
GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 6CB57744
lstrcpyW.KERNEL32(?,?), ref: 6CB57793
EnumFontFamiliesW.GDI32(?,00000000,Function_0001755C), ref: 6CB577BA
lstrcpyW.KERNEL32(?), ref: 6CB577CA
EnumFontFamiliesW.GDI32(?,00000000,Function_0001755C), ref: 6CB577E5
lstrcpyW.KERNEL32(?), ref: 6CB577FD
CreateFontIndirectW.GDI32(?), ref: 6CB57809
CreateFontIndirectW.GDI32(?), ref: 6CB57859
CreateFontIndirectW.GDI32(?), ref: 6CB57894
CreateFontIndirectW.GDI32(?), ref: 6CB578BC
CreateFontIndirectW.GDI32(?), ref: 6CB578D9
GetSystemMetrics.USER32(00000048), ref: 6CB578F4
lstrcpyW.KERNEL32(?), ref: 6CB57908
CreateFontIndirectW.GDI32(?), ref: 6CB5790E
GetStockObject.GDI32(00000011), ref: 6CB5793C
GetObjectW.GDI32(?,0000005C,?), ref: 6CB5795E
lstrcpyW.KERNEL32(?), ref: 6CB57997
CreateFontIndirectW.GDI32(?), ref: 6CB579A1
CreateFontIndirectW.GDI32(?), ref: 6CB579C0
GetStockObject.GDI32(00000011), ref: 6CB579D6
GetObjectW.GDI32(?,0000005C,?), ref: 6CB579E7
CreateFontIndirectW.GDI32(?), ref: 6CB579F1
CreateFontIndirectW.GDI32(?), ref: 6CB57A14
__EH_prolog3_GS.LIBCMT ref: 6CB57A9F
GetVersionExW.KERNEL32(?,0000011C,00000000), ref: 6CB57BF5
GetSystemMetrics.USER32(00001000), ref: 6CB57C00
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 6CB57C85
GetProcAddress.KERNEL32(?,DrawThemeTextEx), ref: 6CB57C98
GetProcAddress.KERNEL32(?,BufferedPaintInit), ref: 6CB57CAB
GetProcAddress.KERNEL32(?,BufferedPaintUnInit), ref: 6CB57CBE
GetProcAddress.KERNEL32(?,BeginBufferedPaint), ref: 6CB57CD1
GetProcAddress.KERNEL32(?,EndBufferedPaint), ref: 6CB57CE4
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea), ref: 6CB57D2D
GetProcAddress.KERNEL32(?,DwmDefWindowProc), ref: 6CB57D40
GetProcAddress.KERNEL32(?,DwmIsCompositionEnabled), ref: 6CB57D53

Strings

EndBufferedPaint, xrefs: 6CB57CD3
DwmIsCompositionEnabled, xrefs: 6CB57D42
BeginBufferedPaint, xrefs: 6CB57CC0
BufferedPaintUnInit, xrefs: 6CB57CAD
dwmapi.dll, xrefs: 6CB57D12
DrawThemeTextEx, xrefs: 6CB57C87
BufferedPaintInit, xrefs: 6CB57C9A
DrawThemeParentBackground, xrefs: 6CB57C7F
UxTheme.dll, xrefs: 6CB57C64
DwmDefWindowProc, xrefs: 6CB57D2F
DwmExtendFrameIntoClientArea, xrefs: 6CB57D27

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Object$Font$CreateDeleteIndirect$AddressProc$lstrcpy$EnumFamiliesH_prolog3_MetricsStockSystem$CapsCharsetDeviceH_prolog3InfoTextVersionWindow_memset
String ID: BeginBufferedPaint$BufferedPaintInit$BufferedPaintUnInit$DrawThemeParentBackground$DrawThemeTextEx$DwmDefWindowProc$DwmExtendFrameIntoClientArea$DwmIsCompositionEnabled$EndBufferedPaint$UxTheme.dll$dwmapi.dll
API String ID: 3153784359-1174303547
Opcode ID: 8bd070fef16785762ff97271326a71e0c354cff5e0cfebfed131a3139cc94758
Instruction ID: 65a2280a016b569e4384e1350a699e202f1ae4f350af3d8aabd6383ca87e150f
Opcode Fuzzy Hash: 8bd070fef16785762ff97271326a71e0c354cff5e0cfebfed131a3139cc94758
Instruction Fuzzy Hash: 6D3257B09017989FCB21CFB9C844BDEBBF8AF55304F4089AED5AAA7640DBB09554CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6CB57073 Relevance: 64.8, APIs: 43, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6CB5707A
GetSysColor.USER32(00000016), ref: 6CB57089
GetSysColor.USER32(0000000F), ref: 6CB57096
GetSysColor.USER32(00000015), ref: 6CB570A9
GetSysColor.USER32(0000000F), ref: 6CB570B1
GetDeviceCaps.GDI32(?,0000000C), ref: 6CB570D7
GetSysColor.USER32(0000000F), ref: 6CB570E5
GetSysColor.USER32(00000010), ref: 6CB570EF
GetSysColor.USER32(00000015), ref: 6CB570F9
GetSysColor.USER32(00000016), ref: 6CB57103
GetSysColor.USER32(00000014), ref: 6CB5710D
GetSysColor.USER32(00000012), ref: 6CB57117
GetSysColor.USER32(00000011), ref: 6CB57121
GetSysColor.USER32(00000006), ref: 6CB57128
GetSysColor.USER32(0000000D), ref: 6CB5712F
GetSysColor.USER32(0000000E), ref: 6CB57136
GetSysColor.USER32(00000005), ref: 6CB5713D
GetSysColor.USER32(00000008), ref: 6CB57147
GetSysColor.USER32(00000009), ref: 6CB5714E
GetSysColor.USER32(00000007), ref: 6CB57155
GetSysColor.USER32(00000002), ref: 6CB5715C
GetSysColor.USER32(00000003), ref: 6CB57163
GetSysColor.USER32(0000001B), ref: 6CB5716A
GetSysColor.USER32(0000001C), ref: 6CB57174
GetSysColor.USER32(0000000A), ref: 6CB5717E
GetSysColor.USER32(0000000B), ref: 6CB57188
GetSysColor.USER32(00000013), ref: 6CB57192
GetSysColor.USER32(0000001A), ref: 6CB571AC
GetSysColorBrush.USER32(00000010), ref: 6CB571C7
GetSysColorBrush.USER32(00000014), ref: 6CB571DE
GetSysColorBrush.USER32(00000005), ref: 6CB571F0
CreateSolidBrush.GDI32(?), ref: 6CB57214
CreateSolidBrush.GDI32(?), ref: 6CB57230
CreateSolidBrush.GDI32(?), ref: 6CB5724C
CreateSolidBrush.GDI32(?), ref: 6CB57268
CreateSolidBrush.GDI32(?), ref: 6CB57284
CreateSolidBrush.GDI32(?), ref: 6CB572A0
CreateSolidBrush.GDI32(?), ref: 6CB572BC
CreatePen.GDI32(00000000,00000001,00000000), ref: 6CB572E5
CreatePen.GDI32(00000000,00000001,00000000), ref: 6CB57308
CreatePen.GDI32(00000000,00000001,00000000), ref: 6CB5732B
CreateSolidBrush.GDI32(?), ref: 6CB573AF
CreatePatternBrush.GDI32(00000000), ref: 6CB573F0

Part of subcall function 6CB51447: DeleteObject.GDI32(00000000), ref: 6CB51456

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Color$BrushCreate$Solid$CapsDeleteDeviceH_prolog3ObjectPattern
String ID:
API String ID: 3754413814-0
Opcode ID: af998860cf166b0b461e35739c2fe72c28ac8c0429d8df9b6685cae3dda08304
Instruction ID: cb05d45e619daa2c2175e8f44f1775a233290b54ba1429f99d1f7614d4be4eca
Opcode Fuzzy Hash: af998860cf166b0b461e35739c2fe72c28ac8c0429d8df9b6685cae3dda08304
Instruction Fuzzy Hash: CEB17C70A00B849ED721EFB18C94BEFBAF0AF41304F44892ED19797A90DBB1A559DF11

Uniqueness

Uniqueness Score: -1.00%

Function 6CB9AF84 Relevance: 40.7, APIs: 22, Strings: 1, Instructions: 421
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6CB9AF8E
LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002000), ref: 6CB9B150
GetObjectW.GDI32(00000082,00000018,?), ref: 6CB9B162
CreateCompatibleDC.GDI32(00000000), ref: 6CB9B1B4
GetObjectW.GDI32(00000082,00000018,?), ref: 6CB9B1CF
SelectObject.GDI32(?,00000082), ref: 6CB9B1E3
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6CB9B207
SelectObject.GDI32(?,00000000), ref: 6CB9B21A
CreateCompatibleDC.GDI32(?), ref: 6CB9B230
SelectObject.GDI32(?,?), ref: 6CB9B245
SelectObject.GDI32(?,00000000), ref: 6CB9B254
DeleteObject.GDI32(?), ref: 6CB9B259
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6CB9B279
GetPixel.GDI32(?,?,?), ref: 6CB9B298
SetPixel.GDI32(?,?,?,00000000), ref: 6CB9B2CE
SelectObject.GDI32(?,?), ref: 6CB9B2F0
SelectObject.GDI32(?,00000000), ref: 6CB9B2F8
DeleteObject.GDI32(00000082), ref: 6CB9B2FD
DeleteObject.GDI32(00000082), ref: 6CB9B32F
__EH_prolog3.LIBCMT ref: 6CB9B363
CreateCompatibleDC.GDI32(00000000), ref: 6CB9B42E
CreateCompatibleDC.GDI32(00000000), ref: 6CB9B43A

Strings

, xrefs: 6CB9B168

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$Delete$H_prolog3Pixel$BitmapImageLoad
String ID:
API String ID: 1197801157-3916222277
Opcode ID: 0afa68de2d2b1eee9939b7b482ae2a09b0e6d53b26365cf6e38984900ca42058
Instruction ID: c77e908d86961e639c8c5e4c8873b73dc3846f0c22583d819054bba793b1fcd0
Opcode Fuzzy Hash: 0afa68de2d2b1eee9939b7b482ae2a09b0e6d53b26365cf6e38984900ca42058
Instruction Fuzzy Hash: 3B0267B0D01268DFCF15CFA8C884ADEBBB5FF0A704F10816AE819AB655D7708945DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB464C6 Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(6CC9E99C,?,?,?,6CC9E980,6CC9E980,?,6CB4691C,00000004,6CB4625C,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA), ref: 6CB464D9
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,6CC9E980,6CC9E980,?,6CB4691C,00000004,6CB4625C,6CB452E2,6CB46285,6CB46ECD,6CB445CE), ref: 6CB4652F
GlobalHandle.KERNEL32(02C70B38), ref: 6CB46538
GlobalUnlock.KERNEL32(00000000,?,?,?,6CC9E980,6CC9E980,?,6CB4691C,00000004,6CB4625C,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA), ref: 6CB46542
GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 6CB4655B
GlobalHandle.KERNEL32(02C70B38), ref: 6CB4656D
GlobalLock.KERNEL32(00000000,?,?,?,6CC9E980,6CC9E980,?,6CB4691C,00000004,6CB4625C,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA), ref: 6CB46574
LeaveCriticalSection.KERNEL32(00000000,?,?,?,6CC9E980,6CC9E980,?,6CB4691C,00000004,6CB4625C,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA), ref: 6CB4657D
GlobalLock.KERNEL32(00000000,?,?,?,6CC9E980,6CC9E980,?,6CB4691C,00000004,6CB4625C,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA), ref: 6CB46589
_memset.LIBCMT ref: 6CB465A3
LeaveCriticalSection.KERNEL32(00000000), ref: 6CB465D1

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: 9cd79fd558c8266d9d5bae52191a00f72543c1d5604b34ca987781d23c59d205
Instruction ID: c0d53afc8784413c4dc5bd3deb545d0c8319783bff23d2bce900ea596ad6a6d9
Opcode Fuzzy Hash: 9cd79fd558c8266d9d5bae52191a00f72543c1d5604b34ca987781d23c59d205
Instruction Fuzzy Hash: 3F31CF71A04748AFDB208F64CC89A4ABBF9FF44315B00C969E952E3A54EB30FD94DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6CB43D10 Relevance: 10.6, APIs: 7, Instructions: 146
memoryfilelibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,00000001,00000001,00000000,00000003,00000080,00000000,6CB433E9,?,?), ref: 6CB43D2D
GetFileSize.KERNEL32(00000000,00000000), ref: 6CB43D40
HeapCreate.KERNEL32(00000000,00000000,00000000,00000000), ref: 6CB43D52
HeapAlloc.KERNEL32(00000000), ref: 6CB43D59
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 6CB43D7C
GetProcAddress.KERNEL32(?,00000001), ref: 6CB43DC9
GetProcAddress.KERNEL32(?,00000001), ref: 6CB43DDF

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: File$AddressCreateHeapProc$AllocReadSize
String ID:
API String ID: 4047308675-0
Opcode ID: f13feaebec54686fa0e6c71806a9ce78fa88b041081fe33f232cd87f3e8033c3
Instruction ID: 1e29cb910c4d4b7fe937b858c89cddf3588155b9dbdd606a24cce63f84a3c3f5
Opcode Fuzzy Hash: f13feaebec54686fa0e6c71806a9ce78fa88b041081fe33f232cd87f3e8033c3
Instruction Fuzzy Hash: 5D51F275209246AFE701CF24C884D6AB7FDFF8A208F09851AF959C7211EB30E9158B61

Uniqueness

Uniqueness Score: -1.00%

Function 6CBE39EC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6CBE39F3

Part of subcall function 6CB46A75: EnterCriticalSection.KERNEL32(6CC9EB58,?,?,?,?,6CB463CF,00000010,00000008,6CB4627B,6CB46212,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA), ref: 6CB46AAF
Part of subcall function 6CB46A75: InitializeCriticalSection.KERNEL32(?,?,?,?,?,6CB463CF,00000010,00000008,6CB4627B,6CB46212,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA), ref: 6CB46AC1
Part of subcall function 6CB46A75: LeaveCriticalSection.KERNEL32(6CC9EB58,?,?,?,?,6CB463CF,00000010,00000008,6CB4627B,6CB46212,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA), ref: 6CB46ACE
Part of subcall function 6CB46A75: EnterCriticalSection.KERNEL32(?,?,?,?,?,6CB463CF,00000010,00000008,6CB4627B,6CB46212,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA), ref: 6CB46ADE

GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 6CBE3A4B
GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 6CBE3A5D

Strings

DragDelay, xrefs: 6CBE3A52
DragMinDist, xrefs: 6CBE3A40
windows, xrefs: 6CBE3A45, 6CBE3A4A, 6CBE3A57

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterProfile$H_prolog3InitializeLeave
String ID: DragDelay$DragMinDist$windows
API String ID: 3965097884-2101198082
Opcode ID: 9acc261b3d0ca1dcf3ec925f6fb00143ecd29b06920ea8e19aa454522c575736
Instruction ID: 706ea505388e94d41623f6630d6378128eb45d0a2a4ee8af03ba66abeea2fbc2
Opcode Fuzzy Hash: 9acc261b3d0ca1dcf3ec925f6fb00143ecd29b06920ea8e19aa454522c575736
Instruction Fuzzy Hash: E8019EB0940710AAEA20AF2B8A8A70EFAF4FF95704F40590ED18997F50DBB1A141CF84

Uniqueness

Uniqueness Score: -1.00%

Function 6CC34A8B Relevance: 7.6, APIs: 5, Instructions: 68
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 6CC34A99

Part of subcall function 6CC33284: __FF_MSGBANNER.LIBCMT ref: 6CC3329D
Part of subcall function 6CC33284: __NMSG_WRITE.LIBCMT ref: 6CC332A4
Part of subcall function 6CC33284: RtlAllocateHeap.NTDLL(00000000,00000001,00000000,00000000,UIxFramework,?,6CB44655,?,00000000,?,6CB439CF,0000001C,?,6CB421C5,C43828F3), ref: 6CC332C9

_free.LIBCMT ref: 6CC34AAC

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 699bafdd902597b112e5f8107a77a57c14ffff6d9f086582fd51a6e8552a8415
Instruction ID: 476121d97fc4a9f20aa565b22e0f552f93a0820185fb95a72413dc440119a5ae
Opcode Fuzzy Hash: 699bafdd902597b112e5f8107a77a57c14ffff6d9f086582fd51a6e8552a8415
Instruction Fuzzy Hash: 0511C832544A35ABCB11DA75B8046C93EA8AB413BAB146525F84CA7A50FF3688808698

Uniqueness

Uniqueness Score: -1.00%

Function 6CB459C2 Relevance: 7.6, APIs: 5, Instructions: 61
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,?,00000105,?,?), ref: 6CB459F5
SetLastError.KERNEL32(0000006F), ref: 6CB45A0C
CreateActCtxWWorker.KERNEL32(?), ref: 6CB45A54
CreateActCtxW.KERNEL32(00000020), ref: 6CB45A72
CreateActCtxW.KERNEL32(00000020), ref: 6CB45A94

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Create$ErrorFileLastModuleNameWorker
String ID:
API String ID: 1816906465-0
Opcode ID: 2b78c0adda2e81e8371a18988aab6881f321b2b488ac7c4b0ab3ae14d672f21c
Instruction ID: a5cde22c83ea1829fac2d928fb31fd6c1731df92c9da90dba44b63d2f67549b8
Opcode Fuzzy Hash: 2b78c0adda2e81e8371a18988aab6881f321b2b488ac7c4b0ab3ae14d672f21c
Instruction Fuzzy Hash: 5F215E709006199EDB20DF65C8887DAB7F8FF44324F108699D469E3180DB749A89DF51

Uniqueness

Uniqueness Score: -1.00%

Function 6CB415B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindWindowExW.USER32(000000FD,00000000,?,00000000), ref: 6CB4163F
PostMessageW.USER32(00000000,00008451,00000000,00000000), ref: 6CB41659
PostMessageW.USER32(00000000,000084B0,00000000,00000000), ref: 6CB41670

Strings

Canon.IC.UniversalInstaller.v2.Install, xrefs: 6CB415E7

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessagePost$FindWindow
String ID: Canon.IC.UniversalInstaller.v2.Install
API String ID: 2066994869-3435139002
Opcode ID: 5c75e9e5d81ab98d1083654456f150f40c8792a45390024f9ea83ad66675bdd9
Instruction ID: 451727fc0fe405a2b87f007364226dea0ad742bec5925b8bd0e4cf38eaf7930a
Opcode Fuzzy Hash: 5c75e9e5d81ab98d1083654456f150f40c8792a45390024f9ea83ad66675bdd9
Instruction Fuzzy Hash: 4021AD71E08249ABDF00CFA4D845FDEB7B9FB05714F48C519E515A7A84EB30E514CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB9B35C Relevance: 4.6, APIs: 3, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6CB9B363
CreateCompatibleDC.GDI32(00000000), ref: 6CB9B42E
CreateCompatibleDC.GDI32(00000000), ref: 6CB9B43A

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CompatibleCreate$H_prolog3
String ID:
API String ID: 2193723985-0
Opcode ID: a34b0868c4264179d2f30b738129079bac909a5a07a32a699ab6cd29bd4c957a
Instruction ID: 857534d5f5570430128a4d14287226c293745405b3f2e26dce4f3b1117a7112b
Opcode Fuzzy Hash: a34b0868c4264179d2f30b738129079bac909a5a07a32a699ab6cd29bd4c957a
Instruction Fuzzy Hash: 4251CBB09117618FCF48CF69C4802897BB8BF0AB14F1081ABED19DF64ADBB08545DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB42EC0 Relevance: 3.1, APIs: 2, Instructions: 111
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6CB4528E: __CxxThrowException@8.LIBCMT ref: 6CB452A4

_memmove_s.LIBCMT ref: 6CB42F8A

Part of subcall function 6CB42EC0: _memcpy_s.LIBCMT ref: 6CB42F97

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Exception@8Throw_memcpy_s_memmove_s
String ID:
API String ID: 1845472808-0
Opcode ID: 3f8a6ebd6dd006d4df12b144eca305172c0d587c743d20c9ba974ad4f9aa774b
Instruction ID: 0bfc080bdbbbde27b1f837a95b643a57f0fa3b7b3df7b4d33567ceb12229ddf6
Opcode Fuzzy Hash: 3f8a6ebd6dd006d4df12b144eca305172c0d587c743d20c9ba974ad4f9aa774b
Instruction Fuzzy Hash: B93193316085489FCB04CFA9D888D5EF3B9EF84318B50C259E804DBB18DB31AD55BBA6

Uniqueness

Uniqueness Score: -1.00%

Function 6CB476DB Relevance: 3.0, APIs: 2, Instructions: 36
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000000,00000000,?,6CB44547,?,00000000,6CC7FC44,00000000,?,?,?,?,6CC32FFA,?), ref: 6CB476E9
SetErrorMode.KERNELBASE(00000000,?,6CB44547,?,00000000,6CC7FC44,00000000,?,?,?,?,6CC32FFA,?,?,?,?), ref: 6CB476F1

Part of subcall function 6CB459C2: GetModuleFileNameW.KERNEL32(?,?,00000105,?,?), ref: 6CB459F5
Part of subcall function 6CB459C2: SetLastError.KERNEL32(0000006F), ref: 6CB45A0C

Part of subcall function 6CB474FF: GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,00000000), ref: 6CB4753C
Part of subcall function 6CB474FF: PathFindExtensionW.SHLWAPI(?), ref: 6CB47556
Part of subcall function 6CB474FF: __wcsdup.LIBCMT ref: 6CB475A0
Part of subcall function 6CB474FF: __wcsdup.LIBCMT ref: 6CB475DE
Part of subcall function 6CB474FF: __wcsdup.LIBCMT ref: 6CB47612

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Error__wcsdup$FileModeModuleName$ExtensionFindLastPath
String ID:
API String ID: 972848482-0
Opcode ID: 3ae7f202bfc90d475b3b63a06c9b82f54a13c9d94e9ef12afbac36c56021da36
Instruction ID: 8bda7250c0309ffc074e2c39b9882408953a654b4d2d74c45cebf8a34fa3245d
Opcode Fuzzy Hash: 3ae7f202bfc90d475b3b63a06c9b82f54a13c9d94e9ef12afbac36c56021da36
Instruction Fuzzy Hash: 06F0CD70A182A4AFCB14EF64C400A9D3BE8AF04324F06C09AE958DB751DB70D844EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4B536 Relevance: 3.0, APIs: 2, Instructions: 24
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ActivateActCtx.KERNEL32(?,?,6CC89010,00000010,6CB4DF4A,hhctrl.ocx,6CB4D17C,0000000C), ref: 6CB4B556
LoadLibraryW.KERNELBASE(?), ref: 6CB4B56D

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ActivateLibraryLoad
String ID:
API String ID: 389599620-0
Opcode ID: 28d648afc129995b50fb21babae62cca47d8531d1888e3af3ee300f9097eb089
Instruction ID: 1c38dbe2bc453f9836e1c9f819642dc131d2c09a74858b858326562db13123d3
Opcode Fuzzy Hash: 28d648afc129995b50fb21babae62cca47d8531d1888e3af3ee300f9097eb089
Instruction Fuzzy Hash: F0F0A970C00628EBCF409FA0C804ACDBEB0BF08720F508525E806E6A50D7348A95EF80

Uniqueness

Uniqueness Score: -1.00%

Function 6CB42D40 Relevance: 1.6, APIs: 1, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memcpy_s.LIBCMT ref: 6CB42D8E

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: _memcpy_s
String ID:
API String ID: 2001391462-0
Opcode ID: 81879d606138e99ccb7bfb809fc27e240f57bace7f2ac6ab6a08bae9a63c8454
Instruction ID: 13e362583ea9f55e73efc9cc436633ec90c6de162b15e30409a38a0c98529364
Opcode Fuzzy Hash: 81879d606138e99ccb7bfb809fc27e240f57bace7f2ac6ab6a08bae9a63c8454
Instruction Fuzzy Hash: 72118C76604A04AFC309CF6CC884CAAB3B9FF89320714866EE5598B750EB31ED01DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB468C8 Relevance: 1.5, APIs: 1, Instructions: 43
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 6CB468CF

Part of subcall function 6CB452C6: __CxxThrowException@8.LIBCMT ref: 6CB452DC
Part of subcall function 6CB452C6: __EH_prolog3.LIBCMT ref: 6CB452E9

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID:
API String ID: 2489616738-0
Opcode ID: 1d8619cb247aff319f7ad891127ba71bbef3406c1fe833869cbf52c0e47d51c3
Instruction ID: 871b916bb2b403a64bec03ee7982ce7aaafebae7eed099b7e315b93e1405eab0
Opcode Fuzzy Hash: 1d8619cb247aff319f7ad891127ba71bbef3406c1fe833869cbf52c0e47d51c3
Instruction Fuzzy Hash: CF01B1302096829BDB049F36C41039D36B2FB49369B25C52DD490CBB84EF31C808EB41

Uniqueness

Uniqueness Score: -1.00%

Function 6CB454FE Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6CB4551D

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: c22795ef8571add31f3584934238efb8a1a1ee976bed04b4fb4f6337499c00b7
Instruction ID: 75f985d4a78ff2944b8467eb267ded107c4efc5acf5c84f97e39b862768c983f
Opcode Fuzzy Hash: c22795ef8571add31f3584934238efb8a1a1ee976bed04b4fb4f6337499c00b7
Instruction Fuzzy Hash: 06E092335146555BC7008F8AD404B9AFBEDDF91375F1AC42AD808CF652DB71E9089BA4

Uniqueness

Uniqueness Score: -1.00%

Function 6CC338ED Relevance: 1.5, APIs: 1, Instructions: 14COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CC36919: __lock.LIBCMT ref: 6CC3691B

__onexit_nolock.LIBCMT ref: 6CC33905

Part of subcall function 6CC33806: DecodePointer.KERNEL32(?,?,?,?,?,6CC3390A,?,6CC94508,0000000C,6CC33936,?,?,6CC369CF,6CC39FEB), ref: 6CC3381B
Part of subcall function 6CC33806: DecodePointer.KERNEL32(?,?,?,?,?,6CC3390A,?,6CC94508,0000000C,6CC33936,?,?,6CC369CF,6CC39FEB), ref: 6CC33828
Part of subcall function 6CC33806: __realloc_crt.LIBCMT ref: 6CC33865
Part of subcall function 6CC33806: __realloc_crt.LIBCMT ref: 6CC3387B
Part of subcall function 6CC33806: EncodePointer.KERNEL32(00000000,?,?,?,?,?,6CC3390A,?,6CC94508,0000000C,6CC33936,?,?,6CC369CF,6CC39FEB), ref: 6CC3388D
Part of subcall function 6CC33806: EncodePointer.KERNEL32(?,?,?,?,?,?,6CC3390A,?,6CC94508,0000000C,6CC33936,?,?,6CC369CF,6CC39FEB), ref: 6CC338A1
Part of subcall function 6CC33806: EncodePointer.KERNEL32(-00000004,?,?,?,?,?,6CC3390A,?,6CC94508,0000000C,6CC33936,?,?,6CC369CF,6CC39FEB), ref: 6CC338A9

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Pointer$Encode$Decode__realloc_crt$__lock__onexit_nolock
String ID:
API String ID: 3536590627-0
Opcode ID: 3715ec2f70716ab2b533f4ba0a7556a4c69c875d0fad61f7e0b07e3dee5f2993
Instruction ID: fcb81698b6b385780235aa9895f554736081111162ca2c7b1fd4a026a2fce5e6
Opcode Fuzzy Hash: 3715ec2f70716ab2b533f4ba0a7556a4c69c875d0fad61f7e0b07e3dee5f2993
Instruction Fuzzy Hash: 70D05E70C01718EACB10EFE8F840BCC7B70BF00229F606114D02DEABD0EB78460A8A41

Uniqueness

Uniqueness Score: -1.00%

Function 6CB51447 Relevance: 1.5, APIs: 1, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 6CB51456

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: DeleteObject
String ID:
API String ID: 1531683806-0
Opcode ID: d2f29c9da51af6dae442c27403cee5ae0c14a55937c4538a5bc4d8b8ab1b044b
Instruction ID: 3f24b8dcc39a409fc532d688485cc878abc48770fb76bba5061947ac6743b8c9
Opcode Fuzzy Hash: d2f29c9da51af6dae442c27403cee5ae0c14a55937c4538a5bc4d8b8ab1b044b
Instruction Fuzzy Hash: 27B01270911140AECF009F308A0D31B35749B8330EF8CECA8E40ED3901DB39C065DE10

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6CBB3CD5 Relevance: 42.5, APIs: 28, Instructions: 452windowkeyboardCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 6CBB3D0A
GetWindowRect.USER32(?,?), ref: 6CBB3D2D
PtInRect.USER32(?,?,?), ref: 6CBB3D3B

Part of subcall function 6CBC0119: RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 6CBC0190

GetAsyncKeyState.USER32(00000012), ref: 6CBB3D60
ScreenToClient.USER32(?,?), ref: 6CBB3DAE
IsWindow.USER32(?), ref: 6CBB3DF5
IsWindow.USER32(?), ref: 6CBB3E38
GetWindowRect.USER32(?,?), ref: 6CBB3E58
PtInRect.USER32(?,?,?), ref: 6CBB3E68
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6CBB3E9D
PtInRect.USER32(-00000054,?,?), ref: 6CBB3EE8
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6CBB3F0D
ScreenToClient.USER32(?,?), ref: 6CBB3F65
PtInRect.USER32(?,?,?), ref: 6CBB3F75
GetParent.USER32(?), ref: 6CBB3FFF
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6CBB4092
GetFocus.USER32 ref: 6CBB4098
WindowFromPoint.USER32(?,?,00000000), ref: 6CBB40D0
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6CBB411A
GetSystemMenu.USER32(?,00000000,?,?,75A8A000,?), ref: 6CBB41A3
IsMenu.USER32(?), ref: 6CBB41C5
EnableMenuItem.USER32(?,0000F030,00000000), ref: 6CBB41E2
EnableMenuItem.USER32(?,0000F120,00000000), ref: 6CBB41ED
IsZoomed.USER32(?), ref: 6CBB41FB
IsIconic.USER32(?), ref: 6CBB421A
EnableMenuItem.USER32(?,0000F120,00000003), ref: 6CBB422E
TrackPopupMenu.USER32(?,00000100,?,?,00000000,?,00000000), ref: 6CBB4256
SendMessageW.USER32(?,00000112,00000000,00000000), ref: 6CBB4270

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$MenuRect$MessageSend$EnableItem$ClientScreen$AsyncFocusFromIconicParentPointPopupRedrawStateSystemTrackVisibleZoomed
String ID:
API String ID: 3398603409-0
Opcode ID: 5f369e2904251206db6568dd4ea4d4c53534763561ee6a0136a091a088c72677
Instruction ID: 9a2df4eda1e9d455a02a91b78244fdb5f91c79fd1630bfd7feb0c2115c6a75d8
Opcode Fuzzy Hash: 5f369e2904251206db6568dd4ea4d4c53534763561ee6a0136a091a088c72677
Instruction Fuzzy Hash: 4AF16871A11299AFDF109FA8C888AAEBBB9FF08348B104569F515F7A50DF31D850DF21

Uniqueness

Uniqueness Score: -1.00%

Function 6CB63BFA Relevance: 27.4, APIs: 18, Instructions: 386windowkeyboardCOMMON

Download Yara Rule

APIs

MessageBeep.USER32 ref: 6CB63C21
SendMessageW.USER32(?,000000B0,?,?), ref: 6CB63C66
SendMessageW.USER32(?,000000B0,?,?), ref: 6CB63D13
SendMessageW.USER32(?,000000B0,?,?), ref: 6CB63EAD
GetKeyState.USER32(00000010), ref: 6CB63EE2
SendMessageW.USER32(?,000000B0,?,?), ref: 6CB63EF8
GetKeyState.USER32(00000011), ref: 6CB63F24
SendMessageW.USER32(?,000000B0,?,?), ref: 6CB63F3A
SendMessageW.USER32(?,000000B0,?,?), ref: 6CB63F82

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Message$Send$State$Beep
String ID:
API String ID: 4138746095-0
Opcode ID: 1cb937dc25f58a72420beb7849b4b83432a791f96c0a43f0196c50c141d9e517
Instruction ID: 7ca5fb75ab69d3aa77cbdca12bd01989a96255d42b17ca0c1f43ac9ddba03cb3
Opcode Fuzzy Hash: 1cb937dc25f58a72420beb7849b4b83432a791f96c0a43f0196c50c141d9e517
Instruction Fuzzy Hash: 26D12472240689BFDF01CE56CC84EDE37B9FB09718F10861AFA25D7980D730EA558B61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB43470 Relevance: 27.2, APIs: 18, Instructions: 172memorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 6CB434D6
OpenThreadToken.ADVAPI32(00000000), ref: 6CB434DD
GetLastError.KERNEL32 ref: 6CB434E7
GetCurrentProcess.KERNEL32(0000000A,?), ref: 6CB434FE
OpenProcessToken.ADVAPI32(00000000), ref: 6CB43505
DuplicateToken.ADVAPI32(?,00000002,?), ref: 6CB4351D
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 6CB43542
LocalAlloc.KERNEL32(00000040,00000014), ref: 6CB43554
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 6CB4356A
GetLengthSid.ADVAPI32(?), ref: 6CB4357C
LocalAlloc.KERNEL32(00000040,00000010), ref: 6CB43588
InitializeAcl.ADVAPI32(00000000,00000010,00000002), ref: 6CB4359F
AddAccessAllowedAce.ADVAPI32(00000000,00000002,00000003,?), ref: 6CB435B6
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 6CB435C6
SetSecurityDescriptorGroup.ADVAPI32(00000000,?,00000000), ref: 6CB435D7
SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 6CB435E4
IsValidSecurityDescriptor.ADVAPI32(00000000), ref: 6CB435EB
AccessCheck.ADVAPI32(00000000,?,00000001,00000001,?,00000014,?,?), ref: 6CB4362C

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: DescriptorSecurity$InitializeToken$AccessAllocCurrentLocalOpenProcessThread$AllocateAllowedCheckDaclDuplicateErrorGroupLastLengthOwnerValid
String ID:
API String ID: 1293491508-0
Opcode ID: 64f68ccbc0b3455880db1ee7165d321ba95bb799bc549dcd1b910579a32b729a
Instruction ID: 0dc735bde7467b75b3e2318764f497b311707544929a74361a0da2122926a6d0
Opcode Fuzzy Hash: 64f68ccbc0b3455880db1ee7165d321ba95bb799bc549dcd1b910579a32b729a
Instruction Fuzzy Hash: 58516B71A04249ABEB00CFE5CC49FDEBBBCFB49710F408119F212AB684D7749945DB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CBAD24D Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 340COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CBAD254

Part of subcall function 6CB96BE5: FillRect.USER32(?,00000020), ref: 6CB96BF9

Strings

d, xrefs: 6CBAD2AC

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: FillH_prolog3Rect
String ID: d
API String ID: 1863035756-2564639436
Opcode ID: 79e55dbdac18fc34770283ffaab5883d12066099efeeee7f1f5513dea0f29d8b
Instruction ID: 82993a3e1e0739f7608abd157d5963879fe6cdd21143874db71eb47f2741e9fe
Opcode Fuzzy Hash: 79e55dbdac18fc34770283ffaab5883d12066099efeeee7f1f5513dea0f29d8b
Instruction Fuzzy Hash: C7C1BD71A04259DFCB00CFF8DD849EEBBB4EF09318F104629F891A6A90D734D956DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CB76981 Relevance: 21.3, APIs: 14, Instructions: 280keyboardwindowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 6CB76A65
SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6CB76A81
GetCapture.USER32 ref: 6CB76AFB
GetKeyState.USER32(00000011), ref: 6CB76B5D
GetKeyState.USER32(00000010), ref: 6CB76B6A
ImmGetContext.IMM32(?), ref: 6CB76B78
ImmGetOpenStatus.IMM32(00000000,?), ref: 6CB76B85
ImmReleaseContext.IMM32(?,00000000,?), ref: 6CB76BA7
GetFocus.USER32 ref: 6CB76BD1
IsWindow.USER32(?), ref: 6CB76C12
IsWindow.USER32(?), ref: 6CB76C98
ClientToScreen.USER32(?,?), ref: 6CB76CA8
IsWindow.USER32(?), ref: 6CB76CCE
ClientToScreen.USER32(?,?), ref: 6CB76CFD

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$ClientContextScreenState$CaptureFocusMessageOpenReleaseSendStatus
String ID:
API String ID: 1155058817-0
Opcode ID: 643000921926374f9c3169e847a696fd11a6aa329d54454d978cc4fd68df090e
Instruction ID: d8f3895304ce4ef709c5a237fb941d0da1f40c3890b1d4c98cb8fbf0ad454de8
Opcode Fuzzy Hash: 643000921926374f9c3169e847a696fd11a6aa329d54454d978cc4fd68df090e
Instruction Fuzzy Hash: 02A1E631A00686EFDF248FA5C994AAEB7B4FF05308F108639E975E5D50DB30D894DB22

Uniqueness

Uniqueness Score: -1.00%

Function 6CB74AA6 Relevance: 21.3, APIs: 14, Instructions: 268keyboardwindowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 6CB74B7F
SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 6CB74B9B
GetCapture.USER32 ref: 6CB74C1B
GetKeyState.USER32(00000011), ref: 6CB74C6E
GetKeyState.USER32(00000010), ref: 6CB74C7B
ImmGetContext.IMM32(?), ref: 6CB74C89
ImmGetOpenStatus.IMM32(00000000,?), ref: 6CB74C96
ImmReleaseContext.IMM32(00000000,00000000,?), ref: 6CB74CB8
GetFocus.USER32 ref: 6CB74CE2
IsWindow.USER32(?), ref: 6CB74D23
IsWindow.USER32(?), ref: 6CB74DA9
ClientToScreen.USER32(?,?), ref: 6CB74DB9
IsWindow.USER32(?), ref: 6CB74DDF
ClientToScreen.USER32(?,?), ref: 6CB74E0E

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$ClientContextScreenState$CaptureFocusMessageOpenReleaseSendStatus
String ID:
API String ID: 1155058817-0
Opcode ID: df2881b3dfb8862ace9aad56ec8260745faae74ebafbb596af96ff0b3689916d
Instruction ID: 4b7707cec6436014ad4851da71a3a996351c21223893c7f95f158325ecbbd0ca
Opcode Fuzzy Hash: df2881b3dfb8862ace9aad56ec8260745faae74ebafbb596af96ff0b3689916d
Instruction Fuzzy Hash: 8991C431600285AFDF348FA5C994BADB7B8EF0530AF208529E97592E50DB70DD94DF22

Uniqueness

Uniqueness Score: -1.00%

Function 6CB7CFAF Relevance: 21.3, APIs: 14, Instructions: 262windowCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6CB7D02C
RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 6CB7D04A
ReleaseCapture.USER32 ref: 6CB7D050
SetCapture.USER32(?), ref: 6CB7D063
ReleaseCapture.USER32 ref: 6CB7D0D8
SetCapture.USER32(?), ref: 6CB7D0EB
SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 6CB7D1C4
UpdateWindow.USER32(?), ref: 6CB7D227
SendMessageW.USER32(?,00000111,000000FF,00000000), ref: 6CB7D26F
IsWindow.USER32(?), ref: 6CB7D27A
IsIconic.USER32(?), ref: 6CB7D287
IsZoomed.USER32(?), ref: 6CB7D294
IsWindow.USER32(?), ref: 6CB7D2A8
UpdateWindow.USER32(?), ref: 6CB7D2F4

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$Capture$MessageReleaseSendUpdate$EmptyIconicRectRedrawZoomed
String ID:
API String ID: 2500574155-0
Opcode ID: c03ae285399718c885270ff8ff421fcb2c432e7eb5e0aa761a15acebf5c288a5
Instruction ID: c0f9a67f8d8ad1959078dc13e6fec220f27d444d1977a1ac83aa7155f51b1699
Opcode Fuzzy Hash: c03ae285399718c885270ff8ff421fcb2c432e7eb5e0aa761a15acebf5c288a5
Instruction Fuzzy Hash: 82A17930600241AFDF219F74C888AAD3BB6FF45355F1442B8FC2AAB6A5DB31D945DB20

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB297F Relevance: 16.7, APIs: 11, Instructions: 220windowkeyboardCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 6CBB29AD
GetFocus.USER32 ref: 6CBB29BB
IsChild.USER32(?,?), ref: 6CBB29EF
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6CBB2A23
IsChild.USER32(?,?), ref: 6CBB2A3F
SendMessageW.USER32(?,00000100,?,00000000), ref: 6CBB2A6E
IsIconic.USER32(?), ref: 6CBB2AAF
GetAsyncKeyState.USER32(00000011), ref: 6CBB2B35
GetAsyncKeyState.USER32(00000012), ref: 6CBB2B47
GetAsyncKeyState.USER32(00000010), ref: 6CBB2B54
IsWindowVisible.USER32(?), ref: 6CBB2BB5

Part of subcall function 6CBBF101: RedrawWindow.USER32(?,00000000,00000000,00000105,00000000), ref: 6CBBF12E

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AsyncStateWindow$ChildMessageSend$FocusIconicRedrawVisible
String ID:
API String ID: 763474574-0
Opcode ID: 79f54f6aca16ed9dc90dfbe957403268d2705e922dffae9147885bf08e1ea2a0
Instruction ID: b869c5eaf9382382fb3a1dbb2a37e72339dbb25797173acfa38db680a35b9f28
Opcode Fuzzy Hash: 79f54f6aca16ed9dc90dfbe957403268d2705e922dffae9147885bf08e1ea2a0
Instruction Fuzzy Hash: 4071E0316042869FEF209FA5C88CAAE7BB5EF05318F114169E955FBA50DF31E844DB13

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB340E Relevance: 16.6, APIs: 11, Instructions: 99windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000021), ref: 6CBB3430
GetSystemMetrics.USER32(00000020), ref: 6CBB3437
IsIconic.USER32(?), ref: 6CBB344B
GetWindowRect.USER32(?,00000020), ref: 6CBB348C
IsIconic.USER32(?), ref: 6CBB34B0
GetSystemMetrics.USER32(00000004), ref: 6CBB34BC
OffsetRect.USER32(00000020,?,?), ref: 6CBB34CE
GetSystemMetrics.USER32(00000004), ref: 6CBB34D6
IsIconic.USER32(?), ref: 6CBB3504
GetSystemMetrics.USER32(00000021), ref: 6CBB3510
GetSystemMetrics.USER32(00000020), ref: 6CBB3517

Part of subcall function 6CB4FF6B: GetWindowLongW.USER32(?,000000F0), ref: 6CB4FF76

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MetricsSystem$Iconic$RectWindow$LongOffset
String ID:
API String ID: 993849457-0
Opcode ID: ef4a0778f6402aa95c70d1abcd8f4d4cd5fcb945a41450e02f6760733a6e5b70
Instruction ID: 76195e3714da19fc2be00650e90d1fbb0001a3cd6f232fc913493960c58b8dfa
Opcode Fuzzy Hash: ef4a0778f6402aa95c70d1abcd8f4d4cd5fcb945a41450e02f6760733a6e5b70
Instruction Fuzzy Hash: 5D41F771A0024A9FCF04DFA9C985BAEBBF5FF48304F148469EA19E7251DB34A940CF61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6A5AD Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 418COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB6A5B4
_wcslen.LIBCMT ref: 6CB6A657
_wcslen.LIBCMT ref: 6CB6A661
_wcslen.LIBCMT ref: 6CB6A6CD
_memcpy_s.LIBCMT ref: 6CB6A711
_wcslen.LIBCMT ref: 6CB6A724
_memcpy_s.LIBCMT ref: 6CB6A76D

Part of subcall function 6CB452C6: __CxxThrowException@8.LIBCMT ref: 6CB452DC
Part of subcall function 6CB452C6: __EH_prolog3.LIBCMT ref: 6CB452E9

PathRemoveFileSpecW.SHLWAPI(?,00000000,00000000,00000000), ref: 6CB6A888

Part of subcall function 6CB42D40: _memcpy_s.LIBCMT ref: 6CB42D8E

Strings

, xrefs: 6CB6AAB5

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: _wcslen$_memcpy_s$H_prolog3$Exception@8FilePathRemoveSpecThrow
String ID:
API String ID: 25407458-3916222277
Opcode ID: 6d4bad32a68b27790381e4f9f03ff52ae39da46755f5452599879829efe9ecb4
Instruction ID: a8387318f05165e082b9ec7a773380aed3c892edc46f902b2925fee14368c69e
Opcode Fuzzy Hash: 6d4bad32a68b27790381e4f9f03ff52ae39da46755f5452599879829efe9ecb4
Instruction Fuzzy Hash: BEF1C1319012A68FDF08CFA9C945AEEB7B4FF04319F24426DE926ABA95D7309901CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6F967 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 6CB6F9F7
_memset.LIBCMT ref: 6CB6FA05
_free.LIBCMT ref: 6CB6FA31
IsWindow.USER32(?), ref: 6CB6FB52

Strings

0, xrefs: 6CB6FA1B

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ClientScreenWindow_free_memset
String ID: 0
API String ID: 2869304798-4108050209
Opcode ID: 2ad73d26276626a9c4b8df6eff69785a471540e9dcbffbba25484ec8604991d3
Instruction ID: db3ddb7287f80b558d99281fa75431c550484a7be237ceb702160773324cf298
Opcode Fuzzy Hash: 2ad73d26276626a9c4b8df6eff69785a471540e9dcbffbba25484ec8604991d3
Instruction Fuzzy Hash: A351B130A01284AFDF10DFAAD898B9DBBB1FF05318F144529E816E7ED0DB719881CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB370E Relevance: 15.1, APIs: 10, Instructions: 146windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 6CBB3734
ScreenToClient.USER32(?,?), ref: 6CBB37B2
GetSystemMetrics.USER32(00000021), ref: 6CBB37C0
GetSystemMetrics.USER32(00000020), ref: 6CBB37C9
IsIconic.USER32(?), ref: 6CBB37D7
GetSystemMetrics.USER32(00000004), ref: 6CBB37E3
PtInRect.USER32(00000000,?,?), ref: 6CBB382A
PtInRect.USER32(?,?,?), ref: 6CBB3853
GetSystemMetrics.USER32(00000004), ref: 6CBB3869
PtInRect.USER32(00000020,?,?), ref: 6CBB3881

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MetricsSystem$Rect$ClientIconicScreenVisibleWindow
String ID:
API String ID: 1122842830-0
Opcode ID: 08b1271ed8ede83cab5c708122b23339cd90302893b565826718810a572c026c
Instruction ID: 55caec6749b7b29b2662b59a0202b8c58b53ffb4034113fb4cb421ee26a391e8
Opcode Fuzzy Hash: 08b1271ed8ede83cab5c708122b23339cd90302893b565826718810a572c026c
Instruction Fuzzy Hash: CE516F71A0025AAFDF00CFA9C994AAEB7B5FF08354F108265E915FB650DF30E911CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CBBFB15 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 6CBBFB4B

Part of subcall function 6CBBF498: GetParent.USER32(?), ref: 6CBBF4AE
Part of subcall function 6CBBF498: GetSystemMenu.USER32(?,00000000,?,00000000,?,?,?,6CBBFB6E,?), ref: 6CBBF4CD
Part of subcall function 6CBBF498: SetMenuDefaultItem.USER32(?,0000F060,00000000,00000000,?,?,?,6CBBFB6E,?), ref: 6CBBF4F6
Part of subcall function 6CBBF498: GetParent.USER32(?), ref: 6CBBF4FF
Part of subcall function 6CBBF498: IsZoomed.USER32(?), ref: 6CBBF50A
Part of subcall function 6CBBF498: EnableMenuItem.USER32(?,0000F000,00000003), ref: 6CBBF524
Part of subcall function 6CBBF498: EnableMenuItem.USER32(?,0000F010,00000003), ref: 6CBBF530
Part of subcall function 6CBBF498: EnableMenuItem.USER32(?,0000F030,00000003), ref: 6CBBF53C
Part of subcall function 6CBBF498: EnableMenuItem.USER32(?,0000F030,00000000), ref: 6CBBF573
Part of subcall function 6CBBF498: GetParent.USER32(?), ref: 6CBBF57B
Part of subcall function 6CBBF498: DeleteMenu.USER32(?,0000F120,00000000,00000000,?,?,?,6CBBFB6E,?), ref: 6CBBF5A1
Part of subcall function 6CBBF498: DeleteMenu.USER32(?,0000F030,00000000,?,?,?,6CBBFB6E,?), ref: 6CBBF5AD
Part of subcall function 6CBBF498: GetParent.USER32(?), ref: 6CBBF5B5
Part of subcall function 6CBBF498: DeleteMenu.USER32(?,0000F020,00000000,00000000,?,?,?,6CBBFB6E,?), ref: 6CBBF5D5
Part of subcall function 6CBBF498: GetParent.USER32(?), ref: 6CBBF5E7

Strings

y, xrefs: 6CBBFB8C

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Menu$ItemParent$Enable$Delete$DefaultRectSystemWindowZoomed
String ID: y
API String ID: 540879578-4225443349
Opcode ID: 83c270f78b3d8482f20369973f06cc514f4359756e6b152151d1db007db57bbe
Instruction ID: f02279e143727cc729c74d356f3c4792d06b466a0e981b5f822c9d53449f920d
Opcode Fuzzy Hash: 83c270f78b3d8482f20369973f06cc514f4359756e6b152151d1db007db57bbe
Instruction Fuzzy Hash: 7531D53DA042899FCF10DFA9C8557AD77B4EB09359F64852AEC15FB541DF309980CB42

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5261E Relevance: 12.1, APIs: 8, Instructions: 132filestringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB52628
GetFullPathNameW.KERNEL32(00000000,00000104,?,?,00000268,6CB52803,?,?,00000000), ref: 6CB52666

Part of subcall function 6CB452C6: __CxxThrowException@8.LIBCMT ref: 6CB452DC
Part of subcall function 6CB452C6: __EH_prolog3.LIBCMT ref: 6CB452E9

PathIsUNCW.SHLWAPI(?,00000000), ref: 6CB526E2
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6CB52709
CharUpperW.USER32(?), ref: 6CB5273C
FindFirstFileW.KERNEL32(?,?), ref: 6CB52758
FindClose.KERNEL32(00000000), ref: 6CB52764
lstrlenW.KERNEL32(?), ref: 6CB52782

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3H_prolog3_InformationNameThrowUpperVolumelstrlen
String ID:
API String ID: 624941980-0
Opcode ID: c2bd7a45a94d43ac15979312c1e494dd6957a5b716656dd948baaa3f65007a58
Instruction ID: 45cbbda8faa467a4ab88ba066b3a30f60c46e9a40986a2a49cf74963db389cfc
Opcode Fuzzy Hash: c2bd7a45a94d43ac15979312c1e494dd6957a5b716656dd948baaa3f65007a58
Instruction Fuzzy Hash: BF41D8719092559BDF14AF60CC9CBEE763CEF11318F4042D8E919A1995DF318DA4DF22

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6C909 Relevance: 9.1, APIs: 6, Instructions: 116keyboardwindowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000362,0000E002,00000000), ref: 6CB6C98B
UpdateWindow.USER32(?), ref: 6CB6C9A2
GetKeyState.USER32(00000079), ref: 6CB6C9C7
GetKeyState.USER32(00000012), ref: 6CB6C9D4
GetParent.USER32(?), ref: 6CB6CA8A
PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 6CB6CAA6

Part of subcall function 6CB452C6: __CxxThrowException@8.LIBCMT ref: 6CB452DC
Part of subcall function 6CB452C6: __EH_prolog3.LIBCMT ref: 6CB452E9

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageState$Exception@8H_prolog3ParentPostSendThrowUpdateWindow
String ID:
API String ID: 2390574533-0
Opcode ID: 8dd76e2c6ec43b7280ca8f25de4b1f85cba95d10e8b0b70a8222950014a4e2ea
Instruction ID: e10839a4df58de00171df03bc4dbdb903131df8db329f77ed621a0b0d24fddcc
Opcode Fuzzy Hash: 8dd76e2c6ec43b7280ca8f25de4b1f85cba95d10e8b0b70a8222950014a4e2ea
Instruction Fuzzy Hash: 8541E3312017819FEB21EF62C848F9A77B5FF45398F248A28E49A57DD4DB70A880DB11

Uniqueness

Uniqueness Score: -1.00%

Function 6CB647FF Relevance: 7.6, APIs: 5, Instructions: 86keyboardwindowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6CB64833
GetKeyState.USER32(00000012), ref: 6CB64865
GetKeyState.USER32(00000011), ref: 6CB6486E
SendMessageW.USER32(?,00000157,00000000,00000000), ref: 6CB64887
SendMessageW.USER32(?,0000014F,00000001,00000000), ref: 6CB64898

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSendState$Parent
String ID:
API String ID: 1284845784-0
Opcode ID: c2d120fac90914ef6f957aa51bfc76fad971d68ee7563c6f042e37806f6b9ea9
Instruction ID: 2ee61cada7de36425f085b81e157a0490c922b6a6610d8703ae984ca8f4e2143
Opcode Fuzzy Hash: c2d120fac90914ef6f957aa51bfc76fad971d68ee7563c6f042e37806f6b9ea9
Instruction Fuzzy Hash: B8216B32350EC09BDE02E727CC64E6E3BB6FBC174EF204629E1015BF84DA609841AF51

Uniqueness

Uniqueness Score: -1.00%

Function 6CC32782 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6CC38E1F
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CC38E34
UnhandledExceptionFilter.KERNEL32(6CC7C070), ref: 6CC38E3F
GetCurrentProcess.KERNEL32(C0000409), ref: 6CC38E5B
TerminateProcess.KERNEL32(00000000), ref: 6CC38E62

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: ae210f249c086f69c9aa3866c1c38242588881718e9fc174ae8b965068f28758
Instruction ID: 560e7c08a1cfa884dd29dee701b09fba6a18b75407108a985d0f2b7909cd615e
Opcode Fuzzy Hash: ae210f249c086f69c9aa3866c1c38242588881718e9fc174ae8b965068f28758
Instruction Fuzzy Hash: 342112B8A10305CFCF00CFAAF94DA483BB4FB1A305F51A05AE509D7740EBB08996AF41

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4FDFF Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,000000F0), ref: 6CB4FE25
LoadResource.KERNEL32(?,00000000), ref: 6CB4FE31
LockResource.KERNEL32(00000000), ref: 6CB4FE3E
FreeResource.KERNEL32(00000000,00000000), ref: 6CB4FE5A

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 744ad3b88261caa1c2286f7bd7fa642ae64e59bf920ba1d01ceeb270df7c943a
Instruction ID: b14f5e1d44cea35134f3b91ae940a012868fc067679d47a9c400a84561bdb4ac
Opcode Fuzzy Hash: 744ad3b88261caa1c2286f7bd7fa642ae64e59bf920ba1d01ceeb270df7c943a
Instruction Fuzzy Hash: A7F0F472700255BBAB005FE98C84DABBBBDDB81266710C038BA01A3601DB70C840AB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB23B4 Relevance: 4.5, APIs: 3, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 6CBB23DF
GetKeyState.USER32(00000011), ref: 6CBB23E8
GetKeyState.USER32(00000012), ref: 6CBB23F1

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: dc5c7560fa0a11502b27d8bb99ba8878da1516ce33ab34d2d353691762d4c7a6
Instruction ID: eebd3dec21273aafe0de593a4203ba7e310da108cbdd90938f0dd1e6a4369f25
Opcode Fuzzy Hash: dc5c7560fa0a11502b27d8bb99ba8878da1516ce33ab34d2d353691762d4c7a6
Instruction Fuzzy Hash: 63F0A0312412DD9FEF086354AC0CFB77E64DF00784F448061AA44B7880DEB09551A7A3

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB489A Relevance: 3.1, APIs: 2, Instructions: 57windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 6CBB48EE
PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 6CBB493E

Part of subcall function 6CB4FF6B: GetWindowLongW.USER32(?,000000F0), ref: 6CB4FF76

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: IconicLongMessagePostWindow
String ID:
API String ID: 1855654840-0
Opcode ID: 8a26fbd9aaffbf13d5584ae178f88fa586fc59fc064be0e99fd63302f86f8729
Instruction ID: 72e736a4c5a8bbeb435540ce40dd65d4872e35d7666fef29df0a5543793d5a8b
Opcode Fuzzy Hash: 8a26fbd9aaffbf13d5584ae178f88fa586fc59fc064be0e99fd63302f86f8729
Instruction Fuzzy Hash: BE11C877260A914FD7308A38DC84B7A72A5FB45719F180B29E1D1E39D5DB34D8048A15

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6D12B Relevance: 3.0, APIs: 2, Instructions: 37windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 6CB6D13F
IsIconic.USER32(?), ref: 6CB6D151

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: IconicVisibleWindow
String ID:
API String ID: 1797901696-0
Opcode ID: 520adcfe1c68cca200b9ec1a33675171b0e4e68b02846114d0fb092ca6dab178
Instruction ID: 1a4a0cf0834069164ab1a20294511960134ee4abe7b1d4e4fa091f57717ebf98
Opcode Fuzzy Hash: 520adcfe1c68cca200b9ec1a33675171b0e4e68b02846114d0fb092ca6dab178
Instruction Fuzzy Hash: 94F08232350594278A11163BEC1495EB67EEBC2B78730032AE526D3EE0ABA189529151

Uniqueness

Uniqueness Score: -1.00%

Function 6CB564F8 Relevance: 3.0, APIs: 2, Instructions: 34comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 6CB56526
CoCreateInstance.OLE32(6CC7F9EC,00000000,00000001,6CC59DCC,6CCA0B2C,-0000043C,?,?,6CB70FB0,00000000,?,6CBB593B), ref: 6CB56544

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CreateInitializeInstance
String ID:
API String ID: 3519745914-0
Opcode ID: 6d2ca74deb3deb312415d62f07f1753dc30256303d14469fa0e0cc802c901bce
Instruction ID: ac3cf14c54664e32d344c1ebd611f0bd8440b3a11918b16785e2960e32091c53
Opcode Fuzzy Hash: 6d2ca74deb3deb312415d62f07f1753dc30256303d14469fa0e0cc802c901bce
Instruction Fuzzy Hash: 4BF0E9B128118A9FD7209E54ECCCAC537B9E780309FB404BCF104D6608D7325DA3CB21

Uniqueness

Uniqueness Score: -1.00%

Function 6CB72065 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

SetForegroundWindow.USER32(?), ref: 6CB72092
IsIconic.USER32(?), ref: 6CB7209B

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ForegroundIconicWindow
String ID:
API String ID: 1248896474-0
Opcode ID: f9cc36c1b57395315a6e579a7de353b8d41b3ccc738e537267d524ba09fbc580
Instruction ID: bb55a9996c9ebe024c2393b0ef14579278c762371ad135be8752b598aafe956c
Opcode Fuzzy Hash: f9cc36c1b57395315a6e579a7de353b8d41b3ccc738e537267d524ba09fbc580
Instruction Fuzzy Hash: DBE0553230C6809FE6301A38DC0CE6E3779FF80331B60021AF82996AE4EE1188418772

Uniqueness

Uniqueness Score: -1.00%

Function 6CB72109 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 6CB72129

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: 10f14f0c7123e6ef8f642ac4ecc15a0bb452a985eae7b297139ae2e9af680f9d
Instruction ID: d15320290770ad966550e8614d85e3204e6b18b1f1dadf03bf1d89a1391143e4
Opcode Fuzzy Hash: 10f14f0c7123e6ef8f642ac4ecc15a0bb452a985eae7b297139ae2e9af680f9d
Instruction Fuzzy Hash: 00E0DF333DC881ABD6151A38E948A7A26E5EB85625B100529E92AD3D94EE1198065261

Uniqueness

Uniqueness Score: -1.00%

Function 6CB9AA83 Relevance: 51.1, APIs: 28, Strings: 1, Instructions: 323fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB9AA8D
GetModuleFileNameW.KERNEL32(00000000,?,00000104,6CC59B2C,00000000,6CC7FEAC,00000000,6CC7FC0C,00000000,?,?,00000A90,6CB9B041,?,00000000,00000084), ref: 6CB9AB3C
__wsplitpath_s.LIBCMT ref: 6CB9AB68
__wsplitpath_s.LIBCMT ref: 6CB9AB87
__wmakepath_s.LIBCMT ref: 6CB9ABB4
_wcslen.LIBCMT ref: 6CB9ABC0
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,6CC7FC0C,00000000,?,?,00000A90,6CB9B041,?,00000000,00000084), ref: 6CB9ABF8

Strings

, xrefs: 6CB9AF34

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: File__wsplitpath_s$CreateH_prolog3_ModuleName__wmakepath_s_wcslen
String ID:
API String ID: 1221639053-3916222277
Opcode ID: 03baedc81cd1497e6988073e18f1449570c72f3eaa773f3f20f4030110511b0d
Instruction ID: 6447a2cf95e3e56714b2da3779482e02ce0f37db59d48fb3b7a0ef6e1cc5f298
Opcode Fuzzy Hash: 03baedc81cd1497e6988073e18f1449570c72f3eaa773f3f20f4030110511b0d
Instruction Fuzzy Hash: DDD13A71E00268ABDF219F60CC84ADEBB79EF0A318F5041E9F509A2A50DB355E94DF52

Uniqueness

Uniqueness Score: -1.00%

Function 6CB7C526 Relevance: 41.0, APIs: 27, Instructions: 457keyboardCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB7C52D
GetParent.USER32(?), ref: 6CB7C588
GetParent.USER32(?), ref: 6CB7C5A4
UpdateWindow.USER32(?), ref: 6CB7C5EC
SetCursor.USER32(?,00000000), ref: 6CB7C611
GetAsyncKeyState.USER32(00000012), ref: 6CB7C673
UpdateWindow.USER32(?), ref: 6CB7C779
InflateRect.USER32(?,00000002,00000002), ref: 6CB7C7D9
SetCapture.USER32(?), ref: 6CB7C7E2
SetCursor.USER32(00000000), ref: 6CB7C7FA
IsWindow.USER32(?), ref: 6CB7C898
GetCursorPos.USER32(?), ref: 6CB7C8D7
ScreenToClient.USER32(?,?), ref: 6CB7C8E4
PtInRect.USER32(?,?,?), ref: 6CB7C900
RedrawWindow.USER32(?,00000000,00000000,00000505,?,?,?,?,?,?,?,00000000), ref: 6CB7C974
GetParent.USER32(?), ref: 6CB7C98F
GetParent.USER32(?), ref: 6CB7C9A3
RedrawWindow.USER32(?,00000000,00000000,00000505,00000000,?,?,?,?,?,?,?,00000000), ref: 6CB7C9B5
RedrawWindow.USER32(?,00000000,00000000,00000505,?,?,?,?,?,?,?,00000000), ref: 6CB7C9D7
GetParent.USER32(?), ref: 6CB7C9E0
GetParent.USER32(?), ref: 6CB7C9FB
GetParent.USER32(?), ref: 6CB7CA06
InvalidateRect.USER32(?,?,00000001,?,?,?,?,?,?,?,00000000), ref: 6CB7CA3E
RedrawWindow.USER32(?,00000000,00000000,00000505,00000000,?,00000000,?,?,?,?,?,?,00000000), ref: 6CB7CB76

Part of subcall function 6CB79D14: InvalidateRect.USER32(?,?,00000001,?), ref: 6CB79D89
Part of subcall function 6CB79D14: InflateRect.USER32(?,?,?), ref: 6CB79DCF
Part of subcall function 6CB79D14: RedrawWindow.USER32(?,?,00000000,00000401,?,?,00000000,00000000), ref: 6CB79DE2

UpdateWindow.USER32(?), ref: 6CB7CAD6
UpdateWindow.USER32(?), ref: 6CB7CB35
SetCapture.USER32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 6CB7CB40

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$Parent$RectRedraw$Update$Cursor$CaptureInflateInvalidate$AsyncClientH_prolog3_ScreenState
String ID:
API String ID: 991125134-0
Opcode ID: d3c5b4e5fe327a9a2365364bba4062cef36d284fd7ec9e7150153b4b41b968d5
Instruction ID: 193044c83ae1c8c3710ae18b0e405b6c7698d6a4f462f66089d3f2149b4dff4c
Opcode Fuzzy Hash: d3c5b4e5fe327a9a2365364bba4062cef36d284fd7ec9e7150153b4b41b968d5
Instruction Fuzzy Hash: 1C02BD706006949FCF11AFA4C988A9D3BB5FF09355F24427DEC2AAB6A5CB318844DF61

Uniqueness

Uniqueness Score: -1.00%

Function 6CBA0438 Relevance: 40.8, APIs: 27, Instructions: 344COMMON

Download Yara Rule

APIs

Part of subcall function 6CB4FF85: GetWindowLongW.USER32(?,000000EC), ref: 6CB4FF90

GetClientRect.USER32(?,00000000), ref: 6CBA04AA
CopyRect.USER32(?,?), ref: 6CBA04DC

Part of subcall function 6CB50F4E: ScreenToClient.USER32(?,?), ref: 6CB50F5F
Part of subcall function 6CB50F4E: ScreenToClient.USER32(?,?), ref: 6CB50F6C

IntersectRect.USER32(?,?,?), ref: 6CBA052B
SetRectEmpty.USER32(?), ref: 6CBA0539
IntersectRect.USER32(?,?,?), ref: 6CBA056B
SetRectEmpty.USER32(?), ref: 6CBA0579
IsRectEmpty.USER32(?), ref: 6CBA0589
IsRectEmpty.USER32(?), ref: 6CBA0593
GetWindowRect.USER32(?,?), ref: 6CBA05BE
GetWindowRect.USER32(?,?), ref: 6CBA05E1
UnionRect.USER32(?,?,?), ref: 6CBA05FE
EqualRect.USER32(?,?), ref: 6CBA060C
GetWindowRect.USER32(?,?), ref: 6CBA0697
IsRectEmpty.USER32(?), ref: 6CBA0701
MapWindowPoints.USER32(?,?,?,00000002), ref: 6CBA071E
RedrawWindow.USER32(?,?,00000000,00000185), ref: 6CBA0732
IsRectEmpty.USER32(?), ref: 6CBA074C
EqualRect.USER32(?,?), ref: 6CBA075A
MapWindowPoints.USER32(?,?,?,00000002), ref: 6CBA0777
RedrawWindow.USER32(?,?,00000000,00000185), ref: 6CBA078B
UpdateWindow.USER32(?), ref: 6CBA07A0
IsRectEmpty.USER32(?), ref: 6CBA07E4
InvalidateRect.USER32(?,?,00000001), ref: 6CBA07F9
IsRectEmpty.USER32(?), ref: 6CBA07FF
EqualRect.USER32(?,?), ref: 6CBA0811
InvalidateRect.USER32(?,?,00000001), ref: 6CBA0824
UpdateWindow.USER32(?), ref: 6CBA0829

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Window$Empty$ClientEqual$IntersectInvalidatePointsRedrawScreenUpdate$CopyLongUnion
String ID:
API String ID: 4119827998-0
Opcode ID: 957f9d792c7e54382c3a35b4a4f541b84e29d1a5f28f376b115bacee4242d395
Instruction ID: 5904fb318f40249798f7e8cc6dc522bd19a1b44d538fcd44cdea7cfeb08ba547
Opcode Fuzzy Hash: 957f9d792c7e54382c3a35b4a4f541b84e29d1a5f28f376b115bacee4242d395
Instruction Fuzzy Hash: 10D11771A012599FCF10DFA8C984AEEB7B9FF09304F6041AAE90AF7144DB70AA45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6CC396B9 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,6CC32E53,6CC944A8,00000008,6CC32FE7,?,?,?,6CC944C8,0000000C,6CC330A2,?), ref: 6CC396C1
__mtterm.LIBCMT ref: 6CC396CD

Part of subcall function 6CC39398: DecodePointer.KERNEL32(00000006,6CC32F16,6CC32EFC,6CC944A8,00000008,6CC32FE7,?,?,?,6CC944C8,0000000C,6CC330A2,?), ref: 6CC393A9
Part of subcall function 6CC39398: TlsFree.KERNEL32(00000018,6CC32F16,6CC32EFC,6CC944A8,00000008,6CC32FE7,?,?,?,6CC944C8,0000000C,6CC330A2,?), ref: 6CC393C3
Part of subcall function 6CC39398: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,6CC32F16,6CC32EFC,6CC944A8,00000008,6CC32FE7,?,?,?,6CC944C8,0000000C,6CC330A2,?), ref: 6CC405EB
Part of subcall function 6CC39398: _free.LIBCMT ref: 6CC405EE
Part of subcall function 6CC39398: DeleteCriticalSection.KERNEL32(00000018,?,?,6CC32F16,6CC32EFC,6CC944A8,00000008,6CC32FE7,?,?,?,6CC944C8,0000000C,6CC330A2,?), ref: 6CC40615

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6CC396E3
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6CC396F0
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6CC396FD
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6CC3970A
TlsAlloc.KERNEL32(?,?,6CC32E53,6CC944A8,00000008,6CC32FE7,?,?,?,6CC944C8,0000000C,6CC330A2,?), ref: 6CC3975A
TlsSetValue.KERNEL32(00000000,?,?,6CC32E53,6CC944A8,00000008,6CC32FE7,?,?,?,6CC944C8,0000000C,6CC330A2,?), ref: 6CC39775
__init_pointers.LIBCMT ref: 6CC3977F
EncodePointer.KERNEL32(?,?,6CC32E53,6CC944A8,00000008,6CC32FE7,?,?,?,6CC944C8,0000000C,6CC330A2,?), ref: 6CC39790
EncodePointer.KERNEL32(?,?,6CC32E53,6CC944A8,00000008,6CC32FE7,?,?,?,6CC944C8,0000000C,6CC330A2,?), ref: 6CC3979D
EncodePointer.KERNEL32(?,?,6CC32E53,6CC944A8,00000008,6CC32FE7,?,?,?,6CC944C8,0000000C,6CC330A2,?), ref: 6CC397AA
EncodePointer.KERNEL32(?,?,6CC32E53,6CC944A8,00000008,6CC32FE7,?,?,?,6CC944C8,0000000C,6CC330A2,?), ref: 6CC397B7
DecodePointer.KERNEL32(Function_000F951C,?,?,6CC32E53,6CC944A8,00000008,6CC32FE7,?,?,?,6CC944C8,0000000C,6CC330A2,?), ref: 6CC397D8
__calloc_crt.LIBCMT ref: 6CC397ED
DecodePointer.KERNEL32(00000000,?,?,6CC32E53,6CC944A8,00000008,6CC32FE7,?,?,?,6CC944C8,0000000C,6CC330A2,?), ref: 6CC39807
GetCurrentThreadId.KERNEL32 ref: 6CC39819

Strings

FlsGetValue, xrefs: 6CC396E5
FlsFree, xrefs: 6CC396FF
FlsAlloc, xrefs: 6CC396DD
KERNEL32.DLL, xrefs: 6CC396BC
FlsSetValue, xrefs: 6CC396F2

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: ea84abe9cba876079ba7bddb08e55d7b84aed65290e6b5d2b640f3c5d76ac581
Instruction ID: d7764fcc08c13d985e1ebe9e2c7dabd028d2f609af75da99d94e7464a61ebd63
Opcode Fuzzy Hash: ea84abe9cba876079ba7bddb08e55d7b84aed65290e6b5d2b640f3c5d76ac581
Instruction Fuzzy Hash: 49317571A023209ADF10AFB5B80C64D3EF0FB6B775B506A1AE81493690FF348095DF91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB9B4F0 Relevance: 37.8, APIs: 25, Instructions: 260COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB9B4FA
CopyImage.USER32(?,00000000,00000000,00000000,00002000), ref: 6CB9B53D
GetObjectW.GDI32(?,00000018,?), ref: 6CB9B577
DeleteObject.GDI32(?), ref: 6CB9B5F4
CreateCompatibleDC.GDI32(00000000), ref: 6CB9B62E
GetObjectW.GDI32(?,00000018,?), ref: 6CB9B64A

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Object$CompatibleCopyCreateDeleteH_prolog3_Image
String ID:
API String ID: 641560573-0
Opcode ID: b6b39247dd22b8d9c2095a3c05da1cb84fd5b87834f2bebdf16208ad74ddebe6
Instruction ID: cd963eb7e81799df69dbc21e8edfe8fa5562e84077f6142b1de59ed6b59b8ef0
Opcode Fuzzy Hash: b6b39247dd22b8d9c2095a3c05da1cb84fd5b87834f2bebdf16208ad74ddebe6
Instruction Fuzzy Hash: EEC1F2719002A8DBDF219F64CC84BEDBBB5FF0A308F5081E9E559A2660DB705EA4DF50

Uniqueness

Uniqueness Score: -1.00%

Function 6CB9BE7C Relevance: 37.0, APIs: 20, Strings: 1, Instructions: 278windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(?,?,00000000,00000000,00000000,00002000), ref: 6CB9BF65
GetObjectW.GDI32(?,00000018,?), ref: 6CB9BF96
DeleteObject.GDI32(?), ref: 6CB9BFA3
CreateCompatibleDC.GDI32(00000000), ref: 6CB9BFE7
GetObjectW.GDI32(?,00000018,?), ref: 6CB9BFFF
SelectObject.GDI32(?,?), ref: 6CB9C025
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6CB9C043
SelectObject.GDI32(?,?), ref: 6CB9C056
CreateCompatibleDC.GDI32(?), ref: 6CB9C06C
SelectObject.GDI32(?,?), ref: 6CB9C081
SelectObject.GDI32(?,?), ref: 6CB9C090
DeleteObject.GDI32(?), ref: 6CB9C095
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6CB9C0B5
GetPixel.GDI32(?,?,?), ref: 6CB9C0D4
SetPixel.GDI32(?,?,?,00000000), ref: 6CB9C10A
SelectObject.GDI32(?,?), ref: 6CB9C12C
SelectObject.GDI32(?,?), ref: 6CB9C134
DeleteObject.GDI32(?), ref: 6CB9C139
DeleteObject.GDI32(?), ref: 6CB9C1BB
__EH_prolog3.LIBCMT ref: 6CB9BE83

Part of subcall function 6CB503E5: DeleteObject.GDI32(00000000), ref: 6CB503FE

Strings

, xrefs: 6CB9BFAB

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Object$Select$Delete$CompatibleCreate$Pixel$BitmapH_prolog3ImageLoad
String ID:
API String ID: 2657855633-3916222277
Opcode ID: 33b711a415a0e1c4bc8988e48f244ddbada0807d30635ca99bfcaf6acefeaa5a
Instruction ID: 969a8e78b9b21efb54758023523e8fc67adeceecb9e288799236cf75f0ec3370
Opcode Fuzzy Hash: 33b711a415a0e1c4bc8988e48f244ddbada0807d30635ca99bfcaf6acefeaa5a
Instruction Fuzzy Hash: 90B15F71900299EFCF11EFA4CC84AEDBB74FF0A308F50813AE915A6A50DB319A95DF51

Uniqueness

Uniqueness Score: -1.00%

Function 6CB9952A Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB99534
GetObjectW.GDI32(?,00000018,?), ref: 6CB99576
CreateCompatibleDC.GDI32(00000000), ref: 6CB995B2
SelectObject.GDI32(?,?), ref: 6CB995D5
_memset.LIBCMT ref: 6CB99605
GetObjectW.GDI32(?,00000054,?), ref: 6CB99626
CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 6CB99688
CreateCompatibleDC.GDI32(?), ref: 6CB996CD
SelectObject.GDI32(?,?), ref: 6CB996EB

Strings

(, xrefs: 6CB99681

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Object$Create$CompatibleSelect$H_prolog3_Section_memset
String ID: (
API String ID: 1904682052-3887548279
Opcode ID: 01b7864dc2037e0c3159131042d27ac02448680dc12be8a98f9577eabd627042
Instruction ID: a94bf5ae6aaf157a23313232d4f76eb84f95111283a524b9f67a58ae0bb02439
Opcode Fuzzy Hash: 01b7864dc2037e0c3159131042d27ac02448680dc12be8a98f9577eabd627042
Instruction Fuzzy Hash: 7AB13870900654DFDB61CF64CC84FDABBB5FF4A304F1081AAE84EA6651EB309A94DF21

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4BE06 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB4FF6B: GetWindowLongW.USER32(?,000000F0), ref: 6CB4FF76

GetParent.USER32(?), ref: 6CB4BE40
SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 6CB4BE61
GetWindowRect.USER32(?,?), ref: 6CB4BE80
GetWindowLongW.USER32(00000000,000000F0), ref: 6CB4BEB2
MonitorFromWindow.USER32(00000000,00000001), ref: 6CB4BEE6
GetMonitorInfoW.USER32(00000000), ref: 6CB4BEED
CopyRect.USER32(?,?), ref: 6CB4BF01
CopyRect.USER32(?,?), ref: 6CB4BF0B
GetWindowRect.USER32(00000000,?), ref: 6CB4BF14
MonitorFromWindow.USER32(00000000,00000002), ref: 6CB4BF21
GetMonitorInfoW.USER32(00000000), ref: 6CB4BF28
CopyRect.USER32(?,?), ref: 6CB4BF36

Strings

(, xrefs: 6CB4BEC8

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$Rect$Monitor$Copy$FromInfoLong$MessageParentSend
String ID: (
API String ID: 783970248-3887548279
Opcode ID: d8ffb1490bc15bffbc914a04439227995000686fef1989e883282cae647cdf6c
Instruction ID: 02dc7bcb8f2054235f4251dd910e4d6f8afad58e1c665048c7bd95e33d97f579
Opcode Fuzzy Hash: d8ffb1490bc15bffbc914a04439227995000686fef1989e883282cae647cdf6c
Instruction Fuzzy Hash: 7C614A71A14629AFCF00CFA8CD889DEBBB9FF48714F548516E615F3644C730A941DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CB58C57 Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 315windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB452C6: __CxxThrowException@8.LIBCMT ref: 6CB452DC
Part of subcall function 6CB452C6: __EH_prolog3.LIBCMT ref: 6CB452E9

SendMessageW.USER32(?,00001032,00000000,00000000), ref: 6CB58CBC
SendMessageW.USER32(?,0000100C,00000000,00000002), ref: 6CB58CEF
ClientToScreen.USER32(?,?), ref: 6CB58D29
ScreenToClient.USER32(?,?), ref: 6CB58D41
SendMessageW.USER32(?,00001012,00000000,?), ref: 6CB58D5B
_memset.LIBCMT ref: 6CB58D97
SendMessageW.USER32(?,0000104B,00000000,00000004), ref: 6CB58DC9
SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 6CB58DFB
SendMessageW.USER32(?,0000104B,00000000,00000004), ref: 6CB58E18
CreatePopupMenu.USER32 ref: 6CB58EA7
TrackPopupMenu.USER32(?,00000102,?,?,00000000,?,00000000), ref: 6CB58EEC
GetMenuDefaultItem.USER32(?,00000000,00000000), ref: 6CB58F08
GetParent.USER32(?), ref: 6CB58F58
GetParent.USER32(?), ref: 6CB58F95
GetParent.USER32(?), ref: 6CB58FA8
SendMessageW.USER32(?,?,00000000,00000000), ref: 6CB58FC1

Strings

$, xrefs: 6CB58F4E

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSend$MenuParent$ClientPopupScreen$CreateDefaultException@8H_prolog3ItemThrowTrack_memset
String ID: $
API String ID: 3041658061-3993045852
Opcode ID: b98ef5217db2d692405ff7d2cdeb098b51de67504f0440f37a953427fdd9f724
Instruction ID: 031591b0acfffc3af3c92f7c490738fe31a8f69638002acf507b2c0bbb2ad819
Opcode Fuzzy Hash: b98ef5217db2d692405ff7d2cdeb098b51de67504f0440f37a953427fdd9f724
Instruction Fuzzy Hash: 1BC124B1A10249AFDF10DFA8D884DAEBBBAFF48304F50896AF515E7650D7329951CF20

Uniqueness

Uniqueness Score: -1.00%

Function 6CB970CA Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 263windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB970D4
CreateCompatibleDC.GDI32(00000000), ref: 6CB97109
GetObjectW.GDI32(?,00000018,?), ref: 6CB9712A
SelectObject.GDI32(?,?), ref: 6CB9717C
CreateCompatibleDC.GDI32(?), ref: 6CB971A9
CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 6CB97211
SelectObject.GDI32(?,?), ref: 6CB9722D
SelectObject.GDI32(?,00000000), ref: 6CB9724A
SelectObject.GDI32(?,?), ref: 6CB97262
DeleteObject.GDI32(?), ref: 6CB9726A
BitBlt.GDI32(?,00000000,00000000,?,000000FF,?,00000000,00000000,00CC0020), ref: 6CB97293
GetObjectW.GDI32(?,00000054,?), ref: 6CB972C9
SelectObject.GDI32(?,?), ref: 6CB974BE
SelectObject.GDI32(?,?), ref: 6CB974CC
DeleteObject.GDI32(?), ref: 6CB974D4

Strings

(, xrefs: 6CB971EE
, xrefs: 6CB972D7

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Object$Select$Create$CompatibleDelete$H_prolog3_Section
String ID: $(
API String ID: 339215182-55695022
Opcode ID: 462b2570206e4d800c14bfb5cf747d5eba71de3872b45eea50851bf040215e42
Instruction ID: f318b114633f7d7ea036cb555e493ef598a7277a653f887646534d4fd26dad5d
Opcode Fuzzy Hash: 462b2570206e4d800c14bfb5cf747d5eba71de3872b45eea50851bf040215e42
Instruction Fuzzy Hash: 7CC14970900268DBDB25DF64CD44BEDBBB5EF4A304F0081EAE58DB6251CB708A98CF61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB93CA2 Relevance: 28.9, APIs: 19, Instructions: 446windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB93CAC
IsWindow.USER32(?), ref: 6CB93D4E
GetMenuItemCount.USER32(00000001), ref: 6CB93EAC
AppendMenuW.USER32(00000001,00000800,00000000,00000000), ref: 6CB93EC2
AppendMenuW.USER32(00000001,00000000,00000000,00000000), ref: 6CB93EDD
SendMessageW.USER32(?,0000040C,00000000,00000000), ref: 6CB93F53
SendMessageW.USER32(?,0000041C,00000000,?), ref: 6CB93F90
GetMenuItemCount.USER32(00000001), ref: 6CB93FE6
AppendMenuW.USER32(00000001,00000800,00000000,00000000), ref: 6CB93FFC
AppendMenuW.USER32(00000001,00000000,00000000,?), ref: 6CB9401D
GetMenuItemCount.USER32(00000001), ref: 6CB94084
AppendMenuW.USER32(00000001,00000800,00000000,00000000), ref: 6CB9409A
AppendMenuW.USER32(00000001,00000000,00000000,?), ref: 6CB940BB
AppendMenuW.USER32(00000002,00000000,00000000,?), ref: 6CB941A3
GetWindow.USER32(?,00000005), ref: 6CB941D4
AppendMenuW.USER32(00000003,00000000,00000000,?), ref: 6CB9425A
GetMenuItemCount.USER32(00000000), ref: 6CB9429F
AppendMenuW.USER32(00000000,00000800,00000000,00000000), ref: 6CB942B5
AppendMenuW.USER32(00000000,00000000,00000000,?), ref: 6CB942CA

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Menu$Append$CountItem$MessageSendWindow$H_prolog3_
String ID:
API String ID: 2495817426-0
Opcode ID: 749b720b22b5d3dbc03d646088823659c9abe3e34d03ff98ac123ad7289444f9
Instruction ID: 0256bb60bba05bfacff35c6d904b1e84fbc2242ed661ce6ba161d64c48cb0023
Opcode Fuzzy Hash: 749b720b22b5d3dbc03d646088823659c9abe3e34d03ff98ac123ad7289444f9
Instruction Fuzzy Hash: 81028F30A042999FEF149FA4CC94B9DBBB5FF06308F1081B9E519A7A91DF309958DF11

Uniqueness

Uniqueness Score: -1.00%

Function 6CBBF498 Relevance: 28.6, APIs: 19, Instructions: 147windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6CBBF4AE
GetSystemMenu.USER32(?,00000000,?,00000000,?,?,?,6CBBFB6E,?), ref: 6CBBF4CD
SetMenuDefaultItem.USER32(?,0000F060,00000000,00000000,?,?,?,6CBBFB6E,?), ref: 6CBBF4F6
GetParent.USER32(?), ref: 6CBBF4FF
IsZoomed.USER32(?), ref: 6CBBF50A
EnableMenuItem.USER32(?,0000F000,00000003), ref: 6CBBF524
EnableMenuItem.USER32(?,0000F010,00000003), ref: 6CBBF530
EnableMenuItem.USER32(?,0000F030,00000003), ref: 6CBBF53C

Part of subcall function 6CB4DDFE: GetParent.USER32(?), ref: 6CB4DE08

EnableMenuItem.USER32(?,0000F120,00000003), ref: 6CBBF54F
EnableMenuItem.USER32(?,0000F000,00000000), ref: 6CBBF55B
EnableMenuItem.USER32(?,0000F010,00000000), ref: 6CBBF567
EnableMenuItem.USER32(?,0000F030,00000000), ref: 6CBBF573
GetParent.USER32(?), ref: 6CBBF57B
DeleteMenu.USER32(?,0000F120,00000000,00000000,?,?,?,6CBBFB6E,?), ref: 6CBBF5A1
DeleteMenu.USER32(?,0000F030,00000000,?,?,?,6CBBFB6E,?), ref: 6CBBF5AD
GetParent.USER32(?), ref: 6CBBF5B5
DeleteMenu.USER32(?,0000F020,00000000,00000000,?,?,?,6CBBFB6E,?), ref: 6CBBF5D5
GetParent.USER32(?), ref: 6CBBF5E7
TrackPopupMenu.USER32(?,00000004,6CBBFB6E,6AFFFFFF,00000000,?,00000000), ref: 6CBBF632

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Menu$Item$Enable$Parent$Delete$DefaultPopupSystemTrackZoomed
String ID:
API String ID: 4239930045-0
Opcode ID: de5ebbc1b87fc70f25d9e1711a964f4c9332e749a7022d864a70693e30790dba
Instruction ID: cbd98ec3de6f6187fc766956927f29ae68d37b8cc26c8875b328f260fc79240f
Opcode Fuzzy Hash: de5ebbc1b87fc70f25d9e1711a964f4c9332e749a7022d864a70693e30790dba
Instruction Fuzzy Hash: F2418E35240245BFEB21ABA5CD06F6E7BB9EF85B04F104464F605AB9B0CBB0ED11EB14

Uniqueness

Uniqueness Score: -1.00%

Function 6CB96DEA Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 237windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB96DF4
CreateCompatibleDC.GDI32(00000000), ref: 6CB96E5B
GetObjectW.GDI32(?,00000018,000000FF), ref: 6CB96E79
SelectObject.GDI32(?,?), ref: 6CB96EB7
CreateCompatibleDC.GDI32(?), ref: 6CB96ED5
CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 6CB96F2B
SelectObject.GDI32(?,?), ref: 6CB96F40
SelectObject.GDI32(?,00000000), ref: 6CB96F56
SelectObject.GDI32(?,?), ref: 6CB96F65
DeleteObject.GDI32(?), ref: 6CB96F6C
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6CB96FBE
GetPixel.GDI32(?,?,00000000), ref: 6CB97086
SetPixel.GDI32(?,?,00000000,?), ref: 6CB9709B
SelectObject.GDI32(?,?), ref: 6CB970B8
SelectObject.GDI32(?,?), ref: 6CB970C0

Strings

(, xrefs: 6CB96F0B

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Object$Select$Create$CompatiblePixel$DeleteH_prolog3_Section
String ID: (
API String ID: 1942225872-3887548279
Opcode ID: bb48cb95bf8808d9d2848c8f8dc547a6d60cb6c560663ea8788dd66bb172805a
Instruction ID: fa67b5d5488e95e5b261cf87a227aa58dca8210dc4b09d7329e54cf2b38aa48a
Opcode Fuzzy Hash: bb48cb95bf8808d9d2848c8f8dc547a6d60cb6c560663ea8788dd66bb172805a
Instruction Fuzzy Hash: EFA12470D00298DFCF11DFA4C984ADDBBB5FF0A308F60822AE416A7650DB305A9ADF51

Uniqueness

Uniqueness Score: -1.00%

Function 6CB56679 Relevance: 28.1, APIs: 7, Strings: 9, Instructions: 72libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB4B536: ActivateActCtx.KERNEL32(?,?,6CC89010,00000010,6CB4DF4A,hhctrl.ocx,6CB4D17C,0000000C), ref: 6CB4B556

GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 6CB566A3
GetProcAddress.KERNEL32(74580000,DrawThemeTextEx), ref: 6CB566B6
GetProcAddress.KERNEL32(74580000,BeginBufferedPaint), ref: 6CB566C9
GetProcAddress.KERNEL32(74580000,EndBufferedPaint), ref: 6CB566DC
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea), ref: 6CB56726
GetProcAddress.KERNEL32(73AE0000,DwmDefWindowProc), ref: 6CB56739
GetProcAddress.KERNEL32(73AE0000,DwmIsCompositionEnabled), ref: 6CB5674C

Strings

EndBufferedPaint, xrefs: 6CB566CB
DwmIsCompositionEnabled, xrefs: 6CB5673B
BeginBufferedPaint, xrefs: 6CB566B8
dwmapi.dll, xrefs: 6CB56706
DrawThemeTextEx, xrefs: 6CB566A5
DrawThemeParentBackground, xrefs: 6CB5669D
UxTheme.dll, xrefs: 6CB5667E
DwmDefWindowProc, xrefs: 6CB56728
DwmExtendFrameIntoClientArea, xrefs: 6CB56720

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AddressProc$Activate
String ID: BeginBufferedPaint$DrawThemeParentBackground$DrawThemeTextEx$DwmDefWindowProc$DwmExtendFrameIntoClientArea$DwmIsCompositionEnabled$EndBufferedPaint$UxTheme.dll$dwmapi.dll
API String ID: 2388279185-3875329446
Opcode ID: b0b4b8c4d32495dc42bfde347e36c8a983bb38044c74cc029fd2bc3684d42eca
Instruction ID: 4f3e634bca458f2e779a2c03513e4c04a1014bae06552bd0ffa92d52ed5262d9
Opcode Fuzzy Hash: b0b4b8c4d32495dc42bfde347e36c8a983bb38044c74cc029fd2bc3684d42eca
Instruction Fuzzy Hash: 34214FB1901B829BC7216FB588889DBFAE4EF54308F914C7EE5BA93610DB746461CA44

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5C45F Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 230windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB5C466
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 6CB5C4B1
ClientToScreen.USER32(?,?), ref: 6CB5C4E6
_memset.LIBCMT ref: 6CB5C526
SendMessageW.USER32 ref: 6CB5C545
SHGetDesktopFolder.SHELL32(?), ref: 6CB5C56D
GetParent.USER32(?), ref: 6CB5C595
CreatePopupMenu.USER32 ref: 6CB5C5D7

Strings

$, xrefs: 6CB5C67F

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSend$ClientCreateDesktopFolderH_prolog3_MenuParentPopupScreen_memset
String ID: $
API String ID: 937397865-3993045852
Opcode ID: adb44ae8b6b7392bd24148c07291cbea5ecc321e2a1d0233a8713eaa8b7a9112
Instruction ID: 95132068f8468761353f775a4b00ef28763117674f2073b3c4959e646d6de610
Opcode Fuzzy Hash: adb44ae8b6b7392bd24148c07291cbea5ecc321e2a1d0233a8713eaa8b7a9112
Instruction Fuzzy Hash: 259136B0A01258AFCB01EFA4C8889DDBBBAFF0D714F608119F115E7A90D7719950DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB854A7 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB4B536: ActivateActCtx.KERNEL32(?,?,6CC89010,00000010,6CB4DF4A,hhctrl.ocx,6CB4D17C,0000000C), ref: 6CB4B556

GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 6CB85509
GetProcAddress.KERNEL32(?,CloseThemeData), ref: 6CB85516
GetProcAddress.KERNEL32(?,DrawThemeBackground), ref: 6CB85523
GetProcAddress.KERNEL32(?,GetThemeColor), ref: 6CB85530
GetProcAddress.KERNEL32(?,GetThemeSysColor), ref: 6CB8553D
GetProcAddress.KERNEL32(?,GetCurrentThemeName), ref: 6CB8554A
GetProcAddress.KERNEL32(?,GetWindowTheme), ref: 6CB85557

Strings

CloseThemeData, xrefs: 6CB8550B
GetCurrentThemeName, xrefs: 6CB8553F
GetThemeSysColor, xrefs: 6CB85532
GetThemeColor, xrefs: 6CB85525
DrawThemeBackground, xrefs: 6CB85518
GetWindowTheme, xrefs: 6CB8554C
UxTheme.dll, xrefs: 6CB854AF
OpenThemeData, xrefs: 6CB85503

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AddressProc$Activate
String ID: CloseThemeData$DrawThemeBackground$GetCurrentThemeName$GetThemeColor$GetThemeSysColor$GetWindowTheme$OpenThemeData$UxTheme.dll
API String ID: 2388279185-1975976892
Opcode ID: 2078977d87cf2322cea2658ade2daffa879e16d0e98a6675a522b6f2cf0378cc
Instruction ID: c9354071065279065a14502591137db49c1be19b3c2f5b876696fa43a8c5f390
Opcode Fuzzy Hash: 2078977d87cf2322cea2658ade2daffa879e16d0e98a6675a522b6f2cf0378cc
Instruction Fuzzy Hash: BF3144B0811B90AFC7309F6B8A8484AFBF9FFA46053118D1FE58692E20E7B5E444DF44

Uniqueness

Uniqueness Score: -1.00%

Function 6CC050EB Relevance: 24.4, APIs: 16, Instructions: 368COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CC050F2
GetCursorPos.USER32(?), ref: 6CC051A4
IsRectEmpty.USER32(00000000), ref: 6CC051D8
IsRectEmpty.USER32(?), ref: 6CC051FE
IsRectEmpty.USER32(00000000), ref: 6CC0521A
GetWindowRect.USER32(?,00000000), ref: 6CC05240
SetRectEmpty.USER32(?), ref: 6CC052F7

Part of subcall function 6CB44632: _malloc.LIBCMT ref: 6CB44650

GetWindowRect.USER32(?,00000000), ref: 6CC05274
PtInRect.USER32(00000000,?,00000000), ref: 6CC052B4
OffsetRect.USER32(00000000,?,00000000), ref: 6CC052CC

Part of subcall function 6CBCA68D: __EH_prolog3.LIBCMT ref: 6CBCA694
Part of subcall function 6CBCA68D: SetRectEmpty.USER32(?), ref: 6CBCA79B
Part of subcall function 6CBCA68D: SetRectEmpty.USER32(?), ref: 6CBCA7A4

OffsetRect.USER32(00000000,?,?), ref: 6CC05456
IsRectEmpty.USER32(?), ref: 6CC0547B
IsRectEmpty.USER32(?), ref: 6CC054A0
PtInRect.USER32(00000000,?,?), ref: 6CC054B0
OffsetRect.USER32(00000000,?,?), ref: 6CC054D9
IsRectEmpty.USER32(?), ref: 6CC054F0

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Empty$Offset$Window$CursorH_prolog3H_prolog3__malloc
String ID:
API String ID: 1330315114-0
Opcode ID: db4368f67854f31d3646eb2157c98ce8bef93081abea59369c14b53c0fc51423
Instruction ID: 2485052787c740b44e98f133eec49b4c2d2b327c934e78ae1cf8e6882c8cef68
Opcode Fuzzy Hash: db4368f67854f31d3646eb2157c98ce8bef93081abea59369c14b53c0fc51423
Instruction Fuzzy Hash: A5E18D31A01614DFCF05CFA8C884A9EBBB9FF09704F248169E905EB649EB32D945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 6CB54881 Relevance: 24.2, APIs: 16, Instructions: 245windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB54888
CreateRectRgnIndirect.GDI32(?), ref: 6CB548C5
CopyRect.USER32(?,?), ref: 6CB548DB
InflateRect.USER32(?,?,?), ref: 6CB548F1
IntersectRect.USER32(?,?,?), ref: 6CB548FF
CreateRectRgnIndirect.GDI32(?), ref: 6CB54909
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6CB5491E

Part of subcall function 6CB546A9: CombineRgn.GDI32(?,?,?,?), ref: 6CB546CE

CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6CB54986
SetRectRgn.GDI32(?,0000000A,?,?,?), ref: 6CB549A3
CopyRect.USER32(?,0000000A), ref: 6CB549AE
InflateRect.USER32(?,?,?), ref: 6CB549C4
IntersectRect.USER32(?,?,0000000A), ref: 6CB549D0
SetRectRgn.GDI32(?,?,?,?,0000000A), ref: 6CB549E5
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6CB54A11

Part of subcall function 6CB546D8: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 6CB54721
Part of subcall function 6CB546D8: CreatePatternBrush.GDI32(00000000), ref: 6CB5472E
Part of subcall function 6CB546D8: DeleteObject.GDI32(00000000), ref: 6CB5473A

Part of subcall function 6CB51500: SelectObject.GDI32(?,00000000), ref: 6CB51526
Part of subcall function 6CB51500: SelectObject.GDI32(?,?), ref: 6CB5153C

PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 6CB54A82
PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 6CB54AD7

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Create$Object$CopyIndirectInflateIntersectSelect$BitmapBrushCombineDeleteH_prolog3_Pattern
String ID:
API String ID: 3107162742-0
Opcode ID: 73e046e1d9c011fdcff1c5f0d6bc88acb0bc48b5e186df9e791fee9c59857556
Instruction ID: 1134d63e06865958247229e87d694ad8cbfaad617a87e87c932de025f790cfb0
Opcode Fuzzy Hash: 73e046e1d9c011fdcff1c5f0d6bc88acb0bc48b5e186df9e791fee9c59857556
Instruction Fuzzy Hash: E4A103B1A00149AFCF06DFE4C994DEEBBB9BF48304F588159F506B6640DB349A69DF20

Uniqueness

Uniqueness Score: -1.00%

Function 6CBBC2B5 Relevance: 24.2, APIs: 16, Instructions: 182windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000201,00000201,00000001), ref: 6CBBC34E
SendMessageW.USER32(00000000,00000084,00000000,?), ref: 6CBBC36B
ReleaseCapture.USER32 ref: 6CBBC3A6
GetMessageW.USER32(?,00000000,000000A1,000000A1), ref: 6CBBC3B5
PeekMessageW.USER32(?,00000000,?,?,00000001), ref: 6CBBC3C9
DispatchMessageW.USER32(?), ref: 6CBBC3D0
DispatchMessageW.USER32(?), ref: 6CBBC47B
GetCursorPos.USER32(?), ref: 6CBBC485
PeekMessageW.USER32(?,00000000,?,?,00000001), ref: 6CBBC4A6

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Message$Peek$Dispatch$CaptureCursorReleaseSend
String ID:
API String ID: 597789953-0
Opcode ID: e22c1e1b560f87080046c38253d705216f215b0ae3fd6ea92094b83d13b38a0a
Instruction ID: 54613002d7d954019f655f84b6d5f926d9bb29c96b5f1fe160fcd1cc9f3f80f8
Opcode Fuzzy Hash: e22c1e1b560f87080046c38253d705216f215b0ae3fd6ea92094b83d13b38a0a
Instruction Fuzzy Hash: EF51AF70601680BFEB21EA65CC88EBF7ABCEF46745F904419F552F6980CB749A81C722

Uniqueness

Uniqueness Score: -1.00%

Function 6CB96C03 Relevance: 24.2, APIs: 16, Instructions: 157windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB96C0A
CreateCompatibleDC.GDI32(00000000), ref: 6CB96C40
GetObjectW.GDI32(?,00000018,?), ref: 6CB96C57
SelectObject.GDI32(?,?), ref: 6CB96C83
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6CB96CA5
SelectObject.GDI32(?,00000000), ref: 6CB96CB8
CreateCompatibleDC.GDI32(?), ref: 6CB96CCB
SelectObject.GDI32(?,?), ref: 6CB96CDC
SelectObject.GDI32(?,00000000), ref: 6CB96CED
DeleteObject.GDI32(?), ref: 6CB96CF2
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6CB96D1E
GetPixel.GDI32(?,?,?), ref: 6CB96D3D
SetPixel.GDI32(?,?,?,00000000), ref: 6CB96D84
SelectObject.GDI32(?,?), ref: 6CB96DA8
SelectObject.GDI32(?,00000000), ref: 6CB96DB0
DeleteObject.GDI32(?), ref: 6CB96DB8

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$DeletePixel$BitmapH_prolog3
String ID:
API String ID: 3639146769-0
Opcode ID: 59e01599a777fddf29633134707fa2a59fef3ba1870bb1e582854cb020a1efc4
Instruction ID: e7a3dff917a80a860a6d5fb991c3e5978b163cf21239235b55b82b79e4c14592
Opcode Fuzzy Hash: 59e01599a777fddf29633134707fa2a59fef3ba1870bb1e582854cb020a1efc4
Instruction Fuzzy Hash: DB514730800199EBCF42DFA4CD45AEEBF71FF4A314F648125E425B25A0DB314A66EFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB410F0 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 284synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB42470: GetModuleHandleW.KERNEL32(UniversalInstaller.exe,C43828F3,install,00000000,00000000), ref: 6CB424B3
Part of subcall function 6CB42470: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 6CB424C6

Part of subcall function 6CB41C00: std::_Xinvalid_argument.LIBCPMT ref: 6CB41C18
Part of subcall function 6CB41C00: std::_Xinvalid_argument.LIBCPMT ref: 6CB41C36
Part of subcall function 6CB41C00: _memmove.LIBCMT ref: 6CB41C7A

_memmove.LIBCMT ref: 6CB4126E

Part of subcall function 6CB43140: _memset.LIBCMT ref: 6CB43191
Part of subcall function 6CB43140: ShellExecuteExW.SHELL32(0000003C), ref: 6CB4320A

GetProcessId.KERNEL32(?,?,00000010,0000000A,?), ref: 6CB41302
__ultoa_s.LIBCMT ref: 6CB41309

Part of subcall function 6CC32E10: _xtow_s@20.LIBCMT ref: 6CC32E23

WaitForSingleObject.KERNEL32(?,000000FF,?), ref: 6CB41338
GetExitCodeProcess.KERNEL32(?,?), ref: 6CB41349
CloseHandle.KERNEL32(?), ref: 6CB41361

Strings

Canon.IC.UniversalInstaller.v2.Relay, xrefs: 6CB411CA
invalid string position, xrefs: 6CB413AF
--windowname, xrefs: 6CB4119E
install, xrefs: 6CB41110
Install\install.exe, xrefs: 6CB4117A

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: HandleModuleProcessXinvalid_argument_memmovestd::_$CloseCodeExecuteExitFileNameObjectShellSingleWait__ultoa_s_memset_xtow_s@20
String ID: --windowname$Canon.IC.UniversalInstaller.v2.Relay$Install\install.exe$install$invalid string position
API String ID: 3960633454-3677554512
Opcode ID: c7ee1906546e5bbdaf8003c7058a336bb23fd6249faec0d0b700d1b7704eaa8b
Instruction ID: 16c78acf2e38f35f732caed87c7951543e23e834e3456dfa027ea65011f8a98e
Opcode Fuzzy Hash: c7ee1906546e5bbdaf8003c7058a336bb23fd6249faec0d0b700d1b7704eaa8b
Instruction Fuzzy Hash: C3B18D71D042489BCB14CFA8D884ADEBBB5FF44348F14C62DE416ABB84EB30A569DF51

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6CC6B Relevance: 22.7, APIs: 15, Instructions: 199windowCOMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32(?), ref: 6CB6CCD5
GetDlgItem.USER32(?,?), ref: 6CB6CD5F
ShowWindow.USER32(00000000,00000000), ref: 6CB6CD6A
GetMenu.USER32(?), ref: 6CB6CD7C
InvalidateRect.USER32(?,00000000,00000001), ref: 6CB6CD97

Part of subcall function 6CB452C6: __CxxThrowException@8.LIBCMT ref: 6CB452DC
Part of subcall function 6CB452C6: __EH_prolog3.LIBCMT ref: 6CB452E9

GetDlgItem.USER32(?,0000E900), ref: 6CB6CDD4
SetWindowLongW.USER32(00000000,000000F4,0000EA21), ref: 6CB6CDF1
GetDlgItem.USER32(0000EA21,0000EA21), ref: 6CB6CE0A
GetDlgItem.USER32(0000E900,0000E900), ref: 6CB6CE20
SetWindowLongW.USER32(00000000,000000F4,0000EA21), ref: 6CB6CE32
SetWindowLongW.USER32(?,000000F4,0000E900), ref: 6CB6CE3E
InvalidateRect.USER32(00000001,00000000,00000001), ref: 6CB6CE51
SetMenu.USER32(00000000,00000000), ref: 6CB6CE68
GetDlgItem.USER32(?,00000000), ref: 6CB6CEAF
ShowWindow.USER32(?,00000005), ref: 6CB6CEBD

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ItemWindow$Long$InvalidateMenuRectShow$CtrlException@8H_prolog3Throw
String ID:
API String ID: 3935238147-0
Opcode ID: 95d9a63d925c5e227405ec9fdcd80538e5f7c54205aa2987a5323450ac5d511a
Instruction ID: aa17de0ed53ef613034cd1f019acbb0abf8580bd6c59b4414c0d43f3c7f22afd
Opcode Fuzzy Hash: 95d9a63d925c5e227405ec9fdcd80538e5f7c54205aa2987a5323450ac5d511a
Instruction Fuzzy Hash: 68816F30601650EFCF11AF69C888B9A7BF1FF45304F208969F45A9BAA0DB31E890DF51

Uniqueness

Uniqueness Score: -1.00%

Function 6CB675A3 Relevance: 22.7, APIs: 15, Instructions: 161windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB675AA
GetIconInfo.USER32(?,?), ref: 6CB6765B
GetObjectW.GDI32(?,00000018,?), ref: 6CB6766A
CreateCompatibleDC.GDI32(00000000), ref: 6CB67696
CopyImage.USER32(?,00000000,00000000,00000000,00002000), ref: 6CB676B0
SelectObject.GDI32(?,00000000), ref: 6CB676C1
FillRect.USER32(?,?), ref: 6CB676EE
DrawIconEx.USER32(?,00000000,00000000,?,?,?,00000000,00000000,00000003), ref: 6CB6770C
SelectObject.GDI32(?,00000000), ref: 6CB6771A
DeleteObject.GDI32(?), ref: 6CB67723
DeleteObject.GDI32(?), ref: 6CB6773B
DeleteObject.GDI32(?), ref: 6CB67744
DestroyCursor.USER32(?), ref: 6CB67796
DestroyCursor.USER32(?), ref: 6CB677A0
DestroyCursor.USER32(?), ref: 6CB677AA

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Object$CursorDeleteDestroy$IconSelect$CompatibleCopyCreateDrawFillH_prolog3_ImageInfoRect
String ID:
API String ID: 233185908-0
Opcode ID: 062a3a066f85af6c76a59d8f53732a3ce5e71e58dff558e970d785a2bc588ea9
Instruction ID: ecba915ce16272defad304499fd9a8fefe8d4bc1ed7dc470fb28630273e48d90
Opcode Fuzzy Hash: 062a3a066f85af6c76a59d8f53732a3ce5e71e58dff558e970d785a2bc588ea9
Instruction Fuzzy Hash: CB613870D01648EFCF12DFA5C8849DEBBB5FF49310F60852AE415B2A20D7729951DF60

Uniqueness

Uniqueness Score: -1.00%

Function 6CB54308 Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 185COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB5430F

Part of subcall function 6CB44632: _malloc.LIBCMT ref: 6CB44650

Part of subcall function 6CB67244: __EH_prolog3.LIBCMT ref: 6CB6724B

Strings

MFCColorButton, xrefs: 6CB54364
MFCMaskedEdit, xrefs: 6CB54440
MFCFontComboBox, xrefs: 6CB543D2
MFCButton, xrefs: 6CB5432A
MFCShellList, xrefs: 6CB544E5
MFCShellTree, xrefs: 6CB54515
MFCMenuButton, xrefs: 6CB54477
MFCEditBrowse, xrefs: 6CB5439B
MFCLink, xrefs: 6CB54409
MFCPropertyGrid, xrefs: 6CB544AE
MFCVSListBox, xrefs: 6CB54545

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: H_prolog3$_malloc
String ID: MFCButton$MFCColorButton$MFCEditBrowse$MFCFontComboBox$MFCLink$MFCMaskedEdit$MFCMenuButton$MFCPropertyGrid$MFCShellList$MFCShellTree$MFCVSListBox
API String ID: 1683881009-2110171958
Opcode ID: c26f8559f3cd67ecad9f3c403654a7804d6d506ff6bb0e2be0d354a285f2b086
Instruction ID: 16417d8c14d32a23f4a47378ddbabfead89a3119fa55c0056d576b33eeebfeab
Opcode Fuzzy Hash: c26f8559f3cd67ecad9f3c403654a7804d6d506ff6bb0e2be0d354a285f2b086
Instruction Fuzzy Hash: D151B620A492C4A5DF05DF78E8107EC6AE05F0434CF90806DE55A96F88EBB09A788E97

Uniqueness

Uniqueness Score: -1.00%

Function 6CB43140 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 180processCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB433C0: _memset.LIBCMT ref: 6CB433F4

_memset.LIBCMT ref: 6CB43191
ShellExecuteExW.SHELL32(0000003C), ref: 6CB4320A
GetLastError.KERNEL32(?,?,?,?,00000000,00000000), ref: 6CB43225
_memset.LIBCMT ref: 6CB432AE
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,00000001), ref: 6CB43300

Strings

D, xrefs: 6CB432BC
Elevate Launch %s, xrefs: 6CB431F1
ShellExecuteEx ErrorCode=%d, xrefs: 6CB4322C
<, xrefs: 6CB4319C
CreateProcess ErrorCode=%d, xrefs: 6CB4331F
Launch %s, xrefs: 6CB432D4

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: _memset$CreateErrorExecuteLastProcessShell
String ID: <$CreateProcess ErrorCode=%d$D$Elevate Launch %s$Launch %s$ShellExecuteEx ErrorCode=%d
API String ID: 3251077001-348882183
Opcode ID: dbd720b00d37b13d9af74f16381f16912e0a3a4abc47b04c083789713a443e7c
Instruction ID: ffc764d0585d0af50d7be3416c8f3728de04db47525163ca77f8810ff56fa101
Opcode Fuzzy Hash: dbd720b00d37b13d9af74f16381f16912e0a3a4abc47b04c083789713a443e7c
Instruction Fuzzy Hash: 9051D4B1A48344EFDB24CFA8CC45BAEBBB8FB45304F14895DE505AB781D7319504CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB975C1 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB975CB
GetObjectW.GDI32(00000000,00000018,?), ref: 6CB975FD
GetObjectW.GDI32(?,00000054,?), ref: 6CB97635
CreateCompatibleDC.GDI32(00000000), ref: 6CB976CB
SelectObject.GDI32(?,?), ref: 6CB976EA
GetPixel.GDI32(?,?,00000000), ref: 6CB97777
GetPixel.GDI32(?,?,00000000), ref: 6CB97789
SetPixel.GDI32(?,?,00000000,00000000), ref: 6CB97798
SetPixel.GDI32(?,?,00000000,?), ref: 6CB977AA
SelectObject.GDI32(?,?), ref: 6CB977E1

Strings

, xrefs: 6CB97613
, xrefs: 6CB9763B

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ObjectPixel$Select$CompatibleCreateH_prolog3_
String ID: $
API String ID: 1266819874-227171996
Opcode ID: 51da36920febc980b885981339e519ebb22a39e18d16f04356a98bc5820829bb
Instruction ID: 993ed5ea6a5f3ebed11fc41e51db93120c3a648023841e2bb0dce4547832e617
Opcode Fuzzy Hash: 51da36920febc980b885981339e519ebb22a39e18d16f04356a98bc5820829bb
Instruction Fuzzy Hash: 77711270E00258CBDF20CFA9CC84A9DBBB5FF5A318F2081A9E508B7611EB719985DF40

Uniqueness

Uniqueness Score: -1.00%

Function 6CBACE56 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CBACE5D
GetObjectW.GDI32(00000018,00000018,6CC63080), ref: 6CBACE79
_memmove.LIBCMT ref: 6CBACED7

Strings

, xrefs: 6CBACEC3

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: H_prolog3Object_memmove
String ID:
API String ID: 107514201-3916222277
Opcode ID: 85f4bd12a54549c421892608c2f81480241a30f7ace9cde9958043b44df3b765
Instruction ID: f5b942b83eef5f3764a3ed553f53a6745dc6634cd19d360555330ba500835df6
Opcode Fuzzy Hash: 85f4bd12a54549c421892608c2f81480241a30f7ace9cde9958043b44df3b765
Instruction Fuzzy Hash: DC416B71D04159AFCF05EFE4CC808EEBBB5EF08308F60812AE411B7690DB325A0ADB90

Uniqueness

Uniqueness Score: -1.00%

Function 6CB416D0 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 94windowregistryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CB416ED
RegisterClassExW.USER32 ref: 6CB4171C
GetSystemMetrics.USER32(00000011), ref: 6CB4174B
GetSystemMetrics.USER32(00000010), ref: 6CB41755
CreateWindowExW.USER32(00000080,?,00000000,00000000,00000000), ref: 6CB4176B
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 6CB4178B
TranslateMessage.USER32(?), ref: 6CB417A5
DispatchMessageW.USER32(?), ref: 6CB417AC
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 6CB417B9

Strings

Canon.IC.UniversalInstaller.v2.Relay, xrefs: 6CB41714
0, xrefs: 6CB41700

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Message$MetricsSystem$ClassCreateDispatchRegisterTranslateWindow_memset
String ID: 0$Canon.IC.UniversalInstaller.v2.Relay
API String ID: 3910511604-3219865983
Opcode ID: 81cae1f0790e63d82673bbef1cffb3ac9b8f34081cdd88ebfaefd9cc6f91611f
Instruction ID: e41d25baf79e0f6e4587f675ff3850e57dabcdcdb0ba88f96f848b346c7f04fc
Opcode Fuzzy Hash: 81cae1f0790e63d82673bbef1cffb3ac9b8f34081cdd88ebfaefd9cc6f91611f
Instruction Fuzzy Hash: 0831E3B27143046FE600CFA4EC46F9B77B8EB84B90F548619F6049B1C0DBB0E415CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6CB998E4 Relevance: 18.2, APIs: 12, Instructions: 226windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB998EB
TransparentBlt.MSIMG32(?,?,?,?,?,?,?,00000000,?,?,?,00000048,6CB9A514,?,?,?), ref: 6CB99943
CreateCompatibleDC.GDI32(?), ref: 6CB99988
CreateCompatibleDC.GDI32(?), ref: 6CB999A5
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6CB999C3
StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,00000000,?,?,00CC0020), ref: 6CB99A27
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,00000000,00CC0020), ref: 6CB99A55
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 6CB99A62
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6CB99A9B
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,008800C6), ref: 6CB99AC9
BitBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,008800C6), ref: 6CB99AF6
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00EE0086), ref: 6CB99B11

Part of subcall function 6CB515D4: __EH_prolog3_catch_GS.LIBCMT ref: 6CB515DE

Part of subcall function 6CB5119A: DeleteDC.GDI32(00000000), ref: 6CB511AC

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Create$Compatible$Bitmap$DeleteH_prolog3H_prolog3_catch_StretchTransparent
String ID:
API String ID: 650092443-0
Opcode ID: 119e0e3fc3d227163c47a91591aab4d9f1f52d8660569176109e2aff47a90b02
Instruction ID: 46e50d74bb0eec1e3b57fbc57e615d8180f4e1fcf47f542fa5b9d96814df00c9
Opcode Fuzzy Hash: 119e0e3fc3d227163c47a91591aab4d9f1f52d8660569176109e2aff47a90b02
Instruction Fuzzy Hash: 1D91EF71800189AFCF02DFA0CD84DEEBB7AFF09358F684168F51566660D7329E29EB50

Uniqueness

Uniqueness Score: -1.00%

Function 6CBBC4B5 Relevance: 18.2, APIs: 12, Instructions: 150windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CBBC13D: LoadCursorW.USER32(00000000,00007F8B), ref: 6CBBC15E
Part of subcall function 6CBBC13D: LoadCursorW.USER32(?,00007901), ref: 6CBBC177

PeekMessageW.USER32(?,?,00000367,00000367,00000003), ref: 6CBBC4ED
PostMessageW.USER32(?,00000111,0000E145,00000000), ref: 6CBBC550
SendMessageW.USER32(?,00000362,0000E002,00000000), ref: 6CBBC572
GetCursorPos.USER32(?), ref: 6CBBC58D
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 6CBBC5B9
ReleaseCapture.USER32 ref: 6CBBC606
SetCapture.USER32(?), ref: 6CBBC60B
ReleaseCapture.USER32 ref: 6CBBC617
SendMessageW.USER32(?,00000362,?,00000000), ref: 6CBBC62B
SendMessageW.USER32(?,00000111,0000E147,00000000), ref: 6CBBC656
PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 6CBBC674

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Message$CaptureCursorSend$LoadPeekPostRelease
String ID:
API String ID: 291007519-0
Opcode ID: d79dd4273ca268ea0a677ca95c572a1392c25fd17358070c9f562e3e2cff8c55
Instruction ID: 88c0bc048a90f3bd4ed074bd25ea3f1598eb52d8834f87cf9c31dc8af98fb397
Opcode Fuzzy Hash: d79dd4273ca268ea0a677ca95c572a1392c25fd17358070c9f562e3e2cff8c55
Instruction Fuzzy Hash: 2A5178B1A00249AFDB11EFA0CC85EAEBBB9FF45348F608469E557F6690DB309940DB10

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6693E Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 234windowCOMMON

Download Yara Rule

APIs

RealizePalette.GDI32(?), ref: 6CB66986
InflateRect.USER32(?,000000FE,000000FE), ref: 6CB66A5D
InflateRect.USER32(?,000000FF,000000FF), ref: 6CB66A79

Part of subcall function 6CB66809: __EH_prolog3.LIBCMT ref: 6CB66810
Part of subcall function 6CB66809: GetSystemPaletteEntries.GDI32(?,00000000,00000100,00000004), ref: 6CB66878
Part of subcall function 6CB66809: CreatePalette.GDI32(00000000), ref: 6CB668C3

InflateRect.USER32(?,000000FF,000000FF), ref: 6CB66A95
GetNearestPaletteIndex.GDI32(?,000000FF), ref: 6CB66AB8
FillRect.USER32(?,?,?), ref: 6CB66ADE
InflateRect.USER32(?,000000FE,000000FE), ref: 6CB66B05
FillRect.USER32(?,?), ref: 6CB66B57
InflateRect.USER32(?,000000FF,000000FF), ref: 6CB66B9E

Strings

iii, xrefs: 6CB66A7B

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Inflate$Palette$Fill$CreateEntriesH_prolog3IndexNearestRealizeSystem
String ID: iii
API String ID: 1028858568-940974255
Opcode ID: 7fd6355938f424ddf76940da39a744adc831f4caec58748b8e9658bcd79b86dc
Instruction ID: 1f28c9af1a3750efad924f57230e381cfc31f8ead15ec890f2bb5cb458a620cb
Opcode Fuzzy Hash: 7fd6355938f424ddf76940da39a744adc831f4caec58748b8e9658bcd79b86dc
Instruction Fuzzy Hash: BE918E71A00649AFCF01DFA4CC84ADEB7BAFF49324F244269E825B7290CB71A915CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6CBC0D57 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 199windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CBC0D61
GetSystemMenu.USER32(?,00000000,00000214,6CB74A72,00000000,00000000,00000001,?), ref: 6CBC0DC3
IsMenu.USER32(?), ref: 6CBC0DDC
IsMenu.USER32(?), ref: 6CBC0DF6
SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 6CBC0E2B
GetClassLongW.USER32(?,000000DE), ref: 6CBC0E41
GetWindowLongW.USER32(?,000000F0), ref: 6CBC0E8C

Strings

0, xrefs: 6CBC0F69

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Menu$Long$ClassH_prolog3_MessageSendSystemWindow
String ID: 0
API String ID: 859179710-4108050209
Opcode ID: cef9e424532cfd4e9e91bb7c7295022a030f66678c96dd56fc27aa6b17b96163
Instruction ID: 3991d021b2d70ce3b07da0a10fbfa9a18f8b066ff0359f1d8dc7fc02e4bbd0fb
Opcode Fuzzy Hash: cef9e424532cfd4e9e91bb7c7295022a030f66678c96dd56fc27aa6b17b96163
Instruction Fuzzy Hash: B7816F70600795DFDB21CF64D888BEEB7B8FF44704F204669D4A9A7691DB309A81DF41

Uniqueness

Uniqueness Score: -1.00%

Function 6CB586ED Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 163windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CB58702
SendMessageW.USER32(?,0000104B,00000000,?), ref: 6CB58724
SHGetDesktopFolder.SHELL32(?), ref: 6CB58763
CreatePopupMenu.USER32 ref: 6CB587D7
GetMenuDefaultItem.USER32(00000000,00000000,00000000), ref: 6CB58806
GetParent.USER32(?), ref: 6CB58833
GetParent.USER32(?), ref: 6CB58878
GetParent.USER32(?), ref: 6CB58887
SendMessageW.USER32(?,?,00000000,00000000), ref: 6CB5889C

Strings

$, xrefs: 6CB58829

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Parent$MenuMessageSend$CreateDefaultDesktopFolderItemPopup_memset
String ID: $
API String ID: 2190390364-3993045852
Opcode ID: 5e2c60380b01c4ba69c295ea2e322f6ae92b3e77545be077f53cb1821bd0fce4
Instruction ID: 376663eeaa149b4ff12e51729c1eefffca68f1f9f9728af37dcfe645ac76a5e5
Opcode Fuzzy Hash: 5e2c60380b01c4ba69c295ea2e322f6ae92b3e77545be077f53cb1821bd0fce4
Instruction Fuzzy Hash: 92515871A10218EFDB109FA5C888E9E7FB9EF89715F60815AF909EB250D732D950CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6CB474FF Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,00000000), ref: 6CB4753C
PathFindExtensionW.SHLWAPI(?), ref: 6CB47556
__wcsdup.LIBCMT ref: 6CB475A0
__wcsdup.LIBCMT ref: 6CB475DE
__wcsdup.LIBCMT ref: 6CB47612
__wcsdup.LIBCMT ref: 6CB47678
__wcsdup.LIBCMT ref: 6CB476B9

Strings

.CHM, xrefs: 6CB47650
.HLP, xrefs: 6CB47657
.INI, xrefs: 6CB4769A

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: __wcsdup$ExtensionFileFindModuleNamePath
String ID: .CHM$.HLP$.INI
API String ID: 2477486372-4017452060
Opcode ID: 71ad2d2f1ad39a1af1ca56dc31ed31de3466cebe41b7d8dbf4f72562608a7f7b
Instruction ID: 7758abee61b184c03997d5dd11387b5e91154b2c61c095006e8a2d652ba91224
Opcode Fuzzy Hash: 71ad2d2f1ad39a1af1ca56dc31ed31de3466cebe41b7d8dbf4f72562608a7f7b
Instruction Fuzzy Hash: 0251E1B09047999ADB20DF74C944BDA77FDEF44308F10C8AAD445E6A44EBB0D988DB62

Uniqueness

Uniqueness Score: -1.00%

Function 6CB7183D Relevance: 16.8, APIs: 11, Instructions: 269COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 6CB718DB
GetParent.USER32(?), ref: 6CB718E8
IsZoomed.USER32(?), ref: 6CB7194C
SetWindowRgn.USER32(?,00000000,00000001), ref: 6CB719AB
GetClientRect.USER32(?,?), ref: 6CB719D3
GetClientRect.USER32(?,?), ref: 6CB719E8

Part of subcall function 6CB50F8F: ClientToScreen.USER32(?,?), ref: 6CB50FA0
Part of subcall function 6CB50F8F: ClientToScreen.USER32(?,?), ref: 6CB50FAD

GetWindowRect.USER32(?,?), ref: 6CB71A08

Part of subcall function 6CB50154: SetWindowPos.USER32(?,00000000,?,00000015,000000FF,000000FF,?,?,6CB4BFED,00000000,?,?,000000FF,000000FF,00000015), ref: 6CB5017C

SetWindowRgn.USER32(?,00000000,00000001), ref: 6CB71B93

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$ClientRect$Screen$ParentZoomed
String ID:
API String ID: 2314217310-0
Opcode ID: 9b5b8f2dc2fa213ca3624593adaaad04a682257ba35dc58b3a731365218cf90b
Instruction ID: 0938f956b1b50dd8b20379fd5e6676e4bc17720c00cf9aaac718f6847fdc52d7
Opcode Fuzzy Hash: 9b5b8f2dc2fa213ca3624593adaaad04a682257ba35dc58b3a731365218cf90b
Instruction Fuzzy Hash: 75B18B71A002599FCF10CFA8C994AEEBBB9FF09704F184169ED19AB615DB30D944CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5E51D Relevance: 16.6, APIs: 11, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 6CB5E559
ReleaseCapture.USER32 ref: 6CB5E563
GetClientRect.USER32(?,?), ref: 6CB5E57C
GetSystemMetrics.USER32(00000015), ref: 6CB5E5A3
GetSystemMetrics.USER32(00000015), ref: 6CB5E5C7
SendMessageW.USER32(?,0000120C,00000000,00000001), ref: 6CB5E600
SendMessageW.USER32(?,0000120C,00000001,00000001), ref: 6CB5E622
GetCapture.USER32 ref: 6CB5E647
ReleaseCapture.USER32 ref: 6CB5E651
GetClientRect.USER32(?,?), ref: 6CB5E66A
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 6CB5E6B8

Part of subcall function 6CB5D87D: __EH_prolog3_GS.LIBCMT ref: 6CB5D884
Part of subcall function 6CB5D87D: IsRectEmpty.USER32(?), ref: 6CB5D89F
Part of subcall function 6CB5D87D: InvertRect.USER32(?,?), ref: 6CB5D8B5
Part of subcall function 6CB5D87D: SetRectEmpty.USER32(?), ref: 6CB5D8C3

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Capture$ClientEmptyMessageMetricsReleaseSendSystem$H_prolog3_InvertRedrawWindow
String ID:
API String ID: 174338775-0
Opcode ID: 323445f1047651ddbb8a1c82eccade50d3d05df3de3812808ef96c8a70346d58
Instruction ID: 22241404d2cff9923a1a897b753ddbd155456e809a5a89a4992e4a2c97736373
Opcode Fuzzy Hash: 323445f1047651ddbb8a1c82eccade50d3d05df3de3812808ef96c8a70346d58
Instruction Fuzzy Hash: BE516871A00649DFCB10CFB8C9849AEBBB6FF48304F61452DE45AA7240DB30AA51CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB98D95 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 240windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB95D85: GdipGetImagePixelFormat.GDIPLUS(?,6CCA2208,00000000,00000000,?,6CB98DBF,00000000,00000000,6CCA2208), ref: 6CB95D95

_free.LIBCMT ref: 6CB98EC8
_free.LIBCMT ref: 6CB98F14
GdipBitmapLockBits.GDIPLUS(?,00000000,00000001,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,00000000,6CCA2208), ref: 6CB98FDD
_free.LIBCMT ref: 6CB9900D

Part of subcall function 6CB95DA7: GdipGetImagePaletteSize.GDIPLUS(?,00000000,00000000,00000000,?,6CB98E79,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 6CB95DBB

GdipBitmapUnlockBits.GDIPLUS(00000005,?,?,00000000,00000001,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,00000000,6CCA2208), ref: 6CB99089
_free.LIBCMT ref: 6CB99104

Strings

&, xrefs: 6CB98E15

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Gdip_free$BitmapBitsImage$FormatLockPalettePixelSizeUnlock
String ID: &
API String ID: 4092590016-3042966939
Opcode ID: 73b2f1dede7f96293aa94f1ee0f18cbf70b4f73252195348cfe96ab65b8d8d7a
Instruction ID: d28d39934d674dda17ac69b6459ae39ffee884eeeaca825a3e1e7957ca41485c
Opcode Fuzzy Hash: 73b2f1dede7f96293aa94f1ee0f18cbf70b4f73252195348cfe96ab65b8d8d7a
Instruction Fuzzy Hash: 94A19CB19006689BDB208F14CC80BD9B7B5EF45318F1085F9DA09A7A51DB319EC9CF69

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB2EEC Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 6CBB2F55
MonitorFromPoint.USER32(?,?,00000002), ref: 6CBB2F8E
GetMonitorInfoW.USER32(00000000), ref: 6CBB2F95
CopyRect.USER32(?,?), ref: 6CBB2FAD
CopyRect.USER32(?,?), ref: 6CBB2FB7

Part of subcall function 6CB452C6: __CxxThrowException@8.LIBCMT ref: 6CB452DC
Part of subcall function 6CB452C6: __EH_prolog3.LIBCMT ref: 6CB452E9

SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6CBB2FEE
GetSystemMetrics.USER32(00000022), ref: 6CBB306C
GetSystemMetrics.USER32(00000023), ref: 6CBB3073

Strings

(, xrefs: 6CBB2F87

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: RectSystem$CopyInfoMetricsMonitor$Exception@8FromH_prolog3ParametersPointThrowWindow
String ID: (
API String ID: 348238172-3887548279
Opcode ID: ff867f53df2c87f92f7f7ceb3c0b23fe0e8ea419fba88b5e55adfa169dfefdc6
Instruction ID: 02d0239351d273b42a9ff94762f3327a687430c6af90eb74de652dcc8164602b
Opcode Fuzzy Hash: ff867f53df2c87f92f7f7ceb3c0b23fe0e8ea419fba88b5e55adfa169dfefdc6
Instruction Fuzzy Hash: E05109B1E016099FCB01CFA9C985AEEBBF9FF88304F50416AD515F7614DB30AA05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5E9AC Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 137windowCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6CB5E9D5
LoadCursorW.USER32(?,00007904), ref: 6CB5E9FC
LoadCursorW.USER32(?,00007905), ref: 6CB5EA1E
SendMessageW.USER32(?,0000120A,00000000,00000006), ref: 6CB5EA65
SendMessageW.USER32(?,0000120A,00000001,00000006), ref: 6CB5EA89
SendMessageW.USER32(?,00000401,00000001,00000000), ref: 6CB5EAC3
SendMessageW.USER32(?,00000418,00000000,FFFFFFFF), ref: 6CB5EADD
GetParent.USER32(?), ref: 6CB5EB07

Strings

d, xrefs: 6CB5EA72

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSend$CursorLoad$EmptyParentRect
String ID: d
API String ID: 2284761715-2564639436
Opcode ID: 0b9e4d369126d508e10a02f548fa9684538fd67b48f4d0d8714ef0fd7f9bd3ed
Instruction ID: d5a57ee25f7377f73effd28360bfde5cc7f60938657cf1b84fdd5d2174ccd0b7
Opcode Fuzzy Hash: 0b9e4d369126d508e10a02f548fa9684538fd67b48f4d0d8714ef0fd7f9bd3ed
Instruction Fuzzy Hash: 4B516970A00284AFDB01DFB4CD89EAEBBF9FF49304F504569F116E76A0DB71A9158B90

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6E63B Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB6E642

Part of subcall function 6CB4FF6B: GetWindowLongW.USER32(?,000000F0), ref: 6CB4FF76

swprintf.LIBCMT ref: 6CB6E68C
_wcslen.LIBCMT ref: 6CB6E695

Part of subcall function 6CB44310: _memcpy_s.LIBCMT ref: 6CB443A9

_wcslen.LIBCMT ref: 6CB6E6B0
_wcslen.LIBCMT ref: 6CB6E6E7
swprintf.LIBCMT ref: 6CB6E713
_wcslen.LIBCMT ref: 6CB6E71C

Strings

:%d, xrefs: 6CB6E681, 6CB6E708
- , xrefs: 6CB6E6AA, 6CB6E6AF, 6CB6E6B7, 6CB6E6E1, 6CB6E6E6, 6CB6E6EE

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: _wcslen$swprintf$H_prolog3_LongWindow_memcpy_s
String ID: - $:%d
API String ID: 3834591121-2359489159
Opcode ID: 6bb064f07f411383486725e428c972257c6824d719506e17864bb621cd5f9058
Instruction ID: 741852fe6d7f597a0dad135c4663407e986c0e62a7f350112ba395dd1cc9918a
Opcode Fuzzy Hash: 6bb064f07f411383486725e428c972257c6824d719506e17864bb621cd5f9058
Instruction Fuzzy Hash: 68318972A001546BDB05DBE0DD84EEF737CAF11308F044825A502ABF54EB78AA1DDB94

Uniqueness

Uniqueness Score: -1.00%

Function 6CB62F90 Relevance: 15.4, APIs: 10, Instructions: 368windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB62F97

Part of subcall function 6CB4FF6B: GetWindowLongW.USER32(?,000000F0), ref: 6CB4FF76

SendMessageW.USER32(?,000000B0,?,?), ref: 6CB62FE2
MessageBeep.USER32(000000FF), ref: 6CB63059

Part of subcall function 6CC37B4A: __towupper_l.LIBCMT ref: 6CC37B54

SendMessageW.USER32(?,000000C2,00000001,00000000), ref: 6CB630D1
SendMessageW.USER32(?,000000B0,?,?), ref: 6CB63107
SendMessageW.USER32(?,000000B0,?,?), ref: 6CB63172
MessageBeep.USER32(000000FF), ref: 6CB6321D
SendMessageW.USER32(?,000000C2,00000001,?), ref: 6CB63316

Part of subcall function 6CB44090: _wmemcpy_s.LIBCMT ref: 6CB4416E

Part of subcall function 6CB44310: _memcpy_s.LIBCMT ref: 6CB443A9

SendMessageW.USER32(?,000000B0,?,?), ref: 6CB6337F
MessageBeep.USER32(000000FF), ref: 6CB63395

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Message$Send$Beep$H_prolog3LongWindow__towupper_l_memcpy_s_wmemcpy_s
String ID:
API String ID: 197502079-0
Opcode ID: e503b63d6925d48e41c8d083162c7b24960ba89e35f2cc695de46761c49b9760
Instruction ID: 7f7a6d1e862bed81083b627070895b36aab41c292180340e09b724740faf7352
Opcode Fuzzy Hash: e503b63d6925d48e41c8d083162c7b24960ba89e35f2cc695de46761c49b9760
Instruction Fuzzy Hash: 76D1BB71A00599AFDF05CFA5CC84FEEBBB9FF08318F104209E516A7A90DB30A945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB9A39 Relevance: 15.3, APIs: 10, Instructions: 269COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6CBB9A71
GetWindowRect.USER32(?,00000000), ref: 6CBB9AC7
CopyRect.USER32(00000000,?), ref: 6CBB9ADF
PtInRect.USER32(?,?,?), ref: 6CBB9BB6
PtInRect.USER32(?,?,?), ref: 6CBB9BE2
PtInRect.USER32(?,?,?), ref: 6CBB9C17
PtInRect.USER32(?,?,?), ref: 6CBB9C3F
PtInRect.USER32(?,?,?), ref: 6CBB9CAB
PtInRect.USER32(?,?,?), ref: 6CBB9CD9
PtInRect.USER32(?,?,?), ref: 6CBB9D19

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$CopyParentWindow
String ID:
API String ID: 642869531-0
Opcode ID: 40f55f793135e98b6accd1617c8eac6d91c602b77adb1a845d9c6378eede30ab
Instruction ID: 3135310e9e0576bfde896f8d34aa680815ad638265e0286c4458d7ff79a63864
Opcode Fuzzy Hash: 40f55f793135e98b6accd1617c8eac6d91c602b77adb1a845d9c6378eede30ab
Instruction Fuzzy Hash: 52B1F371E1021A9BCF11CFA9C984AEEBBF4EF58344F20426AE815F7254EB759A40CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB3089 Relevance: 15.1, APIs: 10, Instructions: 112windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(00000000), ref: 6CBB30BC
IsWindowVisible.USER32(00000000), ref: 6CBB30CB
GetSystemMetrics.USER32(00000021), ref: 6CBB30FD
GetSystemMetrics.USER32(00000021), ref: 6CBB3104
GetSystemMetrics.USER32(00000020), ref: 6CBB310A

Part of subcall function 6CB452C6: __CxxThrowException@8.LIBCMT ref: 6CB452DC
Part of subcall function 6CB452C6: __EH_prolog3.LIBCMT ref: 6CB452E9

IsWindowVisible.USER32(00000000), ref: 6CBB3132
IsWindowVisible.USER32(00000000), ref: 6CBB3141
IsZoomed.USER32(00000000), ref: 6CBB3167
GetSystemMetrics.USER32 ref: 6CBB3183
GetSystemMetrics.USER32(00000004), ref: 6CBB31C6

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MetricsSystem$VisibleWindow$Exception@8H_prolog3ThrowZoomed
String ID:
API String ID: 1383962431-0
Opcode ID: 8311253c9fc52a1688146a9de47872b4b9995ceaaf71e03c83ea30d644630338
Instruction ID: 3227bd5bbcea1c18bc7c91d8d0325272b818fbfd3f74a9c252252fe5bfc81d52
Opcode Fuzzy Hash: 8311253c9fc52a1688146a9de47872b4b9995ceaaf71e03c83ea30d644630338
Instruction Fuzzy Hash: F241BF702407819FE7118B66C948BFA77F9FF04358F048568E9AD9BA91EF74D840CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6EEC2 Relevance: 15.1, APIs: 10, Instructions: 109COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,00000000,?), ref: 6CB6EEE8
GetWindowRect.USER32(?,?), ref: 6CB6EF0B
SetRect.USER32(?,?,00000000,?,?), ref: 6CB6EF4B
InvalidateRect.USER32(?,?,00000001), ref: 6CB6EF5A
SetRect.USER32(?,?,00000000,?,?), ref: 6CB6EF71
InvalidateRect.USER32(?,?,00000001), ref: 6CB6EF80
SetRect.USER32(?,00000000,?,?,?), ref: 6CB6EFB1
InvalidateRect.USER32(?,?,00000001), ref: 6CB6EFBC
SetRect.USER32(?,00000000,?,00000001,?), ref: 6CB6EFD3
InvalidateRect.USER32(?,?,00000001), ref: 6CB6EFDE

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Invalidate$Window$Proc
String ID:
API String ID: 570070710-0
Opcode ID: 48e31ff7ca676f83af1b37e57def660053aa11aa914c1415d2cabb81ce3d6fbf
Instruction ID: b627e8e60914787973dd6c31937e6754481e2585665fde1c04a675d64bcb3e6a
Opcode Fuzzy Hash: 48e31ff7ca676f83af1b37e57def660053aa11aa914c1415d2cabb81ce3d6fbf
Instruction Fuzzy Hash: 4F41EA72A1021AAFDF04DFA4CD89EAFBBB8FB09300F504119F601B7580D770AA54DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5D87D Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB5D884

Part of subcall function 6CB511B3: __EH_prolog3.LIBCMT ref: 6CB511BA
Part of subcall function 6CB511B3: GetDC.USER32(00000000), ref: 6CB511E6

IsRectEmpty.USER32(?), ref: 6CB5D89F
InvertRect.USER32(?,?), ref: 6CB5D8B5
SetRectEmpty.USER32(?), ref: 6CB5D8C3
GetClientRect.USER32(?,?), ref: 6CB5D90A
GetSystemMetrics.USER32(00000015), ref: 6CB5D931
GetSystemMetrics.USER32(00000015), ref: 6CB5D955
SendMessageW.USER32(?,0000120C,00000000,00000001), ref: 6CB5D98E
SendMessageW.USER32(?,0000120C,00000001,00000001), ref: 6CB5D9B0
InvertRect.USER32(?,?), ref: 6CB5D9B8

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$EmptyInvertMessageMetricsSendSystem$ClientH_prolog3H_prolog3_
String ID:
API String ID: 3401445556-0
Opcode ID: 95be4f0118b88763fd7bf62dd69e5838f73b419df17716711a0ebd1332a99adc
Instruction ID: 8b0e6d467c5d0bf52dfc1004ab78276149244b34d94cd58f9989435952869eb2
Opcode Fuzzy Hash: 95be4f0118b88763fd7bf62dd69e5838f73b419df17716711a0ebd1332a99adc
Instruction Fuzzy Hash: 84415371A10218DFDF05CFA4D988AEE7BB4FF0A305F454269E908BB250DB306A54CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CBBC19A Relevance: 15.1, APIs: 10, Instructions: 98threadCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 6CBBC1B8
WindowFromPoint.USER32(?,?,?,00000001,?,00000000), ref: 6CBBC1C7
GetActiveWindow.USER32 ref: 6CBBC1E9
GetCurrentThreadId.KERNEL32 ref: 6CBBC201
GetWindowThreadProcessId.USER32(?,00000000), ref: 6CBBC210
GetDesktopWindow.USER32 ref: 6CBBC21C

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$Thread$ActiveCaptureCurrentDesktopFromPointProcess
String ID:
API String ID: 1298419125-0
Opcode ID: 7e8839f76d3fcb1ee528ea5bd3d0d42e0f2ffe6f3ab78dc8ce2776db1525d9e2
Instruction ID: 6b3b7f4587e86ec3668800e073e80bd1d5081faf68d05d69a7f3b7644335ea07
Opcode Fuzzy Hash: 7e8839f76d3fcb1ee528ea5bd3d0d42e0f2ffe6f3ab78dc8ce2776db1525d9e2
Instruction Fuzzy Hash: 98317E71A04695DFCF01EFE8C4488ADBBB5FB4A705B604169E815F7600DF30C990DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4E120 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 6CB4E16E
SetActiveWindow.USER32(?), ref: 6CB4E180
SendMessageW.USER32(?,00000112,?,?), ref: 6CB4E196
IsWindow.USER32(?), ref: 6CB4E1A3
SetActiveWindow.USER32(?), ref: 6CB4E1AA
IsWindow.USER32(?), ref: 6CB4E1AF
SetFocus.USER32(?), ref: 6CB4E1B9

Strings

u, xrefs: 6CB4E1C1

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$ActiveFocus$MessageSend
String ID: u
API String ID: 1556911595-4067256894
Opcode ID: d7c9fc89b0853e87bb37b43c7cc7ef54834ecb50cf5abadaadbdf2dbe104c45b
Instruction ID: 4921c2ad94cc18b166c53d43412fa4f236fb696d6d8970e0952b7034ef4eec1a
Opcode Fuzzy Hash: d7c9fc89b0853e87bb37b43c7cc7ef54834ecb50cf5abadaadbdf2dbe104c45b
Instruction Fuzzy Hash: F011E1326D92C5EBEF109F39CC04E6EBA75EB41358B10C130E911A6998DA38E910FBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6CBAFAD9 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 6CBAFB01
GetStockObject.GDI32(0000000D), ref: 6CBAFB09
GetObjectW.GDI32(00000000,0000005C,?), ref: 6CBAFB16
GetDC.USER32(00000000), ref: 6CBAFB25
GetDeviceCaps.GDI32(00000000,0000005A), ref: 6CBAFB39
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 6CBAFB45
ReleaseDC.USER32(00000000,00000000), ref: 6CBAFB51

Strings

System, xrefs: 6CBAFAFC, 6CBAFB66

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: a1081cf302063e6050fc616cd9aa521ce5fc67ad32a50455f6187f5512cf2f59
Instruction ID: d1a7456493cd16fe34d613f0df14836e3936ffb0968cb5803b136d64b2a6d339
Opcode Fuzzy Hash: a1081cf302063e6050fc616cd9aa521ce5fc67ad32a50455f6187f5512cf2f59
Instruction Fuzzy Hash: 43119A31704358ABEB009BE1CD49FEE7BB8EB02785F800019FA46AB280DB708901CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CC3316C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 6CC33191
__calloc_crt.LIBCMT ref: 6CC3319D
__getptd.LIBCMT ref: 6CC331AA
CreateThread.KERNEL32(00000000,00000000,6CC33107,00000000,00000000,6CB42245), ref: 6CC331E1
GetLastError.KERNEL32(?,6CB42245,00000000,00000000,6CB416D0,00000000,00000000,?), ref: 6CC331EB
_free.LIBCMT ref: 6CC331F4
__dosmaperr.LIBCMT ref: 6CC331FF

Part of subcall function 6CC34966: __getptd_noexit.LIBCMT ref: 6CC34966

Strings

UIxFramework, xrefs: 6CC33171

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
String ID: UIxFramework
API String ID: 155776804-1847128417
Opcode ID: b70a37f532f33031e54af0914eb269636399498a3a7277b10b392fd19f0aed7b
Instruction ID: 5d11d73fde24068edc0643b247562593635317f67fc22f93f70ecdcc671d938b
Opcode Fuzzy Hash: b70a37f532f33031e54af0914eb269636399498a3a7277b10b392fd19f0aed7b
Instruction Fuzzy Hash: 3F112172204726AFD7009FA9FC009DB3BA8EF01338B185129F81CC7A90FF32C8468664

Uniqueness

Uniqueness Score: -1.00%

Function 6CC22DA4 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 40COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CC22DAB

Part of subcall function 6CB46A75: EnterCriticalSection.KERNEL32(6CC9EB58,?,?,?,?,6CB463CF,00000010,00000008,6CB4627B,6CB46212,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA), ref: 6CB46AAF
Part of subcall function 6CB46A75: InitializeCriticalSection.KERNEL32(?,?,?,?,?,6CB463CF,00000010,00000008,6CB4627B,6CB46212,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA), ref: 6CB46AC1
Part of subcall function 6CB46A75: LeaveCriticalSection.KERNEL32(6CC9EB58,?,?,?,?,6CB463CF,00000010,00000008,6CB4627B,6CB46212,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA), ref: 6CB46ACE
Part of subcall function 6CB46A75: EnterCriticalSection.KERNEL32(?,?,?,?,?,6CB463CF,00000010,00000008,6CB4627B,6CB46212,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA), ref: 6CB46ADE

GetProfileIntW.KERNEL32(windows,DragScrollInset,0000000B), ref: 6CC22DFB
GetProfileIntW.KERNEL32(windows,DragScrollDelay,00000032), ref: 6CC22E0A
GetProfileIntW.KERNEL32(windows,DragScrollInterval,00000032), ref: 6CC22E19

Strings

DragScrollInterval, xrefs: 6CC22E0E
DragScrollInset, xrefs: 6CC22DF0
DragScrollDelay, xrefs: 6CC22DFF
windows, xrefs: 6CC22DF5, 6CC22DFA, 6CC22E04, 6CC22E13

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CriticalSection$Profile$Enter$H_prolog3InitializeLeave
String ID: DragScrollDelay$DragScrollInset$DragScrollInterval$windows
API String ID: 4229786687-1024936294
Opcode ID: 5c77485d5ee2e6642fa4e83e353924765d2c59a989345e7ad93c519c57096bf5
Instruction ID: b72409aed8d6980664b76592e10650d0730ba72ee23514bc48b2e1bc2fc5e1d0
Opcode Fuzzy Hash: 5c77485d5ee2e6642fa4e83e353924765d2c59a989345e7ad93c519c57096bf5
Instruction Fuzzy Hash: C201DFB0A41344AAEB22DFA5980AB4EFAF4FF45710F44652EE1059BF80E7B48540EF14

Uniqueness

Uniqueness Score: -1.00%

Function 6CB633B2 Relevance: 13.9, APIs: 9, Instructions: 366windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB633B9
SendMessageW.USER32(?,000000B0,?,?), ref: 6CB633D7
MessageBeep.USER32(000000FF), ref: 6CB63476
MessageBeep.USER32(000000FF), ref: 6CB637C7

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Message$Beep$H_prolog3Send
String ID:
API String ID: 491126482-0
Opcode ID: 3a906e73141b3ff0ea7ba7eef4d32d36618ccba5a8d94a5eae44c24af63a3236
Instruction ID: c029bbc2dea3cb04b2b380e1ba89a02badbbfa68dea38c07d04e637a4e50ed3e
Opcode Fuzzy Hash: 3a906e73141b3ff0ea7ba7eef4d32d36618ccba5a8d94a5eae44c24af63a3236
Instruction Fuzzy Hash: 1AD19C71A005999FDB15CF96C880EFFF7B9FF48318F144219E122A7A90DB31AA44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB637E4 Relevance: 13.9, APIs: 9, Instructions: 354windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB637EB
SendMessageW.USER32(?,000000B0,?,?), ref: 6CB63809
SendMessageW.USER32(?,000000B0,?,?), ref: 6CB63817
MessageBeep.USER32(000000FF), ref: 6CB63883
SendMessageW.USER32(?,000000B0,?,?), ref: 6CB63A19
MessageBeep.USER32(000000FF), ref: 6CB63AB6
SendMessageW.USER32(?,000000C2,00000001,?), ref: 6CB63B6B
SendMessageW.USER32(?,000000B0,?,?), ref: 6CB63BC7
MessageBeep.USER32(000000FF), ref: 6CB63BDD

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Message$Send$Beep$H_prolog3
String ID:
API String ID: 204075910-0
Opcode ID: e07ddc241d36c97c4a823be04b264997f68d48f92b71744a4115b0966329efee
Instruction ID: fc875864621d1c6304ee0a0ebf8a2d5c2e0cb3dc7941c5c291f038356f0a9b44
Opcode Fuzzy Hash: e07ddc241d36c97c4a823be04b264997f68d48f92b71744a4115b0966329efee
Instruction Fuzzy Hash: 79D1B031E00699ABDF11CFA5C980EEEF7BAFF48704F144219E512A7B90DB31A945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB726CD Relevance: 13.7, APIs: 9, Instructions: 242COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB726D7
GetWindowRect.USER32(?,?), ref: 6CB72726
OffsetRect.USER32(?,?,?), ref: 6CB7273C

Part of subcall function 6CB511B3: __EH_prolog3.LIBCMT ref: 6CB511BA
Part of subcall function 6CB511B3: GetDC.USER32(00000000), ref: 6CB511E6

CreateCompatibleDC.GDI32(?), ref: 6CB727AD
SelectObject.GDI32(?,?), ref: 6CB727CD
SelectObject.GDI32(?,?), ref: 6CB7280F
CreateCompatibleDC.GDI32(?), ref: 6CB72928
SelectObject.GDI32(?,?), ref: 6CB72948
SelectObject.GDI32(?,00000000), ref: 6CB72978

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ObjectSelect$CompatibleCreateRect$H_prolog3H_prolog3_OffsetWindow
String ID:
API String ID: 2818906880-0
Opcode ID: b886d283bd66e0f75bc68bac7478b90c15215429899dc65ea39ccf217f6af383
Instruction ID: 548deb11ae9c50372607136a1c468663402bd7b65eda8e983b557f461231a4d8
Opcode Fuzzy Hash: b886d283bd66e0f75bc68bac7478b90c15215429899dc65ea39ccf217f6af383
Instruction Fuzzy Hash: 55A10271D0025AEFCF21DFA4C988AEDBBB5FF09304F1481AAE919B7650DB305A45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB44F3B Relevance: 13.7, APIs: 9, Instructions: 233filecomstringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB44F42
OleDuplicateData.OLE32(?,?,00000000), ref: 6CB44FC3
GlobalLock.KERNEL32(00000000,0000005C,6CC1EFDD,?,?,?), ref: 6CB44FF2
CopyMetaFileW.GDI32(?,00000000), ref: 6CB44FFE
GlobalUnlock.KERNEL32(?), ref: 6CB4500E
GlobalFree.KERNEL32(?), ref: 6CB45017
GlobalUnlock.KERNEL32(?), ref: 6CB45023
lstrlenW.KERNEL32(?,0000005C,6CC1EFDD,?,?,?), ref: 6CB45083
CopyFileW.KERNEL32(?,?,00000000,?,?,0000005C,6CC1EFDD,?,?,?), ref: 6CB4517B

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Global$CopyFileUnlock$DataDuplicateFreeH_prolog3_LockMetalstrlen
String ID:
API String ID: 3489744035-0
Opcode ID: 8547a3990ee1aa4f71c583eb5374b894a86ec5a38e685de57f8e118392c415b3
Instruction ID: 182c494cd60557bf95c00e47a0c68f5c436ff6ff4b621a5bcd1f8931073c1837
Opcode Fuzzy Hash: 8547a3990ee1aa4f71c583eb5374b894a86ec5a38e685de57f8e118392c415b3
Instruction Fuzzy Hash: C681CEB5908646EFDB008FA4C988D2ABBB8FF45709720C518F45AD7A44D730EC61EF90

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5DB75 Relevance: 13.7, APIs: 9, Instructions: 189COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6CB5DBE8
InvalidateRect.USER32(?,?,00000001), ref: 6CB5DC4B
InvalidateRect.USER32(?,?,00000001), ref: 6CB5DC56

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Invalidate$Empty
String ID:
API String ID: 1126320529-0
Opcode ID: 768575b8f00979c04d2d2560c02bd5e21d74eccd1ec6f16ffcb6a403fb04e837
Instruction ID: da44597585359b7673bfe53e14b4be734622bde819fd87d30d742ebf169927c3
Opcode Fuzzy Hash: 768575b8f00979c04d2d2560c02bd5e21d74eccd1ec6f16ffcb6a403fb04e837
Instruction Fuzzy Hash: 7A617B31A00249DFDF01CF69C984AEE77B5FF49304F654169E814EB251DBB1AA50CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB70C28 Relevance: 13.7, APIs: 9, Instructions: 168windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CBB0F1D: GetParent.USER32(?), ref: 6CBB0F29
Part of subcall function 6CBB0F1D: GetParent.USER32(00000000), ref: 6CBB0F2C

Part of subcall function 6CB4FF6B: GetWindowLongW.USER32(?,000000F0), ref: 6CB4FF76

GetParent.USER32(?), ref: 6CB70C89
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 6CB70C9E
GetClientRect.USER32(?,?), ref: 6CB70D05
GetClientRect.USER32(?,?), ref: 6CB70D1A

Part of subcall function 6CB50F8F: ClientToScreen.USER32(?,?), ref: 6CB50FA0
Part of subcall function 6CB50F8F: ClientToScreen.USER32(?,?), ref: 6CB50FAD

GetWindowRect.USER32(?,?), ref: 6CB70D3A

Part of subcall function 6CB50154: SetWindowPos.USER32(?,00000000,?,00000015,000000FF,000000FF,?,?,6CB4BFED,00000000,?,?,000000FF,000000FF,00000015), ref: 6CB5017C

GetParent.USER32(?), ref: 6CB70D89
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6CB70D9D
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6CB70DF2
PostMessageW.USER32(?,00000000,00000000), ref: 6CB70E14

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ClientMessageParent$RectSendWindow$Screen$LongPost
String ID:
API String ID: 3884207962-0
Opcode ID: c8b296bd43cf5c3a9e8df4bbfd38c8d2ff4444c7187aa7e74be16d56cb51eb65
Instruction ID: c8657d393e12b16235d91c13db2dc768dbe870f9984bcd0769ce5abae6ea448e
Opcode Fuzzy Hash: c8b296bd43cf5c3a9e8df4bbfd38c8d2ff4444c7187aa7e74be16d56cb51eb65
Instruction Fuzzy Hash: 35614CB1A10249AFCF00CFA9D984AEEBBF5FF89304F10416AE905B7251CB31A944DF60

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6C75E Relevance: 13.6, APIs: 9, Instructions: 150windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB506A2: GetFocus.USER32 ref: 6CB506A8
Part of subcall function 6CB506A2: GetParent.USER32(00000000), ref: 6CB506D0
Part of subcall function 6CB506A2: GetWindowLongW.USER32(?,000000F0), ref: 6CB506EB
Part of subcall function 6CB506A2: GetParent.USER32(?), ref: 6CB506F9
Part of subcall function 6CB506A2: GetDesktopWindow.USER32 ref: 6CB506FD
Part of subcall function 6CB506A2: SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 6CB50711

GetMenu.USER32(?), ref: 6CB6C7D8
GetMenuItemCount.USER32(?), ref: 6CB6C808
GetSubMenu.USER32(?,00000000), ref: 6CB6C819
GetMenuItemCount.USER32(?), ref: 6CB6C83B
GetMenuItemID.USER32(?,00000000), ref: 6CB6C85C
GetSubMenu.USER32(?,00000000), ref: 6CB6C874
GetMenuItemID.USER32(?,00000000), ref: 6CB6C88C
GetMenuItemCount.USER32(?), ref: 6CB6C8C3
GetMenuItemID.USER32(?,00000000), ref: 6CB6C8DE

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Menu$Item$Count$ParentWindow$DesktopFocusLongMessageSend
String ID:
API String ID: 4186786570-0
Opcode ID: a8c74762fbcb7cb5f88d073f5b38d491e7e160532cd5bd1cce2b95ec22bc7772
Instruction ID: 2397953ad6c608d479b37d05358cba2777506aff83155c7fdf7b7738186f07f1
Opcode Fuzzy Hash: a8c74762fbcb7cb5f88d073f5b38d491e7e160532cd5bd1cce2b95ec22bc7772
Instruction Fuzzy Hash: 7B51C230A00249DFCF22AFA6C884AAEB7B5FF49345F204566D425E6E50D730D940DF21

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6ED4F Relevance: 13.6, APIs: 9, Instructions: 134timekeyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000001), ref: 6CB6ED5C
GetCursorPos.USER32(?), ref: 6CB6ED83
ScreenToClient.USER32(?,?), ref: 6CB6ED90
GetCapture.USER32 ref: 6CB6EDE5

Part of subcall function 6CB452C6: __CxxThrowException@8.LIBCMT ref: 6CB452DC
Part of subcall function 6CB452C6: __EH_prolog3.LIBCMT ref: 6CB452E9

ClientToScreen.USER32(?,?), ref: 6CB6EE2C
WindowFromPoint.USER32(?,?), ref: 6CB6EE38
IsChild.USER32(?,00000000), ref: 6CB6EE4D
KillTimer.USER32(?,0000E001), ref: 6CB6EE8A
KillTimer.USER32(?,0000E000), ref: 6CB6EEA6

Part of subcall function 6CB4F224: GetForegroundWindow.USER32 ref: 6CB4F238
Part of subcall function 6CB4F224: GetLastActivePopup.USER32(?), ref: 6CB4F249

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ClientKillScreenTimerWindow$ActiveCaptureChildCursorException@8ForegroundFromH_prolog3LastPointPopupStateThrow
String ID:
API String ID: 1544770960-0
Opcode ID: 156ed32f2954374bdd47502c704834ff023132ce8ba6453e4094fc50b6a0d7ca
Instruction ID: 69d770c8d30400a5964b1dd1afdc8f724682cc6d8e8cf846f5b7d0c6e939ab00
Opcode Fuzzy Hash: 156ed32f2954374bdd47502c704834ff023132ce8ba6453e4094fc50b6a0d7ca
Instruction Fuzzy Hash: 5041C231A002D5EFDF509F6ACC48A9E7BB5FF44328B108669E461E7AE0DB30D950DB81

Uniqueness

Uniqueness Score: -1.00%

Function 6CB7B2DE Relevance: 13.6, APIs: 9, Instructions: 129windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,0000420F,00000001), ref: 6CB7B332
EnableMenuItem.USER32(?,0000420E,00000001), ref: 6CB7B34E
CheckMenuItem.USER32(?,00004213,00000008), ref: 6CB7B383
EnableMenuItem.USER32(?,00004212,00000001), ref: 6CB7B3A3
EnableMenuItem.USER32(?,00004212,00000001), ref: 6CB7B3C7
EnableMenuItem.USER32(?,00004213,00000001), ref: 6CB7B3D3
EnableMenuItem.USER32(?,00004214,00000001), ref: 6CB7B3DF
EnableMenuItem.USER32(?,00004215,00000001), ref: 6CB7B427
CheckMenuItem.USER32(?,00004215,00000008), ref: 6CB7B43B

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ItemMenu$Enable$Check
String ID:
API String ID: 1852492618-0
Opcode ID: 5153304a891400402f5f52e2d7a5f79d1f6c4c61f89db8d90fc0fb7736063aa8
Instruction ID: 8a29bd2603c40d812122df7a84ae279dc290acea833e5ae999b5301e0de8c643
Opcode Fuzzy Hash: 5153304a891400402f5f52e2d7a5f79d1f6c4c61f89db8d90fc0fb7736063aa8
Instruction Fuzzy Hash: D941BF70780241EBEB208A25CD85B5A77B5EB01708F558165FE24AFDE1D7B0D8E0CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5C32C Relevance: 13.6, APIs: 9, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB5C333
_memset.LIBCMT ref: 6CB5C353
SendMessageW.USER32 ref: 6CB5C37B
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 6CB5C39B
SHGetDesktopFolder.SHELL32(?), ref: 6CB5C3C3
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6CB5C3EC
SendMessageW.USER32(?,00001115,00000000,?), ref: 6CB5C423
SendMessageW.USER32(6CB5B8AF,0000000B,00000001,00000000), ref: 6CB5C42D
RedrawWindow.USER32(6CB5B8AF,00000000,00000000,00000105), ref: 6CB5C439

Part of subcall function 6CB4F42C: __EH_prolog3_catch_GS.LIBCMT ref: 6CB4F436

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSend$DesktopFolderH_prolog3H_prolog3_catch_RedrawWindow_memset
String ID:
API String ID: 3540180273-0
Opcode ID: 8a35784ff06b5d75b74d6c15e5056abab16534c3de727c994fc1df2355c4e989
Instruction ID: 72c91d3dcd1459ae2c9544c3094b063187e548e0836ba40ea452355eaf364692
Opcode Fuzzy Hash: 8a35784ff06b5d75b74d6c15e5056abab16534c3de727c994fc1df2355c4e989
Instruction Fuzzy Hash: 8D416DB0A00209AFDB10DFA0CC85DEEBBB9FF48348F504528E645A76A0E7319D55DF10

Uniqueness

Uniqueness Score: -1.00%

Function 6CB46685 Relevance: 13.6, APIs: 9, Instructions: 96memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6CB4668C
EnterCriticalSection.KERNEL32(00000000,00000010,6CB46948,?,00000000,?,00000004,6CB4625C,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA,?), ref: 6CB4669D
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,6CB4625C,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA,?,?,?,?), ref: 6CB466BB
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,6CB4625C,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA), ref: 6CB466EF
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,6CB4625C,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA,?), ref: 6CB4675B
_memset.LIBCMT ref: 6CB4677A
TlsSetValue.KERNEL32(?,00000000), ref: 6CB4678B
LeaveCriticalSection.KERNEL32(00000000,?,00000000,?,00000004,6CB4625C,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA,?,?,?,?), ref: 6CB467AC

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: 15f33beb92c80a8a82d2905620d9deb842e23fa651ebf17a302965123640aabd
Instruction ID: 2487085d3b08082b1fd6c6e03bd3e98b78b362e8916256fc3400a72ee87e4d6d
Opcode Fuzzy Hash: 15f33beb92c80a8a82d2905620d9deb842e23fa651ebf17a302965123640aabd
Instruction Fuzzy Hash: E531C271508645EFDB10DF24D884C9EBBB4FF01324B20C629E916E7E58CB31A9A4EF81

Uniqueness

Uniqueness Score: -1.00%

Function 6CB68585 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB6858C

Part of subcall function 6CB4DE36: GetWindowTextLengthW.USER32(?), ref: 6CB4DE47
Part of subcall function 6CB4DE36: GetWindowTextW.USER32(?,00000000,00000001), ref: 6CB4DE5E

InflateRect.USER32(?,?,?), ref: 6CB686A9
SetRectEmpty.USER32(?), ref: 6CB686B5
InflateRect.USER32(?,00000000,00000000), ref: 6CB68746
OffsetRect.USER32(?,00000001,00000001), ref: 6CB687D3
IsRectEmpty.USER32(?), ref: 6CB68860

Strings

mmm, xrefs: 6CB687F4

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$EmptyInflateTextWindow$H_prolog3_LengthOffset
String ID: mmm
API String ID: 2648887860-1545505134
Opcode ID: 3a6a82e94d5c7e68a9a0104ab49fbf8c0d4be9069851c59efc9c40f10ec75f29
Instruction ID: 85e265d3bdf1ff8f8837cdeec54a9630ec64d858b46bdf39f4f32d1a8a09fdbd
Opcode Fuzzy Hash: 3a6a82e94d5c7e68a9a0104ab49fbf8c0d4be9069851c59efc9c40f10ec75f29
Instruction Fuzzy Hash: 6BE17031900649DFCF01CFA9C884AEE77B5FF4A305F18417AE816ABA55DB31A945CF21

Uniqueness

Uniqueness Score: -1.00%

Function 6CB47F6C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB47EBA: GetParent.USER32(?), ref: 6CB47F0E
Part of subcall function 6CB47EBA: GetLastActivePopup.USER32(?), ref: 6CB47F1F
Part of subcall function 6CB47EBA: IsWindowEnabled.USER32(?), ref: 6CB47F33
Part of subcall function 6CB47EBA: EnableWindow.USER32(?,00000000), ref: 6CB47F46

EnableWindow.USER32(?,00000001), ref: 6CB47FB9
GetWindowThreadProcessId.USER32(?,?), ref: 6CB47FCD
GetCurrentProcessId.KERNEL32(?,?), ref: 6CB47FD7
SendMessageW.USER32(?,00000376,00000000,00000000), ref: 6CB47FEF
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?), ref: 6CB4806B
EnableWindow.USER32(00000000,00000001), ref: 6CB480B2

Strings

0, xrefs: 6CB48044

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID: 0
API String ID: 1877664794-4108050209
Opcode ID: c8e14b04f38102169b229c6f01f150b426a57e6ac05e85aa5378ecc95c23b794
Instruction ID: 52955ce62ec805b888fedc305a98055474b1861c1f8ceeec38299a034ff45a11
Opcode Fuzzy Hash: c8e14b04f38102169b229c6f01f150b426a57e6ac05e85aa5378ecc95c23b794
Instruction Fuzzy Hash: B7410431A542989BDB218F64CC88BDE77B8EF04315F208596E918E7684D771CE80EBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5BED0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 100windowmemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB5BED7
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?,00000078,6CB5C1BE,?,6CB5C23C), ref: 6CB5BEFA

Part of subcall function 6CB452C6: __CxxThrowException@8.LIBCMT ref: 6CB452DC
Part of subcall function 6CB452C6: __EH_prolog3.LIBCMT ref: 6CB452E9

SHGetDesktopFolder.SHELL32(?,?,6CB5C23C), ref: 6CB5BF0F
GlobalAlloc.KERNEL32(00000040,0000000C,?,6CB5C23C), ref: 6CB5BF24
SendMessageW.USER32(?,00001132,00000000,?), ref: 6CB5BFCD
SendMessageW.USER32(?,00001102,00000002,00000000), ref: 6CB5BFDA

Strings

g, xrefs: 6CB5BF1D

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: FolderH_prolog3MessageSend$AllocDesktopException@8GlobalLocationSpecialThrow
String ID: g
API String ID: 2027722222-30677878
Opcode ID: 43b5b8f46b733e81bf6c926209deeb5255000ebc8722c62d98f567f1281bd9d2
Instruction ID: 0c8717a178920fbacdf06ff7f2ac540ae5a78ee649ccb87fe045a45a92ca54c0
Opcode Fuzzy Hash: 43b5b8f46b733e81bf6c926209deeb5255000ebc8722c62d98f567f1281bd9d2
Instruction Fuzzy Hash: E7316A71A0021A9FDF00DFA4CC88AEEBBB9FF49304F004569E509EB290DB319841DF20

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5C717 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,?), ref: 6CB5C75E
_memset.LIBCMT ref: 6CB5C76B
SendMessageW.USER32(?,00001102,00008001,?), ref: 6CB5C7D4

Part of subcall function 6CB452C6: __CxxThrowException@8.LIBCMT ref: 6CB452DC
Part of subcall function 6CB452C6: __EH_prolog3.LIBCMT ref: 6CB452E9

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 6CB5C79D
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 6CB5C7A8
SendMessageW.USER32(?,0000110B,00000009,?), ref: 6CB5C7C2

Strings

@, xrefs: 6CB5C77C

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSend$Exception@8H_prolog3Throw_memset
String ID: @
API String ID: 3199205413-2766056989
Opcode ID: a7c11c50d70cc998f60ee1210a57300035b95ee27edf9cf85e93dd086f080d34
Instruction ID: e9814ec9daeb57de5c7ea00e0998cc71790e39f89324c45a3d7e3d3d5385cf4b
Opcode Fuzzy Hash: a7c11c50d70cc998f60ee1210a57300035b95ee27edf9cf85e93dd086f080d34
Instruction Fuzzy Hash: 47219272650308BFEB11AF55DC81FCA7BBAFB5C798F504011F604AA990E7B0D8508B54

Uniqueness

Uniqueness Score: -1.00%

Function 6CB437F0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB44632: _malloc.LIBCMT ref: 6CB44650

LoadLibraryW.KERNEL32(?,0000000D), ref: 6CB43814
GetProcAddress.KERNEL32(?,Initialize), ref: 6CB43867
GetProcAddress.KERNEL32(?,Finalize), ref: 6CB43880
GetProcAddress.KERNEL32(?,Run), ref: 6CB438A1

Strings

Run, xrefs: 6CB4389B
Initialize, xrefs: 6CB43861
Finalize, xrefs: 6CB4387A

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AddressProc$LibraryLoad_malloc
String ID: Finalize$Initialize$Run
API String ID: 1541204599-1393568065
Opcode ID: c7e3e77eab662f8e01fb24156cddcb16530b452f6270edd147b789d037048e17
Instruction ID: 38fe260b2bcde1116773f0cd5ec832f15ff45e91267911c033d540506c4ea5fe
Opcode Fuzzy Hash: c7e3e77eab662f8e01fb24156cddcb16530b452f6270edd147b789d037048e17
Instruction Fuzzy Hash: 9321C071A087409FC320CFAEC984806FBE9FF447A1B59C96AE05DC7A14E330E8409BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5D517 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB5D521

Part of subcall function 6CB59EAC: SendMessageW.USER32(?,00000031,00000000,00000000), ref: 6CB59EB5

SendMessageW.USER32(FFFFFFFF,00000030,?,00000001), ref: 6CB5D58D
SendMessageW.USER32(FFFFFFFF,000000D4,00000000,00000000), ref: 6CB5D59A
SendMessageW.USER32(FFFFFFFF,00000030,?,00000001), ref: 6CB5D5BA
SendMessageW.USER32(FFFFFFFF,000000D4,00000000,00000000), ref: 6CB5D5C4
~_Task_impl.LIBCPMT ref: 6CB5D5E4

Strings

d, xrefs: 6CB5D55A

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSend$H_prolog3_Task_impl
String ID: d
API String ID: 731318678-2564639436
Opcode ID: a6a77eceefc355b69043abda3be1264219f0f2369cde4714f4a8d5c9f542c037
Instruction ID: 7daf61540a158cce333ce91a8132677f161ecb8f8ef9c0f1cfe16bcef821f1da
Opcode Fuzzy Hash: a6a77eceefc355b69043abda3be1264219f0f2369cde4714f4a8d5c9f542c037
Instruction Fuzzy Hash: F7218170A00218AEEF11DF71CD81FEDBAB9FF05348F90426AA218A7691DB705E55CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6CB7CB84 Relevance: 12.3, APIs: 8, Instructions: 309timewindowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB7CB8B
SetCursor.USER32(00000040,6CB7D31A,00000000,00000000,?), ref: 6CB7CC25

Part of subcall function 6CB511B3: __EH_prolog3.LIBCMT ref: 6CB511BA
Part of subcall function 6CB511B3: GetDC.USER32(00000000), ref: 6CB511E6

Part of subcall function 6CB54881: __EH_prolog3_GS.LIBCMT ref: 6CB54888
Part of subcall function 6CB54881: CreateRectRgnIndirect.GDI32(?), ref: 6CB548C5
Part of subcall function 6CB54881: CopyRect.USER32(?,?), ref: 6CB548DB
Part of subcall function 6CB54881: InflateRect.USER32(?,?,?), ref: 6CB548F1
Part of subcall function 6CB54881: IntersectRect.USER32(?,?,?), ref: 6CB548FF
Part of subcall function 6CB54881: CreateRectRgnIndirect.GDI32(?), ref: 6CB54909
Part of subcall function 6CB54881: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6CB5491E
Part of subcall function 6CB54881: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6CB54986

Part of subcall function 6CB51207: __EH_prolog3.LIBCMT ref: 6CB5120E
Part of subcall function 6CB51207: ReleaseDC.USER32(?,00000000), ref: 6CB5122B

GetFocus.USER32 ref: 6CB7CCC4
SetTimer.USER32(?,00000014,000001F4,00000000), ref: 6CB7CD84
SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 6CB7CE29
KillTimer.USER32(?,00000014,?,?,00000040,6CB7D31A,00000000,00000000,?), ref: 6CB7CF55
SetTimer.USER32(?,00000014,000001F4,00000000), ref: 6CB7CF72
UpdateWindow.USER32(?), ref: 6CB7CF91

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Create$Timer$H_prolog3H_prolog3_Indirect$CopyCursorFocusInflateIntersectKillMessageReleaseSendUpdateWindow
String ID:
API String ID: 2399994607-0
Opcode ID: 110ae1ac52de8e44d99f8a38d8155821a81d3c83bf00429642fa00a95c5580be
Instruction ID: 9dfa7f504a2b4ce3ff08e494d8addf7a9127d52f88e7ca711886e96db893fb2e
Opcode Fuzzy Hash: 110ae1ac52de8e44d99f8a38d8155821a81d3c83bf00429642fa00a95c5580be
Instruction Fuzzy Hash: B5C18070605294DFDF219F24C884B9D3BB1EB49318F28427DEC39AEAD5DB709884CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB3923 Relevance: 12.2, APIs: 8, Instructions: 239windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 6CBB3952
IsWindowVisible.USER32(?), ref: 6CBB3961
GetWindowRect.USER32(?,?), ref: 6CBB39B3
IsZoomed.USER32(?), ref: 6CBB39C2
SetWindowRgn.USER32(?,00000000,00000001), ref: 6CBB3A2F
_memset.LIBCMT ref: 6CBB3A4F
GetSystemMetrics.USER32(00000004), ref: 6CBB3A99
_memset.LIBCMT ref: 6CBB3B6A

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$Visible_memset$MetricsRectSystemZoomed
String ID:
API String ID: 3274878110-0
Opcode ID: ac95b307667193d84f9d1cd20108743c55ad149538d9014c9db6aae173f91a91
Instruction ID: 6cef4681deeb2949ef28e0393847a3fd9451d28544315558571d3696e1407276
Opcode Fuzzy Hash: ac95b307667193d84f9d1cd20108743c55ad149538d9014c9db6aae173f91a91
Instruction Fuzzy Hash: 149159B1E012989FCF14CFA9C984AEEBBB5FF49704F144169E815BB659DB309801CF62

Uniqueness

Uniqueness Score: -1.00%

Function 6CB98320 Relevance: 12.2, APIs: 8, Instructions: 204windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB98327
EnterCriticalSection.KERNEL32(6CCA2208,00000014,6CB68996,?,00000000,00000000,00000000), ref: 6CB9834C
SelectObject.GDI32(?,00000014), ref: 6CB9843B
LeaveCriticalSection.KERNEL32(6CCA2208,00000020,?,00000014,6CB68996,?,00000000,00000000,00000000), ref: 6CB9845A
CreateBitmap.GDI32(-00000002,-00000002,00000001,00000001,00000000), ref: 6CB9847D
SelectObject.GDI32(00000000), ref: 6CB9848C
CreateCompatibleDC.GDI32(00000000), ref: 6CB98516
CreateCompatibleBitmap.GDI32(?,-00000002,-00000002), ref: 6CB98536

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Create$BitmapCompatibleCriticalObjectSectionSelect$EnterH_prolog3Leave
String ID:
API String ID: 4255533662-0
Opcode ID: e7badd57bebcb650754123a406acc7cd6d61b04bf101a289ba94786fa5a13a6c
Instruction ID: 6bd87ea5ad5ddd5b88d175380f9f998a58d0fdcde5a475308ff0a3d184a75da1
Opcode Fuzzy Hash: e7badd57bebcb650754123a406acc7cd6d61b04bf101a289ba94786fa5a13a6c
Instruction Fuzzy Hash: 34714A31604B81CBCB21CF65C88495B77B5FF46308F648A3AE166D7A50E772E895CB12

Uniqueness

Uniqueness Score: -1.00%

Function 6CBBF63F Relevance: 12.2, APIs: 8, Instructions: 183windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CBBF646
GetSystemMenu.USER32(?,00000000,00000038,6CB74AA0,00000000,00000000,?), ref: 6CBBF6F4
IsMenu.USER32(?), ref: 6CBBF709
IsMenu.USER32(?), ref: 6CBBF71A
GetWindowLongW.USER32(?,000000F0), ref: 6CBBF742
_memset.LIBCMT ref: 6CBBF824
GetMenuItemInfoW.USER32(00000000,0000F060,00000000,?), ref: 6CBBF83F
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 6CBBF894

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Menu$Window$H_prolog3InfoItemLongRedrawSystem_memset
String ID:
API String ID: 428562733-0
Opcode ID: 5eec4b9f756570a627a42a5ae6b4ef84ad38db850ade819a6a61b9ea5e78a81d
Instruction ID: 244de3ce95215d216fc8266179545ab1a570572ab2c3807c8812d89328f98f46
Opcode Fuzzy Hash: 5eec4b9f756570a627a42a5ae6b4ef84ad38db850ade819a6a61b9ea5e78a81d
Instruction Fuzzy Hash: 8171BD79A00245AFDB01CFA5C888BBEB7F8FF44314F208659E829A6690DB70A945DB51

Uniqueness

Uniqueness Score: -1.00%

Function 6CBD3AB1 Relevance: 12.1, APIs: 8, Instructions: 149windowCOMMON

Download Yara Rule

APIs

ReleaseCapture.USER32 ref: 6CBD3AE1
IsWindow.USER32(?), ref: 6CBD3B02
DestroyWindow.USER32(?), ref: 6CBD3B12
GetParent.USER32(?), ref: 6CBD3B2E
IsRectEmpty.USER32(?), ref: 6CBD3BDA
IsWindowVisible.USER32(?), ref: 6CBD3C1C
MapWindowPoints.USER32(?,?,?,00000001), ref: 6CBD3C33
SendMessageW.USER32(?,00000202,?,?), ref: 6CBD3C52

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$CaptureDestroyEmptyMessageParentPointsRectReleaseSendVisible
String ID:
API String ID: 3509494761-0
Opcode ID: 5ff3671d912b7d91b805e208985429f042528d553f6f6c2345ece247cc564bdf
Instruction ID: 53bce25fab3ea2930b35f166c40dad71669695ca8c352b3ca6749f4a47d0beff
Opcode Fuzzy Hash: 5ff3671d912b7d91b805e208985429f042528d553f6f6c2345ece247cc564bdf
Instruction Fuzzy Hash: D35189303007459BEF019F65C899BEA3BB5EF05305F5941B8E80A9F696DB70E904CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5A96C Relevance: 12.1, APIs: 8, Instructions: 146windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 6CB5A9B5
ScreenToClient.USER32(00000000,?), ref: 6CB5A9FA
SendMessageW.USER32(?,0000102C,00000000,00000003), ref: 6CB5AA38
SetCapture.USER32(?), ref: 6CB5AA5E
ReleaseCapture.USER32 ref: 6CB5AA99
ScreenToClient.USER32(?,?), ref: 6CB5AAB8
GetSystemMetrics.USER32(00000044), ref: 6CB5AAF3
GetSystemMetrics.USER32(00000045), ref: 6CB5AB0F

Part of subcall function 6CB59F26: SendMessageW.USER32(6CB5A99C,00001018,00000000,00000000), ref: 6CB59F32

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CaptureClientMessageMetricsScreenSendSystem$FocusRelease
String ID:
API String ID: 3871486171-0
Opcode ID: 910dd4061a22947b0001cebe6bd5c19d9814b1861ba8caa7d7ce171616d4dcb8
Instruction ID: 06ea806e07d603d39e53734f0f1356444215979f7e4bc6d35230becfb9cad8ce
Opcode Fuzzy Hash: 910dd4061a22947b0001cebe6bd5c19d9814b1861ba8caa7d7ce171616d4dcb8
Instruction Fuzzy Hash: 2651B371A00644AFCB00DFB8C944AEEBBF5FF15304F508529E59AE7650EB70A990CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4CCC4 Relevance: 12.1, APIs: 8, Instructions: 134windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6CB4CD07
BeginDeferWindowPos.USER32(00000008), ref: 6CB4CD1F
GetTopWindow.USER32(?), ref: 6CB4CD34
GetDlgCtrlID.USER32(00000000), ref: 6CB4CD43
SendMessageW.USER32(00000000,00000361,00000000,00000000), ref: 6CB4CD75
GetWindow.USER32(00000000,00000002), ref: 6CB4CD7E
CopyRect.USER32(?,?), ref: 6CB4CD9C
EndDeferWindowPos.USER32(00000000), ref: 6CB4CE13

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$DeferRect$BeginClientCopyCtrlMessageSend
String ID:
API String ID: 1228040700-0
Opcode ID: dc9410494bbd2de03a3f8ee4cdf0359c511ae186717391597dd0e1156acdc586
Instruction ID: 18ca5e284d0b07cf95d1fa76d7a836c1554a8bfc07aab18153a02ea1686eb9ee
Opcode Fuzzy Hash: dc9410494bbd2de03a3f8ee4cdf0359c511ae186717391597dd0e1156acdc586
Instruction Fuzzy Hash: 8951AC71904668EFCF01EFA9C8849DEBBB4FF49704F20812AE815B7208D7309958DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CC1CF67 Relevance: 12.1, APIs: 8, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CC1CF6E
EqualRect.USER32(?,?), ref: 6CC1CF8D
EqualRect.USER32(?,?), ref: 6CC1CF9E
CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 6CC1CFEE
CreateRectRgn.GDI32(?,00000000,?,?), ref: 6CC1D021
CreateRectRgnIndirect.GDI32(?), ref: 6CC1D02D
SetWindowRgn.USER32(?,?,00000000), ref: 6CC1D054
RedrawWindow.USER32(?,00000000,00000000,00000105,6CCA0420,?,?,?,00000001,00000058), ref: 6CC1D0CC

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Create$EqualWindow$H_prolog3IndirectRedraw
String ID:
API String ID: 1234839666-0
Opcode ID: 4e059b74a2bad0f838f32bfc6da2cb2fad786fdf3ebbabb57e12b8bd05203b59
Instruction ID: 11c51439976c06426257365e564a892d447e4d5a92cae29ee2a049db41451f86
Opcode Fuzzy Hash: 4e059b74a2bad0f838f32bfc6da2cb2fad786fdf3ebbabb57e12b8bd05203b59
Instruction Fuzzy Hash: 6C515B7190010AEFCF01DFA9C888EEF7BB9BF05304F008159BC15AB645DB71AA56DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CB79E00 Relevance: 12.1, APIs: 8, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 6CBD4A4E: ReleaseCapture.USER32 ref: 6CBD4A7C
Part of subcall function 6CBD4A4E: IsWindow.USER32(?), ref: 6CBD4AA0
Part of subcall function 6CBD4A4E: DestroyWindow.USER32(?,?,6CB7D8D9,?,?,?,?,?,6CB732D8,00000000,?,6CB73786), ref: 6CBD4AB0

SetRectEmpty.USER32(?), ref: 6CB79E33
ReleaseCapture.USER32 ref: 6CB79E39
SetCapture.USER32(?,?,6CB7D8D9,?,?,?,?,?,6CB732D8,00000000,?,6CB73786), ref: 6CB79E48
GetCapture.USER32 ref: 6CB79E8A
ReleaseCapture.USER32 ref: 6CB79E9A
SetCapture.USER32(?,?,6CB7D8D9,?,?,?,?,?,6CB732D8,00000000,?,6CB73786), ref: 6CB79EA9
RedrawWindow.USER32(?,?,?,00000505), ref: 6CB79F14
RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 6CB79F53

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Capture$Window$Release$Redraw$DestroyEmptyRect
String ID:
API String ID: 2209428161-0
Opcode ID: 1a267e534f62a331f6d0715702b98067bab6a9ff35bb1827e203e3416aab2af7
Instruction ID: 811a457d5883067ae0da24a924e4eb8dbc2f10cead20ce46805b493124d7d9f8
Opcode Fuzzy Hash: 1a267e534f62a331f6d0715702b98067bab6a9ff35bb1827e203e3416aab2af7
Instruction Fuzzy Hash: 2C419F316007419FEB219B34C848F9F7BF5EF84719F64461CE86A976A0DB70E844DB20

Uniqueness

Uniqueness Score: -1.00%

Function 6CB61B06 Relevance: 12.1, APIs: 8, Instructions: 109windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 6CB61B4A
InvalidateRect.USER32(?,00000000,00000001), ref: 6CB61B8B
TrackPopupMenu.USER32(?,00000180,?,?,00000000,?,00000000), ref: 6CB61BD8
GetParent.USER32(?), ref: 6CB61BE7
SendMessageW.USER32(?,00000111,?,?), ref: 6CB61C1D
InvalidateRect.USER32(?,00000000,00000001,00000000), ref: 6CB61C3B
UpdateWindow.USER32(?), ref: 6CB61C44
ReleaseCapture.USER32 ref: 6CB61C53

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$InvalidateWindow$CaptureMenuMessageParentPopupReleaseSendTrackUpdate
String ID:
API String ID: 2465089168-0
Opcode ID: 346dc6914edc57f37a5d8bbbec4a01d6f2678ad666b9b1b731b5c9877541d78b
Instruction ID: 1924c97a3de4a567b035bc9a5850802a47b42d3003a899decb915ed5dc1cb9d6
Opcode Fuzzy Hash: 346dc6914edc57f37a5d8bbbec4a01d6f2678ad666b9b1b731b5c9877541d78b
Instruction Fuzzy Hash: 6A412B70A00B44EFCB118FB5C844AABBBF9FF89705F54091AE49AA2610D775A890DF51

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6AB7B Relevance: 12.1, APIs: 8, Instructions: 105windowstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 6CB6AB91
_memset.LIBCMT ref: 6CB6ABB0
GetFocus.USER32 ref: 6CB6ABB8

Part of subcall function 6CB4C5F9: UnhookWindowsHookEx.USER32(?), ref: 6CB4C629

IsWindowEnabled.USER32(?), ref: 6CB6ABED
EnableWindow.USER32(?,00000000), ref: 6CB6AC09
EnableWindow.USER32(00000000,00000001), ref: 6CB6AC9C
IsWindow.USER32(?), ref: 6CB6ACA1
SetFocus.USER32(?), ref: 6CB6ACAE

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$EnableFocus$EnabledHookUnhookWindows_memsetlstrlen
String ID:
API String ID: 3424750955-0
Opcode ID: 02b15f22c6a2737eef4f35dd04f6aafef6047b064f2cccf7320a361c49ea29c8
Instruction ID: 850b50fcfdacc8a694651aa41d9019251ecf0d09b9020392b58993eaad63fc94
Opcode Fuzzy Hash: 02b15f22c6a2737eef4f35dd04f6aafef6047b064f2cccf7320a361c49ea29c8
Instruction Fuzzy Hash: 47418930600650EFDB119F79CA84B9ABBF6EF45708F208469E51A9BA52CB31E846CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6CB68240 Relevance: 12.1, APIs: 8, Instructions: 102windowtimeCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6CB682DA
SendMessageW.USER32(?,00000111,?,?), ref: 6CB68308
IsWindow.USER32(?), ref: 6CB68317
RedrawWindow.USER32(?,00000000,00000000,00000105,?,?,?,?,?,6CB61DBD,?,?,?), ref: 6CB68327
IsWindow.USER32(?), ref: 6CB68337
ReleaseCapture.USER32 ref: 6CB68345
KillTimer.USER32(?,00000001,?,?,?,?,?,6CB61DBD,?,?,?), ref: 6CB6835E
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 6CB6837D

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$MessageSend$CaptureKillParentRedrawReleaseTimer
String ID:
API String ID: 3014619129-0
Opcode ID: 3d0efabe12714882a7a678efc1eda6c56e0bb1cec614f2dcc0e646dc9f73b54b
Instruction ID: fc0ccced8302a99351ece482fa86cb1bdd90245be43666a5cfd6e3ee56b3c3a9
Opcode Fuzzy Hash: 3d0efabe12714882a7a678efc1eda6c56e0bb1cec614f2dcc0e646dc9f73b54b
Instruction Fuzzy Hash: 46319570611F40DFCB219B36C844BABB6F5FF86705F20452FE0AA52A55D772A480DF12

Uniqueness

Uniqueness Score: -1.00%

Function 6CBE72FE Relevance: 12.1, APIs: 8, Instructions: 100COMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 6CBE731B
GetParent.USER32(?), ref: 6CBE7332
GetClientRect.USER32(?,?), ref: 6CBE73C0
MapWindowPoints.USER32(?,?,?,00000002), ref: 6CBE73D3
PtInRect.USER32(?,?,?), ref: 6CBE73E3

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ClientRect$ParentPointsScreenWindow
String ID:
API String ID: 1402249346-0
Opcode ID: 624ffa1a2102a0c37dd5cef4c0d97559b879ed6ca6f37a44d3123ffe926c12d8
Instruction ID: a621b5d5b73eb7874a4edec5df652ab3e0a2250fe8ea6917c3d1eccfb9cc27e2
Opcode Fuzzy Hash: 624ffa1a2102a0c37dd5cef4c0d97559b879ed6ca6f37a44d3123ffe926c12d8
Instruction Fuzzy Hash: 6731CE7261010AAFCF019FA9C8488EFBBB9FF493807504129F805E7651EB70D951EB51

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4493C Relevance: 12.1, APIs: 8, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 6CB4494E
GetMenuItemCount.USER32(?), ref: 6CB44956
GetSubMenu.USER32(?,-00000001), ref: 6CB44973
GetMenuItemCount.USER32(00000000), ref: 6CB44983
GetSubMenu.USER32(00000000,00000000), ref: 6CB44994
RemoveMenu.USER32(00000000,00000000,00000400), ref: 6CB449B1
GetSubMenu.USER32(?,?), ref: 6CB449CB
RemoveMenu.USER32(?,?,00000400), ref: 6CB449E9

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Menu$CountItem$Remove
String ID:
API String ID: 3494307843-0
Opcode ID: 9069c93f72cb2dc9d750e9cec3f2b23dc1356174f32bacd134cf580674daaf78
Instruction ID: dcae98a91c6049f71575b029060a53b31a930b2480991533396e69ca967bc440
Opcode Fuzzy Hash: 9069c93f72cb2dc9d750e9cec3f2b23dc1356174f32bacd134cf580674daaf78
Instruction Fuzzy Hash: F8213535A08289FFDF02DFA8CD4198EBBB5FB04345F2084A2E910B2558D7319A61FF59

Uniqueness

Uniqueness Score: -1.00%

Function 6CB53C06 Relevance: 12.1, APIs: 8, Instructions: 66memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?,?,?,?,?,?,6CB4E24B,?), ref: 6CB53C25
lstrcmpW.KERNEL32(00000000,?,?,?,?,?,?,6CB4E24B,?), ref: 6CB53C32
OpenPrinterW.WINSPOOL.DRV(?,?,00000000,?,?,?,?,?,6CB4E24B,?), ref: 6CB53C44
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,?,?,6CB4E24B,?), ref: 6CB53C64
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 6CB53C6C
GlobalLock.KERNEL32(00000000,?,?,?,?,?,6CB4E24B,?), ref: 6CB53C76
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002,?,?,?,?,?,6CB4E24B,?), ref: 6CB53C83
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002,?,?,?,?,?,6CB4E24B,?), ref: 6CB53C9B

Part of subcall function 6CB5040C: GlobalFlags.KERNEL32(?), ref: 6CB5041B
Part of subcall function 6CB5040C: GlobalUnlock.KERNEL32(?,?,6CB53C95,?,00000000,?,?,00000000,00000000,00000002,?,?,?,?,?,6CB4E24B), ref: 6CB5042C
Part of subcall function 6CB5040C: GlobalFree.KERNEL32(?), ref: 6CB50436

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: f2fe140ba02203b44bd963aa28cb6a71425862fbe28ca3dd85edc50d579798e4
Instruction ID: d7c21603f2839e8fe3a44f0a8bd5c96a579148f870251feab5e4977c9ce2f5b9
Opcode Fuzzy Hash: f2fe140ba02203b44bd963aa28cb6a71425862fbe28ca3dd85edc50d579798e4
Instruction Fuzzy Hash: 0B118C72140644BEDF129FA6CD48CAF7BFDEB85B48B908019FA05E6A20D731D960E720

Uniqueness

Uniqueness Score: -1.00%

Function 6CB56042 Relevance: 12.1, APIs: 8, Instructions: 64COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000031), ref: 6CB56058
GetSystemMetrics.USER32(00000032), ref: 6CB56062
SetRectEmpty.USER32(6CCA0A6C), ref: 6CB56071
EnumDisplayMonitors.USER32(00000000,00000000,Function_00015FBD,6CCA0A6C,?,?,6CBBD3CE,?,?,?,6CB78C2E,?,?), ref: 6CB56081
SystemParametersInfoW.USER32(00000030,00000000,6CCA0A6C,00000000), ref: 6CB5609C
SystemParametersInfoW.USER32(00001002,00000000,6CCA0A98,00000000), ref: 6CB560BC
SystemParametersInfoW.USER32(00001012,00000000,6CCA0A9C,00000000), ref: 6CB560D4
SystemParametersInfoW.USER32 ref: 6CB560F4

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: System$InfoParameters$Metrics$DisplayEmptyEnumMonitorsRect
String ID:
API String ID: 2614369430-0
Opcode ID: 849973125f7bc29977026945254b8f8f854998cafffcc23414b9a6b8bd112793
Instruction ID: 555ccbfcf2e6ffc8b08898cae2f96ce132233bbb2563edbfd6c0d95aeab9d825
Opcode Fuzzy Hash: 849973125f7bc29977026945254b8f8f854998cafffcc23414b9a6b8bd112793
Instruction Fuzzy Hash: FD110AB1601740AFE2318F668D88ED3BBFCEFC6B40F40491EE5AA86240D7B0A541CB21

Uniqueness

Uniqueness Score: -1.00%

Function 6CB44B6A Relevance: 12.1, APIs: 8, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GlobalSize.KERNEL32(?), ref: 6CB44B7B
GlobalAlloc.KERNEL32(00002002,00000000), ref: 6CB44B8D
GlobalSize.KERNEL32(?), ref: 6CB44B9E
GlobalLock.KERNEL32(?), ref: 6CB44BAF
GlobalLock.KERNEL32(?), ref: 6CB44BB5
GlobalSize.KERNEL32(?), ref: 6CB44BC0
GlobalUnlock.KERNEL32(?), ref: 6CB44BD3
GlobalUnlock.KERNEL32(?), ref: 6CB44BD8

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Global$Size$LockUnlock$Alloc
String ID:
API String ID: 2344174106-0
Opcode ID: d52b702cceb2614efc0758bf611a00edb4869cedfd994eacb1fd1cd87b8d8faa
Instruction ID: b3ad663f9f1586279621c4b4adeaada9686b4c1623d609fbf7edc7a9a9f203d1
Opcode Fuzzy Hash: d52b702cceb2614efc0758bf611a00edb4869cedfd994eacb1fd1cd87b8d8faa
Instruction Fuzzy Hash: 40015E71604218BF9B016FA68C85C9E7F7CEF452A47008465FD08A6211D6709D60EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CB479E6 Relevance: 12.0, APIs: 8, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 6CB479F5
GetSystemMetrics.USER32(0000000C), ref: 6CB479FC
GetSystemMetrics.USER32(00000002), ref: 6CB47A03
GetSystemMetrics.USER32(00000003), ref: 6CB47A0D
GetDC.USER32(00000000), ref: 6CB47A17
GetDeviceCaps.GDI32(00000000,00000058), ref: 6CB47A28
GetDeviceCaps.GDI32(00000000,0000005A), ref: 6CB47A30
ReleaseDC.USER32(00000000,00000000), ref: 6CB47A38

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: cf6eb6bdf70cc6902b9fd3e8ba6ba6e7294cdf624e9aa687cbec0e291d49c69d
Instruction ID: 87e5b98bf40105a5721ba19171f73af3706c5113fa32b0f8602403ee605ff807
Opcode Fuzzy Hash: cf6eb6bdf70cc6902b9fd3e8ba6ba6e7294cdf624e9aa687cbec0e291d49c69d
Instruction Fuzzy Hash: A3F017B1F40714BAEB106F728C49F167FB8FB46761F00846BE605AB2C0DAB598618FD0

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB7D80 Relevance: 10.8, APIs: 7, Instructions: 348COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CBB7D87
GetWindow.USER32(?,00000005), ref: 6CBB7DEB

Part of subcall function 6CBB7471: __EH_prolog3.LIBCMT ref: 6CBB7478
Part of subcall function 6CBB7471: GetWindow.USER32(?,00000005), ref: 6CBB7498
Part of subcall function 6CBB7471: GetWindow.USER32(?,00000002), ref: 6CBB74CE

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$H_prolog3
String ID:
API String ID: 1351209170-0
Opcode ID: 63a5121041207f42924b7d1852b6d4e541846022a8651436a5d0e46bb9f284f5
Instruction ID: e41d012da0ce2feaae18a151fa43ca1c588624a02359f083931a4eff6db96b6c
Opcode Fuzzy Hash: 63a5121041207f42924b7d1852b6d4e541846022a8651436a5d0e46bb9f284f5
Instruction Fuzzy Hash: BED15930A012869FDF04DFA4C888AFEBBB5FF08308F144569E916AB791DF719844CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CBE2473 Relevance: 10.8, APIs: 7, Instructions: 325windowstringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CBE247D
GetMenuItemCount.USER32(0000000D), ref: 6CBE24C6
GetMenuItemID.USER32(0000000D,?), ref: 6CBE24E9

Part of subcall function 6CB452C6: __CxxThrowException@8.LIBCMT ref: 6CB452DC
Part of subcall function 6CB452C6: __EH_prolog3.LIBCMT ref: 6CB452E9

Part of subcall function 6CBD2B17: __EH_prolog3.LIBCMT ref: 6CBD2B1E

Part of subcall function 6CB55E88: __EH_prolog3.LIBCMT ref: 6CB55E8F

lstrlenW.KERNEL32(00000000,?), ref: 6CBE260B
CharUpperBuffW.USER32(00000002,00000001), ref: 6CBE2620
lstrlenW.KERNEL32(00000000), ref: 6CBE2628
GetSubMenu.USER32(00000000,?), ref: 6CBE275A

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: H_prolog3Menu$Itemlstrlen$BuffCharCountException@8H_prolog3_ThrowUpper
String ID:
API String ID: 1336055891-0
Opcode ID: 72a113df6eddd63d893fa86f0a6efcd335a2179c5d4b2be52f58598af3688570
Instruction ID: 24e52f54a5dbbafcaec02e520f9d28e1741ffc28124755511ded8bb797d012af
Opcode Fuzzy Hash: 72a113df6eddd63d893fa86f0a6efcd335a2179c5d4b2be52f58598af3688570
Instruction Fuzzy Hash: 5CD1BF309052A9ABDF25CB64CC58BEDB774EF09718F1082D9E429636D0DB305E88DF52

Uniqueness

Uniqueness Score: -1.00%

Function 6CBAD8EE Relevance: 10.7, APIs: 7, Instructions: 242COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CBAD8F5
CreateCompatibleDC.GDI32(00000002), ref: 6CBAD952

Part of subcall function 6CB96BE5: FillRect.USER32(?,00000020), ref: 6CB96BF9

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CompatibleCreateFillH_prolog3Rect
String ID:
API String ID: 2215992850-0
Opcode ID: 1764e1497e4ededd7690b6234e7314f2066ae86f656b02a031d9efbc244dda33
Instruction ID: 8fb1c0dfb4014226c32112f448c207b2613357574c2ee920e86ac281d9fbaf5e
Opcode Fuzzy Hash: 1764e1497e4ededd7690b6234e7314f2066ae86f656b02a031d9efbc244dda33
Instruction Fuzzy Hash: 9A91AB71A0429A9BCB00DFF9DC44AEEBBB4FF48304F444259E8A1E7690D734D91ACB50

Uniqueness

Uniqueness Score: -1.00%

Function 6CC1EF69 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6CC1EF70

Part of subcall function 6CC1EEE1: OleGetClipboard.OLE32(?), ref: 6CC1EEF9

ReleaseStgMedium.OLE32(?), ref: 6CC1EFE5
ReleaseStgMedium.OLE32(?), ref: 6CC1F02A
CoTaskMemFree.OLE32(?), ref: 6CC1F0D2
ReleaseStgMedium.OLE32(?), ref: 6CC1F04A

Part of subcall function 6CB44632: _malloc.LIBCMT ref: 6CB44650

Strings

', xrefs: 6CC1EFAC

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MediumRelease$ClipboardFreeH_prolog3_catchTask_malloc
String ID: '
API String ID: 3930503942-1997036262
Opcode ID: 582d044ca6791a7f30aaf9a0120fb67797d2f478026ddbb7fb39a8892feee3f9
Instruction ID: 6944665116e5949e17b66912c698d60c5ab64c0b401de2fc4e810959ff848b09
Opcode Fuzzy Hash: 582d044ca6791a7f30aaf9a0120fb67797d2f478026ddbb7fb39a8892feee3f9
Instruction Fuzzy Hash: 67517371909149EFDF00DFA9C884ADD7BF5BF09308F20846AE505E7E40EB719A45EB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB43EB0 Relevance: 10.6, APIs: 7, Instructions: 139COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CB43F07
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000000,00000000), ref: 6CB43F28
VerifyVersionInfoW.KERNEL32(0000011C,00000002,00000000), ref: 6CB43F48
VerSetConditionMask.KERNEL32(00000000,?,00000001,00000001), ref: 6CB43F78
VerifyVersionInfoW.KERNEL32(0000011C,00000001,00000000), ref: 6CB43F95
VerSetConditionMask.KERNEL32(00000000,?,00000020,00000001,?,?,00000001,00000001), ref: 6CB43FC5
VerifyVersionInfoW.KERNEL32(0000011C,00000020,00000000), ref: 6CB43FE0

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ConditionInfoMaskVerifyVersion$_memset
String ID:
API String ID: 2276291344-0
Opcode ID: bd8c5b4308b5cd99b59f9df01a87bd12860a44058950ebeb428233b121152a10
Instruction ID: bbd9962daa3f4817abb4c1f053fcc6c7b6a8436ea429685d5fa1b26c3fbd854b
Opcode Fuzzy Hash: bd8c5b4308b5cd99b59f9df01a87bd12860a44058950ebeb428233b121152a10
Instruction Fuzzy Hash: E4413731A142A85BDB20CB18CC99BC9BBB9EB4A314F5440D9F94CA7780D7B14ED1CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB9B948 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 136windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB9B94F

Part of subcall function 6CB51242: __EH_prolog3.LIBCMT ref: 6CB51249
Part of subcall function 6CB51242: GetWindowDC.USER32(00000000,00000004,6CB570CF,00000000,?,?,6CC63080), ref: 6CB51275

CreateCompatibleDC.GDI32(00000000), ref: 6CB9B984
CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 6CB9BA08
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6CB9BA54

Part of subcall function 6CB514A4: SelectObject.GDI32(6CBAD9C2,?), ref: 6CB514AF

FillRect.USER32(?,?,?), ref: 6CB9BA8F

Strings

(, xrefs: 6CB9B9E9

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Create$Compatible$BitmapFillH_prolog3H_prolog3_ObjectRectSectionSelectWindow
String ID: (
API String ID: 2680359821-3887548279
Opcode ID: 303a91be2f76f8c5550b69fca8377f6418badeddf49fb5fca255e6a3726364c2
Instruction ID: bfac8f12d8c45692dbc6dfadc09d099d15db6f0e580b418ed88c84f38ad7e86c
Opcode Fuzzy Hash: 303a91be2f76f8c5550b69fca8377f6418badeddf49fb5fca255e6a3726364c2
Instruction Fuzzy Hash: 435122B1D00298EFCB11CFE5C9849DDBBB9FF09318F64812AE415AB650DB309A59CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB266D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 6CBB274F
GetMonitorInfoW.USER32(00000000), ref: 6CBB2756
CopyRect.USER32(?,?), ref: 6CBB2768
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 6CBB2778
IntersectRect.USER32(?,?,?), ref: 6CBB27AB

Strings

(, xrefs: 6CBB2748

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: InfoMonitorRect$CopyFromIntersectParametersPointSystem
String ID: (
API String ID: 2931574886-3887548279
Opcode ID: 999b6cbca94fb3534fb207c8a01cf00d7032c504aa6c077f98ec2b18ad75b807
Instruction ID: de40d42d9ff8aa59fff9f025caecbc9f8c81e6544775dd21c677a3fb18cbd6c2
Opcode Fuzzy Hash: 999b6cbca94fb3534fb207c8a01cf00d7032c504aa6c077f98ec2b18ad75b807
Instruction Fuzzy Hash: 4E51E7B5D012499FCB10CFAAC9889EEFBF9FF59304B10455AE415E7650DB30AA44CF62

Uniqueness

Uniqueness Score: -1.00%

Function 6CB7A146 Relevance: 10.6, APIs: 7, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 6CBD1A66: __EH_prolog3_catch.LIBCMT ref: 6CBD1A6D

UpdateWindow.USER32(?), ref: 6CB7A1DA
EqualRect.USER32(?,?), ref: 6CB7A210
InflateRect.USER32(?,00000002,00000002), ref: 6CB7A228
InvalidateRect.USER32(?,?,00000001), ref: 6CB7A237
InflateRect.USER32(?,00000002,00000002), ref: 6CB7A24C
InvalidateRect.USER32(?,?,00000001), ref: 6CB7A25E
UpdateWindow.USER32(?), ref: 6CB7A267

Part of subcall function 6CB79D14: InvalidateRect.USER32(?,?,00000001,?), ref: 6CB79D89
Part of subcall function 6CB79D14: InflateRect.USER32(?,?,?), ref: 6CB79DCF
Part of subcall function 6CB79D14: RedrawWindow.USER32(?,?,00000000,00000401,?,?,00000000,00000000), ref: 6CB79DE2

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$InflateInvalidateWindow$Update$EqualH_prolog3_catchRedraw
String ID:
API String ID: 1041772997-0
Opcode ID: ce8cedb93e7947e4e20d09c4defc7c196c2c0b5150e90254e2b832984b184340
Instruction ID: 75baf82fae5da037337659942c0c5c161e57fddc183a650ba23d824202cdff38
Opcode Fuzzy Hash: ce8cedb93e7947e4e20d09c4defc7c196c2c0b5150e90254e2b832984b184340
Instruction Fuzzy Hash: 38417B716002059FCF11CF68C888B9A77B9FF49315F144279EC1AEB295DB319945CF61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6838A Relevance: 10.6, APIs: 7, Instructions: 119windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000407,00000000,?), ref: 6CB683CD
GetParent.USER32(?), ref: 6CB683FD
SendMessageW.USER32(?,00000111,?), ref: 6CB68422
GetParent.USER32(?), ref: 6CB68445
RedrawWindow.USER32(?,00000000,00000000,00000105,00000000), ref: 6CB684AD
GetParent.USER32(?), ref: 6CB684B6
GetWindowLongW.USER32(?,000000F4), ref: 6CB684D0

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Parent$MessageSendWindow$LongRedraw
String ID:
API String ID: 4271267155-0
Opcode ID: 134b1cfc4c98d17b3816d8f89450da70d59016ca0d50cf810d645e33ab9dfbac
Instruction ID: f94bf453b8f8ca66c76e32562c9845a0114d80f6369556e9a9721602c97752ac
Opcode Fuzzy Hash: 134b1cfc4c98d17b3816d8f89450da70d59016ca0d50cf810d645e33ab9dfbac
Instruction Fuzzy Hash: 1F411931204380EBEB105B23DC84B6B7BB9FF46318F14862BE5559BD90C7B6D880DB12

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4BFFE Relevance: 10.6, APIs: 7, Instructions: 117windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6CB4C031
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 6CB4C055
UpdateWindow.USER32(?), ref: 6CB4C070
SendMessageW.USER32(?,00000121,00000000,?), ref: 6CB4C091
SendMessageW.USER32(?,0000036A,00000000,00000002), ref: 6CB4C0A9
UpdateWindow.USER32(?), ref: 6CB4C0EC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 6CB4C11D

Part of subcall function 6CB4FF6B: GetWindowLongW.USER32(?,000000F0), ref: 6CB4FF76

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: ed26a7efd9d88267414dc36272c8cf8414a60bd9ce4dfef01a9c022dba6a018c
Instruction ID: 6a5a02f66ac239b7931ebf4a4893edd2438e85b7f4b67fc44a7674e1224f4084
Opcode Fuzzy Hash: ed26a7efd9d88267414dc36272c8cf8414a60bd9ce4dfef01a9c022dba6a018c
Instruction Fuzzy Hash: C741DB30A086C4EBDF21AFA6CC44E9EBFB9FF81B49F10C11DE451A6A54D7718944EB12

Uniqueness

Uniqueness Score: -1.00%

Function 6CB61526 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB6152D

Part of subcall function 6CBA6739: __EH_prolog3.LIBCMT ref: 6CBA6740

Part of subcall function 6CBA7761: SetRectEmpty.USER32(?), ref: 6CBA7791

SetRectEmpty.USER32(?), ref: 6CB61675
SetRectEmpty.USER32(?), ref: 6CB61684
SetRectEmpty.USER32(?), ref: 6CB6168D

Strings

True, xrefs: 6CB61698
False, xrefs: 6CB616E4

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: EmptyRect$H_prolog3
String ID: False$True
API String ID: 3752103406-1895882422
Opcode ID: 4951a037c30ad94b366ce5110a81cd7481e6e6e957e5c17b98f9e90677161911
Instruction ID: a024f758bf6acf6673cf85d41da27a7152bebdb38f356bcfbb7d1480456dd543
Opcode Fuzzy Hash: 4951a037c30ad94b366ce5110a81cd7481e6e6e957e5c17b98f9e90677161911
Instruction Fuzzy Hash: 0A51AEB0805B808FC362DF7AC5847DAFBE8BF65304F50895ED0AE96660DBB02644DB55

Uniqueness

Uniqueness Score: -1.00%

Function 6CB72242 Relevance: 10.6, APIs: 7, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 6CB721AF: _malloc.LIBCMT ref: 6CB721C2

_free.LIBCMT ref: 6CB7226B
_memset.LIBCMT ref: 6CB72284
_memset.LIBCMT ref: 6CB722BE
_memcpy_s.LIBCMT ref: 6CB722D8
CreateDIBSection.GDI32(00000000,00000000,00000000,00000008,00000000,00000000), ref: 6CB722F1
_free.LIBCMT ref: 6CB72303
_free.LIBCMT ref: 6CB72336

Part of subcall function 6CC335B4: HeapFree.KERNEL32(00000000,00000000,?,6CC394F3,00000000,?,6CB44655,?,00000000,?,6CB439CF,0000001C,?,6CB421C5,C43828F3), ref: 6CC335CA
Part of subcall function 6CC335B4: GetLastError.KERNEL32(00000000,?,6CC394F3,00000000,?,6CB44655,?,00000000,?,6CB439CF,0000001C,?,6CB421C5,C43828F3), ref: 6CC335DC

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: _free$_memset$CreateErrorFreeHeapLastSection_malloc_memcpy_s
String ID:
API String ID: 2204576675-0
Opcode ID: 464ddb47256fa09132974e57293fdae9be99cfa653368278e2cabfc50dd9d49a
Instruction ID: 533147ef6b69cf1a579f8d31ce81efdc477ee786d102ab50bb050e65a914bbf2
Opcode Fuzzy Hash: 464ddb47256fa09132974e57293fdae9be99cfa653368278e2cabfc50dd9d49a
Instruction Fuzzy Hash: 1931FE72A44251EFEB348F25DC08A9B77A8EF01368F164529EC55E7B40E770EE0487B2

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4C692 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CB4C72B
SendMessageW.USER32(00000000,00000433,00000000,?), ref: 6CB4C754
GetWindowLongW.USER32(?,000000FC), ref: 6CB4C766
GetWindowLongW.USER32(?,000000FC), ref: 6CB4C777
SetWindowLongW.USER32(?,000000FC,?), ref: 6CB4C793

Strings

,, xrefs: 6CB4C74A

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: LongWindow$MessageSend_memset
String ID: ,
API String ID: 2997958587-3772416878
Opcode ID: 73e0b78592557a1f59ac5d01aebf1b7d43e1c1579d47514cf490b6e8a8bf3644
Instruction ID: 4c06b28be3445b791d42b6cd05bcde6f85d51c1c0aac2a09e536e27aed56d66d
Opcode Fuzzy Hash: 73e0b78592557a1f59ac5d01aebf1b7d43e1c1579d47514cf490b6e8a8bf3644
Instruction Fuzzy Hash: D2419F70605740AFDB00EF75D884A9EB7F5FF48718F108669E45697A91DB30E808EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB32BB Relevance: 10.6, APIs: 7, Instructions: 110windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 6CBB32EE

Part of subcall function 6CBC0119: RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 6CBC0190

IsWindowVisible.USER32(?), ref: 6CBB3318
IsWindowVisible.USER32(?), ref: 6CBB335C
RedrawWindow.USER32(?,00000000,00000000,00000585), ref: 6CBB337E
RedrawWindow.USER32(?,00000000,00000000,00000501), ref: 6CBB3390
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 6CBB33B2
RedrawWindow.USER32(?,?,00000000,00000541), ref: 6CBB33E3

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$Redraw$Visible
String ID:
API String ID: 1637130220-0
Opcode ID: 915b54e85aae3efd96aa9c6589e8c10a2c7a9866a012d991f89e8aa3720f64d1
Instruction ID: 263c55c277c3543843efe4693e3d3def8c28f286086d7116a637d0725cb9028d
Opcode Fuzzy Hash: 915b54e85aae3efd96aa9c6589e8c10a2c7a9866a012d991f89e8aa3720f64d1
Instruction Fuzzy Hash: 5D418AB160028ADFEB109FA5C985ABFBBB9FF04348F20057DE55AA7620DF31D9408B51

Uniqueness

Uniqueness Score: -1.00%

Function 6CC318D1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB463B4: __EH_prolog3_catch.LIBCMT ref: 6CB463BB

GetUserDefaultUILanguage.KERNEL32(00000000,00000005,6CC318B2,00000000,?,?,6CC18257,00000000,?,6CC185F2,00000000,0000001C,6CC18385,00000000,6CC185F2), ref: 6CC31919
FindResourceExW.KERNEL32(00000000,00000005,?,0000FC11,?,?,6CC18257,00000000,?,6CC185F2,00000000,0000001C,6CC18385,00000000,6CC185F2), ref: 6CC31957
FindResourceW.KERNEL32(00000000,?,00000005,?,?,6CC18257,00000000,?,6CC185F2,00000000,0000001C,6CC18385,00000000,6CC185F2), ref: 6CC31970
LoadResource.KERNEL32(00000000,00000000,?,?,6CC18257,00000000,?,6CC185F2,00000000,0000001C,6CC18385,00000000,6CC185F2), ref: 6CC3197E
GlobalAlloc.KERNEL32(00000040,00000000,00000005,6CC318B2,00000000,?,?,6CC18257,00000000,?,6CC185F2,00000000,0000001C,6CC18385,00000000,6CC185F2), ref: 6CC319AE

Part of subcall function 6CB452C6: __CxxThrowException@8.LIBCMT ref: 6CB452DC
Part of subcall function 6CB452C6: __EH_prolog3.LIBCMT ref: 6CB452E9

Strings

MS UI Gothic, xrefs: 6CC31933

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Resource$Find$AllocDefaultException@8GlobalH_prolog3H_prolog3_catchLanguageLoadThrowUser
String ID: MS UI Gothic
API String ID: 2010067809-1905310704
Opcode ID: b4b5c456d4f18915703a315f156cfeb5d924c4eac394c8d1f63b679700247757
Instruction ID: 34291c01e187edf96449f65b1bfa4d1c346a8040128bd6c065450ff430ba7ce8
Opcode Fuzzy Hash: b4b5c456d4f18915703a315f156cfeb5d924c4eac394c8d1f63b679700247757
Instruction Fuzzy Hash: DE31E375600211AFEB009F69DC49DAA77B9EF41318B04C028FC49DBB90EB30DD85EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CC49740 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

PMDtoOffset.LIBCMT ref: 6CC49814
std::bad_exception::bad_exception.LIBCMT ref: 6CC4983E
__CxxThrowException@8.LIBCMT ref: 6CC4984C

Strings

Bad dynamic_cast!, xrefs: 6CC49836

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Exception@8OffsetThrowstd::bad_exception::bad_exception
String ID: Bad dynamic_cast!
API String ID: 1176828985-2956939130
Opcode ID: 5da6b96699b10bfa5e2ddae97e8a250c58502d996b11532b573db6bf1d3c6f29
Instruction ID: f5871fa4725403f17eb5c6a13a3b7328ed3e907811606111dc741659ac07045a
Opcode Fuzzy Hash: 5da6b96699b10bfa5e2ddae97e8a250c58502d996b11532b573db6bf1d3c6f29
Instruction Fuzzy Hash: B7319E76A042259FCB04CF68DA84ADEBBB8BF09325F14C559E805E7B40F734E901CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB72A5D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB72109: IsIconic.USER32(?), ref: 6CB72129

GetWindowRect.USER32(?,?), ref: 6CB72AD5

Part of subcall function 6CB50F4E: ScreenToClient.USER32(?,?), ref: 6CB50F5F
Part of subcall function 6CB50F4E: ScreenToClient.USER32(?,?), ref: 6CB50F6C

Part of subcall function 6CB726CD: __EH_prolog3_GS.LIBCMT ref: 6CB726D7
Part of subcall function 6CB726CD: GetWindowRect.USER32(?,?), ref: 6CB72726
Part of subcall function 6CB726CD: OffsetRect.USER32(?,?,?), ref: 6CB7273C
Part of subcall function 6CB726CD: CreateCompatibleDC.GDI32(?), ref: 6CB727AD
Part of subcall function 6CB726CD: SelectObject.GDI32(?,?), ref: 6CB727CD

GetModuleHandleW.KERNEL32(DWMAPI), ref: 6CB72B0D
GetProcAddress.KERNEL32(00000000,DwmSetIconicLivePreviewBitmap), ref: 6CB72B1D
DeleteObject.GDI32(00000000), ref: 6CB72B34

Strings

DWMAPI, xrefs: 6CB72B08
DwmSetIconicLivePreviewBitmap, xrefs: 6CB72B17

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$ClientObjectScreenWindow$AddressCompatibleCreateDeleteH_prolog3_HandleIconicModuleOffsetProcSelect
String ID: DWMAPI$DwmSetIconicLivePreviewBitmap
API String ID: 3205686482-239049650
Opcode ID: e41c6e6adf7cac9a9a1e52880a605b567c8dddb8932a92ea05cae03a8e476d47
Instruction ID: edf7ce5804001abff329b5dbfb9819b09a2475a72f0176ebde07964d262118d7
Opcode Fuzzy Hash: e41c6e6adf7cac9a9a1e52880a605b567c8dddb8932a92ea05cae03a8e476d47
Instruction Fuzzy Hash: FD319171A0060ADFCB04DFA9C988CBFBBF9FF88304B204519E516E3610DB709A04CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB919D9 Relevance: 10.6, APIs: 7, Instructions: 82COMMON

Download Yara Rule

APIs

LockWindowUpdate.USER32(00000000,00000000,?,?,?,6CC04ECA,00000000), ref: 6CB91A1A
ValidateRect.USER32(?,00000000,?,?,6CC04ECA,00000000), ref: 6CB91A4F
UpdateWindow.USER32(?), ref: 6CB91A54
LockWindowUpdate.USER32(00000000,?,6CC04ECA,00000000), ref: 6CB91A67
ValidateRect.USER32(?,00000000,?,?,6CC04ECA,00000000), ref: 6CB91A8E
UpdateWindow.USER32(?), ref: 6CB91A93
LockWindowUpdate.USER32(00000000,?,6CC04ECA,00000000), ref: 6CB91AA6

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: UpdateWindow$Lock$RectValidate
String ID:
API String ID: 797752328-0
Opcode ID: 9fa246bd464d56d459516e27e497835dd63993a15e63ea97b807f1bc26d18f48
Instruction ID: 41c7849013385dbf5e65227745065307290da612c4a029dcbef4c92c345e1a47
Opcode Fuzzy Hash: 9fa246bd464d56d459516e27e497835dd63993a15e63ea97b807f1bc26d18f48
Instruction Fuzzy Hash: 6F219E33601681EFDB018F94C884B58F7B9FF46354F2A8139E46967A60D730EC90EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB2D08 Relevance: 10.6, APIs: 7, Instructions: 80windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 6CBB2D20
SendMessageW.USER32(?,0000020A,?,?), ref: 6CBB2D52
GetFocus.USER32 ref: 6CBB2D66
IsChild.USER32(?,?), ref: 6CBB2D88
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6CBB2DB9
IsWindowVisible.USER32(?), ref: 6CBB2DCE
SendMessageW.USER32(?,0000020A,?,?), ref: 6CBB2DEC

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSend$Window$ChildFocusVisible
String ID:
API String ID: 1252167185-0
Opcode ID: f61220e151f8bb580bee1eaf4914e8141f7981debde890b788ae37c6c906cf9b
Instruction ID: 994d8c4aace5d80b4f219f66ebf3e2082e43487c0f56b7e7f13c4adbd1925ff7
Opcode Fuzzy Hash: f61220e151f8bb580bee1eaf4914e8141f7981debde890b788ae37c6c906cf9b
Instruction Fuzzy Hash: B4218D323102669FEB108F65C94CF6A3BB9FF09714F114264E959ABA60DF70E810DB42

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6D49A Relevance: 10.6, APIs: 7, Instructions: 80windowthreadCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000,00000000), ref: 6CB6D4BA
GetParent.USER32(?), ref: 6CB6D4C8
GetWindowThreadProcessId.USER32(?,?), ref: 6CB6D4E3
GetCurrentProcessId.KERNEL32 ref: 6CB6D4E9
GetActiveWindow.USER32 ref: 6CB6D53C
SendMessageW.USER32(?,00000006,00000001,00000000), ref: 6CB6D550
SendMessageW.USER32(?,00000086,00000001,00000000), ref: 6CB6D564

Part of subcall function 6CB50104: EnableWindow.USER32(?,?), ref: 6CB50115

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$MessageProcessSend$ActiveCurrentEnableFocusParentThread
String ID:
API String ID: 2169720751-0
Opcode ID: 80c5020057cfe4bdcdd0ac103cc87b76f64c7ad9faea3bf83fe53a0f5ab4554e
Instruction ID: 79b4c1fbd8726958d33c6d65742e31c0f3e2e917c25d6a800aa2047f6ad28b64
Opcode Fuzzy Hash: 80c5020057cfe4bdcdd0ac103cc87b76f64c7ad9faea3bf83fe53a0f5ab4554e
Instruction Fuzzy Hash: A221F171250780ABCB229F3AD8C8B9E7BF1FF40758F304218F48697DA0C770A8809B91

Uniqueness

Uniqueness Score: -1.00%

Function 6CBE3A9E Relevance: 10.6, APIs: 7, Instructions: 78COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CBE3AA5

Part of subcall function 6CBE39EC: __EH_prolog3.LIBCMT ref: 6CBE39F3
Part of subcall function 6CBE39EC: GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 6CBE3A4B
Part of subcall function 6CBE39EC: GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 6CBE3A5D

CopyRect.USER32(?,?), ref: 6CBE3AD3
GetCursorPos.USER32(?), ref: 6CBE3AE5
SetRect.USER32(?,?,?,?,?), ref: 6CBE3AFB
IsRectEmpty.USER32(?), ref: 6CBE3B16
InflateRect.USER32(?,00000002,00000002), ref: 6CBE3B28
DoDragDrop.OLE32(00000000,00000000,?,00000000), ref: 6CBE3B7F

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Profile$CopyCursorDragDropEmptyH_prolog3H_prolog3_Inflate
String ID:
API String ID: 1837043813-0
Opcode ID: e5c4be25466b62c0988b9434e0a17cff1f0f972614e30a4124ffaba48d247eef
Instruction ID: 081de1fa6dbbf16d1d0b8b603e90a4a0680fed7c09ca332b8fcbcc93955bc6f1
Opcode Fuzzy Hash: e5c4be25466b62c0988b9434e0a17cff1f0f972614e30a4124ffaba48d247eef
Instruction Fuzzy Hash: C0219E31A00294AFCF01DFE0C8889EEBBB5FF49B44B408418E412FBA54DB30A845DF10

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4A4AE Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6CB4A4D0
GetWindowRect.USER32(?,?), ref: 6CB4A4F4
ScreenToClient.USER32(?,?), ref: 6CB4A507
ScreenToClient.USER32(?,?), ref: 6CB4A510
EqualRect.USER32(?,?), ref: 6CB4A517
DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 6CB4A541
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 6CB4A54B

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$ClientRectScreen$DeferEqualParent
String ID:
API String ID: 443303494-0
Opcode ID: 16a2725cfcffb580161657ba99968d6d97694eed12ae16cf01c1a68fd88ce8de
Instruction ID: 35e421636658b8086482c5b976df00bce0237ea65ec96d468d8f3ff5c69057ab
Opcode Fuzzy Hash: 16a2725cfcffb580161657ba99968d6d97694eed12ae16cf01c1a68fd88ce8de
Instruction Fuzzy Hash: 4421E275A01209AFDB00DFA9CD84DAFBBB9FF49304B50842AE915E3244DB30EA50DF61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB505E0 Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

APIs

RealChildWindowFromPoint.USER32(?,?,?), ref: 6CB50605
ClientToScreen.USER32(?,?), ref: 6CB50624
GetWindow.USER32(?,00000005), ref: 6CB50687

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$ChildClientFromPointRealScreen
String ID:
API String ID: 2518355518-0
Opcode ID: 215c99ad25a067cad225765e70490459200a23de89688eb0050c58e9a294f006
Instruction ID: 2d71b4ca211b4fa74d9baa5dc76b14a94dea47f25c595f0d49e1f41a0b999f87
Opcode Fuzzy Hash: 215c99ad25a067cad225765e70490459200a23de89688eb0050c58e9a294f006
Instruction Fuzzy Hash: BF219D71A1125AAFDF00CFA8DC08BEEB7B8EF4A319F514119E401F2280CB34DA51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB96B0C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,00000000), ref: 6CB96B32

Part of subcall function 6CB503E5: DeleteObject.GDI32(00000000), ref: 6CB503FE

SelectObject.GDI32(?,00000000), ref: 6CB96B48
DeleteObject.GDI32(00000000), ref: 6CB96BB3
DeleteDC.GDI32(00000000), ref: 6CB96BC2
LeaveCriticalSection.KERNEL32(6CCA2208), ref: 6CB96BDB

Strings

, xrefs: 6CB96B63

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Object$Delete$Select$CriticalLeaveSection
String ID:
API String ID: 3849354926-3916222277
Opcode ID: ec37fac0e41000221498e105840e8c3e30837df758eaea2e802754d4644dd536
Instruction ID: 3698009256ccea82776a58f367f9b3c8d321e987ae9be584ee70bcfda74bed31
Opcode Fuzzy Hash: ec37fac0e41000221498e105840e8c3e30837df758eaea2e802754d4644dd536
Instruction Fuzzy Hash: 8421AC31A00204DFCF01DFA9CC8488E7BB5FF86328B548266E918DB226D770D956DF90

Uniqueness

Uniqueness Score: -1.00%

Function 6CB41C00 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CB41C18

Part of subcall function 6CC4936E: std::exception::exception.LIBCMT ref: 6CC49383
Part of subcall function 6CC4936E: __CxxThrowException@8.LIBCMT ref: 6CC49398
Part of subcall function 6CC4936E: std::exception::exception.LIBCMT ref: 6CC493A9

std::_Xinvalid_argument.LIBCPMT ref: 6CB41C36
_memmove.LIBCMT ref: 6CB41C7A

Strings

invalid string position, xrefs: 6CB41C13
string too long, xrefs: 6CB41C31
relay.dll, xrefs: 6CB41C06

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$relay.dll$string too long
API String ID: 3404309857-3591289031
Opcode ID: 2ec4ad94a7ffe2f1f451f1ace44191f41cfd7702e5805ad132c40669aab5b9a9
Instruction ID: 5c7f0fd0a0ded251551a43d85cb96eb02a6ea3ff6af0a61b5c96ae36476a35a1
Opcode Fuzzy Hash: 2ec4ad94a7ffe2f1f451f1ace44191f41cfd7702e5805ad132c40669aab5b9a9
Instruction Fuzzy Hash: 1611E431B092119F8714DF6CE9C085873BAFF843147148629E416DFB46EB30E968C792

Uniqueness

Uniqueness Score: -1.00%

Function 6CC31821 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CC31843
_wcslen.LIBCMT ref: 6CC31849
GetDC.USER32(00000000), ref: 6CC31878
EnumFontFamiliesExW.GDI32(00000000,?,6CC317DF,?,00000000,?,?,?,?,?,?,000003EE,?), ref: 6CC31893
ReleaseDC.USER32(00000000,00000000), ref: 6CC3189B

Part of subcall function 6CB452C6: __CxxThrowException@8.LIBCMT ref: 6CB452DC
Part of subcall function 6CB452C6: __EH_prolog3.LIBCMT ref: 6CB452E9

Strings

MS UI Gothic, xrefs: 6CC31848, 6CC3185B

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: EnumException@8FamiliesFontH_prolog3ReleaseThrow_memset_wcslen
String ID: MS UI Gothic
API String ID: 2708522728-1905310704
Opcode ID: 981fb45e2f9360f8a5dc5c39097f496a1d1510d4a2619a6e13846901ecd1ac70
Instruction ID: c58faf87b108e7892185f04ae763fa9a2ec068e442aa0a1a7bc4f36fc27a12cd
Opcode Fuzzy Hash: 981fb45e2f9360f8a5dc5c39097f496a1d1510d4a2619a6e13846901ecd1ac70
Instruction Fuzzy Hash: 0601A572901328AFCB10DBA9ED4CDEF7ABDEB4A754B100015F809E7600EB249A05C6A6

Uniqueness

Uniqueness Score: -1.00%

Function 6CC393D5 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6CC94650,00000008,6CC394DD,00000000,00000000,?,6CB44655,?,00000000,?,6CB439CF,0000001C,?,6CB421C5,C43828F3), ref: 6CC393E6
__lock.LIBCMT ref: 6CC3941A

Part of subcall function 6CC406FE: __mtinitlocknum.LIBCMT ref: 6CC40714
Part of subcall function 6CC406FE: __amsg_exit.LIBCMT ref: 6CC40720
Part of subcall function 6CC406FE: EnterCriticalSection.KERNEL32(?,?,?,6CC3941F,0000000D), ref: 6CC40728

InterlockedIncrement.KERNEL32(6CC9D4F8), ref: 6CC39427
__lock.LIBCMT ref: 6CC3943B
___addlocaleref.LIBCMT ref: 6CC39459

Strings

KERNEL32.DLL, xrefs: 6CC393E1

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: dcf844e5e836b048e01c9c25102997afe2caa99405b7fc5fa91c31c279036de7
Instruction ID: 5b693d60517391ae96cc5a3fc34981516ba33d80e0d39b3154bd68a98bd86658
Opcode Fuzzy Hash: dcf844e5e836b048e01c9c25102997afe2caa99405b7fc5fa91c31c279036de7
Instruction Fuzzy Hash: 48016D71540B00ABD7209F69D505789BBF0BF50328F10994ED8AAA7FA0EFB0A548DF15

Uniqueness

Uniqueness Score: -1.00%

Function 6CB479A0 Relevance: 10.5, APIs: 7, Instructions: 30COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 6CB479AE
GetSysColor.USER32(00000010), ref: 6CB479B5
GetSysColor.USER32(00000014), ref: 6CB479BC
GetSysColor.USER32(00000012), ref: 6CB479C3
GetSysColor.USER32(00000006), ref: 6CB479CA
GetSysColorBrush.USER32(0000000F), ref: 6CB479D7
GetSysColorBrush.USER32(00000006), ref: 6CB479DE

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 6ca5d5aaaf070c9e3eae39016a8e4e681b894fc00a06f326a4036c2c30b1ab83
Instruction ID: 1fdaad94668cb6c8c388aa0614cac34bd14839a3b192fa4a5aed617373792eec
Opcode Fuzzy Hash: 6ca5d5aaaf070c9e3eae39016a8e4e681b894fc00a06f326a4036c2c30b1ab83
Instruction Fuzzy Hash: BCF0FE71A407445BD730BB725D09B47BAE1FFC4710F02092ED2458BA90D6B6E441DF40

Uniqueness

Uniqueness Score: -1.00%

Function 6CB9877E Relevance: 9.5, APIs: 6, Instructions: 469COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB98788
GetObjectW.GDI32(?,00000018,?), ref: 6CB9883B
DeleteObject.GDI32(?), ref: 6CB98907
_memset.LIBCMT ref: 6CB98AF6
_memset.LIBCMT ref: 6CB98B3A
DeleteObject.GDI32(?), ref: 6CB98CF0

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Object$Delete_memset$H_prolog3
String ID:
API String ID: 1235337548-0
Opcode ID: 140d0e268a5a68592050453078ea033d70610a53c7e46b6dfe2278d0d29ad117
Instruction ID: b601f4b03da0da3b29bd6f91fd2c58cd8ecbaa4055652a04a061ae5f1bc2a27e
Opcode Fuzzy Hash: 140d0e268a5a68592050453078ea033d70610a53c7e46b6dfe2278d0d29ad117
Instruction Fuzzy Hash: EB1236B0E00269DFCF15CFA4C980ADDBBB4FF0A704F1081AAE459A7651D7319A95CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6CB7BE59 Relevance: 9.3, APIs: 6, Instructions: 299COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6CB7BED3
GetClientRect.USER32(?,?), ref: 6CB7BEE6
GetWindowRect.USER32(?,?), ref: 6CB7BF34
GetParent.USER32(?), ref: 6CB7BF3D
GetParent.USER32(?), ref: 6CB7C15A
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 6CB7C17E

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Parent$RectWindow$ClientRedraw
String ID:
API String ID: 443302174-0
Opcode ID: 65db9ece9e8e41e91d048f6b04ad07cb16535d527ed54b7f8f1ad032df13afa7
Instruction ID: f8c4d4863f9fe1b2e58502d3327d8f32d472e13173172e0c793c209072b260c1
Opcode Fuzzy Hash: 65db9ece9e8e41e91d048f6b04ad07cb16535d527ed54b7f8f1ad032df13afa7
Instruction Fuzzy Hash: 44B17C31A01659DFCF14DFA8C8889EEBBB5FF49704F244179E825AB654DB309940CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5A008 Relevance: 9.2, APIs: 6, Instructions: 177windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB5A00F
GetClientRect.USER32(?,?), ref: 6CB5A055

Part of subcall function 6CB511B3: __EH_prolog3.LIBCMT ref: 6CB511BA
Part of subcall function 6CB511B3: GetDC.USER32(00000000), ref: 6CB511E6

Part of subcall function 6CB51500: SelectObject.GDI32(?,00000000), ref: 6CB51526
Part of subcall function 6CB51500: SelectObject.GDI32(?,?), ref: 6CB5153C

SendMessageW.USER32(?,00000030,?,00000000), ref: 6CB5A0A6
GetTextMetricsW.GDI32(?,?), ref: 6CB5A0B3
GetParent.USER32(?), ref: 6CB5A198
SendMessageW.USER32(?,00000030,?,00000000), ref: 6CB5A1C3

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageObjectSelectSend$ClientH_prolog3H_prolog3_MetricsParentRectText
String ID:
API String ID: 1207058154-0
Opcode ID: c589163aaf14199c14d72e75f14cb687ad5c3959e646f391a0970a17d671efb3
Instruction ID: 1112b7f24695621c7899d53f49026f994afc7f7407a180f3bc78cd6bf0988ff9
Opcode Fuzzy Hash: c589163aaf14199c14d72e75f14cb687ad5c3959e646f391a0970a17d671efb3
Instruction Fuzzy Hash: 7C51CF32A002559FCF15CFA8C884AEE77B9FF49300F558129ED1ABB654DB31A815CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6CB7A2BC Relevance: 9.2, APIs: 6, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8a2fe79b27b7d53e3aff10dd3dbc0689b08b5139e2cfff407de73eccb68132b
Instruction ID: 04016944425458748def33b37cd86e4c9e91c4510d263e3100e616faf8eeb2ed
Opcode Fuzzy Hash: a8a2fe79b27b7d53e3aff10dd3dbc0689b08b5139e2cfff407de73eccb68132b
Instruction Fuzzy Hash: BE51C131300640AFDB659F64C888FAE77E5EF44314F214569E866DBAA0DB71D914DF20

Uniqueness

Uniqueness Score: -1.00%

Function 6CB7D916 Relevance: 9.2, APIs: 6, Instructions: 155windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 6CB7D98F
SendMessageW.USER32(00000000,0000040C,00000000,00000000), ref: 6CB7D9CE
SendMessageW.USER32(00000000,0000041C,00000000,?), ref: 6CB7D9FD
SetRectEmpty.USER32(?), ref: 6CB7DA57
SendMessageW.USER32(00000000,0000040B,00000000,?), ref: 6CB7DABD
RedrawWindow.USER32(00000000,00000000,00000000,00000505), ref: 6CB7DAE3

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSend$EmptyParentRectRedrawWindow
String ID:
API String ID: 3879113052-0
Opcode ID: 929c74193a8ffc66f2655f7cc559a70403e588d38d6c9a03aac47a4d06fd986a
Instruction ID: f74d58efac5a1434d50312a53d758310ac15bef910f3ffa011eb88a8289cd08b
Opcode Fuzzy Hash: 929c74193a8ffc66f2655f7cc559a70403e588d38d6c9a03aac47a4d06fd986a
Instruction Fuzzy Hash: C8514931A016499FDB20DFB8C884BADBBF5FF48708F20456AE965E7681EB309944CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6965A Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6CB69661
GlobalLock.KERNEL32(?,?,?), ref: 6CB69747
CreateDialogIndirectParamW.USER32(?,?,?,6CB68FDD,00000000), ref: 6CB69776
DestroyWindow.USER32(00000000), ref: 6CB697F0
GlobalUnlock.KERNEL32(?), ref: 6CB69800
GlobalFree.KERNEL32(?), ref: 6CB69809

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Global$CreateDestroyDialogFreeH_prolog3_catchIndirectLockParamUnlockWindow
String ID:
API String ID: 3003189058-0
Opcode ID: f158aa8539250bcba363d856429701e588be6322eadb950946decc79cebb4424
Instruction ID: 76e0401b31c8a7e7362fe833c7259d18ca01e0a79946d9ba010589ca8734ed92
Opcode Fuzzy Hash: f158aa8539250bcba363d856429701e588be6322eadb950946decc79cebb4424
Instruction Fuzzy Hash: B151D031905289EFCF00DFE5C8849EEBBB5EF05318F24452DE412A7A90DB309989DB62

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5E022 Relevance: 9.1, APIs: 6, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6CB5E081
SendMessageW.USER32(?,0000120C,00000000,00000001), ref: 6CB5E0C3
SendMessageW.USER32(?,0000120C,00000001,00000001), ref: 6CB5E0E5
SendMessageW.USER32(?,00000201,00000000,00000000), ref: 6CB5E15F
SendMessageW.USER32(?,00000202,00000000,00000000), ref: 6CB5E177
PtInRect.USER32(?,?,?), ref: 6CB5E193

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSend$Rect$Client
String ID:
API String ID: 4194289498-0
Opcode ID: 3cbdc9a5388bfd0dfa76436b1f6b53f5b502871ca51b2df8df8924f4eef3d996
Instruction ID: ff180f097cfe3fe2e15f2eaadd322eb228e75700076e35e8356d72665792fa78
Opcode Fuzzy Hash: 3cbdc9a5388bfd0dfa76436b1f6b53f5b502871ca51b2df8df8924f4eef3d996
Instruction Fuzzy Hash: 69518B71A00259DFCF01CF68C988EEE7BB9FF49704F1441A9E808AB215CB75E951CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CB66FD0 Relevance: 9.1, APIs: 6, Instructions: 125COMMON

Download Yara Rule

APIs

InflateRect.USER32(?,000000FF,000000FF), ref: 6CB67089
InflateRect.USER32(?,000000FF,000000FF), ref: 6CB670BA
InflateRect.USER32(?,000000FF,000000FF), ref: 6CB670E9
InflateRect.USER32(?,000000FF,000000FF), ref: 6CB6710B

Part of subcall function 6CB5C89B: __EH_prolog3.LIBCMT ref: 6CB5C8A2

InflateRect.USER32(?,000000FE,000000FE), ref: 6CB67118
InflateRect.USER32(?,000000FE,000000FE), ref: 6CB6714B

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: InflateRect$H_prolog3
String ID:
API String ID: 3346915232-0
Opcode ID: f3a136dee7f64445ac57b629e37808a8b3c1e373c9bd833448e6be4d9fd2ba95
Instruction ID: a0c150260b246976de31cc58610d3493ca69364d865b85b06f8f684b8e3c2f01
Opcode Fuzzy Hash: f3a136dee7f64445ac57b629e37808a8b3c1e373c9bd833448e6be4d9fd2ba95
Instruction Fuzzy Hash: AE41CE31605285EBCF028F56CC44A9D37B6EB86374F34436AE8343BAD5CBB18490DB62

Uniqueness

Uniqueness Score: -1.00%

Function 6CB67A7D Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6CB67ADC
PtInRect.USER32(?,?,?), ref: 6CB67AEC
SetCapture.USER32(?), ref: 6CB67B36
ReleaseCapture.USER32 ref: 6CB67B7D
InvalidateRect.USER32(?,00000000,00000001), ref: 6CB67B96
UpdateWindow.USER32(?), ref: 6CB67B9F

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Capture$ClientInvalidateReleaseUpdateWindow
String ID:
API String ID: 4118727484-0
Opcode ID: 5ff8736502581860b2e0c6a92f6e974c1362a5f78563e0a01de57c534d683f62
Instruction ID: ea60bcb359611d8b0d1aa1e5d5cf4d22ff3bc891edb0ed2d41507959f8497095
Opcode Fuzzy Hash: 5ff8736502581860b2e0c6a92f6e974c1362a5f78563e0a01de57c534d683f62
Instruction Fuzzy Hash: 54411971D00B49DFCB119FB6C4946ABBBF4FF85305F64462ED1AAA2A10E7709580CF52

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5EFD0 Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000120B,00000000,00000001), ref: 6CB5F01F
GetClientRect.USER32(?,?), ref: 6CB5F038
GetSystemMetrics.USER32(00000015), ref: 6CB5F063
GetSystemMetrics.USER32(00000015), ref: 6CB5F08B
InvalidateRect.USER32(?,?,00000001), ref: 6CB5F0AB
UpdateWindow.USER32(?), ref: 6CB5F0B4

Part of subcall function 6CB452C6: __CxxThrowException@8.LIBCMT ref: 6CB452DC
Part of subcall function 6CB452C6: __EH_prolog3.LIBCMT ref: 6CB452E9

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MetricsRectSystem$ClientException@8H_prolog3InvalidateMessageSendThrowUpdateWindow
String ID:
API String ID: 1842141341-0
Opcode ID: 849f396f59be28f7a66e965879ce08526bc80571491aa4f3bd237562ace547da
Instruction ID: f7cdd985231b3d604877def10dae7d07951f1dde4dfc42a635d0b0c3e58eae37
Opcode Fuzzy Hash: 849f396f59be28f7a66e965879ce08526bc80571491aa4f3bd237562ace547da
Instruction Fuzzy Hash: 5431CB32A006489FCF01CFB9C84889EFBF9FF88310F15411AE159A7290DB70AA45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB96254 Relevance: 9.1, APIs: 6, Instructions: 82windowCOMMON

Download Yara Rule

APIs

PatBlt.GDI32(00000000,00000000,-00000002,-00000002,00FF0062,00000000), ref: 6CB9627B
SetBkColor.GDI32(00F0F0F0), ref: 6CB9629E
BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00CC0020), ref: 6CB962CC
SetBkColor.GDI32 ref: 6CB962DF
BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00EE0086), ref: 6CB96307
BitBlt.GDI32(00010EB7,00000001,00000001,00000001,00000001,00010EB7,00000000,00000000,008800C6), ref: 6CB9632A

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Color
String ID:
API String ID: 2811717613-0
Opcode ID: bc3eae3f09f5c1eb248975ca2e3403f531a48bc96889f0981f1ca3b3ac19c869
Instruction ID: b975c72efa217a2132b815e732472e93d695b3b22658a725961b025323ab779a
Opcode Fuzzy Hash: bc3eae3f09f5c1eb248975ca2e3403f531a48bc96889f0981f1ca3b3ac19c869
Instruction Fuzzy Hash: CC2130B2300208BFEB249F95DC99D7B7BBDFB4A3587014529F615D3590C6B1AC51EB20

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6445D Relevance: 9.1, APIs: 6, Instructions: 77COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB64464

Part of subcall function 6CB500E9: IsWindowEnabled.USER32(?), ref: 6CB500F2

InvalidateRect.USER32(?,00000000,00000001,0000000C,6CB64579), ref: 6CB64490
UpdateWindow.USER32(?), ref: 6CB64499

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$EnabledH_prolog3InvalidateRectUpdate
String ID:
API String ID: 262192325-0
Opcode ID: df761a146fa05e6bbf3edae498b7b82f95074099f0bdfb624a996fdeeff9f452
Instruction ID: 4dd0d4a9db96a9509955b68abbb4a139b36d06a422f5148d42d510860f778242
Opcode Fuzzy Hash: df761a146fa05e6bbf3edae498b7b82f95074099f0bdfb624a996fdeeff9f452
Instruction Fuzzy Hash: 2A21A371904A84AFCB20DF79C944AEF7BB8FF46314F50461DE05AA7A90DB30A954DF11

Uniqueness

Uniqueness Score: -1.00%

Function 6CB99190 Relevance: 9.1, APIs: 6, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000002,?,?,?,?,?,6CB992D9,00000000,00000000,?,?,6CB9B114,?,?,?,00000084), ref: 6CB991A0
GlobalLock.KERNEL32(00000000,?,6CB992D9,00000000,00000000,?,?,6CB9B114,?,?,?,00000084,6CB9B4E8,0000000A,0000000A,0000000A), ref: 6CB991B8
_memmove.LIBCMT ref: 6CB991C5
CreateStreamOnHGlobal.OLE32(00000000,00000000,00000000,?), ref: 6CB991D4
EnterCriticalSection.KERNEL32(6CCA2208,00000000), ref: 6CB991ED
LeaveCriticalSection.KERNEL32(6CCA2208,00000000), ref: 6CB99254

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Global$CriticalSection$AllocCreateEnterLeaveLockStream_memmove
String ID:
API String ID: 861836607-0
Opcode ID: ec7f0881d97444cfebe29f1261f96605453c7ed92e208a1ef4df5f2b6c075e1c
Instruction ID: c244bf5c5f3cb9bb2ee4abc9e2ebe23b7e23cd6690aa6c92a6ac0d7684790177
Opcode Fuzzy Hash: ec7f0881d97444cfebe29f1261f96605453c7ed92e208a1ef4df5f2b6c075e1c
Instruction Fuzzy Hash: AB218E71B40255AFDF109BA5DC1CA9E77B8EB07368F108165EA09E7A40EB30DE50DB62

Uniqueness

Uniqueness Score: -1.00%

Function 6CB47EBA Relevance: 9.1, APIs: 6, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 6CB47EED
GetParent.USER32(?), ref: 6CB47EFB
GetParent.USER32(?), ref: 6CB47F0E
GetLastActivePopup.USER32(?), ref: 6CB47F1F
IsWindowEnabled.USER32(?), ref: 6CB47F33
EnableWindow.USER32(?,00000000), ref: 6CB47F46

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: e0f35e7b76983e58d6b77ad38b8fc7b7fd395fd98e306afb2cf5137861dc4fe2
Instruction ID: 16558723c38e2f384b5db58b24850da562b3e91803be57b59eb1ef64f4c301f2
Opcode Fuzzy Hash: e0f35e7b76983e58d6b77ad38b8fc7b7fd395fd98e306afb2cf5137861dc4fe2
Instruction Fuzzy Hash: 2D11C43264D6F16BDF12462A8C40B5A62BDDF45B98F21C254EC14F7A08D7A0CC40E2E2

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6B670 Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 6CB6B67C
GetWindow.USER32(00000000), ref: 6CB6B683
GetWindowLongW.USER32(00000000,000000F0), ref: 6CB6B6BF
ShowWindow.USER32(00000000,00000000), ref: 6CB6B6DA
ShowWindow.USER32(00000000,00000004), ref: 6CB6B6FE
GetWindow.USER32(00000000,00000002), ref: 6CB6B707

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$Show$DesktopLong
String ID:
API String ID: 3178490500-0
Opcode ID: 28d26683eca5b09cc8fa52a136d5b5ed8c9b06f39c8c3fee4672ab03156297ba
Instruction ID: 7e0958d4b8856e5c9f6b7ead8a8b928049a60aed38246c3a0a2a343919b45ec1
Opcode Fuzzy Hash: 28d26683eca5b09cc8fa52a136d5b5ed8c9b06f39c8c3fee4672ab03156297ba
Instruction Fuzzy Hash: 0011C4B15047C4ABDB11862ACC89F6FB6B5EBA176CF645219F511A2980CB34C841F721

Uniqueness

Uniqueness Score: -1.00%

Function 6CB67BBD Relevance: 9.1, APIs: 6, Instructions: 56windowtimeCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6CB67BD0

Part of subcall function 6CB5003E: GetDlgCtrlID.USER32(?), ref: 6CB50047

SendMessageW.USER32(?,00000111,?,?), ref: 6CB67BF9
SetCapture.USER32(?,?,?,?,6CB61D41,?,?,?), ref: 6CB67C22
InvalidateRect.USER32(?,00000000,00000001,?,?,?,6CB61D41,?,?,?), ref: 6CB67C3A
UpdateWindow.USER32(?), ref: 6CB67C43
SetTimer.USER32(?,00000001,?,00000000), ref: 6CB67C5A

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CaptureCtrlInvalidateMessageParentRectSendTimerUpdateWindow
String ID:
API String ID: 171814724-0
Opcode ID: e7213bdac710358dcec9b26694a9968b29038b2b28a139337ddab3f83fb57612
Instruction ID: aa3c4f2db8c631d3913028604160f792730d293c3421c1bf5ea692b9ec2b20bf
Opcode Fuzzy Hash: e7213bdac710358dcec9b26694a9968b29038b2b28a139337ddab3f83fb57612
Instruction Fuzzy Hash: AD118F32210B40AFDB215B35CC48F9BBBF9FB85709F404519E18AA2A60DB71A895EB10

Uniqueness

Uniqueness Score: -1.00%

Function 6CB50548 Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 6CB50564
GetDlgCtrlID.USER32(00000000), ref: 6CB50575
GetWindowLongW.USER32(00000000,000000F0), ref: 6CB50585
GetWindowRect.USER32(00000000,00000000), ref: 6CB505A7
PtInRect.USER32(00000000,00000000,00000000), ref: 6CB505B7
GetWindow.USER32(?,00000005), ref: 6CB505C4

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: b568e806969d071f0ab491a881d78b23482d02045a73e62fa32fe9069c6b47e8
Instruction ID: d23449c5a2de55d9e1ff8d7bd6a0f38e9c4d3a5b0bf5ffcfe1853b97ba4bfb15
Opcode Fuzzy Hash: b568e806969d071f0ab491a881d78b23482d02045a73e62fa32fe9069c6b47e8
Instruction Fuzzy Hash: 1811C132A11559AFDF019F54EC48BEE77B8FF06329F908114E800B2180CB74CB218B91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB506A2 Relevance: 9.1, APIs: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 6CB506A8
GetParent.USER32(00000000), ref: 6CB506D0

Part of subcall function 6CB50495: GetWindowLongW.USER32(?,000000F0), ref: 6CB504B6
Part of subcall function 6CB50495: GetClassNameW.USER32(?,?,0000000A), ref: 6CB504CB
Part of subcall function 6CB50495: CompareStringW.KERNEL32(00000409,00000001,?,000000FF,combobox,000000FF,?,6CB4B1F4,?,?), ref: 6CB504E5

GetWindowLongW.USER32(?,000000F0), ref: 6CB506EB
GetParent.USER32(?), ref: 6CB506F9
GetDesktopWindow.USER32 ref: 6CB506FD
SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 6CB50711

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$LongParent$ClassCompareDesktopFocusMessageNameSendString
String ID:
API String ID: 1233893325-0
Opcode ID: 46dae511adc58beeb5251b78cf601dbf00c3277b8727dc30369808eb7531d30f
Instruction ID: 781fcb1a5160a52d79d04e6a7ba02fa838b0aee25df20180d499f396cceb91f6
Opcode Fuzzy Hash: 46dae511adc58beeb5251b78cf601dbf00c3277b8727dc30369808eb7531d30f
Instruction Fuzzy Hash: 8E01D6323003C56BEB021E35BCC8F7E3ABDDB95AACFA04125F911B75C08F20C8619A61

Uniqueness

Uniqueness Score: -1.00%

Function 6CC3C034 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6CC3C040

Part of subcall function 6CC39502: __getptd_noexit.LIBCMT ref: 6CC39505
Part of subcall function 6CC39502: __amsg_exit.LIBCMT ref: 6CC39512

__amsg_exit.LIBCMT ref: 6CC3C060
__lock.LIBCMT ref: 6CC3C070
InterlockedDecrement.KERNEL32(?), ref: 6CC3C08D
_free.LIBCMT ref: 6CC3C0A0
InterlockedIncrement.KERNEL32(04791668), ref: 6CC3C0B8

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: ce88127452c345feb8e1e7cd39c5678c08a96621a22cdc81b1d2e4a17abad642
Instruction ID: 39ae20a7c040889a5cd3ba36874d614a312de81e8441cf9d6dc7d2420c21564d
Opcode Fuzzy Hash: ce88127452c345feb8e1e7cd39c5678c08a96621a22cdc81b1d2e4a17abad642
Instruction Fuzzy Hash: E901C431A02A709BCB11AF64A40078D7770BF05B28F116205E829B7F80EB38A596DBD5

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4FAD4 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 243COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CB4FB04

Strings

@, xrefs: 6CB4FC10
AfxFrameOrView100su, xrefs: 6CB4FBCA
@, xrefs: 6CB4FCA9
AfxMDIFrame100su, xrefs: 6CB4FBA5

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView100su$AfxMDIFrame100su
API String ID: 2102423945-2639805938
Opcode ID: d7bf3c46164c56cbefb56128810b3083dc0983048f388f0c5ab342ae83a24235
Instruction ID: b1e25acdfc15161760c90e44d80dea1cc429136ba4d40fb1ce3886c501785b72
Opcode Fuzzy Hash: d7bf3c46164c56cbefb56128810b3083dc0983048f388f0c5ab342ae83a24235
Instruction Fuzzy Hash: 9D913072C05259AADB40CFE4D590BDEBBF8EF04388F20C065EE18E7684E7749649D791

Uniqueness

Uniqueness Score: -1.00%

Function 6CB677B4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,00000018,?), ref: 6CB67867
DeleteObject.GDI32(?), ref: 6CB67926
DeleteObject.GDI32(?), ref: 6CB6792B
DeleteObject.GDI32(?), ref: 6CB67935

Strings

, xrefs: 6CB6788C

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Object$Delete
String ID:
API String ID: 774837909-3916222277
Opcode ID: 8d95a9ed01d12545a732519a9c2aea35e9e249b90ed4ff8dd9c038cf74b44380
Instruction ID: 273bb4e52c76f1a5e8adcb824a24898fd67522c8b6b2308048b3cea33c91de7a
Opcode Fuzzy Hash: 8d95a9ed01d12545a732519a9c2aea35e9e249b90ed4ff8dd9c038cf74b44380
Instruction Fuzzy Hash: 52514D31901689DBCB11DFA7C88059E77F1FB8431AF20456AE425B3F40D7B09E95DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CBAF9B5 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110stringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?,75FD5E50,System,0000000A,6CBAFB6C,System,?,?,00000000), ref: 6CBAF9D1
lstrlenW.KERNEL32(?), ref: 6CBAFA1B
_wcslen.LIBCMT ref: 6CBAFA45

Strings

System, xrefs: 6CBAF9CD

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: GlobalLock_wcslenlstrlen
String ID: System
API String ID: 2647411976-3470857405
Opcode ID: 40dde319559e9aff13af18cdd5643502abf8254793ff692f8b056de5bc840fd2
Instruction ID: 37019a4e905b135e5214571fbb82e574dd6f25168ed58cb08b13f8b33fe932c5
Opcode Fuzzy Hash: 40dde319559e9aff13af18cdd5643502abf8254793ff692f8b056de5bc840fd2
Instruction Fuzzy Hash: 5941F57190411AEFDF04CFA8C885AEEB7B5FF04304F10C66AD816E7A45E7349A96CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6CB499FB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 6CB49A13
_memset.LIBCMT ref: 6CB49A8B
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 6CB49AED
LoadBitmapW.USER32(00000000,00007FE3), ref: 6CB49B05

Strings

, xrefs: 6CB49A6C

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: 8b59a0d3e6141d4abc4e3ca7043d27cd6f0a58b90baabf369bb5934026356ec2
Instruction ID: e151cea8ba869a6fa655bd40c92dacc3a4ffded22b889fe0d13f8a650fb939de
Opcode Fuzzy Hash: 8b59a0d3e6141d4abc4e3ca7043d27cd6f0a58b90baabf369bb5934026356ec2
Instruction Fuzzy Hash: 01313871F002659FEF10CF68DD84B997BB8FB45304F4180AAE549E7281DF3199889F50

Uniqueness

Uniqueness Score: -1.00%

Function 6CB69178 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

Edit, xrefs: 6CB691D2

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: 9ddf2f3c100d9b0af247d28ed070c14ec0c48e3136dcc7186f827a93842819bd
Instruction ID: 0bc0f28e01f9c99cafd077bf41cd7d632b2dd28b051bd6df2b540cb270606a05
Opcode Fuzzy Hash: 9ddf2f3c100d9b0af247d28ed070c14ec0c48e3136dcc7186f827a93842819bd
Instruction Fuzzy Hash: 1B11E530B942817BEB211B27DC08B5AB7B9FF42768F604424E615E2DE1CF61D860D661

Uniqueness

Uniqueness Score: -1.00%

Function 6CB729D5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(DWMAPI), ref: 6CB729FF
GetProcAddress.KERNEL32(00000000,DwmSetIconicThumbnail), ref: 6CB72A0F
DeleteObject.GDI32(00000000), ref: 6CB72A49

Strings

DwmSetIconicThumbnail, xrefs: 6CB72A09
DWMAPI, xrefs: 6CB729F4

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AddressDeleteHandleModuleObjectProc
String ID: DWMAPI$DwmSetIconicThumbnail
API String ID: 3128169092-3761315311
Opcode ID: 8fd072aee56a171e3676b607290f4fae76af89d8f9748ea1d6e72ffc7163271a
Instruction ID: b564120ee640175656090b353abb8faf058e6d2e1ff79f0bc8064e0177f47bf3
Opcode Fuzzy Hash: 8fd072aee56a171e3676b607290f4fae76af89d8f9748ea1d6e72ffc7163271a
Instruction Fuzzy Hash: 3A01AD31600245BBDB10AB7A8C88A9E7BBCEF49714F008125FD21D7640DB74D950DB71

Uniqueness

Uniqueness Score: -1.00%

Function 6CB51FDA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46libraryfileloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6CB51FEE
GetProcAddress.KERNEL32(00000000,CreateFileTransactedW), ref: 6CB51FFE
CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 6CB5203D

Strings

CreateFileTransactedW, xrefs: 6CB51FF8
kernel32.dll, xrefs: 6CB51FE9

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AddressCreateFileHandleModuleProc
String ID: CreateFileTransactedW$kernel32.dll
API String ID: 2580138172-2053874626
Opcode ID: 364679029767e87411998dca3a97929511ce17a9e982cf372ab7e19179729fe6
Instruction ID: 8078be83f16f11b4d64b716f589128cf2f55786a7d6f857a4893093559039867
Opcode Fuzzy Hash: 364679029767e87411998dca3a97929511ce17a9e982cf372ab7e19179729fe6
Instruction Fuzzy Hash: B901D63210254ABB8F221F95CC0CC9B3F7AEF99760BA48919FA6450420D776C4B1EB92

Uniqueness

Uniqueness Score: -1.00%

Function 6CB51D3F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 6CB51D68
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 6CB51D78

Part of subcall function 6CB47C14: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 6CB47C28
Part of subcall function 6CB47C14: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 6CB47C38

Strings

Advapi32.dll, xrefs: 6CB51D63
RegDeleteKeyExW, xrefs: 6CB51D72

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyExW
API String ID: 1646373207-2191092095
Opcode ID: 493f8d0c8493798d1af3d2c4cf8f50e208d1215374d5602115a6968f473909c3
Instruction ID: aec2c51ff0bfcb510d6bdbd888de89bb094c79157056177db9fa98dcdea3b214
Opcode Fuzzy Hash: 493f8d0c8493798d1af3d2c4cf8f50e208d1215374d5602115a6968f473909c3
Instruction Fuzzy Hash: 06F0D135200194FBEF104F96D808F893FF5EB06380F984418F54692860CB32C0B0EB94

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB7471 Relevance: 7.9, APIs: 5, Instructions: 369windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CBB7478
GetWindow.USER32(?,00000005), ref: 6CBB7498
GetWindow.USER32(?,00000002), ref: 6CBB74CE
IsWindowVisible.USER32(?), ref: 6CBB75B2
GetWindow.USER32(?,00000002), ref: 6CBB7842

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$H_prolog3Visible
String ID:
API String ID: 3969123015-0
Opcode ID: 4e9b3b57a07366beff65eb71cfe17f30a4ac6b4d8a6be6d646a51b4e2f100bbc
Instruction ID: abeb3de5abe7422c0824a1a40bd4dddaecf072d17bf5cd39285574ef8925fd77
Opcode Fuzzy Hash: 4e9b3b57a07366beff65eb71cfe17f30a4ac6b4d8a6be6d646a51b4e2f100bbc
Instruction Fuzzy Hash: E6D18E30A002469FDB05DFA9C888AFE77B5FF48309F144569E856BBB90DF709944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB7A5DE Relevance: 7.8, APIs: 5, Instructions: 338COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6CB7A606
SetRectEmpty.USER32(?), ref: 6CB7A67E
GetClientRect.USER32(?,?), ref: 6CB7A87E
GetClientRect.USER32(?,?), ref: 6CB7A8A6
SetRectEmpty.USER32(?), ref: 6CB7A935

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Empty$Client
String ID:
API String ID: 1457177775-0
Opcode ID: a14a3c6ef2c417044223b1ef75ee73133954e6a62fd2988f6ebd169c8369b529
Instruction ID: e6a21d591473e292b7c9c88999a55bdb6a19c691b6f51518f8ab3430b270d52b
Opcode Fuzzy Hash: a14a3c6ef2c417044223b1ef75ee73133954e6a62fd2988f6ebd169c8369b529
Instruction Fuzzy Hash: 87D15830E0064ACFCF55CFA8C5805AEBBB2FF49314F248159E825AB640D775EA42CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB609D Relevance: 7.7, APIs: 5, Instructions: 227windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CBB60A4
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6CBB60EB
GetWindow.USER32(00000000,00000005), ref: 6CBB6112
GetWindow.USER32(?,00000002), ref: 6CBB613D
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6CBB616C

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSendWindow$H_prolog3
String ID:
API String ID: 1382076901-0
Opcode ID: b870b889aed8a0a98e8baa3499974a9bbfba9246c619c019548dcfcb5bf33c95
Instruction ID: 3e72aaf00bc88b5325e73c1f9947391dc966c107488d30b01e7461c8cfb91528
Opcode Fuzzy Hash: b870b889aed8a0a98e8baa3499974a9bbfba9246c619c019548dcfcb5bf33c95
Instruction Fuzzy Hash: 1571F531646A959FDB098B64C888AFD77B0EF05728F248169E808EBB51DF30DD44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CBD96DE Relevance: 7.7, APIs: 5, Instructions: 168COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 6CBD9758
EqualRect.USER32(?,?), ref: 6CBD9783
BeginDeferWindowPos.USER32(?), ref: 6CBD9790
EndDeferWindowPos.USER32(?), ref: 6CBD97B5

Part of subcall function 6CBD475F: GetWindowRect.USER32(?,?), ref: 6CBD4775
Part of subcall function 6CBD475F: GetParent.USER32(?), ref: 6CBD47B7
Part of subcall function 6CBD475F: GetParent.USER32(?), ref: 6CBD47C7

Part of subcall function 6CB452C6: __CxxThrowException@8.LIBCMT ref: 6CB452DC
Part of subcall function 6CB452C6: __EH_prolog3.LIBCMT ref: 6CB452E9

GetWindowRect.USER32(?,?), ref: 6CBD986A

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$Rect$DeferParent$BeginEqualException@8H_prolog3Throw
String ID:
API String ID: 601628497-0
Opcode ID: 3c127d7265f8d51fe2039055ce3183584c0af2576027dd62a24a2b8eebf40b52
Instruction ID: f7693ec41c502d290d1169f257db9650a9c015266bf6b837e16a869bc2713306
Opcode Fuzzy Hash: 3c127d7265f8d51fe2039055ce3183584c0af2576027dd62a24a2b8eebf40b52
Instruction Fuzzy Hash: 54515971E00249DFCF00CFA9C9949DEBBF4FF49754B26452AE415B7600DB31AA84CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB588F0 Relevance: 7.7, APIs: 5, Instructions: 162stringCOMMON

Download Yara Rule

APIs

SHGetPathFromIDListW.SHELL32(?,?), ref: 6CB58999
SHGetPathFromIDListW.SHELL32(?,?), ref: 6CB589C9

Part of subcall function 6CB452C6: __CxxThrowException@8.LIBCMT ref: 6CB452DC
Part of subcall function 6CB452C6: __EH_prolog3.LIBCMT ref: 6CB452E9

SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000408), ref: 6CB58A7C
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000408), ref: 6CB58A9D
lstrcmpiW.KERNEL32(?,?), ref: 6CB58AB1

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: FileFromInfoListPath$Exception@8H_prolog3Throwlstrcmpi
String ID:
API String ID: 4171047833-0
Opcode ID: 5a7bc75a426f1cff16ae14386d903af1378cb301ce6995e691deefd1a45e376d
Instruction ID: 053790ba8c699f473a12d56c1cf1e0d86737c60253aa73ec3dbd50e329fa14c7
Opcode Fuzzy Hash: 5a7bc75a426f1cff16ae14386d903af1378cb301ce6995e691deefd1a45e376d
Instruction Fuzzy Hash: AF519DB0A612A99BDF218F54CC40B9EB7BDFF48304F5081DBA549A7540DB339AA1CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB352F Relevance: 7.7, APIs: 5, Instructions: 153windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CBB3536
RedrawWindow.USER32(?,?,?,00000541), ref: 6CBB36FC

Part of subcall function 6CB4FF6B: GetWindowLongW.USER32(?,000000F0), ref: 6CB4FF76

GetSystemMenu.USER32(?,00000000), ref: 6CBB3570
IsMenu.USER32(?), ref: 6CBB358F
IsMenu.USER32(?), ref: 6CBB359D

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Menu$Window$H_prolog3LongRedrawSystem
String ID:
API String ID: 1445310841-0
Opcode ID: 806a712fba4b70370c1bd116dd8cbc653faa2253543574f2c7588c765e186505
Instruction ID: e9994554729029f203b032c1b95da84299bafc32513d1f5a4983b9869a620171
Opcode Fuzzy Hash: 806a712fba4b70370c1bd116dd8cbc653faa2253543574f2c7588c765e186505
Instruction Fuzzy Hash: 6751EE71A052869BDB04DFB8C944BFEB7B5AF04318F248269D916FBB84DF709944CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6CBA0125 Relevance: 7.6, APIs: 5, Instructions: 123COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6CBA0156

Part of subcall function 6CB50F8F: ClientToScreen.USER32(?,?), ref: 6CB50FA0
Part of subcall function 6CB50F8F: ClientToScreen.USER32(?,?), ref: 6CB50FAD

PtInRect.USER32(?,?,?), ref: 6CBA0170
PtInRect.USER32(?,?,?), ref: 6CBA01E3

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ClientRect$Screen
String ID:
API String ID: 3187875807-0
Opcode ID: 3b56b020b4227b496c4fa18665ae1f9d746dedc3b144b9907f3585e2792cb989
Instruction ID: f95868f33eb27c21910353b1d41d0fa479ef082f5d5b9f5b13601ad9e607b5f5
Opcode Fuzzy Hash: 3b56b020b4227b496c4fa18665ae1f9d746dedc3b144b9907f3585e2792cb989
Instruction Fuzzy Hash: FC413C71A0568AEFCF00CFA8D944ADEB7B5EF05304F504529E846FB644D771EA068B11

Uniqueness

Uniqueness Score: -1.00%

Function 6CB7D5D6 Relevance: 7.6, APIs: 5, Instructions: 108windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 6CB7D625
GetParent.USER32(?), ref: 6CB7D646
GetParent.USER32(?), ref: 6CB7D679
UpdateWindow.USER32(?), ref: 6CB7D6DB
SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 6CB7D706

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Parent$FocusMessageSendUpdateWindow
String ID:
API String ID: 2438739141-0
Opcode ID: ac7b61d4ed6efc4ecc7b6cd8dca1217db8acc22239ab1879326618d428c340ad
Instruction ID: 1c295b186f19cb0a8072054919a9b33e4883e06950c8f68e75673d63e4511696
Opcode Fuzzy Hash: ac7b61d4ed6efc4ecc7b6cd8dca1217db8acc22239ab1879326618d428c340ad
Instruction Fuzzy Hash: 4231F231704A409FCB259F39D844A5E7BF5EF857A8B25462DE87A976D0DF30D8009B21

Uniqueness

Uniqueness Score: -1.00%

Function 6CB7AC2B Relevance: 7.6, APIs: 5, Instructions: 99COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 6CB7AC54
ScreenToClient.USER32(?,?), ref: 6CB7AC84
SetCursor.USER32 ref: 6CB7ACCD
ScreenToClient.USER32(?,?), ref: 6CB7ACED
PtInRect.USER32(?,?,?), ref: 6CB7AD16

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ClientCursorScreen$Rect
String ID:
API String ID: 1082406499-0
Opcode ID: 5953a26f80317f1addb740342811a00b725fa8ccc8a1b4014b735f18c5e45112
Instruction ID: 9ee5577e233cc8b260099267c7bd6e5dced189c4d02801e99c5a4ff58c99e3e4
Opcode Fuzzy Hash: 5953a26f80317f1addb740342811a00b725fa8ccc8a1b4014b735f18c5e45112
Instruction Fuzzy Hash: C7318DB1A00249EFCF50DFB5C9849AEBBB9FB09305B50452AE926E3640DB30D905DF61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB7D714 Relevance: 7.6, APIs: 5, Instructions: 99COMMON

Download Yara Rule

APIs

CallNextHookEx.USER32(00000000,?,?), ref: 6CB7D730
WindowFromPoint.USER32(?,?), ref: 6CB7D75B
ScreenToClient.USER32(?,00000000), ref: 6CB7D78C
GetParent.USER32(?), ref: 6CB7D7FA
UpdateWindow.USER32(?), ref: 6CB7D852

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$CallClientFromHookNextParentPointScreenUpdate
String ID:
API String ID: 160110263-0
Opcode ID: 6ca03497ff6d7d78786b68ea985c2eb356c4adc0062318b044fda4459cc7bdd2
Instruction ID: ee5f2fa9c896c3883669da188b941101847cfd1dc068825af97c6ea26b809fd0
Opcode Fuzzy Hash: 6ca03497ff6d7d78786b68ea985c2eb356c4adc0062318b044fda4459cc7bdd2
Instruction Fuzzy Hash: 5A31A036604280AFDF118FA4E808E9D3BB5FB4A355F20C16DE82597AA0DB319854EB60

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB1751 Relevance: 7.6, APIs: 5, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 6CBB0F1D: GetParent.USER32(?), ref: 6CBB0F29
Part of subcall function 6CBB0F1D: GetParent.USER32(00000000), ref: 6CBB0F2C

GetWindowLongW.USER32(?,000000EC), ref: 6CBB17C0
RedrawWindow.USER32(?,00000000,00000000,00000081,?,?,?,?,?,6CBB1B6C,00000000), ref: 6CBB1811
SetWindowLongW.USER32(?,000000EC,?), ref: 6CBB1820
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000137,?,?,?,?,?,6CBB1B6C,00000000), ref: 6CBB1836
GetClientRect.USER32(?,?), ref: 6CBB184A

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$LongParent$ClientRectRedraw
String ID:
API String ID: 556606033-0
Opcode ID: ad3febc93864331c5141d4062864342003a8fff6b99e9b9a31e9abfe6bef6cec
Instruction ID: 18d86d9473056bf107f9261168cfaf5f215ea16ed826b93ccdbb891e895ffc0f
Opcode Fuzzy Hash: ad3febc93864331c5141d4062864342003a8fff6b99e9b9a31e9abfe6bef6cec
Instruction Fuzzy Hash: C521D2B2A251C8AFEF019A75CC849FE77B9EB85358F244938F121B3590EF30D9809711

Uniqueness

Uniqueness Score: -1.00%

Function 6CB67FC0 Relevance: 7.6, APIs: 5, Instructions: 94windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6CB67FE5
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 6CB68078
GetParent.USER32(?), ref: 6CB68084
GetWindowLongW.USER32(?,000000F4), ref: 6CB6809E
SendMessageW.USER32(?,00000111,?), ref: 6CB680AE

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageParentSend$LongWindow
String ID:
API String ID: 2933145521-0
Opcode ID: 40318282bff00e2844bacf56eb3e87dd348264181039b4db2c70245539fb75df
Instruction ID: 447a43014acecfedc5c46fea8f1d1076f11db355d7fdac3c58a86505e0aff471
Opcode Fuzzy Hash: 40318282bff00e2844bacf56eb3e87dd348264181039b4db2c70245539fb75df
Instruction Fuzzy Hash: 73215A32604684BFDF109B32CC44B9E76BEEB05358F20491AE595A2E50EB72DC409B92

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5742E Relevance: 7.6, APIs: 5, Instructions: 92windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB57435
CreateRectRgnIndirect.GDI32(?), ref: 6CB57457

Part of subcall function 6CB50EC3: SelectClipRgn.GDI32(?,00000000), ref: 6CB50EE9
Part of subcall function 6CB50EC3: SelectClipRgn.GDI32(?,?), ref: 6CB50EFF

GetParent.USER32(?), ref: 6CB57477
MapWindowPoints.USER32(?,00000000,?,00000001), ref: 6CB574CF
SendMessageW.USER32(?,00000014,?,00000000), ref: 6CB574FC

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ClipSelect$CreateH_prolog3IndirectMessageParentPointsRectSendWindow
String ID:
API String ID: 3362736716-0
Opcode ID: e8ff5bcfb2b40c578e0f80677d2dbdf2e05b00fb85c8d24bf1efa71697e8f4cc
Instruction ID: 20e63c81e7af3d284496a4bf245911e62721493a6f85b39c3f0208c6100bcb92
Opcode Fuzzy Hash: e8ff5bcfb2b40c578e0f80677d2dbdf2e05b00fb85c8d24bf1efa71697e8f4cc
Instruction Fuzzy Hash: 0B314F71A1025A9FCF04DFA4C844AEEBBB5FF08304F508528E915AB650EB71DE24DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB1954 Relevance: 7.6, APIs: 5, Instructions: 90windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB4FF6B: GetWindowLongW.USER32(?,000000F0), ref: 6CB4FF76

Part of subcall function 6CBB0F1D: GetParent.USER32(?), ref: 6CBB0F29
Part of subcall function 6CBB0F1D: GetParent.USER32(00000000), ref: 6CBB0F2C

SendMessageW.USER32(?,00000234,00000000,00000000), ref: 6CBB19CF
SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6CBB19F6
SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6CBB1A13
SendMessageW.USER32(?,00000222,?,00000000), ref: 6CBB1A2A
SendMessageW.USER32(?,00000222,00000000,?), ref: 6CBB1A4F

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSend$Parent$LongWindow
String ID:
API String ID: 4191550487-0
Opcode ID: 4916f5855dff98452ec8b15c384aa10c7f4e164d246d6d29dc94e564e1198f2e
Instruction ID: eb39c7faf4a520d17547bcfaad953b296e58fbe1d5894fb97d8f64fe4e703750
Opcode Fuzzy Hash: 4916f5855dff98452ec8b15c384aa10c7f4e164d246d6d29dc94e564e1198f2e
Instruction Fuzzy Hash: EE213831B61188BBEF095B25CC46FFD7A65EB48314F180129F625BB9D0CFF0E8859A91

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB9935 Relevance: 7.6, APIs: 5, Instructions: 89windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 6CBB9978
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 6CBB99AB
GetWindowRect.USER32(?,?), ref: 6CBB99BA
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6CBB9A10
RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 6CBB9A22

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$MessageSend$RectRedrawVisible
String ID:
API String ID: 1695962874-0
Opcode ID: fc1ccda9c3cb1778d9c6e6ac4d5679017e7bc929d9f759128ab4023b6793a608
Instruction ID: be8fce0999ed89382d1537b67ad9b8bd398e39f8f98253745323d0c9694bf481
Opcode Fuzzy Hash: fc1ccda9c3cb1778d9c6e6ac4d5679017e7bc929d9f759128ab4023b6793a608
Instruction Fuzzy Hash: E6312171A10695AFCB11DF99CD84EEFBBB8FB89714F10465AF566B7290CB309900CB11

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB2C12 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 6CBB2C6B
GetWindowRect.USER32(?,?), ref: 6CBB2C8E
PtInRect.USER32(?,?,?), ref: 6CBB2C9A
GetWindowRect.USER32(?,?), ref: 6CBB2CB8
PtInRect.USER32(?,?,?), ref: 6CBB2CC5

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Window
String ID:
API String ID: 924285169-0
Opcode ID: fb367fdbdf14b7a724a69e04fc2277520fc46f703894ae068b31300edcff6cee
Instruction ID: 216317569d421ee102ff7acabe478d0da3aca73ed3202f1a5915fa27e318da15
Opcode Fuzzy Hash: fb367fdbdf14b7a724a69e04fc2277520fc46f703894ae068b31300edcff6cee
Instruction Fuzzy Hash: 8D310271A202599FCB00DFA9C9488EEBBF8FF4D754B11416AE905F3610DB30E944DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4BC80 Relevance: 7.6, APIs: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 6CB4BCA3
GetWindowRect.USER32(00000000,?), ref: 6CB4BCD0
SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015,?), ref: 6CB4BCF5
GetWindow.USER32(?,00000005), ref: 6CB4BCFE
ScrollWindow.USER32(?,?,?,?,?), ref: 6CB4BD19

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$RectScrollVisible
String ID:
API String ID: 2639402888-0
Opcode ID: 9e614fc595b1f5a0dc3f6f87352d437d1c5c59268b68a87d74e4adf7dcf11805
Instruction ID: f7f5cacbbb94a9506246be9c2ae5a5b466f94fa3542b98e89868f49a9b08f1c5
Opcode Fuzzy Hash: 9e614fc595b1f5a0dc3f6f87352d437d1c5c59268b68a87d74e4adf7dcf11805
Instruction Fuzzy Hash: 44216D71A00609EFCF11CF99CC88D9FBBB8FF88304B10844AFA46A7601D7309950DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4D6C6 Relevance: 7.6, APIs: 5, Instructions: 80windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB4D6D0
GetTopWindow.USER32(00000000), ref: 6CB4D6F5
GetDlgCtrlID.USER32(00000000), ref: 6CB4D707
SendMessageW.USER32(?,00000087,00000000,00000000), ref: 6CB4D763
GetWindow.USER32(00000000,00000002), ref: 6CB4D7A3

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$CtrlH_prolog3MessageSend
String ID:
API String ID: 849854284-0
Opcode ID: 34b109b27d4e7ba6d391314cf9224de1d3b915c3735339619dd10d1f36b24313
Instruction ID: 98ea213313fee36e86995a0ff7e1d437709d5e9a31facbd455cc298494abbd32
Opcode Fuzzy Hash: 34b109b27d4e7ba6d391314cf9224de1d3b915c3735339619dd10d1f36b24313
Instruction Fuzzy Hash: F421D231A09254AAEF11DB60EC84EDDBB78EF52318F20C155E415A2A98EB304E44EB51

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB9DE6 Relevance: 7.6, APIs: 5, Instructions: 78windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CBB9DED
SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 6CBB9E14
SendMessageW.USER32(?,0000007F,00000001,00000000), ref: 6CBB9E28
GetClassLongW.USER32(?,000000DE), ref: 6CBB9EA0
GetClassLongW.USER32(?,000000F2), ref: 6CBB9EAE

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ClassLongMessageSend$H_prolog3
String ID:
API String ID: 350087385-0
Opcode ID: 3535f18e8a0250826852108bfc5fda46572d136ac5351df4440be5dc2762c52c
Instruction ID: 9bee8ddf712fdcfe3c0d096f0d300813932c6378d9ff0ac2f7befb0a455e5eda
Opcode Fuzzy Hash: 3535f18e8a0250826852108bfc5fda46572d136ac5351df4440be5dc2762c52c
Instruction Fuzzy Hash: 1221A431A00255ABDB21DB64CC81FEE72B4EF66714F114264F910BB7E0DF719C48CA91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB436C0 Relevance: 7.6, APIs: 5, Instructions: 75stringCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(C43828F3,00000000), ref: 6CB43711
ProcessIdToSessionId.KERNEL32(00000000,?), ref: 6CB4371F
WTSQuerySessionInformationW.WTSAPI32(00000000,?,00000005,00000000,?), ref: 6CB43741
lstrcpyW.KERNEL32(?,00000000), ref: 6CB43759
NetUserGetInfo.NETAPI32(00000000,?,00000001,?), ref: 6CB43770

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ProcessSession$CurrentInfoInformationQueryUserlstrcpy
String ID:
API String ID: 3793445260-0
Opcode ID: c762a1a00a76f8b734858cd04c4a15f41d47bae30e7507fe6d8b597bbb3b71f2
Instruction ID: 8e6ca61a11c23178a7fb1df2654baa2122de0ca2dc1cb378214e790a724867a0
Opcode Fuzzy Hash: c762a1a00a76f8b734858cd04c4a15f41d47bae30e7507fe6d8b597bbb3b71f2
Instruction Fuzzy Hash: 8E217CB1A1122AAFDF14DFA4DC48FEEB7B8FB48714F04819AE405A7540D734AA84CF94

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5D9D2 Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 6CB511B3: __EH_prolog3.LIBCMT ref: 6CB511BA
Part of subcall function 6CB511B3: GetDC.USER32(00000000), ref: 6CB511E6

IsRectEmpty.USER32(?), ref: 6CB5D9FB
InvertRect.USER32(?,?), ref: 6CB5DA09
SetRectEmpty.USER32(?), ref: 6CB5DA19
GetClientRect.USER32(?,?), ref: 6CB5DA36
InvertRect.USER32(?,?), ref: 6CB5DA83

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$EmptyInvert$ClientH_prolog3
String ID:
API String ID: 1656078942-0
Opcode ID: 291b83fb5b9a5e7d3a9ca7fe72e10c3cfc5c7d0ce706d091dec61a16ff040beb
Instruction ID: 189c0e2456e451ec51077a21a0b562301ea2d353395714437925c95694865f41
Opcode Fuzzy Hash: 291b83fb5b9a5e7d3a9ca7fe72e10c3cfc5c7d0ce706d091dec61a16ff040beb
Instruction Fuzzy Hash: 82212A72A00149EFCF01CFA9C9849DEBBB9FF49704F548139E909EA204E7309A94CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6BD4D Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB4FF6B: GetWindowLongW.USER32(?,000000F0), ref: 6CB4FF76

SendMessageW.USER32(?,00000086,00000001,00000000), ref: 6CB6BDB4
SendMessageW.USER32(?,00000086,00000000,00000000), ref: 6CB6BDCB
GetDesktopWindow.USER32 ref: 6CB6BDCF
SendMessageW.USER32(00000000,0000036D,0000000C,00000000), ref: 6CB6BDF0
GetWindow.USER32(00000000), ref: 6CB6BDF5

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSendWindow$DesktopLong
String ID:
API String ID: 2272707703-0
Opcode ID: e4ea4d7bcbdde97d4f55e91f3640b4c23a6af5cd422e6a258f28637c63cee8e9
Instruction ID: 549fda30f5e944ed26e39e82e31443fa4f39d23681abb3ed062555ee27ef1efe
Opcode Fuzzy Hash: e4ea4d7bcbdde97d4f55e91f3640b4c23a6af5cd422e6a258f28637c63cee8e9
Instruction Fuzzy Hash: F511EF312817E477EB221A27CC85F9E3A78DF41798F208164FA006DDD0CFA1C840A791

Uniqueness

Uniqueness Score: -1.00%

Function 6CBA276C Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CBA2773
DestroyMenu.USER32(?,00000004,6CBA5E31,00000004,6CB5C9A6), ref: 6CBA27AF
IsWindow.USER32(?), ref: 6CBA27C0
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 6CBA27D4
~_Task_impl.LIBCPMT ref: 6CBA284D

Part of subcall function 6CBFB3DF: GetParent.USER32(00000000), ref: 6CBFB445

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: DestroyH_prolog3MenuMessageParentSendTask_implWindow
String ID:
API String ID: 1857064102-0
Opcode ID: 0ec0ea34e7619c0a45cf518442aec855d7f255f175b60a94a860571cba441b43
Instruction ID: d89b6f8c8ebdc1a498ca36f26b787a74d854717181359d28c39d78b8f2de123d
Opcode Fuzzy Hash: 0ec0ea34e7619c0a45cf518442aec855d7f255f175b60a94a860571cba441b43
Instruction Fuzzy Hash: 5F31BC70505680CADB22DF78C5487EEBBB0AF56308F64448CC4EA57B80DBB56A09EB12

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5D76C Relevance: 7.6, APIs: 5, Instructions: 68stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 6CB5D7B8
SendMessageW.USER32(?,0000120C,00000000,00000002), ref: 6CB5D7DC
lstrlenW.KERNEL32(00000000), ref: 6CB5D7E5
SendMessageW.USER32(?,0000120C,00000001,00000002), ref: 6CB5D803
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 6CB5D81C

Part of subcall function 6CB452C6: __CxxThrowException@8.LIBCMT ref: 6CB452DC
Part of subcall function 6CB452C6: __EH_prolog3.LIBCMT ref: 6CB452E9

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSendlstrlen$Exception@8H_prolog3RedrawThrowWindow
String ID:
API String ID: 524015339-0
Opcode ID: 885589f6d9f63a94dc62febfdf3f66f6d1e9b16b02a3ed86bd6ee63926166eb4
Instruction ID: 85ebc61960a7f25bcff20624c26bb2fe319e595d09f299ba846a1b22a8077202
Opcode Fuzzy Hash: 885589f6d9f63a94dc62febfdf3f66f6d1e9b16b02a3ed86bd6ee63926166eb4
Instruction Fuzzy Hash: DD219A75600204AFDB11DF69CC49FAEBBF4FF88310F110269F55AA72A0DBB0A810CB54

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB2129 Relevance: 7.6, APIs: 5, Instructions: 68windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CBB215D
SHAppBarMessage.SHELL32(00000007,?), ref: 6CBB217B
SHAppBarMessage.SHELL32(00000007,?), ref: 6CBB2195
SHAppBarMessage.SHELL32(00000007,?), ref: 6CBB21AB
SHAppBarMessage.SHELL32(00000007,?), ref: 6CBB21C4

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Message$_memset
String ID:
API String ID: 2485647581-0
Opcode ID: 08290b6927a57615cf3d1c1f7c1530c8e4218d6acb8cc779ca44ab377dce3130
Instruction ID: 29692134ff78820d2a34d3965d5b61fb12297476d0ac97a2a555b80061c893c7
Opcode Fuzzy Hash: 08290b6927a57615cf3d1c1f7c1530c8e4218d6acb8cc779ca44ab377dce3130
Instruction Fuzzy Hash: 40218171E4120AAEEB04CFA5D8C5FEABFB8FB04758F10102AD919E6180DB71E545CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6C557 Relevance: 7.6, APIs: 5, Instructions: 66windowCOMMON

Download Yara Rule

APIs

GlobalGetAtomNameW.KERNEL32(?,?,00000103), ref: 6CB6C5D1
GlobalAddAtomW.KERNEL32(?), ref: 6CB6C5E0
GlobalGetAtomNameW.KERNEL32(?,?,00000103), ref: 6CB6C5F6
GlobalAddAtomW.KERNEL32(?), ref: 6CB6C5FF
SendMessageW.USER32(?,000003E4,?,?), ref: 6CB6C629

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AtomGlobal$Name$MessageSend
String ID:
API String ID: 1515195355-0
Opcode ID: 7b147a148e0abc32a0ebae9c63ef40abb70e277749b2101410ffca5d603eeee1
Instruction ID: 4ba322fe95d0130ba90d3b0c56c0aceb0e3d925538caf217372e03a8d2096926
Opcode Fuzzy Hash: 7b147a148e0abc32a0ebae9c63ef40abb70e277749b2101410ffca5d603eeee1
Instruction Fuzzy Hash: 2721C371A01218AACF20EF69C848AEEB3F8EF08304F40844AE55DD7581D774EE84CF65

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5A262 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000005C,?), ref: 6CB5A296
CreateFontIndirectW.GDI32(?), ref: 6CB5A2AB
IsWindow.USER32(?), ref: 6CB5A2C9
InvalidateRect.USER32(?,00000000,00000001), ref: 6CB5A2E7
UpdateWindow.USER32(?), ref: 6CB5A2F0

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$CreateFontIndirectInvalidateObjectRectUpdate
String ID:
API String ID: 1602852816-0
Opcode ID: 0a9fe917745ba0b409d5da77a15d8e56877b5ddc4c64c0d6a5308e984fffeca1
Instruction ID: f81ef43d1390cb5b25200908aa6a13fc1da8c2028b1a572e98d18b834aaf2e2c
Opcode Fuzzy Hash: 0a9fe917745ba0b409d5da77a15d8e56877b5ddc4c64c0d6a5308e984fffeca1
Instruction Fuzzy Hash: 8D11C431200345ABDB20AF74CC59AAF77B8FF05204F808529A506B3A90EF71E858DF60

Uniqueness

Uniqueness Score: -1.00%

Function 6CB64957 Relevance: 7.6, APIs: 5, Instructions: 55windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 6CB64963
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 6CB6498F
SendMessageW.USER32(?,00000150,?,00000000), ref: 6CB649A2
SendMessageW.USER32(?,00000146,00000000,00000000), ref: 6CB649BC
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 6CB649CF

Part of subcall function 6CB452C6: __CxxThrowException@8.LIBCMT ref: 6CB452DC
Part of subcall function 6CB452C6: __EH_prolog3.LIBCMT ref: 6CB452E9

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSend$Exception@8H_prolog3ThrowWindow
String ID:
API String ID: 1622667542-0
Opcode ID: 743dc1a96435c5ecd940d40c3039f299944f261695a335bd7549cef0cd0560ce
Instruction ID: e8747b581d113d1ea714f4b3e8f800d0566ac11fff92261077330c424610de0c
Opcode Fuzzy Hash: 743dc1a96435c5ecd940d40c3039f299944f261695a335bd7549cef0cd0560ce
Instruction Fuzzy Hash: AF019E71750A05BFEB018B72CC05F4ABAB9FB48784F104122B605A6EE0E7B0ED109F94

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5034C Relevance: 7.6, APIs: 5, Instructions: 55stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?), ref: 6CB50378
_memset.LIBCMT ref: 6CB50396
GetWindowTextW.USER32(00000000,?,00000100), ref: 6CB503B0
lstrcmpW.KERNEL32(?,?,?,?), ref: 6CB503C2
SetWindowTextW.USER32(00000000,?), ref: 6CB503CE

Part of subcall function 6CB452C6: __CxxThrowException@8.LIBCMT ref: 6CB452DC
Part of subcall function 6CB452C6: __EH_prolog3.LIBCMT ref: 6CB452E9

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
String ID:
API String ID: 4273134663-0
Opcode ID: ee17d01af4f68d0484864b874314d8c56acca73625ccd6f513ec418f3854c78a
Instruction ID: 5e751f9f358785dc9242d699c213a14f6ef667a74694d76f7ab9c4bed0160665
Opcode Fuzzy Hash: ee17d01af4f68d0484864b874314d8c56acca73625ccd6f513ec418f3854c78a
Instruction Fuzzy Hash: 6E01D6B6601259ABDB00EF75ED88DDF77BCEF49348F404061E905E3201EA30DA5887A1

Uniqueness

Uniqueness Score: -1.00%

Function 6CBE3DBC Relevance: 7.6, APIs: 5, Instructions: 53threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CBE3DC3
EnterCriticalSection.KERNEL32(6CCA2C5C,00000000,6CB7DB17,00000001), ref: 6CBE3E1F
__beginthread.LIBCMT ref: 6CBE3E39
SetThreadPriority.KERNEL32(00000000,000000FF), ref: 6CBE3E52
LeaveCriticalSection.KERNEL32(6CCA2C5C), ref: 6CBE3E69

Part of subcall function 6CB966AB: __EH_prolog3.LIBCMT ref: 6CB966B2

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CriticalH_prolog3Section$EnterLeavePriorityThread__beginthread
String ID:
API String ID: 4118814795-0
Opcode ID: 9e1fc269478f3c4e7075287623917fc0d8f7e1b06df278cc1960b746996c9de5
Instruction ID: bdb2e8f8f6c52bc3d2dc1d316ae6b456e31b83ea7ee98dae4f07f5243575b30a
Opcode Fuzzy Hash: 9e1fc269478f3c4e7075287623917fc0d8f7e1b06df278cc1960b746996c9de5
Instruction Fuzzy Hash: 2B118230D417A0ABCA119F75985C44C3F74E70BBBCB244759E529D7EE0D7308596CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5EE62 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CB5EE69
IsWindow.USER32(?), ref: 6CB5EE90
InflateRect.USER32(?,00000000,000000FF), ref: 6CB5EEAC
InvalidateRect.USER32(?,?,00000001), ref: 6CB5EEC1
UpdateWindow.USER32(?), ref: 6CB5EED0

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: RectWindow$H_prolog3_InflateInvalidateUpdate
String ID:
API String ID: 2146894351-0
Opcode ID: f34ecf8f8e488b966c23c4cb08352f262219f62614f07a0eff61d724bcfaab2b
Instruction ID: 293d1bae85f3733ccefa0d481c076fff4c8b45def86493a03c57c326ba0ad38c
Opcode Fuzzy Hash: f34ecf8f8e488b966c23c4cb08352f262219f62614f07a0eff61d724bcfaab2b
Instruction Fuzzy Hash: 151164712002008FDF00DFA8C988FE937B5FF0A304F4482A8EA05AF696CB31E904DB20

Uniqueness

Uniqueness Score: -1.00%

Function 6CB67D07 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6CB67D3A
GetCursorPos.USER32(?), ref: 6CB67D4A
ScreenToClient.USER32(?,?), ref: 6CB67D57
PtInRect.USER32(?,?,?), ref: 6CB67D67
SetCursor.USER32(?), ref: 6CB67D77

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ClientCursorRect$Screen
String ID:
API String ID: 1023402310-0
Opcode ID: 3672c48d18f1c43e568787d273c0b69877e26f310dddbf6eb40216e4a1bae037
Instruction ID: fa8c8bed5158dffcab93a3dd03e408f261848e3d49284d315ce2b933fc167f1a
Opcode Fuzzy Hash: 3672c48d18f1c43e568787d273c0b69877e26f310dddbf6eb40216e4a1bae037
Instruction Fuzzy Hash: FE114871E1020AEFCF01DFAAC9048BEFBF9FF45304B40846AE016A2110DB749A16DF91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB99262 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,75FD6BA0,00000000,6CC63080,?,6CB9B114,?,?,?,00000084,6CB9B4E8,0000000A,0000000A,0000000A,00000000), ref: 6CB99286
LoadResource.KERNEL32(?,00000000,?,6CB9B114,?,?,?,00000084,6CB9B4E8,0000000A,0000000A,0000000A,00000000,00000014,6CB67288,00000004), ref: 6CB9929C
LockResource.KERNEL32(00000000,?,?,6CB9B114,?,?,?,00000084,6CB9B4E8,0000000A,0000000A,0000000A,00000000,00000014,6CB67288,00000004), ref: 6CB992AB
FreeResource.KERNEL32(?,00000000,00000000,?,?,6CB9B114,?,?,?,00000084,6CB9B4E8,0000000A,0000000A,0000000A,00000000,00000014), ref: 6CB992BC
SizeofResource.KERNEL32(?,00000000,?,?,6CB9B114,?,?,?,00000084,6CB9B4E8,0000000A,0000000A,0000000A,00000000,00000014,6CB67288), ref: 6CB992C9

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Resource$FindFreeLoadLockSizeof
String ID:
API String ID: 4159136517-0
Opcode ID: fd7aa6aef2e67459915daf2ebd320321672f1aa23fd72c31366d8f8fd22ac2b8
Instruction ID: eb1ff497d333cdb117c5172ee6d5c8ab8fa7339de430f891c35ab46ed0565b98
Opcode Fuzzy Hash: fd7aa6aef2e67459915daf2ebd320321672f1aa23fd72c31366d8f8fd22ac2b8
Instruction Fuzzy Hash: 4C017C76A14665BF8B415BA68C0888F7BBCEB8B3743048025F909E3A00DB30D9109BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6BBB3 Relevance: 7.5, APIs: 5, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,00000367,00000367,00000003), ref: 6CB6BBD9
PostMessageW.USER32(?,00000367,00000000,00000000), ref: 6CB6BBF1
GetCapture.USER32 ref: 6CB6BBF3
ReleaseCapture.USER32 ref: 6CB6BBFE
PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 6CB6BC2C

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Message$CapturePost$PeekRelease
String ID:
API String ID: 1125932295-0
Opcode ID: 430865ea090d2dcd9f1763caea89a1580bfc365dac12dc628207eda2045c40ef
Instruction ID: 1d6371c022b4d507e0915824d9bb96f0b0b6d894c269982cff069345ca0071fe
Opcode Fuzzy Hash: 430865ea090d2dcd9f1763caea89a1580bfc365dac12dc628207eda2045c40ef
Instruction Fuzzy Hash: 28018F31614640AFEB211B36DC49F5B7BBCFB84708F50852DF08AE2580EE60A954E761

Uniqueness

Uniqueness Score: -1.00%

Function 6CBBC0B2 Relevance: 7.5, APIs: 5, Instructions: 45windowCOMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 6CBBC0C1
SendMessageW.USER32(?,00000366,00000000,?), ref: 6CBBC0DD
ClientToScreen.USER32(?,?), ref: 6CBBC0EA
GetWindowLongW.USER32(?,000000F0), ref: 6CBBC0F3
GetParent.USER32(?), ref: 6CBBC101

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ClientScreen$LongMessageParentSendWindow
String ID:
API String ID: 4240056119-0
Opcode ID: f8e2479f612077f9e3f7b04443b6e34ce4bc4c4a3b3842f0c09c32b3b2dc8b0b
Instruction ID: bfa11b030f7e6bbbdc4dd33fcb9dfebdf2015e0d0de93b1a3e216ac16ec4741f
Opcode Fuzzy Hash: f8e2479f612077f9e3f7b04443b6e34ce4bc4c4a3b3842f0c09c32b3b2dc8b0b
Instruction Fuzzy Hash: 55F0D136241A246BE7025A198C04BFB377CEF867B1F108212FD34F2180DF34CA5083A5

Uniqueness

Uniqueness Score: -1.00%

Function 6CB65238 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 6CB65258
RedrawWindow.USER32(?,00000000,00000000,00000401), ref: 6CB65270
PtInRect.USER32(?,?,?), ref: 6CB6528A
ReleaseCapture.USER32 ref: 6CB65297
RedrawWindow.USER32(?,00000000,00000000,00000401), ref: 6CB652A7

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: RectRedrawWindow$CaptureRelease
String ID:
API String ID: 1080614547-0
Opcode ID: d51e0097e852baf100c82395c562d011c0725fbaab08118e6f79a96e71864117
Instruction ID: 2bc1fa638769ffea34f46768be4611b402f81089177e1bf44388bd2b7cc0d5e2
Opcode Fuzzy Hash: d51e0097e852baf100c82395c562d011c0725fbaab08118e6f79a96e71864117
Instruction Fuzzy Hash: 8C019E31110B45ABCF214F66CC48DAB7BB9FB85705B40C91EF6AA92820EB31D065EF54

Uniqueness

Uniqueness Score: -1.00%

Function 6CC3C7B5 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6CC3C7C1

Part of subcall function 6CC39502: __getptd_noexit.LIBCMT ref: 6CC39505
Part of subcall function 6CC39502: __amsg_exit.LIBCMT ref: 6CC39512

__getptd.LIBCMT ref: 6CC3C7D8
__amsg_exit.LIBCMT ref: 6CC3C7E6
__lock.LIBCMT ref: 6CC3C7F6
__updatetlocinfoEx_nolock.LIBCMT ref: 6CC3C80A

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 06f72f68b2946b54c50b1472fb0fb444b8800d2e7efe4e77aff1a4f52683f2f6
Instruction ID: 9e92679490bc326b3132bf957c8e22be52a9fe2e590c5525f306cb96fed1d216
Opcode Fuzzy Hash: 06f72f68b2946b54c50b1472fb0fb444b8800d2e7efe4e77aff1a4f52683f2f6
Instruction Fuzzy Hash: 90F090329446309BD611BBB8B445BCD77A0BF01728F106309D819BBBC0FF649584DA65

Uniqueness

Uniqueness Score: -1.00%

Function 6CB43671 Relevance: 7.5, APIs: 5, Instructions: 24COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000,6CB43647), ref: 6CB43676
LocalFree.KERNEL32(00000000,6CB43647), ref: 6CB43681
FreeSid.ADVAPI32(?,6CB43647), ref: 6CB4368F
CloseHandle.KERNEL32(?,6CB43647), ref: 6CB4369D
CloseHandle.KERNEL32(?,6CB43647), ref: 6CB436AB

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Free$CloseHandleLocal
String ID:
API String ID: 705109652-0
Opcode ID: 4b214281da2350ef68935d05b9c8501463644a15bd0fdb3f321a08be0f62cfb5
Instruction ID: d2a4fd1acd973dc162a7e8685e794a804e2a5ddfd645d1fd336748fce483719d
Opcode Fuzzy Hash: 4b214281da2350ef68935d05b9c8501463644a15bd0fdb3f321a08be0f62cfb5
Instruction Fuzzy Hash: ACE09270A1AE515B8F0257A8C88C45D7F7AEB45615BB8C500F422F7A0CE735C891AF15

Uniqueness

Uniqueness Score: -1.00%

Function 6CB41D90 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CB41E06
_memmove.LIBCMT ref: 6CB41E5C

Part of subcall function 6CB41AC0: std::_Xinvalid_argument.LIBCPMT ref: 6CB41AD7

Strings

string too long, xrefs: 6CB41E01
UIxFramework, xrefs: 6CB41DD2, 6CB41DE8, 6CB41DF5, 6CB41E5A

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: UIxFramework$string too long
API String ID: 2168136238-2815365410
Opcode ID: ea52bab732e3aafbd67641a9d1b0793f5bb82ef0dd3656dd9b1c7e90a66567fa
Instruction ID: fff27c46a2521a6ecd8543e8dc3efd4b024ed32631484e67a90d850f55bc7734
Opcode Fuzzy Hash: ea52bab732e3aafbd67641a9d1b0793f5bb82ef0dd3656dd9b1c7e90a66567fa
Instruction Fuzzy Hash: 9631B476B081519B8710CE9DE8C0869B3BAFFD5365318813AE604C7A08D721EC75D7B6

Uniqueness

Uniqueness Score: -1.00%

Function 6CB41EF0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 6CB41F8E

Part of subcall function 6CC3285E: std::exception::_Copy_str.LIBCMT ref: 6CC32879

__CxxThrowException@8.LIBCMT ref: 6CB41FA3

Part of subcall function 6CC348D8: RaiseException.KERNEL32(6CB41FA8,00000000,C43828F3,6CC7FC3C,6CB41FA8,00000000,6CC94B14,?,C43828F3), ref: 6CC3491A

Part of subcall function 6CB42060: std::exception::exception.LIBCMT ref: 6CB42092
Part of subcall function 6CB42060: __CxxThrowException@8.LIBCMT ref: 6CB420A7

_memmove.LIBCMT ref: 6CB41FE7

Strings

UIxFramework, xrefs: 6CB41F05

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaise_memmovestd::exception::_
String ID: UIxFramework
API String ID: 163498487-1847128417
Opcode ID: 051239fd8a0255a60ebee362a20326e9164abc6ea1f4405552aea6f5b84f2878
Instruction ID: 01f2de0b72628b0eb1b2956fb7e0c04d927d3d58b13ecec5482660ba211637a5
Opcode Fuzzy Hash: 051239fd8a0255a60ebee362a20326e9164abc6ea1f4405552aea6f5b84f2878
Instruction Fuzzy Hash: 0F41C571E042459BCF04CF68C890A9EB7F9FF05314F14822EE82597B44E730E925DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6CB41CB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CB41D29
_memmove.LIBCMT ref: 6CB41D5C

Part of subcall function 6CB41C00: std::_Xinvalid_argument.LIBCPMT ref: 6CB41C18
Part of subcall function 6CB41C00: std::_Xinvalid_argument.LIBCPMT ref: 6CB41C36
Part of subcall function 6CB41C00: _memmove.LIBCMT ref: 6CB41C7A

Strings

string too long, xrefs: 6CB41D24
relay.dll, xrefs: 6CB41CF2, 6CB41D08, 6CB41D5A

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: relay.dll$string too long
API String ID: 2168136238-3404641863
Opcode ID: 0bb32b664ef312d040bf0b05f32e539d1272465fbacd01d50923763690fc0bae
Instruction ID: 04e0e9cfeab7ab51bfc51519ba49c7ef4b6ffa56e5798e5f55e0521ffa3ab53e
Opcode Fuzzy Hash: 0bb32b664ef312d040bf0b05f32e539d1272465fbacd01d50923763690fc0bae
Instruction Fuzzy Hash: A421D5717092559B8B00CE9DECC0C69B3BAFFD1359318812EE501CBA18D731E875D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB7A3B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6CBB7A45

Part of subcall function 6CBE5C31: __EH_prolog3.LIBCMT ref: 6CBE5C38

Part of subcall function 6CB48A12: __EH_prolog3.LIBCMT ref: 6CB48A19

Part of subcall function 6CB489D0: __EH_prolog3.LIBCMT ref: 6CB489D7

Part of subcall function 6CBE5954: __EH_prolog3.LIBCMT ref: 6CBE595B

_free.LIBCMT ref: 6CBB7B3D

Strings

MDITabsState, xrefs: 6CBB7B2F
%sMDIClientArea-%d, xrefs: 6CBB7A84

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: H_prolog3$H_prolog3_catch_free
String ID: %sMDIClientArea-%d$MDITabsState
API String ID: 276651542-353449602
Opcode ID: ffeada51064facd93f8dbcffb92dad1bad60b4671df67e90d07f4424a4effb37
Instruction ID: 771775e24a188ff734385eff4b74cca928cc29a14cab356d8eec16103096565f
Opcode Fuzzy Hash: ffeada51064facd93f8dbcffb92dad1bad60b4671df67e90d07f4424a4effb37
Instruction Fuzzy Hash: A4419C74900289AFDF05DFE4C894AEDBBB4AF19308F14809DE509BB781DB715A48DF62

Uniqueness

Uniqueness Score: -1.00%

Function 6CB42470 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(UniversalInstaller.exe,C43828F3,install,00000000,00000000), ref: 6CB424B3
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 6CB424C6

Strings

UniversalInstaller.exe, xrefs: 6CB424A2
install, xrefs: 6CB42493

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Module$FileHandleName
String ID: UniversalInstaller.exe$install
API String ID: 4146042529-576483242
Opcode ID: 960905f79d28bf06f2a26126224bf4f91dbda29f42c242a184fe4b2252810e64
Instruction ID: 1bcec4661aac30247c78be4c55d194824c8719fd90a534695e3f9bc92b1fdce4
Opcode Fuzzy Hash: 960905f79d28bf06f2a26126224bf4f91dbda29f42c242a184fe4b2252810e64
Instruction Fuzzy Hash: 09310471D042699BCB20DF64CC88BDEB7B4EF48314F00469AD425A7B90EB74AE48DF91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4F7FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

__snwprintf_s.LIBCMT ref: 6CB4F847
__snwprintf_s.LIBCMT ref: 6CB4F879

Part of subcall function 6CC34966: __getptd_noexit.LIBCMT ref: 6CC34966

Strings

Afx:%p:%x:%p:%p:%p, xrefs: 6CB4F86F
Afx:%p, xrefs: 6CB4F83D

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: __snwprintf_s$__getptd_noexit
String ID: Afx:%p$Afx:%p:%x:%p:%p:%p
API String ID: 101746997-482058564
Opcode ID: 17f6f4974e0d6a090a41aee478d38d3568e80470ec4246ab72cad7538ac94092
Instruction ID: d0cea70e035794f72ae69e22d498c66c3803a89ef69d502e79a46729f98f7d95
Opcode Fuzzy Hash: 17f6f4974e0d6a090a41aee478d38d3568e80470ec4246ab72cad7538ac94092
Instruction Fuzzy Hash: 62316AB1D04358EFCB01DFA9D8409CE7BF8EF48369F108016E908AB724E7359A54DB66

Uniqueness

Uniqueness Score: -1.00%

Function 6CB425D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,C43828F3,uninstall,?), ref: 6CB4260A
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 6CB4261D

Strings

uninstall, xrefs: 6CB425F3
relay.dll, xrefs: 6CB4269F

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Module$FileHandleName
String ID: relay.dll$uninstall
API String ID: 4146042529-3772736717
Opcode ID: 6c1d2ec23e4a0686f83338a24a1814eb01bd79b6e1c0cbed22624ca7a2f2c116
Instruction ID: 0c747898946267032a1aa36083f289d20a4e67c092372b5bc097c7ca1dbfc7e9
Opcode Fuzzy Hash: 6c1d2ec23e4a0686f83338a24a1814eb01bd79b6e1c0cbed22624ca7a2f2c116
Instruction Fuzzy Hash: 2931E271D041689BCB10DF64DC88BDEB7B8EF08314F4442D9E40AAB684EB34AB84DF81

Uniqueness

Uniqueness Score: -1.00%

Function 6CB70E98 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(DWMAPI,?,?,00000000,?,?,?,?,?,?,?,?,6CBB5932), ref: 6CB70F0F
GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps), ref: 6CB70F1F

Strings

DWMAPI, xrefs: 6CB70F0A
DwmInvalidateIconicBitmaps, xrefs: 6CB70F19

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: DWMAPI$DwmInvalidateIconicBitmaps
API String ID: 1646373207-1098356003
Opcode ID: 9b058d07a68b9711c20342ef7836031723535d6c26c51dbc9af9608b6905650e
Instruction ID: 5c09e477ea54ff2ad250008ff72a628d5fc5958e6c570f42918aded479e51397
Opcode Fuzzy Hash: 9b058d07a68b9711c20342ef7836031723535d6c26c51dbc9af9608b6905650e
Instruction Fuzzy Hash: 4511B171A102858BCF10DF799984AEFB6F5EF49254B100479AC26EB640EB72D904CB65

Uniqueness

Uniqueness Score: -1.00%

Function 6CB56109 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CB5612E
GetSysColor.USER32(00000014), ref: 6CB56178
CreateDIBitmap.GDI32(?,00000028,00000004,?,00000028,00000000), ref: 6CB561CB

Strings

(, xrefs: 6CB5615C

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: BitmapColorCreate_memset
String ID: (
API String ID: 3930187609-3887548279
Opcode ID: e200c0e0b67a8e99c7f69337a5ab8ef0d639f389ca2989c83c05c88603a46830
Instruction ID: 8800f49f54138d7c99b36064b33fda2bd042184bc1a38b77cd578dd358425903
Opcode Fuzzy Hash: e200c0e0b67a8e99c7f69337a5ab8ef0d639f389ca2989c83c05c88603a46830
Instruction Fuzzy Hash: 06210431A11258DFEF04CBB8D819BEDBBF8EF95700F00846EE546E7281DA315A48CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB41AC0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CB41AD7

Part of subcall function 6CC4936E: std::exception::exception.LIBCMT ref: 6CC49383
Part of subcall function 6CC4936E: __CxxThrowException@8.LIBCMT ref: 6CC49398
Part of subcall function 6CC4936E: std::exception::exception.LIBCMT ref: 6CC493A9

Part of subcall function 6CB41EA0: std::_Xinvalid_argument.LIBCPMT ref: 6CB41EAD

_memmove.LIBCMT ref: 6CB41B37

Strings

invalid string position, xrefs: 6CB41AD2
UIxFramework, xrefs: 6CB41AC6, 6CB41ACA

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: UIxFramework$invalid string position
API String ID: 3404309857-1112216684
Opcode ID: b3743f4ceb7cdf858533292d85cc8212526a9ab324f3160b3f924fad0bb88d29
Instruction ID: b7324d2c34cb9f32513d378b3158320b5a5ab6a7acbdc5ad05a290a50b5d3b0e
Opcode Fuzzy Hash: b3743f4ceb7cdf858533292d85cc8212526a9ab324f3160b3f924fad0bb88d29
Instruction Fuzzy Hash: 11110B33B096159B8710DE6DE8C0499B36AFF84368318862AE415DBB44E731EC69D7E2

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4DF13 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB46A75: EnterCriticalSection.KERNEL32(6CC9EB58,?,?,?,?,6CB463CF,00000010,00000008,6CB4627B,6CB46212,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA), ref: 6CB46AAF
Part of subcall function 6CB46A75: InitializeCriticalSection.KERNEL32(?,?,?,?,?,6CB463CF,00000010,00000008,6CB4627B,6CB46212,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA), ref: 6CB46AC1
Part of subcall function 6CB46A75: LeaveCriticalSection.KERNEL32(6CC9EB58,?,?,?,?,6CB463CF,00000010,00000008,6CB4627B,6CB46212,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA), ref: 6CB46ACE
Part of subcall function 6CB46A75: EnterCriticalSection.KERNEL32(?,?,?,?,?,6CB463CF,00000010,00000008,6CB4627B,6CB46212,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA), ref: 6CB46ADE

Part of subcall function 6CB463B4: __EH_prolog3_catch.LIBCMT ref: 6CB463BB

Part of subcall function 6CB452C6: __CxxThrowException@8.LIBCMT ref: 6CB452DC
Part of subcall function 6CB452C6: __EH_prolog3.LIBCMT ref: 6CB452E9

GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 6CB4DF5C
FreeLibrary.KERNEL32(?), ref: 6CB4DF6C

Strings

HtmlHelpW, xrefs: 6CB4DF56
hhctrl.ocx, xrefs: 6CB4DF40

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpW$hhctrl.ocx
API String ID: 2853499158-3773518134
Opcode ID: a52167f2d01657b835c9a249962ba8c89720337985a5a8c4b1ca6a68303d0bd1
Instruction ID: 9b235c6235712ae3c502fd352787c01adc360cdf3a69fe04bdbf4300ea72d367
Opcode Fuzzy Hash: a52167f2d01657b835c9a249962ba8c89720337985a5a8c4b1ca6a68303d0bd1
Instruction Fuzzy Hash: 9D01F23114CB86ABCF210B76E804B8F3AB1AF003A9F00C519F989A5E58DB30D464E752

Uniqueness

Uniqueness Score: -1.00%

Function 6CB50495 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 6CB504B6
GetClassNameW.USER32(?,?,0000000A), ref: 6CB504CB
CompareStringW.KERNEL32(00000409,00000001,?,000000FF,combobox,000000FF,?,6CB4B1F4,?,?), ref: 6CB504E5

Strings

combobox, xrefs: 6CB504D3

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ClassCompareLongNameStringWindow
String ID: combobox
API String ID: 1414938635-2240613097
Opcode ID: e7f6ea6b6269d171671b3ae90cbdab5d53c4c65937cc14328207d917bff6bec2
Instruction ID: 1c3ca7ae7eb7b27cf28dcaa55e177e30e6d70dc458c88d3de4075d4a10f75cae
Opcode Fuzzy Hash: e7f6ea6b6269d171671b3ae90cbdab5d53c4c65937cc14328207d917bff6bec2
Instruction Fuzzy Hash: 05F0F4316542596FCF01DF68CD06E9E37B8EB06324F904300FA21F71C0DA2099118795

Uniqueness

Uniqueness Score: -1.00%

Function 6CBBF136 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40timewindowCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,00000002), ref: 6CBBF15D
GetFocus.USER32 ref: 6CBBF169
RedrawWindow.USER32(?,00000000,00000000,00000105,00000000), ref: 6CBBF19A

Strings

y, xrefs: 6CBBF147

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: FocusKillRedrawTimerWindow
String ID: y
API String ID: 1950525498-4225443349
Opcode ID: 8514624d57955e0d1fd227ce6b26096846d57c0b84e8bddd2011d3ca51de4490
Instruction ID: 49f762b9e7c3392849c40930d07c5d10ba5db784836f1758d7e8fd379f9599e8
Opcode Fuzzy Hash: 8514624d57955e0d1fd227ce6b26096846d57c0b84e8bddd2011d3ca51de4490
Instruction Fuzzy Hash: 3BF0A4392D5284EFDF205A62CC08B693775EB05769F50C929F12EB6950CE709890DF41

Uniqueness

Uniqueness Score: -1.00%

Function 6CB47BAF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 6CB47BC1
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 6CB47BD1

Strings

RegCreateKeyTransactedW, xrefs: 6CB47BCB
Advapi32.dll, xrefs: 6CB47BBC

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1646373207-2994018265
Opcode ID: a6e6b87893727cbb0e57b53d93aa3e0fca168ea81e3c425e833f4f870cdbe232
Instruction ID: 116f96df44a79e21ff966642c6b99a820f5842282139c17cd0c53ab07abfd931
Opcode Fuzzy Hash: a6e6b87893727cbb0e57b53d93aa3e0fca168ea81e3c425e833f4f870cdbe232
Instruction Fuzzy Hash: 07F08732115189BBCF121EE08C04FDA3BB6EB08395F118425FA10A0460DBB2C0B1EB90

Uniqueness

Uniqueness Score: -1.00%

Function 6CB47C14 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 6CB47C28
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 6CB47C38

Strings

Advapi32.dll, xrefs: 6CB47C23
RegDeleteKeyTransactedW, xrefs: 6CB47C32

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyTransactedW
API String ID: 1646373207-2168864297
Opcode ID: e363af3b42bd3045836ebd804526d29b10c3b09fc8c387a349c090f5aac6adbf
Instruction ID: 8a6f65583e01fba84ed4b81b292b23612e55857bec7625ff15f0e7cf4cf59329
Opcode Fuzzy Hash: e363af3b42bd3045836ebd804526d29b10c3b09fc8c387a349c090f5aac6adbf
Instruction Fuzzy Hash: 1AF05C33204950B78B111A5A8D08C177FBAEBC2B61771C43BF254E0819D673C0B1F760

Uniqueness

Uniqueness Score: -1.00%

Function 6CB47B56 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 6CB47B68
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6CB47B78

Strings

Advapi32.dll, xrefs: 6CB47B63
RegOpenKeyTransactedW, xrefs: 6CB47B72

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 1646373207-3913318428
Opcode ID: 6f17546182865095672cff7965558ad446defefa0a947ee2eff7d348426f8df6
Instruction ID: fc384153a2a974666020ec8abb5b679803fca5c0b234afed6a5f80c4ce51e986
Opcode Fuzzy Hash: 6f17546182865095672cff7965558ad446defefa0a947ee2eff7d348426f8df6
Instruction Fuzzy Hash: 5EF03A32258245EBDF112EE1CC04FA67BB9EB49795F50C426F961B1850D7B1C0B0EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB54F97 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6CB54FA9
GetProcAddress.KERNEL32(00000000,GetFileAttributesTransactedW), ref: 6CB54FB9

Strings

kernel32.dll, xrefs: 6CB54FA4
GetFileAttributesTransactedW, xrefs: 6CB54FB3

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetFileAttributesTransactedW$kernel32.dll
API String ID: 1646373207-1378992308
Opcode ID: 0588ce73b81d049af1de2acd61cc21d2b104fc8f05b80653c6acac4e7f3a1c55
Instruction ID: afc9435f383932cd419db117596c7f53d89fc0d8d074f8fa510db1d5b520dd35
Opcode Fuzzy Hash: 0588ce73b81d049af1de2acd61cc21d2b104fc8f05b80653c6acac4e7f3a1c55
Instruction Fuzzy Hash: E6F0A031215254EFDF021FA89C04F967BB9EB08392F90C86AF52891810D732C4B0DF95

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5677D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB56784
GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 6CB567C5

Part of subcall function 6CB4B536: ActivateActCtx.KERNEL32(?,?,6CC89010,00000010,6CB4DF4A,hhctrl.ocx,6CB4D17C,0000000C), ref: 6CB4B556

Strings

SHCreateItemFromParsingName, xrefs: 6CB567BF
Shell32.dll, xrefs: 6CB5679D

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ActivateAddressH_prolog3Proc
String ID: SHCreateItemFromParsingName$Shell32.dll
API String ID: 323876227-214508289
Opcode ID: 4843d6d777cd4340c47338f6d4aec910d94b2d3b4d0368798d08b8777c7f81ae
Instruction ID: b404b2631ad148033324a5d94ee01d2f82c9ad477e186bb40ed116eddbfca7a4
Opcode Fuzzy Hash: 4843d6d777cd4340c47338f6d4aec910d94b2d3b4d0368798d08b8777c7f81ae
Instruction Fuzzy Hash: C0F09071605284ABDF009FA4AA1878D3BB0AB1239CF508508E912E6EA0E7728674DB02

Uniqueness

Uniqueness Score: -1.00%

Function 6CB9041C Relevance: 6.3, APIs: 4, Instructions: 258keyboardCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(6CC6C148), ref: 6CB90448
GetKeyState.USER32(00000011), ref: 6CB90450
IsRectEmpty.USER32(?), ref: 6CB904AD
GetWindowRect.USER32(?,6CC6C148), ref: 6CB9062A

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$Empty$StateWindow
String ID:
API String ID: 2684165152-0
Opcode ID: bf40c18fb93cf071c109a85c84390540938ffdda4e7a4075a23f81c8eb286655
Instruction ID: b5f88efbdd53ca6bf6110c34a6035034e9cd262950f4126adba677314698f048
Opcode Fuzzy Hash: bf40c18fb93cf071c109a85c84390540938ffdda4e7a4075a23f81c8eb286655
Instruction Fuzzy Hash: 6E91C231A04289DFDF04CFA4D844AEEBBB5FF8A314F208179E915AB650DB319850DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5D084 Relevance: 6.2, APIs: 4, Instructions: 175COMMON

Download Yara Rule

APIs

IsRectEmpty.USER32(?), ref: 6CB5D15B
IsWindow.USER32(?), ref: 6CB5D1AB
SetRectEmpty.USER32(?), ref: 6CB5D227
SetRectEmpty.USER32(?), ref: 6CB5D22D

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: EmptyRect$Window
String ID:
API String ID: 1945993337-0
Opcode ID: 1b55ee5f021e0ee04f1ceeffacf6339807ccc829a4b2a8804432fd56960bc448
Instruction ID: fda448e8b599f0835853ef4311cfb74d3eb85930ab060488da9ec7610e64fcf5
Opcode Fuzzy Hash: 1b55ee5f021e0ee04f1ceeffacf6339807ccc829a4b2a8804432fd56960bc448
Instruction Fuzzy Hash: BC51BA31A01245CFDB05CF68C990BEA73FAFF49308F5402A9EC1AAF256DB71A901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB1EC8 Relevance: 6.2, APIs: 4, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 6CBB1F64
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6CBB1FAA
RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 6CBB1FBA
IsWindowVisible.USER32(?), ref: 6CBB205F

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSendWindow$RedrawVisible
String ID:
API String ID: 2376333906-0
Opcode ID: 1a66452eadcb7ef252ecfb093882da5c9c87a74da40b4042055e3a06c81d8a09
Instruction ID: 7d6efa3ee87ce9a7e96081530ba15700475e8b9ac4e21fdc88cf4bf1b26f9ade
Opcode Fuzzy Hash: 1a66452eadcb7ef252ecfb093882da5c9c87a74da40b4042055e3a06c81d8a09
Instruction Fuzzy Hash: 0051B631204A40AFCB218F25C988EBA37BAFF85704B74456DF4569BA61DB32E841DB12

Uniqueness

Uniqueness Score: -1.00%

Function 6CC04B4C Relevance: 6.2, APIs: 4, Instructions: 157COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 6CC04B7E
SetRectEmpty.USER32(?), ref: 6CC04C10
SetRect.USER32(?,0000000A,?,?), ref: 6CC04C47
CopyRect.USER32(?,?), ref: 6CC04C80

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$CopyEmptyWindow
String ID:
API String ID: 2176940440-0
Opcode ID: 6f07e19e12873d3991a1c5de41e88529206086abaafe40bf4f87d656682ef309
Instruction ID: 12533e0efbf7f8e3328478a8971760a753ab918913ebe8959fdc137d1542787d
Opcode Fuzzy Hash: 6f07e19e12873d3991a1c5de41e88529206086abaafe40bf4f87d656682ef309
Instruction Fuzzy Hash: 5751F6B2E01618AFCF00DFA9C9849EEBBF9FF99704B10415AE411B7600D771AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5519F Relevance: 6.2, APIs: 4, Instructions: 155timeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CB551C2
GetFileTime.KERNEL32(?,?,?,?), ref: 6CB55200
GetFileSizeEx.KERNEL32(?,?), ref: 6CB55218

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: File$SizeTime_memset
String ID:
API String ID: 151880914-0
Opcode ID: 3613a51c87c1f5801a9a814b92cc2ea9b7341a80aa8643d0478844765b683aa7
Instruction ID: 48f2ccc4398cd0d6c908b74fdf20a3f3ab03ba1a161943defd0bbd14ed38a2bf
Opcode Fuzzy Hash: 3613a51c87c1f5801a9a814b92cc2ea9b7341a80aa8643d0478844765b683aa7
Instruction Fuzzy Hash: 17514CB1514749AFCB10CFA9C880C9AB7F8FF093147508A2DE4AAD7A80E730E958CF54

Uniqueness

Uniqueness Score: -1.00%

Function 6CB569BB Relevance: 6.1, APIs: 4, Instructions: 149COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 6CB569D4
_wcslen.LIBCMT ref: 6CB569F6
_wcslen.LIBCMT ref: 6CB56A37
_wcslen.LIBCMT ref: 6CB56B0C

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 659d16fe1a7048cfde93193b5bcb53adff139366637ffa063768561e96377f74
Instruction ID: bf9475b7709c4dd47258c7e94a875c8514364a3c9874651211b2c8ba1f69d6ee
Opcode Fuzzy Hash: 659d16fe1a7048cfde93193b5bcb53adff139366637ffa063768561e96377f74
Instruction Fuzzy Hash: E5519D36D44669EF8B11CFA8C8808DEBBB5EF48314B60851AE804F7700EB31AA558B91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB754E2 Relevance: 6.1, APIs: 4, Instructions: 137keyboardwindowCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32(00000001), ref: 6CB75523
WindowFromPoint.USER32(?,?), ref: 6CB75563
SendMessageW.USER32(?,00000000,?,00000000), ref: 6CB755D6
ScreenToClient.USER32(?,?), ref: 6CB75637

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AsyncClientFromMessagePointScreenSendStateWindow
String ID:
API String ID: 227561881-0
Opcode ID: 970153056c41e8d3113571f6ebbf15c2d3bbdfd1df2f881b524879417ca30825
Instruction ID: 9630335f8559aca3b98ba0a4c3edd059dbd6cfac69cc30482e2349805f4eae64
Opcode Fuzzy Hash: 970153056c41e8d3113571f6ebbf15c2d3bbdfd1df2f881b524879417ca30825
Instruction Fuzzy Hash: D1518371A0414A9FDF24CF64C844AEE77B5FF44304F10462AED2AE7640EB30E958CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4F8FF Relevance: 6.1, APIs: 4, Instructions: 132windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB4F906
SendDlgItemMessageA.USER32(?,?,?,00000000,?), ref: 6CB4FA52

Part of subcall function 6CB44632: _malloc.LIBCMT ref: 6CB44650

SendDlgItemMessageW.USER32(?,?,0000040B,00000000,00000001), ref: 6CB4F9DE

Part of subcall function 6CB53D81: __EH_prolog3.LIBCMT ref: 6CB53D88

SendDlgItemMessageW.USER32(?,?,0000037C,?,?), ref: 6CB4FA10

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ItemMessageSend$H_prolog3$_malloc
String ID:
API String ID: 2480034192-0
Opcode ID: cb1d80c2cbb38f3cb0069c606fab33d5e79f37af76806b7f680bfd0d2c3f036c
Instruction ID: 4ce91c2c58782a5987cb905505d90cfdd762dfd60652cb7dcf0b1aa3d73c23f3
Opcode Fuzzy Hash: cb1d80c2cbb38f3cb0069c606fab33d5e79f37af76806b7f680bfd0d2c3f036c
Instruction Fuzzy Hash: CB410571908151ABDF14DF68CC40BFE3BB5EB44328F508319F9A1A7AD8D7308A41E751

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB4A4E Relevance: 6.1, APIs: 4, Instructions: 129COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6CBB4A55

Part of subcall function 6CB452C6: __CxxThrowException@8.LIBCMT ref: 6CB452DC
Part of subcall function 6CB452C6: __EH_prolog3.LIBCMT ref: 6CB452E9

Part of subcall function 6CB458CB: __EH_prolog3_catch.LIBCMT ref: 6CB458D2

GetWindowRect.USER32(?,?), ref: 6CBB4B49
GetSystemMetrics.USER32(00000010), ref: 6CBB4B57
GetSystemMetrics.USER32(00000011), ref: 6CBB4B62

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MetricsSystem$Exception@8H_prolog3H_prolog3_H_prolog3_catchRectThrowWindow
String ID:
API String ID: 3575448974-0
Opcode ID: 2e362328a97977046cce38fde5107e58e9380a41fad0eaa1341210b41dd4f1c2
Instruction ID: b50cb5ed1ba08a51c49e5bdbd6956a658a35d7ba66aaec889feb599302fd676b
Opcode Fuzzy Hash: 2e362328a97977046cce38fde5107e58e9380a41fad0eaa1341210b41dd4f1c2
Instruction Fuzzy Hash: 6C417971A006099FCB14DFA8C894AEEBBB6FF48304F044569E906FB790CB70A908DF50

Uniqueness

Uniqueness Score: -1.00%

Function 6CB9D8F8 Relevance: 6.1, APIs: 4, Instructions: 120COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6CB9D9B8
SetRectEmpty.USER32(?), ref: 6CB9D9C5
SetRectEmpty.USER32(?), ref: 6CB9DA73
SetRectEmpty.USER32 ref: 6CB9DAD0

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: d68b79b74b977bbdb82a383577b13004ed142d7c0837143ceda8c9e7577a9a51
Instruction ID: 4876870c582fcd7ff4646881df652416d1ab1f993eeca8fd8cda47b028569d2e
Opcode Fuzzy Hash: d68b79b74b977bbdb82a383577b13004ed142d7c0837143ceda8c9e7577a9a51
Instruction Fuzzy Hash: 1751ADB1905B858EC760CF7AC5846DAFAF8FF95304F104A2FC0AAE2660D7B06585DF01

Uniqueness

Uniqueness Score: -1.00%

Function 6CB73FCB Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 6CB74097
ClientToScreen.USER32(?,?), ref: 6CB740A7
IsWindow.USER32(?), ref: 6CB740C9
ClientToScreen.USER32(?,?), ref: 6CB740FE

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ClientScreenWindow
String ID:
API String ID: 1643562046-0
Opcode ID: 9f2bd51c30ec932a7b674f5a9134a862534a297dccc04faf87e4ba3e255c43b2
Instruction ID: f0d26583a712b2f88e7fe1f63343eebcc37aad013cc0a0270fe39a0d41890a46
Opcode Fuzzy Hash: 9f2bd51c30ec932a7b674f5a9134a862534a297dccc04faf87e4ba3e255c43b2
Instruction Fuzzy Hash: 37419371500540EEDB218F54CC58EEE7BBDEF05345F10442AED65D29A4EB31D984DF22

Uniqueness

Uniqueness Score: -1.00%

Function 6CB7361E Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 6CB736EA
ClientToScreen.USER32(?,?), ref: 6CB736FA
IsWindow.USER32(?), ref: 6CB7371C
ClientToScreen.USER32(?,?), ref: 6CB73751

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ClientScreenWindow
String ID:
API String ID: 1643562046-0
Opcode ID: 828a95d886f53af6a1e92ef11caf5cf31002e8848c5dd045ea0de8a71e45c244
Instruction ID: 0c69b05cf8d518ad6a9f4e5e0ca3320f15031e233c299e1e95148912aff808ee
Opcode Fuzzy Hash: 828a95d886f53af6a1e92ef11caf5cf31002e8848c5dd045ea0de8a71e45c244
Instruction Fuzzy Hash: E341A475504285EBEF208F54CC90EEE7BB9EF18354F204429EDA5D7A60EB35E940DB22

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5F2CD Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6CB5F35A
RedrawWindow.USER32(?,?,00000000,00000105), ref: 6CB5F375
IsRectEmpty.USER32(?), ref: 6CB5F3C7
RedrawWindow.USER32(?,?,00000000,00000105), ref: 6CB5F3E2

Part of subcall function 6CB5CF85: RedrawWindow.USER32(00000000,?,00000000,00000105), ref: 6CB5CFEF

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: RedrawWindow$EmptyRect
String ID:
API String ID: 138230908-0
Opcode ID: ad9e028f1a3217072dc54f9d250098fd7c21ce1b872a60b567660d7456cb96c9
Instruction ID: ca22a0556e3fca88a83e3a392d666bd168c87dc075b53890e7eac2ec9817e2a7
Opcode Fuzzy Hash: ad9e028f1a3217072dc54f9d250098fd7c21ce1b872a60b567660d7456cb96c9
Instruction Fuzzy Hash: 7D417E72A01145DFEF00DFA4C884BEFB7BAEF49304F944079EA05AB241D771A951CB65

Uniqueness

Uniqueness Score: -1.00%

Function 6CC443CF Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6CC44403
__isleadbyte_l.LIBCMT ref: 6CC44436
MultiByteToWideChar.KERNEL32(00000080,00000009,6CC333D0,?,00000000,00000000,?,?,?,?,6CC333D0,00000000), ref: 6CC44467
MultiByteToWideChar.KERNEL32(00000080,00000009,6CC333D0,00000001,00000000,00000000,?,?,?,?,6CC333D0,00000000), ref: 6CC444D5

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 46100e7b1033345309fba62697cb4bab505ba344525a6f382cf530a9bb3bf6c2
Instruction ID: 900f68388703a7affc983e28e293716e21f4068eb14ba3012e1af23d9782cbbf
Opcode Fuzzy Hash: 46100e7b1033345309fba62697cb4bab505ba344525a6f382cf530a9bb3bf6c2
Instruction Fuzzy Hash: 4F31C431A01295EFDB10CFA8C884AAE7BB5FF01319F35C9A9E4649B991F731D980DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6CBAB4B3 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6CBAB4DC
GetWindowRect.USER32(?,?), ref: 6CBAB513
GetClientRect.USER32(?,?), ref: 6CBAB531

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$ClientEmptyWindow
String ID:
API String ID: 742297903-0
Opcode ID: 069684620cc046f6a6588ef78eb0b701a7b499a162876ea033113149c85c116e
Instruction ID: 1fb7724b9f21fdf515388d06e4e89c108bd8839393ecb5cae68d94d1f29588ea
Opcode Fuzzy Hash: 069684620cc046f6a6588ef78eb0b701a7b499a162876ea033113149c85c116e
Instruction Fuzzy Hash: 77315EB1604649EFCB00DFA8C994EADB7F4FF09304B508569E41ADB651DB30ED51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CC04DE6 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6CC04E3C
IsRectEmpty.USER32(?), ref: 6CC04E46
SetRectEmpty.USER32(?), ref: 6CC04E9D
SetRectEmpty.USER32(?), ref: 6CC04EA3

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: f08147d99c5e8d6bffdab1a64c9b13468ae9382d613f5bc128ae1a3e11bb2ac4
Instruction ID: 8cee48f24280fbcd89f68ed67386c9c48c2a3ac5883e66f4049ba11942d37aa4
Opcode Fuzzy Hash: f08147d99c5e8d6bffdab1a64c9b13468ae9382d613f5bc128ae1a3e11bb2ac4
Instruction Fuzzy Hash: E3319071A01618DFCF01CFA9C8808DFB7F8AF59714B20816AE915AB605E772D985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5E1BF Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(00000000), ref: 6CB5E1E0
ScreenToClient.USER32(?,00000000), ref: 6CB5E1ED
SetCursor.USER32 ref: 6CB5E21A
PtInRect.USER32(?,00000000,00000000), ref: 6CB5E284

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Cursor$ClientRectScreen
String ID:
API String ID: 2390797981-0
Opcode ID: c76da4dfd29d0a59d1e4a56733c9a0d8b8c5e2f5ef2a42c8a0a468d81ab52e2c
Instruction ID: f4940619be0269b19f8fb30ec05e69766af4bfe98e15f128de2617828f26d484
Opcode Fuzzy Hash: c76da4dfd29d0a59d1e4a56733c9a0d8b8c5e2f5ef2a42c8a0a468d81ab52e2c
Instruction Fuzzy Hash: A021FE7261028AEFCF01CFB5D948ADE7BBAFB41329F804518E005E2104DB35EAA0CF81

Uniqueness

Uniqueness Score: -1.00%

Function 6CB66809 Relevance: 6.1, APIs: 4, Instructions: 71windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB66810
GetSystemPaletteEntries.GDI32(?,00000000,00000100,00000004), ref: 6CB66878
CreatePalette.GDI32(00000000), ref: 6CB668C3

Part of subcall function 6CB663EC: GetObjectW.GDI32(?,00000002,?), ref: 6CB663FB

Part of subcall function 6CB44632: _malloc.LIBCMT ref: 6CB44650

GetPaletteEntries.GDI32(00000000,00000000,00000000,00000004), ref: 6CB668AA

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Palette$Entries$CreateH_prolog3ObjectSystem_malloc
String ID:
API String ID: 437169817-0
Opcode ID: 4ebf2a23aa65d36596ab7b8cd28052080034345a56191300ee52aea3e1a2a98b
Instruction ID: 9c8ff1ddfbf45c74b6f91c54113098ccd6cb184ca5b6c48b3e3a619ba8ae55f6
Opcode Fuzzy Hash: 4ebf2a23aa65d36596ab7b8cd28052080034345a56191300ee52aea3e1a2a98b
Instruction Fuzzy Hash: DF21BE32600240ABDB04DFA8C854FCE77B4EF4A315F14806AE64ADBB90EF349464CF66

Uniqueness

Uniqueness Score: -1.00%

Function 6CC36788 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: 7f72ef1a24c8f8454aa795a0a8397f9692f0ef382bed62e4fafcdc3e1d801309
Instruction ID: 71892b1b3665a8d491a2a7b0aa79f91cac2f7e7a2fc86d6db14e2bb2983006f4
Opcode Fuzzy Hash: 7f72ef1a24c8f8454aa795a0a8397f9692f0ef382bed62e4fafcdc3e1d801309
Instruction Fuzzy Hash: FD11B431604624EFDB109F65EC08A8A3EB8FB86768F115114ED58E7A90FB318950D792

Uniqueness

Uniqueness Score: -1.00%

Function 6CB44AB9 Relevance: 6.1, APIs: 4, Instructions: 62windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB44AC0

Part of subcall function 6CB44632: _malloc.LIBCMT ref: 6CB44650

__CxxThrowException@8.LIBCMT ref: 6CB44B05
FormatMessageW.KERNEL32(00001100,00000000,?,00000800,?,00000000,00000000,?,?,6CC88790,00000004,6CB42ED8,?,?,6CB4443C,80070216), ref: 6CB44B2F
LocalFree.KERNEL32(?), ref: 6CB44B5D

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc
String ID:
API String ID: 1776251131-0
Opcode ID: afadc95cf304c6d49a7a2f1af533ff25cfdf0f8adac630c4f5e70b883fd4c8db
Instruction ID: b2056d57341c3b6c5e96763c65aaa1f74c9ab84e53839e50122692b11d58f9b8
Opcode Fuzzy Hash: afadc95cf304c6d49a7a2f1af533ff25cfdf0f8adac630c4f5e70b883fd4c8db
Instruction Fuzzy Hash: 1A11E271914698AFDB00CFA4CC04FEE3BB8FF44758F20C518F9249BA90E7319A60AB55

Uniqueness

Uniqueness Score: -1.00%

Function 6CC1830F Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,00000005,00000005,?,00000000,?,6CC185F2,00000005,?), ref: 6CC1832F
LoadResource.KERNEL32(?,00000000,?,00000000,?,6CC185F2,00000005,?), ref: 6CC18344
LockResource.KERNEL32(00000000,?,00000000,?,6CC185F2,00000005,?), ref: 6CC18356
GlobalFree.KERNEL32(?), ref: 6CC18390

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Resource$FindFreeGlobalLoadLock
String ID:
API String ID: 3898064442-0
Opcode ID: 7f1b11755b31dfe9078261185fa98cd8bd0448fee8be8d57f6e65ce47a6f5e59
Instruction ID: afcb359de2a66870d6d6ef75213ad78ff947643e7d4570b7379fc7b146e49419
Opcode Fuzzy Hash: 7f1b11755b31dfe9078261185fa98cd8bd0448fee8be8d57f6e65ce47a6f5e59
Instruction Fuzzy Hash: 5011D335208680AFCB125F67C844F5A7BF5BF84369B5AC02AE825D7E10EB30D455AF20

Uniqueness

Uniqueness Score: -1.00%

Function 6CB71191 Relevance: 6.1, APIs: 4, Instructions: 61windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6CB711A2
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 6CB711E5
RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 6CB711F1
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 6CB711D0

Part of subcall function 6CBB1954: SendMessageW.USER32(?,00000234,00000000,00000000), ref: 6CBB19CF
Part of subcall function 6CBB1954: SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6CBB19F6
Part of subcall function 6CBB1954: SendMessageW.USER32(?,00000229,00000000,00000000), ref: 6CBB1A13
Part of subcall function 6CBB1954: SendMessageW.USER32(?,00000222,?,00000000), ref: 6CBB1A2A

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSend$ParentRedrawWindow
String ID:
API String ID: 2139789815-0
Opcode ID: ce58e7d97de16bb02376ba5457b78a2d0a9e13f5d4feada5168aa420a6edca45
Instruction ID: 55e964ba108bb6c9b426214625ddeb2081bc49fe13d102d034ad74be9a7e1594
Opcode Fuzzy Hash: ce58e7d97de16bb02376ba5457b78a2d0a9e13f5d4feada5168aa420a6edca45
Instruction Fuzzy Hash: DE11C471200288BFEB216F91CCD4EAE7ABDEB80348F144129FA18A7950C770DD849B70

Uniqueness

Uniqueness Score: -1.00%

Function 6CB69571 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,00000000,00000005), ref: 6CB6959C
LoadResource.KERNEL32(?,00000000), ref: 6CB695A4
LockResource.KERNEL32(00000000), ref: 6CB695B6
FreeResource.KERNEL32(00000000), ref: 6CB69604

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 1ac2c6211b6bb06a6f958c2a6d9c2680a4971876086200d6b912abf0b411abd8
Instruction ID: 542c688874024bb4d4c9db24be97256b7f032d316785b8ea9a9c4763295be022
Opcode Fuzzy Hash: 1ac2c6211b6bb06a6f958c2a6d9c2680a4971876086200d6b912abf0b411abd8
Instruction Fuzzy Hash: E8110470900B50EFD7109F66C884AB6B7B4FF04329F108529EC5653D40D770DD94EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CB53023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB4FF0B: GetDlgItem.USER32(?,?), ref: 6CB4FF1C

GetWindowLongW.USER32(?,000000F0), ref: 6CB53040
GetWindowTextLengthW.USER32(?), ref: 6CB5306D
GetWindowTextW.USER32(?,00000000,00000100), ref: 6CB5309C
SendMessageW.USER32(?,0000014D,000000FF,?), ref: 6CB530BD

Part of subcall function 6CB5034C: lstrlenW.KERNEL32(?,?,?), ref: 6CB50378
Part of subcall function 6CB5034C: _memset.LIBCMT ref: 6CB50396
Part of subcall function 6CB5034C: GetWindowTextW.USER32(00000000,?,00000100), ref: 6CB503B0
Part of subcall function 6CB5034C: lstrcmpW.KERNEL32(?,?,?,?), ref: 6CB503C2
Part of subcall function 6CB5034C: SetWindowTextW.USER32(00000000,?), ref: 6CB503CE

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$Text$ItemLengthLongMessageSend_memsetlstrcmplstrlen
String ID:
API String ID: 205973220-0
Opcode ID: 331659b20a1aea85acf17dd391f67859a4c786d173b3bd3fcb78dc4ab61c1da4
Instruction ID: 34f7d0519fe4772d3f68ea0872653d10a8f7e8378ffcb855f86521eae4664075
Opcode Fuzzy Hash: 331659b20a1aea85acf17dd391f67859a4c786d173b3bd3fcb78dc4ab61c1da4
Instruction Fuzzy Hash: 30114C32108689ABCF029F54DC04F9D7B6AEF05364F948618F9649BAE0CB3199B5EB41

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4B1B2 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000000C,?), ref: 6CB4B1FF
SetBkColor.GDI32(?,?), ref: 6CB4B209
GetSysColor.USER32(00000008), ref: 6CB4B219
SetTextColor.GDI32(?,?), ref: 6CB4B221

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Color$ObjectText
String ID:
API String ID: 829078354-0
Opcode ID: e432b351317f0a788e91a21715d6cf23a00e7907454bdf3f85740c0e986b9e2b
Instruction ID: 6107a05bcecc0fba4a6c98fde037cf8fca7c240be8a3a110ca7b5f398d5d2298
Opcode Fuzzy Hash: e432b351317f0a788e91a21715d6cf23a00e7907454bdf3f85740c0e986b9e2b
Instruction Fuzzy Hash: E611C035615945ABCB009F78AC44ABF3BB8EF46218F608514FA25E3588CB30D911E7A3

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4987E Relevance: 6.1, APIs: 4, Instructions: 54windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,00000000,?), ref: 6CB498BA

Part of subcall function 6CB452C6: __CxxThrowException@8.LIBCMT ref: 6CB452DC
Part of subcall function 6CB452C6: __EH_prolog3.LIBCMT ref: 6CB452E9

GetFocus.USER32 ref: 6CB498D0
GetParent.USER32(?), ref: 6CB498DE
SendMessageW.USER32(?,00000028,00000000,00000000), ref: 6CB498F1

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: EnableException@8FocusH_prolog3ItemMenuMessageParentSendThrow
String ID:
API String ID: 3849708097-0
Opcode ID: f9078d2f3f0591bb5794fc9e305c568f94e09dd6f04d94de3612d64b8c44d6e8
Instruction ID: 0d0daa20d03c2d149553e93270f1b61c9458725a2a4ae675ff355544f2c398ce
Opcode Fuzzy Hash: f9078d2f3f0591bb5794fc9e305c568f94e09dd6f04d94de3612d64b8c44d6e8
Instruction Fuzzy Hash: A4112171604644AFDB209F24DD88C5ABBFEFF8539A710C629F05652D58C730A894EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5A8BA Relevance: 6.1, APIs: 4, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6CB5A8F7
GetSystemMetrics.USER32(0000002D), ref: 6CB5A90B
GetSystemMetrics.USER32(00000002), ref: 6CB5A913
SendMessageW.USER32(?,0000101E,00000000,00000000), ref: 6CB5A92B

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MetricsSystem$ClientMessageRectSend
String ID:
API String ID: 2251314529-0
Opcode ID: bd03f36beebe07e6eefe241a752d4c54b6fb080909b670d98a19dc0563c486f1
Instruction ID: 1bac6f6c7593091d489bc476790e49b9d73854a7868ba20c0a2dc89b0639c18d
Opcode Fuzzy Hash: bd03f36beebe07e6eefe241a752d4c54b6fb080909b670d98a19dc0563c486f1
Instruction Fuzzy Hash: 900161B2A01215AFDF00DFB8C949AAE7BF4EB48300F514166E905F7681DA709940CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5D486 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 6CB5D4C3
_memset.LIBCMT ref: 6CB5D4D9
GetObjectW.GDI32(?,0000005C,?), ref: 6CB5D4EA
CreateFontIndirectW.GDI32(?), ref: 6CB5D4FB

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Object$CreateFontIndirectStock_memset
String ID:
API String ID: 1064234985-0
Opcode ID: 66396cb8229ed8c4db4042f926c57470014d82db0ce6d7e7426138fdd9c71ac3
Instruction ID: 68ec6246092b72ccd019701f8509e1accc65270d40231667df25ba622ab5e768
Opcode Fuzzy Hash: 66396cb8229ed8c4db4042f926c57470014d82db0ce6d7e7426138fdd9c71ac3
Instruction Fuzzy Hash: 1D01C432601658ABDB009FB4DD0CBEFB779FB40704F540219A519E7A80DBB0E9158BC1

Uniqueness

Uniqueness Score: -1.00%

Function 6CB6C413 Relevance: 6.1, APIs: 4, Instructions: 52fileCOMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 6CB6C431
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 6CB6C44A
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 6CB6C47D
DragFinish.SHELL32(?), ref: 6CB6C4A5

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Drag$FileQuery$ActiveFinishWindow
String ID:
API String ID: 892977027-0
Opcode ID: 650a97641f7cead6d1b62b685d1c8cbb58b0752f0ee6c5bb09f84c64b05548dd
Instruction ID: b2bf95ac5b0a5231d6dcf725a753e0e43670b798dab56446288290171cc04d6d
Opcode Fuzzy Hash: 650a97641f7cead6d1b62b685d1c8cbb58b0752f0ee6c5bb09f84c64b05548dd
Instruction Fuzzy Hash: 66112E71A40218ABCF10EB65CC8CFED7BB8FF55315F104595E11AA7281CB74AE849F61

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB0E66 Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00000000), ref: 6CBB0E83

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CountItemMenu
String ID:
API String ID: 1409047151-0
Opcode ID: 0efbb219b473b1bc069c1dc588ca9324c03f4f59dba41336aab52a777cb8d255
Instruction ID: d49918735194ad85f721d1bbf42d21081a6bf63f3de3af01e058845b98317732
Opcode Fuzzy Hash: 0efbb219b473b1bc069c1dc588ca9324c03f4f59dba41336aab52a777cb8d255
Instruction Fuzzy Hash: 9F018FB1E152C8AE9B014A69E9809BF7A7DEB85784F104465F400F2500DB71C9819B61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4D54B Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 6CB4D55B
GetTopWindow.USER32(00000000), ref: 6CB4D59A
GetWindow.USER32(00000000,00000002), ref: 6CB4D5B8

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 618bd99ec5e8d32a7dd32f52f3f3ed3467fef2af6b0d5027049d489da7b1f120
Instruction ID: 0176644ca05f5b6b09cd36ec8e8206a92f5153f1e1adffafef0dcfb64ac1e55b
Opcode Fuzzy Hash: 618bd99ec5e8d32a7dd32f52f3f3ed3467fef2af6b0d5027049d489da7b1f120
Instruction Fuzzy Hash: B401D73210525ABBDF025FA5EC04EDE3A36EF49358F048110FA1465564CB36CA71FBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6CB4CC4B Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 6CB4CC58
GetTopWindow.USER32(00000000), ref: 6CB4CC6B

Part of subcall function 6CB4CC4B: GetWindow.USER32(00000000,00000002), ref: 6CB4CCB2

GetTopWindow.USER32(?), ref: 6CB4CC9B

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 24357cbd58eadd9f265e16ba499af313784a7f0d59528c53819b02d621f30d78
Instruction ID: db2025ca643d016f486007eb81b0dcfc25e21f831191ea3da9210c34b8c8bde7
Opcode Fuzzy Hash: 24357cbd58eadd9f265e16ba499af313784a7f0d59528c53819b02d621f30d78
Instruction Fuzzy Hash: E401B1321096A5B7CB123BAD9D00A8E3A79DF41FA4F04C111FC1066915E731C469B6E6

Uniqueness

Uniqueness Score: -1.00%

Function 6CB7A0C1 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

InflateRect.USER32(?,00000002,00000002), ref: 6CB7A0FD
InvalidateRect.USER32(?,?,00000001), ref: 6CB7A10E
UpdateWindow.USER32(?), ref: 6CB7A117
SetRectEmpty.USER32(?), ref: 6CB7A124

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Rect$EmptyInflateInvalidateUpdateWindow
String ID:
API String ID: 3040190709-0
Opcode ID: fc8d5b8ed43a697725c3b4b45fc1e63a4adf26102b19838e2fe940029fb266dc
Instruction ID: fac6edcdffcf8f018270ae73d620176397007a437e5d85df63e089de75b6b3a0
Opcode Fuzzy Hash: fc8d5b8ed43a697725c3b4b45fc1e63a4adf26102b19838e2fe940029fb266dc
Instruction Fuzzy Hash: C70192716001459FCF00DF98CD89ADA7BB8FB0A325F504265ED06AF096CB709A45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5D006 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,?,00000001,?,?,6CB5D41E), ref: 6CB5D025
InvalidateRect.USER32(?,?,00000001), ref: 6CB5D046
InvalidateRect.USER32(?,?,00000001,00000000), ref: 6CB5D06B
UpdateWindow.USER32(?), ref: 6CB5D07B

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: InvalidateRect$UpdateWindow
String ID:
API String ID: 488614814-0
Opcode ID: b9418a837a6bef9f6ad6b7b8bd60b89c58ade2cbb8eed0112f016878bfa0b113
Instruction ID: 20bcfe1b1e8bf38152b8e795c4d8e47bf643bba0a28575d633ba65c501aed6da
Opcode Fuzzy Hash: b9418a837a6bef9f6ad6b7b8bd60b89c58ade2cbb8eed0112f016878bfa0b113
Instruction Fuzzy Hash: E1015A72201600DFE7219F39DD90F92B7F9FF48310F990658E1A9972A1D770E891CB11

Uniqueness

Uniqueness Score: -1.00%

Function 6CB50192 Relevance: 6.0, APIs: 4, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6CB501A7
GetParent.USER32(?), ref: 6CB501B6
GetParent.USER32(?), ref: 6CB501CC
SetFocus.USER32(?,00000000), ref: 6CB501E2

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Parent$Focus
String ID:
API String ID: 384096180-0
Opcode ID: 91e1aa289dfa0b2edb4f3d80ea22ba277874a45c61c6688bff8621b4bffd97d6
Instruction ID: 3aef4484393aa01ddf3ff54e15a704ce9df194c4b6c6442b976d3a48cdfe7499
Opcode Fuzzy Hash: 91e1aa289dfa0b2edb4f3d80ea22ba277874a45c61c6688bff8621b4bffd97d6
Instruction Fuzzy Hash: E4F037326146809BDA207B35E808A9E7AF9FF84218F054868E48693A64DB74DC19EA10

Uniqueness

Uniqueness Score: -1.00%

Function 6CB653A5 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 6CB653CB
PtInRect.USER32(?,?,?), ref: 6CB653DE
SetCapture.USER32(?), ref: 6CB653EB
RedrawWindow.USER32(?,00000000,00000000,00000401,00000000), ref: 6CB6540A

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CaptureClientRectRedrawScreenWindow
String ID:
API String ID: 2178243973-0
Opcode ID: 4b99ff0a6bcd6d822508bf201e98d1fce53e62e429c2b0e30944674e85ab9d35
Instruction ID: 262ff75dd33358b8108999b1477bf26de09c5ec006075045633e00fe4ed5972d
Opcode Fuzzy Hash: 4b99ff0a6bcd6d822508bf201e98d1fce53e62e429c2b0e30944674e85ab9d35
Instruction Fuzzy Hash: 14018F71620208BFDF119F60CC09BDEBBB8FB08304F408559F546A2650DBB0E964EB14

Uniqueness

Uniqueness Score: -1.00%

Function 6CB69A1D Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,00000005), ref: 6CB69A39
LoadResource.KERNEL32(?,00000000), ref: 6CB69A41
LockResource.KERNEL32(00000000), ref: 6CB69A4E
FreeResource.KERNEL32(00000000,00000000,?,?), ref: 6CB69A66

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: d97d3af0508469cff89ab8c5b9a498225745d0503dde855369f48470b7304b99
Instruction ID: d4a3be57084ea61a415cd86358311ea538415dd962761bd1a78c386698768f41
Opcode Fuzzy Hash: d97d3af0508469cff89ab8c5b9a498225745d0503dde855369f48470b7304b99
Instruction Fuzzy Hash: 50F0B432600614BBCB016BA58C48CDFBFBCEF866717008425F605E3600DB70C951ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 6CC1CE7F Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

Part of subcall function 6CB500C2: ShowWindow.USER32(?,?,?,?,?,6CB4C0E9,00000001), ref: 6CB500D3

UpdateWindow.USER32(?), ref: 6CC1CEAC
UpdateWindow.USER32(?), ref: 6CC1CEB8
SetRectEmpty.USER32(?), ref: 6CC1CEC4
SetRectEmpty.USER32(?), ref: 6CC1CECD

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$EmptyRectUpdate$Show
String ID:
API String ID: 1262231214-0
Opcode ID: d434e3b88b04cdf630b88584b7cccd2883c3137c95de6f952fdc72b917c0ac8d
Instruction ID: 01c104e5c6efb337557d4f929ef3802d779b26e1dab5827850630d7a86871526
Opcode Fuzzy Hash: d434e3b88b04cdf630b88584b7cccd2883c3137c95de6f952fdc72b917c0ac8d
Instruction Fuzzy Hash: 5FF08232311A149FE711AB26CC00F47B7F9BFC1715F260529E195A3960DB71E811DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB7BA8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6CBB7BB2

Part of subcall function 6CBE5C31: __EH_prolog3.LIBCMT ref: 6CBE5C38

Part of subcall function 6CBE5954: __EH_prolog3.LIBCMT ref: 6CBE595B

Strings

MDITabsState, xrefs: 6CBB7C66
%sMDIClientArea-%d, xrefs: 6CBB7BF4

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: H_prolog3$H_prolog3_catch
String ID: %sMDIClientArea-%d$MDITabsState
API String ID: 1670334802-353449602
Opcode ID: 22612a4d8b3923bf8a5ba16292a042f4bda00756c095144b1a82028617f1b282
Instruction ID: 4fb963dd5f1857e54e95a8c1a1d60e840593efd32b6a491eaed46d7746517dbb
Opcode Fuzzy Hash: 22612a4d8b3923bf8a5ba16292a042f4bda00756c095144b1a82028617f1b282
Instruction Fuzzy Hash: 56519070901199EFCF05CBA4C954BFDBBB4EF09308F148189E119BB781DB719A48DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6CB7125E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

Part of subcall function 6CB70E98: GetModuleHandleW.KERNEL32(DWMAPI,?,?,00000000,?,?,?,?,?,?,?,?,6CBB5932), ref: 6CB70F0F
Part of subcall function 6CB70E98: GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps), ref: 6CB70F1F

Part of subcall function 6CB5C89B: __EH_prolog3.LIBCMT ref: 6CB5C8A2

GetWindowRect.USER32(?,?), ref: 6CB712D1
SetWindowRgn.USER32(?,00000000,00000001), ref: 6CB7131E

Strings

, xrefs: 6CB712FA

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Window$AddressH_prolog3HandleModuleProcRect
String ID:
API String ID: 2106468464-3916222277
Opcode ID: ad4a84c8abaf5ffc1a54931e75bf10cd9572110663be0d2d265c28d66c4ce2ca
Instruction ID: a026b1cf909112f12a1adb2d088f6c65ae692d587d0e9d77439fc1c89b7213f5
Opcode Fuzzy Hash: ad4a84c8abaf5ffc1a54931e75bf10cd9572110663be0d2d265c28d66c4ce2ca
Instruction Fuzzy Hash: 75516070A00644EFCB22CF65C8549EFBBF5FF88744F24452EE86A96A50DB309A40CB65

Uniqueness

Uniqueness Score: -1.00%

Function 6CB7524E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 6CB752BD
SystemParametersInfoW.USER32(00000026,00000000,?,00000000), ref: 6CB7535A

Strings

, xrefs: 6CB752E8

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: InfoParametersRectSystemWindow
String ID:
API String ID: 85510744-3916222277
Opcode ID: 128dbc6540f30674cfbd0505c366654b49825632ff220b7a9edaaa00cc53e02d
Instruction ID: 421def7e7406e276e775fa22133ca6ad3a8e7ae732e0679c03b32314c12b5ea9
Opcode Fuzzy Hash: 128dbc6540f30674cfbd0505c366654b49825632ff220b7a9edaaa00cc53e02d
Instruction Fuzzy Hash: C5416C71A00748DFCB21CF65C9849EEBBF5FF88344F10852EE86AA6650DB719A84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6CBBFA77 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105timeCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 6CBBFB4B
KillTimer.USER32(?,00000002), ref: 6CBBFB7A

Strings

, xrefs: 6CBBFB2F

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: KillRectTimerWindow
String ID:
API String ID: 1987732032-3916222277
Opcode ID: 23ffcd6d86b5df8e87da498c02b7878e9a9ca190645e74be187895db7a8f0cec
Instruction ID: 2e0a3c3809dbb119dce65cd49ece84bffad8765aa5e24298fb1d6de1cef52c55
Opcode Fuzzy Hash: 23ffcd6d86b5df8e87da498c02b7878e9a9ca190645e74be187895db7a8f0cec
Instruction Fuzzy Hash: 9D31CF39A046459FCB14DFA8C884AEEB7B1FF88305F20456AE41AA7641DF70B945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6CB42B20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,00000006,?,?,-00000034,?,6CB42CBE,00000000,?,?,?,-00000034,?,6CB472D7,?), ref: 6CB42B3B

Part of subcall function 6CB429E0: LoadResource.KERNEL32(?,00000000,?,?,?,6CB42B4D,?,00000000,00000000,?,00000006,?,?,-00000034,?,6CB42CBE), ref: 6CB429ED

_wmemcpy_s.LIBCMT ref: 6CB42BB6

Strings

&, xrefs: 6CB42BD6

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: Resource$FindLoad_wmemcpy_s
String ID: &
API String ID: 3991362986-2822232526
Opcode ID: cf34a1b3323add8b65bf67e05af84044c8be90e0138916b700f0c32cc0cb9325
Instruction ID: 23448737bc937b808ffd5e7dffb2498fb8fa9ce1d8fdb6bbb6bc9049ad9ed437
Opcode Fuzzy Hash: cf34a1b3323add8b65bf67e05af84044c8be90e0138916b700f0c32cc0cb9325
Instruction Fuzzy Hash: 622134322084515FD7109FADDC8CE6BB3A9EF82364B04C666F844CB748E270E841B3A3

Uniqueness

Uniqueness Score: -1.00%

Function 6CB7FC37 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CB7FC3E

Part of subcall function 6CBE5C31: __EH_prolog3.LIBCMT ref: 6CBE5C38

Part of subcall function 6CBE5954: __EH_prolog3.LIBCMT ref: 6CBE595B

Strings

LargeIcons, xrefs: 6CB7FCDF
%sMFCToolBarParameters, xrefs: 6CB7FC71

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: H_prolog3
String ID: %sMFCToolBarParameters$LargeIcons
API String ID: 431132790-2076908790
Opcode ID: 54320ce2c1dc5d9956aff05822c6f3a80344e74aca7326a6f3f685b2ee756e46
Instruction ID: 6b689f017809daf8fd28d0a0e682565c2719f895f74b60c7e4e5492f47c7c081
Opcode Fuzzy Hash: 54320ce2c1dc5d9956aff05822c6f3a80344e74aca7326a6f3f685b2ee756e46
Instruction Fuzzy Hash: 3821C971A00185EFCF10DFA8C884FEDBBB4AF45348F144059E919AB781DB718A48DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6CB5BB0C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 6CB5BB54
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 6CB5BB66

Part of subcall function 6CB452C6: __CxxThrowException@8.LIBCMT ref: 6CB452DC
Part of subcall function 6CB452C6: __EH_prolog3.LIBCMT ref: 6CB452E9

Strings

N, xrefs: 6CB5BB11

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: MessageSend$Exception@8H_prolog3Throw
String ID: N
API String ID: 2952110909-1130791706
Opcode ID: 2dc33060462821c22415b2d9cb0f10b61e2e26ab25f10fa958eab18028be0d33
Instruction ID: 61b3671d24d47bebabd516c5e23403be060d20033d84f75d7dd74fe651ccd7d0
Opcode Fuzzy Hash: 2dc33060462821c22415b2d9cb0f10b61e2e26ab25f10fa958eab18028be0d33
Instruction Fuzzy Hash: 94112531700B85AFDB118FA5CC40FAAB7A9FF48369F004228F2145AAA1CBB0DC60C750

Uniqueness

Uniqueness Score: -1.00%

Function 6CB41A40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CB41A4F

Part of subcall function 6CC4936E: std::exception::exception.LIBCMT ref: 6CC49383
Part of subcall function 6CC4936E: __CxxThrowException@8.LIBCMT ref: 6CC49398
Part of subcall function 6CC4936E: std::exception::exception.LIBCMT ref: 6CC493A9

_memmove.LIBCMT ref: 6CB41A8A

Strings

invalid string position, xrefs: 6CB41A4A

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: cff9da22587e1af5d48c44e0b0e7c31be772165580b1fd663ee8e4924d543349
Instruction ID: 90f1e57f43c300326c61ce1e2694b1c3c566f487cf902b211703242cda847c9d
Opcode Fuzzy Hash: cff9da22587e1af5d48c44e0b0e7c31be772165580b1fd663ee8e4924d543349
Instruction Fuzzy Hash: F5015E327086518BC330CE3CE99081AB3F6AFC47443288A2DD0A5C7E1DEB31D9669791

Uniqueness

Uniqueness Score: -1.00%

Function 6CB55FBD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetMonitorInfoW.USER32(?,?), ref: 6CB55FE2
CopyRect.USER32(?,?), ref: 6CB55FF4

Strings

(, xrefs: 6CB55FDB

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CopyInfoMonitorRect
String ID: (
API String ID: 2119610155-3887548279
Opcode ID: 920327661d1a99d4c3c58e1b8e7221c7cabe54b8dd8c1c1f178d4457158eb396
Instruction ID: d1b38affb8ef423ea847ee58f54ce536183d5e48fd4e292217e245c38f21f4ee
Opcode Fuzzy Hash: 920327661d1a99d4c3c58e1b8e7221c7cabe54b8dd8c1c1f178d4457158eb396
Instruction Fuzzy Hash: 8211D6B1A1164ADFCB00CFA8C58499EB7F8FF08304B908859E456E3740D730F955CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6CB55D94 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6CB4C1E4: GetModuleHandleW.KERNEL32(?,?,6CB4C230,InitCommonControls), ref: 6CB4C1F2
Part of subcall function 6CB4C1E4: LoadLibraryW.KERNEL32(?,?,6CB4C230,InitCommonControls), ref: 6CB4C202

GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 6CB55DC7
_memset.LIBCMT ref: 6CB55DE0

Strings

DllGetVersion, xrefs: 6CB55DC1

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc_memset
String ID: DllGetVersion
API String ID: 3385804498-2861820592
Opcode ID: a8833213126625f36ed4203b1030452b522fe715c2706af5ba28ee26198f685d
Instruction ID: b6211b58c40b5f73b42a5b101702eb4cb78d82d4f60fbcb9c31ec4809d709c4e
Opcode Fuzzy Hash: a8833213126625f36ed4203b1030452b522fe715c2706af5ba28ee26198f685d
Instruction Fuzzy Hash: BE01F171F00229ABDB00DFA9D885BDE77F8EF05319F900461EA04E3690E7309D1887E5

Uniqueness

Uniqueness Score: -1.00%

Function 6CBD19EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34registryclipboardCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CBD19F3
RegisterClipboardFormatW.USER32(00000010), ref: 6CBD1A3C

Strings

ToolbarButton%p, xrefs: 6CBD1A2A

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ClipboardFormatH_prolog3Register
String ID: ToolbarButton%p
API String ID: 1070914459-899657487
Opcode ID: 7888a1c99891a8109b07cfb4bb75b34103574f02107fca9bbb28902d0a04e2b2
Instruction ID: 26d9c538fcd31ebe7486425e3d6be1c4ec8b0fd96cb03ecb8e6e220fb047cdc6
Opcode Fuzzy Hash: 7888a1c99891a8109b07cfb4bb75b34103574f02107fca9bbb28902d0a04e2b2
Instruction Fuzzy Hash: 32F0AF329081A18ADF10EBE5D8087DDB774EF01328F0A8A49E42463F80EB34A948DF56

Uniqueness

Uniqueness Score: -1.00%

Function 6CBB09CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6CBB09D6
GetProcAddress.KERNEL32(00000000,?), ref: 6CBB0A0F

Part of subcall function 6CB4B536: ActivateActCtx.KERNEL32(?,?,6CC89010,00000010,6CB4DF4A,hhctrl.ocx,6CB4D17C,0000000C), ref: 6CB4B556

Strings

UxTheme.dll, xrefs: 6CBB09EF

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: ActivateAddressH_prolog3Proc
String ID: UxTheme.dll
API String ID: 323876227-352951104
Opcode ID: 06a4f75b67fb2eb9f6f823b382d5a48eccb5cf95e2cbce9b01e8957d4637f917
Instruction ID: 25bce8af025fb65017fcbd83fec0ab850a61fd2a8ecff26133dc41cf744fdcfe
Opcode Fuzzy Hash: 06a4f75b67fb2eb9f6f823b382d5a48eccb5cf95e2cbce9b01e8957d4637f917
Instruction Fuzzy Hash: 70E030757011645ADB109BA5A52C39C3AF4BB07759F508044E808E7B80EB76CA548F55

Uniqueness

Uniqueness Score: -1.00%

Function 6CB467D5 Relevance: 5.1, APIs: 4, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6CC9E99C,00000000,6CC9E980,6CC9E99C,6CC9E980,?,6CB468B4,02C5EA48,00000000,?,?,?,?,6CB46BD2,00000000,00000000), ref: 6CB46834
LeaveCriticalSection.KERNEL32(6CC9E99C,00000000,?,6CB468B4,02C5EA48,00000000,?,?,?,?,6CB46BD2,00000000,00000000,000000FF,00000010,6CB445DD), ref: 6CB46844
LocalFree.KERNEL32(?,?,6CB468B4,02C5EA48,00000000,?,?,?,?,6CB46BD2,00000000,00000000,000000FF,00000010,6CB445DD,?), ref: 6CB4684D
TlsSetValue.KERNEL32(6CC9E980,00000000,?,6CB468B4,02C5EA48,00000000,?,?,?,?,6CB46BD2,00000000,00000000,000000FF,00000010,6CB445DD), ref: 6CB4685F

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: 302af91b1d9ba9d4e240cb984d6e7262555e40430a3ad745c2c3a3d6992470eb
Instruction ID: 3a656581da1e6429d80de9b244a5196efe367d25fe39e504242a6d0bef8c65f3
Opcode Fuzzy Hash: 302af91b1d9ba9d4e240cb984d6e7262555e40430a3ad745c2c3a3d6992470eb
Instruction Fuzzy Hash: A1114931A05604EFDB10CF54C884F5AB7B4FF4531AF20C46AE562CBAA5CB71A990DF51

Uniqueness

Uniqueness Score: -1.00%

Function 6CB46A75 Relevance: 5.0, APIs: 4, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6CC9EB58,?,?,?,?,6CB463CF,00000010,00000008,6CB4627B,6CB46212,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA), ref: 6CB46AAF
InitializeCriticalSection.KERNEL32(?,?,?,?,?,6CB463CF,00000010,00000008,6CB4627B,6CB46212,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA), ref: 6CB46AC1
LeaveCriticalSection.KERNEL32(6CC9EB58,?,?,?,?,6CB463CF,00000010,00000008,6CB4627B,6CB46212,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA), ref: 6CB46ACE
EnterCriticalSection.KERNEL32(?,?,?,?,?,6CB463CF,00000010,00000008,6CB4627B,6CB46212,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA), ref: 6CB46ADE

Part of subcall function 6CB452C6: __CxxThrowException@8.LIBCMT ref: 6CB452DC
Part of subcall function 6CB452C6: __EH_prolog3.LIBCMT ref: 6CB452E9

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
String ID:
API String ID: 2895727460-0
Opcode ID: b1a32a24495efb6a6461e98e236f12d1ff5bc57b7be1701f69d4cd328dc9ab8b
Instruction ID: 70ede64ac9bc19f8275f9c8f111493a37b8e29f1ed0c8e40d4bff6882a6c5105
Opcode Fuzzy Hash: b1a32a24495efb6a6461e98e236f12d1ff5bc57b7be1701f69d4cd328dc9ab8b
Instruction Fuzzy Hash: 6BF0F672208544AFDF005F59CC44749B779FBE2368F56841AE00193941DB30A4C4EBE6

Uniqueness

Uniqueness Score: -1.00%

Function 6CB46303 Relevance: 5.0, APIs: 4, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6CC9E99C,?,?,?,?,6CB4692F,?,00000004,6CB4625C,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA,?), ref: 6CB46311
TlsGetValue.KERNEL32(6CC9E980,?,?,?,?,6CB4692F,?,00000004,6CB4625C,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA,?), ref: 6CB46325
LeaveCriticalSection.KERNEL32(6CC9E99C,?,?,?,?,6CB4692F,?,00000004,6CB4625C,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA,?), ref: 6CB4633B
LeaveCriticalSection.KERNEL32(6CC9E99C,?,?,?,?,6CB4692F,?,00000004,6CB4625C,6CB452E2,6CB46285,6CB46ECD,6CB445CE,?,6CC32FFA,?), ref: 6CB46346

Memory Dump Source

Source File: 00000003.00000002.2132800507.000000006CB41000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CB40000, based on PE: true

Associated: 00000003.00000002.2132784750.000000006CB40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132887188.000000006CC57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132918379.000000006CC99000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132938920.000000006CCA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2132956978.000000006CCA7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cb40000_rundll32.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 1af684b6e2b4668138570b13e7022d04c8e8962bcbed053e2b6e071431cbb843
Instruction ID: bf3e89ffed336395971974e95c76cea3f22ab060fe406028fd1f9bfa2b88e99e
Opcode Fuzzy Hash: 1af684b6e2b4668138570b13e7022d04c8e8962bcbed053e2b6e071431cbb843
Instruction Fuzzy Hash: BFF030362181549FD7104F68CC88C4BF7BEEB89370319C555E815D3515D634F895AB50

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report relay.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_41a576617a4d91b2fca1f808095b0ff5072ae_7522e4b5_42b45446-5eab-40ec-af17-0c0f836199b4\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_43a5166fcb246f7d77dda47518c3ad7a1b5fed0_7522e4b5_947ae66e-1b85-463a-8ce6-0cbc4dae92d4\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_43a5166fcb246f7d77dda47518c3ad7a1b5fed0_7522e4b5_e91ff5ac-65a9-46ed-9bba-93ef15ff2f0b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_58917a6b9efbc14a7f3eb3b1b9c8b1b9253d4_7522e4b5_1b83567d-f16f-46b8-80f9-995180bfbf98\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_7b66fce5118c38f37fd6766cbdd34cc5acf99d_7522e4b5_2e868f36-de62-4ba6-9b84-fedb1c24e82b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_7b66fce5118c38f37fd6766cbdd34cc5acf99d_7522e4b5_80a7260b-cf6e-489e-a566-6a270c8c0270\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_7b66fce5118c38f37fd6766cbdd34cc5acf99d_7522e4b5_d55df6fc-a234-4ca2-8311-086d43100733\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER12B.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER14B.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4F.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD5F.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD8E.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDEC.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE93D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE94D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE99.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREA67.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREA68.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREAA7.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREAB6.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC8.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERED8.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREE7.tmp.WERInternalMetadata.xml

Windows Analysis Report
relay.dll