Edit tour

Windows Analysis Report
YY#U6302#U53f7#U534f#U8bae.exe

Overview

General Information

Sample name:	YY#U6302#U53f7#U534f#U8bae.exe renamed because original name is a hash value
Original sample name:	YY.exe
Analysis ID:	1457838
MD5:	765cf453d0cea3719b619e4c55881093
SHA1:	060ae0476bbd908d08537c8b6bb24d2ec83d524c
SHA256:	3d76cc27be3265077a5c15f2c76848b73148df035b7d3a3d2b9ad77232587cfd
Tags:	exe
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Detected VMProtect packer

Machine Learning detection for sample

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

YY#U6302#U53f7#U534f#U8bae.exe (PID: 908 cmdline: "C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe" MD5: 765CF453D0CEA3719B619E4C55881093)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: YY#U6302#U53f7#U534f#U8bae.exe

Virustotal: Detection: 50%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.5% probability

Machine Learning detection for sample

Source: YY#U6302#U53f7#U534f#U8bae.exe

Joe Sandbox ML: detected

Source: YY#U6302#U53f7#U534f#U8bae.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: \iext_fnr.pdb source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1701213455.0000000002F09000.00000004.00000020.00020000.00000000.sdmp, YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmp, iext1.fnr.bbs.125.la.0.dr
Source:	Binary string: C:\Program Files (x86)\e\lib\ExuiKrnln\ExuiKrnln.pdb source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: F:\openssl-1.0.0d\openssl-1.0.0d\out32dll\libeay32.pdb source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: F:\openssl-1.0.0d\openssl-1.0.0d\out32dll\libeay32.pdb source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: \iext_fnr.pdbM source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1701213455.0000000002F09000.00000004.00000020.00020000.00000000.sdmp, YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmp, iext1.fnr.bbs.125.la.0.dr

Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CEFC5C0 FindFirstFileW,FindNextFileW,FindNextFileW,		0_2_6CEFC5C0
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CEFC790 FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,lstrlenA,		0_2_6CEFC790

Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000003.1699125254.0000000001351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://117.72.34.175:1011/?OrderID=4BA33E0B1BE84295&ipnumber=50
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://120.26.95.191:5658/
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://120.26.95.191:5658/http://120.26.95.191:5659/qq17336171577b2cc005c28c42472000e7863283a212&_=h
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://120.26.95.191:5659/
Source: iext1.fnr.bbs.125.la.0.dr	String found in binary or memory: http://bbs.125.la/
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://channel.yy.com/ajax/member/indexAction
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://do-dw.yy.com/user.php?sids=
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://hgame.yy.com/action/getUserLoginInfo.json
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://hgame.yy.com/action/getUserLoginInfo.jsondata.ownChannels
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://peipei.yy.com/web/account/internal/account/list
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://vip.yy.com/service/web/user/info?_time=
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://vip.yy.com/service/web/user/info?_time=vipLevel
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://vip.yy.com/vip/vcard/indexrest?_time=
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.openssl.org/V
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.uc.cn/ip
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.uc.cn/ipIP:http://
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.yy.com/
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.yy.com/search-
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.yy.com/sid
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1701213455.0000000002F09000.00000004.00000020.00020000.00000000.sdmp, YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmp, iext1.fnr.bbs.125.la.0.dr	String found in binary or memory: https://bbs.125.la/thread-14738139-1-1.html
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://captcha.yy.com/baidu/submit.do?appid=
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://captcha.yy.com/baidu/submit.do?appid=obj
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://hd.vip.yy.com/service/hdplatform/drawgift/202402ee1a8f/giftpagingp?drawGiftGroupId=202402ee1
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://hgame.yy.com/person/p_account
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://iexui.com/downexui
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://lxcode.bs2cdn.yy.com/a413808b-e679-47f1-9380-be7b3ebf8813.xml?from=yyweb
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://lxcode.bs2cdn.yy.com/a413808b-e679-47f1-9380-be7b3ebf8813.xml?from=yywebconfigData/giftDatac
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://nfnba.lanzoub.com/ietaw0udyhid
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://passport.baidu.com/viewlog/getstyle?ak=
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://passport.baidu.com/viewlog?ak=
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://udb.yy.com/authentication.do?action=authenticate&appid=5060&busiUrl=http%3A%2F%2Fwww.yy.com&
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.dmdaili.com/yaoqing/33405.html
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.xiequ.cn/index.html?dc1bbee2
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.yy.com/gu/
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.yy.com/u/
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.yy.com/zone/assets/total.json
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.yy.com/zone/userinfo/getUserInfo.json
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://ysapi.yy.com/api/internal/nobleQuery/QueryUserInfoReq.json?data=
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://yyfkw.cn
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://yyfkw.cn999https://nfnba.lanzoub.com/ietaw0udyhid

System Summary

Detected VMProtect packer

Source: YY#U6302#U53f7#U534f#U8bae.exe

Static PE information: .vmp0 and .vmp1 section names

Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_00401770	0_2_00401770
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF03D60	0_2_6CF03D60
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF03060	0_2_6CF03060
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF25CA0	0_2_6CF25CA0
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF56C8E	0_2_6CF56C8E
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF08C70	0_2_6CF08C70
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF27D80	0_2_6CF27D80
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF58D78	0_2_6CF58D78
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF04EB0	0_2_6CF04EB0
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF32EA0	0_2_6CF32EA0
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF29E30	0_2_6CF29E30
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF30E30	0_2_6CF30E30
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF22F50	0_2_6CF22F50
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF0AF40	0_2_6CF0AF40
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF28F20	0_2_6CF28F20
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF35F20	0_2_6CF35F20
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF1C860	0_2_6CF1C860
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF42814	0_2_6CF42814
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CEF19F0	0_2_6CEF19F0
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF24940	0_2_6CF24940
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF32930	0_2_6CF32930
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF0BAE0	0_2_6CF0BAE0
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF17A1E	0_2_6CF17A1E
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF1ABC0	0_2_6CF1ABC0
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CEFDB50	0_2_6CEFDB50
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF33B00	0_2_6CF33B00
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF2B4E0	0_2_6CF2B4E0
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF424B5	0_2_6CF424B5
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF20400	0_2_6CF20400
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CEF4590	0_2_6CEF4590
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF1F560	0_2_6CF1F560
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF5D549	0_2_6CF5D549
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF0C6E0	0_2_6CF0C6E0
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CEF76D0	0_2_6CEF76D0
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF496A7	0_2_6CF496A7
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF2A680	0_2_6CF2A680
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CEF3640	0_2_6CEF3640
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF22610	0_2_6CF22610
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF067A0	0_2_6CF067A0
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF5C790	0_2_6CF5C790
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CEFC790	0_2_6CEFC790
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF04770	0_2_6CF04770
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF13770	0_2_6CF13770
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF4B710	0_2_6CF4B710
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF251C0	0_2_6CF251C0
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF17180	0_2_6CF17180
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CEF5190	0_2_6CEF5190

Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe

Code function: String function: 6CF3C240 appears 47 times

Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSkinH_EL.dll vs YY#U6302#U53f7#U534f#U8bae.exe
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameExuiKrnl.dll* vs YY#U6302#U53f7#U534f#U8bae.exe
Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelibeay32.dllH vs YY#U6302#U53f7#U534f#U8bae.exe

Source: YY#U6302#U53f7#U534f#U8bae.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal60.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe

Code function: 0_2_6CEFAD60 CreateToolhelp32Snapshot,GetCurrentProcessId,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,FindCloseChangeNotification,

0_2_6CEFAD60

Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe

File created: C:\Users\user\AppData\Local\Temp\iext1.fnr.bbs.125.la

Jump to behavior

Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: YY#U6302#U53f7#U534f#U8bae.exe

Virustotal: Detection: 50%

Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Section loaded: udbauthsdk.dll	Jump to behavior
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Section loaded: wintypes.dll	Jump to behavior

Source: YY#U6302#U53f7#U534f#U8bae.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: YY#U6302#U53f7#U534f#U8bae.exe

Static file information: File size 4972544 > 1048576

Source: YY#U6302#U53f7#U534f#U8bae.exe

Static PE information: Raw size of .vmp1 is bigger than: 0x100000 < 0x4b9000

Source:	Binary string: \iext_fnr.pdb source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1701213455.0000000002F09000.00000004.00000020.00020000.00000000.sdmp, YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmp, iext1.fnr.bbs.125.la.0.dr
Source:	Binary string: C:\Program Files (x86)\e\lib\ExuiKrnln\ExuiKrnln.pdb source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: F:\openssl-1.0.0d\openssl-1.0.0d\out32dll\libeay32.pdb source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: F:\openssl-1.0.0d\openssl-1.0.0d\out32dll\libeay32.pdb source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: \iext_fnr.pdbM source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1701213455.0000000002F09000.00000004.00000020.00020000.00000000.sdmp, YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmp, iext1.fnr.bbs.125.la.0.dr

Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe

Code function: 0_2_6CF03D60 CreateIextInterface,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetModuleFileNameW,_wcsrchr,LoadLibraryW,FreeLibrary,GetModuleHandleW,GetCurrentProcess,ReadProcessMemory,OpenFileMappingW,GetCurrentProcessId,MapViewOfFile,UnmapViewOfFile,CloseHandle,LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_6CF03D60

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp1

Source: YY#U6302#U53f7#U534f#U8bae.exe	Static PE information: section name: .vmp0
Source: YY#U6302#U53f7#U534f#U8bae.exe	Static PE information: section name: .vmp1
Source: iext1.fnr.bbs.125.la.0.dr	Static PE information: section name: .detourc
Source: iext1.fnr.bbs.125.la.0.dr	Static PE information: section name: .detourd

Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_00406D9F pushad ; ret	0_2_00406DA0
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_004065AC push ebx; retf	0_2_004065AD
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF5BFC1 push ecx; ret	0_2_6CF5BFD4

Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe

File created: C:\Users\user\AppData\Local\Temp\iext1.fnr.bbs.125.la

Jump to dropped file

Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe

File created: C:\Users\user\AppData\Local\Temp\iext1.fnr.bbs.125.la

Jump to dropped file

Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe

Code function: 0_2_6CEFAD60 CreateToolhelp32Snapshot,GetCurrentProcessId,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,FindCloseChangeNotification,

0_2_6CEFAD60

Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\iext1.fnr.bbs.125.la

Jump to dropped file

Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe

API coverage: 1.2 %

Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CEFC5C0 FindFirstFileW,FindNextFileW,FindNextFileW,		0_2_6CEFC5C0
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CEFC790 FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,lstrlenA,		0_2_6CEFC790

Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1700974559.000000000131E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllpp

Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe

Code function: 0_2_6CF03060 GdiplusStartup,IsDebuggerPresent,

0_2_6CF03060

Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe

Code function: 0_2_6CEFAD60 CreateToolhelp32Snapshot,GetCurrentProcessId,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,FindCloseChangeNotification,

0_2_6CEFAD60

Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe

0_2_6CF03D60

Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe

Code function: 0_2_6CF56124 GetProcessHeap,

0_2_6CF56124

Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF3B805 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6CF3B805
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF44984 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CF44984
Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe	Code function: 0_2_6CF3C469 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CF3C469

Source: YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: ExuiKrnln.dll,Tab_HbitmapLayeredTab_UpdateStateTab_RefreshCallBackTab_NeedUpdateFocusManagementTabDownTab_OLDFocuscontrolTab_WM_DESTROYTab_WM_DESTROY_TRUETab_WM_32879Tab_WM_DESTROY_FALSETab_IsWinControlWM_SIZEIsunicodeTab_GraphicsTab_OldHbitmapICON_1DownlistExShell_TrayWnd

Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe

Code function: 0_2_6CF3C285 cpuid

0_2_6CF3C285

Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe

Code function: 0_2_6CF3C58C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6CF3C58C

Source: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe

Code function: 0_2_6CF5445D GetTimeZoneInformation,

0_2_6CF5445D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	3 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
YY#U6302#U53f7#U534f#U8bae.exe	50%	Virustotal		Browse
YY#U6302#U53f7#U534f#U8bae.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\iext1.fnr.bbs.125.la	5%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG	0%	Avira URL Cloud	safe
https://ysapi.yy.com/api/internal/nobleQuery/QueryUserInfoReq.json?data=	0%	Avira URL Cloud	safe
http://www.yy.com/search-	0%	Avira URL Cloud	safe
https://www.yy.com/zone/assets/total.json	0%	Avira URL Cloud	safe
http://hgame.yy.com/action/getUserLoginInfo.jsondata.ownChannels	0%	Avira URL Cloud	safe
http://120.26.95.191:5659/	0%	Avira URL Cloud	safe
http://www.openssl.org/V	0%	Avira URL Cloud	safe
https://ysapi.yy.com/api/internal/nobleQuery/QueryUserInfoReq.json?data=	0%	Virustotal		Browse
https://www.yy.com/zone/assets/total.json	0%	Virustotal		Browse
http://www.yy.com/	0%	Avira URL Cloud	safe
http://www.openssl.org/V	0%	Virustotal		Browse
http://peipei.yy.com/web/account/internal/account/list	0%	Avira URL Cloud	safe
http://www.yy.com/	0%	Virustotal		Browse
https://www.yy.com/u/	0%	Avira URL Cloud	safe
http://www.yy.com/search-	0%	Virustotal		Browse
http://bbs.125.la/	0%	Avira URL Cloud	safe
http://hgame.yy.com/action/getUserLoginInfo.jsondata.ownChannels	NaN%	Virustotal		Browse
https://bbs.125.la/thread-14738139-1-1.html	0%	Avira URL Cloud	safe
http://120.26.95.191:5659/	NaN%	Virustotal		Browse
http://vip.yy.com/service/web/user/info?_time=vipLevel	0%	Avira URL Cloud	safe
https://www.yy.com/u/	0%	Virustotal		Browse
http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG	0%	Virustotal		Browse
http://peipei.yy.com/web/account/internal/account/list	NaN%	Virustotal		Browse
http://bbs.125.la/	1%	Virustotal		Browse
http://hgame.yy.com/action/getUserLoginInfo.json	0%	Avira URL Cloud	safe
https://www.dmdaili.com/yaoqing/33405.html	0%	Avira URL Cloud	safe
https://captcha.yy.com/baidu/submit.do?appid=	0%	Avira URL Cloud	safe
https://passport.baidu.com/viewlog/getstyle?ak=	0%	Avira URL Cloud	safe
https://bbs.125.la/thread-14738139-1-1.html	1%	Virustotal		Browse
http://vip.yy.com/service/web/user/info?_time=vipLevel	NaN%	Virustotal		Browse
https://www.yy.com/zone/userinfo/getUserInfo.json	0%	Avira URL Cloud	safe
https://passport.baidu.com/viewlog/getstyle?ak=	0%	Virustotal		Browse
http://www.openssl.org/support/faq.html	0%	Avira URL Cloud	safe
https://www.dmdaili.com/yaoqing/33405.html	NaN%	Virustotal		Browse
https://hd.vip.yy.com/service/hdplatform/drawgift/202402ee1a8f/giftpagingp?drawGiftGroupId=202402ee1	0%	Avira URL Cloud	safe
http://hgame.yy.com/action/getUserLoginInfo.json	NaN%	Virustotal		Browse
https://captcha.yy.com/baidu/submit.do?appid=	0%	Virustotal		Browse
https://iexui.com/downexui	0%	Avira URL Cloud	safe
http://www.openssl.org/support/faq.html	0%	Virustotal		Browse
http://do-dw.yy.com/user.php?sids=	0%	Avira URL Cloud	safe
https://hgame.yy.com/person/p_account	0%	Avira URL Cloud	safe
https://iexui.com/downexui	0%	Virustotal		Browse
https://captcha.yy.com/baidu/submit.do?appid=obj	0%	Avira URL Cloud	safe
https://yyfkw.cn	0%	Avira URL Cloud	safe
http://117.72.34.175:1011/?OrderID=4BA33E0B1BE84295&ipnumber=50	0%	Avira URL Cloud	safe
https://hd.vip.yy.com/service/hdplatform/drawgift/202402ee1a8f/giftpagingp?drawGiftGroupId=202402ee1	NaN%	Virustotal		Browse
https://hgame.yy.com/person/p_account	0%	Virustotal		Browse
http://120.26.95.191:5658/	0%	Avira URL Cloud	safe
https://www.yy.com/zone/userinfo/getUserInfo.json	NaN%	Virustotal		Browse
https://captcha.yy.com/baidu/submit.do?appid=obj	0%	Virustotal		Browse
https://lxcode.bs2cdn.yy.com/a413808b-e679-47f1-9380-be7b3ebf8813.xml?from=yywebconfigData/giftDatac	0%	Avira URL Cloud	safe
https://yyfkw.cn	0%	Virustotal		Browse
http://vip.yy.com/service/web/user/info?_time=	0%	Avira URL Cloud	safe
http://120.26.95.191:5658/	NaN%	Virustotal		Browse
https://lxcode.bs2cdn.yy.com/a413808b-e679-47f1-9380-be7b3ebf8813.xml?from=yywebconfigData/giftDatac	0%	Virustotal		Browse
http://vip.yy.com/vip/vcard/indexrest?_time=	0%	Avira URL Cloud	safe
http://www.yy.com/sid	0%	Avira URL Cloud	safe
https://www.xiequ.cn/index.html?dc1bbee2	0%	Avira URL Cloud	safe
http://www.uc.cn/ip	0%	Avira URL Cloud	safe
http://www.yy.com/sid	0%	Virustotal		Browse
https://udb.yy.com/authentication.do?action=authenticate&appid=5060&busiUrl=http%3A%2F%2Fwww.yy.com&	0%	Avira URL Cloud	safe
http://do-dw.yy.com/user.php?sids=	0%	Virustotal		Browse
http://vip.yy.com/service/web/user/info?_time=	0%	Virustotal		Browse
https://udb.yy.com/authentication.do?action=authenticate&appid=5060&busiUrl=http%3A%2F%2Fwww.yy.com&	0%	Virustotal		Browse
http://117.72.34.175:1011/?OrderID=4BA33E0B1BE84295&ipnumber=50	NaN%	Virustotal		Browse
https://www.yy.com/gu/	0%	Avira URL Cloud	safe
http://www.uc.cn/ip	0%	Virustotal		Browse
http://www.uc.cn/ipIP:http://	0%	Avira URL Cloud	safe
https://www.yy.com/gu/	0%	Virustotal		Browse
https://www.xiequ.cn/index.html?dc1bbee2	NaN%	Virustotal		Browse
https://nfnba.lanzoub.com/ietaw0udyhid	0%	Avira URL Cloud	safe
https://yyfkw.cn999https://nfnba.lanzoub.com/ietaw0udyhid	0%	Avira URL Cloud	safe
http://120.26.95.191:5658/http://120.26.95.191:5659/qq17336171577b2cc005c28c42472000e7863283a212&_=h	0%	Avira URL Cloud	safe
https://lxcode.bs2cdn.yy.com/a413808b-e679-47f1-9380-be7b3ebf8813.xml?from=yyweb	0%	Avira URL Cloud	safe
https://passport.baidu.com/viewlog?ak=	0%	Avira URL Cloud	safe
https://nfnba.lanzoub.com/ietaw0udyhid	NaN%	Virustotal		Browse
http://vip.yy.com/vip/vcard/indexrest?_time=	0%	Virustotal		Browse
http://channel.yy.com/ajax/member/indexAction	0%	Avira URL Cloud	safe
http://www.uc.cn/ipIP:http://	0%	Virustotal		Browse
http://120.26.95.191:5658/http://120.26.95.191:5659/qq17336171577b2cc005c28c42472000e7863283a212&_=h	NaN%	Virustotal		Browse
https://lxcode.bs2cdn.yy.com/a413808b-e679-47f1-9380-be7b3ebf8813.xml?from=yyweb	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ysapi.yy.com/api/internal/nobleQuery/QueryUserInfoReq.json?data=	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://hgame.yy.com/action/getUserLoginInfo.jsondata.ownChannels	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	NaN%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.yy.com/zone/assets/total.json	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.yy.com/search-	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://120.26.95.191:5659/	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	NaN%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.openssl.org/V	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.yy.com/	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://peipei.yy.com/web/account/internal/account/list	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	NaN%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.yy.com/u/	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://bbs.125.la/	iext1.fnr.bbs.125.la.0.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://bbs.125.la/thread-14738139-1-1.html	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1701213455.0000000002F09000.00000004.00000020.00020000.00000000.sdmp, YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmp, iext1.fnr.bbs.125.la.0.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://vip.yy.com/service/web/user/info?_time=vipLevel	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	NaN%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://hgame.yy.com/action/getUserLoginInfo.json	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	NaN%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://captcha.yy.com/baidu/submit.do?appid=	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.dmdaili.com/yaoqing/33405.html	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	NaN%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://passport.baidu.com/viewlog/getstyle?ak=	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.yy.com/zone/userinfo/getUserInfo.json	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	NaN%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.openssl.org/support/faq.html	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://hd.vip.yy.com/service/hdplatform/drawgift/202402ee1a8f/giftpagingp?drawGiftGroupId=202402ee1	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	NaN%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://iexui.com/downexui	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://do-dw.yy.com/user.php?sids=	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://hgame.yy.com/person/p_account	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://captcha.yy.com/baidu/submit.do?appid=obj	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://yyfkw.cn	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://117.72.34.175:1011/?OrderID=4BA33E0B1BE84295&ipnumber=50	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000003.1699125254.0000000001351000.00000004.00000020.00020000.00000000.sdmp	false	NaN%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://120.26.95.191:5658/	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	NaN%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://lxcode.bs2cdn.yy.com/a413808b-e679-47f1-9380-be7b3ebf8813.xml?from=yywebconfigData/giftDatac	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://vip.yy.com/service/web/user/info?_time=	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://vip.yy.com/vip/vcard/indexrest?_time=	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.yy.com/sid	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.xiequ.cn/index.html?dc1bbee2	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	NaN%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.uc.cn/ip	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://udb.yy.com/authentication.do?action=authenticate&appid=5060&busiUrl=http%3A%2F%2Fwww.yy.com&	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.yy.com/gu/	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.uc.cn/ipIP:http://	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://nfnba.lanzoub.com/ietaw0udyhid	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	NaN%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://yyfkw.cn999https://nfnba.lanzoub.com/ietaw0udyhid	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://120.26.95.191:5658/http://120.26.95.191:5659/qq17336171577b2cc005c28c42472000e7863283a212&_=h	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	NaN%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://lxcode.bs2cdn.yy.com/a413808b-e679-47f1-9380-be7b3ebf8813.xml?from=yyweb	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://passport.baidu.com/viewlog?ak=	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://channel.yy.com/ajax/member/indexAction	YY#U6302#U53f7#U534f#U8bae.exe, 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1457838
Start date and time:	2024-06-15 20:02:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	YY#U6302#U53f7#U534f#U8bae.exe renamed because original name is a hash value
Original Sample Name:	YY.exe
Detection:	MAL
Classification:	mal60.winEXE@1/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Process:	C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	741376
Entropy (8bit):	6.917105002705599
Encrypted:	false
SSDEEP:	12288:wKBQAJdbyF+XZrjvhIeWgtN5XcTXrTmY5GTTTTTTTTTy8L1d8GsgFMwq:wKBZbpXZrjhI8N5sT7TzGTTTTTTTTTy9
MD5:	A96FBD5E66B31F3D816AD80F623E9BD9
SHA1:	4EDA42260BD3EB930CD4EAFD7D15C6AF367BCF18
SHA-256:	2E67BA278646FDE95BB614DCBCC7DA1C6BF7976C918B2C6AD3D78640000326F3
SHA-512:	43921107313775EA14B1BD33CF758C13798F4FA1C1074771C1C96B1B43B98F3416D249ED8AB3171383772D0054829C3754A91B5E94135F1DF6D67A76F599C80E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C...............L.\|.....L.z....L.{.....H......H.z./...H.{.....H.\|.....L.~.......~.......w.H....................}.....Rich....................PE..L......d...........!...".....r............................................................@.........................@...T............0.......................@..`k......p...............................@...............P............................text............................... ..`.rdata..............................@..@.data...4...........................@....detourc.".......$..................@..@.detourd..... ......................@....rsrc........0......................@..@.reloc..`k...@...l..................@..B........................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.921437760987104
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	YY#U6302#U53f7#U534f#U8bae.exe
File size:	4'972'544 bytes
MD5:	765cf453d0cea3719b619e4c55881093
SHA1:	060ae0476bbd908d08537c8b6bb24d2ec83d524c
SHA256:	3d76cc27be3265077a5c15f2c76848b73148df035b7d3a3d2b9ad77232587cfd
SHA512:	2132af60567aaf5c89001c36edd0764ef5e336dd2260d20287953ce2dac4b80c7817d0c0fe410a0d092900181c3d360999f7f2c06b5eba51a2e54821175cec18
SSDEEP:	98304:ygvElT54uia2kf5SCyJsAh6wbwPy7kl/CNBIs0lApvWJ:yFT54rHi4H+Ah/bOUkVQY2oJ
TLSH:	893633D84EF59834C2A6033CE43172374EBFF657D628936E265CE6AEAC4D1819341A37
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#.vOB.%OB.%OB.% ].%FB.% ].%IB.%.^.%bB.%4^.%JB.%.].%cB.%.J.%MB.%OB.%.@.%-].%RB.%yd.%.B.%yd.%7B.%.].%.B.%.].%RB.%OB.%.B.%.D.%NB.

File Icon


Icon Hash:	099c9113582f8b55

Static PE Info

General

Entrypoint:	0xb93dda
Entrypoint Section:	.vmp1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x66653771 [Sun Jun 9 05:02:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	fe512f2e549df2214891378c91f66a42

Entrypoint Preview

Instruction
push 0E4B68F2h
call 00007F34FD55337Dh
add byte ptr [eax], al
push esp
insb
jnc 00007F34FD09BFE8h
jc 00007F34FD09C007h
add byte ptr [eax], al
add byte ptr [edi+65h], al
je 00007F34FD09BFF5h
jns 00007F34FD09C015h
je 00007F34FD09C007h
insd
push esp
imul ebp, dword ptr [ebp+65h], 24648D00h
sbb al, E8h
popfd
add dword ptr [eax], eax
add byte ptr [ebx-18h], dl
lock add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [ebx+65h], dl
je 00007F34FD09BFF9h
imul ebp, dword ptr [esi+64h], 7845776Fh
je 00007F34FD09BFE7h
js 00007F34FD09BFA2h
add byte ptr [eax], al
inc edi
je 00007F34FD09BFF9h
outsd
insb
jne 00007F34FD09C00Fh
dec ecx
outsb
outsw
jc 00007F34FD09C00Fh
popad
je 00007F34FD09C00Bh
outsd
outsb
inc ecx
add byte ptr [eax], al
add byte ptr [ebx+72h], al
popad
je 00007F34FD09C007h
push esp
push 64616572h
add al, ch
pop esi
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [ebx+72h], al
popad
je 00007F34FD09C007h
inc esp
imul esi, dword ptr [edx+65h], 726F7463h
jns 00007F34FD09BFE3h
add byte ptr [eax], al
add byte ptr [edi+69h], dl
inc ebx
push 6F547261h
dec ebp
jne 00007F34FD09C00Eh
je 00007F34FD09C00Bh
inc edx
jns 00007F34FD09C016h
add byte ptr [eax], al
add byte ptr [edi+61h], dl
imul esi, dword ptr [esi+eax*2+6Fh], 6C754D72h
je 00007F34FD09C00Bh
jo 00007F34FD09C00Eh
dec edi
bound ebp, dword ptr [edx+65h]
arpl word ptr [ebx+esi*2+00h], si
add byte ptr [eax], al
inc ecx
jo 00007F34FD09C012h
outsb
dec ebp
outsb
jne 00007F34FD09BFE3h
add byte ptr [eax], al
add byte ptr [ebx+72h], al
popad
je 00007F34FD09C007h

Rich Headers

Programming Language:

[ C ] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) build 8168
[ C ] VS98 (6.0) build 8168
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x79627c	0x168	.vmp1
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x788000	0x6190	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc4c000	0x4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb9735b	0x850	.vmp1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x19e742	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1a0000	0x577b12	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x718000	0x6f3ca	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x788000	0x6190	0x3000	a1864bf4c4f443ebfc78e5e2fff8348b	False	0.394287109375	data	4.088331277576032	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vmp0	0x78f000	0x3024	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.vmp1	0x793000	0x4b8233	0x4b9000	5d3194b71c1a11ae1687b1d9c64ef151	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xc4c000	0x4c	0x1000	31b33e1e166e82486ce7540bf78125ec	False	0.0224609375	data	0.11968309355305998	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
TEXTINCLUDE	0x78a5b8	0xb	data	Chinese	China	1.0
TEXTINCLUDE	0x78a5c4	0x16	data	Chinese	China	0.5
TEXTINCLUDE	0x78a5dc	0x151	data	Chinese	China	0.03857566765578635
RT_CURSOR	0x78a730	0x134	data	Chinese	China	0.04220779220779221
RT_CURSOR	0x78a864	0x134	data	Chinese	China	0.04220779220779221
RT_CURSOR	0x78a998	0x134	data	Chinese	China	0.04220779220779221
RT_CURSOR	0x78aacc	0xb4	data	Chinese	China	0.06666666666666667
RT_BITMAP	0x78ab80	0x16c	data	Chinese	China	0.03571428571428571
RT_BITMAP	0x78acec	0x248	data	Chinese	China	0.025684931506849314
RT_BITMAP	0x78af34	0x144	data	Chinese	China	0.058823529411764705
RT_BITMAP	0x78b078	0x158	empty	Chinese	China	0
RT_BITMAP	0x78b1d0	0x158	empty	Chinese	China	0
RT_BITMAP	0x78b328	0x158	empty	Chinese	China	0
RT_BITMAP	0x78b480	0x158	empty	Chinese	China	0
RT_BITMAP	0x78b5d8	0x158	empty	Chinese	China	0
RT_BITMAP	0x78b730	0x158	empty	Chinese	China	0
RT_BITMAP	0x78b888	0x158	empty	Chinese	China	0
RT_BITMAP	0x78b9e0	0x158	empty	Chinese	China	0
RT_BITMAP	0x78bb38	0x5e4	empty	Chinese	China	0
RT_BITMAP	0x78c11c	0xb8	empty	Chinese	China	0
RT_BITMAP	0x78c1d4	0x16c	empty	Chinese	China	0
RT_BITMAP	0x78c340	0x144	empty	Chinese	China	0
RT_ICON	0x788bf4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Chinese	China	0.26344086021505375
RT_ICON	0x788edc	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Chinese	China	0.41216216216216217
RT_ICON	0x789004	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0, resolution 2834 x 2834 px/m			0.6824577861163227
RT_MENU	0x78c484	0xc	empty	Chinese	China	0
RT_MENU	0x78c490	0x284	empty	Chinese	China	0
RT_DIALOG	0x78c714	0x98	empty	Chinese	China	0
RT_DIALOG	0x78c7ac	0x17a	empty	Chinese	China	0
RT_DIALOG	0x78c928	0xfa	empty	Chinese	China	0
RT_DIALOG	0x78ca24	0xea	empty	Chinese	China	0
RT_DIALOG	0x78cb10	0x8ae	empty	Chinese	China	0
RT_DIALOG	0x78d3c0	0xb2	empty	Chinese	China	0
RT_DIALOG	0x78d474	0xcc	empty	Chinese	China	0
RT_DIALOG	0x78d540	0xb2	empty	Chinese	China	0
RT_DIALOG	0x78d5f4	0xe2	empty	Chinese	China	0
RT_DIALOG	0x78d6d8	0x18c	empty	Chinese	China	0
RT_STRING	0x78d864	0x50	empty	Chinese	China	0
RT_STRING	0x78d8b4	0x2c	empty	Chinese	China	0
RT_STRING	0x78d8e0	0x78	empty	Chinese	China	0
RT_STRING	0x78d958	0x1c4	empty	Chinese	China	0
RT_STRING	0x78db1c	0x12a	empty	Chinese	China	0
RT_STRING	0x78dc48	0x146	empty	Chinese	China	0
RT_STRING	0x78dd90	0x40	empty	Chinese	China	0
RT_STRING	0x78ddd0	0x64	empty	Chinese	China	0
RT_STRING	0x78de34	0x1d8	empty	Chinese	China	0
RT_STRING	0x78e00c	0x114	empty	Chinese	China	0
RT_STRING	0x78e120	0x24	empty	Chinese	China	0
RT_GROUP_CURSOR	0x78e144	0x14	empty	Chinese	China	0
RT_GROUP_CURSOR	0x78e158	0x14	empty	Chinese	China	0
RT_GROUP_CURSOR	0x78e16c	0x22	empty	Chinese	China	0
RT_GROUP_ICON	0x78a0ac	0x14	data			1.2
RT_GROUP_ICON	0x78a0c0	0x14	data	Chinese	China	1.2
RT_GROUP_ICON	0x78a0d4	0x14	data	Chinese	China	1.25
RT_VERSION	0x78a0e8	0x214	data	Chinese	China	0.5375939849624061
RT_MANIFEST	0x78a2fc	0x2b9	XML 1.0 document, ASCII text, with very long lines (697), with no line terminators			0.5279770444763271

Imports

DLL	Import
RASAPI32.dll	RasHangUpA, RasGetConnectStatusA
WINMM.dll	midiStreamRestart, midiStreamClose, midiOutReset, midiStreamStop, midiStreamOut, midiOutPrepareHeader, waveOutRestart, waveOutUnprepareHeader, waveOutPrepareHeader, waveOutWrite, waveOutPause, waveOutReset, midiStreamProperty, midiStreamOpen, midiOutUnprepareHeader, waveOutOpen, waveOutClose, waveOutGetNumDevs
WS2_32.dll	WSAAsyncSelect, closesocket, send, select, WSACleanup, WSAStartup, gethostbyname, inet_ntoa, inet_addr, gethostname, htons, socket, sendto, recvfrom, ioctlsocket, connect, listen, getpeername, accept, __WSAFDIsSet, ntohs, htonl, bind, ntohl, WSAGetLastError, getsockname, recv
KERNEL32.dll	UnmapViewOfFile, CreateFileMappingA, MapViewOfFile, OpenFileMappingA, GetCurrentProcessId, GetSystemDirectoryA, GetWindowsDirectoryA, GetCurrentProcess, TerminateThread, GetModuleHandleW, VirtualQuery, LoadLibraryW, GetVersionExW, DeleteFileW, TerminateProcess, GetFileSize, SetFilePointer, CreateFileW, GetTempPathW, FileTimeToSystemTime, GetTimeZoneInformation, SetLastError, GetVersion, LocalFree, FormatMessageA, CreateMutexA, ReleaseMutex, SuspendThread, GetACP, CreateSemaphoreA, ResumeThread, InterlockedExchange, ReleaseSemaphore, IsBadCodePtr, IsBadReadPtr, CompareStringW, CompareStringA, GetStringTypeW, GetStringTypeA, SetUnhandledExceptionFilter, IsBadWritePtr, VirtualAlloc, LCMapStringW, LCMapStringA, SetEnvironmentVariableA, VirtualFree, HeapCreate, HeapDestroy, GetEnvironmentVariableA, GetStdHandle, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, GetFileType, SetStdHandle, HeapSize, ExitThread, GetLocalTime, GetSystemTime, RaiseException, RtlUnwind, GetStartupInfoA, GetOEMCP, GetCPInfo, GetProcessVersion, SetErrorMode, GlobalFlags, GetCurrentThread, GetFileTime, TlsGetValue, LocalReAlloc, TlsSetValue, TlsFree, GlobalHandle, TlsAlloc, LocalAlloc, lstrcmpA, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, lstrcmpiA, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, DuplicateHandle, lstrcpynA, FileTimeToLocalFileTime, InterlockedDecrement, InterlockedIncrement, EnterCriticalSection, LeaveCriticalSection, GetProfileStringA, WriteFile, WaitForMultipleObjects, CloseHandle, WaitForSingleObject, CreateProcessA, GetTickCount, GetCommandLineA, MulDiv, GetProcAddress, GetModuleHandleA, GetVolumeInformationA, SetCurrentDirectoryA, GetCurrentDirectoryA, CreateDirectoryA, CopyFileA, DeleteFileA, GetFileAttributesA, SetFileAttributesA, FindClose, FindFirstFileA, GetTempPathA, CreateFileA, SetEvent, FindResourceA, LoadResource, LockResource, ReadFile, lstrlenW, RemoveDirectoryA, GetModuleFileNameA, GetCurrentThreadId, ExitProcess, GlobalSize, GlobalFree, DeleteCriticalSection, InitializeCriticalSection, lstrcatA, lstrlenA, WinExec, lstrcpyA, FindNextFileA, GlobalReAlloc, HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetUserDefaultLCID, MultiByteToWideChar, WideCharToMultiByte, GetFullPathNameA, FreeLibrary, LoadLibraryA, GetLastError, GetVersionExA, WritePrivateProfileStringA, GetPrivateProfileStringA, CreateThread, CreateEventA, Sleep, GlobalAlloc, GlobalLock, GlobalUnlock
USER32.dll	GetClassNameA, GetDesktopWindow, GetDlgItem, SetWindowTextA, MessageBoxW, GetSysColorBrush, wsprintfA, WaitForInputIdle, FindWindowExA, GetWindowTextA, ReleaseDC, LoadStringA, GetMenuCheckMarkDimensions, GetMenuState, SetMenuItemBitmaps, CheckMenuItem, MoveWindow, GetForegroundWindow, DefWindowProcW, GetPropA, RegisterClassA, CreateWindowExA, SetPropA, LoadIconA, TranslateMessage, DrawFrameControl, DrawEdge, DrawFocusRect, WindowFromPoint, GetMessageA, DispatchMessageA, SetRectEmpty, RegisterClipboardFormatA, CreateIconFromResourceEx, CreateIconFromResource, DrawIconEx, CreatePopupMenu, AppendMenuA, ModifyMenuA, CreateMenu, CreateAcceleratorTableA, GetDlgCtrlID, GetSubMenu, EnableMenuItem, ClientToScreen, EnumDisplaySettingsA, LoadImageA, SystemParametersInfoA, ShowWindow, IsWindowEnabled, TranslateAcceleratorA, IsDialogMessageA, ScrollWindowEx, SendDlgItemMessageA, MapWindowPoints, AdjustWindowRectEx, GetScrollPos, GetMenuItemCount, GetMenuItemID, SetWindowsHookExA, CallNextHookEx, GetClassLongA, UnhookWindowsHookEx, CallWindowProcA, RemovePropA, GetMessageTime, GetLastActivePopup, RegisterWindowMessageA, GetWindowPlacement, GetNextDlgTabItem, EndDialog, CreateDialogIndirectParamA, DestroyWindow, GrayStringA, DrawTextA, TabbedTextOutA, EndPaint, BeginPaint, GetWindowDC, CharUpperA, GetWindowTextLengthA, GetKeyState, CopyAcceleratorTableA, PostQuitMessage, IsZoomed, GetClassInfoA, DefWindowProcA, GetSystemMenu, DeleteMenu, GetMenu, SetMenu, PeekMessageA, IsIconic, SetFocus, GetActiveWindow, GetWindow, DestroyAcceleratorTable, SetWindowRgn, GetMessagePos, ScreenToClient, ChildWindowFromPointEx, CopyRect, LoadBitmapA, WinHelpA, KillTimer, SetTimer, ReleaseCapture, GetCapture, SetCapture, GetScrollRange, SetScrollRange, SetScrollPos, SetRect, InflateRect, IntersectRect, DestroyIcon, PtInRect, OffsetRect, IsWindowVisible, EnableWindow, RedrawWindow, GetWindowLongA, SetWindowLongA, GetSysColor, SetActiveWindow, SetCursorPos, LoadCursorA, SetCursor, GetDC, FillRect, IsRectEmpty, UnregisterClassA, IsChild, TrackPopupMenu, DestroyMenu, SetForegroundWindow, GetWindowRect, EqualRect, UpdateWindow, ValidateRect, InvalidateRect, GetClientRect, GetFocus, GetParent, GetTopWindow, PostMessageA, IsWindow, SetParent, DestroyCursor, SendMessageA, SetWindowPos, MessageBoxA, GetCursorPos, GetSystemMetrics, EmptyClipboard, SetClipboardData, OpenClipboard, GetClipboardData, CloseClipboard
GDI32.dll	ExtSelectClipRgn, LineTo, MoveToEx, ExcludeClipRect, GetClipBox, ScaleWindowExtEx, SetWindowExtEx, SetWindowOrgEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SetMapMode, SetTextColor, SetROP2, SetPolyFillMode, SetBkMode, SelectClipRgn, DeleteObject, CreateDIBitmap, GetSystemPaletteEntries, SelectPalette, RealizePalette, GetDIBits, GetWindowExtEx, GetViewportOrgEx, GetWindowOrgEx, BeginPath, EndPath, PathToRegion, CreateEllipticRgn, CreateRoundRectRgn, GetTextColor, GetBkMode, GetBkColor, GetROP2, GetStretchBltMode, GetPolyFillMode, CreateCompatibleBitmap, CreateDCA, CreateBitmap, SelectObject, CreatePen, PatBlt, CombineRgn, CreateRectRgn, FillRgn, CreateSolidBrush, CreateFontIndirectA, GetStockObject, GetObjectA, EndPage, EndDoc, DeleteDC, StartDocA, StartPage, BitBlt, CreateCompatibleDC, Ellipse, Rectangle, LPtoDP, DPtoLP, GetCurrentObject, RoundRect, GetTextExtentPoint32A, GetDeviceCaps, GetViewportExtEx, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, GetTextMetricsA, CreatePolygonRgn, GetClipRgn, SetStretchBltMode, CreateRectRgnIndirect, SetBkColor, CreatePalette, StretchBlt, SaveDC, RestoreDC
WINSPOOL.DRV	OpenPrinterA, DocumentPropertiesA, ClosePrinter
ADVAPI32.dll	RegSetValueExA, RegOpenKeyExA, RegCloseKey, RegQueryValueA, CryptReleaseContext, CryptDestroyHash, CryptGetHashParam, CryptHashData, CryptCreateHash, CryptAcquireContextA, RegCreateKeyExA
SHELL32.dll	DragQueryFileA, SHGetSpecialFolderPathA, Shell_NotifyIconA, ShellExecuteA
ole32.dll	OleRun, CoCreateInstance, CLSIDFromString, OleUninitialize, OleInitialize, RegisterDragDrop, RevokeDragDrop, ReleaseStgMedium, CLSIDFromProgID
OLEAUT32.dll	SafeArrayAccessData, SafeArrayGetElement, VariantCopyInd, VariantInit, SysAllocString, SafeArrayDestroy, SafeArrayCreate, SafeArrayPutElement, RegisterTypeLib, LHashValOfNameSys, LoadTypeLib, SafeArrayUnaccessData, UnRegisterTypeLib, SafeArrayGetDim, SafeArrayGetLBound, SafeArrayGetUBound, VariantChangeType, VariantClear, VariantCopy
COMCTL32.dll	ImageList_Destroy
WLDAP32.dll
WININET.dll	InternetCanonicalizeUrlA, InternetCrackUrlA, HttpOpenRequestA, HttpSendRequestA, HttpQueryInfoA, InternetReadFile, InternetConnectA, InternetSetOptionA, InternetCloseHandle, InternetOpenA
comdlg32.dll	ChooseColorA, ChooseFontA, GetFileTitleA, GetSaveFileNameA, GetOpenFileNameA
KERNEL32.dll	VirtualProtect, GetModuleFileNameA, ExitProcess
USER32.dll	MessageBoxA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Target ID:	0
Start time:	14:02:56
Start date:	15/06/2024
Path:	C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe"
Imagebase:	0x400000
File size:	4'972'544 bytes
MD5 hash:	765CF453D0CEA3719B619E4C55881093
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	41.2%
Total number of Nodes:	279
Total number of Limit Nodes:	21

Executed Functions

Function 6CF03D60 Relevance: 44.1, APIs: 17, Strings: 8, Instructions: 340
filelibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6CF02E30: ___from_strstr_to_strchr.LIBCMT ref: 6CF02E72

GetModuleHandleW.KERNEL32(00000000), ref: 6CF03DAB
GetModuleHandleW.KERNEL32(00000000), ref: 6CF03DD3
GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 6CF03DE0
_wcsrchr.LIBVCRUNTIME ref: 6CF03E04
LoadLibraryW.KERNEL32(?), ref: 6CF03E97
FreeLibrary.KERNEL32(00000000), ref: 6CF03EB5
GetModuleHandleW.KERNEL32(00000000), ref: 6CF03EBD
GetCurrentProcess.KERNEL32(?,00000000), ref: 6CF03ED9
ReadProcessMemory.KERNELBASE(00000000), ref: 6CF03EE0
OpenFileMappingW.KERNELBASE(000F001F,00000000,01332158), ref: 6CF03FF6
GetCurrentProcessId.KERNEL32 ref: 6CF04002
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 6CF04039
UnmapViewOfFile.KERNEL32(00000000), ref: 6CF04058
CloseHandle.KERNEL32(00000000), ref: 6CF0405F
LoadLibraryW.KERNEL32(ComCtl32.dll), ref: 6CF040BE
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 6CF040D2
FreeLibrary.KERNEL32(?), ref: 6CF0410F

Strings

krnln.fne, xrefs: 6CF03EF6
ComCtl32.dll, xrefs: 6CF040B7
DllGetVersion, xrefs: 6CF040CC
'B_2KUt5/aaI{5KVS, xrefs: 6CF03E3C
'5/]aIT5(IR, xrefs: 6CF03D85
%02x, xrefs: 6CF03FBE
\, xrefs: 6CF03F5E
, xrefs: 6CF040EE

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: FileHandleLibraryModule$Process$CurrentFreeLoadView$AddressCloseMappingMemoryNameOpenProcReadUnmap___from_strstr_to_strchr_wcsrchr
String ID: $%02x$'5/]aIT5(IR$'B_2KUt5/aaI{5KVS$ComCtl32.dll$DllGetVersion$\$krnln.fne
API String ID: 2714175470-3990559437
Opcode ID: 0d153d087615278a26fe4c83ae8a6a64f64057cbe5810063c077ca6cd00d9f62
Instruction ID: 7aed92f36cf28eae4a189312a7802718e073a49dfee2eb58963904c34686002f
Opcode Fuzzy Hash: 0d153d087615278a26fe4c83ae8a6a64f64057cbe5810063c077ca6cd00d9f62
Instruction Fuzzy Hash: 9CC14871B09340ABEB408F25CC14F9B7BF4AF85B08F154619F994AB691EB70D908CB96

Function 6CF03060 Relevance: 21.9, APIs: 2, Strings: 10, Instructions: 885COMMON

Download Yara Rule

APIs

GdiplusStartup.GDIPLUS(6CF9E7B4,?,00000000,D1DC5EAD), ref: 6CF0310D
IsDebuggerPresent.KERNEL32(D1DC5EAD), ref: 6CF03169

Strings

'/izNgKPrUJato%lN!otzCorlPS#5RP/BioJ-PomJUN/1QoTmN1GNm%/(/tS'No]oPK{]%tC(PTft5.PGdNmNo-#J|%JM[PSr/R?/1Nf^/ +[J{MtN(tmzP_,5-I5/mTolaD.BPGa15amPa1TB5[57L51TB5,a{la)[aSBaCfT]ma;SaV[BrU5.'f^kJSG/IKPLR/Q?N1Lo^+ +V/i){y.{yI{NMJ|MfQN5gufQmPakP.SN!?tUzoL/o%-/.Vf|%/.Uf, xrefs: 6CF03555
C:\Users\user\Desktop\, xrefs: 6CF03850
'/izNgKPrUJato%lN!otzCorlPS#5RP/BioJ-PomJUN/1QoTmN1GNm%/(/tS'No]oPK{]%tC(PTft5.PGdNmNo-#J|%JM[PSr/R?/1Nf^/ +[J{MtN(tmzP_,5-I5/mTolaD.BPGa15amPa1TB5[57L51TB5,a{la)[aSBaCfT]ma;SaV[BrU5.'f^kJSG/IKPLR/Q?N1Lo^+ +VJI!or'P[k/iq{I%t|rf?lf^g{5.{ye{NdJ|zf|'PTrP.zoRg{B'o, xrefs: 6CF034FE
(VC6, xrefs: 6CF03237, 6CF03369
'tyioT)N1)od`/f/P?'/ftNZuPr]Jf%olrN!]tz1oLaPzN5R1/K?tI_JU{/1,oTIN17f^|/`{Pr+/Q#NV|/K^NoBo/,f|qo,NJ!zJ[5PS_J(#N7(t]'tP.t'?{N@f^IP{@/2TtzyPP)/(LP.KPTaT!y]`lfyG5g+]RCiiof+oiD, xrefs: 6CF03436
C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe, xrefs: 6CF03BBA
bug, xrefs: 6CF03882
'/izNgKPrUJato%lN!otzCorlPS#5RP/BiPCl/Q!/DaNg!{,.NB_ou[oly/i@{L2t5^f^|J!T{dm/{kJ[2Prr/Qyf|`PadP.?N!)tz]or`o%q/f,fQT/fy5DQ/KN +SPa|P.LNDU{Z-NKMouGo%z/ilT,af+ea1JB^.f+-a/atJ;P.7/L_/QmPrK/f/toitCZPQetU'T!uB2^57G5DBaD.BNQ5D,a;'a#DB%]aDgBL_BuyB^GaVTTf#a'Ua;Ca{ga{_a, xrefs: 6CF033A4
M, xrefs: 6CF03119, 6CF03123, 6CF03138, 6CF0364C, 6CF036B2, 6CF0385A
3.5.701, xrefs: 6CF03223

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: DebuggerGdiplusPresentStartup
String ID: (VC6$ M$'/izNgKPrUJato%lN!otzCorlPS#5RP/BiPCl/Q!/DaNg!{,.NB_ou[oly/i@{L2t5^f^|J!T{dm/{kJ[2Prr/Qyf|`PadP.?N!)tz]or`o%q/f,fQT/fy5DQ/KN +SPa|P.LNDU{Z-NKMouGo%z/ilT,af+ea1JB^.f+-a/atJ;P.7/L_/QmPrK/f/toitCZPQetU'T!uB2^57G5DBaD.BNQ5D,a;'a#DB%]aDgBL_BuyB^GaVTTf#a'Ua;Ca{ga{_a$'/izNgKPrUJato%lN!otzCorlPS#5RP/BioJ-PomJUN/1QoTmN1GNm%/(/tS'No]oPK{]%tC(PTft5.PGdNmNo-#J|%JM[PSr/R?/1Nf^/ +[J{MtN(tmzP_,5-I5/mTolaD.BPGa15amPa1TB5[57L51TB5,a{la)[aSBaCfT]ma;SaV[BrU5.'f^kJSG/IKPLR/Q?N1Lo^+ +V/i){y.{yI{NMJ|MfQN5gufQmPakP.SN!?tUzoL/o%-/.Vf|%/.Uf$'/izNgKPrUJato%lN!otzCorlPS#5RP/BioJ-PomJUN/1QoTmN1GNm%/(/tS'No]oPK{]%tC(PTft5.PGdNmNo-#J|%JM[PSr/R?/1Nf^/ +[J{MtN(tmzP_,5-I5/mTolaD.BPGa15amPa1TB5[57L51TB5,a{la)[aSBaCfT]ma;SaV[BrU5.'f^kJSG/IKPLR/Q?N1Lo^+ +VJI!or'P[k/iq{I%t|rf?lf^g{5.{ye{NdJ|zf|'PTrP.zoRg{B'o$'tyioT)N1)od`/f/P?'/ftNZuPr]Jf%olrN!]tz1oLaPzN5R1/K?tI_JU{/1,oTIN17f^|/`{Pr+/Q#NV|/K^NoBo/,f|qo,NJ!zJ[5PS_J(#N7(t]'tP.t'?{N@f^IP{@/2TtzyPP)/(LP.KPTaT!y]`lfyG5g+]RCiiof+oiD$3.5.701$C:\Users\user\Desktop\$C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe$bug
API String ID: 797656621-2384605490
Opcode ID: 04dc083cc7fa9d225a46553559014204a9610c874390c251ea7e7cc6974f69a6
Instruction ID: a58078a4cca9b517478310e70607660f9c5f9d8a8c8a748706ff2bfcc52f0ea5
Opcode Fuzzy Hash: 04dc083cc7fa9d225a46553559014204a9610c874390c251ea7e7cc6974f69a6
Instruction Fuzzy Hash: 0772CF71A016199FDB24CF28C851FEAB3F5BF49718F108698D45997B50EB30EA89DF80

Function 6CEFAD60 Relevance: 9.1, APIs: 6, Instructions: 80
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 6CEFAD81
GetCurrentProcessId.KERNEL32 ref: 6CEFADB7
Process32FirstW.KERNEL32(00000000,0000022C), ref: 6CEFADCD
Process32NextW.KERNEL32(00000000,0000022C), ref: 6CEFADEC
CloseHandle.KERNEL32(00000000), ref: 6CEFADF3
FindCloseChangeNotification.KERNELBASE(00000000), ref: 6CEFAE1B

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: CloseProcess32$ChangeCreateCurrentFindFirstHandleNextNotificationProcessSnapshotToolhelp32
String ID:
API String ID: 3200957769-0
Opcode ID: 9b1266e5910ef6c9caed0822b0b8e508d1125d61f684aa836512cf5d69c66486
Instruction ID: c7ded15e3743ef5571ab9afb1c1b6289c54a2ae4f54eecf44c3fdde5db3d587c
Opcode Fuzzy Hash: 9b1266e5910ef6c9caed0822b0b8e508d1125d61f684aa836512cf5d69c66486
Instruction Fuzzy Hash: 4B210631704350AFC750DF25D849BAEB7E8EF85229F20092AF8ADC7280DB709945CB96

Function 6CF3C00E Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6CF3C055
___scrt_uninitialize_crt.LIBCMT ref: 6CF3C06F

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: d5a3cc13d04e730537541ae88da9d2260e6ea8fda56c00806e97941aa79b9c6d
Instruction ID: f6c9151b1426997e1c770e9cc823e215643a19f8b9f72b7f1607a0f1baad2236
Opcode Fuzzy Hash: d5a3cc13d04e730537541ae88da9d2260e6ea8fda56c00806e97941aa79b9c6d
Instruction Fuzzy Hash: D841C572E05678BBDB10BF69CC00B9E7AB4EB85768F116316E81C97B40C73489059BD0

Function 6CF3C0BE Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6CF3C0FB
dllmain_crt_dispatch.LIBCMT ref: 6CF3C112
dllmain_raw.LIBCMT ref: 6CF3C15A
dllmain_crt_dispatch.LIBCMT ref: 6CF3C16D
dllmain_raw.LIBCMT ref: 6CF3C180

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 85fdfb6be20af750d6bbcd066ffd8ca3477a0baf5fe9c1fc9d553b677f0c78ef
Instruction ID: 0c69c6f0971428bbab85ee047283db057330c0e11f8a5420dea274c061ed447a
Opcode Fuzzy Hash: 85fdfb6be20af750d6bbcd066ffd8ca3477a0baf5fe9c1fc9d553b677f0c78ef
Instruction Fuzzy Hash: 82217EB2D05675BBDB21BE55CC40AAF3A78AB85B98F126216FC1C67710C3348D41ABD0

Function 6CF3BF07 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6CF3BF54

Part of subcall function 6CF3C62A: InitializeSListHead.KERNEL32(6CF9D878,6CF3BF5E,6CF8E780,00000010,6CF3BEEF,?,?,?,6CF3C117,?,00000001,?,?,00000001,?,6CF8E7C8), ref: 6CF3C62F

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CF3BFBE

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: 06d3c1d3a9bcafdd874dc4c227ae6946091156f037643f5c504ed18f26b25c7e
Instruction ID: 3732895cfa5583bc6694e378144c2fd1878dea85a28c26262cb69a7cd5807b2f
Opcode Fuzzy Hash: 06d3c1d3a9bcafdd874dc4c227ae6946091156f037643f5c504ed18f26b25c7e
Instruction Fuzzy Hash: 3221D431609A75BADF046BB588217DC37B09B1232DF307919C49D27EC2CB625508CAE9

Function 6CF52D9C Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,6CEF2388,00000002,?,6CF51B7E,00000001,00000364,00000002,FFFFFFFF,000000FF,?,?,6CF44622,6CF50335,00000002), ref: 6CF52DDD

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 29998f62bd389ba6ecd530c916a00acf8b852f80fdc6df41bd49e94cf2f0f839
Instruction ID: 199112c056a68038d47b9a554410dc0de1c7b68d9206778ab1ddffa69587206a
Opcode Fuzzy Hash: 29998f62bd389ba6ecd530c916a00acf8b852f80fdc6df41bd49e94cf2f0f839
Instruction Fuzzy Hash: E0F0E03660652457DF150A268C4CB9B3758AF51774F544311AE34E7980CF21D82086E0

Non-executed Functions

Function 6CF04EB0 Relevance: 62.0, APIs: 41, Instructions: 548
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFocus.USER32 ref: 6CF04F18
GetTickCount64.KERNEL32 ref: 6CF04F20
CallWindowProcW.USER32(?,?,?,?,?), ref: 6CF04F66
BeginPaint.USER32(?,?), ref: 6CF04F97
EndPaint.USER32(?,?,?,?), ref: 6CF04FA3
GetCursorPos.USER32(?), ref: 6CF04FE6
GetWindowRect.USER32(?,?), ref: 6CF04FF2
PtInRect.USER32(?,?,00000100), ref: 6CF05019
LoadCursorW.USER32(00000000,-00007F00), ref: 6CF0502D
SetCursor.USER32(00000000,?,?), ref: 6CF05034
GetWindowRect.USER32(?,?), ref: 6CF0507C
GetDC.USER32 ref: 6CF05083
SelectObject.GDI32(00000000,?), ref: 6CF05099
DrawTextW.USER32 ref: 6CF050D7
SelectObject.GDI32(00000000,00000000), ref: 6CF050DF
ReleaseDC.USER32(?,00000000), ref: 6CF050E6
SetFocus.USER32(?), ref: 6CF051B4
GetWindowRect.USER32(?,?), ref: 6CF05201
PtInRect.USER32(?,?,?), ref: 6CF05218
GetCursorPos.USER32(?), ref: 6CF05249
GetWindowRect.USER32(?,?), ref: 6CF05255
PtInRect.USER32(?,?,?), ref: 6CF0528B
TrackMouseEvent.USER32(?,?,?), ref: 6CF052D0
GetWindowDC.USER32(?,?,?), ref: 6CF052F7
ReleaseDC.USER32(?,00000000), ref: 6CF0530F

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Rect$Window$Cursor$FocusObjectPaintReleaseSelect$BeginCallCount64DrawEventLoadMouseProcTextTickTrack
String ID:
API String ID: 628924928-0
Opcode ID: 054c7495c4315eb1965172d136e886290d6214f73f6b7b88e4f416b40fdf168a
Instruction ID: 0441769d6c586bf08e8cbf72b5b71d78b0ee542189a496d53c077a6029b0103d
Opcode Fuzzy Hash: 054c7495c4315eb1965172d136e886290d6214f73f6b7b88e4f416b40fdf168a
Instruction Fuzzy Hash: 58129A71B042469FCB00CF69C898AAABBE8FF89719F144A6DF969CB251C770D404CB65

Function 6CF33B00 Relevance: 36.5, APIs: 18, Strings: 2, Instructions: 1527windowstringCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000003,?), ref: 6CF33BB1
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 6CF33BCC
lstrlenA.KERNEL32(00000000,?), ref: 6CF33CE6

Strings

, xrefs: 6CF344D2
M, xrefs: 6CF33CF4

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend$lstrlen
String ID: $ M
API String ID: 1172434978-372607837
Opcode ID: 698c2f53b6d19e6e0dc3d67b6afeb4180fcc19dd7ffd5b87dc841af0e412d2e6
Instruction ID: 341c1ca7d71e451baa20c64bbaa4d48e2a8e3a399cbc7da785b7c0df6eadff5f
Opcode Fuzzy Hash: 698c2f53b6d19e6e0dc3d67b6afeb4180fcc19dd7ffd5b87dc841af0e412d2e6
Instruction Fuzzy Hash: 86B2AB31B01314AFCB14CF29C881B9ABBF1FB89318F115A5EE9699B690D771E845CBC1

Function 6CF27D80 Relevance: 26.8, APIs: 13, Strings: 2, Instructions: 521windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000404,00000001,FFFFFFFF), ref: 6CF27ED3
SendMessageW.USER32(?,0000040B,00000000,6CF7428C), ref: 6CF27EEF
SendMessageW.USER32(?,00000411,00000000,6CF7428C), ref: 6CF27F0B
SendMessageW.USER32(?,0000040F,00000000,00000000), ref: 6CF27F24
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000127,?,?,75C05540), ref: 6CF27F38
SendMessageW.USER32(?,00000404,?,00000000), ref: 6CF282AF
SendMessageW.USER32(?,0000040B,?,?), ref: 6CF282F0
SendMessageW.USER32(?,00000411,00000000,?), ref: 6CF2830C
SendMessageW.USER32(?,0000040F,00000000,?), ref: 6CF28328

Strings

gfff, xrefs: 6CF27E60
gfff, xrefs: 6CF27E31

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend$Window
String ID: gfff$gfff
API String ID: 2326795674-3084402119
Opcode ID: c9f3bd6833812f75bf49bc9d4387af93c294e9eb4c7341e3855af7801ec8fe6b
Instruction ID: 30857a1e7f5a2f5c02faea7f6d48b8dd8c474a5799be2d5f5cfcfe07729f56af
Opcode Fuzzy Hash: c9f3bd6833812f75bf49bc9d4387af93c294e9eb4c7341e3855af7801ec8fe6b
Instruction Fuzzy Hash: 1412D272E002159FDB14CF99CC80FAEBBB8FF49304F15816AE915AB781D735A905CBA0

Function 6CF25CA0 Relevance: 24.4, APIs: 16, Instructions: 415windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000406,00000000,00000000), ref: 6CF25CE5
SendMessageW.USER32(?,00000404,00000001,FFFFFFFF), ref: 6CF25D1C
SendMessageW.USER32(?,0000040B,00000000,6CF7428C), ref: 6CF25D38
SendMessageW.USER32(?,00000411,00000000,6CF7428C), ref: 6CF25D4E
SendMessageW.USER32(?,0000040F,00000000,00000000), ref: 6CF25D61
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000127,?), ref: 6CF25D75

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend$Window
String ID:
API String ID: 2326795674-0
Opcode ID: 76b24fb25bce9f55096b62e5dbf8538bf8ee25c2ed5c8f16b04e487444d156d3
Instruction ID: 7c3c2ebf5bb7a0c8f1331ff476d6caba89c24f3341782aa652c4a55afb4a5f46
Opcode Fuzzy Hash: 76b24fb25bce9f55096b62e5dbf8538bf8ee25c2ed5c8f16b04e487444d156d3
Instruction Fuzzy Hash: A1D18FB1B01615ABEB14CFA9C891BAEB7F4EF48704F108569E91AE7780DB35E801CB54

Function 6CEFC790 Relevance: 20.2, APIs: 7, Strings: 4, Instructions: 955filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 6CEFCAC0
FindNextFileW.KERNEL32(00000000,?), ref: 6CEFCBB2
FindClose.KERNEL32(00000000), ref: 6CEFCBC4
FindFirstFileW.KERNEL32(00000000,?), ref: 6CEFCD5E
FindNextFileW.KERNEL32(00000000,00000010), ref: 6CEFCFB3
FindClose.KERNEL32(00000000), ref: 6CEFCFC2
lstrlenA.KERNEL32(3.5.701,00000000,?,?,?,?,?,?,?,00000000,?), ref: 6CEFD2E9

Strings

M, xrefs: 6CEFD0FE, 6CEFD192, 6CEFD301
3.5.701, xrefs: 6CEFD2E4, 6CEFD326
%s%s, xrefs: 6CEFCB14
., xrefs: 6CEFCD8D

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Find$File$CloseFirstNext$lstrlen
String ID: M$%s%s$.$3.5.701
API String ID: 2427512422-3258477754
Opcode ID: 801bb631d9a15eb8012871e587485c2eb8b190029480ade5b4e9c508d3db6522
Instruction ID: 99a9283767293f5f73ee073f8e376d95f5cf0d87a8381aa812cc28cee9d3381d
Opcode Fuzzy Hash: 801bb631d9a15eb8012871e587485c2eb8b190029480ade5b4e9c508d3db6522
Instruction Fuzzy Hash: 7782C375A016199FDB24DF68C884BAEB7B5FF44308F20856DD82A97741DB30EA46CF90

Function 6CF067A0 Relevance: 18.5, APIs: 12, Instructions: 518COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 6CF06814
GetScrollInfo.USER32(?,00000001,?), ref: 6CF068D7
ScrollWindow.USER32(?,00000000,00000000,00000000,00000000), ref: 6CF0695E
SetScrollInfo.USER32(?,00000001,?,00000001), ref: 6CF06983
InvalidateRect.USER32(?,00000000,00000000), ref: 6CF0698E
TrackMouseEvent.USER32 ref: 6CF06A01
CallWindowProcW.USER32(?,?,?,?,?), ref: 6CF06A69

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: ScrollWindow$CallInfoProc$EventInvalidateMouseRectTrack
String ID:
API String ID: 2269578552-0
Opcode ID: 340cdd1b100ce843e517e6fbd69c59ec94c742fd9f53ee7a0fd27506bdc7c9e9
Instruction ID: 3b582dc4f84a4af4354c20ce2162a1474ee054f469b490ab7ae5040bace018b2
Opcode Fuzzy Hash: 340cdd1b100ce843e517e6fbd69c59ec94c742fd9f53ee7a0fd27506bdc7c9e9
Instruction Fuzzy Hash: 76F1DF327042109BCB08CF29D8E5A6F77E5FF88725F50466AFD5ACB681CB30D8949B91

Function 6CF20400 Relevance: 15.5, APIs: 10, Instructions: 526windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?), ref: 6CF20492
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 6CF2049E
SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 6CF204B2
SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 6CF207E3
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 6CF207EF
SendMessageW.USER32(?,00001061,?,00000000), ref: 6CF207FD
SendMessageW.USER32(?,0000120B,?,?), ref: 6CF2085A
SendMessageW.USER32(?,0000120C,?,00000004), ref: 6CF208C7

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 89adef01820a3540eb61104b5d21a7b15b3d86a63f59b5bfb3afad6c2ce32f7e
Instruction ID: e6dbf88d78cf8fed93a7c382abf03669d4f7572437fe3cab076ba54c0aff6688
Opcode Fuzzy Hash: 89adef01820a3540eb61104b5d21a7b15b3d86a63f59b5bfb3afad6c2ce32f7e
Instruction Fuzzy Hash: 5C12C472E003999FEB10CFA4C890B9EBBB5FF45308F244169E559AB781D7B4A845CB90

Function 6CF35F20 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 452windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000003,?), ref: 6CF35FCD
SendMessageW.USER32(?,0000113E,00000000,?), ref: 6CF360E2
SendMessageW.USER32(?,00001127,?,00000000), ref: 6CF361B7
SendMessageW.USER32(?,0000113E,00000000,?), ref: 6CF362DC
SendMessageW.USER32(?,0000113E,00000000,?), ref: 6CF3640C

Strings

@, xrefs: 6CF360DA

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend
String ID: @
API String ID: 3850602802-2766056989
Opcode ID: 284f842fab6644cbceb257105ef1091fa73e1388ad8413ecd2c21626ff43fb8c
Instruction ID: 815cee066a69cb72019d8249a118745d2d6ab67e8b3d51d38b626d10d02cf8dc
Opcode Fuzzy Hash: 284f842fab6644cbceb257105ef1091fa73e1388ad8413ecd2c21626ff43fb8c
Instruction Fuzzy Hash: 3CF18971B05614AFCB14CF29C881B9AB7F1FB89318F219A59FA59CB690D771E840CBC1

Function 6CF30E30 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 260COMMON

Download Yara Rule

Strings

{478011B2-E06D-4B4B-A323-5B4AD8F78DE6}, xrefs: 6CF30F3A, 6CF30FAA
M, xrefs: 6CF30F52, 6CF30F6A

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID:
String ID: M${478011B2-E06D-4B4B-A323-5B4AD8F78DE6}
API String ID: 0-2259455005
Opcode ID: 1bdccb6f29b16595d14acf23a775e1c2b7a58559cee183fa740a3e41c0064660
Instruction ID: c2f179d8e301fde3a3b7a10789e2e4119d0a39fbe3f6de29a3ce51320246c0cd
Opcode Fuzzy Hash: 1bdccb6f29b16595d14acf23a775e1c2b7a58559cee183fa740a3e41c0064660
Instruction Fuzzy Hash: 9491C271B00124AFCB18CF29C9A4AAAB7F4FF48315B10956EE85EDBA90D735D900CBD0

Function 6CF29E30 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 156windowCOMMON

Download Yara Rule

APIs

SetPropW.USER32(?,{478011B2-E06D-4B4B-A323-5B4AD8F78DE6},?), ref: 6CF29EC9
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 6CF29EDB
GetWindow.USER32(?,00000005), ref: 6CF29EFA
SetPropW.USER32(00000000,{478011B2-E06D-4B4B-A323-5B4AD8F78DE6},?), ref: 6CF29F0F
PostMessageW.USER32(00000000,00000010,00000000,00000000), ref: 6CF29F1C

Strings

{478011B2-E06D-4B4B-A323-5B4AD8F78DE6}, xrefs: 6CF29EC3, 6CF29F09

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessagePostProp$Window
String ID: {478011B2-E06D-4B4B-A323-5B4AD8F78DE6}
API String ID: 183564908-2367190246
Opcode ID: fd5787f3e3fd712679d7042d781c4c37b2b875d653ec6d37a58559dd33e3708d
Instruction ID: 2569c04573a2033541762a790c527534d604234c8caddc4309932ff41b27e543
Opcode Fuzzy Hash: fd5787f3e3fd712679d7042d781c4c37b2b875d653ec6d37a58559dd33e3708d
Instruction Fuzzy Hash: 1F519C70B10205ABCB18CF59C891BAEBBF5FF99301F24856EE449EB391DA75D900CB90

Function 6CF24940 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 156windowCOMMON

Download Yara Rule

APIs

SetPropW.USER32(?,{478011B2-E06D-4B4B-A323-5B4AD8F78DE6},?), ref: 6CF249D9
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 6CF249EB
GetWindow.USER32(?,00000005), ref: 6CF24A0A
SetPropW.USER32(00000000,{478011B2-E06D-4B4B-A323-5B4AD8F78DE6},?), ref: 6CF24A1F
PostMessageW.USER32(00000000,00000010,00000000,00000000), ref: 6CF24A2C

Strings

{478011B2-E06D-4B4B-A323-5B4AD8F78DE6}, xrefs: 6CF249D3, 6CF24A19

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessagePostProp$Window
String ID: {478011B2-E06D-4B4B-A323-5B4AD8F78DE6}
API String ID: 183564908-2367190246
Opcode ID: dbf108b154f08e111ea9addce5bca3e76671b779f3dde2ac624cfd095f5c65ad
Instruction ID: 29c0283d29e148644b845150e1efa24c976b92b09c383a3039b827ba098f7e3a
Opcode Fuzzy Hash: dbf108b154f08e111ea9addce5bca3e76671b779f3dde2ac624cfd095f5c65ad
Instruction Fuzzy Hash: 8851AC70B00205AFCB08CF59C891BAABBF5FB49301F24856EE549EB391E675D900CB94

Function 6CF56C8E Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1473COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 6CF56EA5

Strings

1#SNAN, xrefs: 6CF56D9A
1#QNAN, xrefs: 6CF56DA1
1#INF, xrefs: 6CF56DC4
1#IND, xrefs: 6CF56D93

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 2ab55dc009f877039dc8fe154ee4aa625c19fcc699d175a1c0bd65e3e72abee2
Instruction ID: b9917665fa6d8459a004c4bbd36ebba0ee57afe8bbf52924e45d8286e29a08db
Opcode Fuzzy Hash: 2ab55dc009f877039dc8fe154ee4aa625c19fcc699d175a1c0bd65e3e72abee2
Instruction Fuzzy Hash: 72D26B72E196288FDB64CE28CC407EAB7B5FB55305F5481EAD90DE3640EB34AE958F40

Function 6CF28F20 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 318windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CF3BDDE: EnterCriticalSection.KERNEL32(6CF9D840,00000503,0000000B,?,6CEFACFF,6CF9E7B0,00000000,00000000,?,6CF04074), ref: 6CF3BDE9
Part of subcall function 6CF3BDDE: LeaveCriticalSection.KERNEL32(6CF9D840,?,6CEFACFF,6CF9E7B0,00000000,00000000,?,6CF04074), ref: 6CF3BE26

SendMessageW.USER32(?,00000439,00000000,00000030), ref: 6CF2936A

Strings

0, xrefs: 6CF2933D
%, xrefs: 6CF2919B
......, xrefs: 6CF2904B, 6CF29173
*NW[&{*g>f:y, xrefs: 6CF29263, 6CF292C7

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: CriticalSection$EnterLeaveMessageSend
String ID: %$*NW[&{*g>f:y$......$0
API String ID: 417868457-2189770699
Opcode ID: 9169e3091f48917b2a2d35a5d6580c2a5b616ee16a76db33bbfc99e81456062f
Instruction ID: e3e440cecc59b42c8d3be759f129f613c31c112e1666c0472d3e7576736e3874
Opcode Fuzzy Hash: 9169e3091f48917b2a2d35a5d6580c2a5b616ee16a76db33bbfc99e81456062f
Instruction Fuzzy Hash: 5ED1CF70A006199FEB14CF58C880F9AB7F4FF49318F1542A9E9199B740DB35EA84CBD2

Function 6CF32EA0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

{478011B2-E06D-4B4B-A323-5B4AD8F78DE6}, xrefs: 6CF32FC2, 6CF33031
M, xrefs: 6CF32FD8, 6CF32FF0

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID:
String ID: M${478011B2-E06D-4B4B-A323-5B4AD8F78DE6}
API String ID: 0-2259455005
Opcode ID: ff6644b99adbfe04d2b5c4d43d0f11596eea997fedbc7fbc22678d6ed2d33a90
Instruction ID: 7f4fdafe2c18cd449c1ce10f3eb0918b0179970ecba160670ff20bf15e85f25c
Opcode Fuzzy Hash: ff6644b99adbfe04d2b5c4d43d0f11596eea997fedbc7fbc22678d6ed2d33a90
Instruction Fuzzy Hash: 3281C371B042209FCB04DF29C4A5A6AB7F4FB49319B019A6EE89ECB791D735E4058BC1

Function 6CF2A680 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

{478011B2-E06D-4B4B-A323-5B4AD8F78DE6}, xrefs: 6CF2A7A2, 6CF2A811
M, xrefs: 6CF2A7B8, 6CF2A7D0

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID:
String ID: M${478011B2-E06D-4B4B-A323-5B4AD8F78DE6}
API String ID: 0-2259455005
Opcode ID: c9bf0254f72910a76e0445e36d9f35ae1c99a0f8b7ceb73d8c970939637e1f28
Instruction ID: 1096697134344a9bf2f1f000281ca6434876008289ee6060b9790dfbc95c090f
Opcode Fuzzy Hash: c9bf0254f72910a76e0445e36d9f35ae1c99a0f8b7ceb73d8c970939637e1f28
Instruction Fuzzy Hash: 8581A331B142108FCB14CF69C4A4A6AB7F4FF49319F158A6EE89ECB690D739D905CB81

Function 6CF251C0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

{478011B2-E06D-4B4B-A323-5B4AD8F78DE6}, xrefs: 6CF252E2, 6CF25351
M, xrefs: 6CF252F8, 6CF25310

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID:
String ID: M${478011B2-E06D-4B4B-A323-5B4AD8F78DE6}
API String ID: 0-2259455005
Opcode ID: 44fbab4cab118544cbfff97e0f032d9e180c41294d3df377fda29d2eecbaa042
Instruction ID: 43bfebfcf2d148ce7c604a3a9fe675ab0723e33926583e35820bf8dad6543f0b
Opcode Fuzzy Hash: 44fbab4cab118544cbfff97e0f032d9e180c41294d3df377fda29d2eecbaa042
Instruction Fuzzy Hash: 8881B431B142109FCB04CF69C4A4A6AB7F4FF49319F548A6EE49ECB795D735D8048B81

Function 6CF0AF40 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 237COMMON

Download Yara Rule

Strings

{478011B2-E06D-4B4B-A323-5B4AD8F78DE6}, xrefs: 6CF0B04F, 6CF0B0BD
M, xrefs: 6CF0B065, 6CF0B07D

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID:
String ID: M${478011B2-E06D-4B4B-A323-5B4AD8F78DE6}
API String ID: 0-2259455005
Opcode ID: 0593bdcc72a1efc69726a5841e3b4511a768b386b6f30ab8af8541a48ad846cb
Instruction ID: 79a361de6de01c2635fbaeb7bd7b826a1421d25a2bad2df9a6565b3b59779a4f
Opcode Fuzzy Hash: 0593bdcc72a1efc69726a5841e3b4511a768b386b6f30ab8af8541a48ad846cb
Instruction Fuzzy Hash: 2F81D631B001149FCB18CF69C8A0AAEBBF4FF49715B11896EE85EDB751D731E9048B90

Function 6CF13770 Relevance: 7.9, APIs: 5, Instructions: 361windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 6CF137CC
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 6CF137D8
SendMessageW.USER32(00000000,0000104C,00000000,?), ref: 6CF13AC7
SendMessageW.USER32(00000000,0000104C,00000000,?), ref: 6CF13B34
InvalidateRect.USER32(00000000,00000000,00000000), ref: 6CF13B77

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend$InvalidateRect
String ID:
API String ID: 2778011698-0
Opcode ID: c659c33c83b89fadd73c71107dac6b2128da8f443ecd22461cadc6a38ea1d32a
Instruction ID: d5b2dadbb210329d63e6ec95c3dce82f8d0a18ca3b2508efd29fd5b51ea19bdd
Opcode Fuzzy Hash: c659c33c83b89fadd73c71107dac6b2128da8f443ecd22461cadc6a38ea1d32a
Instruction Fuzzy Hash: 63E14575E042198FDB14CFA9C880BADBBB1FF49314F2442ADE519ABB91D731A948CF40

Function 6CEF76D0 Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 551windowCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,D1DC5EAD,?,?), ref: 6CEF772E
SendMessageW.USER32(?,0000102F,?,00000003), ref: 6CEF796B
LeaveCriticalSection.KERNEL32(?), ref: 6CEF7D74

Strings

malloc, xrefs: 6CEF7CD5

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: CriticalSection$EnterLeaveMessageSend
String ID: malloc
API String ID: 417868457-2803490479
Opcode ID: 818b96cca7c8ede4fa86c975e889360b2ac583a91493920a3683ae37dc1c928d
Instruction ID: 7f70dbd3f4982589ff165873b6cd15be59da4817205409378f0c513ccab5cddc
Opcode Fuzzy Hash: 818b96cca7c8ede4fa86c975e889360b2ac583a91493920a3683ae37dc1c928d
Instruction Fuzzy Hash: FE328771E05219DFDB14CF98D880AADBBF2FF4A318F35412AE825AB750D771A942CB50

Function 6CF4B710 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 204faab022524768da466ab8984e9b7aff7e09c834dc3f81180b0b4ee1ce27a1
Instruction ID: 867703dc484af551766e84b97dc4ad25cba03a694b33ce39074c6ad213e274e0
Opcode Fuzzy Hash: 204faab022524768da466ab8984e9b7aff7e09c834dc3f81180b0b4ee1ce27a1
Instruction Fuzzy Hash: 42025D71E016199FDB14CFA9C890B9EFBB1FF48318F248669D919E7742D731A902CB90

Function 6CF2B4E0 Relevance: 6.3, APIs: 4, Instructions: 335windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000001,00000418,00000000,00000000), ref: 6CF2B5D5
SendMessageW.USER32(?,00000418,00000000,00000000), ref: 6CF2B7AC
SendMessageW.USER32(?,00000443,?,?), ref: 6CF2B7C9
CallWindowProcW.USER32(?,00000001,00000421,00000000,00000000), ref: 6CF2B840

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend$CallProcWindow
String ID:
API String ID: 562906466-0
Opcode ID: 8443c5c14034d50891546b2b1e216a50cb2dd0d564b7db2ed879e0a212b18484
Instruction ID: b0919240f1e202c0ef14ea3bd8ad0d1e956ab545cc4e6f5dac9fd6d97d556404
Opcode Fuzzy Hash: 8443c5c14034d50891546b2b1e216a50cb2dd0d564b7db2ed879e0a212b18484
Instruction Fuzzy Hash: A3D15C71E017099BDB14CFE9C881B9EBBB5FF44314F148A69EC2AAB790D774A805CB50

Function 6CF3C469 Relevance: 6.1, APIs: 4, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6CF3C475
IsDebuggerPresent.KERNEL32 ref: 6CF3C541
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CF3C561
UnhandledExceptionFilter.KERNEL32(?), ref: 6CF3C56B

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 11208f94cc7a818777c90f15078e0ea48e6c9e4dab63635fa412315190ffee04
Instruction ID: 4d0863847f71b70bc90cded3eec82d1cdbbcfd0fd8969de841b856338f4b1b38
Opcode Fuzzy Hash: 11208f94cc7a818777c90f15078e0ea48e6c9e4dab63635fa412315190ffee04
Instruction Fuzzy Hash: FF312B75D15328ABDF50DF65C9897CDBBB8AF04308F1041AAE40DA7240EB715A84CF55

Function 6CF3B805 Relevance: 6.0, APIs: 4, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,6CF3B925,6CF60400), ref: 6CF3B80A
UnhandledExceptionFilter.KERNEL32(6CF3B925,?,6CF3B925,6CF60400), ref: 6CF3B813
GetCurrentProcess.KERNEL32(C0000409,?,6CF3B925,6CF60400), ref: 6CF3B81E
TerminateProcess.KERNEL32(00000000,?,6CF3B925,6CF60400), ref: 6CF3B825

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 584b6bd865e61c02c55891f285dd6e8ea63b22d0e4d4eaa3e2b5455635968e5f
Instruction ID: 75c2959da5fc41b1c706bf011410550dfe5ed464488174c59684211b7595f3d3
Opcode Fuzzy Hash: 584b6bd865e61c02c55891f285dd6e8ea63b22d0e4d4eaa3e2b5455635968e5f
Instruction Fuzzy Hash: 63D01231A20144AFDF812BE2C80CB6C3F38EB06316F124411F31F81001CBF144008B59

Function 6CF0BAE0 Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 519windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000102F,?,0000FFFE), ref: 6CF0C10F
InvalidateRect.USER32(?,00000000,00000000,?,?,00000000,?,00000001,D1DC5EAD), ref: 6CF0C12A

Strings

I:\cpp\_git_works\iext\iext_ListView_BindArray.cpp, xrefs: 6CF0C0C3

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID: I:\cpp\_git_works\iext\iext_ListView_BindArray.cpp
API String ID: 909852535-1209357225
Opcode ID: 191c9633736a05ace463554a673204e64d18879da244592f9153bc97ba1957ff
Instruction ID: 6b8803bde5b15719f4991d4103371cf6994ea31244277d21409cd4cf1d122426
Opcode Fuzzy Hash: 191c9633736a05ace463554a673204e64d18879da244592f9153bc97ba1957ff
Instruction Fuzzy Hash: 2A225971A01209DFDB04CFA8C8A0B9EBBF5FF49B14F248569E815EBB50D731A841DB91

Function 6CEFC5C0 Relevance: 4.6, APIs: 3, Instructions: 84fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 6CEFC640
FindNextFileW.KERNEL32(?,?), ref: 6CEFC661
FindNextFileW.KERNEL32(?,?,?,?,?), ref: 6CEFC685

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: FileFind$Next$First
String ID:
API String ID: 1808125830-0
Opcode ID: 9a8784600b142376bac93c8eb58f8b424241960ed8b1112cd3dad667b22c1893
Instruction ID: 330cc783aa6180f6a112dca525b50d2b3d23b6049ca9bb8ca9a76ae23fd32660
Opcode Fuzzy Hash: 9a8784600b142376bac93c8eb58f8b424241960ed8b1112cd3dad667b22c1893
Instruction Fuzzy Hash: B53175716083019FDB20DF25C844AAB77F8FF45758F215A2DE8A587690E770E90ACBD2

Function 6CF44984 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CF44A7C
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CF44A86
UnhandledExceptionFilter.KERNEL32(-00000225,?,?,?,?,?,?), ref: 6CF44A93

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 4980d1a50e710d98eb0363b14b1de9e5fe2dfa474d47f4bd65d592878e870137
Instruction ID: 7450ef87d505e9f5a61050f7211ce3b10ad6428d1a3d69fa3e5364e97762ac0a
Opcode Fuzzy Hash: 4980d1a50e710d98eb0363b14b1de9e5fe2dfa474d47f4bd65d592878e870137
Instruction Fuzzy Hash: 1131D674D11228ABCB61DF65D8887CCBBB8BF08314F5082EAE41DA7250E7709B858F58

Function 6CF22610 Relevance: 3.6, APIs: 2, Instructions: 568windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CF220D0: SendMessageW.USER32(00000000,0000101F,00000000,00000000), ref: 6CF22128
Part of subcall function 6CF220D0: SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 6CF22134

SendMessageW.USER32(00000000,00001004,00000000,00000000), ref: 6CF226FF
SendMessageW.USER32(00000000,0000104B,00000000,?), ref: 6CF22D81

Part of subcall function 6CEF76D0: EnterCriticalSection.KERNEL32(?,D1DC5EAD,?,?), ref: 6CEF772E

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend$CriticalEnterSection
String ID:
API String ID: 2245208738-0
Opcode ID: 9a270513f86a0071720450873d248ce9e8982a3764004525079cb4fcde9d26bf
Instruction ID: 07c7d40dea146f73ab36ebb5c1441b387a12ac578b897ee1a12db69b81c3742d
Opcode Fuzzy Hash: 9a270513f86a0071720450873d248ce9e8982a3764004525079cb4fcde9d26bf
Instruction Fuzzy Hash: 94426971E00219CFDB24CFA4C884BEEB7B5BF48314F10419AE619AB790DB75AA85CF51

Function 6CF1ABC0 Relevance: 3.3, Strings: 2, Instructions: 822COMMON

Download Yara Rule

Strings

%, xrefs: 6CF1AE58
%, xrefs: 6CF1B045

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID:
String ID: %$%
API String ID: 0-2066442488
Opcode ID: eb7fcb0d42e6af6010d2f13792afd3119b523e861e3359d8e9ac528221245997
Instruction ID: 87232b18c7e7fd5e4c6182a07ee2896705274aeba2ea715d33e771603f3e5c22
Opcode Fuzzy Hash: eb7fcb0d42e6af6010d2f13792afd3119b523e861e3359d8e9ac528221245997
Instruction Fuzzy Hash: AE7268B1E05219CFDB24CF69C840B9EB7F1BF48318F2486A9D419A7B51DB31A985CF90

Function 6CF17A1E Relevance: 3.2, APIs: 2, Instructions: 215COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000000), ref: 6CF17BBC
InvalidateRect.USER32(?,00000000,00000000), ref: 6CF17C27

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 90774af98711c97fcf33d58c7a4b933df21bc9e5842e8bb75e80f254f5e58466
Instruction ID: ad76f4095e1740231715756d3977d8e94e6da1ee2b053f2ee5cf435c50b9fd88
Opcode Fuzzy Hash: 90774af98711c97fcf33d58c7a4b933df21bc9e5842e8bb75e80f254f5e58466
Instruction Fuzzy Hash: 1571C034B082119FD714CF29C4D0B9AB3F1FF88329F10461AE9A99BA94D731E945CB82

Function 6CF04770 Relevance: 3.2, APIs: 2, Instructions: 192COMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(?), ref: 6CF047B6
GetWindowTextW.USER32(00000000,00000010,?), ref: 6CF04819

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: TextWindow$Length
String ID:
API String ID: 1006428111-0
Opcode ID: 42194652104a57c583ba5fa6c5f20bed23559a0fcf01f0f61b80704918084ad6
Instruction ID: e9d8d069630eb38ca998a4a29a260dda05eeb1ecf693d46ea9e26d7fb51df340
Opcode Fuzzy Hash: 42194652104a57c583ba5fa6c5f20bed23559a0fcf01f0f61b80704918084ad6
Instruction Fuzzy Hash: 5871C071A006069FCB18CF68C8A0AAEBBF1FF58714F24463DD566D3B50E734A945CB94

Function 6CEF19F0 Relevance: 2.7, APIs: 2, Instructions: 215COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,D1DC5EAD,6CF742AC,00000000,00000000), ref: 6CEF1A5F
MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000010,?,6CF742AC,00000000,00000000), ref: 6CEF1AE1

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 7fc20f1882bb402df680f7b22184b2fe6629872a76c8d30d29ab5f1e3896a71c
Instruction ID: b564ee5b69495673e057d5b8982e087435dc2af7dc9f314ab2702437e71be3fb
Opcode Fuzzy Hash: 7fc20f1882bb402df680f7b22184b2fe6629872a76c8d30d29ab5f1e3896a71c
Instruction Fuzzy Hash: A47190B1A046099BCB18CFA8C8907AEB7F5FF88314F24452DE526E7B50E775D946CB80

Function 6CEFDB50 Relevance: 2.7, APIs: 2, Instructions: 212COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(000003A8,00000000,?,?,00000000,00000000,D1DC5EAD,?,?,?,?,?,?,?,Function_0006E05D,000000FF), ref: 6CEFDBB7
MultiByteToWideChar.KERNEL32(000003A8,00000000,?,?,00000010,?,?,?,?), ref: 6CEFDC3B

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: cf5b89b8a5e4e97c383538d3ea78736091b5672d056dee684148aeb2fca36aec
Instruction ID: 71b82795fd6896eebbbc4ba141b7e5ecb7ff27f5a455b84f2acfa7a115fd31ca
Opcode Fuzzy Hash: cf5b89b8a5e4e97c383538d3ea78736091b5672d056dee684148aeb2fca36aec
Instruction Fuzzy Hash: 4271D570A006069BCB18CF68C8907AEBBF5FF89314F24462DD526D7B90E775A902CB91

Function 6CF5445D Relevance: 1.9, APIs: 1, Instructions: 410timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,6CF548A2,00000000,00000000,00000000), ref: 6CF54761

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: 931403cfe240a66c552f1d4a4e9a606484ba1e8bb9e0b0b12e6cdf7a7d18396f
Instruction ID: 1459c0e871f0252eeaba471ad7df349570d872e9eaba261265b8a546d4c02213
Opcode Fuzzy Hash: 931403cfe240a66c552f1d4a4e9a606484ba1e8bb9e0b0b12e6cdf7a7d18396f
Instruction Fuzzy Hash: 03D13C72E00125ABDB009F69CC01BEE7FB9EF25718FA44156EA05E7B80E7709A75C790

Function 6CF08C70 Relevance: 1.9, APIs: 1, Instructions: 352COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 6CF08F97

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: ObjectSelect
String ID:
API String ID: 1517587568-0
Opcode ID: 6dc460a4653d1318db3fc38745e81fe3fdc64067deddd29802b8467aa296620a
Instruction ID: 2daaf620ef9a301b9a2cdb47be89d555d4125722744b5ab912165ce140e7fad6
Opcode Fuzzy Hash: 6dc460a4653d1318db3fc38745e81fe3fdc64067deddd29802b8467aa296620a
Instruction Fuzzy Hash: E6D1D031B00209AFDB04CF69C4A0BAAB7F4FF44718F20466EE819CBA81D771E954DB90

Function 6CF58D78 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6CF58D73,?,?,00000008,?,?,6CF5BE2B,00000000), ref: 6CF58FA5

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 582118499e8a5ca255912d46ce7f9ea73b156045b11c95dcffd64039500de544
Instruction ID: 94c602282dfdd0658070ba3bcfcd84dc38cd657b5d421dcb09224014079e0b2d
Opcode Fuzzy Hash: 582118499e8a5ca255912d46ce7f9ea73b156045b11c95dcffd64039500de544
Instruction Fuzzy Hash: F5B18171220608CFD704CF28C486B957BF0FF15368F658659E9A9CF6A1C736DAA2CB40

Function 6CF3C285 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CF3C29B

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: c73ba354ad034d68a77d7d3f4eb42b2fc3236a2c2adefef2de1ace9f5111f7c5
Instruction ID: 3d96f2c9aa442ee4b591d6b4609e1f4a1c881350443b9e77513ba9f8c8d12b2c
Opcode Fuzzy Hash: c73ba354ad034d68a77d7d3f4eb42b2fc3236a2c2adefef2de1ace9f5111f7c5
Instruction Fuzzy Hash: 06518EB1E15229DBEF24CF59C4817AEBBF4FB45314F24862AC429EB651D375E900CB90

Function 6CEF5190 Relevance: 1.6, Strings: 1, Instructions: 381COMMON

Download Yara Rule

Strings

Yl, xrefs: 6CEF535E, 6CEF5241, 6CEF527F

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID:
String ID: Yl
API String ID: 0-3592166634
Opcode ID: 7188a24494a0d311be05fa597030fecca7787f005fa37fb6e74aa74ff728d05e
Instruction ID: 5527ea346df34ef592efd5fc190f4442799570cbbd119dbea1f31673ee5b376a
Opcode Fuzzy Hash: 7188a24494a0d311be05fa597030fecca7787f005fa37fb6e74aa74ff728d05e
Instruction Fuzzy Hash: F902BE75909215CFC709CF18C4D48FABBF1EF69310B1A82EDD8999B762D331A981CB91

Function 6CF424B5 Relevance: 1.6, Strings: 1, Instructions: 333COMMON

Download Yara Rule

Strings

0, xrefs: 6CF42625

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 92706f1875cfbb1b140534759adf4a8381aad6fff1c175b9e2f1fb3038ab93b6
Instruction ID: b0bfa39db566f33c34b6f9093ec01c330ab8afe8c7bdd30231654a4172435b6f
Opcode Fuzzy Hash: 92706f1875cfbb1b140534759adf4a8381aad6fff1c175b9e2f1fb3038ab93b6
Instruction Fuzzy Hash: 0BC1D0709056468FCB14CF68C5A86AABFB1BF06318F20C629D466D7F93D732E949CB50

Function 6CF1C860 Relevance: 1.6, Strings: 1, Instructions: 331COMMON

Download Yara Rule

Strings

M, xrefs: 6CF1C951, 6CF1C97F, 6CF1CA5D, 6CF1CB38

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-519822722
Opcode ID: 2bc9737faecbbb7ac7b439bd0b834ec96cf09dc4c2c3da048d5dbd27ec83ca01
Instruction ID: edd26b82bce9cb38b86fb2c4d6d8e6cc75e6f703fc5fcddcbfd4cca4c7aace76
Opcode Fuzzy Hash: 2bc9737faecbbb7ac7b439bd0b834ec96cf09dc4c2c3da048d5dbd27ec83ca01
Instruction Fuzzy Hash: B1B190B2E492059BDB05DF68C891BFFBBB9AF05348F140039E855E7B41E725AA04C7A1

Function 6CF56124 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CF56124

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: d35b986c78d4625ce2edc8d18d2a382f0efd3c6d8c65f8ec039ede0928ca635d
Instruction ID: e5ee9451fb0bd54f84ec683d8aa292ea54b9d088a6b817c7dfdd57d97bd1287b
Opcode Fuzzy Hash: d35b986c78d4625ce2edc8d18d2a382f0efd3c6d8c65f8ec039ede0928ca635d
Instruction Fuzzy Hash: 16A01130B20200CB8F808F32820AB0C3AB8BA822C03208028A002C0200EB2080008B20

Function 6CF5C790 Relevance: .7, Instructions: 651COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e538f688891d84faca6265af9d0095b2e9fca0b70f7086b0abe39f48d1ce60e0
Instruction ID: aefb267add20523cd6b68dca733ecf49ebb386f2f8bdeb90dae993d04b60cb54
Opcode Fuzzy Hash: e538f688891d84faca6265af9d0095b2e9fca0b70f7086b0abe39f48d1ce60e0
Instruction Fuzzy Hash: F1323A21E7AF410DDB635538C861335B668AFB73C8F55D727F926B1EAAEB2980D34100

Function 6CF5D549 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2690304c0665860233c0441fc194e5d50f1e7a49523024045b0a0a09b0394a33
Instruction ID: fb5c6fc31921f267dbc53330f0f9c26633ea0dbc487a37fbd1ef7a03990b9631
Opcode Fuzzy Hash: 2690304c0665860233c0441fc194e5d50f1e7a49523024045b0a0a09b0394a33
Instruction Fuzzy Hash: EC321822E3AF414DDB635534C9213357669AFB73C4F65D727F829B5DA9EB29C0834200

Function 6CF0C6E0 Relevance: .5, Instructions: 546COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072b1376fa90bb8d34f03a30f47436a54aec01a552af22e39a025661b3765ab0
Instruction ID: 01187da94364c9480687cca602789a2cd79ec4cf844b08f6853848bc5bb45a95
Opcode Fuzzy Hash: 072b1376fa90bb8d34f03a30f47436a54aec01a552af22e39a025661b3765ab0
Instruction Fuzzy Hash: EA329D78B01656CFDB09DF58C090AAAB7B1FF4A704F248199D855AB761C731AC02DFA2

Function 6CEF4590 Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ee72e1bedcf84323938b19d8dc862953c0d192be81ec958e57e0f2cba4e5f41
Instruction ID: 46d5a5a65d9b69100684010296638a9129d44aaf24c480ada8a068570b157452
Opcode Fuzzy Hash: 8ee72e1bedcf84323938b19d8dc862953c0d192be81ec958e57e0f2cba4e5f41
Instruction Fuzzy Hash: 53028A35600B408FD724CF29C580AA6B7F1FF48318B654A2EE9A687B51D735F992CF81

Function 6CF42814 Relevance: .4, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 423d0df29664698a76e5024a58b1eb158d2e9b83d619df6291fbcd9e44e54f07
Instruction ID: 87ce15e9a74fd2ef10cddb99a61425145673f6cdc4758292c6eb13c3fc9d0b16
Opcode Fuzzy Hash: 423d0df29664698a76e5024a58b1eb158d2e9b83d619df6291fbcd9e44e54f07
Instruction Fuzzy Hash: 0AD1E230A016068FCB18CF69C5886AEBFB1FF45318F20C669D856DBB92D732E945CB10

Function 6CF22F50 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e907c77b161b55bfd94e0ea9427c34a90f9a487bfbc0853c63ab47a66d89a35a
Instruction ID: a7fac9872af45753abfb01a0fc29904d3bebab91b2c75ae2d9cca25c8779e7f4
Opcode Fuzzy Hash: e907c77b161b55bfd94e0ea9427c34a90f9a487bfbc0853c63ab47a66d89a35a
Instruction Fuzzy Hash: 33B107B6F012199BDB10DFE9D4917AEF3B8FF59314F20426AD8459B680DB3A984CC790

Function 6CF17180 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a50a0c22680211c7c94970171dd9d659aa624464b48c4f2562f66f025a5e4646
Instruction ID: 2ae988c092e6f4f6f433aba00808837de4585f80737041dfc507cc58cbf99497
Opcode Fuzzy Hash: a50a0c22680211c7c94970171dd9d659aa624464b48c4f2562f66f025a5e4646
Instruction Fuzzy Hash: 6CB19F75E05219DFCB04CF99C490AEEBBB1FF49314F24425AE819A7B50D730AE55CBA0

Function 6CF1F560 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 905ee72049134810fcc8e4779360230bf8cac9938b161eef5f870343fb2fa4ee
Instruction ID: 0f610416d552e2b6a1ed2d584bc3d7ff0cdd4ecd2a6f297ac972dcb8df3a484c
Opcode Fuzzy Hash: 905ee72049134810fcc8e4779360230bf8cac9938b161eef5f870343fb2fa4ee
Instruction Fuzzy Hash: F1715171B301744BDB44CE7BD8D063633F1E38B341387461AEA528B685D734E966CBA0

Function 6CEF3640 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4f3ed4073413a5e934b71c9d06ff1f16e799126d2a25023f47e1207c534258c
Instruction ID: af644480a51f01fe3638730dc4e7facf3ebb326eb6216027ae2a5badfd070cf2
Opcode Fuzzy Hash: d4f3ed4073413a5e934b71c9d06ff1f16e799126d2a25023f47e1207c534258c
Instruction Fuzzy Hash: 97613175B201665FDB84DE2FD8C09363371E78F321395462AEA91CB385C639E627C7A0

Function 6CF32930 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6d08386be50eac44d3cb43536f1dd0442b17758c386dd893acd16c71ca519d
Instruction ID: 5651896ac9cfddfbd7082f7cdf9da48b225a454f82f05db0f26a095a1e931eae
Opcode Fuzzy Hash: 5b6d08386be50eac44d3cb43536f1dd0442b17758c386dd893acd16c71ca519d
Instruction Fuzzy Hash: CF51AF71205215AFCB1CCF28C8A496AFBE5FB89314B05866EE45ECB792D732D940DBD0

Function 6CF496A7 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cdb639d8b4a3dc78a39e7bf92b193c27b07351c41d90c50fc3a0074acfaed45
Instruction ID: 8da6c8ef74b447d3bf11c4ee3907b3d357ce004ed58ad9cbe591dbce69fdc9a6
Opcode Fuzzy Hash: 8cdb639d8b4a3dc78a39e7bf92b193c27b07351c41d90c50fc3a0074acfaed45
Instruction Fuzzy Hash: 6D517272E00119EFDF04CF99C940AEEBFB6FF88304F598499D915AB241D774AA50CB90

Function 00401770 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699604011.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1699589823.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699727907.00000000005A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699727907.00000000009DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700191506.0000000000B18000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700191506.0000000000B39000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700191506.0000000000B47000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700191506.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700191506.0000000000B86000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700286315.0000000000B88000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700300698.0000000000B8F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700314503.0000000000B93000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700329077.0000000000B94000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700602889.0000000000F97000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1700623087.0000000000F98000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a258b6dcfb8244e0624a241c4aa59feb7b258c87b8bd0d309f36abf59a0f5ed1
Instruction ID: 52aa607848448e9685be8cb4f6d456d7c466e29189b8e850d68b7cc22c5769b8
Opcode Fuzzy Hash: a258b6dcfb8244e0624a241c4aa59feb7b258c87b8bd0d309f36abf59a0f5ed1
Instruction Fuzzy Hash: D2316377A00119ABDB00DF5CD881ADEB7F5EB94320F15C02AE858E7391E6359B05CB94

Function 6CF081A0 Relevance: 60.0, APIs: 32, Strings: 2, Instructions: 452
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsWindow.USER32(?), ref: 6CF081E9
SendMessageW.USER32(?,00001003,00000000,00000000), ref: 6CF08205
SendMessageW.USER32(?,00001003,00000001,00000000), ref: 6CF08213
SendMessageW.USER32(?,00001003,00000002,00000000), ref: 6CF08221
SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 6CF0822F
SendMessageW.USER32(00000000,00001208,00000000,00000000), ref: 6CF0823B
DeleteObject.GDI32(?), ref: 6CF08356
GetObjectA.GDI32(00000000,0000003C,?), ref: 6CF08386
CreateFontIndirectA.GDI32(?), ref: 6CF083C5
CreateWindowExW.USER32(?,6CF8635C,?,?,?,?,?,?,?,?), ref: 6CF08479
SendMessageA.USER32(00000000,00002005,00000001,00000000), ref: 6CF0848F
SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 6CF084BF
GetWindowLongW.USER32(00000000,000000F0), ref: 6CF084F0
SetWindowLongW.USER32(?,000000F0,00000000), ref: 6CF0850A
SetWindowLongW.USER32(?,000000FC,6CF0A420), ref: 6CF08519
SetPropW.USER32(?,{E6784E04-5AC0-455D-B61B-0C08CEA40E76},?), ref: 6CF0852D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027), ref: 6CF08545

Part of subcall function 6CF20A20: SendMessageW.USER32(?,00001009,00000000,00000000), ref: 6CF20A8A

InitializeFlatSB.COMCTL32(?), ref: 6CF0855E
LoadCursorW.USER32(00000000,00007F89), ref: 6CF0858F
CallWindowProcW.USER32(6CF86310,?,0000103E,00000000,00000000), ref: 6CF085AE
SendMessageW.USER32(?,00001024,00000000,?), ref: 6CF08606
SendMessageW.USER32(?,00001026,00000000,?), ref: 6CF0861E
GetSysColor.USER32(00000004), ref: 6CF0862C
SendMessageW.USER32(?,00001001,00000000,?), ref: 6CF08643
SendMessageW.USER32(?,0000102F,?,00000003), ref: 6CF08681
SendMessageW.USER32(?,0000102C,00000000,0000F000), ref: 6CF086C0
SendMessageW.USER32(?,0000102F,?,00000003), ref: 6CF086E5
SendMessageW.USER32(?,00001036,00000000,00000100), ref: 6CF087A3
SendMessageW.USER32(?,00001036,00000000,00000100), ref: 6CF087D6
CreateFontIndirectA.GDI32(?), ref: 6CF0882E
SendMessageW.USER32(?,00000030,?,00000001), ref: 6CF0884F
SendMessageW.USER32(?,00000030,?,00000001), ref: 6CF08866

Part of subcall function 6CF20340: SendMessageW.USER32(?,0000102B,00000001,?), ref: 6CF203DF

Strings

{E6784E04-5AC0-455D-B61B-0C08CEA40E76}, xrefs: 6CF0851C
SysListView32, xrefs: 6CF084AB

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend$Window$CreateLong$FontIndirectObject$CallColorCursorDeleteFlatInitializeLoadProcProp
String ID: SysListView32${E6784E04-5AC0-455D-B61B-0C08CEA40E76}
API String ID: 1195607631-1216753371
Opcode ID: 4defbc96df5b35b1beb2789d3ccd62965c926be72e0f3609897a1ced0bbc97b9
Instruction ID: 732fe7ab0e9dfbac0f9b8ce9a82402981a33a51d3611aead81efb7910856a396
Opcode Fuzzy Hash: 4defbc96df5b35b1beb2789d3ccd62965c926be72e0f3609897a1ced0bbc97b9
Instruction Fuzzy Hash: 23128B70700B41EFEB25CF24C959B96BBF1BF48B08F104609E5A99B690D7B1B494DF81

Function 6CF21730 Relevance: 52.9, APIs: 29, Strings: 1, Instructions: 387
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{478011B2-E06D-4B4B-A323-5B4AD8F78DE6}, xrefs: 6CF21973

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID:
String ID: {478011B2-E06D-4B4B-A323-5B4AD8F78DE6}
API String ID: 0-2367190246
Opcode ID: e66dc2cfbc91430d8f82f9772e9afe11dc30af52cc59443dadaaf76128c6d126
Instruction ID: 1d8db8a8d2cfdfc0c88f41986f6c927208fdf117fb8734571fbb7c3af122c1ed
Opcode Fuzzy Hash: e66dc2cfbc91430d8f82f9772e9afe11dc30af52cc59443dadaaf76128c6d126
Instruction Fuzzy Hash: 2BD1D231B50601EBEB148F68CC45BA5B7B1FF49700F248619EA65ABAD0C7B5FC50CB88

Function 6CF056B0 Relevance: 40.7, APIs: 27, Instructions: 195
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowDC.USER32(?,?,?,?,?,?,?,?,?,6CF051D9), ref: 6CF056C1
GetCurrentObject.GDI32(00000000,00000006), ref: 6CF056FE
SendMessageW.USER32(?,00000031,?,?), ref: 6CF0571A
GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6CF051D9), ref: 6CF05751
GetSysColor.USER32(0000000D), ref: 6CF0576A
CreatePen.GDI32(00000000,00000001,00000000), ref: 6CF05775
CreateSolidBrush.GDI32(?), ref: 6CF05786
SelectObject.GDI32(?,00000000), ref: 6CF057AE
SelectObject.GDI32(6CF051D9,?), ref: 6CF057B5
SelectObject.GDI32(6CF051D9,?), ref: 6CF057BB
Rectangle.GDI32(6CF051D9,?,?,?,?), ref: 6CF057D6
CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 6CF0580A
CreateRectRgn.GDI32(?,?,?,?), ref: 6CF05827
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 6CF05833
CombineRgn.GDI32(00000000,00000001,00000000,00000004), ref: 6CF0583E
SelectClipRgn.GDI32(?,00000000), ref: 6CF0584E
BitBlt.GDI32(?,00000000,00000000,?,?,6CF051D9,00000000,00000000,00CC0020), ref: 6CF0586A
DeleteObject.GDI32(00000001), ref: 6CF05873
DeleteObject.GDI32(00000000), ref: 6CF05880
DeleteObject.GDI32(00000000), ref: 6CF05883
SelectClipRgn.GDI32(?,00000000), ref: 6CF0588B
BitBlt.GDI32(?,00000000,00000000,?,?,6CF051D9,00000000,00000000,00CC0020), ref: 6CF058B2
DeleteObject.GDI32(?), ref: 6CF058C3
DeleteDC.GDI32(?), ref: 6CF058C7
DeleteObject.GDI32(?), ref: 6CF058E8
DeleteObject.GDI32(?), ref: 6CF058ED
ReleaseDC.USER32(?,?), ref: 6CF058F3

Part of subcall function 6CF04A60: GetModuleHandleW.KERNEL32(00000000), ref: 6CF04ABD
Part of subcall function 6CF04A60: SelectObject.GDI32(?,?), ref: 6CF04AD4
Part of subcall function 6CF04A60: SetBkMode.GDI32(?,00000001), ref: 6CF04AE0
Part of subcall function 6CF04A60: DrawTextW.USER32(?,00000000,00000000,00000005,00000024), ref: 6CF04B38
Part of subcall function 6CF04A60: SetBkMode.GDI32(?,?), ref: 6CF04B42
Part of subcall function 6CF04A60: SelectObject.GDI32(?,?), ref: 6CF04B4C

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Object$DeleteSelect$Create$Rect$ClipHandleModeModule$BrushColorCombineCurrentDrawMessageRectangleReleaseSendSolidTextWindow
String ID:
API String ID: 4194721849-0
Opcode ID: 4f9dea476e4f22fb5f31bd1a098d9a85db0c5b2b89f404b143d4133cc592fb17
Instruction ID: 545dbb58671743e8b5513fb4efd2f4ad4513d24d942461d841b8c983eeb7454a
Opcode Fuzzy Hash: 4f9dea476e4f22fb5f31bd1a098d9a85db0c5b2b89f404b143d4133cc592fb17
Instruction Fuzzy Hash: D1716D31E10204FBDF519FA1CD89FAE7FB5FF89B10F240169EA146A290C7B55900DBA9

Function 6CF29980 Relevance: 38.9, APIs: 19, Strings: 3, Instructions: 365
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteObject.GDI32(?), ref: 6CF29A1F
GetObjectA.GDI32(00000000,0000003C,?), ref: 6CF29A43
CreateFontIndirectA.GDI32(?), ref: 6CF29A82
CreateWindowExW.USER32(00000000,static,00000000,50000000,?,?,00001000,00001000,?,?,00000000,?), ref: 6CF29B39
CreateWindowExW.USER32(?,6CF87444,?,?,?,?,?,?,?,?), ref: 6CF29B69
SendMessageA.USER32(00000000,00002005,00000001,00000000), ref: 6CF29B7A
DestroyWindow.USER32(?,?,?), ref: 6CF29BAD
SendMessageW.USER32(00000000,00000418,00000000,000001F4), ref: 6CF29BFB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 6CF29C54
CallWindowProcW.USER32(6CF873DC,00000000,0000041E,00000014,00000000), ref: 6CF29C8C
SendMessageW.USER32(00000000,00000030,?,00000001), ref: 6CF29CAD
SendMessageW.USER32(00000000,0000042F,?,00000000), ref: 6CF29CC7
SendMessageW.USER32(00000000,00000454,00000000,00000081), ref: 6CF29CE1
SendMessageW.USER32(00000000,00000430,00000000,00000000), ref: 6CF29D1E
SendMessageW.USER32(00000000,00000434,00000000,00000000), ref: 6CF29D5B
SendMessageW.USER32(00000000,00000436,00000000,00000000), ref: 6CF29D98
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 6CF29DD2
SendMessageW.USER32(00000000,00000030,?,00000001), ref: 6CF29DF7
CallWindowProcW.USER32(6CF873DC,00000000,00000421,00000000,00000000), ref: 6CF29E13

Strings

0, xrefs: 6CF29C23
static, xrefs: 6CF29B32
ToolbarWindow32, xrefs: 6CF29B8D

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend$Window$Create$CallObjectProc$DeleteDestroyFontIndirectMove
String ID: 0$ToolbarWindow32$static
API String ID: 2932085743-1139442359
Opcode ID: 2979850a0011d44bd13b8a3b3a932f55dd54767eaa6337ca081b33c6a950a3df
Instruction ID: 85d8fd86b96f5a5db09249f07cdc616d30bafd43a65887114ba4d9a6bef4bc7f
Opcode Fuzzy Hash: 2979850a0011d44bd13b8a3b3a932f55dd54767eaa6337ca081b33c6a950a3df
Instruction Fuzzy Hash: BFE19A70701702AFEB188F65C885F66BBB5BF48704F108619FA599BA90CBB5F950CB90

Function 6CF2E950 Relevance: 37.1, APIs: 20, Strings: 1, Instructions: 399COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000000), ref: 6CF2E9CA

Strings

{478011B2-E06D-4B4B-A323-5B4AD8F78DE6}, xrefs: 6CF2EA91

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: InvalidateRect
String ID: {478011B2-E06D-4B4B-A323-5B4AD8F78DE6}
API String ID: 634782764-2367190246
Opcode ID: e711652be705e5312cafe04795b1a39a2c9514726a5e337c8d1b9519d0cf1e82
Instruction ID: a6871ff0abe149f2bb37e82a9cb9f4b535653524909eb8fd6718ce4d405fe941
Opcode Fuzzy Hash: e711652be705e5312cafe04795b1a39a2c9514726a5e337c8d1b9519d0cf1e82
Instruction Fuzzy Hash: 55D1D332B50601AFEB14CFB9D884B66B3A4FF49315F208629E969D7A80D775F850CBD0

Function 6CF1A110 Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 278windowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CF19980: PostQuitMessage.USER32(00000000), ref: 6CF199E0

Part of subcall function 6CEF9A30: IsWindow.USER32(00000000), ref: 6CEF9A75

GetModuleHandleW.KERNEL32(00000000), ref: 6CF1A210
GetClassInfoExW.USER32(00000000,edit,00000030), ref: 6CF1A223
RegisterClassExW.USER32 ref: 6CF1A254
IsWindow.USER32(?), ref: 6CF1A269
CreateWindowExW.USER32(00010200,_jy_edit_list_,00000000,46011080,00000000,00000000,00000000,00000000,?,00000000,00000000,?), ref: 6CF1A29F
SendMessageA.USER32(?,00002005,00000001,00000000), ref: 6CF1A2C0
IsWindow.USER32(?), ref: 6CF1A2CF
SendMessageA.USER32(?,00002005,00000001,00000000), ref: 6CF1A313
DeleteObject.GDI32(?), ref: 6CF1A331
CreateSolidBrush.GDI32(?), ref: 6CF1A33B
SetWindowLongW.USER32(?,000000FC,6CF19FD0), ref: 6CF1A394
GetAncestor.USER32(?,00000003), ref: 6CF1A3AE
SetWindowLongW.USER32(?,000000F8,00000000), ref: 6CF1A3B8
SendMessageW.USER32(?), ref: 6CF1A3EC
SendMessageW.USER32(?,000010E7,00000000,?), ref: 6CF1A411
SetPropW.USER32(?,{805DC748-25DE-44F1-A512-3CC72AAC9D49},?), ref: 6CF1A428
SetPropW.USER32(?,{805DC748-25DE-44F1-A512-3CC72AAC9D49},?), ref: 6CF1A439

Strings

edit, xrefs: 6CF1A21D
{805DC748-25DE-44F1-A512-3CC72AAC9D49}, xrefs: 6CF1A420, 6CF1A431
_jy_edit_list_, xrefs: 6CF1A248, 6CF1A295
0, xrefs: 6CF1A206

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Window$Message$Send$ClassCreateLongProp$AncestorBrushDeleteHandleInfoModuleObjectPostQuitRegisterSolid
String ID: 0$_jy_edit_list_$edit${805DC748-25DE-44F1-A512-3CC72AAC9D49}
API String ID: 2508000158-2508486159
Opcode ID: 46f3da0c383c37f36076d02c8e3a431dbd9f388ed2ff3f7569c7fb69b59913be
Instruction ID: 2b79c9f5ca194f4b7cb7ec8502aecb04582ae1dbb6f84f755c30fcb2af86e240
Opcode Fuzzy Hash: 46f3da0c383c37f36076d02c8e3a431dbd9f388ed2ff3f7569c7fb69b59913be
Instruction Fuzzy Hash: 6AB17C70704302AFD704CF25CC89FA6BBF4BF89718F104619FA699B6A1D7B1A814CB95

Function 6CF321F0 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 317windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 6CF3228D
GetObjectA.GDI32(00000000,0000003C,?), ref: 6CF322B1
CreateFontIndirectA.GDI32(?), ref: 6CF322EA

Part of subcall function 6CEF9300: RegisterWindowMessageW.USER32({FA6E5F10-1413-48DB-A752-E7F35C5DF3C5},?,?,D1DC5EAD), ref: 6CEF9378
Part of subcall function 6CEF9300: CreateThread.KERNEL32(00000000,00000000,Function_00009130,?,00000000,00000000), ref: 6CEF93A4

CreateWindowExW.USER32(?,6CF875E0,?,?,?,?,?,?,?,?), ref: 6CF32452
SendMessageA.USER32(00000000,00002005,00000001,00000000), ref: 6CF32467
GetSysColor.USER32(00000004), ref: 6CF324C7
SendMessageW.USER32(?,0000111D,00000000,?), ref: 6CF324E0
GetSysColor.USER32(00000004), ref: 6CF324EE
SendMessageW.USER32(?,0000111E,00000000,?), ref: 6CF32501
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 6CF3251B
SendMessageW.USER32(?,0000111B,00000008,00000000), ref: 6CF32533
SendMessageW.USER32(?,00001109,00000000,00000000), ref: 6CF3256B
SendMessageW.USER32(?,0000110B,00000009), ref: 6CF325A8
GetSysColor.USER32(00000004), ref: 6CF325B9
SendMessageW.USER32(?,00001128,00000000,?), ref: 6CF325CC
SendMessageW.USER32(?,00000030,?,00000001), ref: 6CF325E3
GetWindowLongW.USER32(?,000000F0), ref: 6CF325FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 6CF3261F

Strings

{478011B2-E06D-4B4B-A323-5B4AD8F78DE6}, xrefs: 6CF3276D
SysTreeView32, xrefs: 6CF3247A, 6CF32692

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Message$Send$Window$ColorCreate$LongObject$DeleteFontIndirectRegisterThread
String ID: SysTreeView32${478011B2-E06D-4B4B-A323-5B4AD8F78DE6}
API String ID: 261105507-1627943566
Opcode ID: 2c107fddd6a8341ce2b4bfa657e25f17d67278a352d82c530917b381e95392dc
Instruction ID: 2ecf01983290c4ada80e2f2d49f3e1bf656c2ee750aa6bc2be5da97025d544e3
Opcode Fuzzy Hash: 2c107fddd6a8341ce2b4bfa657e25f17d67278a352d82c530917b381e95392dc
Instruction Fuzzy Hash: 26D18D70B11B16BFEB488F25C989B95BBB1FF08304F105619E6198BA91D7B1F4A4CBD0

Function 6CF09A60 Relevance: 33.2, APIs: 22, Instructions: 241windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6CF09ACC
CreatePen.GDI32(00000000,00000001,FF000000), ref: 6CF09ADC
SelectObject.GDI32(?,00000000), ref: 6CF09AE7
SendMessageW.USER32(?,00001027,00000000,00000000), ref: 6CF09B00
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 6CF09B11
SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 6CF09B1F
SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 6CF09B33
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 6CF09B3F
GetScrollPos.USER32(?,00000000), ref: 6CF09B49
SendMessageW.USER32(?,0000103B,?,?), ref: 6CF09B8E
SendMessageW.USER32(?,0000101D,?,00000000), ref: 6CF09BB6
SendMessageW.USER32(?,0000100E,00000000,?), ref: 6CF09BE7
MoveToEx.GDI32(?,?,?,00000000), ref: 6CF09BFA
LineTo.GDI32(?,?,?), ref: 6CF09C07
MoveToEx.GDI32(?,?,?,00000000), ref: 6CF09C1B
LineTo.GDI32(?,?,?), ref: 6CF09C29
SendMessageW.USER32(?,0000100E,00000003,?), ref: 6CF09C4F
GetWindowRect.USER32(?,?), ref: 6CF09C84
MoveToEx.GDI32(?,?,?,00000000), ref: 6CF09CBD
LineTo.GDI32(?,00000003,?), ref: 6CF09CC8
SelectObject.GDI32(?,?), ref: 6CF09CE2
DeleteObject.GDI32(?), ref: 6CF09CEB

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend$LineMoveObject$RectSelect$ClientCreateDeleteScrollWindow
String ID:
API String ID: 3099576715-0
Opcode ID: 9159c4b33b6ad7b24b2c4dde17d7c9288bc9cb79f243c760f31d98c1d187b6ac
Instruction ID: 55eeda13c1a00c2fe77dca7b2a302dca9be93e9ecde9f161115eeb0bb55be3db
Opcode Fuzzy Hash: 9159c4b33b6ad7b24b2c4dde17d7c9288bc9cb79f243c760f31d98c1d187b6ac
Instruction Fuzzy Hash: 99916571F4020AAFEF008FA5CD84BEDBBB5FF09705F204128F614A6290DBB46A51DB64

Function 6CF04B80 Relevance: 30.2, APIs: 20, Instructions: 250memorywindowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000D), ref: 6CF04C07

Part of subcall function 6CF3BD94: EnterCriticalSection.KERNEL32(6CF9D840,0000000B,?,6CEFAD20,6CF9E7B0), ref: 6CF3BD9E
Part of subcall function 6CF3BD94: LeaveCriticalSection.KERNEL32(6CF9D840,?,6CEFAD20,6CF9E7B0), ref: 6CF3BDD1
Part of subcall function 6CF3BD94: RtlWakeAllConditionVariable.NTDLL ref: 6CF3BE48

CreatePen.GDI32(00000000,00000001,00000000), ref: 6CF04CBC
CreateSolidBrush.GDI32(?), ref: 6CF04CC6
SelectObject.GDI32(?,00000000), ref: 6CF04CD9
SelectObject.GDI32(?,?), ref: 6CF04CE3
Rectangle.GDI32(?,D1DC5EAD,?,?,?), ref: 6CF04CF6
SelectObject.GDI32(?,00000000), ref: 6CF04D11
SelectObject.GDI32(?,00000000), ref: 6CF04D17
DeleteObject.GDI32(?), ref: 6CF04D22
DeleteObject.GDI32(?), ref: 6CF04D27
GdipCreateFromHDC.GDIPLUS(?,?), ref: 6CF04D3F
GlobalAlloc.KERNEL32(00000002,00000104), ref: 6CF04DA4

Part of subcall function 6CF3BDDE: EnterCriticalSection.KERNEL32(6CF9D840,00000503,0000000B,?,6CEFACFF,6CF9E7B0,00000000,00000000,?,6CF04074), ref: 6CF3BDE9
Part of subcall function 6CF3BDDE: LeaveCriticalSection.KERNEL32(6CF9D840,?,6CEFACFF,6CF9E7B0,00000000,00000000,?,6CF04074), ref: 6CF3BE26

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 6CF04DBE
GlobalLock.KERNEL32(00000000), ref: 6CF04DC9
GlobalUnlock.KERNEL32(?), ref: 6CF04DE4
GdipAlloc.GDIPLUS(00000010), ref: 6CF04DEC
GdipCreateBitmapFromStream.GDIPLUS(?,00000000), ref: 6CF04E16
GdipDrawImageRectI.GDIPLUS(00000000,?,?,?,00000010,00000010), ref: 6CF04E77
GdipDeleteGraphics.GDIPLUS(00000000), ref: 6CF04E7E

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Object$CreateGdip$CriticalGlobalSectionSelect$Delete$AllocEnterFromLeaveStream$BitmapBrushColorConditionDrawGraphicsImageLockRectRectangleSolidUnlockVariableWake
String ID:
API String ID: 584105262-0
Opcode ID: 1bb8ad575952f686be52b9527269f693e82919be56ac15afa231d40180c47c7f
Instruction ID: 364e921ff53c1bcaa2ebbb9864f2b5b35b45698d6b35f3307bd586effb4b8d20
Opcode Fuzzy Hash: 1bb8ad575952f686be52b9527269f693e82919be56ac15afa231d40180c47c7f
Instruction Fuzzy Hash: 9EA14771E11618ABDF51CFA8C948BEEBBF5FF49710F248219E869B3250D7706940CBA4

Function 6CF09DC0 Relevance: 28.8, APIs: 19, Instructions: 334windowCOMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?), ref: 6CF09F34
GetDC.USER32(?), ref: 6CF09F40
ReleaseDC.USER32(?,00000000), ref: 6CF09F58
GetCursorPos.USER32(?), ref: 6CF0A068
GetWindowRect.USER32(?,?), ref: 6CF0A080
SendMessageW.USER32(?,00001027,00000000,00000000), ref: 6CF0A09C
SendMessageW.USER32(?,00001028,00000000,00000000), ref: 6CF0A0B6
PtInRect.USER32(?,?,?), ref: 6CF0A0D3
SendMessageW.USER32(?,00001027,00000000,00000000), ref: 6CF0A0F7
SendMessageW.USER32(?,00001028,00000000,00000000), ref: 6CF0A111
SetFocus.USER32(?), ref: 6CF0A135
IsWindowVisible.USER32(?), ref: 6CF0A19C
SendMessageW.USER32(?,00000008,00000000,00000000), ref: 6CF0A1BA
CallWindowProcW.USER32(?,?,?,?), ref: 6CF0A2EF

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend$Window$CallProcRect$CursorFocusReleaseVisible
String ID:
API String ID: 1056779275-0
Opcode ID: 0783469e8fbe1c594dca336a77b2b24ca4d6214753eba0266dd4959ce98d74b1
Instruction ID: 4bc849e635e9d8da6cc26cedc81adf0852e0dee3d6b27b741bc7d783842bfe59
Opcode Fuzzy Hash: 0783469e8fbe1c594dca336a77b2b24ca4d6214753eba0266dd4959ce98d74b1
Instruction Fuzzy Hash: 8EC18971704341AFC704CF64C898FAABBE5FB88B04F140A2DF5A997291D772E814DB92

Function 6CF19980 Relevance: 27.3, APIs: 18, Instructions: 287windowCOMMON

Download Yara Rule

APIs

PostQuitMessage.USER32(00000000), ref: 6CF199E0
SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 6CF19A0F
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 6CF19A1B
GetScrollPos.USER32(?,00000000), ref: 6CF19A2E
SendMessageW.USER32(?,0000100E,?,00000000), ref: 6CF19A61
SendMessageW.USER32(?,0000100E,?,?), ref: 6CF19A87
SendMessageW.USER32(?,0000100E,?,?), ref: 6CF19AAC
SendMessageW.USER32(?,00001037,00000000,00000000), ref: 6CF19AC4
GetWindowLongW.USER32(?,000000F0), ref: 6CF19AE4
SendMessageW.USER32(?,0000101D,00000000,00000000), ref: 6CF19B56

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Message$Send$LongPostQuitScrollWindow
String ID:
API String ID: 1454303256-0
Opcode ID: 6e94e4ac334c344833177ac8b4fe37a68dd492b3fe9a8a87786fb577f39d83d8
Instruction ID: 73861f2954ba9739150bb1ce8957ebe568594919ba97dfdda88bcfa7efc61d54
Opcode Fuzzy Hash: 6e94e4ac334c344833177ac8b4fe37a68dd492b3fe9a8a87786fb577f39d83d8
Instruction Fuzzy Hash: 8FD16B74E14259EFDB14CF24CC85BA9BBB0FF4A314F104299E959A7790DB70AA84CF90

Function 6CF05AB0 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 218COMMON

Download Yara Rule

APIs

GetPropW.USER32(?,{1DE85EBD-ECDD-4091-93D6-D609A63D9DC6}), ref: 6CF05AC0
GetClassLongW.USER32(?,000000EC), ref: 6CF05ADE
GetClassLongW.USER32(?,-000000FC), ref: 6CF05AF4
GetClassLongW.USER32(?,000000F8), ref: 6CF05B03
SetClassLongW.USER32(?,000000F8,00000000), ref: 6CF05BB0
SetClassLongW.USER32(?,?,00000000), ref: 6CF05BB7
RemovePropW.USER32(?,{1DE85EBD-ECDD-4091-93D6-D609A63D9DC6}), ref: 6CF05BDE
CallWindowProcW.USER32(00000000,?,00000002,?,?), ref: 6CF05BF9
SetPropW.USER32(?,{1DE85EBD-ECDD-4091-93D6-D609A63D9DC6},?), ref: 6CF05C28

Strings

{1DE85EBD-ECDD-4091-93D6-D609A63D9DC6}, xrefs: 6CF05ABA, 6CF05BD8, 6CF05C1F, 6CF05CC6, 6CF05CD2

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: ClassLong$Prop$CallProcRemoveWindow
String ID: {1DE85EBD-ECDD-4091-93D6-D609A63D9DC6}
API String ID: 1314334625-1501827269
Opcode ID: 7c52376e943c43228c4bff40d7b4a4ea30fc472a9a60d41801646d115df45682
Instruction ID: cf58a48baf02f3376c3bb74a1c746095fed640012efe187b333ca501eae7959f
Opcode Fuzzy Hash: 7c52376e943c43228c4bff40d7b4a4ea30fc472a9a60d41801646d115df45682
Instruction Fuzzy Hash: 61715832B052559BDB008F39CC94EBABBB4FF9AB15B24834EFD1597241D7B1A840D760

Function 6CF0A525 Relevance: 24.1, APIs: 16, Instructions: 141windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 6CF0A539
GetClientRect.USER32(?,?), ref: 6CF0A54B
CreatePen.GDI32(00000000,00000001,?), ref: 6CF0A55B
SelectObject.GDI32(00000000,00000000), ref: 6CF0A567
SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 6CF0A594
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 6CF0A5A0
SendMessageW.USER32(?,0000103B,?,?), ref: 6CF0A5E6
GetScrollPos.USER32(?,00000000), ref: 6CF0A5EB
SendMessageW.USER32(?,0000101D,?,00000000), ref: 6CF0A627
MoveToEx.GDI32(?,75C05540,?,00000000), ref: 6CF0A637
LineTo.GDI32(?,75C05540,?), ref: 6CF0A643
MoveToEx.GDI32(00000000,?,?,00000000), ref: 6CF0A6AF
LineTo.GDI32(00000000,?,?), ref: 6CF0A6C0
SelectObject.GDI32(00000000,?), ref: 6CF0A6CB
DeleteObject.GDI32(?), ref: 6CF0A6D5
ReleaseDC.USER32(?,00000000), ref: 6CF0A6DD

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend$Object$LineMoveSelect$ClientCreateDeleteRectReleaseScroll
String ID:
API String ID: 3452632813-0
Opcode ID: 4722e3df50d8692792b44c71aaaa685886b1e85b0b74e2623dc90fc64a245a3a
Instruction ID: 393c34f335b0e290b3356bfba9a7eea6da7f6da4fe7e2663b41d0b7411792a60
Opcode Fuzzy Hash: 4722e3df50d8692792b44c71aaaa685886b1e85b0b74e2623dc90fc64a245a3a
Instruction Fuzzy Hash: 42519E31618340BFDB018F64CC88FAEBBF5FF8A704F104A18F695962A1C7B59854DB5A

Function 6CF06D80 Relevance: 21.3, APIs: 14, Instructions: 292windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?,D1DC5EAD,?,?), ref: 6CF06DD4
GetClientRect.USER32(?,?), ref: 6CF06E23
FillRect.USER32(00000000,00000000,?), ref: 6CF06E8D
SetBkMode.GDI32(00000000,00000001), ref: 6CF06E97
GetModuleHandleW.KERNEL32(00000000), ref: 6CF06EC8
SelectObject.GDI32(00000000,00000000), ref: 6CF06EE0
GetScrollPos.USER32(?,00000001), ref: 6CF06EEE
SendMessageW.USER32(?,000010E6,00000000,00000000), ref: 6CF06F1E
FillRect.USER32(?,00000000,?), ref: 6CF0704E
DrawTextW.USER32(?,00000000,000000FF,00000000,00000024), ref: 6CF070D5
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6CF07160
DeleteObject.GDI32(?), ref: 6CF0716E
DeleteDC.GDI32(?), ref: 6CF07176
EndPaint.USER32(?,?), ref: 6CF071A1

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Rect$DeleteFillObjectPaint$BeginClientDrawHandleMessageModeModuleScrollSelectSendText
String ID:
API String ID: 3727618064-0
Opcode ID: fc1fb8373b72adf83a235cdb4ad39a245b2d0a5a7f8e2473256502b41352fa75
Instruction ID: 9530d09b20b9a2486d57d4dbd72d104b274c82db5e0b76917a766e47681c5e26
Opcode Fuzzy Hash: fc1fb8373b72adf83a235cdb4ad39a245b2d0a5a7f8e2473256502b41352fa75
Instruction Fuzzy Hash: 48D14771E00229AFDB64CF25CC41BD9B7B5FF09700F1082DAE958A3680D771AA94CF91

Function 6CF3BCD2 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(6CF9D840,00000FA0,?,?,6CF3BCB0), ref: 6CF3BCDE
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,6CF3BCB0), ref: 6CF3BCE9
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6CF3BCB0), ref: 6CF3BCFA
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 6CF3BD0C
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 6CF3BD1A
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,6CF3BCB0), ref: 6CF3BD3D
DeleteCriticalSection.KERNEL32(6CF9D840,00000007,?,?,6CF3BCB0), ref: 6CF3BD59
CloseHandle.KERNEL32(00000000,?,?,6CF3BCB0), ref: 6CF3BD69

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 6CF3BCE4
WakeAllConditionVariable, xrefs: 6CF3BD12
kernel32.dll, xrefs: 6CF3BCF5
SleepConditionVariableCS, xrefs: 6CF3BD06

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 9a17d85e0add4d9e7066e71189b017831ab43c1a192f3699334a42b09c657476
Instruction ID: 8bc86baeac0e7a41b6c96318910c4ea9bfb8b486d4e0190998260f27e390b3f3
Opcode Fuzzy Hash: 9a17d85e0add4d9e7066e71189b017831ab43c1a192f3699334a42b09c657476
Instruction Fuzzy Hash: 49017531F21AA17BDFA21F73990CB7636B8AB42744B350954F819E2941DAB1C8008BA4

Function 6CF0FE40 Relevance: 19.8, APIs: 13, Instructions: 257windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 6CF0FF3F
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 6CF0FF4F
SendMessageW.USER32(?,00001061,?,?), ref: 6CF0FFA5
SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 6CF1001B
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 6CF10027
GetWindowLongW.USER32(?,000000F0), ref: 6CF10042
SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 6CF1006D
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 6CF10079
GetClientRect.USER32(?,?), ref: 6CF10096
SendMessageW.USER32(?,0000101D,00000000,00000000), ref: 6CF100C5
SetWindowLongW.USER32(?,000000F0,?), ref: 6CF100ED
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000127,?,?), ref: 6CF1010F
CallWindowProcW.USER32(?,?,00000115,00000008,00000000), ref: 6CF10133

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend$Window$Long$CallClientProcRect
String ID:
API String ID: 2108633897-0
Opcode ID: 2c8ff217cef2aac40e5dccda49553f9f4348c9c1a8526d737bd96eec34f186f6
Instruction ID: b250af9f3da6c0f90be563b3cccd92508f16c0553365f13949c0032ec16d178c
Opcode Fuzzy Hash: 2c8ff217cef2aac40e5dccda49553f9f4348c9c1a8526d737bd96eec34f186f6
Instruction Fuzzy Hash: 05A10F34704701AFE744CF18C885F66B7E1BF89B14F2086A8F66A9B7A1D7B0E854CB44

Function 6CF3B110 Relevance: 19.7, APIs: 13, Instructions: 248windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 6CF3B155
SetWindowLongW.USER32(?,000000F0,00000000), ref: 6CF3B17F
GetWindowLongW.USER32(?,000000F0), ref: 6CF3B19F
SendMessageW.USER32(?,0000112D,00000000,00000000), ref: 6CF3B1E7
SendMessageW.USER32(?,0000112D,00000000,00000000), ref: 6CF3B205
SendMessageW.USER32(?,0000112C,?,?), ref: 6CF3B21A
SendMessageW.USER32(?,0000112D,00000000,00000000), ref: 6CF3B260
SendMessageW.USER32(?,0000112D,00000000,00000000), ref: 6CF3B2A7
GetWindowLongW.USER32(?,000000F0), ref: 6CF3B2C4
SendMessageW.USER32(?,0000112D,00000000,00000000), ref: 6CF3B312
SendMessageW.USER32(?,0000112D,00000000,00000000), ref: 6CF3B35C
GetSysColor.USER32(00000004), ref: 6CF3B37C
SendMessageW.USER32(?,00001128,00000000,?), ref: 6CF3B38D

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend$LongWindow$Color
String ID:
API String ID: 4152392018-0
Opcode ID: d99e614cf87b141df8d198efbdf8bec680b8865f7e84801e26782def009f9abd
Instruction ID: 9ac3c7382b49260a39dc100ff2ee3593886404f8396171697d2dc243e5d4f1c1
Opcode Fuzzy Hash: d99e614cf87b141df8d198efbdf8bec680b8865f7e84801e26782def009f9abd
Instruction Fuzzy Hash: A181D472754218AFDB58CF29CC91B9A73E5EF89710F21066DF61DDB780CA71E8018B94

Function 6CF308C0 Relevance: 18.2, APIs: 12, Instructions: 202COMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 6CF30926
GetClientRect.USER32(?,?), ref: 6CF30936
SelectObject.GDI32(00000000,?), ref: 6CF30995
SetBkMode.GDI32(00000000,00000001), ref: 6CF3099E
SetTextColor.GDI32(00000000,?), ref: 6CF309AB
DrawTextW.USER32(00000000,?,000000FF,?,00000000), ref: 6CF309C8
OffsetRect.USER32(?,00000001,00000001), ref: 6CF309E9
EndPaint.USER32(?,?), ref: 6CF30A31
CallWindowProcW.USER32(?,?,?,?), ref: 6CF30A9D

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: PaintRectText$BeginCallClientColorDrawModeObjectOffsetProcSelectWindow
String ID:
API String ID: 1308658712-0
Opcode ID: ef8cada8f802a19f6af97c5eae0549ec87f6400fe9dbef3f94eddd4fab18b14d
Instruction ID: 8584f844585602a71dc49fd4f989e906953a63e91d07ccbe2cb992dc11dd57fc
Opcode Fuzzy Hash: ef8cada8f802a19f6af97c5eae0549ec87f6400fe9dbef3f94eddd4fab18b14d
Instruction Fuzzy Hash: 4161E572614295AFDB00CF65CC45FABB7F9FB89314F100A1AF5AAC2690D7B1D844CBA1

Function 6CF44236 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CF43F7D: CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 6CF43F9A

GetLastError.KERNEL32 ref: 6CF4434A
__dosmaperr.LIBCMT ref: 6CF44351
GetFileType.KERNEL32(00000000), ref: 6CF4435D
GetLastError.KERNEL32 ref: 6CF44367
__dosmaperr.LIBCMT ref: 6CF44370
CloseHandle.KERNEL32(00000000), ref: 6CF44390
CloseHandle.KERNEL32(?), ref: 6CF444DD
GetLastError.KERNEL32 ref: 6CF4450F
__dosmaperr.LIBCMT ref: 6CF44516

Strings

H, xrefs: 6CF4449B

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 7754ce79eef67bb5b4a29498972e46dfe90b0a7832205546e823b9546272387d
Instruction ID: 2de1f446d9de69a89f72ce31e42a916f3359d36b46137623a6361a5f32af694b
Opcode Fuzzy Hash: 7754ce79eef67bb5b4a29498972e46dfe90b0a7832205546e823b9546272387d
Instruction Fuzzy Hash: D7A13532A141559FCF09CF68DC51BAE7FB1AB07328F284249E821EB7D2CB359916CB51

Function 6CF28580 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 270windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000004), ref: 6CF286C3
SendMessageW.USER32(?,00002001,00000000,?), ref: 6CF286DD
SetPropW.USER32(?,{478011B2-E06D-4B4B-A323-5B4AD8F78DE6},?), ref: 6CF28705
DeleteObject.GDI32(?), ref: 6CF2872D
GetObjectA.GDI32(00000000,0000003C,?), ref: 6CF28751
CreateFontIndirectA.GDI32(?), ref: 6CF28790
SendMessageW.USER32(?,00000030,?,00000001), ref: 6CF287AF

Strings

gfff, xrefs: 6CF2859D
{478011B2-E06D-4B4B-A323-5B4AD8F78DE6}, xrefs: 6CF286FD
gfff, xrefs: 6CF285B8

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageObjectSend$ColorCreateDeleteFontIndirectProp
String ID: gfff$gfff${478011B2-E06D-4B4B-A323-5B4AD8F78DE6}
API String ID: 4196777890-1154717430
Opcode ID: 858d53e7d0262c2cad19ac8351f5915d8862ef0856004d68662d5360fddb324d
Instruction ID: 4a7bc61d5b818d2ae95afd0c105a9876e668bb0196d9409b3e88bbc2e917ad5f
Opcode Fuzzy Hash: 858d53e7d0262c2cad19ac8351f5915d8862ef0856004d68662d5360fddb324d
Instruction Fuzzy Hash: A1910332B00205AFDB10DF69D880FAAB7B5FF84314F14866AE919DBB51D731E960CB91

Function 6CF246C0 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 195windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 6CF2471B
GetObjectA.GDI32(00000000,0000003C,?), ref: 6CF2473F
CreateFontIndirectA.GDI32(?), ref: 6CF2477E
SendMessageA.USER32(00000000,00002005,00000001,00000000), ref: 6CF24850
SendMessageW.USER32(?,00000030,?,00000000), ref: 6CF248B5
GetSysColor.USER32(00000004), ref: 6CF248C4
SendMessageW.USER32(?,00002001,00000000,?), ref: 6CF248E2
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 6CF24918

Strings

msctls_statusbar32, xrefs: 6CF24863
static, xrefs: 6CF24808

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend$Object$ColorCreateDeleteFontIndirectMoveWindow
String ID: msctls_statusbar32$static
API String ID: 3248265719-3151833825
Opcode ID: 3f28dbed255db2c2cd3668e5dd9dea3b22c70438bab6ae383eee0ac9b949a12b
Instruction ID: 4b9928ea19f5eec3d5206543b5eea3e920438fd520a27ae2f728c29dd0b7f78a
Opcode Fuzzy Hash: 3f28dbed255db2c2cd3668e5dd9dea3b22c70438bab6ae383eee0ac9b949a12b
Instruction Fuzzy Hash: 0C71CF70A10740AFEB618F65CC84FA6BBF5FF49704F104918F9AA87A90D7B4E494CB54

Function 6CF05900 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 146windowCOMMON

Download Yara Rule

APIs

GetPropW.USER32(?,{805DC748-25DE-44F1-A512-3CC72AAC9D49}), ref: 6CF0590D
SendMessageW.USER32(?,0000000C,00000000), ref: 6CF05945
GetTickCount64.KERNEL32 ref: 6CF0594B
GetPropW.USER32(?,{805DC748-25DE-44F1-A512-3CC72AAC9D49}), ref: 6CF059AB
SetTextColor.GDI32(?,?), ref: 6CF059D3
CreateSolidBrush.GDI32(00FBF3E5), ref: 6CF059F1
FillRect.USER32(?,?,00000000), ref: 6CF059FE
DeleteObject.GDI32(00000000), ref: 6CF05A05
DrawTextW.USER32(?,?,000000FF,?,00008024), ref: 6CF05A4E

Strings

{805DC748-25DE-44F1-A512-3CC72AAC9D49}, xrefs: 6CF05905, 6CF0599F, 6CF05A73

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: PropText$BrushColorCount64CreateDeleteDrawFillMessageObjectRectSendSolidTick
String ID: {805DC748-25DE-44F1-A512-3CC72AAC9D49}
API String ID: 2841610567-3310409241
Opcode ID: 2f9d3e6a9e1fe72d0675737dffc95576b6cdf9ff519daa33d88bbad4ac4d1f07
Instruction ID: 85ebdd9a6b91ed8614133dcde3b07f2f55ad4ffe977e7f0d21eadc531c53c820
Opcode Fuzzy Hash: 2f9d3e6a9e1fe72d0675737dffc95576b6cdf9ff519daa33d88bbad4ac4d1f07
Instruction Fuzzy Hash: 36411831B00609AFCB00CFA9C899ABE7BB4EF49715F244159F919D7700CB71A904DB94

Function 6CF14590 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 6CF14600
ScreenToClient.USER32(?,?), ref: 6CF14625
ScreenToClient.USER32(?,?), ref: 6CF1462E
GetWindow.USER32(?,00000003), ref: 6CF146A3
SetPropW.USER32(?,{478011B2-E06D-4B4B-A323-5B4AD8F78DE6},?), ref: 6CF146C3
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 6CF146D5
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000003), ref: 6CF14720

Strings

{478011B2-E06D-4B4B-A323-5B4AD8F78DE6}, xrefs: 6CF146BB
M, xrefs: 6CF1472F, 6CF14744

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Window$ClientScreen$MessagePostPropRect
String ID: M${478011B2-E06D-4B4B-A323-5B4AD8F78DE6}
API String ID: 889213118-2259455005
Opcode ID: d7e1ad6833ea28b6bde7cfeeca3940cc13d90123554bb89c0f03aa13534e8397
Instruction ID: 454e52da0c1080617a2408a8034f2d27974e71006cd6fb71cd500a2ae1851247
Opcode Fuzzy Hash: d7e1ad6833ea28b6bde7cfeeca3940cc13d90123554bb89c0f03aa13534e8397
Instruction Fuzzy Hash: 99615C72E10219AFDF04CFA5DD84BAEBBB5FF89718F240119E914A7690D735A901CF90

Function 6CF27500 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 6CF27570
ScreenToClient.USER32(?,?), ref: 6CF27595
ScreenToClient.USER32(?,?), ref: 6CF2759E
GetWindow.USER32(00000000,00000003), ref: 6CF27613
SetPropW.USER32(00000000,{478011B2-E06D-4B4B-A323-5B4AD8F78DE6},00000000), ref: 6CF27633
PostMessageW.USER32(00000000,00000010,00000000,00000000), ref: 6CF27645
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000003), ref: 6CF27690

Strings

{478011B2-E06D-4B4B-A323-5B4AD8F78DE6}, xrefs: 6CF2762B
M, xrefs: 6CF2769F, 6CF276B4

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Window$ClientScreen$MessagePostPropRect
String ID: M${478011B2-E06D-4B4B-A323-5B4AD8F78DE6}
API String ID: 889213118-2259455005
Opcode ID: 4c8de7daa9c9bfc776aa0de3d8216c59ff28aa3487c129856d8bdf818efdf436
Instruction ID: 10ea5f840f82b2f22bd89627ac7c5352fd74ee850997261b9d5bf67e22244535
Opcode Fuzzy Hash: 4c8de7daa9c9bfc776aa0de3d8216c59ff28aa3487c129856d8bdf818efdf436
Instruction Fuzzy Hash: 81616D72E01219AFDF05CFE8C881FAEBBB5FF48714F20411AE925A7690D735A901CB90

Function 6CF2D7C0 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 6CF2D830
ScreenToClient.USER32(?,?), ref: 6CF2D855
ScreenToClient.USER32(?,?), ref: 6CF2D85E
GetWindow.USER32(00000000,00000003), ref: 6CF2D8D3
SetPropW.USER32(00000000,{478011B2-E06D-4B4B-A323-5B4AD8F78DE6},00000000), ref: 6CF2D8F3
PostMessageW.USER32(00000000,00000010,00000000,00000000), ref: 6CF2D905
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000003), ref: 6CF2D950

Strings

{478011B2-E06D-4B4B-A323-5B4AD8F78DE6}, xrefs: 6CF2D8EB
M, xrefs: 6CF2D95F, 6CF2D974

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Window$ClientScreen$MessagePostPropRect
String ID: M${478011B2-E06D-4B4B-A323-5B4AD8F78DE6}
API String ID: 889213118-2259455005
Opcode ID: 5c37aa8ebb9b6aa7ff933caeaa3c7a227513a4d7b82a490014923d657c0040c6
Instruction ID: b8538ac111e5c2e41be5fe009aba167f14d62896eca8ed050774289ea7ef3785
Opcode Fuzzy Hash: 5c37aa8ebb9b6aa7ff933caeaa3c7a227513a4d7b82a490014923d657c0040c6
Instruction Fuzzy Hash: 71613672E01219AFDF05CFE8C890BEEBBB5FF48714F244119E925A7690D775A901CBA0

Function 6CF38780 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 6CF387F0
ScreenToClient.USER32(?,?), ref: 6CF38815
ScreenToClient.USER32(?,?), ref: 6CF3881E
GetWindow.USER32(?,00000003), ref: 6CF38893
SetPropW.USER32(?,{478011B2-E06D-4B4B-A323-5B4AD8F78DE6},?), ref: 6CF388B3
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 6CF388C5
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000003), ref: 6CF38910

Strings

{478011B2-E06D-4B4B-A323-5B4AD8F78DE6}, xrefs: 6CF388AB
M, xrefs: 6CF3891F, 6CF38934

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Window$ClientScreen$MessagePostPropRect
String ID: M${478011B2-E06D-4B4B-A323-5B4AD8F78DE6}
API String ID: 889213118-2259455005
Opcode ID: f5d9ad7c5b4ded01e594af1822a31b102a09ef210b859852667c95c60e877147
Instruction ID: 6707e1e030b892ad5e5582785bf120a42eecd1f8480c7c62544dedcd336298af
Opcode Fuzzy Hash: f5d9ad7c5b4ded01e594af1822a31b102a09ef210b859852667c95c60e877147
Instruction Fuzzy Hash: 1C617172E01219AFDF05CFA8CC84BEEBBB5FF48714F20411AE925A7690C735A901CB90

Function 6CF05D00 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 199COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 6CF05D86
GetClassInfoExW.USER32(00000000,00000000,00000030), ref: 6CF05DA3
GetModuleHandleW.KERNEL32(00000000), ref: 6CF05DE5
GetClassInfoExW.USER32(00000000,00000000,00000030), ref: 6CF05DFC
LoadCursorW.USER32(00000000,00007F00), ref: 6CF05E3E

Strings

0, xrefs: 6CF05D57
y, xrefs: 6CF05F40

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: ClassHandleInfoModule$CursorLoad
String ID: 0$y
API String ID: 737057163-52106428
Opcode ID: 87cc675f9356a78908c1defe84c1f2834d9c3219bab6a11acd7c82494fe1cde1
Instruction ID: 9e5b79b3bf34a81785afdf9e2059d2924f12db16f673d65ea8509a0a8e771819
Opcode Fuzzy Hash: 87cc675f9356a78908c1defe84c1f2834d9c3219bab6a11acd7c82494fe1cde1
Instruction Fuzzy Hash: DA710E31B197418BEB00DF38D855BAAB7F8FF95748F144A2EE854C7201EB70E4448B96

Function 6CF46AE2 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 487COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6CF46EBA

Strings

p, xrefs: 6CF46BDF
p, xrefs: 6CF46C41
f, xrefs: 6CF46BF4
f, xrefs: 6CF46C3A
:, xrefs: 6CF46BAD
p, xrefs: 6CF46BFB
f, xrefs: 6CF46BD8

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: __aulldiv
String ID: :$f$f$f$p$p$p
API String ID: 3732870572-1434680307
Opcode ID: 9d3279c77f3055d21714abccd81905956dc148df01a015e8ddcd5d00d72a93e8
Instruction ID: fbf2d68c76802c8762ec9a5e06cfa96f406dbada25f7b68fc510b52481d82faf
Opcode Fuzzy Hash: 9d3279c77f3055d21714abccd81905956dc148df01a015e8ddcd5d00d72a93e8
Instruction Fuzzy Hash: 5B029675A03108CADB20CFA9D454ADEBFB2FF40B19F64C116E455BBA82D7348D89CB52

Function 6CF05FA0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 116windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 6CF05FA9
GetModuleHandleW.KERNEL32(00000000), ref: 6CF06022
CreateWindowExW.USER32(?,00000000), ref: 6CF0605A
SetPropW.USER32(00000000,{1DE85EBD-ECDD-4091-93D6-D609A63D9DC6},?), ref: 6CF0608C
SetWindowLongW.USER32(?,000000FC,Function_00015AB0), ref: 6CF060AB
GetModuleHandleW.KERNEL32(00000000), ref: 6CF060E2
SendMessageW.USER32(?,00000030,00000000,00000000), ref: 6CF06104

Strings

{1DE85EBD-ECDD-4091-93D6-D609A63D9DC6}, xrefs: 6CF06086

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Window$HandleModule$CreateLongMessagePropSend
String ID: {1DE85EBD-ECDD-4091-93D6-D609A63D9DC6}
API String ID: 3353306537-1501827269
Opcode ID: 35d7902b8e917be064b17ff41c4fa6ca5fcbe05fd6b2a64aeb9e96ec00e765fa
Instruction ID: 8f8dc5a8c041069c9bf0903368695e96ac1270468daffdcee4d43fb3eeb982d0
Opcode Fuzzy Hash: 35d7902b8e917be064b17ff41c4fa6ca5fcbe05fd6b2a64aeb9e96ec00e765fa
Instruction Fuzzy Hash: BD416970B20701AFEF909F66C844B667BF4FB09714F108519F86986A61E7B1A890DB92

Function 6CF1F800 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

ImageList_Destroy.COMCTL32(?), ref: 6CF1F881
GlobalAlloc.KERNEL32(00000042,?), ref: 6CF1F89C
CreateStreamOnHGlobal.OLE32(00000000,00000001,00000000), ref: 6CF1F8B4
GlobalLock.KERNEL32(?), ref: 6CF1F8CF
GlobalUnlock.KERNEL32(?), ref: 6CF1F8E7
ImageList_Read.COMCTL32(00000000), ref: 6CF1F8FE
GlobalFree.KERNEL32(?), ref: 6CF1F929

Strings

MITL, xrefs: 6CF1F835

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Global$ImageList_$AllocCreateDestroyFreeLockReadStreamUnlock
String ID: MITL
API String ID: 1660572485-2529983576
Opcode ID: 25756e4215cb975258d9e6ed72203d9748cc750ffa5c0929752aac38126afeb8
Instruction ID: 2d96c193d00076226d1b1faad2a11710a33b80ca6ad30b3678f482d45365b515
Opcode Fuzzy Hash: 25756e4215cb975258d9e6ed72203d9748cc750ffa5c0929752aac38126afeb8
Instruction Fuzzy Hash: 58419175F05205EBDB80DF65CC84AAEBBB4FF05319F248069E859EBA40DB71D900CBA0

Function 6CF19FD0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetPropW.USER32(?,{805DC748-25DE-44F1-A512-3CC72AAC9D49}), ref: 6CF19FDE
DefWindowProcW.USER32(?,?,?,?), ref: 6CF19FF4
GetFocus.USER32 ref: 6CF1A033
GetTickCount64.KERNEL32 ref: 6CF1A03C
IsWindowVisible.USER32(?), ref: 6CF1A07A
CallWindowProcW.USER32(?,?,?,?,?), ref: 6CF1A0C7

Strings

{805DC748-25DE-44F1-A512-3CC72AAC9D49}, xrefs: 6CF19FD8

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Window$Proc$CallCount64FocusPropTickVisible
String ID: {805DC748-25DE-44F1-A512-3CC72AAC9D49}
API String ID: 3415482201-3310409241
Opcode ID: 0f73e3712ee8e76d579dab10408723de659938871551485adb3c719e241eeba4
Instruction ID: 98251e41d5d334130de035cc1c0af2983be2ec6c9056aae43857eae404bb5a36
Opcode Fuzzy Hash: 0f73e3712ee8e76d579dab10408723de659938871551485adb3c719e241eeba4
Instruction Fuzzy Hash: ED319A76705305AFDB108F26C988BAA7BF8EF48314F208419F96AC7A41C771E810CB64

Function 6CF38A40 Relevance: 13.8, APIs: 9, Instructions: 250timeCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(00000000), ref: 6CF38C07
ScreenToClient.USER32(?,00000000), ref: 6CF38C11
CallWindowProcW.USER32(0000004E,?,00001111,00000000,00000000), ref: 6CF38C36
CallWindowProcW.USER32(0000004E,?,0000110B,00000009,?), ref: 6CF38C59
SetTimer.USER32(?,00000000,0000000A,6CF38D50), ref: 6CF38C66
GetCursorPos.USER32(?), ref: 6CF38C8B
ScreenToClient.USER32(?,?), ref: 6CF38C99

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: CallClientCursorProcScreenWindow$Timer
String ID:
API String ID: 803889119-0
Opcode ID: dd22d46a6f528e2e109cf2a3df30ab85975f68d90bc47f1a4309a226bca97c8c
Instruction ID: 4376eb548b36c32b792a1178b6f076a8798fd00a6509aa26397b0e38bfc7bda7
Opcode Fuzzy Hash: dd22d46a6f528e2e109cf2a3df30ab85975f68d90bc47f1a4309a226bca97c8c
Instruction Fuzzy Hash: A4811F71604311BFE710CB24CC82FAAB7A4AF85718F20461BF69ADB6D0C7B4E8418A95

Function 6CF308A2 Relevance: 13.7, APIs: 9, Instructions: 189COMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 6CF30926
GetClientRect.USER32(?,?), ref: 6CF30936
SelectObject.GDI32(00000000,?), ref: 6CF30995
SetBkMode.GDI32(00000000,00000001), ref: 6CF3099E
SetTextColor.GDI32(00000000,?), ref: 6CF309AB
DrawTextW.USER32(00000000,?,000000FF,?,00000000), ref: 6CF309C8
OffsetRect.USER32(?,00000001,00000001), ref: 6CF309E9
EndPaint.USER32(?,?), ref: 6CF30A31
CallWindowProcW.USER32(?,?,?,?), ref: 6CF30A9D

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: PaintRectText$BeginCallClientColorDrawModeObjectOffsetProcSelectWindow
String ID:
API String ID: 1308658712-0
Opcode ID: fb1e30035450c3e7aa36f5d1359bf1613dc9bd81cb07087d6f6776c711190932
Instruction ID: d09ff03501e0db70c31a5319f53622b69ca619c196b6fd7454a4731801761341
Opcode Fuzzy Hash: fb1e30035450c3e7aa36f5d1359bf1613dc9bd81cb07087d6f6776c711190932
Instruction Fuzzy Hash: 7751D372615290AFDB04CF65CC45FABBBF8FB49314F10091AF5AAC6690D7B1D805CBA1

Function 6CF36440 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 335windowCOMMON

Download Yara Rule

APIs

GetPropW.USER32(?,{343BF546-3975-41C8-94EB-47E67E2B3670}), ref: 6CF3650C

Part of subcall function 6CF38620: SendMessageW.USER32(?,00001105,00000000,00000000), ref: 6CF38647

GetPropW.USER32(?,{343BF546-3975-41C8-94EB-47E67E2B3670}), ref: 6CF3662F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 6CF366EB
SendMessageW.USER32(?,0000110A,?,?), ref: 6CF36706
SendMessageW.USER32(?,0000110A,00000001,?), ref: 6CF36775
SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 6CF367B6

Part of subcall function 6CF389B0: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 6CF389C7
Part of subcall function 6CF389B0: SendMessageW.USER32(448D026A,0000110A,00000001,00000000), ref: 6CF38A19

Strings

{343BF546-3975-41C8-94EB-47E67E2B3670}, xrefs: 6CF36504, 6CF36627

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend$Prop
String ID: {343BF546-3975-41C8-94EB-47E67E2B3670}
API String ID: 1471249206-1567992397
Opcode ID: 351bce2e1d2f259305f4be9ee45959135fe41f1fe210242b104ce4a5dd3562b6
Instruction ID: f214f917ca286da902f4abe7356b270c4080f001ebd7a91690034f09e6067b38
Opcode Fuzzy Hash: 351bce2e1d2f259305f4be9ee45959135fe41f1fe210242b104ce4a5dd3562b6
Instruction Fuzzy Hash: 96D15E71D01229ABDF14CF64C884BEEBBB5BF48314F245219F919E7680DB74A945CBE0

Function 6CF3DA10 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 6CF3DB2F
___TypeMatch.LIBVCRUNTIME ref: 6CF3DC3D
_UnwindNestedFrames.LIBCMT ref: 6CF3DD8F
CallUnexpected.LIBVCRUNTIME ref: 6CF3DDAA

Strings

csm, xrefs: 6CF3DA4D
csm, xrefs: 6CF3DB66
csm, xrefs: 6CF3DABA

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 664e8e037caef375a51fe72dfe7c580dda73097241e2bc5413672e185429b8f4
Instruction ID: a7fdeb1cf201aa8ca7975f25d43314c8e0f957a9bde8f564cb25e049595c36b9
Opcode Fuzzy Hash: 664e8e037caef375a51fe72dfe7c580dda73097241e2bc5413672e185429b8f4
Instruction Fuzzy Hash: 48B19A71820229FFCF0ACFA4C980A9EBBB5FF44318B14655AE8196BB11C731DA51CBD1

Function 6CF2F5F0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 6CF2F67A
GetObjectA.GDI32(00000000,0000003C,?), ref: 6CF2F69E
CreateFontIndirectA.GDI32(?), ref: 6CF2F6DD
CreateWindowExW.USER32(?,?,54000100,?,?,?,?,?,?), ref: 6CF2F736
SendMessageA.USER32(00000000,00002005,00000001,00000000), ref: 6CF2F74B

Strings

<, xrefs: 6CF2F6AC
, xrefs: 6CF2F6FA

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: CreateObject$DeleteFontIndirectMessageSendWindow
String ID: $<
API String ID: 2315921265-428540627
Opcode ID: 74d6abdafa34226fdb09b2960379b68d672d1017738bd06121a417a951111af1
Instruction ID: bfa840bd6bffade3a888abf37f4845a41f8019ed22d7903680e1d854873646e2
Opcode Fuzzy Hash: 74d6abdafa34226fdb09b2960379b68d672d1017738bd06121a417a951111af1
Instruction Fuzzy Hash: EB41CD71A20304ABDF418F64C985B96BFB8FF49304F148669ED489F616E771E498CBA0

Function 6CEFC370 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 6CEFC3D5
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 6CEFC3ED
GetFileSize.KERNEL32(00000000,00000000), ref: 6CEFC3FF
GetLastError.KERNEL32 ref: 6CEFC40C
ReadFile.KERNEL32(00000000,-00000008,00000000,?), ref: 6CEFC462
CloseHandle.KERNEL32(00000000), ref: 6CEFC480

Strings

M, xrefs: 6CEFC412

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastPointerReadSize
String ID: M
API String ID: 2615290210-519822722
Opcode ID: 4f154c9728f0572215a852ec5096e9591e080bc424a6a995eb77ecf44209b5ca
Instruction ID: 9f0879bed8378b1499e9e5ec155d79158cbadb1f77f5ee2d587473274680406f
Opcode Fuzzy Hash: 4f154c9728f0572215a852ec5096e9591e080bc424a6a995eb77ecf44209b5ca
Instruction Fuzzy Hash: F831B371B057419BD720DF24CC45B6A77B8AB85B18F304A1CF8B9977C0E770E9068AA6

Function 6CF3B0E0 Relevance: 12.2, APIs: 8, Instructions: 232windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 6CF3B155
SetWindowLongW.USER32(?,000000F0,00000000), ref: 6CF3B17F
GetWindowLongW.USER32(?,000000F0), ref: 6CF3B19F
SendMessageW.USER32(?,0000112D,00000000,00000000), ref: 6CF3B1E7
SendMessageW.USER32(?,0000112D,00000000,00000000), ref: 6CF3B205
SendMessageW.USER32(?,0000112C,?,?), ref: 6CF3B21A
SendMessageW.USER32(?,0000112D,00000000,00000000), ref: 6CF3B260
SendMessageW.USER32(?,0000112D,00000000,00000000), ref: 6CF3B2A7
GetWindowLongW.USER32(?,000000F0), ref: 6CF3B2C4
SendMessageW.USER32(?,0000112D,00000000,00000000), ref: 6CF3B312
SendMessageW.USER32(?,0000112D,00000000,00000000), ref: 6CF3B35C
GetSysColor.USER32(00000004), ref: 6CF3B37C
SendMessageW.USER32(?,00001128,00000000,?), ref: 6CF3B38D

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend$LongWindow$Color
String ID:
API String ID: 4152392018-0
Opcode ID: f64b489ed577585bc869256c38139d708a06564bb2e39f32bc599d838b302377
Instruction ID: d9a7fa1d44e19f07b3ddfdbdf783b6f0d1bc00224ab917e6ef1d69f4c3900439
Opcode Fuzzy Hash: f64b489ed577585bc869256c38139d708a06564bb2e39f32bc599d838b302377
Instruction Fuzzy Hash: F071F7367156149FDB44CF29C890BAA77F1EF8A714F2446AEE91DCB780C771E8018B90

Function 6CF24DA0 Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000004), ref: 6CF24E90
CreateSolidBrush.GDI32(?), ref: 6CF24E97
FillRect.USER32(?,?,00000000), ref: 6CF24EA7
DeleteObject.GDI32(00000000), ref: 6CF24EAE
SetTextColor.GDI32(?,00FFFF00), ref: 6CF24EBC
IsWindow.USER32(?), ref: 6CF24EF5
GetWindowLongW.USER32(?,000000F0), ref: 6CF24F1D
MoveWindow.USER32(?,00000000,00000000,00000001,00000001,00000001), ref: 6CF24F41

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Window$Color$BrushCreateDeleteFillLongMoveObjectRectSolidText
String ID:
API String ID: 171756483-0
Opcode ID: 7e21a15c6f205264c117faa4d5f26226e7f36fb683c9b7949907e2ad9f0efd24
Instruction ID: aefd2236d439e4b8059a6398661488c3a76c478948e6c49a486a108723aa0e3e
Opcode Fuzzy Hash: 7e21a15c6f205264c117faa4d5f26226e7f36fb683c9b7949907e2ad9f0efd24
Instruction Fuzzy Hash: F851F332700204AFDB219FA4DC95FAABBB8FB46320F204265F625DB5D0D7B5E950CB90

Function 6CF1A670 Relevance: 12.1, APIs: 8, Instructions: 138windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000030,?,00000001), ref: 6CF1A6E5
SendMessageW.USER32(?,0000000C,00000000,00000000), ref: 6CF1A6FA
MoveWindow.USER32(00000000,?,?,?,?,00000001,?,?,?,?,?,?,?,?,75C0EC20,?), ref: 6CF1A74B
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,?,?,?,?,?,?,?,?,75C0EC20), ref: 6CF1A766
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 6CF1A794
SendMessageW.USER32(?,000000B7,00000000,00000000), ref: 6CF1A7A2
ShowWindow.USER32(?,00000005,?,?,?,?,?,?,?,?,75C0EC20,?), ref: 6CF1A7B4
SetFocus.USER32(?,?,?,?,?,?,?,?,?,75C0EC20,?), ref: 6CF1A7C3

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend$Window$FocusMoveShow
String ID:
API String ID: 3714846255-0
Opcode ID: 14767b4c5188ae830c1ee72b4dcfd2df70dc688d4ef22ea5089e852937608acd
Instruction ID: f597068952f3ebf0157747d6ca05158020f31e2eefd7bbf8c581880447b89b71
Opcode Fuzzy Hash: 14767b4c5188ae830c1ee72b4dcfd2df70dc688d4ef22ea5089e852937608acd
Instruction Fuzzy Hash: 73414D74B00205AFEB14CF65CC85FAABBB9FF48714F108218F929A7690D771E914CB94

Function 6CF0A7CE Relevance: 12.0, APIs: 8, Instructions: 50COMMON

Download Yara Rule

APIs

CreatePen.GDI32(00000000,00000001,?), ref: 6CF0A7E5
SelectObject.GDI32(?,00000000), ref: 6CF0A7F1
MoveToEx.GDI32(?,00000000,?,00000000), ref: 6CF0A804
LineTo.GDI32(?,00000000,?), ref: 6CF0A811
SetPixel.GDI32(?,00000000,?,?), ref: 6CF0A82F
SelectObject.GDI32(?,?), ref: 6CF0A83A
DeleteObject.GDI32(?), ref: 6CF0A844
ReleaseDC.USER32 ref: 6CF0A84C

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Object$Select$CreateDeleteLineMovePixelRelease
String ID:
API String ID: 3665830648-0
Opcode ID: c2742c85f2eba6f477c16b9651f7f1102514eaadc5b922a965cca9f06530f164
Instruction ID: 7d638fea44c7d1edb283ce3ba06cfb1179dfe8298c9208471f7e213a7c89f6be
Opcode Fuzzy Hash: c2742c85f2eba6f477c16b9651f7f1102514eaadc5b922a965cca9f06530f164
Instruction Fuzzy Hash: 8D11AD71758380BFDB415B718C88BAABBB8FF4A301F200908F6D995191C7F58850DB59

Function 6CF07450 Relevance: 10.9, APIs: 7, Instructions: 358COMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32(00FFFFFF), ref: 6CF0784C
CreateSolidBrush.GDI32(00FFF3E5), ref: 6CF07858
CreateSolidBrush.GDI32(00FFE8CD), ref: 6CF07864
CreateSolidBrush.GDI32(00FFE9D2), ref: 6CF07870
CreateSolidBrush.GDI32(00D9D9D9), ref: 6CF0787C
InitializeCriticalSection.KERNEL32(?,?,00000018,00000004,0000000C,00000004,00000400,00000004,00000400,00000004,?,?,?,?,D1DC5EAD), ref: 6CF0797D
InitializeCriticalSection.KERNEL32(?,?,00000018,00000004,0000000C,00000004,00000400,00000004,00000400,00000004,?,?,?,?,D1DC5EAD), ref: 6CF07985

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: BrushCreateSolid$CriticalInitializeSection
String ID:
API String ID: 1954606325-0
Opcode ID: b969ee303d6b9e6f12d5d5badf26f5b7e79904e907b192bcfa102962a19f0e8a
Instruction ID: a7982a33a5e5b20a2fb362b07e42fa810c39618e10778fdc38c32e94b077873f
Opcode Fuzzy Hash: b969ee303d6b9e6f12d5d5badf26f5b7e79904e907b192bcfa102962a19f0e8a
Instruction Fuzzy Hash: 260249B0A01715AFEB14CF24C814B9ABBF0FF05718F218649E5686F3A1D7B5A984CBD1

Function 6CF507D3 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 6CF50859

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 7a0da33c6a8347ca1116db0dc4c99da51f0c22c7dd5aba92502bf5c9a9d4ebe8
Instruction ID: 5f8f183eb13c068c57d751157b3d48441377fe663b725956f08f5c3367108513
Opcode Fuzzy Hash: 7a0da33c6a8347ca1116db0dc4c99da51f0c22c7dd5aba92502bf5c9a9d4ebe8
Instruction Fuzzy Hash: 53B17872A05395AFEB05CF64CC81BEE7BB4EF2631CF544156E604AB782D7B09921C7A0

Function 6CF195F0 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 6CF19701
GetClassNameW.USER32(00000000,?,00000104), ref: 6CF1971D
GetWindow.USER32(00000000,00000002), ref: 6CF19742
GetWindowTextLengthW.USER32(00000000), ref: 6CF197F8
GetWindowTextW.USER32(?,00000010,?), ref: 6CF1985F

Strings

edit, xrefs: 6CF19729

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Window$Text$ClassLengthName
String ID: edit
API String ID: 3948557493-2167791130
Opcode ID: aaa7d4f001f614374ad0608013f3d2d6dd5905fe213a657f7466b5d93f9c6148
Instruction ID: 351f293ee8c9df4fd48a5b1b87e9f13ef3fcfef8c2d32f57e57f1330db0584dd
Opcode Fuzzy Hash: aaa7d4f001f614374ad0608013f3d2d6dd5905fe213a657f7466b5d93f9c6148
Instruction Fuzzy Hash: 14A1C371905616AFDB148F65DC84BAAB7B4FF08314F1002A9E81997F81EF70DA44CF90

Function 6CF1A800 Relevance: 10.7, APIs: 7, Instructions: 233windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6CF1AA59
SendMessageW.USER32(00000000,?,?), ref: 6CF1AA66
GetParent.USER32(?), ref: 6CF1AA81
SendMessageW.USER32(00000000,0000004E,00000000,?), ref: 6CF1AA90
SendMessageW.USER32(?,00001074,?,?), ref: 6CF1AAC1
ShowWindow.USER32(?,00000000,?,?), ref: 6CF1AAD9
ShowWindow.USER32(?,00000000,?,?), ref: 6CF1AAEB

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend$ParentShowWindow
String ID:
API String ID: 540303654-0
Opcode ID: 5516ae51c2fab8b6ab9fc3b53eb9425f584ad06e94223b10768d4f5fae71fb09
Instruction ID: 2e0dbefe54c90e5a59631a31d9b18831eddcc401f84bae46e332c0d8c528b982
Opcode Fuzzy Hash: 5516ae51c2fab8b6ab9fc3b53eb9425f584ad06e94223b10768d4f5fae71fb09
Instruction Fuzzy Hash: 49A1DF70A09358DFDB24CF64C981BDAB7F4AF05314F1442A9E958ABB85D770A988CF50

Function 6CF21330 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 172windowCOMMON

Download Yara Rule

APIs

SetPropW.USER32(?,{478011B2-E06D-4B4B-A323-5B4AD8F78DE6},?), ref: 6CF21375
SendMessageW.USER32(?,0000102F,05F5E100,00000003), ref: 6CF21409
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000127,?,05F5E100,000000FF,00000000,00000001), ref: 6CF214CC
SendMessageW.USER32(?,00001037,00000000,00000000), ref: 6CF21500
SendMessageW.USER32(?,00001036,00000000,00000000), ref: 6CF2152A

Strings

{478011B2-E06D-4B4B-A323-5B4AD8F78DE6}, xrefs: 6CF2136D

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend$PropWindow
String ID: {478011B2-E06D-4B4B-A323-5B4AD8F78DE6}
API String ID: 475322447-2367190246
Opcode ID: 321d3331e3928a5a705a1412cef02c1f1b2b6dffce3a352dddc42d051a9c9045
Instruction ID: 71f54930de9717e882bedcf69e0db18ab7fe90926b99357f3426e9e8e377c96f
Opcode Fuzzy Hash: 321d3331e3928a5a705a1412cef02c1f1b2b6dffce3a352dddc42d051a9c9045
Instruction Fuzzy Hash: 28518B31B00609AFDB08CF68C881BD9B7A5FB09315F208269EA29CB680D775AD54CBD4

Function 6CF33840 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 6CF3386F
SendMessageW.USER32 ref: 6CF338AA
SendMessageW.USER32(?,0000113E,00000000,?), ref: 6CF33966
SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 6CF339AE
SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 6CF339C9
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 6CF339EF
SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 6CF33A0A

Part of subcall function 6CF3D452: RaiseException.KERNEL32(E06D7363,00000001,00000003,#l,?,?,?,?,6CEF23E0,?,6CF8EFE8,?,?,?,6CF02EDF,?), ref: 6CF3D4B2

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend$ExceptionRaise
String ID:
API String ID: 1853712985-0
Opcode ID: 30aaca1b84eb1e21dc49a6e75db921ca069d7269cf6734930a87b1e4b01018c5
Instruction ID: 171497d7dfab89d5a8331923799b381d72685a7bd0e1a91c9491f08e4d9f2d72
Opcode Fuzzy Hash: 30aaca1b84eb1e21dc49a6e75db921ca069d7269cf6734930a87b1e4b01018c5
Instruction Fuzzy Hash: 6251C171A49350AFD715CF24C846B6BBBE1EF88714F11491CFA699B380DBB1D805CB91

Function 6CF11490 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 162threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6CF114FD
GetWindowThreadProcessId.USER32(?,00000000), ref: 6CF1151A
GetWindowRect.USER32(?,?), ref: 6CF1154B
GetParent.USER32(?), ref: 6CF11556
CallWindowProcW.USER32(?,?,00000115,00000008,00000000), ref: 6CF1164D

Strings

M, xrefs: 6CF1161F

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Window$Thread$CallCurrentParentProcProcessRect
String ID: M
API String ID: 2840136335-519822722
Opcode ID: 2682c65793d6e6203d424a5c4f4c492544b32ad1c8d444ca9788d47ee975d1b5
Instruction ID: 1202814e0357b5236206180dd058464e089299edccc732df4903bd807d1d73a5
Opcode Fuzzy Hash: 2682c65793d6e6203d424a5c4f4c492544b32ad1c8d444ca9788d47ee975d1b5
Instruction Fuzzy Hash: 975155347082019FDB44CF29C881B6AB7F5FF59358F1486A9E85A8BB51E731E810CF92

Function 6CF3CE70 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6CF3CEA7
___except_validate_context_record.LIBVCRUNTIME ref: 6CF3CEAF
_ValidateLocalCookies.LIBCMT ref: 6CF3CF38
__IsNonwritableInCurrentImage.LIBCMT ref: 6CF3CF63
_ValidateLocalCookies.LIBCMT ref: 6CF3CFB8

Strings

csm, xrefs: 6CF3CF4D

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 4b017677fb3968fa99075375b005600f13058692724ad62936bc11cb44df7c29
Instruction ID: f7770b9ee4e7c9f7499ac98f7a560d7057b60156a78fbf666521320b5f22f3e9
Opcode Fuzzy Hash: 4b017677fb3968fa99075375b005600f13058692724ad62936bc11cb44df7c29
Instruction Fuzzy Hash: AB41A234A11239BBCF00DF69C880ADE7BB5AF45318F249295E8189B791D731EA15CFE1

Function 6CF04590 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 6CF0460B
CreateDIBSection.GDI32(?,00000028,00000000,?,00000000,00000000), ref: 6CF04667
DeleteObject.GDI32(?), ref: 6CF0467C
SelectObject.GDI32(?,00000000), ref: 6CF04687
DeleteDC.GDI32(?), ref: 6CF046B8

Strings

(, xrefs: 6CF04627

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: CreateDeleteObject$CompatibleSectionSelect
String ID: (
API String ID: 2986811175-3887548279
Opcode ID: ea4ef5d8576279e69ffdc4b0b7905f781d46ae8525b476e2b294910b87f3c8ef
Instruction ID: e1e300efb0d0cb0973935bb33b235a9e23b009209381f7cca1f5a3037e7375ca
Opcode Fuzzy Hash: ea4ef5d8576279e69ffdc4b0b7905f781d46ae8525b476e2b294910b87f3c8ef
Instruction Fuzzy Hash: BA416F71F01745ABDB10CFAAD9907AAFBF8EF98714F10852EE859D3740DBB098448B50

Function 6CF32B20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,00000001,?), ref: 6CF32B52
CallWindowProcW.USER32(?,?,?,?), ref: 6CF32B84

Strings

{343BF546-3975-41C8-94EB-47E67E2B3670}, xrefs: 6CF32C0B

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: CallProcWindow
String ID: {343BF546-3975-41C8-94EB-47E67E2B3670}
API String ID: 2714655100-1567992397
Opcode ID: e03cff29c558ad035531763fb389c5b6ec281ed569bfcd5dd5f5ba89ea9da78c
Instruction ID: 487264757d9fc6533bf75e9f88351f34f036f0c5a2ad7a09294c0a2a71b83f4c
Opcode Fuzzy Hash: e03cff29c558ad035531763fb389c5b6ec281ed569bfcd5dd5f5ba89ea9da78c
Instruction Fuzzy Hash: D6313772A14311BFDB009F15DC49FAB7BB8FB85725F104529F99892252D3B28814CBE2

Function 6CF52657 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,6CF52766,?,00000002,00000000,00000002,?,?,6CF5293C,00000022,FlsSetValue,6CF62C70,log,00000002), ref: 6CF52718

Strings

ext-ms-, xrefs: 6CF526C2
api-ms-, xrefs: 6CF526AE

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: f87814ca9274d0252d0b01726ca0198dea59c52bbe479ef63f2333a0b0e80cf2
Instruction ID: 18c78e213c9541ff473ec8a33a9b79e589e735aef2fd95eb31d3f545315e12c2
Opcode Fuzzy Hash: f87814ca9274d0252d0b01726ca0198dea59c52bbe479ef63f2333a0b0e80cf2
Instruction Fuzzy Hash: 1C212B71A12111ABCB119B26DC48B5A3778EF13364F760310EA21A76C1D772EE11CAD0

Function 6CF2F960 Relevance: 9.3, APIs: 6, Instructions: 317COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(000003A8,00000000,?,00000001,00000000,00000000), ref: 6CF2FAE8
MultiByteToWideChar.KERNEL32(000003A8,00000000,?,00000001,?,?), ref: 6CF2FB2B
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000123), ref: 6CF2FB51
DeleteObject.GDI32(?), ref: 6CF2FB92
GetObjectA.GDI32(00000000,0000003C,?), ref: 6CF2FBBF
CreateFontIndirectA.GDI32(?), ref: 6CF2FBFF

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: ByteCharMultiObjectWide$CreateDeleteFontIndirectWindow
String ID:
API String ID: 74276570-0
Opcode ID: 132621e62d94373df1419676e7c17c91d5808298efb9dc249856d9dfbcc545c7
Instruction ID: b4e5b2a54424901d809a1b585979ddca9613a2436a45e9adf1b927c630264949
Opcode Fuzzy Hash: 132621e62d94373df1419676e7c17c91d5808298efb9dc249856d9dfbcc545c7
Instruction Fuzzy Hash: D9D17B71A10216DFDB44CFA9C850B9ABBF4FF49304F24866AD819ABB41D734E942CF90

Function 6CF28890 Relevance: 9.3, APIs: 6, Instructions: 303windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000406,00000000,00000000), ref: 6CF2899A
SendMessageW.USER32(?,00000406,?,00000000), ref: 6CF28A0E
SendMessageW.USER32(00000001,0000040C,00000000,00000000), ref: 6CF28A9F
SendMessageW.USER32(00000001,0000040D,00000000,00000000), ref: 6CF28AE2
SendMessageW.USER32(00000001,00000413,?,?), ref: 6CF28B0B
SendMessageW.USER32(00000001,00000414,00000000,00000000), ref: 6CF28B2B

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 58e2e3ea2c196915dd3e5c93425463deeb18f7ce58dc72613dcb610cb404750f
Instruction ID: ca6d589a0d77f047e299581e982491041d290c902f087796cba44dfddbeeff17
Opcode Fuzzy Hash: 58e2e3ea2c196915dd3e5c93425463deeb18f7ce58dc72613dcb610cb404750f
Instruction Fuzzy Hash: 11C16EB1A01314DFEB24CF54CC88B9AB7F5AF48714F1484AAD919AB742D734AE84CF94

Function 6CF4F158 Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f40e75dde812befd9b494e9df62f3e838238595a1457addad3091ce647f5963
Instruction ID: be2c7233b3534672796966aa2714d9f6e7673d7218cab57c25987f7291bbfa3e
Opcode Fuzzy Hash: 1f40e75dde812befd9b494e9df62f3e838238595a1457addad3091ce647f5963
Instruction Fuzzy Hash: 9FB1F370E042499FDF41CFA8C840BAEBFB1AF46318F24C259E518A7793CB709946CB65

Function 6CF45F6B Relevance: 9.3, APIs: 6, Instructions: 265COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 6CF460F3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CF4610F
__allrem.LIBCMT ref: 6CF46126
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CF46144
__allrem.LIBCMT ref: 6CF4615B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CF46179

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 96ab71c3f5674ea0749dea53640d810d48411caa529c90d255a108a20ac8ea02
Instruction ID: 8342515102fb7e103be422fd6bd5c8e972def0568e970e56e12ff6b1d36b67c8
Opcode Fuzzy Hash: 96ab71c3f5674ea0749dea53640d810d48411caa529c90d255a108a20ac8ea02
Instruction Fuzzy Hash: 2D810772600B029BE7109F69CC40B9BBBF9AF84768F24C62AF511D7BC2E770D5098B51

Function 6CF28350 Relevance: 9.2, APIs: 6, Instructions: 194windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000040F,00000000,00000000), ref: 6CF283B1
DestroyIcon.USER32(?,-00000014,0000000C,6CF2430D), ref: 6CF283CE
ImageList_GetImageCount.COMCTL32(?,00000000,6CF2430D,-00000014,0000000C,6CF2430D,?,?,?,6CF2430D), ref: 6CF28433
ImageList_GetIcon.COMCTL32(?,00000000,00000001,?,?,?,6CF2430D), ref: 6CF284AC
SendMessageW.USER32(?,0000040F,00000000,?), ref: 6CF284E3
ImageList_Destroy.COMCTL32(?,-00000014,0000000C,6CF2430D,?,?,?,6CF2430D), ref: 6CF28563

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Image$List_$DestroyIconMessageSend$Count
String ID:
API String ID: 2572164146-0
Opcode ID: 29e062a9d433a525552de141a239d1805fd91429deb92b2ee0ed7a07c35a4999
Instruction ID: 06c8e9082b5fb82c0a21973c120ee0a0830de9202222eb60d387418f02569436
Opcode Fuzzy Hash: 29e062a9d433a525552de141a239d1805fd91429deb92b2ee0ed7a07c35a4999
Instruction Fuzzy Hash: B9713872A01105DFDB14CF98C984B9ABBB5FF48314F2981AAE819AB741D770FD50CBA4

Function 6CF25980 Relevance: 9.1, APIs: 6, Instructions: 133windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000406,00000000,00000000), ref: 6CF259CE
SendMessageW.USER32(?,00000406,00000000,?), ref: 6CF25A24
SendMessageW.USER32(?,00000404,00000001,?), ref: 6CF25A6D
SendMessageW.USER32(?,0000040B,?,?), ref: 6CF25A95
SendMessageW.USER32(?,00000411,00000000,?), ref: 6CF25AB0
SendMessageW.USER32(?,0000040F,00000000,?), ref: 6CF25ACB

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8664c6d72f6d1728dcc2cda895eaaf70ed457d4c9fc356d804a406a4c6d66421
Instruction ID: 29ef86cf1d92d2f203e7476bb00c760a03544c45274984c048c6d1c7ee653d9c
Opcode Fuzzy Hash: 8664c6d72f6d1728dcc2cda895eaaf70ed457d4c9fc356d804a406a4c6d66421
Instruction Fuzzy Hash: 3C4184B17012196BDB18CFA9CC81FAAB3A8BF44714F104569A719E7680E774E941CF64

Function 6CF220D0 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 362windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,0000101F,00000000,00000000), ref: 6CF22128
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 6CF22134
SendMessageW.USER32(00000000,0000105F,00000000,00000017), ref: 6CF222D6
SendMessageW.USER32(?,0000120B,?,00000004), ref: 6CF2235C

Strings

H, xrefs: 6CF225CF

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend
String ID: H
API String ID: 3850602802-2852464175
Opcode ID: bbf591f6ff1fa3b4738c09744c935f6ca0459b59af6758410084c35b1eb7df5a
Instruction ID: 9464c2fcac4edb71b4db92820e4557e59894ccbe178f117119914c2d75214447
Opcode Fuzzy Hash: bbf591f6ff1fa3b4738c09744c935f6ca0459b59af6758410084c35b1eb7df5a
Instruction Fuzzy Hash: 1DE18F719003289FDB24CF54CC88BDAB7B5AF09314F1441DAEA5DAB282D7359A89DF90

Function 6CF04A60 Relevance: 9.1, APIs: 6, Instructions: 89COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 6CF04ABD
SelectObject.GDI32(?,?), ref: 6CF04AD4
SetBkMode.GDI32(?,00000001), ref: 6CF04AE0
DrawTextW.USER32(?,00000000,00000000,00000005,00000024), ref: 6CF04B38
SetBkMode.GDI32(?,?), ref: 6CF04B42
SelectObject.GDI32(?,?), ref: 6CF04B4C

Part of subcall function 6CF046E0: SystemParametersInfoW.USER32(0000001F,0000005C,?,00000000), ref: 6CF04710
Part of subcall function 6CF046E0: CreateFontIndirectW.GDI32(?), ref: 6CF04758

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: ModeObjectSelect$CreateDrawFontHandleIndirectInfoModuleParametersSystemText
String ID:
API String ID: 3232084009-0
Opcode ID: 6038acd01fbd4cc50590237a5a96a59be566d643175b61a47f7b142585a83301
Instruction ID: 8e93de5ca70a8317d639d3867dff5fcca1c13109a8438b505f5da0bf853e6b97
Opcode Fuzzy Hash: 6038acd01fbd4cc50590237a5a96a59be566d643175b61a47f7b142585a83301
Instruction Fuzzy Hash: 8331C171F11604ABDF41DFA9C889BBEBBB4FB1AB04F00421DE965A7240E770A940DB95

Function 6CF211D0 Relevance: 9.1, APIs: 6, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 6CF21214
SetWindowLongW.USER32(?,000000EC,00000000), ref: 6CF21232
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,000000EC), ref: 6CF21241
GetWindowLongW.USER32(?,000000F0), ref: 6CF2124A
SetWindowLongW.USER32(?,000000F0,00000000), ref: 6CF21263
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,000000F0,?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 6CF21272

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: da81f1a4fa80fc276af91eafcddde7527599047cf32fec37204a766327394c8e
Instruction ID: 28f4cc903c17e7e1396fe83e2596bf4bb6c1d603637a29a1ce5f6d80ba661390
Opcode Fuzzy Hash: da81f1a4fa80fc276af91eafcddde7527599047cf32fec37204a766327394c8e
Instruction Fuzzy Hash: 6F01C431A98124A7EB5446A58C49F7E3978DB43B70F30436AF525F32C09AFD9C4086A9

Function 6CF3D6D9 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6CF3D422,6CF3BA45,6CF3BEDF,?,6CF3C117,?,00000001,?,?,00000001,?,6CF8E7C8,0000000C,6CF3C210), ref: 6CF3D6E7
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CF3D6F5
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CF3D70E
SetLastError.KERNEL32(00000000,6CF3C117,?,00000001,?,?,00000001,?,6CF8E7C8,0000000C,6CF3C210,?,00000001,?), ref: 6CF3D760

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 60859eb330f09b6ec762156ed60379dc6bfaa6040434a233703337e4411a3e98
Instruction ID: 580a7b697197ef3e057f28f5830b26930b3a7ea7738926fa32cf4e0023380b4d
Opcode Fuzzy Hash: 60859eb330f09b6ec762156ed60379dc6bfaa6040434a233703337e4411a3e98
Instruction Fuzzy Hash: 1A01B933E2D3717E9A401A755C887963A78DF0737C7205339E92851AE0EF914815A6C0

Function 6CEFAAE0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 166COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 6CEFAC9D

Strings

gfff, xrefs: 6CEFAC35
gfff, xrefs: 6CEFAB3F
gfff, xrefs: 6CEFAAEE
gfff, xrefs: 6CEFAB14

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: gfff$gfff$gfff$gfff
API String ID: 118556049-2178600047
Opcode ID: b77231f33a7725cb6cc8dbd22c8614a6a61cd3c5fe2c0b0f328753b5595e7080
Instruction ID: c36ac0af09705bc6dd6c6d6eeb5d5dfd6b2a89ffac632e093a8b6f4cd5257537
Opcode Fuzzy Hash: b77231f33a7725cb6cc8dbd22c8614a6a61cd3c5fe2c0b0f328753b5595e7080
Instruction Fuzzy Hash: 7C512471F005189FDB08DF3DECA0AAD77B9EB49304B14422DE816DF750E731AA198792

Function 6CF130F0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 148windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 6CF1312E
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 6CF1313A
SendMessageW.USER32(?,0000120B,?,00000004), ref: 6CF131AD
InvalidateRect.USER32(?,00000000,00000000,?,00000004,?,00000004), ref: 6CF132AE

Strings

, xrefs: 6CF1317B

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend$InvalidateRect
String ID:
API String ID: 2778011698-3916222277
Opcode ID: 2af1989454b762310d686eab61b76abd75228a493fb4fd9195042b257136f5a5
Instruction ID: a573f022ee91e4e3f6a6433b49f26537adf264759554f7b331b8bfccda0defca
Opcode Fuzzy Hash: 2af1989454b762310d686eab61b76abd75228a493fb4fd9195042b257136f5a5
Instruction Fuzzy Hash: 085180B2B047416FE740CA39CC82B86B7D5AFC8360F048B24FAA8D76D5D774D8058B85

Function 6CF0E0C0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001032,00000000,00000000), ref: 6CF0E143
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 6CF0E1B1
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 6CF0E1C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 6CF0E1E3

Strings

M, xrefs: 6CF0E0F5, 6CF0E145

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend
String ID: M
API String ID: 3850602802-519822722
Opcode ID: e38d481d9e70ca8e8b03f53b5c95d964fcede74764289d9bb5d76fef13d6ac9a
Instruction ID: 9be8448ea5323370d699410b82b1b7c66355054887b310323735b340b3efece7
Opcode Fuzzy Hash: e38d481d9e70ca8e8b03f53b5c95d964fcede74764289d9bb5d76fef13d6ac9a
Instruction Fuzzy Hash: 7D418F71B01218EFEB10CF59CC85BADB7B8FB48704F1140AAE958EB291C6B1E8008B90

Function 6CF551D1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe, xrefs: 6CF551ED

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\YY#U6302#U53f7#U534f#U8bae.exe
API String ID: 0-3809112584
Opcode ID: 86d956adaa097d7785f60434f51760408817f1574b534c0e742b4b7ae3550645
Instruction ID: 42329775b680da79f2c115335543b6bd0eefe3fc77b63c4e3bf388a8976b4dc3
Opcode Fuzzy Hash: 86d956adaa097d7785f60434f51760408817f1574b534c0e742b4b7ae3550645
Instruction Fuzzy Hash: 7621A532604209AFDB109FA6CC40D9B7BBDEF6236C7558A14FA25DBE41D730EC608B90

Function 6CF1A4E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetPropW.USER32(?,{805DC748-25DE-44F1-A512-3CC72AAC9D49}), ref: 6CF1A4FF
DefWindowProcW.USER32(?,?,?,?), ref: 6CF1A513
SetPropW.USER32(?,{805DC748-25DE-44F1-A512-3CC72AAC9D49},?), ref: 6CF1A52D
GetPropW.USER32(?,{805DC748-25DE-44F1-A512-3CC72AAC9D49}), ref: 6CF1A53B

Strings

{805DC748-25DE-44F1-A512-3CC72AAC9D49}, xrefs: 6CF1A4F9, 6CF1A527, 6CF1A535

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Prop$ProcWindow
String ID: {805DC748-25DE-44F1-A512-3CC72AAC9D49}
API String ID: 2157524683-3310409241
Opcode ID: c7ac1fd84f1dd0ade7127daf0cacfa0a8d272a9bc647f1c3b2b9b7d39a47e77d
Instruction ID: 323b261897b06f2028796334e8613e21826bc917f392fbbc8443d7b40c89058e
Opcode Fuzzy Hash: c7ac1fd84f1dd0ade7127daf0cacfa0a8d272a9bc647f1c3b2b9b7d39a47e77d
Instruction Fuzzy Hash: DC010837609214AFCB018E59EC88EAB7BB8EF46764B10450AFC15E3600C771EC1496A0

Function 6CF44888 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,D1DC5EAD,?,?,00000000,6CF5F6D6,000000FF,?,6CF44822,6CF44939,?,6CF447F6,00000000), ref: 6CF448BD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CF448CF
FreeLibrary.KERNEL32(00000000,?,?,00000000,6CF5F6D6,000000FF,?,6CF44822,6CF44939,?,6CF447F6,00000000), ref: 6CF448F1

Strings

CorExitProcess, xrefs: 6CF448C7
mscoree.dll, xrefs: 6CF448B6

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9e8696ced400a788b5cb64d2707136fe4490e53f51d1cb7e492097d982de6257
Instruction ID: 6e32ad92cb09ffd0c683edf6595483068d59a99a106f86b0f0b3dbf3d7148691
Opcode Fuzzy Hash: 9e8696ced400a788b5cb64d2707136fe4490e53f51d1cb7e492097d982de6257
Instruction Fuzzy Hash: 73016231A10699ABDF018F51CC05BBEBBB8FB05715F214626F822E2A90DB759900CB54

Function 6CEF91A0 Relevance: 7.6, APIs: 5, Instructions: 137COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?,?), ref: 6CEF91D4
GetAncestor.USER32(?,00000003,?), ref: 6CEF91FD
GetWindow.USER32(00000000,00000005), ref: 6CEF920E
GetWindow.USER32(00000000,00000002), ref: 6CEF922A

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Window$AncestorProc
String ID:
API String ID: 2339909887-0
Opcode ID: 3e69d81f5950ba15e14f7b61c82b367d3b0ab72daa470def9c58fbf74331a86b
Instruction ID: f0a131f0c3f2a37c26d5d458ce749a64e99bcff4239b4e723945db2552d98f39
Opcode Fuzzy Hash: 3e69d81f5950ba15e14f7b61c82b367d3b0ab72daa470def9c58fbf74331a86b
Instruction Fuzzy Hash: 12410832E00118AFDB01DF69E844FAEB7F5EF85328F2485A9E86597751C7319D05CB90

Function 6CF2A320 Relevance: 7.6, APIs: 5, Instructions: 136windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 6CF2A41F
GetSysColor.USER32(00000004), ref: 6CF2A46B
CreateSolidBrush.GDI32(?), ref: 6CF2A472
FillRect.USER32(?,?,00000000), ref: 6CF2A480
SetTextColor.GDI32(?,00FFFF00), ref: 6CF2A48E

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Color$BrushCreateFillMessageRectSendSolidText
String ID:
API String ID: 2769008296-0
Opcode ID: f402235299891cf8d0341a909ceb54e752a973267037b52c7cecd7bf7f31ded2
Instruction ID: 22926874dc2d4cf9f44c65782471e86e070fb665c23620bb33aae732ee3c772f
Opcode Fuzzy Hash: f402235299891cf8d0341a909ceb54e752a973267037b52c7cecd7bf7f31ded2
Instruction Fuzzy Hash: 4941E8323005049FC7148FA9D855FAAB7E8FF45220F20866BF566CBAE1D775E814D7A0

Function 6CF15C40 Relevance: 7.6, APIs: 5, Instructions: 76windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101C,?,00000000), ref: 6CF15C8F
SendMessageW.USER32(?,0000102F,00000000,00000003), ref: 6CF15CBE
CallWindowProcW.USER32(?,?,00000115,00000008,00000000), ref: 6CF15CDF
SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 6CF15D08
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 6CF15D14

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend$CallProcWindow
String ID:
API String ID: 562906466-0
Opcode ID: f42d4b05e25469e85d3c92539861c8f2e464ed9f5bac3bf1d9f61007ae477fe0
Instruction ID: b70b62dfbc1878615949aa933c929d8d4c95128f3810895dc0f0d67c22f59fee
Opcode Fuzzy Hash: f42d4b05e25469e85d3c92539861c8f2e464ed9f5bac3bf1d9f61007ae477fe0
Instruction Fuzzy Hash: 2331C634345600AFE364CF19CD89F9277E1AF49B14F1585A8F65A9F7A1C7B1B844CB04

Function 6CF1FFF0 Relevance: 7.6, APIs: 5, Instructions: 66windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 6CF20018
SetWindowLongW.USER32(?,000000F0,00000000), ref: 6CF20039
SendMessageA.USER32(?,00000047,00000000,?), ref: 6CF20067
SetWindowLongW.USER32(?,000000F0,00000000), ref: 6CF2007E
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000127), ref: 6CF20096

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Window$Long$MessageSend
String ID:
API String ID: 1593136606-0
Opcode ID: ce9c9adc6b196998988c337633ce599aed782f4c946cee7a017163a053464cc4
Instruction ID: fd29b7a84c88305c28c7dd924458d27132787d66fbba01073b290066fbe14792
Opcode Fuzzy Hash: ce9c9adc6b196998988c337633ce599aed782f4c946cee7a017163a053464cc4
Instruction Fuzzy Hash: 8B116035B14255ABDB44CFA9CC48FAAF7B8FF49715F204319B518A7280DBB8A8448758

Function 6CF3BD94 Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6CF9D840,0000000B,?,6CEFAD20,6CF9E7B0), ref: 6CF3BD9E
LeaveCriticalSection.KERNEL32(6CF9D840,?,6CEFAD20,6CF9E7B0), ref: 6CF3BDD1
RtlWakeAllConditionVariable.NTDLL ref: 6CF3BE48
SetEvent.KERNEL32(?,6CF9E7B0), ref: 6CF3BE52
ResetEvent.KERNEL32(?,6CF9E7B0), ref: 6CF3BE5E

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
String ID:
API String ID: 3916383385-0
Opcode ID: 7af57d453b94a9ceabdddfaf86639eff7db0d8457730707f91e8a954a22112f5
Instruction ID: 9a4cc1aa408a6bb32288ac2ac559f7db89f32a59fe629fb61c539ec99a0e346d
Opcode Fuzzy Hash: 7af57d453b94a9ceabdddfaf86639eff7db0d8457730707f91e8a954a22112f5
Instruction Fuzzy Hash: BF011D31F21560EBCF86AF19E548BA57BB5EB4B3127254069F90693355C7729C01CF88

Function 6CF3B3E0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 347windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CF390E0: SendMessageW.USER32(00000000,00001105,00000000,00000000), ref: 6CF3910A

SendMessageW.USER32(00000000,0000110A,00000003,?), ref: 6CF3B4CC
SendMessageW.USER32(00000000,0000110A,00000003,00000000), ref: 6CF3B4E3
SendMessageW.USER32(00000000,0000113E,00000000,0000002E), ref: 6CF3B52A

Strings

., xrefs: 6CF3B509

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend
String ID: .
API String ID: 3850602802-248832578
Opcode ID: 17cc3a5cf70309a6e91b83044daa2b5f87a2beda82ba89f92472d4f8acb6315d
Instruction ID: 3e129799ff7e0be75243f000982245b2d8bada4e398f91814b0a91bff07f4aac
Opcode Fuzzy Hash: 17cc3a5cf70309a6e91b83044daa2b5f87a2beda82ba89f92472d4f8acb6315d
Instruction Fuzzy Hash: 51E13CB5E00259DFDF04CFE4C895BEEBBB5AF48314F204129EA15AB780D774A949CB90

Function 6CF39550 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 331windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000001,0000110A,00000003,?), ref: 6CF3968D
SendMessageW.USER32(00000001,0000110A,00000003,00000000), ref: 6CF396AC
CallWindowProcW.USER32(?,00000001,0000113E,00000000,0000002E), ref: 6CF396E0

Strings

., xrefs: 6CF396B9

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend$CallProcWindow
String ID: .
API String ID: 562906466-248832578
Opcode ID: 4265a348ad2a0911daa3bcd6ac18e7b793512a48e30b74c530f63654e27eaa24
Instruction ID: 10c7426d270e9d9b8831a5678673c78eb652131eb70a9c71b9e022433a2b72fc
Opcode Fuzzy Hash: 4265a348ad2a0911daa3bcd6ac18e7b793512a48e30b74c530f63654e27eaa24
Instruction Fuzzy Hash: ADD13DB1E01259DFDF04CFA4C885BEEBBB5BF08314F204159EA15AB780DB75AA45CB90

Function 6CF1DB70 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 306windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,0000101F,00000000,00000000), ref: 6CF1DC5C
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 6CF1DC68
SendMessageW.USER32(00000002,0000105F,00000000,0000001F), ref: 6CF1DD07

Strings

H, xrefs: 6CF1DEAD

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend
String ID: H
API String ID: 3850602802-2852464175
Opcode ID: a933dd7d2ea3f6bfa0c5d9415abbeb13362c3b2dca9b596b830b2359d84b29a5
Instruction ID: 708031512704879e5e6431203727c7c5576fba8cf6c45718332b3b4ba8565fc3
Opcode Fuzzy Hash: a933dd7d2ea3f6bfa0c5d9415abbeb13362c3b2dca9b596b830b2359d84b29a5
Instruction Fuzzy Hash: DAC1BFB1E043089FDB05CFA4C885BDEBBB5FF48318F204529E525ABB91D774A849CB94

Function 6CF02E30 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 189COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 6CF02E72
___from_strstr_to_strchr.LIBCMT ref: 6CF02F81

Strings

.ifaT(KB5Ge]NP/toJ{!|^Q1IyuDgZ,-7kd;VCrL2m_?+USz)R`q@M#[l%'c0vFwY9Hh\Ex>&}8jsA"4n6$b3=*W<OX~p, xrefs: 6CF02E6D, 6CF02E81, 6CF02EA8, 6CF02F7C, 6CF02F99
VUUU, xrefs: 6CF02E88

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: .ifaT(KB5Ge]NP/toJ{!|^Q1IyuDgZ,-7kd;VCrL2m_?+USz)R`q@M#[l%'c0vFwY9Hh\Ex>&}8jsA"4n6$b3=*W<OX~p$VUUU
API String ID: 601868998-43962714
Opcode ID: fd86ec4483a3617c86b0b0b656817e4cec4826b89d7c6befd71fb298cb713460
Instruction ID: e9cbb9f2e37d6973d92e3834f89e4b851e19f9b287785bc782c276726798bd86
Opcode Fuzzy Hash: fd86ec4483a3617c86b0b0b656817e4cec4826b89d7c6befd71fb298cb713460
Instruction Fuzzy Hash: CA61A0B2E052199FCB04CF68C8506EEFBF5EF49314F14826AD815AB781E735A945CBA0

Function 6CF2EE90 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 177windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000418,00000000,00000000), ref: 6CF2EF8A
SendMessageW.USER32(?,0000043F,00000000,00000020), ref: 6CF2F013

Strings

, xrefs: 6CF2EFE4
/, xrefs: 6CF2EFEC

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend
String ID: $/
API String ID: 3850602802-2637513485
Opcode ID: 95cbbdeae14f1d39680e21986d3629d4c0810e799ea704807bcd0bf1765d318c
Instruction ID: 98b92aa149a72262bc05dc10026af2bdc1fc2608c6c3ff26b0c563ff45b1d11c
Opcode Fuzzy Hash: 95cbbdeae14f1d39680e21986d3629d4c0810e799ea704807bcd0bf1765d318c
Instruction Fuzzy Hash: EB7122706183519FD710CF68C884B5AFBF4AF89718F10891EFA989B780D7B5E844CB96

Function 6CEFE4E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll,00000000,?,?,?,?,?), ref: 6CEFE4FE
GetProcAddress.KERNEL32(00000000,MessageBoxTimeoutA), ref: 6CEFE515

Strings

user32.dll, xrefs: 6CEFE4F3
MessageBoxTimeoutA, xrefs: 6CEFE50F

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: MessageBoxTimeoutA$user32.dll
API String ID: 1646373207-3979136001
Opcode ID: cb5277bf6647ba344fb4a104aa9f69e2375f68ada767af09a9f7f562a8acf86e
Instruction ID: 365fa8496430bd12e1b165a8c97f6d957e9f71a9d3b75f00c6107e8110b25049
Opcode Fuzzy Hash: cb5277bf6647ba344fb4a104aa9f69e2375f68ada767af09a9f7f562a8acf86e
Instruction Fuzzy Hash: 5831E372A01116ABDF119E648C41FEF3AB9EF49318F204269FE25D7290FB71DA158BD0

Function 6CEF8640 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll), ref: 6CEF865E
GetProcAddress.KERNEL32(00000000,MessageBoxTimeoutW), ref: 6CEF8675

Strings

user32.dll, xrefs: 6CEF8653
MessageBoxTimeoutW, xrefs: 6CEF866F

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: MessageBoxTimeoutW$user32.dll
API String ID: 1646373207-235504669
Opcode ID: 7aaebec4179b0f3784a4981b67bf686312aed23e419bf653b4b9fd30f64812b9
Instruction ID: 24497a4a329af55b90a8b3e9ae1cd9b8656aa205ea85a0c84dee88d0bc2c8514
Opcode Fuzzy Hash: 7aaebec4179b0f3784a4981b67bf686312aed23e419bf653b4b9fd30f64812b9
Instruction Fuzzy Hash: B53105B1A01115ABDF119EA58C41FEF3BB9EF45218F204269FE25DB380EB71C9158B94

Function 6CF10790 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 6CF1081F
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 6CF1082B
SendMessageW.USER32(?,0000103B,00000000,00000008), ref: 6CF10880

Strings

M, xrefs: 6CF107B9, 6CF1082D

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend
String ID: M
API String ID: 3850602802-519822722
Opcode ID: d56dbf5864f995e13cc160e37de110c2508d72f4b8957b47ce62248aa31bde76
Instruction ID: 8ee722d56e1d03f63f50ba86265d5e5c60868f6812c857b5f3f5a9cc50ffa2ac
Opcode Fuzzy Hash: d56dbf5864f995e13cc160e37de110c2508d72f4b8957b47ce62248aa31bde76
Instruction Fuzzy Hash: 8331BF75B05244ABEB14CF49CC80F9A7BF9FB88714F108569E918DBB40DBB0F8108BA1

Function 6CEF9000 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000104), ref: 6CEF906E
SetWindowLongW.USER32(?,000000FC,6CEF91A0), ref: 6CEF90AB

Strings

Jy_iext1_04, xrefs: 6CEF9078
syslistview32, xrefs: 6CEF908E

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: ClassLongNameWindow
String ID: Jy_iext1_04$syslistview32
API String ID: 1147815241-704972977
Opcode ID: fa02770f2f03a1f59f1e61d756ee75af14ca95fab5c5c24d0d25fab1cc6a55b4
Instruction ID: 25e895450ed87224407c30698e3aa4e659a6c380e4fdbfea26034e61ff7ec6f6
Opcode Fuzzy Hash: fa02770f2f03a1f59f1e61d756ee75af14ca95fab5c5c24d0d25fab1cc6a55b4
Instruction Fuzzy Hash: E121D4B19043556FCB10DF64EC45A9B77F8AB45318F10492AF8A8C7681EB31E90DCBD2

Function 6CF32C60 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61timewindowCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,?), ref: 6CF32C7F
SendMessageW.USER32 ref: 6CF32CDF
RemovePropW.USER32(?,{343BF546-3975-41C8-94EB-47E67E2B3670}), ref: 6CF32D06

Strings

{343BF546-3975-41C8-94EB-47E67E2B3670}, xrefs: 6CF32CFE

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: KillMessagePropRemoveSendTimer
String ID: {343BF546-3975-41C8-94EB-47E67E2B3670}
API String ID: 725981643-1567992397
Opcode ID: 875bfa9ff15eb0fb4c9ac5bd2907a6ce6a29abd6be9b381cbc3b998af764ebe1
Instruction ID: b78a1103780dfaf10815afbd8aa65805903326bf36a3b125b0efa5b1916da168
Opcode Fuzzy Hash: 875bfa9ff15eb0fb4c9ac5bd2907a6ce6a29abd6be9b381cbc3b998af764ebe1
Instruction Fuzzy Hash: 3D218E72A04714AFC750DF15C884A9AB7F4FF89310F105A19F9A8A7640D770F944CBD6

Function 6CF3E7F2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6CF3E7A3,00000000,?,00000001,?,?,?,6CF3E892,00000001,FlsFree,6CF60FBC,FlsFree), ref: 6CF3E7FF
GetLastError.KERNEL32(?,6CF3E7A3,00000000,?,00000001,?,?,?,6CF3E892,00000001,FlsFree,6CF60FBC,FlsFree,00000000,?,6CF3D7AE), ref: 6CF3E809
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6CF3E831

Strings

api-ms-, xrefs: 6CF3E816

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 185109fc1af07690dde8a065c9fd68fddd89d008b110735f8db84d051a93bd80
Instruction ID: 051afc384057cc1a241165f9905cace58fddcdfaf5d46f1fca0ac658bb9e1198
Opcode Fuzzy Hash: 185109fc1af07690dde8a065c9fd68fddd89d008b110735f8db84d051a93bd80
Instruction Fuzzy Hash: E3E01A34A84254BBEF401E62DC45B583A749F11B55F384420FD0EA89D5E7E2D85195C8

Function 6CF4F6E7 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(D1DC5EAD,00000000,00000000,?), ref: 6CF4F74A

Part of subcall function 6CF52D30: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CF5A43F,?,00000000,-00000008), ref: 6CF52D91

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6CF4F99C
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CF4F9E2
GetLastError.KERNEL32 ref: 6CF4FA85

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 4f098d09d307bc8a89654e9c3ac688cc67c794cdd56a7bf14cead53b230b3de4
Instruction ID: a1eb2a7f70f97d130ee6d6e094f81104e99169f06ab2f553eb333c63700eaf75
Opcode Fuzzy Hash: 4f098d09d307bc8a89654e9c3ac688cc67c794cdd56a7bf14cead53b230b3de4
Instruction Fuzzy Hash: 4DD17A75E04248AFCF45CFA8C880ADDBFB4EF09314F24856AE529EB752D730A946CB50

Function 6CF1BF60 Relevance: 6.3, APIs: 4, Instructions: 270windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 6CF1BF96
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 6CF1BFA2
SendMessageW.USER32(?,0000103B,00000000,?), ref: 6CF1C029
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 6CF1C12D

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1f35d2ead5413a04dc2869c0e3c8bd31d531076edcb9cf53d0796ae1cceb9049
Instruction ID: 7a7436641c093548d6adffebf694490b919ce7c1079c351a10cca8d6147b3af1
Opcode Fuzzy Hash: 1f35d2ead5413a04dc2869c0e3c8bd31d531076edcb9cf53d0796ae1cceb9049
Instruction Fuzzy Hash: 4DA10631E186059FDB11DF7CC880A99F7B5FF86344F25836AE544FBA51E731A9828B40

Function 6CF1E4A0 Relevance: 6.2, APIs: 4, Instructions: 195COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 6CF1E538
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,?), ref: 6CF1E571
WideCharToMultiByte.KERNEL32(000003A8,00000000,6CF7428C,6CF7428A,00000000,00000000,00000000,00000000), ref: 6CF1E5B8
WideCharToMultiByte.KERNEL32(000003A8,00000000,6CF7428C,6CF7428A,00000000,?,00000000,00000000), ref: 6CF1E5F1

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 024f4dfadaa687613ce5c51c331219e1fb1c3e65b162619c9a8aa049649f87ae
Instruction ID: 025e49cfca5643f440e4ee57163484f6c04a3a797771a0a2d983391dffabf9dc
Opcode Fuzzy Hash: 024f4dfadaa687613ce5c51c331219e1fb1c3e65b162619c9a8aa049649f87ae
Instruction Fuzzy Hash: B4519F36F083017BD7304E6A5C8CFAABB35DB4632CF6802A9ED5997E81D7629D0587D0

Function 6CF12A30 Relevance: 6.2, APIs: 4, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000100E,?,00000000), ref: 6CF12B7F
InvalidateRect.USER32(?,00000000,00000000), ref: 6CF12B9D
InvalidateRect.USER32(?,00000000,00000000), ref: 6CF12BAB
SendMessageW.USER32(?,00001074,?,?), ref: 6CF12C1A

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID:
API String ID: 909852535-0
Opcode ID: 39e9e996da95d093bdfa0abfb47a75e4a5e45425198568cd83bedee90dbf03f2
Instruction ID: dcdda2de9ff46302d468d3a95d5234b7f8c7b50340ab29956138ee5e9a18199b
Opcode Fuzzy Hash: 39e9e996da95d093bdfa0abfb47a75e4a5e45425198568cd83bedee90dbf03f2
Instruction Fuzzy Hash: A7719D71A056098FCB14CF98C988B9EB7B4FF05314F214668D825ABB90D731AE05CF90

Function 6CF200B0 Relevance: 6.2, APIs: 4, Instructions: 176windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001003,00000000,00000000), ref: 6CF2026A
SendMessageW.USER32(?,00001003,00000002,00000000), ref: 6CF202D8
SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 6CF202EC
SendMessageW.USER32(?,00001208,00000000,?), ref: 6CF20325

Part of subcall function 6CF3BDDE: EnterCriticalSection.KERNEL32(6CF9D840,00000503,0000000B,?,6CEFACFF,6CF9E7B0,00000000,00000000,?,6CF04074), ref: 6CF3BDE9
Part of subcall function 6CF3BDDE: LeaveCriticalSection.KERNEL32(6CF9D840,?,6CEFACFF,6CF9E7B0,00000000,00000000,?,6CF04074), ref: 6CF3BE26

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend$CriticalSection$EnterLeave
String ID:
API String ID: 4009585992-0
Opcode ID: a52c3b1b4db5ab77f732bd0e4bacdacca297ed96e99b99e52d360df6e6a0b76a
Instruction ID: 1d9168c2a1cece9f9d528439ac8f120b3ebe97ac142bc4a77cf765cb16c12582
Opcode Fuzzy Hash: a52c3b1b4db5ab77f732bd0e4bacdacca297ed96e99b99e52d360df6e6a0b76a
Instruction Fuzzy Hash: 8561DF71B11641EFEB44CF64CC54B95B7B1FB09304F208629E4289BBD0DBB9A854CBD2

Function 6CF3D7B9 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6CF3D880
___AdjustPointer.LIBCMT ref: 6CF3D8A3
___AdjustPointer.LIBCMT ref: 6CF3D93F

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 9833ea7b569fc77752ff09e9acf960a9f1f9b57595350b93b36463cfde919dfb
Instruction ID: 297406c4e4c58e7a65027e9e9cf0a928a6b359a3a0484da21380b9ec5fc20c8e
Opcode Fuzzy Hash: 9833ea7b569fc77752ff09e9acf960a9f1f9b57595350b93b36463cfde919dfb
Instruction Fuzzy Hash: 9E51CE76A16622BFEB158F54D840BAAB7B4FF44318F201529EC1957A90E731F845C7D0

Function 6CF38620 Relevance: 6.1, APIs: 4, Instructions: 147windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001105,00000000,00000000), ref: 6CF38647
SendMessageW.USER32(?,0000110A,00000001,00000001), ref: 6CF3866A

Part of subcall function 6CEFE600: Concurrency::cancel_current_task.LIBCPMT ref: 6CEFE747

SendMessageW.USER32(?,0000110A,00000001,00000001), ref: 6CF386D1
SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 6CF38713

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend$Concurrency::cancel_current_task
String ID:
API String ID: 4226222239-0
Opcode ID: a999677438eba72674a2e7e86392f0d9cc84a0e6929c6b5b1080b02c71a6bb74
Instruction ID: cf851188a3513792cc2f3c9d32a8d1291cb2cb561560104fec181f63162c8a33
Opcode Fuzzy Hash: a999677438eba72674a2e7e86392f0d9cc84a0e6929c6b5b1080b02c71a6bb74
Instruction Fuzzy Hash: E9417171200618AFDB15CF19C984EAB7BB6EF85758B20841FF959CBA50C774FC418BA1

Function 6CF0E540 Relevance: 6.1, APIs: 4, Instructions: 145windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000102F,?,00000003), ref: 6CF0E5EE
InvalidateRect.USER32(?,00000000,00000000), ref: 6CF0E60A
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 6CF0E694
SendMessageW.USER32(?,0000104D,00000000,?), ref: 6CF0E712

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend$InvalidateRect
String ID:
API String ID: 2778011698-0
Opcode ID: 0927b9ad2176db33e64f6372134f13b424f3f716e1cf7f49e48098b5e0d17191
Instruction ID: ad05d11e49f2d5e6bd3450bed5037daf8c82576879483e30b8c2cec53e668113
Opcode Fuzzy Hash: 0927b9ad2176db33e64f6372134f13b424f3f716e1cf7f49e48098b5e0d17191
Instruction Fuzzy Hash: FD513575A183459FC340CF25C884B9ABBE4BF88704F104A2EF9A897290D7B0E804CF82

Function 6CF53E34 Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f83ba9e12049d85c0a136c57e26c51172ec76bae91d9a94d43a3b3bfb5d4b5af
Instruction ID: 1f5eb192e75c4940965d03a98572297a4b5aa184a127c9c716581f4e0c0db1f1
Opcode Fuzzy Hash: f83ba9e12049d85c0a136c57e26c51172ec76bae91d9a94d43a3b3bfb5d4b5af
Instruction Fuzzy Hash: 3541F372A00604AFD7159F7CCC00B9ABFF8EB99714F50852AE201DBB81D371A9598B80

Function 6CF2D9F0 Relevance: 6.1, APIs: 4, Instructions: 112windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000419,?,00000000), ref: 6CF2DA42
SendMessageW.USER32(?,00000419,?,00000000), ref: 6CF2DAA3
SendMessageW.USER32(?,00000433,?,01334D40), ref: 6CF2DAE0
ClientToScreen.USER32(?,?), ref: 6CF2DAF9

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend$ClientScreen
String ID:
API String ID: 1264711397-0
Opcode ID: 3cac46ff8a33b8568f9204ce2e3ec0f2bd743b3f6b6edccf9bb2d7c62284cca9
Instruction ID: 92113f4de3f9d275b428d9856cb68d7efcf1faf22cfe33eda0d4ced89a7c4b78
Opcode Fuzzy Hash: 3cac46ff8a33b8568f9204ce2e3ec0f2bd743b3f6b6edccf9bb2d7c62284cca9
Instruction Fuzzy Hash: 84416B75B00219AFEB008FA4CC85FEAB7BCBF08708F008559FA15A6681D3B5E914CB60

Function 6CF0E9E0 Relevance: 6.1, APIs: 4, Instructions: 107windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000102F,?,00000003), ref: 6CF0EA73
InvalidateRect.USER32(?,00000000,00000000), ref: 6CF0EA99
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 6CF0EAC2
SendMessageW.USER32(?,00001008,?,00000000), ref: 6CF0EAED

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend$InvalidateRect
String ID:
API String ID: 2778011698-0
Opcode ID: b3fc44a05b5cacf0e8975854351463bce9cada091252ba5555e19666f5365e2b
Instruction ID: 6f48fe38fa404e387017b8edc6c852f15c454f518357e3a90b4e2fc7b1fce4b9
Opcode Fuzzy Hash: b3fc44a05b5cacf0e8975854351463bce9cada091252ba5555e19666f5365e2b
Instruction Fuzzy Hash: C3410F39701605AFD704CF58C88AFA0B7B4FF4A715F1542A5FA29CB7A1C7B1A860DB80

Function 6CF390E0 Relevance: 6.1, APIs: 4, Instructions: 103windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001105,00000000,00000000), ref: 6CF3910A
SendMessageW.USER32(00000000,0000110A,00000000,00000000), ref: 6CF39134
SendMessageW.USER32(00000000,0000110A,00000001,00000000), ref: 6CF3918C
SendMessageW.USER32(00000000,0000110A,00000001,00000000), ref: 6CF391C0

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 95f41a4a0bd42c609df60978b0bbc28d7420fa56ab672912dd1adea2f0142fb8
Instruction ID: 13b39e5dc652ad942d31dd7ee46e32d38dec0caaca7cb6905480c3de510fd107
Opcode Fuzzy Hash: 95f41a4a0bd42c609df60978b0bbc28d7420fa56ab672912dd1adea2f0142fb8
Instruction Fuzzy Hash: DF317271E40218BBDB159F65CC85FAEBB78EF45711F1044AAF905AB280DBB19D148B90

Function 6CF3AAC0 Relevance: 6.1, APIs: 4, Instructions: 100windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001109,00000000,00000000), ref: 6CF3AB3C

Part of subcall function 6CF3AAC0: LoadIconW.USER32(00000000,00007F00), ref: 6CF3A2E6
Part of subcall function 6CF3AAC0: ImageList_GetImageCount.COMCTL32(00000000,00000000,00000000,D1DC5EAD,?,75C05540,75BFCF90), ref: 6CF3A36E
Part of subcall function 6CF3AAC0: ImageList_GetIconSize.COMCTL32(00000000,00000010,00000010), ref: 6CF3A381
Part of subcall function 6CF3AAC0: DestroyIcon.USER32(?), ref: 6CF3A3B7

ImageList_Destroy.COMCTL32(?,00000000,00000000,?,?,?,00000064), ref: 6CF3AB7C
SendMessageW.USER32(?,00001109,00000064,00000000), ref: 6CF3ABA7
SendMessageW.USER32(?,00001108,00000064,00000000), ref: 6CF3ABBA

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Image$IconList_MessageSend$Destroy$CountLoadSize
String ID:
API String ID: 3232949183-0
Opcode ID: 93335d8db258d85df13348eb4134d49b13e84be7175398d06869c999d16bd39a
Instruction ID: 360ab1c1dd60bdf1827d7bbaf5f2df3a9ee6feada63c590c1b7bb038d97d1598
Opcode Fuzzy Hash: 93335d8db258d85df13348eb4134d49b13e84be7175398d06869c999d16bd39a
Instruction Fuzzy Hash: 61316E31740118BBEB08CF6ADC41FA5B7E9EF45325F1451AAE91DCB6A0DB71A8108BD0

Function 6CEFC4B0 Relevance: 6.1, APIs: 4, Instructions: 94fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000007,00000000,00000002,00000080,00000000), ref: 6CEFC517
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 6CEFC52B
WriteFile.KERNEL32(00000000,?,00000001,?,00000000), ref: 6CEFC575
CloseHandle.KERNEL32(00000000), ref: 6CEFC586

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: ea8b5003b10ed38b705d450254c982a55a6db726766ef6bb17082e0bbdba8cc9
Instruction ID: 3f4a59c03f3f24438dee7a53e6319eb3d61de6f7a97470b04c29956b72a1a657
Opcode Fuzzy Hash: ea8b5003b10ed38b705d450254c982a55a6db726766ef6bb17082e0bbdba8cc9
Instruction Fuzzy Hash: 4631C271B457019BD321DE24C885B2B7BB4EB85B1CF308A1CE9799B7C0E770E9068A95

Function 6CF54B41 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 6CF52D30: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CF5A43F,?,00000000,-00000008), ref: 6CF52D91

GetLastError.KERNEL32 ref: 6CF54BA5
__dosmaperr.LIBCMT ref: 6CF54BAC
GetLastError.KERNEL32(?,?,?,?), ref: 6CF54BE6
__dosmaperr.LIBCMT ref: 6CF54BED

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: b7697e29b522c4894db366e6390ed080ae3ae2d591768ba2cfd8e9c75d434de4
Instruction ID: 81a2cc5756fcff77434fd645962cb0768fc4ece15553e65bd9001d14e847ae4d
Opcode Fuzzy Hash: b7697e29b522c4894db366e6390ed080ae3ae2d591768ba2cfd8e9c75d434de4
Instruction Fuzzy Hash: 6221C832A04615BFDB109F66C884E5BBFB8FF5136C7458A18FA1997A50D730EC348B90

Function 6CF55C03 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6CF55C0B

Part of subcall function 6CF52D30: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CF5A43F,?,00000000,-00000008), ref: 6CF52D91

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CF55C43
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CF55C63

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: a212841c53b2f04b261bde2313ad88fc418c4d88ef23b6fb538e0cebb6621776
Instruction ID: fd4680a575079aea8e517b0fbfe3c9b9cf88c529ca2187c228c42bad0e3f95b8
Opcode Fuzzy Hash: a212841c53b2f04b261bde2313ad88fc418c4d88ef23b6fb538e0cebb6621776
Instruction Fuzzy Hash: 3C1104B2A056567F6A0117B68E8CDAF397CDF6639C3900215FB04D2A00FBA0DD2481B4

Function 6CF13020 Relevance: 6.1, APIs: 4, Instructions: 73windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 6CF13098
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 6CF130A4
SetFocus.USER32(?), ref: 6CF130CB
SendMessageW.USER32(?,00001076,?,00000000), ref: 6CF130DE

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend$Focus
String ID:
API String ID: 3982298024-0
Opcode ID: fa910f816f10bf0e7ef336cca3cfd1e89a114307b3a3dc5ff06c0c3c2d33e990
Instruction ID: 8670f89d92cf3933598ca650c80f12e53654e1d69ae9784125abcc41337fe85b
Opcode Fuzzy Hash: fa910f816f10bf0e7ef336cca3cfd1e89a114307b3a3dc5ff06c0c3c2d33e990
Instruction Fuzzy Hash: F8218031B04B04AFDB20CF59CC81F59BBF4EB48718F158169E958ABA90C272F8449B90

Function 6CF245D0 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

UnregisterClassW.USER32(00000000), ref: 6CF245FF
IsWindow.USER32(?), ref: 6CF24624
DestroyWindow.USER32(?), ref: 6CF2462F
IsWindow.USER32(?), ref: 6CF24676

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Window$ClassDestroyUnregister
String ID:
API String ID: 1257303165-0
Opcode ID: 31b9efed48ff07f796d986a67df8327f1808246173465799ec9b117f3aba2a34
Instruction ID: adbf072207948e360b16a543fd254ddbde8c97c422f1ef299c4954ebab3f4380
Opcode Fuzzy Hash: 31b9efed48ff07f796d986a67df8327f1808246173465799ec9b117f3aba2a34
Instruction Fuzzy Hash: C121AC32F20111AFEF41DF6AD980E66BFB5FB867243150029E958D7A10D7B4AC80CBE0

Function 6CF2F500 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

UnregisterClassW.USER32(00000000), ref: 6CF2F52F
IsWindow.USER32(?), ref: 6CF2F554
DestroyWindow.USER32(?), ref: 6CF2F55F
IsWindow.USER32(?), ref: 6CF2F5A6

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Window$ClassDestroyUnregister
String ID:
API String ID: 1257303165-0
Opcode ID: 6db69c4796d1be317534cf281903f797c245541a6d6bc046157acbb98e117f08
Instruction ID: 1f45c914874013b6f55de5b05fa0a90515fbb9b1097170ef7a2571cba1dc39ea
Opcode Fuzzy Hash: 6db69c4796d1be317534cf281903f797c245541a6d6bc046157acbb98e117f08
Instruction Fuzzy Hash: 3F218C32B315219FEF84DFAAC881A6673B5FB866143524519E861A7A10CB30EC40CFE0

Function 6CF080B0 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

UnregisterClassW.USER32(00000000), ref: 6CF080DF
IsWindow.USER32(?), ref: 6CF08104
DestroyWindow.USER32(?), ref: 6CF0810F
IsWindow.USER32(?), ref: 6CF08156

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Window$ClassDestroyUnregister
String ID:
API String ID: 1257303165-0
Opcode ID: 15150e5f383993818250794250b6a22179373b2d87bbb3c0e7a971bff2a5dd70
Instruction ID: f77b1419fbdc85db44f4d091a342d0319ec7a2609f96fa89a553fb769ae7f412
Opcode Fuzzy Hash: 15150e5f383993818250794250b6a22179373b2d87bbb3c0e7a971bff2a5dd70
Instruction Fuzzy Hash: D521AE32B24100DFEF40DF2AC8D0B667BB5FB4AB647520916D915D7612E730AC40EBE1

Function 6CF32100 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

UnregisterClassW.USER32(00000000), ref: 6CF3212F
IsWindow.USER32(?), ref: 6CF32154
DestroyWindow.USER32(?), ref: 6CF3215F
IsWindow.USER32(?), ref: 6CF321A6

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Window$ClassDestroyUnregister
String ID:
API String ID: 1257303165-0
Opcode ID: e06b8d3662a04a2606c57cc2c832ee20d6c1ebb45c37bd5e136f404947b54bce
Instruction ID: c8edb905b0df7f9da2eb21ab154b1b93a9b57642594098af63602a25ab54c71d
Opcode Fuzzy Hash: e06b8d3662a04a2606c57cc2c832ee20d6c1ebb45c37bd5e136f404947b54bce
Instruction Fuzzy Hash: 0721A532B20214EFEF40EF26CA88B6673B5FB467153120529DA69D7611D771AC84CBE2

Function 6CF06460 Relevance: 6.1, APIs: 4, Instructions: 69windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000100C,?,00000003), ref: 6CF0648D
SendMessageW.USER32(?,0000102B,00000000,00000008), ref: 6CF064B9
SendMessageW.USER32(?,0000102B,?,00000008), ref: 6CF064F4
SendMessageW.USER32(?,00001013,?,00000001), ref: 6CF06510

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1ab4268fbacb329b4b6183187e3855379113e9b475d2d5d37c7c667065790391
Instruction ID: 5b352489d3338dc28e2b05c06279babd5b9e4a7b3bda3e59ddd39ec97d7f80c1
Opcode Fuzzy Hash: 1ab4268fbacb329b4b6183187e3855379113e9b475d2d5d37c7c667065790391
Instruction Fuzzy Hash: 9921A471F00208ABEB20DF66C955BAEB7B8FF45B10F10461DF965AB2C0C7B09944CB50

Function 6CF298C0 Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

UnregisterClassW.USER32(00000000), ref: 6CF298EB
IsWindow.USER32(?), ref: 6CF29914
DestroyWindow.USER32(?), ref: 6CF2991F
IsWindow.USER32(?), ref: 6CF29953

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Window$ClassDestroyUnregister
String ID:
API String ID: 1257303165-0
Opcode ID: b4b9b6905b0f582e348a6b43f5683c41da9dde627cda428d84e760607275c65f
Instruction ID: 4348c07c0830cb0c1b95ce30d233fd9f8ce7d528129cf031570dfd5b1c3a24be
Opcode Fuzzy Hash: b4b9b6905b0f582e348a6b43f5683c41da9dde627cda428d84e760607275c65f
Instruction Fuzzy Hash: FA11A333B241008FDF41AFBAD884A5AB7B8FF4A3647114615E864A7610DB74AD40EBA4

Function 6CF06650 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6CF06684
ShowScrollBar.USER32(?,00000001,00000000), ref: 6CF066CD
SetScrollInfo.USER32(?,00000001,0000001C,00000001), ref: 6CF066DE
GetScrollPos.USER32(?,00000001), ref: 6CF066E9

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Scroll$ClientInfoRectShow
String ID:
API String ID: 3162684138-0
Opcode ID: ba60e31e4f652483da2e6053f327491cfb50af8c7a07aa41496635fabe1879f0
Instruction ID: e50809e4e41537bfbc0c23846b524691fac360fa782f82270e0a510117c3760e
Opcode Fuzzy Hash: ba60e31e4f652483da2e6053f327491cfb50af8c7a07aa41496635fabe1879f0
Instruction Fuzzy Hash: 0F213771A10608DFDB20CF69C949BAEBBF5FF08700F108929E556A7650D7B2A944CB54

Function 6CF21B8C Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001003,00000000,00000000), ref: 6CF21BB5
SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 6CF21BC9
SendMessageW.USER32(00000000,00001208,00000000,?), ref: 6CF21BDC
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000127), ref: 6CF21C07

Part of subcall function 6CF1FFF0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 6CF20039
Part of subcall function 6CF1FFF0: SendMessageA.USER32(?,00000047,00000000,?), ref: 6CF20067
Part of subcall function 6CF1FFF0: SetWindowLongW.USER32(?,000000F0,00000000), ref: 6CF2007E
Part of subcall function 6CF1FFF0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000127), ref: 6CF20096

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSendWindow$Long
String ID:
API String ID: 3430364388-0
Opcode ID: 87f1469736b6970156081c94d5b47e293c159aa7991cf49729304397801a22f1
Instruction ID: daafae24e5cc54eb9343913adf07101c36bb45375db9c01bca835683cca84766
Opcode Fuzzy Hash: 87f1469736b6970156081c94d5b47e293c159aa7991cf49729304397801a22f1
Instruction Fuzzy Hash: 44014231B80104BBD7048BB4CC06FE9B775FB48305F108125F2189F5D1CBB6A8609BC4

Function 6CF5A8AA Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6CF5672E,00000000,00000001,00000000,?,?,6CF4FAD9,?,00000000,00000000), ref: 6CF5A8C1
GetLastError.KERNEL32(?,6CF5672E,00000000,00000001,00000000,?,?,6CF4FAD9,?,00000000,00000000,?,?,?,6CF500B3,00000000), ref: 6CF5A8CD

Part of subcall function 6CF5A893: CloseHandle.KERNEL32(FFFFFFFE,6CF5A8DD,?,6CF5672E,00000000,00000001,00000000,?,?,6CF4FAD9,?,00000000,00000000,?,?), ref: 6CF5A8A3

___initconout.LIBCMT ref: 6CF5A8DD

Part of subcall function 6CF5A855: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CF5A884,6CF5671B,?,?,6CF4FAD9,?,00000000,00000000,?), ref: 6CF5A868

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6CF5672E,00000000,00000001,00000000,?,?,6CF4FAD9,?,00000000,00000000,?), ref: 6CF5A8F2

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 3db18b9e3203a9720e46aec9703fa297a275604c3100503db7a4fa462db690d4
Instruction ID: ee84dcbcbea16fc7de74f69673d6477776fd6d76ecb53bf2d5ad256acbbac554
Opcode Fuzzy Hash: 3db18b9e3203a9720e46aec9703fa297a275604c3100503db7a4fa462db690d4
Instruction Fuzzy Hash: 74F01C36A10255BFCF521F92CC08AAD7F76EB0A3B2B544120FA1995560C672C8729BA4

Function 6CF3BE66 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,6CF3BE03,00000064), ref: 6CF3BE89
LeaveCriticalSection.KERNEL32(6CF9D840,00000001,?,6CF3BE03,00000064,?,6CEFACFF,6CF9E7B0,00000000,00000000,?,6CF04074), ref: 6CF3BE93
WaitForSingleObjectEx.KERNEL32(00000001,00000000,?,6CF3BE03,00000064,?,6CEFACFF,6CF9E7B0,00000000,00000000,?,6CF04074), ref: 6CF3BEA4
EnterCriticalSection.KERNEL32(6CF9D840,?,6CF3BE03,00000064,?,6CEFACFF,6CF9E7B0,00000000,00000000,?,6CF04074), ref: 6CF3BEAB

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: 7a046159b6749d52a2e98f243eccdc77377d84d04c0852ff16cc200142b98957
Instruction ID: 1de235ac31b1d9b353def074589a395dc17c0bc18a4e35142f336b3a408ddf21
Opcode Fuzzy Hash: 7a046159b6749d52a2e98f243eccdc77377d84d04c0852ff16cc200142b98957
Instruction Fuzzy Hash: 85E09232A21424B7CE421F46CC08FAA3F38EB46711B350010F90A52552C67298008BC8

Function 6CF26E40 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000040F,?,00000000), ref: 6CF26F4A

Strings

M, xrefs: 6CF27021
gfff, xrefs: 6CF26EB2

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend
String ID: M$gfff
API String ID: 3850602802-4252381157
Opcode ID: 103fc57f75d40b4c41c18b45842411c7190440994ca704de35c4500cd7899da5
Instruction ID: c758c27482fadf0cceec55dfba6993b98aea36a6686ee3389740828528ff2730
Opcode Fuzzy Hash: 103fc57f75d40b4c41c18b45842411c7190440994ca704de35c4500cd7899da5
Instruction Fuzzy Hash: A471C132A01205DFDB14CF98D880AA9F7B9FF49318F1542AAE919DBB50E735E904CB91

Function 6CF1EE20 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 203windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000001,0000101F,00000000,00000000), ref: 6CF1EF68
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 6CF1EF74

Strings

----, xrefs: 6CF1EF15

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend
String ID: ----
API String ID: 3850602802-645692374
Opcode ID: aef25b29564e421de3b00e248382f8d3dd3abf47951b1c609c5d09a02db01cdc
Instruction ID: bbb22124aef4d205d094a8454171a7322f1ac7c2e1ba14794a10db74f0621f23
Opcode Fuzzy Hash: aef25b29564e421de3b00e248382f8d3dd3abf47951b1c609c5d09a02db01cdc
Instruction Fuzzy Hash: 85815A74E097098FDB14CFA9C984B9EBBB1FF49314F248629E8156BF44E770A944CB90

Function 6CEFD790 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 195stringCOMMON

Download Yara Rule

APIs

IsBadStringPtrA.KERNEL32(00000000,00000004), ref: 6CEFD909
lstrlenA.KERNEL32(00000000), ref: 6CEFD919

Strings

M, xrefs: 6CEFD8EE, 6CEFD928

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Stringlstrlen
String ID: M
API String ID: 2797733557-519822722
Opcode ID: 90b61dd7226abcb4cee41018f22e688867abaa6277ab0f7f87ed5a2a73b4fc91
Instruction ID: 438d15300f344a1b324c1a10fdd0af9c01c7c4a961d6866620ac73eeefb56ed8
Opcode Fuzzy Hash: 90b61dd7226abcb4cee41018f22e688867abaa6277ab0f7f87ed5a2a73b4fc91
Instruction Fuzzy Hash: AF61C579A412469BDB018F99C890B6EBFB4EF4631CF300219E835D7B60D3B5DA42CB91

Function 6CF2BB70 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 131stringwindowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000417,?,?), ref: 6CF2BC01
lstrlenA.KERNEL32(00000000), ref: 6CF2BC5E

Strings

M, xrefs: 6CF2BC6C

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSendlstrlen
String ID: M
API String ID: 1933689666-519822722
Opcode ID: 2126f0e6af2b3eb27f58e726dca2bdfebfb5d4db39791d97f5747fa4142d1545
Instruction ID: cfb15dbb9f460faae8541a8ef884b2aaad2bda03ffe1b4be5d7a94078c7faeff
Opcode Fuzzy Hash: 2126f0e6af2b3eb27f58e726dca2bdfebfb5d4db39791d97f5747fa4142d1545
Instruction Fuzzy Hash: AD417271A412189FDB00CFA5C984FAEB7B8EF49714F154999EC1AAB740DB74E9408BE0

Function 6CF30CB0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119windowCOMMON

Download Yara Rule

APIs

SetPropW.USER32(?,{478011B2-E06D-4B4B-A323-5B4AD8F78DE6},?), ref: 6CF30D72
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 6CF30D81

Strings

{478011B2-E06D-4B4B-A323-5B4AD8F78DE6}, xrefs: 6CF30D6A

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessagePostProp
String ID: {478011B2-E06D-4B4B-A323-5B4AD8F78DE6}
API String ID: 2382592484-2367190246
Opcode ID: 77e1240c06576fa33dfab5151f97f062058de13a93567eb5cb622d9327741899
Instruction ID: 2bb9a7b97d42cb54d42bf1669fe722f61b376543404a52907017b6ce8a686dad
Opcode Fuzzy Hash: 77e1240c06576fa33dfab5151f97f062058de13a93567eb5cb622d9327741899
Instruction Fuzzy Hash: 5241BF70A11250AFDB14CF25C864B96BBF4FF05308F19869AE44D9F6A1D7B1E880CBD0

Function 6CEF9300 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 118registrywindowthreadCOMMON

Download Yara Rule

APIs

RegisterWindowMessageW.USER32({FA6E5F10-1413-48DB-A752-E7F35C5DF3C5},?,?,D1DC5EAD), ref: 6CEF9378
CreateThread.KERNEL32(00000000,00000000,Function_00009130,?,00000000,00000000), ref: 6CEF93A4

Strings

{FA6E5F10-1413-48DB-A752-E7F35C5DF3C5}, xrefs: 6CEF9373

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: CreateMessageRegisterThreadWindow
String ID: {FA6E5F10-1413-48DB-A752-E7F35C5DF3C5}
API String ID: 4086609142-3741062581
Opcode ID: e290fa2389e9ce832107a612f64543c6a62181f6a2fe3495e33f61dd23d01581
Instruction ID: 466313aff4f9fbac9f5b89e13e3133da6cf7d7dda6c732ce56e70c11ca032c0d
Opcode Fuzzy Hash: e290fa2389e9ce832107a612f64543c6a62181f6a2fe3495e33f61dd23d01581
Instruction Fuzzy Hash: 6541EF70E04218DFDF54CF5AC888B5ABBF4FB05718F29866AE0699B790C7B49844CF91

Function 6CF3DDB5 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 6CF3DDDA

Strings

RCC, xrefs: 6CF3DDF4
MOC, xrefs: 6CF3DDEC

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 03ad92a63dd5af14f62afe8a43f97d0d6701821c85b572293cace1bd4506c6fb
Instruction ID: 54563722183b53651264694c301467f8c9127ce30533ce76c35eda08157c21ff
Opcode Fuzzy Hash: 03ad92a63dd5af14f62afe8a43f97d0d6701821c85b572293cace1bd4506c6fb
Instruction Fuzzy Hash: 04418B72A00219BFCF06CF94CD80AEE7BB5FF48308F159159F918A7691D33599A0DB90

Function 6CF0ADF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108windowCOMMON

Download Yara Rule

APIs

SetPropW.USER32(?,{478011B2-E06D-4B4B-A323-5B4AD8F78DE6},?), ref: 6CF0AE7C
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 6CF0AE8B

Strings

{478011B2-E06D-4B4B-A323-5B4AD8F78DE6}, xrefs: 6CF0AE74

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessagePostProp
String ID: {478011B2-E06D-4B4B-A323-5B4AD8F78DE6}
API String ID: 2382592484-2367190246
Opcode ID: cec2db2bbcc21da0e0441b1f9a5c07ceeaa52c7e9e25d93dfbf189440e5ebd28
Instruction ID: 9036794524edcc9daf859fd13fa90ec2a36c761f4f014038903a32ba81ed32b8
Opcode Fuzzy Hash: cec2db2bbcc21da0e0441b1f9a5c07ceeaa52c7e9e25d93dfbf189440e5ebd28
Instruction Fuzzy Hash: 0B41A270A152109FDB04CF29C865AA5BFF8FF09705F1982AEE84DCF262E7719450DB90

Function 6CF31EF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

GetPropW.USER32(00000000,{343BF546-3975-41C8-94EB-47E67E2B3670}), ref: 6CF31F43
SetPropW.USER32(00000000,{343BF546-3975-41C8-94EB-47E67E2B3670},00000000), ref: 6CF32041

Strings

{343BF546-3975-41C8-94EB-47E67E2B3670}, xrefs: 6CF31F3B, 6CF32039

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: Prop
String ID: {343BF546-3975-41C8-94EB-47E67E2B3670}
API String ID: 257714900-1567992397
Opcode ID: 1c4452ce57f8977c99113bb14e587c284f23547b494c6516910e795983f78ae7
Instruction ID: 3a2b930111b961139823cb1905431f82c218a73a1c9a8a4185d97e2ac32566f5
Opcode Fuzzy Hash: 1c4452ce57f8977c99113bb14e587c284f23547b494c6516910e795983f78ae7
Instruction Fuzzy Hash: 9841C070A05609AFD742CF29C814B99FBB4FF09314F20C65AE418A7B90E776A594CF80

Function 6CEFAE60 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

__modf_pentium4.LIBCMT ref: 6CEFAE95

Strings

%04d-%02d-%02d, xrefs: 6CEFAF1F
%02d:%02d:%02d, xrefs: 6CEFAF53

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: __modf_pentium4
String ID: %02d:%02d:%02d$%04d-%02d-%02d
API String ID: 1356473546-2924087144
Opcode ID: b181e9e562416dcf2666388acf6575ec7fda615f747f96c2a9389da641db07e6
Instruction ID: 5efbc84bdf193cc2d8cd2988d1301f3f23ae66d33b5ddfe1ebe427fabf89c692
Opcode Fuzzy Hash: b181e9e562416dcf2666388acf6575ec7fda615f747f96c2a9389da641db07e6
Instruction Fuzzy Hash: DA31FC729047045BC711DF39CC41A8B77F9AFC9304F048B2AF5989A640FB31D659CB82

Function 6CEF8D60 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

__modf_pentium4.LIBCMT ref: 6CEF8D94

Strings

%04d-%02d-%02d, xrefs: 6CEF8E1E
%02d:%02d:%02d, xrefs: 6CEF8E4C

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: __modf_pentium4
String ID: %02d:%02d:%02d$%04d-%02d-%02d
API String ID: 1356473546-2924087144
Opcode ID: 6e29afe3619e13f1f3d5f5c468771fc0ae30d99ed367a35a3aaaa66407ce198b
Instruction ID: 1fc682b937b51bf3afa8748dd1dfb346bcb726c9ab01888968299825dfb1df5d
Opcode Fuzzy Hash: 6e29afe3619e13f1f3d5f5c468771fc0ae30d99ed367a35a3aaaa66407ce198b
Instruction Fuzzy Hash: EB31E9B29047005BC755DF249C01A9BBBF8EFC9314F048B2EF99996290E731D558CB92

Function 6CF2B420 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000417,?,?), ref: 6CF2B494
SendMessageW.USER32(?,00000440,?,00000020), ref: 6CF2B4B6

Strings

, xrefs: 6CF2B45C

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-3916222277
Opcode ID: ec98827c2ae6d04578497f923cb4bb6bc4116b34847802a6b0c86d213a04abd9
Instruction ID: 81986d4b89895a119e20bac25f42b07ebec7a8610faa08c8732a003b311d0b67
Opcode Fuzzy Hash: ec98827c2ae6d04578497f923cb4bb6bc4116b34847802a6b0c86d213a04abd9
Instruction Fuzzy Hash: E6118E71A187449BE700CF55C985B6BB7F9BFC8714F108E0CF9A596280EBB4E940CB96

Function 6CF3D452 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(E06D7363,00000001,00000003,#l,?,?,?,?,6CEF23E0,?,6CF8EFE8,?,?,?,6CF02EDF,?), ref: 6CF3D4B2

Strings

#l, xrefs: 6CF3D49F, 6CF3D4A2
#l, xrefs: 6CF3D45D

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: ExceptionRaise
String ID: #l$#l
API String ID: 3997070919-3705884612
Opcode ID: 716dea9dcae518a781892085a6cf255d58c3acc97635731c23bc5ed79b862abb
Instruction ID: 5f9f884e71c95e32f7bd839b6cd0a101ab63d46b5d75b6b0dc426f87777fe015
Opcode Fuzzy Hash: 716dea9dcae518a781892085a6cf255d58c3acc97635731c23bc5ed79b862abb
Instruction Fuzzy Hash: F201A2B5A10219ABCB019F59D880BAEBBB8FF85708F21405AE915AB391D770E900CBD0

Function 6CF1E680 Relevance: 5.2, APIs: 4, Instructions: 193COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(000003A8,00000000,?,?,00000000,00000000), ref: 6CF1E6ED
MultiByteToWideChar.KERNEL32(000003A8,00000000,?,?,?,?), ref: 6CF1E727

Part of subcall function 6CF1E4A0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 6CF1E538
Part of subcall function 6CF1E4A0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,?), ref: 6CF1E571

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 6CF1E78E
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,?), ref: 6CF1E7CC

Memory Dump Source

Source File: 00000000.00000002.1701453612.000000006CEF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6CEF0000, based on PE: true

Associated: 00000000.00000002.1701438702.000000006CEF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701495506.000000006CF60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701523914.000000006CF91000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701538187.000000006CF92000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701552739.000000006CF97000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701567604.000000006CF98000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701590534.000000006CF9D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701606235.000000006CF9F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1701621072.000000006CFA3000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cef0000_YY#U6302#U53f7#U534f#U8bae.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 83b015a37b1d8fa0504162a53494479da4a25998f3c5ad9b659efd4ff45dd12a
Instruction ID: 7704cbe44b13a215548cc47b36a87ada635b402a60183751ec407ddf5aa88569
Opcode Fuzzy Hash: 83b015a37b1d8fa0504162a53494479da4a25998f3c5ad9b659efd4ff45dd12a
Instruction Fuzzy Hash: 73519D32708205BBDB108E599C48BDA7B75EF85328F2842A9F96C9BF40DA319D0287D0

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report YY#U6302#U53f7#U534f#U8bae.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\iext1.fnr.bbs.125.la

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: YY#U6302#U53f7#U534f#U8bae.exePID: 908, Parent PID: 2580

General

Chronological Activities

Disassembly

Analysis Process: YY#U6302#U53f7#U534f#U8bae.exePID: 908, Parent PID: 2580COMMON

Execution Graph

Graph

Windows Analysis Report
YY#U6302#U53f7#U534f#U8bae.exe

Function 6CF03D60 Relevance: 44.1, APIs: 17, Strings: 8, Instructions: 340
filelibraryloaderCOMMON

Function 6CEFAD60 Relevance: 9.1, APIs: 6, Instructions: 80
processCOMMON

Function 6CF3C00E Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Function 6CF3C0BE Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Function 6CF3BF07 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Function 6CF52D9C Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Function 6CF04EB0 Relevance: 62.0, APIs: 41, Instructions: 548
windowCOMMON

Function 6CF081A0 Relevance: 60.0, APIs: 32, Strings: 2, Instructions: 452
windowCOMMON