Edit tour

Windows Analysis Report
eVirFdGeXm.exe

Overview

General Information

Sample name:	eVirFdGeXm.exe renamed because original name is a hash value
Original sample name:	11e3134472c0035f17a22bfbd2f66416.exe
Analysis ID:	1537103
MD5:	11e3134472c0035f17a22bfbd2f66416
SHA1:	073a4f5698987a9e1d36beadbec29570f9906d46
SHA256:	ef2a8077afd8c42e52b49a2c4f7a1ca49f59f83ef9af4e508bf438b64bc36b11
Tags:	64exe
Infos:

Detection

Score:	4
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Binary contains a suspicious time stamp

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

PE file contains an invalid checksum

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

eVirFdGeXm.exe (PID: 4668 cmdline: "C:\Users\user\Desktop\eVirFdGeXm.exe" MD5: 11E3134472C0035F17A22BFBD2F66416)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: eVirFdGeXm.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: dccw.pdbGCTL source: eVirFdGeXm.exe
Source:	Binary string: dccw.pdb source: eVirFdGeXm.exe

Source: C:\Users\user\Desktop\eVirFdGeXm.exe

Code function: 0_2_00007FF6BC71EBC4 GetObjectW,GetLastError,GetWindowRect,GetLastError,GetDC,GetLastError,CreateCompatibleDC,GetLastError,SelectObject,CreateCompatibleDC,GetLastError,SetStretchBltMode,GetLastError,CreateCompatibleBitmap,GetLastError,SelectObject,StretchBlt,GetLastError,SendMessageW,DeleteObject,ReleaseDC,DeleteDC,DeleteDC,DeleteObject,

0_2_00007FF6BC71EBC4

Source: C:\Users\user\Desktop\eVirFdGeXm.exe	Code function: 0_2_00007FF6BC711170	0_2_00007FF6BC711170
Source: C:\Users\user\Desktop\eVirFdGeXm.exe	Code function: 0_2_00007FF6BC714120	0_2_00007FF6BC714120
Source: C:\Users\user\Desktop\eVirFdGeXm.exe	Code function: 0_2_00007FF6BC71EBC4	0_2_00007FF6BC71EBC4
Source: C:\Users\user\Desktop\eVirFdGeXm.exe	Code function: 0_2_00007FF6BC712518	0_2_00007FF6BC712518
Source: C:\Users\user\Desktop\eVirFdGeXm.exe	Code function: 0_2_00007FF6BC71892C	0_2_00007FF6BC71892C
Source: C:\Users\user\Desktop\eVirFdGeXm.exe	Code function: 0_2_00007FF6BC71388C	0_2_00007FF6BC71388C
Source: C:\Users\user\Desktop\eVirFdGeXm.exe	Code function: 0_2_00007FF6BC712E8C	0_2_00007FF6BC712E8C

Source: eVirFdGeXm.exe	Binary or memory string: OriginalFilename vs eVirFdGeXm.exe
Source: eVirFdGeXm.exe, 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedccw.exej% vs eVirFdGeXm.exe
Source: eVirFdGeXm.exe	Binary or memory string: OriginalFilenamedccw.exej% vs eVirFdGeXm.exe

Source: classification engine

Classification label: clean4.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\eVirFdGeXm.exe

Code function: 0_2_00007FF6BC720478 FormatMessageW,LocalFree,GetLastError,

0_2_00007FF6BC720478

Source: C:\Users\user\Desktop\eVirFdGeXm.exe

Code function: 0_2_00007FF6BC711780 CoCreateInstance,

0_2_00007FF6BC711780

Source: C:\Users\user\Desktop\eVirFdGeXm.exe

Code function: 0_2_00007FF6BC71E884 FindResourceW,GetLastError,LoadResource,GetLastError,SizeofResource,LockResource,GlobalAlloc,GetLastError,GlobalLock,GetLastError,memcpy,CreateStreamOnHGlobal,GlobalUnlock,GlobalFree,GlobalUnlock,GetLastError,GdipAlloc,GdipCreateBitmapFromStream,GdipCreateHBITMAPFromBitmap,GetObjectW,GetLastError,

0_2_00007FF6BC71E884

Source: C:\Users\user\Desktop\eVirFdGeXm.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\DCCW Startup Mutex

Source: eVirFdGeXm.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\eVirFdGeXm.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\eVirFdGeXm.exe	Section loaded: dxva2.dll	Jump to behavior
Source: C:\Users\user\Desktop\eVirFdGeXm.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\Desktop\eVirFdGeXm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\eVirFdGeXm.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\eVirFdGeXm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\eVirFdGeXm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\eVirFdGeXm.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\eVirFdGeXm.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\eVirFdGeXm.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\eVirFdGeXm.exe	Section loaded: textshaping.dll	Jump to behavior

Source: eVirFdGeXm.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: eVirFdGeXm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: eVirFdGeXm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: eVirFdGeXm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: eVirFdGeXm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: eVirFdGeXm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: eVirFdGeXm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: eVirFdGeXm.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: eVirFdGeXm.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: dccw.pdbGCTL source: eVirFdGeXm.exe
Source:	Binary string: dccw.pdb source: eVirFdGeXm.exe

Source: eVirFdGeXm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: eVirFdGeXm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: eVirFdGeXm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: eVirFdGeXm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: eVirFdGeXm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: eVirFdGeXm.exe

Static PE information: 0x9AF322B1 [Sat May 18 06:09:53 2052 UTC]

Source: eVirFdGeXm.exe

Static PE information: real checksum: 0x1f5dd should be: 0x90725

Source: C:\Users\user\Desktop\eVirFdGeXm.exe

API coverage: 5.0 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\eVirFdGeXm.exe

Code function: 0_2_00007FF6BC71F7DC GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

0_2_00007FF6BC71F7DC

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\eVirFdGeXm.exe	Code function: 0_2_00007FF6BC721010 SetUnhandledExceptionFilter,		0_2_00007FF6BC721010
Source: C:\Users\user\Desktop\eVirFdGeXm.exe	Code function: 0_2_00007FF6BC720CE8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00007FF6BC720CE8

Source: C:\Users\user\Desktop\eVirFdGeXm.exe

Code function: 0_2_00007FF6BC7211E4 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

0_2_00007FF6BC7211E4

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Timestomp	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1537103
Start date and time:	2024-10-18 15:12:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	eVirFdGeXm.exe renamed because original name is a hash value
Original Sample Name:	11e3134472c0035f17a22bfbd2f66416.exe
Detection:	CLEAN
Classification:	clean4.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 9 Number of non-executed functions: 87
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
VT rate limit hit for: eVirFdGeXm.exe

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	5.943086016037392
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	eVirFdGeXm.exe
File size:	551'543 bytes
MD5:	11e3134472c0035f17a22bfbd2f66416
SHA1:	073a4f5698987a9e1d36beadbec29570f9906d46
SHA256:	ef2a8077afd8c42e52b49a2c4f7a1ca49f59f83ef9af4e508bf438b64bc36b11
SHA512:	806b4f3bfc0f012e79a43a08c5ef1dd8d480628d93a21b06241bac46ade1fb7255c5184fa31522681f812be4dc2eef2a74acccc565f0e8ae46ea778f86599602
SSDEEP:	6144:FTC9J2tSpzsSTC9J2tSpzsnTC9J2tSpzsATC9J2tSpzsxTC9J2tSpzs:FTC3/pNTC3/pyTC3/plTC3/pcTC3/p
TLSH:	68C4B44A22B928C4D1BB937DB50E4106D771F0322B2557DF06E0C27AAF27AD1AD37B52
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%0dkaQ.8aQ.8aQ.8h).8cQ.8u:.9bQ.8u:.9uQ.8u:.9gQ.8u:.9xQ.8aQ.8.Q.8u:.9MQ.8u:.8`Q.8u:.9`Q.8RichaQ.8........PE..d...."............"

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140010b60
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x9AF322B1 [Sat May 18 06:09:53 2052 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	f9bc8bd9a4625c4e4d51d3742b03ca20

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FB4AC9421B0h
dec eax
add esp, 28h
jmp 00007FB4AC9418B3h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [00008521h]
jne 00007FB4AC941B42h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007FB4AC941B33h
ret
dec eax
ror ecx, 10h
jmp 00007FB4AC941CB7h
int3
int3
int3
int3
int3
int3
jmp dword ptr [000030EEh]
int3
int3
int3
int3
int3
int3
jmp dword ptr [000030DAh]
int3
int3
int3
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
dec eax
mov eax, dword ptr [000090CCh]
dec eax
mov dword ptr [esp+38h], eax
dec eax
cmp eax, FFFFFFFFh
jne 00007FB4AC941B45h
dec eax
mov eax, dword ptr [00002FF2h]
call dword ptr [00003104h]
dec eax
add esp, 20h
pop ebx
ret
mov ecx, 00000008h
call 00007FB4AC94220Ah
nop
dec eax
mov eax, dword ptr [0000909Ch]
dec eax
mov dword ptr [esp+38h], eax
dec eax
mov eax, dword ptr [00009088h]
dec eax
mov dword ptr [esp+40h], eax
dec esp
lea eax, dword ptr [esp+40h]
dec eax
lea edx, dword ptr [esp+38h]

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x166e0	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1b000	0xad8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1a000	0xca8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1c000	0x520	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x159e0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x13420	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13538	0x7b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x107de	0x10800	8f020530bf64183b4598b3085a9f6b03	False	0.4820519649621212	data	5.991516424959198	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x12000	0x6164	0x6200	6cba640dbde64f8ce82d1a367478d73e	False	0.33434311224489793	data	4.632881930147428	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x19000	0xd38	0x600	f926aefd7b803ed4d6a71efdd0c17930	False	0.310546875	data	2.588992496206584	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x1a000	0xca8	0xe00	5ba08379ab3fd2d06a07780194ffa0ee	False	0.4545200892857143	PEX Binary Archive	4.418455269512572	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x1b000	0xad8	0xc00	bfe5089f87873e1649a803ed60174128	False	0.3961588541666667	data	4.42197713604801	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1c000	0x520	0x600	5d61936ce61eecf3201ed8c0c5114361	False	0.541015625	data	5.122423379011978	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
MUI	0x1b9d0	0x108	data	English	United States	0.5681818181818182
RT_VERSION	0x1b640	0x390	data	English	United States	0.46271929824561403
RT_MANIFEST	0x1b0f0	0x54f	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.41501103752759383

Imports

DLL	Import
ADVAPI32.dll	RegCloseKey, RegQueryInfoKeyW, RegEnumKeyExW, RegOpenKeyExW, RegSetValueExW, RegCreateKeyExW, RegDeleteValueW, EventRegister, EventUnregister, EventWrite, RegQueryValueExW
KERNEL32.dll	WaitForSingleObject, CreateMutexW, HeapSetInformation, InitializeCriticalSection, GetModuleFileNameW, FindResourceExW, LoadResource, ReleaseMutex, MultiByteToWideChar, lstrcmpiW, GetModuleHandleW, LoadLibraryExW, GetProcAddress, FreeLibrary, GetLastError, CloseHandle, CreateFileW, GetTickCount, LockResource, FindResourceW, GlobalFree, GlobalUnlock, GlobalLock, GlobalAlloc, LocalFree, FormatMessageW, GetSystemDirectoryW, WriteFile, lstrlenW, WideCharToMultiByte, GetSystemTime, CopyFileW, SizeofResource, EnterCriticalSection, LeaveCriticalSection, RaiseException, DeleteCriticalSection, OutputDebugStringA, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, TerminateProcess, SetUnhandledExceptionFilter, HeapFree, VirtualFree, GetCurrentProcess, VirtualAlloc, LoadLibraryExA, EncodePointer, HeapAlloc, DecodePointer, GetProcessHeap, FlushInstructionCache, InterlockedPushEntrySList, InterlockedPopEntrySList, Sleep, GetStartupInfoW, UnhandledExceptionFilter, GetSystemTimeAsFileTime
GDI32.dll	StretchBlt, CreateCompatibleBitmap, SetStretchBltMode, SelectObject, CreateCompatibleDC, GetObjectW, GetTextExtentPoint32W, SetDeviceGammaRamp, GetDeviceGammaRamp, GetStockObject, SetBkMode, SetBkColor, SetTextColor, CreateSolidBrush, GetDeviceCaps, CreateDCW, DeleteDC, DeleteObject
USER32.dll	LoadStringW, GetWindowLongW, GetWindow, ShowWindow, MessageBoxW, ReleaseDC, GetWindowTextW, GetWindowTextLengthW, GetDC, KillTimer, SetTimer, SetWindowTextW, PostMessageW, MapDialogRect, EnumChildWindows, DisplayConfigGetDeviceInfo, QueryDisplayConfig, GetDisplayConfigBufferSizes, EnumDisplayDevicesW, ShowCursor, LoadCursorW, SetCursor, GetMonitorInfoW, EnumDisplayMonitors, MonitorFromWindow, GetParent, InvalidateRect, MapWindowPoints, GetWindowRect, GetDlgItem, DefWindowProcW, SendMessageW, CallWindowProcW, SetWindowPos, SetForegroundWindow, OpenIcon, SetWindowLongPtrW, GetWindowLongPtrW, MonitorFromRect, SendMessageTimeoutW, AllowSetForegroundWindow, GetWindowThreadProcessId, FindWindowW, RegisterWindowMessageW, GetActiveWindow, GetSystemMetrics, CharNextW, DestroyWindow, UnregisterClassA, MoveWindow
msvcrt.dll	iswupper, towlower, _vsnwprintf, memset, ?terminate@@YAXXZ, realloc, _errno, _onexit, __dllonexit, _unlock, _lock, _commode, _fmode, _wcmdln, _initterm, __setusermatherr, _cexit, _exit, exit, __set_app_type, __wgetmainargs, _amsg_exit, _XcptFilter, _callnewh, swscanf_s, wcsstr, _wcsupr, _purecall, memcpy_s, malloc, wcsncpy_s, free, __C_specific_handler, memcpy, powf
ntdll.dll	RtlLookupFunctionEntry, RtlCaptureContext, RtlVirtualUnwind, WinSqmAddToStream
dxva2.dll	GetNumberOfPhysicalMonitorsFromHMONITOR, GetPhysicalMonitorsFromHMONITOR, DestroyPhysicalMonitors, GetMonitorBrightness, SetMonitorBrightness, GetMonitorContrast, SetMonitorContrast, SetVCPFeature, GetVCPFeatureAndVCPFeatureReply
mscms.dll	GetColorProfileFromHandle, DccwReleaseDisplayProfileAssociationList, WcsCreateIccProfile, InstallColorProfileW, SetColorProfileElement, CloseColorProfile, DccwSetDisplayProfileAssociationList, WcsGetUsePerUserProfiles, WcsGetDefaultColorProfile, WcsOpenColorProfileW, DccwGetGamutSize, DccwCreateDisplayProfileAssociationList, SetColorProfileElementSize, WcsGetCalibrationManagementState, WcsDisassociateColorProfileFromDevice, WcsSetDefaultColorProfile, UninstallColorProfileW, DccwGetDisplayProfileAssociationList, GetColorDirectoryW, WcsSetCalibrationManagementState
SHELL32.dll	ShellExecuteW
GDIPLUS.dll	GdipCreateHBITMAPFromBitmap, GdipDisposeImage, GdipCloneImage, GdipFree, GdipCreateLineBrushI, GdipFillRectangleI, GdipAlloc, GdipDeleteBrush, GdipCreateSolidFill, GdipDeleteGraphics, GdipCreateFromHDC, GdiplusShutdown, GdiplusStartup, GdipCreateBitmapFromStream
COMCTL32.dll	TaskDialogIndirect, DestroyPropertySheetPage, CreatePropertySheetPageW, PropertySheetW
OLEAUT32.dll	SysFreeString, VarUI4FromStr, SysAllocString
api-ms-win-core-com-l1-1-0.dll	CoCreateInstance, StringFromCLSID, CreateStreamOnHGlobal, CoTaskMemRealloc, CoTaskMemFree, CoTaskMemAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	09:13:13
Start date:	18/10/2024
Path:	C:\Users\user\Desktop\eVirFdGeXm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\eVirFdGeXm.exe"
Imagebase:	0x7ff6bc710000
File size:	551'543 bytes
MD5 hash:	11E3134472C0035F17A22BFBD2F66416
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	23.8%
Total number of Nodes:	1574
Total number of Limit Nodes:	3

Executed Functions

Function 00007FF6BC714120 Relevance: 40.9, APIs: 16, Strings: 7, Instructions: 603
synchronizationwindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExW.KERNELBASE ref: 00007FF6BC71414D
GetLastError.KERNEL32 ref: 00007FF6BC71416B
WaitForSingleObject.KERNEL32 ref: 00007FF6BC714188
RegisterWindowMessageW.USER32 ref: 00007FF6BC71419B
FindWindowW.USER32 ref: 00007FF6BC7141E4
GetWindowThreadProcessId.USER32 ref: 00007FF6BC71420E
AllowSetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000820,00000000), ref: 00007FF6BC714221
SendMessageTimeoutW.USER32 ref: 00007FF6BC714256
RegisterWindowMessageW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000820,00000000), ref: 00007FF6BC7149BD
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000820,00000000), ref: 00007FF6BC7149EC
WcsGetCalibrationManagementState.MSCMS(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000820,00000000), ref: 00007FF6BC714A12
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000820,00000000), ref: 00007FF6BC714A22
WcsSetCalibrationManagementState.MSCMS(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000820,00000000), ref: 00007FF6BC714A51
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000820,00000000), ref: 00007FF6BC714A61
ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000820,00000000), ref: 00007FF6BC714A9A
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000820,00000000), ref: 00007FF6BC714AAD

Part of subcall function 00007FF6BC72076C: malloc.MSVCRT ref: 00007FF6BC72078A

Part of subcall function 00007FF6BC719468: memset.MSVCRT ref: 00007FF6BC7194A3
Part of subcall function 00007FF6BC719468: CreateSolidBrush.GDI32 ref: 00007FF6BC719571

Strings

NativeHWNDHost, xrefs: 00007FF6BC7141DD
Microsoft.Windows.ICM.DCCW.Activate, xrefs: 00007FF6BC714194
A, xrefs: 00007FF6BC7145CA
strg, xrefs: 00007FF6BC714ADA
Local\DCCW Startup Mutex, xrefs: 00007FF6BC714139
F, xrefs: 00007FF6BC7145C2
dccw, xrefs: 00007FF6BC714267

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: Window$ErrorLast$Message$CalibrationCreateManagementMutexRegisterState$AllowBrushCloseFindForegroundHandleObjectProcessReleaseSendSingleSolidThreadTimeoutWaitmallocmemset
String ID: A$F$Local\DCCW Startup Mutex$Microsoft.Windows.ICM.DCCW.Activate$NativeHWNDHost$dccw$strg
API String ID: 506832570-4174002938
Opcode ID: 880fce475d726c71b8c1d90ba3ae6b59f6f9329bd1a1e61e96336bbe0ea2cbc5
Instruction ID: 4a74536498e401d0f6d58f46687acc6a1e6b11d566ece18ad430b8719f784388
Opcode Fuzzy Hash: 880fce475d726c71b8c1d90ba3ae6b59f6f9329bd1a1e61e96336bbe0ea2cbc5
Instruction Fuzzy Hash: 90427C31B09B5287EB549B6EA4602BAB7A4FF89B84F544034DB4ECB785DF3CE6158700

Function 00007FF6BC711170 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 279
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapSetInformation.KERNEL32 ref: 00007FF6BC71119E
GetCurrentThreadId.KERNEL32 ref: 00007FF6BC7111EB
EventRegister.ADVAPI32 ref: 00007FF6BC71125C
GdiplusStartup.GDIPLUS ref: 00007FF6BC711287
GetSystemMetrics.USER32 ref: 00007FF6BC711312
memset.MSVCRT ref: 00007FF6BC711393
GetActiveWindow.USER32 ref: 00007FF6BC71140F

Part of subcall function 00007FF6BC711638: GetCurrentThreadId.KERNEL32 ref: 00007FF6BC71167C
Part of subcall function 00007FF6BC711638: EnterCriticalSection.KERNEL32 ref: 00007FF6BC711692
Part of subcall function 00007FF6BC711638: LeaveCriticalSection.KERNEL32 ref: 00007FF6BC7116B7
Part of subcall function 00007FF6BC711638: PropertySheetW.COMCTL32 ref: 00007FF6BC7116C7
Part of subcall function 00007FF6BC711638: free.MSVCRT ref: 00007FF6BC7116EE

GdiplusShutdown.GDIPLUS ref: 00007FF6BC711447
EventUnregister.ADVAPI32 ref: 00007FF6BC71145F
EnterCriticalSection.KERNEL32 ref: 00007FF6BC711492
DestroyWindow.USER32 ref: 00007FF6BC7114B6
free.MSVCRT ref: 00007FF6BC7114D6
LeaveCriticalSection.KERNEL32 ref: 00007FF6BC7114FC
free.MSVCRT ref: 00007FF6BC71151C
free.MSVCRT ref: 00007FF6BC711534

Part of subcall function 00007FF6BC713F74: memset.MSVCRT ref: 00007FF6BC714044

Part of subcall function 00007FF6BC714120: CreateMutexExW.KERNELBASE ref: 00007FF6BC71414D
Part of subcall function 00007FF6BC714120: GetLastError.KERNEL32 ref: 00007FF6BC71416B
Part of subcall function 00007FF6BC714120: WaitForSingleObject.KERNEL32 ref: 00007FF6BC714188
Part of subcall function 00007FF6BC714120: RegisterWindowMessageW.USER32 ref: 00007FF6BC71419B
Part of subcall function 00007FF6BC714120: FindWindowW.USER32 ref: 00007FF6BC7141E4
Part of subcall function 00007FF6BC714120: GetWindowThreadProcessId.USER32 ref: 00007FF6BC71420E
Part of subcall function 00007FF6BC714120: AllowSetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000820,00000000), ref: 00007FF6BC714221
Part of subcall function 00007FF6BC714120: SendMessageTimeoutW.USER32 ref: 00007FF6BC714256

Strings

strg, xrefs: 00007FF6BC711293

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: Window$CriticalSectionfree$Thread$CurrentEnterEventGdiplusLeaveMessageRegistermemset$ActiveAllowCreateDestroyErrorFindForegroundHeapInformationLastMetricsMutexObjectProcessPropertySendSheetShutdownSingleStartupSystemTimeoutUnregisterWait
String ID: strg
API String ID: 2231437722-3320446829
Opcode ID: 29b999820bd207e3dfc09787f2ebd763114e3b650abaee725bbe52b6a6442c37
Instruction ID: d7fbc23696c144d7afb18c150897cd49d56cda3ae09f1be573458a59964ac238
Opcode Fuzzy Hash: 29b999820bd207e3dfc09787f2ebd763114e3b650abaee725bbe52b6a6442c37
Instruction Fuzzy Hash: D3D13B35A18A5682EA149F2DE4601B9B7A4FF8AB80F489035DF5E8B765DF3CE644C700

Function 00007FF6BC7208F0 Relevance: 10.6, APIs: 7, Instructions: 143
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoW.KERNEL32 ref: 00007FF6BC720918
Sleep.KERNEL32 ref: 00007FF6BC72094F
_amsg_exit.MSVCRT ref: 00007FF6BC72096D
_initterm.MSVCRT ref: 00007FF6BC7209F8
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF6BC720A25
exit.MSVCRT ref: 00007FF6BC720ACA
_cexit.MSVCRT ref: 00007FF6BC720AD9

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_cexit_inittermexit
String ID:
API String ID: 642454821-0
Opcode ID: 6c1e11f1ebf1920713f8c1fc65071ad98dd96a502b8230403199e6c74c4cd5c1
Instruction ID: 0baaa53b4f75314f300d861ac6b417498d0b9b9ee564b415e2aa51bc1022a631
Opcode Fuzzy Hash: 6c1e11f1ebf1920713f8c1fc65071ad98dd96a502b8230403199e6c74c4cd5c1
Instruction Fuzzy Hash: 2C612335A0864686FB609F2DE86027977E4FB46780F544036DB8EDB6A4DF3CEB818710

Function 00007FF6BC71EF88 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 55
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE ref: 00007FF6BC71EFC6
RegQueryValueExW.ADVAPI32 ref: 00007FF6BC71EFFC
RegCloseKey.ADVAPI32 ref: 00007FF6BC71F028

Strings

UseSimulator, xrefs: 00007FF6BC71EFF0
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\DCCW\Simulator, xrefs: 00007FF6BC71EFB3

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\DCCW\Simulator$UseSimulator
API String ID: 3677997916-1182467772
Opcode ID: 324c6c47381fdb6126d5e04ba265083ed8e80dfd715c38f96470452bf5792154
Instruction ID: 3f1ea86f917ccd62b7494e190ff02b4b85ec25862367369d56e7b965ee45f763
Opcode Fuzzy Hash: 324c6c47381fdb6126d5e04ba265083ed8e80dfd715c38f96470452bf5792154
Instruction Fuzzy Hash: 7A219D37604B52CEE7208F29E8901A87BA4FB4939DF491235EB0E87B54EF38D585C740

Function 00007FF6BC711638 Relevance: 7.6, APIs: 5, Instructions: 60
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF6BC71167C
EnterCriticalSection.KERNEL32 ref: 00007FF6BC711692
LeaveCriticalSection.KERNEL32 ref: 00007FF6BC7116B7
PropertySheetW.COMCTL32 ref: 00007FF6BC7116C7
free.MSVCRT ref: 00007FF6BC7116EE

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeavePropertySheetThreadfree
String ID:
API String ID: 422299603-0
Opcode ID: beff49f172d0528a608b0f057ddb429f9fbb632655c9bfd8846fd3a0e38d1527
Instruction ID: 202c9eed69d4837008f5aeb879f58c9167a6c6cbb4ac8acbe885fcef872f4c4e
Opcode Fuzzy Hash: beff49f172d0528a608b0f057ddb429f9fbb632655c9bfd8846fd3a0e38d1527
Instruction Fuzzy Hash: 61211932A15B868BDB408F29E5643B8B7B0FB4AB59F188134CB5D8B764DF39D15AC700

Function 00007FF6BC719468 Relevance: 3.1, APIs: 2, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF6BC7194A3
CreateSolidBrush.GDI32 ref: 00007FF6BC719571

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: BrushCreateSolidmemset
String ID:
API String ID: 1302505579-0
Opcode ID: 2e1c53eced954e63c49af98b94018f358c8e14bfdaeb3a53d9e4906ac26c8afa
Instruction ID: 41366aa4a5e713062df2eba009fe3a5b4b3965512eb5d4d9081e9cf2bafdf2bf
Opcode Fuzzy Hash: 2e1c53eced954e63c49af98b94018f358c8e14bfdaeb3a53d9e4906ac26c8afa
Instruction Fuzzy Hash: BE310432615B858BE3648B29F4943AAB7B4F708758F108139C7EE4AB60DF7DE199C740

Function 00007FF6BC720234 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6BC72076C: malloc.MSVCRT ref: 00007FF6BC72078A

LoadStringW.USER32 ref: 00007FF6BC720274

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: LoadStringmalloc
String ID:
API String ID: 905986743-0
Opcode ID: 4c6ff5139db4d972557f54c97b4cdf57c119e39ac3b0321e5bfc280501f11e71
Instruction ID: 3f707584ba5a0f5e784e0eb376d8f4fc7ba67c5835dcfe97fbe043d18059b285
Opcode Fuzzy Hash: 4c6ff5139db4d972557f54c97b4cdf57c119e39ac3b0321e5bfc280501f11e71
Instruction Fuzzy Hash: 1121D531B0D64282EE149F6AA4602795BD0BF4ABD4F048239EF6D9FBC2DE3CD6418750

Function 00007FF6BC7208A0 Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wgetmainargs.KERNELBASE ref: 00007FF6BC7208D8

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: __wgetmainargs
String ID:
API String ID: 1709950718-0
Opcode ID: 7794cf88437b67fb74ca6628a44354258c93d0fbee989022b65bbec9e1e19274
Instruction ID: b6083040816897bfe61f57f0025ab884787012a10a9fd8c88c15bb1576aa417e
Opcode Fuzzy Hash: 7794cf88437b67fb74ca6628a44354258c93d0fbee989022b65bbec9e1e19274
Instruction Fuzzy Hash: E4E07574E0964BD6EB008B18E8608A037E1BB16304F880132CA2C9A730DE3DA349CB44

Function 00007FF6BC72076C Relevance: 1.3, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF6BC72078A

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 409a51d12d4346e0ccf929c9ba02bb5b589005c5bcbd961b2aa3be7f1e686cfc
Instruction ID: 11838bd8a90a257b9b274dcffb7ad587ca6c6f9e13db92f742c0d8a350c1e082
Opcode Fuzzy Hash: 409a51d12d4346e0ccf929c9ba02bb5b589005c5bcbd961b2aa3be7f1e686cfc
Instruction Fuzzy Hash: 1AD0C220B0D64640FD145B3A62A027947504F4ABC0F084030DF4D8E796EE2CE6828F20

Non-executed Functions

Function 00007FF6BC712E8C Relevance: 58.4, APIs: 28, Strings: 5, Instructions: 669registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BC712CA0: CharNextW.USER32(00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC712CDF
Part of subcall function 00007FF6BC712CA0: CharNextW.USER32(00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC712D15
Part of subcall function 00007FF6BC712CA0: CharNextW.USER32 ref: 00007FF6BC712DDB

lstrcmpiW.KERNEL32(?,?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000,?), ref: 00007FF6BC712F0E
lstrcmpiW.KERNEL32(?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC712F2F
CharNextW.USER32(?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC712F83
lstrcmpiW.KERNEL32(?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC712FB2
lstrcmpiW.KERNEL32(?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC71302B
lstrcmpiW.KERNEL32(?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC71305D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC713106
RegDeleteValueW.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC713129
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC713148
CharNextW.USER32(?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC71317C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC7131CF
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC7131EB
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC713227
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC713241
RegCreateKeyExW.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC71328D
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC7132AD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC713388
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC7133A8
wcsncpy_s.MSVCRT ref: 00007FF6BC7133E8
RegQueryInfoKeyW.ADVAPI32 ref: 00007FF6BC71350A
lstrcmpiW.KERNEL32(?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC713530
RegQueryInfoKeyW.ADVAPI32 ref: 00007FF6BC7135B1
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC7135D6
RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000,?), ref: 00007FF6BC713638

Strings

NoRemove, xrefs: 00007FF6BC713021
Val, xrefs: 00007FF6BC713053
Delete, xrefs: 00007FF6BC712F01
ForceRemove, xrefs: 00007FF6BC712F1C
fRt 1), xrefs: 00007FF6BC712EAE, 00007FF6BC7136D9

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: Close$lstrcmpi$CharNext$Open$InfoQuery$CreateDeleteValuewcsncpy_s
String ID: Delete$ForceRemove$NoRemove$Val$fRt 1)
API String ID: 1824292420-735408262
Opcode ID: 9c8114f7b109bc2cfec2f099707de75b4727bb0cf6a25533f7cb13d4532c693c
Instruction ID: f196efc2843fc5fe9f1127b12d7368a3da20f5cc0c24124c7e7ed47795d69559
Opcode Fuzzy Hash: 9c8114f7b109bc2cfec2f099707de75b4727bb0cf6a25533f7cb13d4532c693c
Instruction Fuzzy Hash: FF427021A08B6287FB149B6EA46027AA7A5FF89B94F409131DF4DC7B94DF3CE6458700

Function 00007FF6BC71EBC4 Relevance: 47.5, APIs: 24, Strings: 3, Instructions: 242
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetObjectW.GDI32 ref: 00007FF6BC71EC34
GetLastError.KERNEL32 ref: 00007FF6BC71EC5E
GetWindowRect.USER32 ref: 00007FF6BC71EC84
GetLastError.KERNEL32 ref: 00007FF6BC71ECB6
GetDC.USER32 ref: 00007FF6BC71ECD7
GetLastError.KERNEL32 ref: 00007FF6BC71ECEB
CreateCompatibleDC.GDI32 ref: 00007FF6BC71ED10
GetLastError.KERNEL32 ref: 00007FF6BC71ED24
SelectObject.GDI32 ref: 00007FF6BC71ED4E
CreateCompatibleDC.GDI32 ref: 00007FF6BC71ED70
GetLastError.KERNEL32 ref: 00007FF6BC71ED84
SetStretchBltMode.GDI32 ref: 00007FF6BC71EDAE
GetLastError.KERNEL32 ref: 00007FF6BC71EDBE
CreateCompatibleBitmap.GDI32 ref: 00007FF6BC71EDE9
GetLastError.KERNEL32 ref: 00007FF6BC71EDFD
SelectObject.GDI32 ref: 00007FF6BC71EE25
StretchBlt.GDI32 ref: 00007FF6BC71EE7B
GetLastError.KERNEL32 ref: 00007FF6BC71EE8B
SendMessageW.USER32 ref: 00007FF6BC71EEB7
DeleteObject.GDI32 ref: 00007FF6BC71EEDD
ReleaseDC.USER32 ref: 00007FF6BC71EEF4
DeleteDC.GDI32 ref: 00007FF6BC71EF08
DeleteDC.GDI32 ref: 00007FF6BC71EF1C
DeleteObject.GDI32 ref: 00007FF6BC71EF34

Strings

SendMessage(STM_SETIMAGE, 0x%08x) returned 0x%08x, xrefs: 00007FF6BC71EEC6
, xrefs: 00007FF6BC71EE4B
fRt 1), xrefs: 00007FF6BC71EBDB

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: ErrorLast$Object$Delete$CompatibleCreate$SelectStretch$BitmapMessageModeRectReleaseSendWindow
String ID: $SendMessage(STM_SETIMAGE, 0x%08x) returned 0x%08x$fRt 1)
API String ID: 1596057509-4091570535
Opcode ID: 256468c35a5c333182ec0d9b5386298bcb3ba475755d42762c654f0558f1f5e9
Instruction ID: 4783e97da4f6b2ab05da2c0f2029d943f1508d8aee0c6bc7669110f910d5bd28
Opcode Fuzzy Hash: 256468c35a5c333182ec0d9b5386298bcb3ba475755d42762c654f0558f1f5e9
Instruction Fuzzy Hash: 3BA15131A087528BF7509B6EA46437ABBE8FF8AB95F448134DF4E86750DF3DE5048A10

Function 00007FF6BC71388C Relevance: 33.6, APIs: 14, Strings: 5, Instructions: 344
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32 ref: 00007FF6BC7138D7
FindResourceExW.KERNEL32 ref: 00007FF6BC713903
FreeLibrary.KERNEL32 ref: 00007FF6BC7139FB

Part of subcall function 00007FF6BC7120C8: GetLastError.KERNEL32 ref: 00007FF6BC7120CC

Strings

Module, xrefs: 00007FF6BC713CB9
Module_Raw, xrefs: 00007FF6BC713D0A
fRt 1), xrefs: 00007FF6BC7138A2, 00007FF6BC713A6B
APPID, xrefs: 00007FF6BC713AFF
REGISTRY, xrefs: 00007FF6BC713D5E

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: Library$ErrorFindFreeLastLoadResource
String ID: APPID$Module$Module_Raw$REGISTRY$fRt 1)
API String ID: 3418355812-1571938973
Opcode ID: 90801f9c52664019273394f5020d6b8e6cfbc601308a39d8e4dabb760c36f2cc
Instruction ID: 1fcce44c8786e55c55d367452fd5748353376b5d0fa942170bf3a51c54b9edc7
Opcode Fuzzy Hash: 90801f9c52664019273394f5020d6b8e6cfbc601308a39d8e4dabb760c36f2cc
Instruction Fuzzy Hash: 5CD1C522B18A9297EB108F2DE4602B9A7A4FB49B94F545235DB4EC7794EF3CD744C700

Function 00007FF6BC71E884 Relevance: 31.7, APIs: 21, Instructions: 219
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6BC715A8B), ref: 00007FF6BC71E8C9
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6BC715A8B), ref: 00007FF6BC71E8DD
LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6BC715A8B), ref: 00007FF6BC71E901
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6BC715A8B), ref: 00007FF6BC71E915
SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6BC715A8B), ref: 00007FF6BC71E939
LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6BC715A8B), ref: 00007FF6BC71E94B
GlobalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6BC715A8B), ref: 00007FF6BC71E974
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6BC715A8B), ref: 00007FF6BC71E988
GlobalLock.KERNEL32 ref: 00007FF6BC71E9B8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6BC715A8B), ref: 00007FF6BC71E9CC
memcpy.MSVCRT ref: 00007FF6BC71E9F6
CreateStreamOnHGlobal.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,?,?,?,?,?,00007FF6BC715A8B), ref: 00007FF6BC71EA08
GlobalUnlock.KERNEL32 ref: 00007FF6BC71EA1D
GlobalFree.KERNEL32 ref: 00007FF6BC71EA2C
GlobalUnlock.KERNEL32 ref: 00007FF6BC71EA40
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6BC715A8B), ref: 00007FF6BC71EA50
GdipAlloc.GDIPLUS(?,?,?,?,?,?,?,?,?,00007FF6BC715A8B), ref: 00007FF6BC71EA74
GdipCreateBitmapFromStream.GDIPLUS ref: 00007FF6BC71EAA2
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,?,?,?,?,?,?,?,00007FF6BC715A8B), ref: 00007FF6BC71EAE6
GetObjectW.GDI32 ref: 00007FF6BC71EB27
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6BC715A8B), ref: 00007FF6BC71EB53

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: ErrorGlobalLast$Resource$CreateGdip$AllocBitmapFromLockStreamUnlock$FindFreeLoadObjectSizeofmemcpy
String ID:
API String ID: 4269010864-0
Opcode ID: 34cc1bb78437ef507faa5e9d081eb9913bc9026a120fc61a3abe12c9706583ce
Instruction ID: 8602e290fb7fcde6534584da09aea1c007fd164e86fdff23eeeb5536f098e16f
Opcode Fuzzy Hash: 34cc1bb78437ef507faa5e9d081eb9913bc9026a120fc61a3abe12c9706583ce
Instruction Fuzzy Hash: 6F913B72608B5287EB504B2E9868679BBE5FF8AF91F058135DF4E87390DF3CE6058600

Function 00007FF6BC71892C Relevance: 26.5, APIs: 6, Strings: 9, Instructions: 238timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32 ref: 00007FF6BC718A52
powf.MSVCRT ref: 00007FF6BC718B85
powf.MSVCRT ref: 00007FF6BC718B98

Part of subcall function 00007FF6BC720234: LoadStringW.USER32 ref: 00007FF6BC720274

powf.MSVCRT ref: 00007FF6BC718BAC

Part of subcall function 00007FF6BC720324: _vsnwprintf.MSVCRT ref: 00007FF6BC72039C

WcsOpenColorProfileW.MSCMS ref: 00007FF6BC718C97
GetLastError.KERNEL32 ref: 00007FF6BC718CAC

Strings

strg, xrefs: 00007FF6BC718A81
strg, xrefs: 00007FF6BC718BCC
<cal:AdapterGammaConfiguration><cal:ParameterizedCurves><wcs:RedTRC Gamma="%f" Gain="%f" Offset1="0.0"/><wcs:GreenT, xrefs: 00007FF6BC718BB7
fRt 1), xrefs: 00007FF6BC718963
strg, xrefs: 00007FF6BC71898C
%4d-%02d-%02dT%02d:%02d:%02d, xrefs: 00007FF6BC718A8A
<?xml version="1.0" encoding="utf-16"?><cdm:ColorDeviceModel%txmlns:cdm="http://schemas.microsoft.com/windows/2005/02/color/Colo, xrefs: 00007FF6BC718AAA
</cdm:Calibration></cdm:ColorDeviceModel>, xrefs: 00007FF6BC718C21
D65.camp, xrefs: 00007FF6BC718C61

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: powf$ColorErrorLastLoadOpenProfileStringSystemTime_vsnwprintf
String ID: </cdm:Calibration></cdm:ColorDeviceModel>$<cal:AdapterGammaConfiguration><cal:ParameterizedCurves><wcs:RedTRC Gamma="%f" Gain="%f" Offset1="0.0"/><wcs:GreenT$%4d-%02d-%02dT%02d:%02d:%02d$<?xml version="1.0" encoding="utf-16"?><cdm:ColorDeviceModel%txmlns:cdm="http://schemas.microsoft.com/windows/2005/02/color/Colo$D65.camp$fRt 1)$strg$strg$strg
API String ID: 853045475-1474963839
Opcode ID: 30428f47329bbed1be8f2258951527f5bce59d329196f4d18e643bae5999475b
Instruction ID: ba8393fe51b595234e8a5cc60a63915280e8ea74e6b929cf717966a2c7bade4f
Opcode Fuzzy Hash: 30428f47329bbed1be8f2258951527f5bce59d329196f4d18e643bae5999475b
Instruction Fuzzy Hash: 11B1CD32A18B9686E701DF2DE4905AA7BA4FF4A784F404336EF4D97665DF38E641C700

Function 00007FF6BC712518 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 322registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BC712CA0: CharNextW.USER32(00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC712CDF
Part of subcall function 00007FF6BC712CA0: CharNextW.USER32(00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC712D15
Part of subcall function 00007FF6BC712CA0: CharNextW.USER32 ref: 00007FF6BC712DDB

lstrcmpiW.KERNEL32(?,00000000,00000001,00000000,00000000,?,00000000,?,?,?,?,00000000,?,?,00000000,00000000), ref: 00007FF6BC712584
CharNextW.USER32(?,00000000,?,?,?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000), ref: 00007FF6BC7125D1
CharNextW.USER32(?,00000000,?,?,?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000), ref: 00007FF6BC712694
CharNextW.USER32(?,00000000,?,?,?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000), ref: 00007FF6BC7126B6
RegSetValueExW.ADVAPI32(?,00000000,?,?,?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000), ref: 00007FF6BC712722

Part of subcall function 00007FF6BC712CA0: CharNextW.USER32 ref: 00007FF6BC712D35
Part of subcall function 00007FF6BC712CA0: CharNextW.USER32 ref: 00007FF6BC712D53
Part of subcall function 00007FF6BC712CA0: CharNextW.USER32 ref: 00007FF6BC712D68
Part of subcall function 00007FF6BC712CA0: CharNextW.USER32(00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC712E05

Strings

fRt 1), xrefs: 00007FF6BC71253A

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: CharNext$Valuelstrcmpi
String ID: fRt 1)
API String ID: 4139903544-1967341498
Opcode ID: 0d9dc5bc92d5043922235264c6d298780074dfb5e9f2cb1316378155485a9d56
Instruction ID: a88c0e1cd2f3a677ec17dceef46565e997513a46ed76a4b27be5e9f9ae8fade3
Opcode Fuzzy Hash: 0d9dc5bc92d5043922235264c6d298780074dfb5e9f2cb1316378155485a9d56
Instruction Fuzzy Hash: 57C1D632A086A286EB609F2DD474279A7A1FB85BA1F804131EB5DC7BD4DF7CE645C700

Function 00007FF6BC7211E4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6BC721214
GetCurrentProcessId.KERNEL32 ref: 00007FF6BC721222
GetCurrentThreadId.KERNEL32 ref: 00007FF6BC72122E
GetTickCount.KERNEL32 ref: 00007FF6BC72123A
GetTickCount.KERNEL32 ref: 00007FF6BC72124A
QueryPerformanceCounter.KERNEL32 ref: 00007FF6BC721265

Strings

fRt 1), xrefs: 00007FF6BC721200

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
String ID: fRt 1)
API String ID: 4104442557-1967341498
Opcode ID: 65dc1b7222ee4bc63c0c8e5d9ed277b49e7a5b34b0b1713c0f847b39d273f1e5
Instruction ID: f70fe598cd8e9d42d20dcb0c2137fb01c7492288d93ab2d219a365d1b0941607
Opcode Fuzzy Hash: 65dc1b7222ee4bc63c0c8e5d9ed277b49e7a5b34b0b1713c0f847b39d273f1e5
Instruction Fuzzy Hash: 81112E26B04B458BEB10DF79E8642A833E4FB0A758F441A35EB6D8B754DF7CD6A48340

Function 00007FF6BC71F7DC Relevance: 5.0, APIs: 4, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00007FF6BC71F70F,?,?,?,00007FF6BC71F997,?,?,00000000,00007FF6BC715294), ref: 00007FF6BC71F7F8
HeapAlloc.KERNEL32(?,?,?,00007FF6BC71F70F,?,?,?,00007FF6BC71F997,?,?,00000000,00007FF6BC715294), ref: 00007FF6BC71F810
GetProcessHeap.KERNEL32(?,?,?,00007FF6BC71F70F,?,?,?,00007FF6BC71F997,?,?,00000000,00007FF6BC715294), ref: 00007FF6BC71F82E
HeapFree.KERNEL32(?,?,?,00007FF6BC71F70F,?,?,?,00007FF6BC71F997,?,?,00000000,00007FF6BC715294), ref: 00007FF6BC71F842

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 299feaa0420b7858bdce015f6d0638767cce41464ea664b4bbc8ca619658b0b7
Instruction ID: 69ed173c95f281c871a73a0a9c165df2224c8caa57d013084193bbee45642ac4
Opcode Fuzzy Hash: 299feaa0420b7858bdce015f6d0638767cce41464ea664b4bbc8ca619658b0b7
Instruction Fuzzy Hash: E401E831605B45D7EB458B2AE810279BBE4FB4EB95F489138CE0D8B354EF39D990CB50

Function 00007FF6BC720478 Relevance: 4.5, APIs: 3, Instructions: 43windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32 ref: 00007FF6BC7204BC
LocalFree.KERNEL32 ref: 00007FF6BC7204EB
GetLastError.KERNEL32 ref: 00007FF6BC7204F9

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID:
API String ID: 1365068426-0
Opcode ID: 07a143f27d637a182613afe3872ed03f0372d4f24c26b0b94736ed47b6b82a84
Instruction ID: 85f6a1b906f781fed160433c79569ce22677296577d2b77ca5f73b3dc1e21fc1
Opcode Fuzzy Hash: 07a143f27d637a182613afe3872ed03f0372d4f24c26b0b94736ed47b6b82a84
Instruction Fuzzy Hash: 7A117072714B01CAEB108B25E4987BDB7E8FB5A751F514234CB5D8A340DF39DA54C750

Function 00007FF6BC711780 Relevance: 1.5, APIs: 1, Instructions: 35comCOMMON

Download Yara Rule

APIs

CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF6BC7117C2

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: ec3cbdc53d36a99e4103560137412fffa0eb78cc167c5e6028a12185ec617cc2
Instruction ID: 2b74fc6293b7762ffab0260aa8168907f8f5e8f841a751e6960e670cabc7a010
Opcode Fuzzy Hash: ec3cbdc53d36a99e4103560137412fffa0eb78cc167c5e6028a12185ec617cc2
Instruction Fuzzy Hash: 2101713A608A5683E7108F2DE460069B7B5FB84BC4B54C032DB4D87728DF3CD656C700

Function 00007FF6BC721010 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6BC72101B

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a76db6f9ecfeb1ddcb4407d13828a342284b2f33d4def26b4bb5199a2fa0a3d9
Instruction ID: c84c7cfcb64c82c418ccea073168b4286e8efb2c249850d435eda3bc4c78154e
Opcode Fuzzy Hash: a76db6f9ecfeb1ddcb4407d13828a342284b2f33d4def26b4bb5199a2fa0a3d9
Instruction Fuzzy Hash: DDB01220F65442C3D604BF26DCA506413E0BF9D300FC00430C20DCC124DE1CD39B8710

Function 00007FF6BC716390 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MonitorFromWindow.USER32 ref: 00007FF6BC7163A8
LoadCursorW.USER32 ref: 00007FF6BC717C6E
SetCursor.USER32 ref: 00007FF6BC717C7D
ShowCursor.USER32 ref: 00007FF6BC717C90
GetNumberOfPhysicalMonitorsFromHMONITOR.DXVA2 ref: 00007FF6BC717CFC
DeleteDC.GDI32 ref: 00007FF6BC717D36
EnumDisplayMonitors.USER32 ref: 00007FF6BC717D54
GetDeviceCaps.GDI32 ref: 00007FF6BC717D82
GetPhysicalMonitorsFromHMONITOR.DXVA2 ref: 00007FF6BC717DBD
DccwCreateDisplayProfileAssociationList.MSCMS ref: 00007FF6BC717E3A
ShowCursor.USER32 ref: 00007FF6BC717F4C
LoadCursorW.USER32 ref: 00007FF6BC717F5F
SetCursor.USER32 ref: 00007FF6BC717F6E

Strings

fRt 1), xrefs: 00007FF6BC717C4E

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: Cursor$FromMonitors$DisplayLoadPhysicalShow$AssociationCapsCreateDccwDeleteDeviceEnumListMonitorNumberProfileWindow
String ID: fRt 1)
API String ID: 1515302180-1967341498
Opcode ID: d59255762fc596ecea68111d695f0a055db75ebb4911d35f6ece792140594a71
Instruction ID: 8b4476cf8bd1d8689b67aa6b41c83817b52b3c9d3bdbc9c8de91796baa086fb7
Opcode Fuzzy Hash: d59255762fc596ecea68111d695f0a055db75ebb4911d35f6ece792140594a71
Instruction Fuzzy Hash: 1EA15F31B08B5387EB148F6EA4A1179ABA8FB8AB90F445135DF4E87750DF3CE6568700

Function 00007FF6BC7172B0 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 181
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6BC71892C: GetSystemTime.KERNEL32 ref: 00007FF6BC718A52

WcsCreateIccProfile.MSCMS ref: 00007FF6BC7172FE
GetLastError.KERNEL32 ref: 00007FF6BC717312
GetColorProfileFromHandle.MSCMS ref: 00007FF6BC717348
GetLastError.KERNEL32 ref: 00007FF6BC717358
GetColorProfileFromHandle.MSCMS ref: 00007FF6BC7173B6
GetLastError.KERNEL32 ref: 00007FF6BC7173C6
CreateFileW.KERNEL32 ref: 00007FF6BC71740F
GetLastError.KERNEL32 ref: 00007FF6BC717424
WriteFile.KERNEL32 ref: 00007FF6BC71745A
GetLastError.KERNEL32 ref: 00007FF6BC717479
CloseHandle.KERNEL32 ref: 00007FF6BC71749A
InstallColorProfileW.MSCMS ref: 00007FF6BC7174B4
GetLastError.KERNEL32 ref: 00007FF6BC7174C4
CloseHandle.KERNEL32 ref: 00007FF6BC717501
CloseColorProfile.MSCMS ref: 00007FF6BC717518
CloseColorProfile.MSCMS ref: 00007FF6BC71752C

Strings

strg, xrefs: 00007FF6BC717540

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: ErrorLastProfile$Color$CloseHandle$CreateFileFrom$InstallSystemTimeWrite
String ID: strg
API String ID: 3772428985-3320446829
Opcode ID: 18ee14e70dc7c17f7d28d135e43027df69b2e4ad680ac93a5a5052a0c232d38c
Instruction ID: 942a016d9992b1da1baa1d1999bb2ef954662d8cb5d07975d580aeb5fdc4d955
Opcode Fuzzy Hash: 18ee14e70dc7c17f7d28d135e43027df69b2e4ad680ac93a5a5052a0c232d38c
Instruction Fuzzy Hash: 7C717132604A6287F7105F2D94243B9ABA5FF8ABA5F464231DF2EC7790DF3CD5458610

Function 00007FF6BC71AF24 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 187COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BC71970C: MapDialogRect.USER32 ref: 00007FF6BC71973D
Part of subcall function 00007FF6BC71970C: GetWindowRect.USER32 ref: 00007FF6BC719769
Part of subcall function 00007FF6BC71970C: EnumChildWindows.USER32 ref: 00007FF6BC719802
Part of subcall function 00007FF6BC71970C: InvalidateRect.USER32 ref: 00007FF6BC719818

GetDlgItem.USER32 ref: 00007FF6BC71AFAC

Part of subcall function 00007FF6BC71E884: FindResourceW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6BC715A8B), ref: 00007FF6BC71E8C9
Part of subcall function 00007FF6BC71E884: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6BC715A8B), ref: 00007FF6BC71E8DD
Part of subcall function 00007FF6BC71E884: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6BC715A8B), ref: 00007FF6BC71E901
Part of subcall function 00007FF6BC71E884: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6BC715A8B), ref: 00007FF6BC71E915
Part of subcall function 00007FF6BC71E884: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6BC715A8B), ref: 00007FF6BC71E939
Part of subcall function 00007FF6BC71E884: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6BC715A8B), ref: 00007FF6BC71E94B
Part of subcall function 00007FF6BC71E884: GlobalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6BC715A8B), ref: 00007FF6BC71E974
Part of subcall function 00007FF6BC71E884: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6BC715A8B), ref: 00007FF6BC71E988
Part of subcall function 00007FF6BC71E884: GlobalLock.KERNEL32 ref: 00007FF6BC71E9B8
Part of subcall function 00007FF6BC71E884: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6BC715A8B), ref: 00007FF6BC71E9CC
Part of subcall function 00007FF6BC71E884: memcpy.MSVCRT ref: 00007FF6BC71E9F6

GetWindowRect.USER32 ref: 00007FF6BC71AFEE
MapWindowPoints.USER32 ref: 00007FF6BC71B00E
GetLastError.KERNEL32 ref: 00007FF6BC71B01C
MoveWindow.USER32 ref: 00007FF6BC71B09E
GetLastError.KERNEL32 ref: 00007FF6BC71B0AE
InvalidateRect.USER32 ref: 00007FF6BC71B0F8
GetDlgItem.USER32 ref: 00007FF6BC71B10D
GetWindowRect.USER32 ref: 00007FF6BC71B123
MapWindowPoints.USER32 ref: 00007FF6BC71B143
GetLastError.KERNEL32 ref: 00007FF6BC71B151
MoveWindow.USER32 ref: 00007FF6BC71B1A4
GetLastError.KERNEL32 ref: 00007FF6BC71B1B4
DeleteObject.GDI32 ref: 00007FF6BC71B1C9

Strings

fRt 1), xrefs: 00007FF6BC71AF42

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: ErrorLast$Window$Rect$Resource$GlobalInvalidateItemLockMovePoints$AllocChildDeleteDialogEnumFindLoadObjectSizeofWindowsmemcpy
String ID: fRt 1)
API String ID: 3272798517-1967341498
Opcode ID: 2c537e02b8859332e34ba3de272a0cd0033032187a92642127ef4a28d88d561b
Instruction ID: 516bb66ab24630cd06298976a39ef26f85bae5f01df8053cf7bf4bbf046362f6
Opcode Fuzzy Hash: 2c537e02b8859332e34ba3de272a0cd0033032187a92642127ef4a28d88d561b
Instruction Fuzzy Hash: 68815972B14A528BE710CF79E4546ADBBB4FB4AB88F408231DF0A97654CF38E645CB40

Function 00007FF6BC718EC4 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 240stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,00007FF6BC717335), ref: 00007FF6BC718F8A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,00007FF6BC717335), ref: 00007FF6BC718F9D
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,00007FF6BC717335), ref: 00007FF6BC718FFB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,00007FF6BC717335), ref: 00007FF6BC71900B
memset.MSVCRT ref: 00007FF6BC71909B

Part of subcall function 00007FF6BC720234: LoadStringW.USER32 ref: 00007FF6BC720274

memcpy.MSVCRT ref: 00007FF6BC7190C1
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,00007FF6BC717335), ref: 00007FF6BC7190D0
SetColorProfileElementSize.MSCMS(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,00007FF6BC717335), ref: 00007FF6BC719178
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,00007FF6BC717335), ref: 00007FF6BC719188
SetColorProfileElement.MSCMS(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,00007FF6BC717335), ref: 00007FF6BC7191BC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,00007FF6BC717335), ref: 00007FF6BC7191CC

Strings

csed, xrefs: 00007FF6BC719165
strg, xrefs: 00007FF6BC718EEA

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: ErrorLast$ByteCharColorElementMultiProfileWide$LoadSizeStringlstrlenmemcpymemset
String ID: csed$strg
API String ID: 658256186-994031623
Opcode ID: 74895fc5265322c011d18fc8d1ceb18fd9ce42abd742992fd9784cc63d00f51e
Instruction ID: fb9b766ec8072a1a221f431115dee349dd171cd42b206a1d5db400b6f827be71
Opcode Fuzzy Hash: 74895fc5265322c011d18fc8d1ceb18fd9ce42abd742992fd9784cc63d00f51e
Instruction Fuzzy Hash: 6491E432E04A628AE7109F2D98242B96BA4FB4ABE4F054234DF5ED7794DF3CD545C350

Function 00007FF6BC711850 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 210COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BC711DB0: InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,00007FF6BC71102E), ref: 00007FF6BC711DB4

GetModuleFileNameW.KERNEL32 ref: 00007FF6BC711932

Strings

Module, xrefs: 00007FF6BC711AA6
Module_Raw, xrefs: 00007FF6BC711AF4
fRt 1), xrefs: 00007FF6BC71186B
APPID, xrefs: 00007FF6BC7118FD
REGISTRY, xrefs: 00007FF6BC711B31

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: CriticalFileInitializeModuleNameSection
String ID: APPID$Module$Module_Raw$REGISTRY$fRt 1)
API String ID: 867279363-1571938973
Opcode ID: a0d5b1299a812fab3d06bc3ae251e4010f43a90b9c47b7608e2cbb004c1e17e1
Instruction ID: 68f43fcaaa1c603ff20319cc964a2fd8c87b54e2df8c1dacbce503f42cd3a94b
Opcode Fuzzy Hash: a0d5b1299a812fab3d06bc3ae251e4010f43a90b9c47b7608e2cbb004c1e17e1
Instruction Fuzzy Hash: EA81E522B28A9697EB108F2CE4602F9A7A4FF95758F405235DB4E8B794EF7CD244C700

Function 00007FF6BC717FA4 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 106COMMON

Download Yara Rule

APIs

GetMonitorInfoW.USER32 ref: 00007FF6BC717FF6
GetLastError.KERNEL32 ref: 00007FF6BC71800B
EnumDisplayDevicesW.USER32 ref: 00007FF6BC71803E
GetLastError.KERNEL32 ref: 00007FF6BC71804E
StringFromCLSID.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF6BC718078
_wcsupr.MSVCRT ref: 00007FF6BC718095
wcsstr.MSVCRT ref: 00007FF6BC7180AD
swscanf_s.MSVCRT ref: 00007FF6BC718107
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF6BC718124

Strings

%04d, xrefs: 00007FF6BC7180FC
h, xrefs: 00007FF6BC717FDA
fRt 1), xrefs: 00007FF6BC717FC6

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: ErrorLast$DevicesDisplayEnumFreeFromInfoMonitorStringTask_wcsuprswscanf_swcsstr
String ID: %04d$fRt 1)$h
API String ID: 4201562086-345513037
Opcode ID: 209c7a5670a4b3daa481664d0a544e8291762fe8d2151f43cac6e2786236de3d
Instruction ID: 8b0fcee35750324728303fe0de5cae7ccb915671bbb0bd8940a3eb791fe63a17
Opcode Fuzzy Hash: 209c7a5670a4b3daa481664d0a544e8291762fe8d2151f43cac6e2786236de3d
Instruction Fuzzy Hash: A0419332704B96C6E7108F29E8A42B9BBA4FB89B94F814275DF4E87350DF38D605C710

Function 00007FF6BC712228 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 208memorystringCOMMON

Download Yara Rule

APIs

CoTaskMemAlloc.API-MS-WIN-CORE-COM-L1-1-0(00000002,?,?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000), ref: 00007FF6BC7122A5
CharNextW.USER32(?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC7122D9
CharNextW.USER32(?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC712311
CharNextW.USER32(?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC712340
wcsncpy_s.MSVCRT ref: 00007FF6BC71237F
EnterCriticalSection.KERNEL32(?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC7123BB
lstrcmpiW.KERNEL32(?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC7123DF

Strings

fRt 1), xrefs: 00007FF6BC712244

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: CharNext$AllocCriticalEnterSectionTasklstrcmpiwcsncpy_s
String ID: fRt 1)
API String ID: 1163771381-1967341498
Opcode ID: 7dd8356095bd221745c62d516dae8cc70c03e980f949df3011462a31d4d8d254
Instruction ID: 15ef55ccb009666ef8d85cd79c0bedb70cc7867b450d93535e7c7c8d4812a439
Opcode Fuzzy Hash: 7dd8356095bd221745c62d516dae8cc70c03e980f949df3011462a31d4d8d254
Instruction Fuzzy Hash: 3081A072B08A5286EB648F5EE46027C67A4FB49B65F518235CF6EC77D0DE3CDA418300

Function 00007FF6BC71A670 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 155COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00007FF6BC71A6BC
GetWindowRect.USER32 ref: 00007FF6BC71A6DC
GetWindowRect.USER32 ref: 00007FF6BC71A6FC
MoveWindow.USER32 ref: 00007FF6BC71A769
MoveWindow.USER32 ref: 00007FF6BC71A7DA
MoveWindow.USER32 ref: 00007FF6BC71A807
MoveWindow.USER32 ref: 00007FF6BC71A850
MoveWindow.USER32 ref: 00007FF6BC71A889
InvalidateRect.USER32 ref: 00007FF6BC71A89E

Strings

VUUU, xrefs: 00007FF6BC71A779
fRt 1), xrefs: 00007FF6BC71A695

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: Window$Move$Rect$Invalidate
String ID: VUUU$fRt 1)
API String ID: 1073283866-2126614922
Opcode ID: dc7ebb7c3b751ccec863f153c438df20f1d0b4bf0f6f0267bb1b78b73d031641
Instruction ID: 7c360d13d13fbd6673f12858fd4a48c6f0ae9c6226eab087dbb4f2f98530ca22
Opcode Fuzzy Hash: dc7ebb7c3b751ccec863f153c438df20f1d0b4bf0f6f0267bb1b78b73d031641
Instruction Fuzzy Hash: 8B51D2327146558BC750CF29E4589AABBA9FB89B94F058235EF4D83B14CF39E945CF00

Function 00007FF6BC718658 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

WcsSetCalibrationManagementState.MSCMS ref: 00007FF6BC718681
GetLastError.KERNEL32 ref: 00007FF6BC71869B
WcsSetDefaultColorProfile.MSCMS ref: 00007FF6BC7186E6
GetLastError.KERNEL32 ref: 00007FF6BC7186F6
WcsGetUsePerUserProfiles.MSCMS ref: 00007FF6BC718728
GetLastError.KERNEL32 ref: 00007FF6BC718738
WcsSetDefaultColorProfile.MSCMS ref: 00007FF6BC71878E
GetLastError.KERNEL32 ref: 00007FF6BC71879E
WcsSetCalibrationManagementState.MSCMS ref: 00007FF6BC7187BB
GetLastError.KERNEL32 ref: 00007FF6BC7187CB

Strings

rtnm, xrefs: 00007FF6BC718723

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: ErrorLast$CalibrationColorDefaultManagementProfileState$ProfilesUser
String ID: rtnm
API String ID: 2534168751-2079796299
Opcode ID: b6672c1d9691e88341621d4b322fa2c6210088fb5cec0679313760fe48dfae33
Instruction ID: 93375ce21dc76a0d115ffe18f99b428ebe645f5b8fe32f0f3846679fd8cddfda
Opcode Fuzzy Hash: b6672c1d9691e88341621d4b322fa2c6210088fb5cec0679313760fe48dfae33
Instruction Fuzzy Hash: AC41AC71A08B628BF7105F7DA89013AABE8FB49B91F054275EF5986690DF3CE6408620

Function 00007FF6BC715AF8 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00007FF6BC715B43
GetWindowRect.USER32 ref: 00007FF6BC715B62
GetWindowRect.USER32 ref: 00007FF6BC715B81
MapWindowPoints.USER32 ref: 00007FF6BC715BA7
MapWindowPoints.USER32 ref: 00007FF6BC715BC0
MapWindowPoints.USER32 ref: 00007FF6BC715BD9
MoveWindow.USER32 ref: 00007FF6BC715CD2
InvalidateRect.USER32 ref: 00007FF6BC715D04
InvalidateRect.USER32 ref: 00007FF6BC715D3C

Strings

fRt 1), xrefs: 00007FF6BC715B1D

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: Window$Rect$Points$Invalidate$Move
String ID: fRt 1)
API String ID: 2372563702-1967341498
Opcode ID: b5e42835b65b5714dee55272bbcddf71df76dded149d3ad740da8efdff0d8173
Instruction ID: 88071e501e2656f9f0a25def35d89d069bde880d7420663f3de9932d5ff414b3
Opcode Fuzzy Hash: b5e42835b65b5714dee55272bbcddf71df76dded149d3ad740da8efdff0d8173
Instruction Fuzzy Hash: 0761D332B156568AE755CF3AD8506ACBB60FB4AB84F448232DF4EA7710DF38E555CB00

Function 00007FF6BC71D4CC Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BC715AF8: GetWindowRect.USER32 ref: 00007FF6BC715B43
Part of subcall function 00007FF6BC715AF8: GetWindowRect.USER32 ref: 00007FF6BC715B62
Part of subcall function 00007FF6BC715AF8: GetWindowRect.USER32 ref: 00007FF6BC715B81
Part of subcall function 00007FF6BC715AF8: MapWindowPoints.USER32 ref: 00007FF6BC715BA7
Part of subcall function 00007FF6BC715AF8: MapWindowPoints.USER32 ref: 00007FF6BC715BC0
Part of subcall function 00007FF6BC715AF8: MapWindowPoints.USER32 ref: 00007FF6BC715BD9

GetWindowRect.USER32 ref: 00007FF6BC71D527
GetWindowRect.USER32 ref: 00007FF6BC71D547
GetWindowRect.USER32 ref: 00007FF6BC71D567
MoveWindow.USER32 ref: 00007FF6BC71D639
MoveWindow.USER32 ref: 00007FF6BC71D65C
MoveWindow.USER32 ref: 00007FF6BC71D6A1
MoveWindow.USER32 ref: 00007FF6BC71D6C8
MoveWindow.USER32 ref: 00007FF6BC71D6F7
MoveWindow.USER32 ref: 00007FF6BC71D71A

Strings

fRt 1), xrefs: 00007FF6BC71D4F8

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: Window$MoveRect$Points
String ID: fRt 1)
API String ID: 3814651327-1967341498
Opcode ID: 6de4dd33fd5e914a2d99448d9529bb0ccb490a421b64d3f9f903543980557cd2
Instruction ID: d0d3dc2beb0af3b552485e58d49b78a7eaadc96d85e58b42275483e864709031
Opcode Fuzzy Hash: 6de4dd33fd5e914a2d99448d9529bb0ccb490a421b64d3f9f903543980557cd2
Instruction Fuzzy Hash: BD61C332A146858BD7518F2AE450669BBA8FF8EB94F059335EE4DA7720DF38E544CF00

Function 00007FF6BC717958 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

WcsGetUsePerUserProfiles.MSCMS ref: 00007FF6BC7179A5
GetLastError.KERNEL32 ref: 00007FF6BC7179BB
WcsGetDefaultColorProfile.MSCMS ref: 00007FF6BC717A0E
GetLastError.KERNEL32 ref: 00007FF6BC717A1E
WcsOpenColorProfileW.MSCMS ref: 00007FF6BC717A75
GetLastError.KERNEL32 ref: 00007FF6BC717A89
DccwGetGamutSize.MSCMS ref: 00007FF6BC717AAF
CloseColorProfile.MSCMS ref: 00007FF6BC717AF4

Strings

rtnm, xrefs: 00007FF6BC717996
fRt 1), xrefs: 00007FF6BC717973

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: ColorErrorLastProfile$CloseDccwDefaultGamutOpenProfilesSizeUser
String ID: fRt 1)$rtnm
API String ID: 1332131993-2054933478
Opcode ID: 5c43d64f98effe6da1e2c8069a68113787f86015f51c19e9e0da06ec9c17c809
Instruction ID: a30d240497397831d474d9ef9f10a36c6a4f7f593ede5269abb023f52bb10801
Opcode Fuzzy Hash: 5c43d64f98effe6da1e2c8069a68113787f86015f51c19e9e0da06ec9c17c809
Instruction Fuzzy Hash: 39416332608B828BE7508F69A49426AFBE4FB89B90F504235DF8D97714DF7DD645CB00

Function 00007FF6BC720610 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

iswupper.MSVCRT(?,00000001,?,00007FF6BC719269), ref: 00007FF6BC720652
towlower.MSVCRT(?,00007FF6BC719269), ref: 00007FF6BC720665
iswupper.MSVCRT(?,00007FF6BC719269), ref: 00007FF6BC720677
towlower.MSVCRT(?,00007FF6BC719269), ref: 00007FF6BC72068A
iswupper.MSVCRT(?,00007FF6BC719269), ref: 00007FF6BC7206C3
towlower.MSVCRT(?,00007FF6BC719269), ref: 00007FF6BC7206D6
iswupper.MSVCRT(?,00007FF6BC719269), ref: 00007FF6BC7206E8
towlower.MSVCRT(?,00007FF6BC719269), ref: 00007FF6BC7206FB

Strings

{4D36E96E-E325-11CE-BFC1-08002BE10318}, xrefs: 00007FF6BC72063E

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: iswuppertowlower
String ID: {4D36E96E-E325-11CE-BFC1-08002BE10318}
API String ID: 2404469642-206008433
Opcode ID: 563ddadf80f7de0fbb6dbf25a669bed17193fc76f8038d0d5a2e51552778707c
Instruction ID: 48a6bc87152353609df494e4c46e5f8012d3eae7fa7c354bea98f6b82afa9fe6
Opcode Fuzzy Hash: 563ddadf80f7de0fbb6dbf25a669bed17193fc76f8038d0d5a2e51552778707c
Instruction Fuzzy Hash: C0315032D047A296EB509F2AA464039BFE0FB46B82B498135DF898B680DF3CD644D720

Function 00007FF6BC712BAC Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6BC712BD1
GetProcAddress.KERNEL32 ref: 00007FF6BC712BEC
LoadLibraryExW.KERNEL32 ref: 00007FF6BC712C0A
GetProcAddress.KERNEL32 ref: 00007FF6BC712C25
GetLastError.KERNEL32 ref: 00007FF6BC712C69

Strings

API-MS-Win-Core-LocalRegistry-L1-1-0.dll, xrefs: 00007FF6BC712BCA
RegDeleteKeyW, xrefs: 00007FF6BC712C1B
RegDeleteKeyExW, xrefs: 00007FF6BC712BE2
advapi32.dll, xrefs: 00007FF6BC712C01

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: AddressProc$ErrorHandleLastLibraryLoadModule
String ID: API-MS-Win-Core-LocalRegistry-L1-1-0.dll$RegDeleteKeyExW$RegDeleteKeyW$advapi32.dll
API String ID: 856554993-2654589138
Opcode ID: c1bfc09b0fb2b6c5194e534f89997beb9cd58ed6d0cca4cbd513029e47de3b92
Instruction ID: 04f2c47d9f476a9db17d5871a8bade3105b64f5eddff230ff4ba6df2a76b7d6d
Opcode Fuzzy Hash: c1bfc09b0fb2b6c5194e534f89997beb9cd58ed6d0cca4cbd513029e47de3b92
Instruction Fuzzy Hash: B3211821A09B5682EF148F2DE4A4378A7A0FF4EF85F598435CB4E8A354DF3CE6448600

Function 00007FF6BC71CDF0 Relevance: 15.2, APIs: 10, Instructions: 152windowtimeCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00007FF6BC71CE54
SendMessageW.USER32 ref: 00007FF6BC71CE80
SendMessageW.USER32 ref: 00007FF6BC71CEC7
SendMessageW.USER32 ref: 00007FF6BC71CF1B
SendMessageW.USER32 ref: 00007FF6BC71CF47
SendMessageW.USER32 ref: 00007FF6BC71CF8E
SendMessageW.USER32 ref: 00007FF6BC71CFE2
SendMessageW.USER32 ref: 00007FF6BC71D00E
SendMessageW.USER32 ref: 00007FF6BC71D051
SetTimer.USER32 ref: 00007FF6BC71D06A

Part of subcall function 00007FF6BC7198C0: GetParent.USER32 ref: 00007FF6BC7198CD
Part of subcall function 00007FF6BC7198C0: PostMessageW.USER32 ref: 00007FF6BC7198EA
Part of subcall function 00007FF6BC7198C0: GetParent.USER32 ref: 00007FF6BC7198FA
Part of subcall function 00007FF6BC7198C0: SendMessageW.USER32 ref: 00007FF6BC719918

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: Message$Send$Parent$PostTimer
String ID:
API String ID: 1672226202-0
Opcode ID: ca5a3957e2fdce0ee4560c8256c5fb09fe481c8488b61be5a40724cb0d1e8577
Instruction ID: 4230b24df95c9cc6984dd161cb3445c26c77f5e94e7dc3485045979cd4818676
Opcode Fuzzy Hash: ca5a3957e2fdce0ee4560c8256c5fb09fe481c8488b61be5a40724cb0d1e8577
Instruction Fuzzy Hash: 06614936704A99C3D7148F2AE8646BABB64F78AF85F458036CB5E87724CF38E145C740

Function 00007FF6BC71F340 Relevance: 15.1, APIs: 10, Instructions: 102windowCOMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6BC71F366
EnumDisplayMonitors.USER32 ref: 00007FF6BC71F38B
ReleaseDC.USER32 ref: 00007FF6BC71F39D
GetLastError.KERNEL32 ref: 00007FF6BC71F3AB
GetParent.USER32 ref: 00007FF6BC71F41D
PostMessageW.USER32 ref: 00007FF6BC71F43B
GetWindowLongW.USER32 ref: 00007FF6BC71F456
GetParent.USER32 ref: 00007FF6BC71F46B
GetWindow.USER32 ref: 00007FF6BC71F47E
ShowWindow.USER32 ref: 00007FF6BC71F498

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: Window$Parent$DisplayEnumErrorLastLongMessageMonitorsPostReleaseShow
String ID:
API String ID: 459077176-0
Opcode ID: e46bbc2574ad347921db876fdcdf812524d8b3d323288188b84672f3afe7f0fb
Instruction ID: ebc26cc45f46049f56c3c15cdcd6fbd490fd56d2e102293a7eae00f420ccbf14
Opcode Fuzzy Hash: e46bbc2574ad347921db876fdcdf812524d8b3d323288188b84672f3afe7f0fb
Instruction Fuzzy Hash: 7D417122608B52C7E7049F5EA464179ABA0FB8EB65F488131DF6E87390DF3CE9458240

Function 00007FF6BC71922C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BC720610: iswupper.MSVCRT(?,00000001,?,00007FF6BC719269), ref: 00007FF6BC720652
Part of subcall function 00007FF6BC720610: towlower.MSVCRT(?,00007FF6BC719269), ref: 00007FF6BC720665
Part of subcall function 00007FF6BC720610: iswupper.MSVCRT(?,00007FF6BC719269), ref: 00007FF6BC720677
Part of subcall function 00007FF6BC720610: towlower.MSVCRT(?,00007FF6BC719269), ref: 00007FF6BC72068A
Part of subcall function 00007FF6BC720610: iswupper.MSVCRT(?,00007FF6BC719269), ref: 00007FF6BC7206C3
Part of subcall function 00007FF6BC720610: towlower.MSVCRT(?,00007FF6BC719269), ref: 00007FF6BC7206D6
Part of subcall function 00007FF6BC720610: iswupper.MSVCRT(?,00007FF6BC719269), ref: 00007FF6BC7206E8
Part of subcall function 00007FF6BC720610: towlower.MSVCRT(?,00007FF6BC719269), ref: 00007FF6BC7206FB

GetDisplayConfigBufferSizes.USER32 ref: 00007FF6BC719290

Strings

T, xrefs: 00007FF6BC719371
fRt 1), xrefs: 00007FF6BC71924B

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: iswuppertowlower$BufferConfigDisplaySizes
String ID: T$fRt 1)
API String ID: 3551102313-1262330307
Opcode ID: 0d707571cffa7e7f14a53604cf7930673be2afe00d14126f899496c2402a5b65
Instruction ID: 80f8d0c91fa5d77d0d04a40036eb2fd7936ad12db4329cea100cf98653159149
Opcode Fuzzy Hash: 0d707571cffa7e7f14a53604cf7930673be2afe00d14126f899496c2402a5b65
Instruction Fuzzy Hash: 8A51C432A1968287EB218F2DE4547BAB7A0FB89794F404234DF5E87780DF3CE6468700

Function 00007FF6BC71BAC0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BC715AF8: GetWindowRect.USER32 ref: 00007FF6BC715B43
Part of subcall function 00007FF6BC715AF8: GetWindowRect.USER32 ref: 00007FF6BC715B62
Part of subcall function 00007FF6BC715AF8: GetWindowRect.USER32 ref: 00007FF6BC715B81
Part of subcall function 00007FF6BC715AF8: MapWindowPoints.USER32 ref: 00007FF6BC715BA7
Part of subcall function 00007FF6BC715AF8: MapWindowPoints.USER32 ref: 00007FF6BC715BC0
Part of subcall function 00007FF6BC715AF8: MapWindowPoints.USER32 ref: 00007FF6BC715BD9

GetWindowRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6BC71A0EC), ref: 00007FF6BC71BB0C
GetWindowRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6BC71A0EC), ref: 00007FF6BC71BB2C
GetWindowRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6BC71A0EC), ref: 00007FF6BC71BB4C
MoveWindow.USER32 ref: 00007FF6BC71BBD9
MoveWindow.USER32 ref: 00007FF6BC71BC04

Strings

VUUU, xrefs: 00007FF6BC71BBA7
fRt 1), xrefs: 00007FF6BC71BADD

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: Window$Rect$Points$Move
String ID: VUUU$fRt 1)
API String ID: 1829183498-2126614922
Opcode ID: fecf5a2456b7f029a469970d7321628e87bbefcce9d7ec21ace3412258f14f29
Instruction ID: 4ec853fe6833fe87360606a5ff93a16b24672bdc6ef2dd79f4108faf742b9290
Opcode Fuzzy Hash: fecf5a2456b7f029a469970d7321628e87bbefcce9d7ec21ace3412258f14f29
Instruction Fuzzy Hash: 3E418E32714A85CBD7208F2DE8506A9BBA5F789B84F445131EB4D87B58CF38E644CB40

Function 00007FF6BC718804 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

WcsDisassociateColorProfileFromDevice.MSCMS(?,?,?,00007FF6BC7185FE), ref: 00007FF6BC71884A
GetLastError.KERNEL32(?,?,?,00007FF6BC7185FE), ref: 00007FF6BC71885A
WcsGetUsePerUserProfiles.MSCMS(?,?,?,00007FF6BC7185FE), ref: 00007FF6BC718896
GetLastError.KERNEL32(?,?,?,00007FF6BC7185FE), ref: 00007FF6BC7188A6
WcsDisassociateColorProfileFromDevice.MSCMS(?,?,?,00007FF6BC7185FE), ref: 00007FF6BC7188D6
GetLastError.KERNEL32(?,?,?,00007FF6BC7185FE), ref: 00007FF6BC7188E6

Strings

rtnm, xrefs: 00007FF6BC718891

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: ErrorLast$ColorDeviceDisassociateFromProfile$ProfilesUser
String ID: rtnm
API String ID: 2382097621-2079796299
Opcode ID: c652882f58854bc14bdc5bc9bc34118772c24ee11bda7732498b04ac48ea0347
Instruction ID: 95471f8e6421807845cc754db33dac32ecd298998406a582ba0b28da16eaedb9
Opcode Fuzzy Hash: c652882f58854bc14bdc5bc9bc34118772c24ee11bda7732498b04ac48ea0347
Instruction Fuzzy Hash: 6E31E531A04B9287E7101B6EA454279BFE4FF89B90F558275DB6EC3390DF3CE9018220

Function 00007FF6BC719DE0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF6BC719E3C
SendMessageW.USER32 ref: 00007FF6BC719E56
GetSystemDirectoryW.KERNEL32 ref: 00007FF6BC719E76
ShellExecuteW.SHELL32 ref: 00007FF6BC719EE2

Strings

open, xrefs: 00007FF6BC719ED6
fRt 1), xrefs: 00007FF6BC719DED
CTTune.exe, xrefs: 00007FF6BC719EAC

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: DirectoryExecuteItemMessageSendShellSystem
String ID: CTTune.exe$fRt 1)$open
API String ID: 2938676387-192630430
Opcode ID: cb874b20edd749bce99f2c7ab0612aff82f4437cd797591c8e11be2d46af0fd0
Instruction ID: a9308dc8239b2566489c83b5b652e93dacde0b27d9deacec7816ad145702b039
Opcode Fuzzy Hash: cb874b20edd749bce99f2c7ab0612aff82f4437cd797591c8e11be2d46af0fd0
Instruction Fuzzy Hash: 67314F32718A9286E7609B2DE8643BA67A4FB89B44F805035DB5ECB754CF3CE649C700

Function 00007FF6BC714CF0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50synchronizationwindowCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32 ref: 00007FF6BC714D1B
CloseHandle.KERNEL32 ref: 00007FF6BC714D2E
OpenIcon.USER32 ref: 00007FF6BC714D4D
SetForegroundWindow.USER32 ref: 00007FF6BC714D5C
SetWindowPos.USER32 ref: 00007FF6BC714D85
CallWindowProcW.USER32 ref: 00007FF6BC714DAD

Strings

dccw, xrefs: 00007FF6BC714D91

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: Window$CallCloseForegroundHandleIconMutexOpenProcRelease
String ID: dccw
API String ID: 1295780963-1595938506
Opcode ID: 03ffaee57d747bab8e01ba1dbbe1cbc3f2e85c525dba98c1716d424acc1d6664
Instruction ID: 506b28c4b589d56dbf0633dfe9c1e8660e477c2af9dc58c87662af46dff81f02
Opcode Fuzzy Hash: 03ffaee57d747bab8e01ba1dbbe1cbc3f2e85c525dba98c1716d424acc1d6664
Instruction Fuzzy Hash: 5121CC35918B42C7EB108F1AF865279BB64FB8AB95F589171DB8E87714CF3CD1448B00

Function 00007FF6BC71D760 Relevance: 12.1, APIs: 8, Instructions: 120COMMON

Download Yara Rule

APIs

GdipCreateSolidFill.GDIPLUS ref: 00007FF6BC71D7B7
GdipCreateFromHDC.GDIPLUS ref: 00007FF6BC71D7D4
GdipFillRectangleI.GDIPLUS ref: 00007FF6BC71D811
GdipCreateLineBrushI.GDIPLUS ref: 00007FF6BC71D86B
GdipFillRectangleI.GDIPLUS ref: 00007FF6BC71D8CC
GdipDeleteBrush.GDIPLUS ref: 00007FF6BC71D8DB
GdipDeleteGraphics.GDIPLUS ref: 00007FF6BC71D8EA
GdipDeleteBrush.GDIPLUS ref: 00007FF6BC71D8F9

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: Gdip$BrushCreateDeleteFill$Rectangle$FromGraphicsLineSolid
String ID:
API String ID: 1713370201-0
Opcode ID: 305c7895e1ae9107b0811e31dae8082fb42cd4769c84d7fec64c31bed545858e
Instruction ID: c827ffaf52f66447db07afeeb8ed02b6386e4e95046e339305010d9a441ce883
Opcode Fuzzy Hash: 305c7895e1ae9107b0811e31dae8082fb42cd4769c84d7fec64c31bed545858e
Instruction Fuzzy Hash: 06415C72604A41CBD724CF69E858BAC7BA9F78DB99F458235DF0A87B18CF38D5458B00

Function 00007FF6BC71BC3C Relevance: 12.1, APIs: 8, Instructions: 89COMMON

Download Yara Rule

APIs

GdipCreateFromHDC.GDIPLUS(?,?,?,?,?,?,?,00007FF6BC71A105), ref: 00007FF6BC71BC6D
GdipCreateSolidFill.GDIPLUS(?,?,?,?,?,?,?,00007FF6BC71A105), ref: 00007FF6BC71BC8A
GdipFillRectangleI.GDIPLUS(?,?,?,?,?,?,?,00007FF6BC71A105), ref: 00007FF6BC71BCC2
GdipCreateLineBrushI.GDIPLUS(?,?,?,?,?,?,?,00007FF6BC71A105), ref: 00007FF6BC71BD0B
GdipFillRectangleI.GDIPLUS(?,?,?,?,?,?,?,00007FF6BC71A105), ref: 00007FF6BC71BD4D
GdipDeleteBrush.GDIPLUS(?,?,?,?,?,?,?,00007FF6BC71A105), ref: 00007FF6BC71BD5C
GdipDeleteBrush.GDIPLUS(?,?,?,?,?,?,?,00007FF6BC71A105), ref: 00007FF6BC71BD6B
GdipDeleteGraphics.GDIPLUS(?,?,?,?,?,?,?,00007FF6BC71A105), ref: 00007FF6BC71BD7A

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: Gdip$BrushCreateDeleteFill$Rectangle$FromGraphicsLineSolid
String ID:
API String ID: 1713370201-0
Opcode ID: 784bbbcdff2f6bdf5bea241e12e044093f5952970fb30e5de84a13180cb43276
Instruction ID: bc913517ba8f9051f43a0a36cc293673a666eb1c840efd9b6dc463d223b281c1
Opcode Fuzzy Hash: 784bbbcdff2f6bdf5bea241e12e044093f5952970fb30e5de84a13180cb43276
Instruction Fuzzy Hash: 05311A72A04A41DFD7248F69E8548ACBF78F74EB99B459265EE0A47B08CF38D545CB00

Function 00007FF6BC712CA0 Relevance: 10.6, APIs: 7, Instructions: 133COMMON

Download Yara Rule

APIs

CharNextW.USER32(00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC712CDF
CharNextW.USER32(00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC712D15
CharNextW.USER32 ref: 00007FF6BC712D35
CharNextW.USER32 ref: 00007FF6BC712D53
CharNextW.USER32 ref: 00007FF6BC712D68
CharNextW.USER32 ref: 00007FF6BC712DDB
CharNextW.USER32(00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC712E05

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 93a3f1f8908d4afb299c742935aab6fdb0b643a7c6d025abd797d03cfcaa7e3f
Instruction ID: 05add7d5b5f04d9ce4d17b04d645643e90b6db01f470475ab27f78ba4b842f62
Opcode Fuzzy Hash: 93a3f1f8908d4afb299c742935aab6fdb0b643a7c6d025abd797d03cfcaa7e3f
Instruction Fuzzy Hash: 5B515036B19AA286EB248F1DD42417877A5FB59F82F448032DB4E87754EF3CDA568304

Function 00007FF6BC715372 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32 ref: 00007FF6BC71542E
GetWindowLongPtrW.USER32 ref: 00007FF6BC715445
CallWindowProcW.USER32 ref: 00007FF6BC71546A
GetWindowLongPtrW.USER32 ref: 00007FF6BC715490
SetWindowLongPtrW.USER32 ref: 00007FF6BC7154AE

Strings

8, xrefs: 00007FF6BC7153ED

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: Window$Long$CallProc
String ID: 8
API String ID: 513923721-4194326291
Opcode ID: 354cf88fa4be489d31bfcd03446ff328b2f0db7b2f3e9e42136fd0cae314b07e
Instruction ID: a21b2e139fbe24dad51cf3ea1c72d7ffba979f764e8425cbfb8190d06646c8e0
Opcode Fuzzy Hash: 354cf88fa4be489d31bfcd03446ff328b2f0db7b2f3e9e42136fd0cae314b07e
Instruction Fuzzy Hash: 6C414832A04B50CAE7508F2AE85426C77B8F749F99F148235DE9D9BB58CF39CA52C740

Function 00007FF6BC71E600 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 104windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32 ref: 00007FF6BC71E6A6
FormatMessageW.KERNEL32 ref: 00007FF6BC71E72D
LocalFree.KERNEL32 ref: 00007FF6BC71E752
LocalFree.KERNEL32 ref: 00007FF6BC71E767

Part of subcall function 00007FF6BC71E50C: EventWrite.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00007FF6BC71E749), ref: 00007FF6BC71E577
Part of subcall function 00007FF6BC71E50C: MessageBoxW.USER32 ref: 00007FF6BC71E5C3

Strings

strg, xrefs: 00007FF6BC71E63A
strg, xrefs: 00007FF6BC71E6E5

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: Message$FormatFreeLocal$EventWrite
String ID: strg$strg
API String ID: 3780319976-3117884289
Opcode ID: a04c8770deb543ec97a1be9886b5f51c88836da2e6f4a2ec76660b089775088a
Instruction ID: 63d880f5a9359ec6fd290d72a2a9ba2614cdd004273c919c5edfe9a2b74d04e6
Opcode Fuzzy Hash: a04c8770deb543ec97a1be9886b5f51c88836da2e6f4a2ec76660b089775088a
Instruction Fuzzy Hash: 47419D32B04B218AFB108B29E8A46AD77B4FB49784F445135EF4E97B58DF38D641C740

Function 00007FF6BC717570 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 98fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32 ref: 00007FF6BC7175A2
GetLastError.KERNEL32 ref: 00007FF6BC7175B4
WcsSetCalibrationManagementState.MSCMS ref: 00007FF6BC717629
GetLastError.KERNEL32 ref: 00007FF6BC717639
EventWrite.ADVAPI32 ref: 00007FF6BC7176DC

Strings

fRt 1), xrefs: 00007FF6BC71757F

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: ErrorLast$CalibrationCopyEventFileManagementStateWrite
String ID: fRt 1)
API String ID: 4173155175-1967341498
Opcode ID: 52c41e660492b1f9c46799f6bb78ce9a21a042d81271af6c1ca98465aee8dd0f
Instruction ID: 7ca4bcd68778a9f1e99a544028f8cbe1b27db1a9af560b04dd9f184306b990b9
Opcode Fuzzy Hash: 52c41e660492b1f9c46799f6bb78ce9a21a042d81271af6c1ca98465aee8dd0f
Instruction Fuzzy Hash: 96419F71B08B5286EB148B2DA5A027AB7A0FB8ABD4F404231DF5DC7794DF3DE2118B10

Function 00007FF6BC712A48 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF6BC712AA4
RegCloseKey.ADVAPI32 ref: 00007FF6BC712AC4
RegEnumKeyExW.ADVAPI32 ref: 00007FF6BC712B30
RegCloseKey.ADVAPI32 ref: 00007FF6BC712B4A
RegCloseKey.ADVAPI32 ref: 00007FF6BC712B73

Strings

fRt 1), xrefs: 00007FF6BC712A5F

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: Close$EnumOpen
String ID: fRt 1)
API String ID: 138425441-1967341498
Opcode ID: fcc75acab5664485096b839409b67691493508688e218170a450ae212a980972
Instruction ID: ffdf93a50651caf41715214493920161961e3ccd9481cb4a60de48f621afb24a
Opcode Fuzzy Hash: fcc75acab5664485096b839409b67691493508688e218170a450ae212a980972
Instruction Fuzzy Hash: 30419132608B8686E7208F59F4A43BAB7B0FB8AB85F544131DB4D8AA54DF3CD644CB00

Function 00007FF6BC718168 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 57COMMON

Download Yara Rule

APIs

GetColorDirectoryW.MSCMS ref: 00007FF6BC71819A
GetLastError.KERNEL32 ref: 00007FF6BC7181AA

Strings

CalibratedDisplayProfile-%d.icc, xrefs: 00007FF6BC7181DA
CalibratedDisplayProfile-%d-Temp.icc, xrefs: 00007FF6BC71821F
%s\%s, xrefs: 00007FF6BC7181FF, 00007FF6BC718244
fRt 1), xrefs: 00007FF6BC718171

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: ColorDirectoryErrorLast
String ID: %s\%s$CalibratedDisplayProfile-%d-Temp.icc$CalibratedDisplayProfile-%d.icc$fRt 1)
API String ID: 3534830153-3332179164
Opcode ID: 295f6d6d43a81ea9da509c125966d27f02527dcff106f25ccd3350642bc93633
Instruction ID: 371fa6940a6b0bfe8a260f62c56c5d8ceeee1dc57a6d9b31395ee9e0e8aa93af
Opcode Fuzzy Hash: 295f6d6d43a81ea9da509c125966d27f02527dcff106f25ccd3350642bc93633
Instruction Fuzzy Hash: 31210C31714A8787EB519F29A8746F963A0FB86B48F845036DB4DCB199DE38D609C710

Function 00007FF6BC720524 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56commemoryCOMMON

Download Yara Rule

APIs

CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF6BC720557
SysAllocString.OLEAUT32 ref: 00007FF6BC720570
WinSqmAddToStream.NTDLL ref: 00007FF6BC7205B2
SysFreeString.OLEAUT32 ref: 00007FF6BC7205EF

Strings

mshelp://windows/?id=27a2764a-ad05-4a52-96f4-eac32ae3c9e1, xrefs: 00007FF6BC720569
COLOR_MANAGEMENT_CALIBRATE_DISPLAY, xrefs: 00007FF6BC720598

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: String$AllocCreateFreeInstanceStream
String ID: COLOR_MANAGEMENT_CALIBRATE_DISPLAY$mshelp://windows/?id=27a2764a-ad05-4a52-96f4-eac32ae3c9e1
API String ID: 148082582-1466657646
Opcode ID: e70f9497615a0087b04c6fcef08ffa40f79f47e2d7a3d8dd0d863143300300c5
Instruction ID: 418ec6cd725dcb07966d87c6d4abc35b7986847c9a43e3505dc766a890a04f2c
Opcode Fuzzy Hash: e70f9497615a0087b04c6fcef08ffa40f79f47e2d7a3d8dd0d863143300300c5
Instruction Fuzzy Hash: AF213D36718B46C7E7008F1AE894679B7A4FB89B90F918132DB1E87764CF79DA48C700

Function 00007FF6BC719628 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 48COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF6BC71963E
EnumChildWindows.USER32 ref: 00007FF6BC71968F
EnumChildWindows.USER32 ref: 00007FF6BC7196DE

Strings

false, xrefs: 00007FF6BC71965B
true, xrefs: 00007FF6BC719650
IDD = %d: m_bIsRtl = %s, xrefs: 00007FF6BC71966E

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: ChildEnumWindows$LongWindow
String ID: IDD = %d: m_bIsRtl = %s$false$true
API String ID: 92254136-2899959848
Opcode ID: b92b9d19439ad2494f69601789a170c79adcb754724acc663b9636ddb8709558
Instruction ID: 2aefd388ac5bd7cc896b74696496ae637cca59e2e545cf9995ca269670722e58
Opcode Fuzzy Hash: b92b9d19439ad2494f69601789a170c79adcb754724acc663b9636ddb8709558
Instruction Fuzzy Hash: 7D215E31604A83C6EB008B2DE4603B87760FB46B59F485231DB6E8E395DF3CD64AC310

Function 00007FF6BC71FC04 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 44libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32(?,?,00000000,00007FF6BC71F975,?,?,00000000,00007FF6BC715294), ref: 00007FF6BC71FC19

Part of subcall function 00007FF6BC71F870: GetProcAddress.KERNEL32(?,?,00000000,00007FF6BC71FDD7,?,?,?,00007FF6BC71FAFF,?,?,?,00007FF6BC715229), ref: 00007FF6BC71F879
Part of subcall function 00007FF6BC71F870: EncodePointer.KERNEL32(?,?,00000000,00007FF6BC71FDD7,?,?,?,00007FF6BC71FAFF,?,?,?,00007FF6BC715229), ref: 00007FF6BC71F88D

Strings

AtlThunk_InitData, xrefs: 00007FF6BC71FC55
AtlThunk_FreeData, xrefs: 00007FF6BC71FC89
AtlThunk_DataToCode, xrefs: 00007FF6BC71FC6F
AtlThunk_AllocateData, xrefs: 00007FF6BC71FC3B
atlthunk.dll, xrefs: 00007FF6BC71FC0C

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: AddressEncodeLibraryLoadPointerProc
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1836850294-1745123996
Opcode ID: a45addfb00c366bd3982274187ddfea4e8fe2f12e3c8fd08f6cdaebf70e9698f
Instruction ID: 9e2b84bb6fb8ccbf66af459f6273da09e166e56293fb59ebdfa69cd8299f9769
Opcode Fuzzy Hash: a45addfb00c366bd3982274187ddfea4e8fe2f12e3c8fd08f6cdaebf70e9698f
Instruction Fuzzy Hash: 01115E65E1D64A91FB45DB5ED8702F02790AF467A0F880032CF4DCA291AF3DEB89D380

Function 00007FF6BC71FB3C Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 44libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32(?,?,00000000,00007FF6BC71F8EF,?,?,?,00007FF6BC7152B4), ref: 00007FF6BC71FB51

Part of subcall function 00007FF6BC71F870: GetProcAddress.KERNEL32(?,?,00000000,00007FF6BC71FDD7,?,?,?,00007FF6BC71FAFF,?,?,?,00007FF6BC715229), ref: 00007FF6BC71F879
Part of subcall function 00007FF6BC71F870: EncodePointer.KERNEL32(?,?,00000000,00007FF6BC71FDD7,?,?,?,00007FF6BC71FAFF,?,?,?,00007FF6BC715229), ref: 00007FF6BC71F88D

Strings

AtlThunk_InitData, xrefs: 00007FF6BC71FB8D
AtlThunk_FreeData, xrefs: 00007FF6BC71FBC1
AtlThunk_DataToCode, xrefs: 00007FF6BC71FBA7
AtlThunk_AllocateData, xrefs: 00007FF6BC71FB73
atlthunk.dll, xrefs: 00007FF6BC71FB44

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: AddressEncodeLibraryLoadPointerProc
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1836850294-1745123996
Opcode ID: 5604a0a84585cc6c1c696b0629681a59622625ad6788879ae97d7f5805bf7934
Instruction ID: c13aad4beb6cba4d5f406e0a4a399e9e9a0a476bfe2627055342cfd6f30c648e
Opcode Fuzzy Hash: 5604a0a84585cc6c1c696b0629681a59622625ad6788879ae97d7f5805bf7934
Instruction Fuzzy Hash: 8F112165E1D65691FB51DB2ED8702F02791AF86750F884072CB4DDA291AF3CEB86C280

Function 00007FF6BC71FD94 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 44libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32(?,?,?,00007FF6BC71FAFF,?,?,?,00007FF6BC715229), ref: 00007FF6BC71FDA9

Part of subcall function 00007FF6BC71F870: GetProcAddress.KERNEL32(?,?,00000000,00007FF6BC71FDD7,?,?,?,00007FF6BC71FAFF,?,?,?,00007FF6BC715229), ref: 00007FF6BC71F879
Part of subcall function 00007FF6BC71F870: EncodePointer.KERNEL32(?,?,00000000,00007FF6BC71FDD7,?,?,?,00007FF6BC71FAFF,?,?,?,00007FF6BC715229), ref: 00007FF6BC71F88D

Strings

AtlThunk_InitData, xrefs: 00007FF6BC71FDE5
AtlThunk_FreeData, xrefs: 00007FF6BC71FE19
AtlThunk_DataToCode, xrefs: 00007FF6BC71FDFF
AtlThunk_AllocateData, xrefs: 00007FF6BC71FDCB
atlthunk.dll, xrefs: 00007FF6BC71FD9C

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: AddressEncodeLibraryLoadPointerProc
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1836850294-1745123996
Opcode ID: a97bc39d5e686c2ee0481e45ba44346645baee52c9adc324c3a2bc3c81a7301a
Instruction ID: 4f729db877aee829f0cb7a10d2b9792c52dd77065c1cc0a737a79a1cf8167eea
Opcode Fuzzy Hash: a97bc39d5e686c2ee0481e45ba44346645baee52c9adc324c3a2bc3c81a7301a
Instruction Fuzzy Hash: 6C117364E0D64691FB51DB2ED8702F02794AF4A750F880436CB4CDA291EF3DEB89C380

Function 00007FF6BC71FCCC Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 44libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32(?,?,?,00007FF6BC71FA77,?,?,?,00007FF6BC7152AB), ref: 00007FF6BC71FCE1

Part of subcall function 00007FF6BC71F870: GetProcAddress.KERNEL32(?,?,00000000,00007FF6BC71FDD7,?,?,?,00007FF6BC71FAFF,?,?,?,00007FF6BC715229), ref: 00007FF6BC71F879
Part of subcall function 00007FF6BC71F870: EncodePointer.KERNEL32(?,?,00000000,00007FF6BC71FDD7,?,?,?,00007FF6BC71FAFF,?,?,?,00007FF6BC715229), ref: 00007FF6BC71F88D

Strings

AtlThunk_InitData, xrefs: 00007FF6BC71FD1D
AtlThunk_FreeData, xrefs: 00007FF6BC71FD51
AtlThunk_DataToCode, xrefs: 00007FF6BC71FD37
AtlThunk_AllocateData, xrefs: 00007FF6BC71FD03
atlthunk.dll, xrefs: 00007FF6BC71FCD4

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: AddressEncodeLibraryLoadPointerProc
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1836850294-1745123996
Opcode ID: 4433701769e2d4165ca05da55ae652ee0f368b50fa5700177a30dd84d6bf462a
Instruction ID: 85ee367bc43fe2efc968611752491f17840f80ee4315d94185ee3e919e632606
Opcode Fuzzy Hash: 4433701769e2d4165ca05da55ae652ee0f368b50fa5700177a30dd84d6bf462a
Instruction Fuzzy Hash: 11112465D1D65691FB41DB1DD8712F02791AF4A760F884032CB8DDA295DF3CEB85C680

Function 00007FF6BC72130C Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00007FF6BC721338
RtlLookupFunctionEntry.NTDLL ref: 00007FF6BC721351
RtlVirtualUnwind.NTDLL ref: 00007FF6BC72138D
OutputDebugStringA.KERNEL32 ref: 00007FF6BC7213BC

Strings

fRt 1), xrefs: 00007FF6BC721321
Invalid parameter passed to C runtime function., xrefs: 00007FF6BC7213B5

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: CaptureContextDebugEntryFunctionLookupOutputStringUnwindVirtual
String ID: Invalid parameter passed to C runtime function.$fRt 1)
API String ID: 711593133-1217894009
Opcode ID: 65f05955836b6ad00e5a0705551acb6f93f5cba8257d08c0eaa574472f830083
Instruction ID: 6aee746001feb6ec1f425a0bc9e5d03f9e170477f2ad562908415a8292abcd97
Opcode Fuzzy Hash: 65f05955836b6ad00e5a0705551acb6f93f5cba8257d08c0eaa574472f830083
Instruction Fuzzy Hash: 7711FE3661CF8592DA608B19F8A03ABB365FB89755F541135DB8D8AB94EF3CD284CF00

Function 00007FF6BC7140A8 Relevance: 9.1, APIs: 6, Instructions: 141COMMON

Download Yara Rule

APIs

DestroyPropertySheetPage.COMCTL32 ref: 00007FF6BC7151D3
free.MSVCRT ref: 00007FF6BC7151F9

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: DestroyPagePropertySheetfree
String ID:
API String ID: 75348250-0
Opcode ID: a501d7a06c700a00791920ad37270b21661e3087ce96e879347e952117b93a86
Instruction ID: bd6ed4a9c02e307f2936d2508c420296f46806d56c53ff8547dfaff21d42265e
Opcode Fuzzy Hash: a501d7a06c700a00791920ad37270b21661e3087ce96e879347e952117b93a86
Instruction Fuzzy Hash: F7516B32A09B9186EB448F29E4603B977A0FB89F99F188135DB5D8B799CF38D645C300

Function 00007FF6BC71F5F0 Relevance: 9.1, APIs: 6, Instructions: 60windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00007FF6BC71F628
PostMessageW.USER32 ref: 00007FF6BC71F645
GetWindowLongW.USER32 ref: 00007FF6BC71F660
GetParent.USER32 ref: 00007FF6BC71F675
GetWindow.USER32 ref: 00007FF6BC71F688
ShowWindow.USER32 ref: 00007FF6BC71F6A2

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: Window$Parent$LongMessagePostShow
String ID:
API String ID: 3500748212-0
Opcode ID: bf41d0b00489db893d5f80c4116ba7e9a7d2d6becdd5d9d7274ca2ffb029caeb
Instruction ID: 7ec277cea020f41af066205726d5cfd306459b97e936f24d5c9173d2f8031bf7
Opcode Fuzzy Hash: bf41d0b00489db893d5f80c4116ba7e9a7d2d6becdd5d9d7274ca2ffb029caeb
Instruction Fuzzy Hash: 09217832608B82C7EB048B2EE46417DBBA0FB8AF84B448531DF5E87764CF38E9418700

Function 00007FF6BC71D0A0 Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BC715A14: GetDlgItem.USER32 ref: 00007FF6BC715A4A
Part of subcall function 00007FF6BC715A14: GetDlgItem.USER32 ref: 00007FF6BC715AA7

GetDlgItem.USER32 ref: 00007FF6BC71D0C7
GetDlgItem.USER32 ref: 00007FF6BC71D0E3
GetDlgItem.USER32 ref: 00007FF6BC71D0FF
GetDlgItem.USER32 ref: 00007FF6BC71D11B
GetDlgItem.USER32 ref: 00007FF6BC71D137
GetDlgItem.USER32 ref: 00007FF6BC71D153

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: Item
String ID:
API String ID: 3207170592-0
Opcode ID: 0d4906199eddd417610d9637573d8079676d96d169cddfe168b1fadfa14e4adc
Instruction ID: 3328e5b13ebd4d486e28555de638533de7ccab27f05213057ba17cc0ce6c1f01
Opcode Fuzzy Hash: 0d4906199eddd417610d9637573d8079676d96d169cddfe168b1fadfa14e4adc
Instruction Fuzzy Hash: 3F212E31905F81C2E7558F28E4542A8B7A5F78AFA9F198230CF5D4B788DF39D490C710

Function 00007FF6BC714B08 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 117COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32 ref: 00007FF6BC714BA6
MonitorFromRect.USER32 ref: 00007FF6BC714C80

Strings

New rect (%d, %d, %d, %d) is on display 0x%08x, xrefs: 00007FF6BC714BCC, 00007FF6BC714CA3
Current display is 0x%08x, xrefs: 00007FF6BC714C4B
fRt 1), xrefs: 00007FF6BC714B1D

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: FromMonitorRect
String ID: Current display is 0x%08x$New rect (%d, %d, %d, %d) is on display 0x%08x$fRt 1)
API String ID: 2578442757-360643689
Opcode ID: c144f971c02ea4fcf4e3ab1791330c53da1d81cc1387930055153d6b87eb5a95
Instruction ID: 3f5666b29cbe4de10dd5f077717418b56f02c1c98e6487f73a55277325ad9ffa
Opcode Fuzzy Hash: c144f971c02ea4fcf4e3ab1791330c53da1d81cc1387930055153d6b87eb5a95
Instruction Fuzzy Hash: 1C512476B14A118BEB14CF2AD8646AD7774FB88B84B148536CF1D97B68CF38E545CB00

Function 00007FF6BC71970C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

MapDialogRect.USER32 ref: 00007FF6BC71973D
GetWindowRect.USER32 ref: 00007FF6BC719769
EnumChildWindows.USER32 ref: 00007FF6BC719802
InvalidateRect.USER32 ref: 00007FF6BC719818

Strings

fRt 1), xrefs: 00007FF6BC719712

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: Rect$ChildDialogEnumInvalidateWindowWindows
String ID: fRt 1)
API String ID: 102734436-1967341498
Opcode ID: 67e608d1668fcd2e05b84ba607845e57a82d6db35225d93ffc45fa2c42f71712
Instruction ID: 4acd571070097060ecceebe235f7975a620d4ce53380c9e17b6d044b2cf5cc69
Opcode Fuzzy Hash: 67e608d1668fcd2e05b84ba607845e57a82d6db35225d93ffc45fa2c42f71712
Instruction Fuzzy Hash: F831A87261858287D7208F3DD4147A97BA0F799B48F488230DF8DCB648DF78E685CB00

Function 00007FF6BC720B90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00007FF6BC720D43
RtlLookupFunctionEntry.NTDLL ref: 00007FF6BC720D62
RtlVirtualUnwind.NTDLL ref: 00007FF6BC720DAF
__raise_securityfailure.LIBCMT ref: 00007FF6BC720E94

Strings

fRt 1), xrefs: 00007FF6BC720E3D, 00007FF6BC720E6C

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID: fRt 1)
API String ID: 140117192-1967341498
Opcode ID: c9b49c1ba67d949dc36895266a5f69cb5620672250b45e487ba1d0df3559b863
Instruction ID: 1f7443223863c8766cae8f8bc0aaeeea683acf41a6058bff5fca30c74d613ce9
Opcode Fuzzy Hash: c9b49c1ba67d949dc36895266a5f69cb5620672250b45e487ba1d0df3559b863
Instruction Fuzzy Hash: 3641BA35A09B4981EB508F1CF8A03A5B3A4FB8A754F945035DB9D8B7A4DF3DE654C700

Function 00007FF6BC71E33C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF6BC71E37C
RegQueryValueExW.ADVAPI32 ref: 00007FF6BC71E3B3
RegQueryValueExW.ADVAPI32 ref: 00007FF6BC71E3F5
RegCloseKey.ADVAPI32 ref: 00007FF6BC71E413

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\DCCW\Simulator, xrefs: 00007FF6BC71E365

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\DCCW\Simulator
API String ID: 1586453840-1252446219
Opcode ID: e89b2486e9b9178f228b10d11138ba9c9377e09a9522b9f6059df1ba8fc37b53
Instruction ID: 334d515ee5f99130d33bfeab71af0843562d77326cff95367ab406137c3ca945
Opcode Fuzzy Hash: e89b2486e9b9178f228b10d11138ba9c9377e09a9522b9f6059df1ba8fc37b53
Instruction Fuzzy Hash: B0316932A14B519BE7508F69D8587BC77A4FB09798F404235EF1D86B54EF38D685C700

Function 00007FF6BC71B3B4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BC715AF8: GetWindowRect.USER32 ref: 00007FF6BC715B43
Part of subcall function 00007FF6BC715AF8: GetWindowRect.USER32 ref: 00007FF6BC715B62
Part of subcall function 00007FF6BC715AF8: GetWindowRect.USER32 ref: 00007FF6BC715B81
Part of subcall function 00007FF6BC715AF8: MapWindowPoints.USER32 ref: 00007FF6BC715BA7
Part of subcall function 00007FF6BC715AF8: MapWindowPoints.USER32 ref: 00007FF6BC715BC0
Part of subcall function 00007FF6BC715AF8: MapWindowPoints.USER32 ref: 00007FF6BC715BD9

GetWindowRect.USER32 ref: 00007FF6BC71B3F1
GetWindowRect.USER32 ref: 00007FF6BC71B411
GetWindowRect.USER32 ref: 00007FF6BC71B431
MoveWindow.USER32 ref: 00007FF6BC71B4A8

Strings

fRt 1), xrefs: 00007FF6BC71B3C2

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: Window$Rect$Points$Move
String ID: fRt 1)
API String ID: 1829183498-1967341498
Opcode ID: d853eb77c1993bc72c43a56b7ffb0fd35e61071e5af087d4e7a00167afceb475
Instruction ID: 5f58d159de64ba5c6903b3c4d1bb4fb44482e18f0bbdfd40a68dcbf67c607fa3
Opcode Fuzzy Hash: d853eb77c1993bc72c43a56b7ffb0fd35e61071e5af087d4e7a00167afceb475
Instruction Fuzzy Hash: 25214F716285968BDB548B3EE450669BBA0FB89B85F449130EF5E87B54DF3CEA04CF00

Function 00007FF6BC71D920 Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6BC71D946
GetWindowTextLengthW.USER32 ref: 00007FF6BC71D95C
GetWindowTextW.USER32 ref: 00007FF6BC71D9A1
GetTextExtentPoint32W.GDI32 ref: 00007FF6BC71D9BB
MoveWindow.USER32 ref: 00007FF6BC71D9F8

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: TextWindow$ExtentLengthMovePoint32
String ID:
API String ID: 2192411186-0
Opcode ID: c1693cb014175f5d756a270371ebaa844625c5a66db525acb07682540776ffab
Instruction ID: 507ce0d042235e109d0239f1baaac85aa6ce9493ff3c38f27eee2b05d6e0869d
Opcode Fuzzy Hash: c1693cb014175f5d756a270371ebaa844625c5a66db525acb07682540776ffab
Instruction Fuzzy Hash: 3C213B36609A4187DB00CF2AA8145B9BBA1F78EFD5F484235EF9E8B795DF38D1058B40

Function 00007FF6BC71F6F4 Relevance: 7.6, APIs: 5, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

InterlockedPopEntrySList.KERNEL32(?,?,?,00007FF6BC71F997,?,?,00000000,00007FF6BC715294), ref: 00007FF6BC71F71A

Part of subcall function 00007FF6BC71F7DC: GetProcessHeap.KERNEL32(?,?,?,00007FF6BC71F70F,?,?,?,00007FF6BC71F997,?,?,00000000,00007FF6BC715294), ref: 00007FF6BC71F7F8
Part of subcall function 00007FF6BC71F7DC: HeapAlloc.KERNEL32(?,?,?,00007FF6BC71F70F,?,?,?,00007FF6BC71F997,?,?,00000000,00007FF6BC715294), ref: 00007FF6BC71F810
Part of subcall function 00007FF6BC71F7DC: GetProcessHeap.KERNEL32(?,?,?,00007FF6BC71F70F,?,?,?,00007FF6BC71F997,?,?,00000000,00007FF6BC715294), ref: 00007FF6BC71F82E
Part of subcall function 00007FF6BC71F7DC: HeapFree.KERNEL32(?,?,?,00007FF6BC71F70F,?,?,?,00007FF6BC71F997,?,?,00000000,00007FF6BC715294), ref: 00007FF6BC71F842

VirtualAlloc.KERNEL32(?,?,?,00007FF6BC71F997,?,?,00000000,00007FF6BC715294), ref: 00007FF6BC71F74D
InterlockedPopEntrySList.KERNEL32(?,?,?,00007FF6BC71F997,?,?,00000000,00007FF6BC715294), ref: 00007FF6BC71F76E
VirtualFree.KERNEL32(?,?,?,00007FF6BC71F997,?,?,00000000,00007FF6BC715294), ref: 00007FF6BC71F78D
InterlockedPushEntrySList.KERNEL32(?,?,?,00007FF6BC71F997,?,?,00000000,00007FF6BC715294), ref: 00007FF6BC71F7AF

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: Heap$EntryInterlockedList$AllocFreeProcessVirtual$Push
String ID:
API String ID: 2531268086-0
Opcode ID: d296f0fe4961c95ed08eb5d4380052970f27871fef40dc15be9dffc1221b50f0
Instruction ID: a5d4862b4f2a069197b14f7f1d59e797371cef3bb288214903ac658ef37ae7c0
Opcode Fuzzy Hash: d296f0fe4961c95ed08eb5d4380052970f27871fef40dc15be9dffc1221b50f0
Instruction Fuzzy Hash: EA214521A19B5686FA159B7EE420179A790FF8AF90F499135CB0ECB750DF3CE6408750

Function 00007FF6BC71F91C Relevance: 7.5, APIs: 5, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,00000000,00007FF6BC715294), ref: 00007FF6BC71F922
HeapAlloc.KERNEL32(?,?,00000000,00007FF6BC715294), ref: 00007FF6BC71F93A
DecodePointer.KERNEL32(?,?,00000000,00007FF6BC715294), ref: 00007FF6BC71F962
GetProcessHeap.KERNEL32(?,?,00000000,00007FF6BC715294), ref: 00007FF6BC71F9A0
HeapFree.KERNEL32(?,?,00000000,00007FF6BC715294), ref: 00007FF6BC71F9B4

Part of subcall function 00007FF6BC71FC04: LoadLibraryExA.KERNEL32(?,?,00000000,00007FF6BC71F975,?,?,00000000,00007FF6BC715294), ref: 00007FF6BC71FC19

Part of subcall function 00007FF6BC71F6F4: InterlockedPopEntrySList.KERNEL32(?,?,?,00007FF6BC71F997,?,?,00000000,00007FF6BC715294), ref: 00007FF6BC71F71A

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: Heap$Process$AllocDecodeEntryFreeInterlockedLibraryListLoadPointer
String ID:
API String ID: 1550753294-0
Opcode ID: db8cca7276de10053edb699f8cb4e8d03232566dfa5a8fe2afb51f2de96b0956
Instruction ID: 87ccaeaffe3bf6ffd616163328e9545fe72c3a1bc0db0d63deb0007accf10ab9
Opcode Fuzzy Hash: db8cca7276de10053edb699f8cb4e8d03232566dfa5a8fe2afb51f2de96b0956
Instruction Fuzzy Hash: 05113321A19B5797EB15AB6E9430178AFE5EF4AB41F098135CB0ECA350DF3CEA848750

Function 00007FF6BC711D00 Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,00007FF6BC711953), ref: 00007FF6BC711D1E

Part of subcall function 00007FF6BC711BF8: free.MSVCRT ref: 00007FF6BC711C51
Part of subcall function 00007FF6BC711BF8: free.MSVCRT ref: 00007FF6BC711C6A

LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF6BC711953), ref: 00007FF6BC711D36
DeleteCriticalSection.KERNEL32(?,?,00000000,00007FF6BC711953), ref: 00007FF6BC711D4F
free.MSVCRT ref: 00007FF6BC711D6D
free.MSVCRT ref: 00007FF6BC711D87

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: free$CriticalSection$DeleteEnterLeave
String ID:
API String ID: 3880800478-0
Opcode ID: 45cd7fc0d88c7475b441ccf9348f0eec5900d0605fa82b777ce22087e7d42000
Instruction ID: 583fdc97cb8646d57a738233cb2e2ef754992f0b93c7bb051f57e576ec381b19
Opcode Fuzzy Hash: 45cd7fc0d88c7475b441ccf9348f0eec5900d0605fa82b777ce22087e7d42000
Instruction Fuzzy Hash: C4114F32614A92DBEB048F29D0A537CBB60FB4AF49F448130CB5E4A654CF3CD659C740

Function 00007FF6BC7136BC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 125stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC71375E
CoTaskMemFree.API-MS-WIN-CORE-COM-L1-1-0(?,00000000,?,?,00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC71384C

Part of subcall function 00007FF6BC712E8C: lstrcmpiW.KERNEL32(?,?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000,?), ref: 00007FF6BC712F0E
Part of subcall function 00007FF6BC712E8C: lstrcmpiW.KERNEL32(?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC712F2F
Part of subcall function 00007FF6BC712E8C: lstrcmpiW.KERNEL32(?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000,?,?,00000000,00000000,?,00007FF6BC7139F6), ref: 00007FF6BC712FB2

CharNextW.USER32(?,?,00000002,?,?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000), ref: 00007FF6BC713828

Strings

fRt 1), xrefs: 00007FF6BC712EAE, 00007FF6BC7136D9

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: lstrcmpi$CharFreeNextTask
String ID: fRt 1)
API String ID: 1985931122-1967341498
Opcode ID: 2505f4c42a60053815f7288d65b686d317b6ada75733889c74faae781fe5974a
Instruction ID: a1f6db1c5978940ee873f497b3150131ae43696aa33b9d882e15fb33a06d6bf7
Opcode Fuzzy Hash: 2505f4c42a60053815f7288d65b686d317b6ada75733889c74faae781fe5974a
Instruction Fuzzy Hash: CC41A062F087A287FB205B1EA864679A7A4FB49B80F409031DF4D87B45DF3CEA41C310

Function 00007FF6BC717B38 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF6BC717B6F

Part of subcall function 00007FF6BC71922C: GetDisplayConfigBufferSizes.USER32 ref: 00007FF6BC719290

DisplayConfigGetDeviceInfo.USER32 ref: 00007FF6BC717BB4

Strings

, xrefs: 00007FF6BC717BAC
fRt 1), xrefs: 00007FF6BC717B4F

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: ConfigDisplay$BufferDeviceInfoSizesmemset
String ID: $fRt 1)
API String ID: 4257415688-1663516329
Opcode ID: a3a2e229b9deeafa57497ce574d3fa45393e5bfdbfaa5e1f11468031fb68ff97
Instruction ID: 059b2bd757f8f31c9825875e32dea12d68b1220d5273b1eb853bc9d0753c8a02
Opcode Fuzzy Hash: a3a2e229b9deeafa57497ce574d3fa45393e5bfdbfaa5e1f11468031fb68ff97
Instruction Fuzzy Hash: 98214B32708B9686EB209B2DE46036AB7E4FB88744F504136EB9DC3655DF7CEA058B40

Function 00007FF6BC71AE28 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BC719628: GetWindowLongPtrW.USER32 ref: 00007FF6BC71963E
Part of subcall function 00007FF6BC719628: EnumChildWindows.USER32 ref: 00007FF6BC71968F
Part of subcall function 00007FF6BC719628: EnumChildWindows.USER32 ref: 00007FF6BC7196DE

GetDlgItem.USER32 ref: 00007FF6BC71AEC6
SetWindowTextW.USER32 ref: 00007FF6BC71AED9

Strings

strg, xrefs: 00007FF6BC71AEAE
fRt 1), xrefs: 00007FF6BC71AE3F

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: ChildEnumWindowWindows$ItemLongText
String ID: fRt 1)$strg
API String ID: 2822888986-3294959808
Opcode ID: 852a61d4e620c2b1a17f04eafa77e09c3eb1f4200b5a6c68634e2b02e2252a0a
Instruction ID: 4812e1de641318e58eb539e72d614603c5f62a2e6d86ec9dd38b561aad4c5896
Opcode Fuzzy Hash: 852a61d4e620c2b1a17f04eafa77e09c3eb1f4200b5a6c68634e2b02e2252a0a
Instruction Fuzzy Hash: C2212532B14A568AEB00CF6AE8501AC77B5FB49B88F444139DF1C97B08CF38E651CB40

Function 00007FF6BC71E50C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53windowCOMMON

Download Yara Rule

APIs

EventWrite.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00007FF6BC71E749), ref: 00007FF6BC71E577
MessageBoxW.USER32 ref: 00007FF6BC71E5C3

Strings

fRt 1), xrefs: 00007FF6BC71E51B
strg, xrefs: 00007FF6BC71E5CF

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: EventMessageWrite
String ID: fRt 1)$strg
API String ID: 2344367845-3294959808
Opcode ID: f7f4fc336de24d43ba5f6c6d845824287026bcdd3a9ef2e8057735fe543ca7ba
Instruction ID: f75d6739945306b4613633aa3cb1e8590b56798230678a0adc0d30dd07a1cae6
Opcode Fuzzy Hash: f7f4fc336de24d43ba5f6c6d845824287026bcdd3a9ef2e8057735fe543ca7ba
Instruction Fuzzy Hash: F2217431618A5582EA108F1DF46416ABBB0FB89B94F444231EBAD8B7A4DF3CD2418B40

Function 00007FF6BC71E43C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF6BC71E481
RegSetValueExW.ADVAPI32 ref: 00007FF6BC71E4AF
RegCloseKey.ADVAPI32 ref: 00007FF6BC71E4C7

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\DCCW\Simulator, xrefs: 00007FF6BC71E470

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: CloseOpenValue
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\DCCW\Simulator
API String ID: 779948276-1252446219
Opcode ID: b5da6085f2d64a0a0ada41293d81bd7aca40904baa9a4b265a8a6e988cc5638b
Instruction ID: 458b3550be9728f6d97973711d6712f8d79714c628ee5f1066107d0e432eb839
Opcode Fuzzy Hash: b5da6085f2d64a0a0ada41293d81bd7aca40904baa9a4b265a8a6e988cc5638b
Instruction Fuzzy Hash: 8111B232714B9086D7008B1AF854729B7A8FB49BD0F554131EFAC87714DF79D944C700

Function 00007FF6BC71B874 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BC715A14: GetDlgItem.USER32 ref: 00007FF6BC715A4A
Part of subcall function 00007FF6BC715A14: GetDlgItem.USER32 ref: 00007FF6BC715AA7

GetDlgItem.USER32 ref: 00007FF6BC71B8A6
GetDlgItem.USER32 ref: 00007FF6BC71B8C7
GetWindowRect.USER32(?,?,?,?,?,?,?,00007FF6BC71A023), ref: 00007FF6BC71B8EB

Strings

fRt 1), xrefs: 00007FF6BC71B87E

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: Item$RectWindow
String ID: fRt 1)
API String ID: 3676387299-1967341498
Opcode ID: b2514bd4a331ad49d821909f22d79921733673efac123469af8e30cfc6b050bc
Instruction ID: 7ddb9e9144bff871e1e2254537f5555a57dd2a1e05f4d6b2ab8f50c084efe318
Opcode Fuzzy Hash: b2514bd4a331ad49d821909f22d79921733673efac123469af8e30cfc6b050bc
Instruction Fuzzy Hash: 5D113371609B82D7EA548B1DE46026DBBA0FF89B64F044634DBAD87794DF3CE5618B00

Function 00007FF6BC7178C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetMonitorInfoW.USER32 ref: 00007FF6BC7178F7
CreateDCW.GDI32 ref: 00007FF6BC717917

Strings

h, xrefs: 00007FF6BC7178EF
fRt 1), xrefs: 00007FF6BC7178CD

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: CreateInfoMonitor
String ID: fRt 1)$h
API String ID: 3263162237-1528038527
Opcode ID: 6ba843ee36406657eaea8e5f0b9d036495acd5a989d86a4cceeda31b6847bf78
Instruction ID: 163e460da213081f43eb0413abc3f682f63e251e93417a63b0af0aa23ce90a6a
Opcode Fuzzy Hash: 6ba843ee36406657eaea8e5f0b9d036495acd5a989d86a4cceeda31b6847bf78
Instruction Fuzzy Hash: A8011A23608B8587EA609F19F5613AAB7A4FB9A784F855135CB8D86A14CF3CD258CA00

Function 00007FF6BC711DE0 Relevance: 6.2, APIs: 4, Instructions: 195COMMON

Download Yara Rule

APIs

memcpy_s.MSVCRT ref: 00007FF6BC711E94
memcpy_s.MSVCRT ref: 00007FF6BC711ED4

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 984e15d3f6d58c3db374fb7819415dd98e0202ca8e3c7aa63692510e6444bbc9
Instruction ID: d93cc295562198ac634bbec9cf4daac9cf07e63cdc2a2963a3fb6fdb8477893f
Opcode Fuzzy Hash: 984e15d3f6d58c3db374fb7819415dd98e0202ca8e3c7aa63692510e6444bbc9
Instruction Fuzzy Hash: 9351F225A19B5287EE249F1EE464279A7A4EF4ABD0F184534EF5DCBB95CF3CE6408300

Function 00007FF6BC719B40 Relevance: 6.1, APIs: 4, Instructions: 101threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF6BC719B6B
EnterCriticalSection.KERNEL32 ref: 00007FF6BC719B81
LeaveCriticalSection.KERNEL32 ref: 00007FF6BC719BA6
SetWindowLongPtrW.USER32 ref: 00007FF6BC719C5E

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveLongThreadWindow
String ID:
API String ID: 3550545212-0
Opcode ID: 66c63f4ec5f38d52d2f1e18288e5d3978d2b9e7677e0354247e7a029493c451f
Instruction ID: 4b9c2789a30a6a6907563993193f1be5aeab79f46b3b00437925240be87e02f3
Opcode Fuzzy Hash: 66c63f4ec5f38d52d2f1e18288e5d3978d2b9e7677e0354247e7a029493c451f
Instruction Fuzzy Hash: 1C316D31A18B5686EA149F2EA860178B7A4FB8AFC0F594035CF5D87794DE3CE642C300

Function 00007FF6BC71F140 Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6BC719628: GetWindowLongPtrW.USER32 ref: 00007FF6BC71963E
Part of subcall function 00007FF6BC719628: EnumChildWindows.USER32 ref: 00007FF6BC71968F
Part of subcall function 00007FF6BC719628: EnumChildWindows.USER32 ref: 00007FF6BC7196DE

GetWindowLongW.USER32 ref: 00007FF6BC71F1C2
GetParent.USER32 ref: 00007FF6BC71F1D7

Part of subcall function 00007FF6BC720524: CoCreateInstance.API-MS-WIN-CORE-COM-L1-1-0 ref: 00007FF6BC720557
Part of subcall function 00007FF6BC720524: SysAllocString.OLEAUT32 ref: 00007FF6BC720570
Part of subcall function 00007FF6BC720524: WinSqmAddToStream.NTDLL ref: 00007FF6BC7205B2
Part of subcall function 00007FF6BC720524: SysFreeString.OLEAUT32 ref: 00007FF6BC7205EF

GetWindow.USER32 ref: 00007FF6BC71F1EA
ShowWindow.USER32 ref: 00007FF6BC71F204

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: Window$ChildEnumLongStringWindows$AllocCreateFreeInstanceParentShowStream
String ID:
API String ID: 4193537704-0
Opcode ID: fcbdc9ca71afc6ad04da2f95da1fe6c578162f14402b1af35b5d41485b905bb9
Instruction ID: 136a7f7d30b0b0018eb867c4d414fceaa949814f07ddc4eda9b61200751d77e3
Opcode Fuzzy Hash: fcbdc9ca71afc6ad04da2f95da1fe6c578162f14402b1af35b5d41485b905bb9
Instruction Fuzzy Hash: 7B41C336A08791CAF6108F1EA4146BD77A4FB4AB94F558130DF59C7794DF38EA42CB40

Function 00007FF6BC71B6C0 Relevance: 6.1, APIs: 4, Instructions: 80windowtimeCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00007FF6BC71B71F
SendMessageW.USER32 ref: 00007FF6BC71B74F
SendMessageW.USER32 ref: 00007FF6BC71B7A8
SetTimer.USER32 ref: 00007FF6BC71B7C2

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: MessageSend$Timer
String ID:
API String ID: 3847069531-0
Opcode ID: 952d937b3b9c5cfe163483b8612ff935b941efc20580cbab3a38b28a3273c66c
Instruction ID: d6fdf68dc4e9f2725206de5b23bfdbff07e809cdded24d2c8cffabd877ea493e
Opcode Fuzzy Hash: 952d937b3b9c5cfe163483b8612ff935b941efc20580cbab3a38b28a3273c66c
Instruction Fuzzy Hash: 6731613670469587D700CF2EE8546BABBA0E78AF95F454035DF4D8B758CE38D941CB10

Function 00007FF6BC714F5C Relevance: 6.1, APIs: 4, Instructions: 77windowCOMMON

Download Yara Rule

APIs

CallWindowProcW.USER32 ref: 00007FF6BC714FAB
SendMessageW.USER32 ref: 00007FF6BC714FEA
DestroyWindow.USER32 ref: 00007FF6BC714FFF
SendMessageW.USER32 ref: 00007FF6BC71504C

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: MessageSendWindow$CallDestroyProc
String ID:
API String ID: 3326080945-0
Opcode ID: 1200654fa35afaf75797bd83765577c863e3610782fb01ed2173d0674c359eba
Instruction ID: a7f7fef49ee2e51fd4496cbcf30cea839dd932098d40c44b00b224955e3cf430
Opcode Fuzzy Hash: 1200654fa35afaf75797bd83765577c863e3610782fb01ed2173d0674c359eba
Instruction Fuzzy Hash: 92319232B18B528AEB648F59E06067AB7A4F785B80F154031DF4E47B50DF79E9418B40

Function 00007FF6BC718D40 Relevance: 6.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

APIs

DestroyPhysicalMonitors.DXVA2(?,?,000001F8,00007FF6BC716300), ref: 00007FF6BC718D6E
DeleteDC.GDI32 ref: 00007FF6BC718D8E
DccwReleaseDisplayProfileAssociationList.MSCMS(?,?,000001F8,00007FF6BC716300), ref: 00007FF6BC718E33
DccwReleaseDisplayProfileAssociationList.MSCMS(?,?,000001F8,00007FF6BC716300), ref: 00007FF6BC718E46

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: AssociationDccwDisplayListProfileRelease$DeleteDestroyMonitorsPhysical
String ID:
API String ID: 896183022-0
Opcode ID: 760934e03d699396dfe7a0f670bcc6449b8ebf4b5bf17b6e0d1801f9eb0fee6e
Instruction ID: 6aed045b719b4e0fb2f81848eb0a602acc5681b439336ddd434f2832700ebf70
Opcode Fuzzy Hash: 760934e03d699396dfe7a0f670bcc6449b8ebf4b5bf17b6e0d1801f9eb0fee6e
Instruction Fuzzy Hash: 7941E632514B9185E750CF28E8502EC77A9FB49F88F588136DF898BB88CF348656C760

Function 00007FF6BC71AA10 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF6BC71AABB
SetTextColor.GDI32 ref: 00007FF6BC71AAD2
SetBkMode.GDI32 ref: 00007FF6BC71AAE6
GetStockObject.GDI32 ref: 00007FF6BC71AAF7

Part of subcall function 00007FF6BC71ABE0: GetDlgItem.USER32 ref: 00007FF6BC71AC34

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: ColorItemLongModeObjectStockTextWindow
String ID:
API String ID: 3442870416-0
Opcode ID: 1f8d087893418f67aa9a7923c0f3dba43f6769cae607a8512cf14a9126b06e51
Instruction ID: 654c9b734aac6db96fd9d9f3cf61efc8eb4fcd31a72801f1ff09167760c6760d
Opcode Fuzzy Hash: 1f8d087893418f67aa9a7923c0f3dba43f6769cae607a8512cf14a9126b06e51
Instruction Fuzzy Hash: B4218631608791CAE7608F1AA41076ABBA5FB85BA5F448130DF8987794CF3CD6418B00

Function 00007FF6BC719D00 Relevance: 6.0, APIs: 4, Instructions: 49windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00007FF6BC719D16
PostMessageW.USER32 ref: 00007FF6BC719D31
GetDlgItem.USER32 ref: 00007FF6BC719D56
SendMessageW.USER32 ref: 00007FF6BC719D70

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: Message$ItemParentPostSend
String ID:
API String ID: 3857695281-0
Opcode ID: f732d57b81738436f8381d25c53ea4e0c620ded6d1b2c46fc134829a262a17e3
Instruction ID: ff34d561811a104dc043aee20ac35857fa15247896f813fb5a75c113d85916cf
Opcode Fuzzy Hash: f732d57b81738436f8381d25c53ea4e0c620ded6d1b2c46fc134829a262a17e3
Instruction Fuzzy Hash: 4C117C32708A86D7E7448B2AE4657B9BB60FB8AF89F548035CF5E87750CF38D5918740

Function 00007FF6BC720EA8 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00007FF6BC720EB3
RtlLookupFunctionEntry.NTDLL ref: 00007FF6BC720ED2
RtlVirtualUnwind.NTDLL ref: 00007FF6BC720F1F
__raise_securityfailure.LIBCMT ref: 00007FF6BC720F95

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: 5e200e1c01bc124c9eb2180146da26f8c608149072e225a40b8ebdcc3de3a973
Instruction ID: 67825dea8be035377b28785a75d92abd89e05e4cbe5ba6928afd649fb8b89db8
Opcode Fuzzy Hash: 5e200e1c01bc124c9eb2180146da26f8c608149072e225a40b8ebdcc3de3a973
Instruction Fuzzy Hash: 4421B935A09B4986E7108F18F8A07A9B3B4FB86754F541035DB9D8B764DF7DE294CB00

Function 00007FF6BC721722 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

UnregisterClassA.USER32 ref: 00007FF6BC721730
free.MSVCRT ref: 00007FF6BC721758
DeleteCriticalSection.KERNEL32 ref: 00007FF6BC721781
free.MSVCRT ref: 00007FF6BC7217A0

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: free$ClassCriticalDeleteSectionUnregister
String ID:
API String ID: 46291987-0
Opcode ID: 8b446e1c58f0a2a6c8cb766c3dfc84a308263afb6678daee419b153277a9abc1
Instruction ID: 0e38250e35e15ebcdf01ce350cb2b33ffba95712649e2de7cdbe98bf186c054f
Opcode Fuzzy Hash: 8b446e1c58f0a2a6c8cb766c3dfc84a308263afb6678daee419b153277a9abc1
Instruction Fuzzy Hash: 6111FE31A19A468BE7008B1AE4A43747760FF57766F481134C76ECE2A4DF7DA6448700

Function 00007FF6BC71FAA8 Relevance: 6.0, APIs: 4, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

InterlockedPushEntrySList.KERNEL32(?,?,?,00007FF6BC715229), ref: 00007FF6BC71FACE
DecodePointer.KERNEL32(?,?,?,00007FF6BC715229), ref: 00007FF6BC71FAEC
GetProcessHeap.KERNEL32(?,?,?,00007FF6BC715229), ref: 00007FF6BC71FB0E
HeapFree.KERNEL32(?,?,?,00007FF6BC715229), ref: 00007FF6BC71FB22

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: Heap$DecodeEntryFreeInterlockedListPointerProcessPush
String ID:
API String ID: 815838099-0
Opcode ID: ef3aa70d54d759817c3593ffa80fcac5a0a57ce52dda818df6f546d7609f0b82
Instruction ID: e000c1128a19fae7a8f78c7d3285ad1d9abd576ffb8d21afcb1c2a0a87578647
Opcode Fuzzy Hash: ef3aa70d54d759817c3593ffa80fcac5a0a57ce52dda818df6f546d7609f0b82
Instruction Fuzzy Hash: FA011261909546C7FB159B6ED834178A7A1FF8AB41F188031CB0EC92A0CF3CEA81C640

Function 00007FF6BC71F2C0 Relevance: 6.0, APIs: 4, Instructions: 25windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00007FF6BC71F2CD
PostMessageW.USER32 ref: 00007FF6BC71F2EA
GetParent.USER32 ref: 00007FF6BC71F2FA
SendMessageW.USER32 ref: 00007FF6BC71F318

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: MessageParent$PostSend
String ID:
API String ID: 2241083247-0
Opcode ID: 7bea99c9abf0adcca23cf8905648386d8a1d22ce1bad1a89d8c639bf77f946db
Instruction ID: e34aa8a6e2912c1d6c95e4b7562d1509a24fea1639686636e3869209e46edaf8
Opcode Fuzzy Hash: 7bea99c9abf0adcca23cf8905648386d8a1d22ce1bad1a89d8c639bf77f946db
Instruction Fuzzy Hash: C5F0FE71615945DBE7005B55E825678AF60FB9FF49F499130DF4E87710CF3C85868B40

Function 00007FF6BC7198C0 Relevance: 6.0, APIs: 4, Instructions: 25windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00007FF6BC7198CD
PostMessageW.USER32 ref: 00007FF6BC7198EA
GetParent.USER32 ref: 00007FF6BC7198FA
SendMessageW.USER32 ref: 00007FF6BC719918

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: MessageParent$PostSend
String ID:
API String ID: 2241083247-0
Opcode ID: 24c5a789098b731075dc03a80d2238898d2c43ad0da075f53a215b9c85bb989d
Instruction ID: 4472b6bdc8b02476bb0aeff89ffcf9dbed2303128b34927ef237171f96eed690
Opcode Fuzzy Hash: 24c5a789098b731075dc03a80d2238898d2c43ad0da075f53a215b9c85bb989d
Instruction Fuzzy Hash: 51F0FE71615945DBE7005B55E824678AF64FB9FF49F499130DF4E87710CF3C85868B40

Function 00007FF6BC7120F4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

CoTaskMemRealloc.API-MS-WIN-CORE-COM-L1-1-0(?,?,?,?,?,00007FF6BC712306,?,?,00000000,?,?,00000000,00000000,00007FF6BC713804,?,00000000), ref: 00007FF6BC712164
memcpy_s.MSVCRT ref: 00007FF6BC7121A8

Strings

fRt 1), xrefs: 00007FF6BC712244

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: ReallocTaskmemcpy_s
String ID: fRt 1)
API String ID: 2795195975-1967341498
Opcode ID: 728fb521fc1f2e8d419dfdd8d9b6aa8224949cfc1aac56b6021d205d8cc08c93
Instruction ID: 97921a265236c9bc952f4b167d57765f01cf8c61aab475d0efbff9dc39c98abd
Opcode Fuzzy Hash: 728fb521fc1f2e8d419dfdd8d9b6aa8224949cfc1aac56b6021d205d8cc08c93
Instruction Fuzzy Hash: 0941B322B0465297EB14CF5DD9A027C63A0EB49BA5F14853ADF1DC7795DE38EAA18300

Function 00007FF6BC71CB40 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

EventWrite.ADVAPI32 ref: 00007FF6BC71CD90

Strings

strg, xrefs: 00007FF6BC71CD9C
fRt 1), xrefs: 00007FF6BC71CB5D

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: EventWrite
String ID: fRt 1)$strg
API String ID: 2971232827-3294959808
Opcode ID: 924c9954dad6284f97d1bf93618481a05af1498efd2aea678fde0d9f41d0004f
Instruction ID: f549d40074444e71a2192cf1c98c04ce3a7356f9242920ca10bcc858b651f319
Opcode Fuzzy Hash: 924c9954dad6284f97d1bf93618481a05af1498efd2aea678fde0d9f41d0004f
Instruction Fuzzy Hash: F0611836604F8599EB60CF29E8903EA37A4F748B48F541136CB9C8B7A8DF39D245CB00

Function 00007FF6BC71A3E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

EventWrite.ADVAPI32 ref: 00007FF6BC71A58E

Part of subcall function 00007FF6BC71B5A0: EventWrite.ADVAPI32 ref: 00007FF6BC71B679

Strings

strg, xrefs: 00007FF6BC71A59A
fRt 1), xrefs: 00007FF6BC71A3FE

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: EventWrite
String ID: fRt 1)$strg
API String ID: 2971232827-3294959808
Opcode ID: 0abfb52bc590658364f266ec1905afc0d88fc6d4dc44940ff25638c491dda9d1
Instruction ID: a6d6a3c31237afa74abe3356be3a5de089673142800f9a9a51872a8cad1142e1
Opcode Fuzzy Hash: 0abfb52bc590658364f266ec1905afc0d88fc6d4dc44940ff25638c491dda9d1
Instruction Fuzzy Hash: 0C514E36604F8589EB20CF29E8543EA37A4FB48B98F540236DB5C8B798DF39D645CB00

Function 00007FF6BC71B5A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

EventWrite.ADVAPI32 ref: 00007FF6BC71B679

Strings

strg, xrefs: 00007FF6BC71B5E0
fRt 1), xrefs: 00007FF6BC71B5B2

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: EventWrite
String ID: fRt 1)$strg
API String ID: 2971232827-3294959808
Opcode ID: 7712e33f6c9ecaca0f6b512fcdd7c5736550fe698e494bdd79443ce4307c1f61
Instruction ID: 7872bff2a9ef62778b4a25a5df9a6846b60f1c8fda6d13b5edfd6afcfc140978
Opcode Fuzzy Hash: 7712e33f6c9ecaca0f6b512fcdd7c5736550fe698e494bdd79443ce4307c1f61
Instruction Fuzzy Hash: D031F772B04B1699EB00CB69D8602AD77B4BB58B98F540236CF2D977A8DF38D245C740

Function 00007FF6BC715920 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

EventWrite.ADVAPI32 ref: 00007FF6BC7159AF

Strings

strg, xrefs: 00007FF6BC7159BB
fRt 1), xrefs: 00007FF6BC715924

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: EventWrite
String ID: fRt 1)$strg
API String ID: 2971232827-3294959808
Opcode ID: 059b31899c832e4a1c3ca13a35e82460b859c697ea3d3eff519d509b95b48207
Instruction ID: c1f3a8f6214cf71405172ccbc3fc94ea76ead9281433b52876b9f1aa9d437f0e
Opcode Fuzzy Hash: 059b31899c832e4a1c3ca13a35e82460b859c697ea3d3eff519d509b95b48207
Instruction Fuzzy Hash: D111A731A18A4686EA60CB1DE461169B770FB99764F400232DBADC77A4DF3DD301CB00

Function 00007FF6BC719A20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00007FF6BC719A3D
MapWindowPoints.USER32 ref: 00007FF6BC719A5E

Strings

fRt 1), xrefs: 00007FF6BC719A26

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: Window$PointsRect
String ID: fRt 1)
API String ID: 83551929-1967341498
Opcode ID: d23c44b5e9fd1836d14184b6333dc7a258be3239e40f8e806cb5aa9db7607f54
Instruction ID: 22ff7d18b414df184e2ab4879ec4d1417d07c6423162cd8bdae3ee51abb7d174
Opcode Fuzzy Hash: d23c44b5e9fd1836d14184b6333dc7a258be3239e40f8e806cb5aa9db7607f54
Instruction Fuzzy Hash: 38017572A18A8687EB608F29D8217B977A0FB49B49F049531DF4E8A354EF3CD644CB10

Function 00007FF6BC71C54C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetDeviceGammaRamp.GDI32 ref: 00007FF6BC71C585
SetDeviceGammaRamp.GDI32 ref: 00007FF6BC71C59E

Strings

fRt 1), xrefs: 00007FF6BC71C559

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: DeviceGammaRamp
String ID: fRt 1)
API String ID: 982816047-1967341498
Opcode ID: b60c0378e74a21a047e839b6486dc3643ce2f72ff769aecc7d321cc621edc6a2
Instruction ID: b00f4efcfd72a9c869769d12e3a899e9099541435a7f08cf1efa52d98c689237
Opcode Fuzzy Hash: b60c0378e74a21a047e839b6486dc3643ce2f72ff769aecc7d321cc621edc6a2
Instruction Fuzzy Hash: A1016232714A8586EB608F29E4213AAB7A1FBCDB84F844131CB4D8B654DF3DD615CB44

Function 00007FF6BC711BF8 Relevance: 5.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF6BC711C51
free.MSVCRT ref: 00007FF6BC711C6A
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00007FF6BC711D33,?,?,00000000,00007FF6BC711953), ref: 00007FF6BC711CC4
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00007FF6BC711D33,?,?,00000000,00007FF6BC711953), ref: 00007FF6BC711CDE

Memory Dump Source

Source File: 00000000.00000002.1514843063.00007FF6BC711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6BC710000, based on PE: true

Associated: 00000000.00000002.1514821011.00007FF6BC710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514870707.00007FF6BC722000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514888762.00007FF6BC729000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1514905406.00007FF6BC72A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6bc710000_eVirFdGeXm.jbxd

Similarity

API ID: CriticalSectionfree$EnterLeave
String ID:
API String ID: 2088343094-0
Opcode ID: e68614f39c478d410cc6f70b69c0e32401fcef85c15813319dc20719b095f813
Instruction ID: bfd0ce8c97b72b71ddfd9da0900c1bd9beec78406ba01b0f50ee991ba79d9415
Opcode Fuzzy Hash: e68614f39c478d410cc6f70b69c0e32401fcef85c15813319dc20719b095f813
Instruction Fuzzy Hash: 4F214A32A14A5187EB048F69E0A037DA7A0FF89F88F458131DB5E9B755CF38D9518740

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report eVirFdGeXm.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: eVirFdGeXm.exePID: 4668, Parent PID: 4084

General

Chronological Activities

Disassembly

Analysis Process: eVirFdGeXm.exePID: 4668, Parent PID: 4084COMMON

Execution Graph

Graph

Executed Functions

Function 00007FF6BC714120 Relevance: 40.9, APIs: 16, Strings: 7, Instructions: 603synchronizationwindowregistryCOMMON

Control-flow Graph

Function 00007FF6BC711170 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 279memorythreadCOMMON

Control-flow Graph

Function 00007FF6BC7208F0 Relevance: 10.6, APIs: 7, Instructions: 143sleepCOMMON

Windows Analysis Report
eVirFdGeXm.exe

Function 00007FF6BC714120 Relevance: 40.9, APIs: 16, Strings: 7, Instructions: 603
synchronizationwindowregistryCOMMON

Function 00007FF6BC711170 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 279
memorythreadCOMMON

Function 00007FF6BC7208F0 Relevance: 10.6, APIs: 7, Instructions: 143
sleepCOMMON

Function 00007FF6BC71EF88 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 55
registryCOMMON

Function 00007FF6BC711638 Relevance: 7.6, APIs: 5, Instructions: 60
threadCOMMON

Function 00007FF6BC719468 Relevance: 3.1, APIs: 2, Instructions: 64
COMMON

Function 00007FF6BC720234 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 00007FF6BC7208A0 Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Function 00007FF6BC72076C Relevance: 1.3, APIs: 1, Instructions: 19
COMMON

Function 00007FF6BC71EBC4 Relevance: 47.5, APIs: 24, Strings: 3, Instructions: 242
windowCOMMON

Function 00007FF6BC71388C Relevance: 33.6, APIs: 14, Strings: 5, Instructions: 344
libraryCOMMON

Function 00007FF6BC71E884 Relevance: 31.7, APIs: 21, Instructions: 219
memorywindowCOMMON

Function 00007FF6BC716390 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 236
COMMON

Function 00007FF6BC7172B0 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 181
fileCOMMON