
Analysis Report SecuriteInfo.com.Trojan.GenericKD.45695593.9197.12080

Overview

General Information

Sample Name:SecuriteInfo.com.Trojan.GenericKD.45695593.9197.12080 (renamed file extension from 12080 to exe)
Analysis ID:356835
MD5:bb663ffdda23f4277af1d261ac43a88e
SHA1:8f4e7653ba71af974226415ed512f44a6168abcc
SHA256:145539dcc07505d1a41913332a55d78398f93c35d7332346e6a58c2006a79714

Detection

Raccoon
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Yara detected Raccoon Stealer
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe PID: 472 | JoeSecurity_Raccoon | Yara detected Raccoon Stealer | Joe Security | (none listed)

    Sigma Overview

    No Sigma rule has matched

    Signature Overview


    AV Detection:

    Multi AV Scanner detection for submitted file
    Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Metadefender: Detection: 29%
    Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | ReversingLabs: Detection: 89%
    Yara detected Raccoon Stealer
    Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe PID: 472, type: MEMORY
    Machine Learning detection for sample
    Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Joe Sandbox ML: detected
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: 0_2_0040A1F6 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,LocalAlloc,BCryptDecrypt,BCryptCloseAlgorithmProvider,BCryptDestroyKey,0_2_0040A1F6
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: 0_2_004245C3 CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree,0_2_004245C3
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: 0_2_00424796 lstrlenW,lstrlenW,lstrlenW,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree,0_2_00424796
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: 0_2_0040A7BA GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,0_2_0040A7BA
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: 0_2_0040C9A1 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree,0_2_0040C9A1

    Compliance:

    Detected unpacking (overwrites its own PE header)
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Unpacked PE file: 0.2.SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe.400000.0.unpack
    Uses 32bit PE files
    Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
    Uses new MSVCR Dlls
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
    Uses secure TLS version for HTTPS connections
    Source: unknown | HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.4:49727 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.199.58:443 -> 192.168.2.4:49728 version: TLS 1.2
    Binary contains paths to debug symbols
    Source: Binary string: msvcrt.pdbk source: WerFault.exe, 00000005.00000003.660730906.00000000055D2000.00000004.00000040.sdmp
    Source: Binary string: ktmw32.pdb~p source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.660759508.0000000005441000.00000004.00000001.sdmp
    Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000005.00000003.660759508.0000000005441000.00000004.00000001.sdmp
    Source: Binary string: ktmw32.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: dnsapi.pdbN source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000005.00000003.660730906.00000000055D2000.00000004.00000040.sdmp
    Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000005.00000003.660730906.00000000055D2000.00000004.00000040.sdmp
    Source: Binary string: wntdll.pdb source: WerFault.exe, 00000005.00000003.660759508.0000000005441000.00000004.00000001.sdmp
    Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000005.00000003.660730906.00000000055D2000.00000004.00000040.sdmp
    Source: Binary string: shcore.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: winnsi.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000005.00000003.660759508.0000000005441000.00000004.00000001.sdmp
    Source: Binary string: advapi32.pdb source: WerFault.exe, 00000005.00000003.660759508.0000000005441000.00000004.00000001.sdmp
    Source: Binary string: fltLib.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000005.00000003.660730906.00000000055D2000.00000004.00000040.sdmp
    Source: Binary string: wmswsock.pdbbp source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: shell32.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: mskeyprotect.pdb_ source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: msvcr100.i386.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: schannel.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000005.00000003.660759508.0000000005441000.00000004.00000001.sdmp
    Source: Binary string: winnsi.pdb2 source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000005.00000003.660759508.0000000005441000.00000004.00000001.sdmp
    Source: Binary string: userenv.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: wimm32.pdb source: WerFault.exe, 00000005.00000003.660800358.00000000055D0000.00000004.00000040.sdmp
    Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000005.00000003.660759508.0000000005441000.00000004.00000001.sdmp
    Source: Binary string: schannel.pdb, source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: dhcpcsvc.pdb4 source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: winhttp.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: ntasn1.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: shcore.pdbdp source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: profapi.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000005.00000003.660759508.0000000005441000.00000004.00000001.sdmp
    Source: Binary string: sechost.pdb source: WerFault.exe, 00000005.00000003.660730906.00000000055D2000.00000004.00000040.sdmp
    Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: nsi.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: fltLib.pdbhp source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: webio.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: powrprof.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000005.00000003.660730906.00000000055D2000.00000004.00000040.sdmp
    Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: ole32.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: bcrypt.pdbpp source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: msasn1.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000005.00000003.660800358.00000000055D0000.00000004.00000040.sdmp
    Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000005.00000003.660800358.00000000055D0000.00000004.00000040.sdmp
    Source: Binary string: sechost.pdbk source: WerFault.exe, 00000005.00000003.660730906.00000000055D2000.00000004.00000040.sdmp
    Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000005.00000003.660800358.00000000055D0000.00000004.00000040.sdmp
    Source: Binary string: combase.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000005.00000003.660800358.00000000055D0000.00000004.00000040.sdmp
    Source: Binary string: ncrypt.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: dpapi.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: apphelp.pdb source: WerFault.exe, 00000005.00000003.660759508.0000000005441000.00000004.00000001.sdmp
    Source: Binary string: wuser32.pdb source: WerFault.exe, 00000005.00000003.660759508.0000000005441000.00000004.00000001.sdmp
    Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: Binary string: crypt32.pdb source: WerFault.exe, 00000005.00000003.660811839.00000000055D9000.00000004.00000040.sdmp
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: 0_2_0043E217 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,0_2_0043E217
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: 0_2_0043E387 GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose,0_2_0043E387
    Source: Joe Sandbox View | IP Address: 195.201.225.248 195.201.225.248
    Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
    Source: unknown | DNS traffic detected: queries for: telete.in
    Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: 0_2_004266C0 GdiplusStartup,GetDesktopWindow,GetWindowRect,GetWindowDC,GetDeviceCaps,CreateCompatibleDC,CreateDIBSection,DeleteDC,DeleteDC,DeleteDC,SaveDC,SelectObject,BitBlt,RestoreDC,DeleteDC,DeleteDC,DeleteDC,GdipAlloc,GdipCreateBitmapFromHBITMAP,_mbstowcs,GdipSaveImageToFile,DeleteObject,GdiplusShutdown,0_2_004266C0

    E-Banking Fraud:

    Yara detected Raccoon Stealer
    Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe PID: 472, type: MEMORY
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: 0_2_0042693B
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: 0_2_00414B7F
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: 0_2_0045A249
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: 0_2_0044824A
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: 0_2_0044A210
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: 0_2_0045A369
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: 0_2_0041A4E6
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: 0_2_004644EB
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: 0_2_004144A8
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: 0_2_0042865E
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: 0_2_004187C0
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: 0_2_0040A7BA
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: 0_2_0042495F
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: 0_2_00412930
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: 0_2_0043C990
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: 0_2_0040C9A1
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: 0_2_00436ACF
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: 0_2_00442BF0
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: String function: 004102CD appears 47 times
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: String function: 0043FC0D appears 47 times
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: String function: 0044EE89 appears 33 times
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: String function: 004677E0 appears 74 times
    Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 684
    Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, 00000000.00000002.675310906.0000000004170000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe
    Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, 00000000.00000002.675301791.0000000004160000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe
    Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe, 00000000.00000002.675152667.00000000040A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe
    Source: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: classification engine | Classification label: mal76.troj.evad.winEXE@2/4@2/3
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: 0_2_00438121 CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,OpenProcessToken,DuplicateTokenEx,CloseHandle,GetModuleFileNameA,_strlen,_mbstowcs,CreateProcessWithTokenW,CloseHandle,Process32NextW,0_2_00438121
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Code function: 0_2_0043483A CoCreateInstance,0_2_0043483A
    Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess472
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Mutant created: \Sessions\1\BaseNamedObjects\uiabfqwfuuser
    Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER4564.tmp
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe'

    Data Obfuscation:

    Detected unpacking (changes PE section rights)
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | Unpacked PE file: 0.2.SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: 0_2_0042495F GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary,0_2_0042495F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: 0_2_004400B4 push ecx; ret 0_2_004400C6
Source: initial sample  Static PE information: section name: .text entropy: 7.76039382624
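The two unpacking signatures above rest on one comparison: the section table of the PE dumped from memory against the section table of the file on disk, and the entropy line flags a .text section at 7.76 bits per byte, far above what a compiler emits for plain code. The script below is an added example, not part of the Joe Sandbox report: it parses the section table of two PE images, renders the MEM_EXECUTE/READ/WRITE bits, computes per-section entropy, and lists sections that appear, disappear or change rights between the two. Both images are constructed inside the script (a "disk" image with a high-entropy .text and a .rsrc section, a "dump" image with plain code and a .reloc section); the E/R/W letters are my notation, not the report's, and the 7.0 entropy threshold is my assumption.

```python
"""Added example: compare PE section rights and entropy between an on-disk
file and a memory dump, the check behind the report's 'changes PE section
rights' and '.text entropy' lines. Constructed test images, not the sample."""
import math
import struct
from collections import Counter

# IMAGE_SCN_* flags from the PE/COFF specification
SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 is compressed/encrypted, plain x86 code sits around 6."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def rights(characteristics: int) -> str:
    """Render the MEM_EXECUTE/READ/WRITE bits as E/R/W letters (my notation, not the report's)."""
    flags = (("E", SCN_EXECUTE), ("R", SCN_READ), ("W", SCN_WRITE))
    return "".join(letter for letter, bit in flags if characteristics & bit)


def parse_sections(image: bytes) -> list:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", image, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    out = []
    for i in range(nsec):
        off = table + i * 40
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]   # Characteristics
        raw = image[raw_ptr:raw_ptr + raw_size]
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "rights": rights(chars), "entropy": round(shannon_entropy(raw), 2)})
    return out


def diff_sections(disk: bytes, dump: bytes) -> list:
    """Differences in section names/rights; a sample that rewrote its own
    headers in memory (the 'overwrites its own PE header' signature) shows here too."""
    a = {s["name"]: s["rights"] for s in parse_sections(disk)}
    b = {s["name"]: s["rights"] for s in parse_sections(dump)}
    diffs = []
    for name in sorted(set(a) | set(b)):
        if name not in b:
            diffs.append(f"{name}: on disk only ({a[name]})")
        elif name not in a:
            diffs.append(f"{name}: in dump only ({b[name]})")
        elif a[name] != b[name]:
            diffs.append(f"{name}: rights {a[name]} -> {b[name]}")
    return diffs


def packed_code_sections(image: bytes, threshold: float = 7.0) -> list:
    """Executable sections whose entropy suggests packed or encrypted code (threshold assumed)."""
    return [s["name"] for s in parse_sections(image)
            if "E" in s["rights"] and s["entropy"] >= threshold]


def build_pe(sections) -> bytes:
    """Construct a minimal PE32 image from (name, characteristics, raw bytes) tuples.
    Only the fields the parser reads are meaningful; the optional header is zeroed."""
    opt_size, e_lfanew = 0xE0, 0x40
    data_start = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    img = bytearray(b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew))
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    img += b"\0" * opt_size
    body = bytearray()
    for i, (name, chars, raw) in enumerate(sections):
        img += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw), 0x1000 * (i + 1),
                           len(raw), data_start + len(body), 0, 0, 0, 0, chars)
        body += raw
    return bytes(img + body)


# Constructed fixtures: a 'disk' image with a high-entropy .text and a .rsrc
# section, and a 'dump' image whose .text is plain code and which carries .reloc.
HIGH_ENTROPY = bytes(range(256)) * 4           # every byte value equally often -> 8.0 bits
PLAIN_CODE = b"\x90" * 512 + b"\xc3" * 512     # nop/ret only -> 1.0 bit
DISK = build_pe([(b".text", SCN_EXECUTE | SCN_READ, HIGH_ENTROPY),
                 (b".rdata", SCN_READ, b"A" * 64),
                 (b".data", SCN_READ | SCN_WRITE, b"\0" * 64),
                 (b".rsrc", SCN_READ, b"R" * 32)])
DUMP = build_pe([(b".text", SCN_EXECUTE | SCN_READ, PLAIN_CODE),
                 (b".rdata", SCN_READ, b"A" * 64),
                 (b".data", SCN_READ | SCN_WRITE, b"\0" * 64),
                 (b".reloc", SCN_READ, b"\0" * 16)])

if __name__ == "__main__":
    for line in diff_sections(DISK, DUMP):
        print(line)
    print("packed on disk:", packed_code_sections(DISK), "packed in dump:", packed_code_sections(DUMP))
```

On a real pair, feed the on-disk file and a dumped image (the sandbox's `.unpack` artefact or a `procdump`/`pe-sieve` output) to `diff_sections`; a dump whose raw pointers are still file offsets will parse, but one saved with virtual layout needs the `PointerToRawData` handling adapted, which this example deliberately leaves out.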
Source: C:\Windows\SysWOW64\WerFault.exe  Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe  Process information set: NOOPENFILEERRORBOX (repeated 20 times)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe TID: 3436  Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: 0_2_0043E217 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,0_2_0043E217
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: 0_2_0043E387 GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose,0_2_0043E387
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: 0_2_00436ACF _strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA,0_2_00436ACF
Source: WerFault.exe, 00000005.00000002.672972673.0000000005240000.00000002.00000001.sdmp  Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000005.00000002.672718308.0000000004F40000.00000004.00000001.sdmp  Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000005.00000002.672972673.0000000005240000.00000002.00000001.sdmp  Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000005.00000002.672972673.0000000005240000.00000002.00000001.sdmp  Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000005.00000002.672972673.0000000005240000.00000002.00000001.sdmp  Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: 0_2_0045C2E6 IsDebuggerPresent,OutputDebugStringW,0_2_0045C2E6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: 0_2_0042495F GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary,0_2_0042495F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: 0_2_00446991 mov eax, dword ptr fs:[00000030h] 0_2_00446991
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: 0_2_0040A3FB GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_0040A3FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: 0_2_004402A4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004402A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: 0_2_004463B5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004463B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: 0_2_00440406 SetUnhandledExceptionFilter,0_2_00440406
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: 0_2_004405C8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_004405C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: 0_2_004400C8 cpuid 0_2_004400C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: CoInitialize,GetUserDefaultLCID,GetLocaleInfoA,Sleep,GetUserNameA,_strlen,_strlen,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,GetModuleHandleA,FreeLibrary,WaitForSingleObject,GetEnvironmentVariableA,ShellExecuteA,ShellExecuteA,CoUninitialize,0_2_0042693B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00462121
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: EnumSystemLocalesW,0_2_00458367
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: EnumSystemLocalesW,0_2_004623C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: EnumSystemLocalesW,0_2_0046240E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: EnumSystemLocalesW,0_2_004624A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00462534
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: GetLocaleInfoW,0_2_00462787
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_004628AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: GetLocaleInfoW,0_2_00458994
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: GetLocaleInfoW,0_2_004629B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: _strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA,0_2_00436ACF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00462A82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: 0_2_00440470 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00440470
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: 0_2_0042693B CoInitialize,GetUserDefaultLCID,GetLocaleInfoA,Sleep,GetUserNameA,_strlen,_strlen,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,GetModuleHandleA,FreeLibrary,WaitForSingleObject,GetEnvironmentVariableA,ShellExecuteA,ShellExecuteA,CoUninitialize,0_2_0042693B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: 0_2_004364C1 GetTimeZoneInformation,std::ios_base::_Ios_base_dtor,0_2_004364C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Code function: 0_2_0042495F GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary,0_2_0042495F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Raccoon Stealer
Source: Yara match  File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe PID: 472, type: MEMORY

Remote Access Functionality:

Yara detected Raccoon Stealer
Source: Yara match  File source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe PID: 472, type: MEMORY

Mitre Att&ck Matrix

(The digits following a technique name are the report's count badges for that cell; unnumbered techniques and blank cells are the matrix layout with no matching signature.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API 1 | Path Interception | Process Injection 1 | Virtualization/Sandbox Evasion 1 | OS Credential Dumping | System Time Discovery 2 | Remote Services | Screen Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 22 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 1 | LSASS Memory | Security Software Discovery 21 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 3 | NTDS | Process Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 22 | LSA Secrets | Account Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Owner/User Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery 25 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

Behavior Graph

(interactive process graph not captured in this text export)

Screenshots

(screenshot thumbnails not captured in this text export)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | 32% | Metadefender |
SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | 90% | ReversingLabs | Win32.Trojan.Azorult
SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137972
5.2.WerFault.exe.5530000.11.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

WerFault.exe here is the Windows Error Reporting handler spawned for the sample's crash (the Report.wer under Created / dropped Files names the sample as NsAppName), so the hit on a PE carved from WerFault's memory does not mean WerFault itself is malicious.

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
yearofthepig.top | 172.67.199.58 | true | false | | unknown
telete.in | 195.201.225.248 | true | false | | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
195.201.225.248 | unknown | Germany | 24940 | HETZNER-ASDE | false
172.67.199.58 | unknown | United States | 13335 | CLOUDFLARENETUS | false

The Malicious column is a reputation lookup at analysis time; the Joe Sandbox View / Context tables below tie both addresses to other malicious samples.

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 356835
Start date: 23.02.2021
Start time: 17:35:11
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 42s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.12080 (renamed file extension from 12080 to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.troj.evad.winEXE@2/4@2/3
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 14
• Number of non-executed functions: 78
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 51.104.139.180, 104.42.151.234, 204.79.197.200, 13.107.21.200, 40.88.32.150, 13.64.90.137, 23.211.6.115, 104.43.193.48, 168.61.161.212, 52.255.188.83, 52.155.217.156, 20.54.26.129, 8.253.207.120, 8.248.97.254, 8.238.85.126, 8.241.80.126, 8.248.115.254, 67.26.75.254, 8.248.117.254, 8.248.145.254, 8.248.139.254, 8.248.125.254, 51.11.168.160, 92.122.213.194, 92.122.213.247
• Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/356835/sample/SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe

        Simulations

Behavior and APIs

Time | Type | Description
17:36:00 | API Interceptor | 1x Sleep call for process: SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe modified
17:36:10 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

        Joe Sandbox View / Context

        IPs

Match | Associated Sample Name / URL | Detection | Context
195.201.225.248 | http://telete.in | malicious | telete.in/
172.67.199.58 | 1vuet1S3tI.exe | malicious |
172.67.199.58 | SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe | malicious |
172.67.199.58 | SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.exe | malicious |
172.67.199.58 | SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe | malicious |

                Domains

Match | Associated Sample Name / URL | Detection | Context
yearofthepig.top | 1vuet1S3tI.exe | malicious | 172.67.199.58
yearofthepig.top | seed.exe | malicious | 104.21.50.15
yearofthepig.top | SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe | malicious | 104.21.50.15
yearofthepig.top | SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.exe | malicious | 104.21.50.15
yearofthepig.top | SecuriteInfo.com.Trojan.GenericKD.36273230.25906.exe | malicious | 104.21.50.15
yearofthepig.top | SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe | malicious | 172.67.199.58
yearofthepig.top | SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.exe | malicious | 104.21.50.15
yearofthepig.top | SecuriteInfo.com.Trojan.GenericKD.36273230.25906.exe | malicious | 104.21.50.15
yearofthepig.top | SecuriteInfo.com.W32.AIDetectGBM.malware.02.16429.exe | malicious | 104.21.50.15
telete.in | seed.exe | malicious | 195.201.225.248
telete.in | SecuriteInfo.com.Trojan.GenericKD.36273230.25906.exe | malicious | 195.201.225.248
telete.in | SecuriteInfo.com.Trojan.GenericKD.36273230.25906.exe | malicious | 195.201.225.248
telete.in | SecuriteInfo.com.W32.AIDetectGBM.malware.02.16429.exe | malicious | 195.201.225.248
telete.in | A6Qom7We0l.exe | malicious | 195.201.225.248
telete.in | BHuuI8LETf.exe | malicious | 195.201.225.248
telete.in | m1hholPLan.exe | malicious | 195.201.225.248
telete.in | nyDyMJGKWD.exe | malicious | 195.201.225.248
telete.in | HA2a7FagC6.exe | malicious | 195.201.225.248
telete.in | MakYpSHZKE.exe | malicious | 195.201.225.248
telete.in | HDMInstaller.exe | malicious | 195.201.225.248
telete.in | helper.exe | malicious | 195.201.225.248
telete.in | tyxCV1ouryr7.exe | malicious | 195.201.225.248
telete.in | e7zQwqIDCO.exe | malicious | 195.201.225.248
telete.in | RddH6rLRfH.exe | malicious | 195.201.225.248
telete.in | 4PDNbYK5fj.exe | malicious | 195.201.225.248
telete.in | pmTdQ57tvM.exe | malicious | 195.201.225.248
telete.in | 7BtV39hziI.exe | malicious | 195.201.225.248
telete.in | dc4AaqW6Aa.exe | malicious | 195.201.225.248
telete.in | lAy87VNPiL.exe | malicious | 195.201.225.248

                ASN

Match | Associated Sample Name / URL | Detection | Context
HETZNER-ASDE | SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | malicious | 88.99.66.31
HETZNER-ASDE | 1vuet1S3tI.exe | malicious | 88.99.66.31
HETZNER-ASDE | MV9tCJw8Xr.exe | malicious | 195.201.56.70
HETZNER-ASDE | seed.exe | malicious | 88.99.66.31
HETZNER-ASDE | SecuriteInfo.com.Variant.Zusy.368685.25375.exe | malicious | 88.99.66.31
HETZNER-ASDE | SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe | malicious | 95.216.186.40
HETZNER-ASDE | SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.exe | malicious | 88.99.66.31
HETZNER-ASDE | SecuriteInfo.com.Trojan.GenericKD.36273230.25906.exe | malicious | 195.201.225.248
HETZNER-ASDE | SecuriteInfo.com.Variant.Zusy.368685.25618.exe | malicious | 88.99.66.31
HETZNER-ASDE | SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe | malicious | 95.216.186.40
HETZNER-ASDE | SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.exe | malicious | 95.216.186.40
HETZNER-ASDE | SecuriteInfo.com.Trojan.GenericKD.36273230.25906.exe | malicious | 195.201.225.248
HETZNER-ASDE | 8WjU4jrBIr.exe | malicious | 94.130.165.85
HETZNER-ASDE | Quotation-Project at Hor Al Anz CAIRO_012245666.pdf.exe | malicious | 188.40.67.173
HETZNER-ASDE | 8TD8GfTtaW.exe | malicious | 88.99.66.31
HETZNER-ASDE | Order_20180218001.exe | malicious | 135.181.57.206
HETZNER-ASDE | unmapped_executable_of_polyglot_duke.dll | malicious | 5.9.110.84
HETZNER-ASDE | DHL eInvoice_Pdf.exe | malicious | 195.201.179.80
HETZNER-ASDE | Subconract 504.xlsm | malicious | 95.216.245.130
HETZNER-ASDE | ydQ0ICWj5v.exe | malicious | 88.99.66.31
CLOUDFLARENETUS | SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | malicious | 104.23.98.190
CLOUDFLARENETUS | 1vuet1S3tI.exe | malicious | 172.67.199.58
CLOUDFLARENETUS | P00760000.exe | malicious | 104.21.19.200
CLOUDFLARENETUS | Order.doc | malicious | 104.21.19.200
CLOUDFLARENETUS | QUOTE.doc | malicious | 104.21.19.200
CLOUDFLARENETUS | Shipment Notification 6368638172.pdf.exe | malicious | 172.67.188.154
CLOUDFLARENETUS | 2070121_SN-WS.exe | malicious | 104.21.71.230
CLOUDFLARENETUS | purchase order.exe | malicious | 104.21.19.200
CLOUDFLARENETUS | 9073782912,pdf.exe | malicious | 104.21.19.200
CLOUDFLARENETUS | payment_advice.doc | malicious | 172.67.172.17
CLOUDFLARENETUS | IMG_57109_Scanned.doc | malicious | 172.67.188.154
CLOUDFLARENETUS | Purchase Order.exe | malicious | 104.21.19.200
CLOUDFLARENETUS | dot crypted.exe | malicious | 104.21.19.200
CLOUDFLARENETUS | New Order 2300030317388 InterMetro.exe | malicious | 172.67.172.17
CLOUDFLARENETUS | CN-Invoice-XXXXX9808-19011143287989.exe | malicious | 172.67.172.17
CLOUDFLARENETUS | Purchase Order list.exe | malicious | 104.21.23.61
CLOUDFLARENETUS | RkoKlvuLh6.exe | malicious | 162.159.136.232
CLOUDFLARENETUS | i0fOtOV8v0.exe | malicious | 104.23.99.190
CLOUDFLARENETUS | P3knxzE7wN.exe | malicious | 162.159.128.233
CLOUDFLARENETUS | zLyXzE7WZi.exe | malicious | 162.159.138.232

                JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
ce5f3254611a8c095a3d821d44539877 | SHIPPING-DOCUMENT.docx | malicious | 172.67.199.58, 195.201.225.248
ce5f3254611a8c095a3d821d44539877 | svhost.exe | malicious | 172.67.199.58, 195.201.225.248
ce5f3254611a8c095a3d821d44539877 | SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe | malicious | 172.67.199.58, 195.201.225.248
ce5f3254611a8c095a3d821d44539877 | SecuriteInfo.com.Trojan.GenericKD.36273230.25906.exe | malicious | 172.67.199.58, 195.201.225.248
ce5f3254611a8c095a3d821d44539877 | SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.exe | malicious | 172.67.199.58, 195.201.225.248
ce5f3254611a8c095a3d821d44539877 | SecuriteInfo.com.Trojan.GenericKDZ.73123.31244.exe | malicious | 172.67.199.58, 195.201.225.248
ce5f3254611a8c095a3d821d44539877 | SecuriteInfo.com.Trojan.GenericKD.36273230.25906.exe | malicious | 172.67.199.58, 195.201.225.248
ce5f3254611a8c095a3d821d44539877 | proposal.xlsm | malicious | 172.67.199.58, 195.201.225.248
ce5f3254611a8c095a3d821d44539877 | rieuro.dll | malicious | 172.67.199.58, 195.201.225.248
ce5f3254611a8c095a3d821d44539877 | ydQ0ICWj5v.exe | malicious | 172.67.199.58, 195.201.225.248
ce5f3254611a8c095a3d821d44539877 | r4yGYPyWb7.exe | malicious | 172.67.199.58, 195.201.225.248
ce5f3254611a8c095a3d821d44539877 | aif9fEvN5g.exe | malicious | 172.67.199.58, 195.201.225.248
ce5f3254611a8c095a3d821d44539877 | bZ9avvcHvE.exe | malicious | 172.67.199.58, 195.201.225.248
ce5f3254611a8c095a3d821d44539877 | proposal.xlsm | malicious | 172.67.199.58, 195.201.225.248
ce5f3254611a8c095a3d821d44539877 | CmJ6qDTzvM.exe | malicious | 172.67.199.58, 195.201.225.248
ce5f3254611a8c095a3d821d44539877 | 124992436.docx | malicious | 172.67.199.58, 195.201.225.248
ce5f3254611a8c095a3d821d44539877 | RRLrVfeAXb.exe | malicious | 172.67.199.58, 195.201.225.248
ce5f3254611a8c095a3d821d44539877 | m3eJIFyc68.exe | malicious | 172.67.199.58, 195.201.225.248
ce5f3254611a8c095a3d821d44539877 | SecuriteInfo.com.W32.AIDetectGBM.malware.02.16429.exe | malicious | 172.67.199.58, 195.201.225.248
ce5f3254611a8c095a3d821d44539877 | AswpCUetE0.doc | malicious | 172.67.199.58, 195.201.225.248
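The JA3 table above shows the same client fingerprint across twenty other analyses, each one talking to the same two hosts, so the useful indicators from this report are the two domains, the Hetzner address and the JA3 hash taken together rather than any one of them on its own: 172.67.199.58 is a Cloudflare edge address that unrelated sites share, and a JA3 value can be shared by legitimate clients. The script below is an added example, not part of the Joe Sandbox report: it matches constructed JSON-lines connection records (DNS queries and TLS handshakes) against those indicators and ranks the hits so that a shared-edge IP alone scores nothing and a lone JA3 hit stays low. The record format, the weights and the all-ones placeholder JA3 for the benign record are my assumptions.

```python
"""Added example: score DNS/TLS connection records against the network
indicators in this report. Record shape and weights are assumptions."""
import json

# Indicators from the Contacted Domains / Contacted IPs / JA3 tables above
IOC_DOMAINS = {"yearofthepig.top", "telete.in"}
IOC_IPS = {"195.201.225.248": "AS24940 HETZNER-ASDE",
           "172.67.199.58": "AS13335 CLOUDFLARENETUS"}
SHARED_EDGE_IPS = {"172.67.199.58"}     # Cloudflare anycast edge, shared by unrelated sites
IOC_JA3 = {"ce5f3254611a8c095a3d821d44539877"}

# Assumed weights: domain hit strong, dedicated-host IP good, shared-edge IP
# alone worth nothing, JA3 alone weak (legitimate clients can share a JA3)
WEIGHT = {"domain": 3, "ip": 2, "ip_shared_edge": 0, "ja3": 1}


def matched_domain(name):
    """Exact or subdomain match: www.telete.in hits telete.in, nottelete.in does not."""
    name = name.rstrip(".").lower()
    for ioc in IOC_DOMAINS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def score_event(ev):
    """Score one record; looks at query/sni/host for names, dst for the peer IP, ja3."""
    score, reasons = 0, []
    for key in ("query", "sni", "host"):
        hit = matched_domain(ev.get(key) or "")
        if hit:
            score += WEIGHT["domain"]
            reasons.append(f"{key}={ev[key]} matches {hit}")
            break
    dst = ev.get("dst")
    if dst in IOC_IPS:
        kind = "ip_shared_edge" if dst in SHARED_EDGE_IPS else "ip"
        score += WEIGHT[kind]
        note = ", shared edge" if kind == "ip_shared_edge" else ""
        reasons.append(f"dst={dst} ({IOC_IPS[dst]}{note})")
    if ev.get("ja3") in IOC_JA3:
        score += WEIGHT["ja3"]
        reasons.append(f"ja3={ev['ja3']}")
    return score, reasons


def verdict(score):
    return "high" if score >= 3 else "low" if score > 0 else "none"


def scan(lines):
    """Parse JSON-lines records and return every record that scored, with its reasons."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        score, reasons = score_event(ev)
        if score:
            hits.append({"ts": ev.get("ts"), "src": ev.get("src"), "verdict": verdict(score),
                         "score": score, "reasons": reasons})
    return hits


# Constructed records (loosely Zeek-shaped). Addresses other than the IOCs are
# RFC 1918 / documentation ranges; the all-ones JA3 is a placeholder benign client.
SAMPLE_LOG = """
{"ts": "2021-02-23T16:35:58Z", "type": "dns", "src": "192.168.2.4", "query": "yearofthepig.top"}
{"ts": "2021-02-23T16:35:59Z", "type": "tls", "src": "192.168.2.4", "dst": "172.67.199.58", "sni": "yearofthepig.top", "ja3": "ce5f3254611a8c095a3d821d44539877"}
{"ts": "2021-02-23T16:36:00Z", "type": "tls", "src": "192.168.2.4", "dst": "195.201.225.248", "sni": "telete.in", "ja3": "ce5f3254611a8c095a3d821d44539877"}
{"ts": "2021-02-23T16:36:01Z", "type": "tls", "src": "192.168.2.7", "dst": "172.67.199.58", "sni": "cdn.example.net", "ja3": "11111111111111111111111111111111"}
{"ts": "2021-02-23T16:36:02Z", "type": "tls", "src": "192.168.2.9", "dst": "203.0.113.10", "sni": "api.example.org", "ja3": "ce5f3254611a8c095a3d821d44539877"}
{"ts": "2021-02-23T16:36:03Z", "type": "dns", "src": "192.168.2.9", "query": "nottelete.in"}
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["verdict"], hit["score"], hit["src"], "; ".join(hit["reasons"]))
```

With the constructed records, host 192.168.2.4 produces three high-confidence hits (the DNS lookup, then both TLS sessions), the unrelated client behind the Cloudflare address produces nothing, and the lone JA3 match from 192.168.2.9 surfaces as a low-confidence lead to pivot on rather than an alert.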

                Dropped Files

                No context

                Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_SecuriteInfo.com_fa89342e16e181a3dbd56be6cbf2ebfd3176a8_1217e092_1aaf5f93\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 13626
Entropy (8bit): 3.7756019665944156
Encrypted: false
SSDEEP: 192:ETk4aVDnmHHnh+MjIgKUzn/u7sdS274ItUPi:q+V7Inh+Mjz/u7sdX4ItUPi
MD5: F5D14946B3EE1D39197F25B5A8B38B27
SHA1: 35C0A2ECFFE2A055BB32B394E9AE17525D9D4DBD
SHA-256: FBFAEA42F92E97D98F30244D2221A2D86D4BB494B10E96BA3ED485ECC9F3ED75
SHA-512: C0C544E2CA8757D7A5D235C9211AD358E86AA955387AAFCE1E89028E4D1BEC9FA818E905BF2A22CA028584C211C666BC9EE6D095C17850396671C34B90549EEC
Malicious: false
Reputation: low
Preview (UTF-16LE decoded, BOM and null bytes removed; the raw preview stops mid-value on the last line):
Version=1
EventType=APPCRASH
EventTime=132585717638815707
ReportType=2
Consent=1
UploadTime=132585717688815586
ReportStatus=268435456
ReportIdentifier=6c697746-1078-4657-a654-86673ee70e11
IntegratorReportIdentifier=ccb6ba66-0512-4b31-88e5-303e038588c5
Wow64Host=34404
Wow64Guest=332
NsAppName=SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe
AppSessionGuid=000001d8-0001-001b-f325-aef6010ad701
TargetAppId=W:00066c5fcb1baf058f4329fe2010cdd091b700000904!00008f4e7653ba71af974226415ed5 (truncated in the preview)
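A Report.wer is UTF-16LE key=value text, which is why the raw preview reads as letters separated by dots: every second byte is a null. The EventTime and UploadTime values are Windows FILETIMEs, and Wow64Host/Wow64Guest are IMAGE_FILE_MACHINE values, so the file records that a 32-bit image crashed on a 64-bit host and exactly when. The parser below is an added example, not part of the report: it decodes the file, converts the FILETIME fields to UTC, and maps the machine codes (34404 = amd64, 332 = i386). The input is constructed from the fields visible in the preview above; the truncated TargetAppId line is left out rather than guessed.

```python
"""Added example: decode a WER Report.wer (UTF-16 key=value text with CRLF
lines) and make its timestamps and machine codes readable. The input is
constructed from the fields visible in the preview above, not the full file."""
from datetime import datetime, timedelta, timezone

# Constructed from the visible preview; the truncated TargetAppId line is left out
SAMPLE_WER = "\r\n".join([
    "Version=1",
    "EventType=APPCRASH",
    "EventTime=132585717638815707",
    "ReportType=2",
    "Consent=1",
    "UploadTime=132585717688815586",
    "ReportStatus=268435456",
    "ReportIdentifier=6c697746-1078-4657-a654-86673ee70e11",
    "IntegratorReportIdentifier=ccb6ba66-0512-4b31-88e5-303e038588c5",
    "Wow64Host=34404",
    "Wow64Guest=332",
    "NsAppName=SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe",
    "AppSessionGuid=000001d8-0001-001b-f325-aef6010ad701",
]).encode("utf-16")              # the utf-16 codec writes a BOM, as the on-disk file has

# IMAGE_FILE_MACHINE_* values, in the decimal form WER writes them
MACHINE = {332: "i386", 34404: "amd64", 43620: "arm64"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(value: int) -> datetime:
    """FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def parse_wer(raw: bytes) -> dict:
    """Decode the BOM-prefixed UTF-16 text and split it into key=value pairs.
    Use 'utf-16-le' instead when handed a fragment that has lost its BOM."""
    fields = {}
    for line in raw.decode("utf-16").splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def summarize(raw: bytes) -> dict:
    """What an analyst wants first: which image crashed, when, and whether it ran under WOW64."""
    f = parse_wer(raw)
    host = int(f.get("Wow64Host", 0))
    guest = int(f.get("Wow64Guest", 0))
    return {
        "app": f.get("NsAppName"),
        "event": f.get("EventType"),
        "crashed_at": filetime_to_utc(int(f["EventTime"])).isoformat(timespec="seconds"),
        "uploaded_at": filetime_to_utc(int(f["UploadTime"])).isoformat(timespec="seconds"),
        "host_arch": MACHINE.get(host, f"unknown({host})"),
        "guest_arch": MACHINE.get(guest, f"unknown({guest})"),
        # 32-bit guest on a 64-bit host, consistent with SysWOW64\WerFault.exe handling it
        "wow64": host != guest,
        "report_id": f.get("ReportIdentifier"),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_WER).items():
        print(f"{key:12} {value}")
```

The decoded EventTime lands at 16:36:03 UTC on 23 February 2021, two seconds before the minidump timestamp below and one hour behind the report's 17:35 local start time, which is the kind of cross-check worth doing before trusting any single timestamp from a crash artefact.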
                C:\ProgramData\Microsoft\Windows\WER\Temp\WER4564.tmp.dmp
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:Mini DuMP crash report, 15 streams, Tue Feb 23 16:36:05 2021, 0x1205a4 type
                Category:dropped
                Size (bytes):99638
                Entropy (8bit):2.2152406060018883
                Encrypted:false
                SSDEEP:384:+1bBpyQl5ozXTfPFmiiHFwU2W8wIDzPrETbXPEztsLH+JXMRwBocodfXY7Hcts+r:+tl5ozXTkiiHKU2W8BzP07fg7H2rr
                MD5:25B92DC24BC6C96C0883762252AE46BA
                SHA1:34C67117971A84920E753455B78309E764C8BDFA
                SHA-256:6C340216EAED6E06362B5CC108A4EC98318EB39BDCA4724B988F05F2C70AAEC7
                SHA-512:78E92EBD8C00033AAFD7EDBADCC81A4E148B9EADE97E2F670ED4658116E8F5A32C26DC74714467B1202D64125C8E08B82457BF984E5A2E0F34337F79C9FBF8F1
                Malicious:false
                Reputation:low
                Preview: MDMP....... .........5`...................U...........B......\#......GenuineIntelW...........T.............5`.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                C:\ProgramData\Microsoft\Windows\WER\Temp\WER4D35.tmp.WERInternalMetadata.xml
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):8468
                Entropy (8bit):3.7053421713288905
                Encrypted:false
                SSDEEP:192:Rrl7r3GLNibi6nTS6YrJSUUObtgDgGgmfs4N8Sk+pD989bMBSOsf1Em:RrlsNiu6nm6YFSUUObQgmfs4ySaMWfj
                MD5:A22EA84E8A89107C7B24C32B98F15AE7
                SHA1:B40042CAB99EE07F1CA3D3953A06894DBDBB61F2
                SHA-256:CB1831E0435F4570F68455571D762741C3D93FDAA1387BC20BA40C8AF9355D52
                SHA-512:DD8D7716410E1DB608FB57D1481337536E3C24613DEBAE7460A449901B4F08EAA269FBF1F8D5D1107794553544DCC1EDB1CF816EEF65712DEAB66710531C6728
                Malicious:false
                Reputation:low
                Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.7.2.<./.P.i.d.>.........
                C:\ProgramData\Microsoft\Windows\WER\Temp\WER4F2A.tmp.xml
                Process:C:\Windows\SysWOW64\WerFault.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):4759
                Entropy (8bit):4.566463537716662
                Encrypted:false
                SSDEEP:48:cvIwSD8zs+JgtWI9ykjWSC8Bv8fm8M4J3CIPFn+q8axSUt7y1YrYsd:uITf0MSSNSJ/rtyq8sd
                MD5:B37EEB0EDF38004D8731941C057742B8
                SHA1:A299CD2EDCBA078D97F0D7BA0C0419EAE29EE070
                SHA-256:6D3DCD2EB90FC9591A2527F3A15B86921CAB5FC7EEA966587AD0A63F4F6F2DB2
                SHA-512:5346D0ACB8883CFAC3B079550D806802CC1F00DE068A10D1B1BCD6AFB8E6F7E87A478AA415480BA1B7493EF2EFC79E694E127FE392EAB0D43B8BD133A7A74D34
                Malicious:false
                Reputation:low
                Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="874186" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                Static File Info

                General

                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):7.5802607551094
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe
                File size:536576
                MD5:bb663ffdda23f4277af1d261ac43a88e
                SHA1:8f4e7653ba71af974226415ed512f44a6168abcc
                SHA256:145539dcc07505d1a41913332a55d78398f93c35d7332346e6a58c2006a79714
                SHA512:65ddb7db4a0a2b6c37a56cc292113573d111088ba6919a6f70976f00fd23ba95fbf46fd146a6ddb9cc874075446c63cfdf43338ca2ff238514df9ca38a6e3867
                SSDEEP:12288:QQn7dXPlGbOW3se6+Aq9XnHgVRGwwoYtrKXf1gxF7Alq:QQ7HGbP3s63DV/tUgxelq
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................U.......`.......a.......X...............d.......P.......Q.......V.....Rich............................PE..L..

                File Icon

                Icon Hash:96b0c444ecbae2e6

                Static PE Info

                General

                Entrypoint:0x403ad0
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                DLL Characteristics:TERMINAL_SERVER_AWARE, NX_COMPAT
                Time Stamp:0x5D580EA3 [Sat Aug 17 14:26:43 2019 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:5
                OS Version Minor:1
                File Version Major:5
                File Version Minor:1
                Subsystem Version Major:5
                Subsystem Version Minor:1
                Import Hash:a6e2c959b82a7e7f36f0071d2cdb1c19

                Entrypoint Preview

                Instruction
                mov edi, edi
                push ebp
                mov ebp, esp
                call 00007F7184EA9F4Bh
                call 00007F7184EA1996h
                pop ebp
                ret
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                int3
                mov edi, edi
                push ebp
                mov ebp, esp
                push FFFFFFFEh
                push 0047DF70h
                push 00407040h
                mov eax, dword ptr fs:[00000000h]
                push eax
                add esp, FFFFFF98h
                push ebx
                push esi
                push edi
                mov eax, dword ptr [00480090h]
                xor dword ptr [ebp-08h], eax
                xor eax, ebp
                push eax
                lea eax, dword ptr [ebp-10h]
                mov dword ptr fs:[00000000h], eax
                mov dword ptr [ebp-18h], esp
                mov dword ptr [ebp-70h], 00000000h
                lea eax, dword ptr [ebp-60h]
                push eax
                call dword ptr [004760ACh]
                cmp dword ptr [0227076Ch], 00000000h
                jne 00007F7184EA1990h
                push 00000000h
                push 00000000h
                push 00000001h
                push 00000000h
                call dword ptr [004760A8h]
                call 00007F7184EA1B13h
                mov dword ptr [ebp-6Ch], eax
                call 00007F7184EABB7Bh
                test eax, eax
                jne 00007F7184EA198Ch
                push 0000001Ch
                call 00007F7184EA1AD0h
                add esp, 04h
                call 00007F7184EAB4D8h
                test eax, eax
                jne 00007F7184EA198Ch
                push 00000010h
                call 00007F7184EA1ABDh
                add esp, 04h
                push 00000001h
                call 00007F7184EA8F63h
                add esp, 04h
                call 00007F7184EAB3EBh
                mov dword ptr [ebp-04h], 00000000h
                call 00007F7184EAAFCFh
                test eax, eax

                Rich Headers

                Programming Language:
                • [LNK] VS2010 build 30319
                • [ASM] VS2010 build 30319
                • [ C ] VS2010 build 30319
                • [C++] VS2010 build 30319
                • [EXP] VS2010 build 30319
                • [RES] VS2010 build 30319
                • [IMP] VS2008 SP1 build 30729

                Data Directories

                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x7f370 | 0x53 | .rdata
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7e9a8 | 0x50 | .rdata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1e72000 | 0x1fa8 | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x7dbb8 | 0x40 | .rdata
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x76000 | 0x1a4 | .rdata
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                Sections

                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x1000 | 0x74db1 | 0x74e00 | False | 0.833246991979 | data | 7.76039382624 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                .rdata | 0x76000 | 0x93c3 | 0x9400 | False | 0.2763671875 | data | 4.51893730397 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .data | 0x80000 | 0x1df1770 | 0x2a00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                .rsrc | 0x1e72000 | 0x1fa8 | 0x2000 | False | 0.73779296875 | data | 6.40095282491 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                Resources

                Name | RVA | Size | Type | Language | Country
                LUBECIYIKORUPEHELIDATINAJ | 0x1e73230 | 0xbf7 | ASCII text, with very long lines, with no line terminators | Uzbek | Cyrillic
                RT_ICON | 0x1e72170 | 0x10a8 | data | Vietnamese | Vietnam
                RT_GROUP_ICON | 0x1e73218 | 0x14 | data | Vietnamese | Vietnam
                RT_VERSION | 0x1e73e28 | 0x180 | data | Uzbek | Cyrillic

                Imports

                DLL | Import
                KERNEL32.dll | GetModuleHandleExA, FindResourceExW, FindResourceW, MapUserPhysicalPages, FreeLibrary, LoadResource, SetConsoleTextAttribute, GetCurrentProcess, ScrollConsoleScreenBufferW, SetEnvironmentVariableW, SetHandleInformation, GetTimeFormatA, GetTickCount, FindNextVolumeMountPointA, GetLocaleInfoW, SetSystemTimeAdjustment, lstrlenA, GetExitCodeProcess, ExitThread, GetConsoleAliasesW, BeginUpdateResourceW, EnumDateFormatsExA, CreateTimerQueueTimer, LocalAlloc, GetProfileStringA, SetProcessWorkingSetSize, SetConsoleCursorInfo, VirtualProtect, GetFileAttributesExW, ReleaseMutex, lstrcpyW, HeapCreate, GlobalFix, InterlockedIncrement, InterlockedDecrement, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetCommandLineA, HeapSetInformation, GetStartupInfoW, GetModuleFileNameW, RaiseException, EncodePointer, DecodePointer, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, HeapValidate, IsBadReadPtr, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, GetProcAddress, GetModuleHandleW, ExitProcess, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, GetLastError, WriteFile, OutputDebugStringA, WriteConsoleW, OutputDebugStringW, LoadLibraryW, SetFilePointer, GetConsoleCP, GetConsoleMode, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, RtlUnwind, MultiByteToWideChar, HeapAlloc, HeapReAlloc, HeapSize, HeapQueryInformation, HeapFree, SetStdHandle, GetStringTypeW, LCMapStringW, FlushFileBuffers, ReadFile, CreateFileW, CloseHandle
                USER32.dll | GetDesktopWindow
                ADVAPI32.dll | OpenSCManagerA

                Exports

                Name | Ordinal | Address
                Gun | 1 | 0x475380
                Smoke | 2 | 0x475390

                Version Infos

                DescriptionData
                FileVersions7.0.0.15
                LegalCopyrightsWsegd
                ProductVersions67.0.20.5
                Translation0x0409 0x086f

                Possible Origin

                Language of compilation system | Country where language is spoken
                Uzbek | Cyrillic
                Vietnamese | Vietnam

                Network Behavior

                Network Port Distribution

                TCP Packets

                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Feb 23, 2021 17:35:59.152193069 CET | 49727 | 443 | 192.168.2.4 | 195.201.225.248
                Feb 23, 2021 17:35:59.219677925 CET | 443 | 49727 | 195.201.225.248 | 192.168.2.4
                Feb 23, 2021 17:35:59.219785929 CET | 49727 | 443 | 192.168.2.4 | 195.201.225.248
                Feb 23, 2021 17:35:59.222937107 CET | 49727 | 443 | 192.168.2.4 | 195.201.225.248
                Feb 23, 2021 17:35:59.290201902 CET | 443 | 49727 | 195.201.225.248 | 192.168.2.4
                Feb 23, 2021 17:35:59.294521093 CET | 443 | 49727 | 195.201.225.248 | 192.168.2.4
                Feb 23, 2021 17:35:59.294572115 CET | 443 | 49727 | 195.201.225.248 | 192.168.2.4
                Feb 23, 2021 17:35:59.294594049 CET | 443 | 49727 | 195.201.225.248 | 192.168.2.4
                Feb 23, 2021 17:35:59.294688940 CET | 49727 | 443 | 192.168.2.4 | 195.201.225.248
                Feb 23, 2021 17:35:59.300297022 CET | 49727 | 443 | 192.168.2.4 | 195.201.225.248
                Feb 23, 2021 17:35:59.368562937 CET | 443 | 49727 | 195.201.225.248 | 192.168.2.4
                Feb 23, 2021 17:35:59.433873892 CET | 49727 | 443 | 192.168.2.4 | 195.201.225.248
                Feb 23, 2021 17:35:59.543055058 CET | 443 | 49727 | 195.201.225.248 | 192.168.2.4
                Feb 23, 2021 17:35:59.545188904 CET | 443 | 49727 | 195.201.225.248 | 192.168.2.4
                Feb 23, 2021 17:35:59.545228958 CET | 443 | 49727 | 195.201.225.248 | 192.168.2.4
                Feb 23, 2021 17:35:59.545254946 CET | 443 | 49727 | 195.201.225.248 | 192.168.2.4
                Feb 23, 2021 17:35:59.545278072 CET | 443 | 49727 | 195.201.225.248 | 192.168.2.4
                Feb 23, 2021 17:35:59.545331001 CET | 49727 | 443 | 192.168.2.4 | 195.201.225.248
                Feb 23, 2021 17:35:59.545384884 CET | 49727 | 443 | 192.168.2.4 | 195.201.225.248
                Feb 23, 2021 17:35:59.731317997 CET | 49728 | 443 | 192.168.2.4 | 172.67.199.58
                Feb 23, 2021 17:35:59.793131113 CET | 443 | 49728 | 172.67.199.58 | 192.168.2.4
                Feb 23, 2021 17:35:59.793287992 CET | 49728 | 443 | 192.168.2.4 | 172.67.199.58
                Feb 23, 2021 17:35:59.793965101 CET | 49728 | 443 | 192.168.2.4 | 172.67.199.58
                Feb 23, 2021 17:35:59.855645895 CET | 443 | 49728 | 172.67.199.58 | 192.168.2.4
                Feb 23, 2021 17:35:59.860349894 CET | 443 | 49728 | 172.67.199.58 | 192.168.2.4
                Feb 23, 2021 17:35:59.860382080 CET | 443 | 49728 | 172.67.199.58 | 192.168.2.4
                Feb 23, 2021 17:35:59.860399008 CET | 443 | 49728 | 172.67.199.58 | 192.168.2.4
                Feb 23, 2021 17:35:59.860470057 CET | 49728 | 443 | 192.168.2.4 | 172.67.199.58
                Feb 23, 2021 17:35:59.868735075 CET | 49728 | 443 | 192.168.2.4 | 172.67.199.58
                Feb 23, 2021 17:35:59.933478117 CET | 443 | 49728 | 172.67.199.58 | 192.168.2.4
                Feb 23, 2021 17:35:59.933506966 CET | 443 | 49728 | 172.67.199.58 | 192.168.2.4
                Feb 23, 2021 17:35:59.939737082 CET | 49728 | 443 | 192.168.2.4 | 172.67.199.58
                Feb 23, 2021 17:35:59.939795017 CET | 49728 | 443 | 192.168.2.4 | 172.67.199.58
                Feb 23, 2021 17:36:00.001507998 CET | 443 | 49728 | 172.67.199.58 | 192.168.2.4
                Feb 23, 2021 17:36:00.001533031 CET | 443 | 49728 | 172.67.199.58 | 192.168.2.4
                Feb 23, 2021 17:36:00.540595055 CET | 443 | 49728 | 172.67.199.58 | 192.168.2.4
                Feb 23, 2021 17:36:00.681730986 CET | 49728 | 443 | 192.168.2.4 | 172.67.199.58
                Feb 23, 2021 17:36:14.428153038 CET | 49728 | 443 | 192.168.2.4 | 172.67.199.58
                Feb 23, 2021 17:36:14.428603888 CET | 49727 | 443 | 192.168.2.4 | 195.201.225.248

                UDP Packets

                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Feb 23, 2021 17:35:50.142370939 CET | 53723 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:35:50.191144943 CET | 53 | 53723 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:35:50.193095922 CET | 64646 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:35:50.241734982 CET | 53 | 64646 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:35:50.254102945 CET | 65298 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:35:50.303050041 CET | 53 | 65298 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:35:51.417978048 CET | 59123 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:35:51.466639042 CET | 53 | 59123 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:35:52.583728075 CET | 54531 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:35:52.635212898 CET | 53 | 54531 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:35:53.555807114 CET | 49714 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:35:53.604379892 CET | 53 | 49714 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:35:54.248496056 CET | 58028 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:35:54.306917906 CET | 53 | 58028 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:35:55.265141964 CET | 53097 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:35:55.330346107 CET | 53 | 53097 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:35:56.529586077 CET | 49257 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:35:56.578253031 CET | 53 | 49257 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:35:57.824987888 CET | 62389 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:35:57.876635075 CET | 53 | 62389 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:35:58.922497034 CET | 49910 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:35:58.971787930 CET | 53 | 49910 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:35:59.081043959 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:35:59.141963005 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:35:59.569375992 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:35:59.729662895 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:36:00.167732954 CET | 63153 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:36:00.230173111 CET | 53 | 63153 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:36:01.217159986 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:36:01.267622948 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:36:02.294167995 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:36:02.345812082 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:36:03.297039032 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:36:03.359441042 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:36:04.700814962 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:36:04.751020908 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:36:05.930583000 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:36:05.980983019 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:36:06.987103939 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:36:07.039613008 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:36:07.953614950 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:36:08.002338886 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:36:09.216990948 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:36:09.265636921 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:36:09.464217901 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:36:09.515743971 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:36:10.029354095 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:36:10.077980042 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:36:10.838110924 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:36:10.886897087 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:36:11.831538916 CET | 51255 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:36:11.882992029 CET | 53 | 51255 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:36:24.557053089 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:36:24.608747005 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:36:43.502980947 CET | 52337 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:36:43.563374043 CET | 53 | 52337 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:36:44.194610119 CET | 55046 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:36:44.251579046 CET | 53 | 55046 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:36:44.846225977 CET | 49612 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:36:44.894910097 CET | 53 | 49612 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:36:45.288297892 CET | 49285 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:36:45.329940081 CET | 50601 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:36:45.363141060 CET | 53 | 49285 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:36:45.378593922 CET | 53 | 50601 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:36:45.909044981 CET | 60875 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:36:45.957825899 CET | 53 | 60875 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:36:46.003303051 CET | 56448 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:36:46.063088894 CET | 53 | 56448 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:36:46.165009022 CET | 59172 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:36:46.214962006 CET | 53 | 59172 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:36:46.514513016 CET | 62420 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:36:46.573153973 CET | 53 | 62420 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:36:47.273731947 CET | 60579 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:36:47.330841064 CET | 53 | 60579 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:36:48.483212948 CET | 50183 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:36:48.533288956 CET | 53 | 50183 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:36:49.931404114 CET | 61531 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:36:50.008192062 CET | 53 | 61531 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:36:50.556224108 CET | 49228 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:36:50.613634109 CET | 53 | 49228 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:36:59.146141052 CET | 59794 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:36:59.196616888 CET | 53 | 59794 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:36:59.360702991 CET | 55916 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:36:59.427586079 CET | 53 | 55916 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:37:04.820287943 CET | 52752 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:37:04.890420914 CET | 53 | 52752 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:37:33.320606947 CET | 60542 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:37:33.370970964 CET | 53 | 60542 | 8.8.8.8 | 192.168.2.4
                Feb 23, 2021 17:37:35.547257900 CET | 60689 | 53 | 192.168.2.4 | 8.8.8.8
                Feb 23, 2021 17:37:35.609510899 CET | 53 | 60689 | 8.8.8.8 | 192.168.2.4

                DNS Queries

                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                Feb 23, 2021 17:35:59.081043959 CET | 192.168.2.4 | 8.8.8.8 | 0x2d73 | Standard query (0) | telete.in | A (IP address) | IN (0x0001)
                Feb 23, 2021 17:35:59.569375992 CET | 192.168.2.4 | 8.8.8.8 | 0x6527 | Standard query (0) | yearofthepig.top | A (IP address) | IN (0x0001)

                DNS Answers

                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                Feb 23, 2021 17:35:59.141963005 CET | 8.8.8.8 | 192.168.2.4 | 0x2d73 | No error (0) | telete.in | | 195.201.225.248 | A (IP address) | IN (0x0001)
                Feb 23, 2021 17:35:59.729662895 CET | 8.8.8.8 | 192.168.2.4 | 0x6527 | No error (0) | yearofthepig.top | | 172.67.199.58 | A (IP address) | IN (0x0001)
                Feb 23, 2021 17:35:59.729662895 CET | 8.8.8.8 | 192.168.2.4 | 0x6527 | No error (0) | yearofthepig.top | | 104.21.50.15 | A (IP address) | IN (0x0001)

                HTTPS Packets

                Timestamp | Source IP | Source Port | Dest IP | Dest Port | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
                Feb 23, 2021 17:35:59.294572115 CET | 195.201.225.248 | 443 | 192.168.2.4 | 49727 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0 | ce5f3254611a8c095a3d821d44539877
                  Subject: CN=telecut.in | Issuer: CN=R3, O=Let's Encrypt, C=US | Not Before: Wed Feb 17 11:17:19 CET 2021 | Not After: Tue May 18 12:17:19 CEST 2021
                  Subject: CN=R3, O=Let's Encrypt, C=US | Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co. | Not Before: Wed Oct 07 21:21:40 CEST 2020 | Not After: Wed Sep 29 21:21:40 CEST 2021
                Feb 23, 2021 17:35:59.860382080 CET | 172.67.199.58 | 443 | 192.168.2.4 | 49728 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0 | ce5f3254611a8c095a3d821d44539877
                  Subject: CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US | Issuer: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Not Before: Thu Feb 11 01:00:00 CET 2021 | Not After: Fri Feb 11 00:59:59 CET 2022
                  Subject: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Not Before: Mon Jan 27 13:48:08 CET 2020 | Not After: Wed Jan 01 00:59:59 CET 2025

                Code Manipulations

                System Behavior

                General

                Start time:17:35:58
                Start date:23/02/2021
                Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe
                Wow64 process (32bit):true
                Commandline:'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe'
                Imagebase:0x400000
                File size:536576 bytes
                MD5 hash:BB663FFDDA23F4277AF1D261AC43A88E
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:low

                General

                Start time:17:36:02
                Start date:23/02/2021
                Path:C:\Windows\SysWOW64\WerFault.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 684
                Imagebase:0x3f0000
                File size:434592 bytes
                MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Disassembly

                Code Analysis

                  Executed Functions

                  APIs
                  • CoInitialize.OLE32(00000000), ref: 00426961
                    • Part of subcall function 004353D7: OpenMutexA.KERNEL32 ref: 00435426
                    • Part of subcall function 004353D7: CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00435433
                  • CoUninitialize.OLE32(00000000,00000000), ref: 004321BE
                    • Part of subcall function 0043807C: GetCurrentProcess.KERNEL32(00000008,?), ref: 0043808E
                    • Part of subcall function 0043807C: OpenProcessToken.ADVAPI32(00000000), ref: 00438095
                    • Part of subcall function 0043807C: GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 004380AF
                    • Part of subcall function 0043807C: GetLastError.KERNEL32 ref: 004380B9
                    • Part of subcall function 0043807C: GlobalAlloc.KERNEL32(00000040,00000000), ref: 004380C9
                    • Part of subcall function 0043807C: GetTokenInformation.KERNELBASE(?,TokenIntegrityLevel,00000000,00000000,00000000), ref: 004380DD
                    • Part of subcall function 0043807C: ConvertSidToStringSidW.ADVAPI32(00000000,00000000), ref: 004380F1
                    • Part of subcall function 0043807C: GlobalFree.KERNEL32 ref: 00438111
                  • GetUserDefaultLCID.KERNEL32(00001001,?,000000FF), ref: 004269A5
                  • GetLocaleInfoA.KERNEL32(00000000), ref: 004269AC
                    • Part of subcall function 00438121: CreateToolhelp32Snapshot.KERNEL32 ref: 00438185
                    • Part of subcall function 00438121: Process32FirstW.KERNEL32(00000000,0000022C), ref: 0043819F
                    • Part of subcall function 00438121: OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?,00000000), ref: 00438213
                    • Part of subcall function 00438121: OpenProcessToken.ADVAPI32(00000000,000F01FF,?,?,?,00000000), ref: 00438225
                    • Part of subcall function 00438121: DuplicateTokenEx.ADVAPI32(?,000F01FF,00000000,00000002,00000001,?,?,?,00000000), ref: 00438240
                    • Part of subcall function 00438121: CloseHandle.KERNEL32(?,?,?,00000000), ref: 0043824D
                    • Part of subcall function 00438121: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,00000000), ref: 00438260
                    • Part of subcall function 00433544: WinHttpOpen.WINHTTP(00000000,00000000,00000000,00000000,00000000,?,004792FB,00000000), ref: 00433592
                    • Part of subcall function 00433544: WinHttpConnect.WINHTTP(00000000,00000000,000001BB,00000000,?,?,?,?,004792FB,00000000), ref: 0043365F
                    • Part of subcall function 0040FFFF: _Deallocate.LIBCONCRT ref: 00410014
                    • Part of subcall function 0041021C: _Deallocate.LIBCONCRT ref: 0041022B
                  • Sleep.KERNEL32(00001388,004792FB), ref: 00426F21
                  • GetUserNameA.ADVAPI32(?,00000101), ref: 00427261
                    • Part of subcall function 00434ACB: _strcat.LIBCMT ref: 00434B28
                  • _strlen.LIBCMT ref: 004274FF
                  • _strlen.LIBCMT ref: 00427519
                  • CreateThread.KERNEL32(00000000,00000000,Function_00013FD7,00000000,00000000,00000000), ref: 0042776E
                  • CreateThread.KERNEL32(00000000,00000000,Function_000144A8,00000000,00000000,00000000), ref: 00427780
                  • CreateThread.KERNEL32(00000000,00000000,Function_00014B7F,00000000,00000000,00000000), ref: 00427792
                  • CreateThread.KERNEL32(00000000,00000000,Function_000152A0,00000000,00000000,00000000), ref: 004277A4
                  • CreateThread.KERNEL32(00000000,00000000,Function_00015AD7,00000000,00000000,00000000), ref: 004277B6
                  • CreateThread.KERNEL32(00000000,00000000,Function_00015DA1,00000000,00000000,00000000), ref: 004277C8
                  • CreateThread.KERNEL32(00000000,00000000,Function_000161ED,00000000,00000000,00000000), ref: 004277DA
                  • CreateThread.KERNEL32(00000000,00000000,Function_00016452,00000000,00000000,00000000), ref: 004277EC
                  • CreateThread.KERNEL32(00000000,00000000,Function_00024E97,00000000,00000000,00000000), ref: 004279F5
                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00427A02
                    • Part of subcall function 00434F64: GetEnvironmentVariableA.KERNEL32(?,?,00000104,00000000), ref: 00434FAE
                    • Part of subcall function 0043391A: WinHttpOpen.WINHTTP(00000000,00000000,00000000,00000000,00000000,eE8sF0yG2eQ6fT7,0000000F,00489E24), ref: 00433957
                    • Part of subcall function 0043391A: CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 0043397B
                    • Part of subcall function 0043391A: WinHttpConnect.WINHTTP(?,00000000,000001BB,00000000,?,00000001,00000000,00000002,00000080,00000000), ref: 00433A44
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: Create$Thread$Open$Token$HttpProcess$ConnectDeallocateFileGlobalInformationMutexNameUser_strlen$AllocCloseConvertCurrentDefaultDuplicateEnvironmentErrorFirstFreeHandleInfoInitializeLastLocaleModuleObjectProcess32SingleSleepSnapshotStringToolhelp32UninitializeVariableWait_strcat
                  • String ID: $"$#hBYBHK$$$$$$*$%$%$'$'9:$($*$+$+$-$-$.$0$1$1$2USF$4$8070$87$9$9$9$9$:$:x_V$<$=$?$?$?43;$A$C$D$D$E$F$F$G$GET$H$J$K$M$O$O$POST$Qw7l;">?$S[T$T$U$W$Y$Z$Z$[9f$[HOI$]$]$]$_$_id$`$a$a$b$b$e$e18ceace04ca88f3394b1f39dfd2e092 $eE8sF0yG2eQ6fT7$eN9fR0jZ9wL1gM2$f$f,$i$l$latitude$location$longitude$m$machineinfo.txt$o2BKQv61NXYL5PbYz5wXu5RUAO6YT5fxzcEH5RrOELAAXh8Y1CMQPQ== $qSVdAbi/K2pP5PzejMhd4MMaCbjBRMKlyZYF $s$screen.jpeg$sq$sqlite3.dll$t$u$v$v$w$wallets\$y$y$zip${$~
                  • API String ID: 3687077892-2339428212
                  • Opcode ID: dfe0419e959aa7910071be5b3535440e8a8ffa3bba189f704466daf45e70478a
                  • Instruction ID: 76245fab467d042c0533ae5d0a73a902bbcaf8909df43b4d7a41cbc081f5a859
                  • Opcode Fuzzy Hash: dfe0419e959aa7910071be5b3535440e8a8ffa3bba189f704466daf45e70478a
                  • Instruction Fuzzy Hash: 95347D31D092A89ADB25EB669C62FDDBB705F25304F4400DEA549372C3DA785BC8CF1A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: Transaction$Deallocate$CommitCopyCreateFileRollbackTransacted
                  • String ID: !$;zkk$UTC_$\YLY$iX${vavf~
                  • API String ID: 3460940935-2356302325
                  • Opcode ID: fcd0dfc6d283ce0b73a65b564d338b37f620ab168e9a1227c5c424992dee34a3
                  • Instruction ID: 2bb053adc0166a9410bf353a4518308d87547d9ecdedfbcdfa386a7680e94cf9
                  • Opcode Fuzzy Hash: fcd0dfc6d283ce0b73a65b564d338b37f620ab168e9a1227c5c424992dee34a3
                  • Instruction Fuzzy Hash: C122FF30D0428CCADF15EBB5C9A06EDFBB1AF59304F2441AEE44577282DB781E89CB59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • WinHttpOpen.WINHTTP(00000000,00000000,00000000,00000000,00000000,?,004792FB,00000000), ref: 00433592
                  • WinHttpConnect.WINHTTP(00000000,00000000,000001BB,00000000,?,?,?,?,004792FB,00000000), ref: 0043365F
                    • Part of subcall function 00437EF1: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 00437F16
                    • Part of subcall function 00437EF1: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00000000), ref: 00437F4B
                  • WinHttpConnect.WINHTTP(00000000,00000000,00000050,00000000,?,?,?,?,004792FB,00000000), ref: 004336B3
                  • WinHttpOpenRequest.WINHTTP(00000000,?,00000000,00000000,00000000,00000000,00800100,?,?,?,?,004792FB,00000000), ref: 00433736
                  • WinHttpOpenRequest.WINHTTP(00000000,?,00000000,00000000,00000000,00000000,00000100,?,?,?,?,004792FB,00000000), ref: 004337A8
                  • _strlen.LIBCMT ref: 004337D6
                  • _strlen.LIBCMT ref: 004337E0
                  • WinHttpSendRequest.WINHTTP(00000000,Content-Type: text/plain; charset=UTF-8,000000FF,?,00000000,00000000,00000000,?,?,?,004792FB,00000000), ref: 004337F7
                  • WinHttpReceiveResponse.WINHTTP(00000000,00000000,?,?,?,004792FB,00000000), ref: 00433809
                  • WinHttpQueryDataAvailable.WINHTTP(00000000,?,?,?,?,004792FB,00000000), ref: 00433821
                  • WinHttpReadData.WINHTTP(00000000,00000000,?,?,?,?,?,?,?,?,?,004792FB,00000000), ref: 0043384D
                  • GetLastError.KERNEL32(?,?,?,004792FB,00000000), ref: 004338E8
                  • WinHttpCloseHandle.WINHTTP(00000000,?,?,?,004792FB,00000000), ref: 004338F2
                  • WinHttpCloseHandle.WINHTTP(00000000,?,?,?,004792FB,00000000), ref: 004338FC
                  • WinHttpCloseHandle.WINHTTP(00000000,?,?,?,004792FB,00000000), ref: 00433903
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: Http$CloseHandleOpenRequest$ByteCharConnectDataMultiWide_strlen$AvailableErrorLastQueryReadReceiveResponseSend
                  • String ID: %99[^:]://%99[^/]%99[^]$Content-Type: text/plain; charset=UTF-8$`+No$ji
                  • API String ID: 2459271378-1885360117
                  • Opcode ID: e6f3dd0cdbd63c8104dd4fc82dba5760b21d495eee7672c871c6d6877c83e58a
                  • Instruction ID: 70eba32ece42ebc77b27d2ed08e263848b1217a3f59f811cc65c7ea5a46a1e87
                  • Opcode Fuzzy Hash: e6f3dd0cdbd63c8104dd4fc82dba5760b21d495eee7672c871c6d6877c83e58a
                  • Instruction Fuzzy Hash: 39C182719012189FDB18DF65C985AFEB7B4EF09304F1081AEE405A7241EB749F49CF69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetCurrentProcess.KERNEL32(00000008,?), ref: 0043808E
                  • OpenProcessToken.ADVAPI32(00000000), ref: 00438095
                  • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 004380AF
                  • GetLastError.KERNEL32 ref: 004380B9
                  • GlobalAlloc.KERNEL32(00000040,00000000), ref: 004380C9
                  • GetTokenInformation.KERNELBASE(?,TokenIntegrityLevel,00000000,00000000,00000000), ref: 004380DD
                  • ConvertSidToStringSidW.ADVAPI32(00000000,00000000), ref: 004380F1
                  • GlobalFree.KERNEL32 ref: 00438111
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: Token$GlobalInformationProcess$AllocConvertCurrentErrorFreeLastOpenString
                  • String ID: S-1-5-18
                  • API String ID: 857934279-4289277601
                  • Opcode ID: d6edb749d9408a3ea40f5663012898d27188a7347c287f7e57697d206770b822
                  • Instruction ID: 1c2fceff7e4ac7716f4791b4e914bb9b39cd462ec03f35671b08ce6f216c91ae
                  • Opcode Fuzzy Hash: d6edb749d9408a3ea40f5663012898d27188a7347c287f7e57697d206770b822
                  • Instruction Fuzzy Hash: A2112B76A00204FBDF209BE2DC49BAFBF78EB48755F10406AF901E1191EB748A05DB69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • std::bad_exception::bad_exception.LIBCMT ref: 0041E544
                  • std::bad_exception::bad_exception.LIBCMT ref: 0041E554
                  • std::bad_exception::bad_exception.LIBCMT ref: 0041E564
                  • std::bad_exception::bad_exception.LIBCMT ref: 0041E587
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: std::bad_exception::bad_exception
                  • String ID: C:\Users\a13xuiop1337\Desktop\_Work\rc-build-v1-exe\json.hpp$false$hD`H$h`H
                  • API String ID: 2160870905-2834071688
                  • Opcode ID: 0b83c1cd91eddf72933d8c6ce9c5d5eb6c053787cbb51260f43cc5d8383d55c5
                  • Instruction ID: a7a6efc64e2c3370057450d787760e6bfc4749f55610feb3d13a7ba6c9c7fb31
                  • Opcode Fuzzy Hash: 0b83c1cd91eddf72933d8c6ce9c5d5eb6c053787cbb51260f43cc5d8383d55c5
                  • Instruction Fuzzy Hash: ED112775840314B5CB1AE7ABCC49FEF3766AB0530CB24850FBA12215C1A56D958AC25E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020119,?,00000000,00000000,00000000), ref: 00437DF1
                  • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000040), ref: 00437E3E
                  • RegCloseKey.ADVAPI32(?), ref: 00437E5F
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: CloseOpenQueryValue
                  • String ID: <q]_TURY{IUX$@
                  • API String ID: 3677997916-2052253215
                  • Opcode ID: c7ad2e8a4ec51baab929556eb5838be0ae8b8ea32853cc5a6c0ec2f0cd598c5d
                  • Instruction ID: 5e8ad90b13d2ec46b1f3d3d5531b86cf53e56058e22b2ef8bfa59c0eb83c8893
                  • Opcode Fuzzy Hash: c7ad2e8a4ec51baab929556eb5838be0ae8b8ea32853cc5a6c0ec2f0cd598c5d
                  • Instruction Fuzzy Hash: 0B418E71D0529C9ECB21DFA8D981AEEFBF8BF09304F1041AEE485B7212D7744A89CB54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetEnvironmentStringsW.KERNEL32 ref: 004603AE
                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0046041C
                    • Part of subcall function 0045A91E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,0045C955,?,00000000,00000000), ref: 0045A9C0
                    • Part of subcall function 00458F7E: RtlAllocateHeap.NTDLL(00000000,0043E8E3,00000000,?,00440BCE,00000002,00000000,?,00488A38,?,00408226,0043E8E3,00000004,00000000,00000000,00000000), ref: 00458FB0
                  • _free.LIBCMT ref: 0046040D
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
                  • String ID:
                  • API String ID: 2560199156-0
                  • Opcode ID: 34a6e0acbbed95da1c9f2f6e4e784403a41c4db72934700d835720ec821037d0
                  • Instruction ID: 811fd5d34a69986e503a94cfd6bb0d2afd2055938172bc065060fca5b68f334d
                  • Opcode Fuzzy Hash: 34a6e0acbbed95da1c9f2f6e4e784403a41c4db72934700d835720ec821037d0
                  • Instruction Fuzzy Hash: 3B01A7B26026257B273117B71C8DCBB696DDEC6B99315013EFE05D2203FE688D0281BB
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: _free
                  • String ID:
                  • API String ID: 269201875-0
                  • Opcode ID: 1c9363b1098c24326679c184eb96bff7f8f8c63bddd1e78f66655ef88452ba41
                  • Instruction ID: 0dc41cb1d05015e57368e3427f8f1137c086e58ee1a0ac5fbca7be551e2ae004
                  • Opcode Fuzzy Hash: 1c9363b1098c24326679c184eb96bff7f8f8c63bddd1e78f66655ef88452ba41
                  • Instruction Fuzzy Hash: 7241E736A002009FCB10DFB9C880A5EB7F6EF8A718B16446DEA55EF342DB34AD45C784
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • _free.LIBCMT ref: 0045DC3D
                    • Part of subcall function 00458F7E: RtlAllocateHeap.NTDLL(00000000,0043E8E3,00000000,?,00440BCE,00000002,00000000,?,00488A38,?,00408226,0043E8E3,00000004,00000000,00000000,00000000), ref: 00458FB0
                  • RtlReAllocateHeap.NTDLL(00000000,?,?,00000004,00000000,?,004604C2,?,00000004,00000000,?,?,?,0045468C,?,00000000), ref: 0045DC79
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: AllocateHeap$_free
                  • String ID:
                  • API String ID: 1482568997-0
                  • Opcode ID: b9f32775c9c7b7cdd7605dd33f1c78af0780c178d5105713871701765e860776
                  • Instruction ID: b608beda7864ee123394448b85dea7f820f50c19b796963bef05fed3e230594c
                  • Opcode Fuzzy Hash: b9f32775c9c7b7cdd7605dd33f1c78af0780c178d5105713871701765e860776
                  • Instruction Fuzzy Hash: 75F0F632A05104669B372F26AC04B6B37699FD27B7F10402BFC15A6293DFACD80CC1AD
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 004350C3: GetUserNameA.ADVAPI32(?,?), ref: 004350DE
                  • OpenMutexA.KERNEL32 ref: 00435426
                  • CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00435433
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: Mutex$CreateNameOpenUser
                  • String ID:
                  • API String ID: 1251385603-0
                  • Opcode ID: 789d1982ca00ac24ac0db183ed7d83ffb6636918998a2d248cb3e12e842c3803
                  • Instruction ID: a156b0a0316c163836d1a195e920f580be5dac5ca9738254927496ae904e5dee
                  • Opcode Fuzzy Hash: 789d1982ca00ac24ac0db183ed7d83ffb6636918998a2d248cb3e12e842c3803
                  • Instruction Fuzzy Hash: 96F0FC20545358BBDB04EBF558845EFBFB8AE2A294B10A0A5E442E3202E6754A49C39E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: _free
                  • String ID:
                  • API String ID: 269201875-0
                  • Opcode ID: 555ae75b6e2a1cd63eff7530eab98e501eb9338da3984a4ad1d36b82ffbe1616
                  • Instruction ID: 449727134fe2859832d15948721a831afad70dce4c4d26dc766dea96d61a9eff
                  • Opcode Fuzzy Hash: 555ae75b6e2a1cd63eff7530eab98e501eb9338da3984a4ad1d36b82ffbe1616
                  • Instruction Fuzzy Hash: 54E0A722545911529211672B7C0566F19964FD137FB11423FEC20CA5D3EE7C44CA42AE
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,00000000,00488A38,?,0043E8F1,00000000,004854A8,?), ref: 00442F63
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: DispatcherExceptionUser
                  • String ID:
                  • API String ID: 6842923-0
                  • Opcode ID: 69a65c417ce7b7bd257e059fb719e10d3be6cebc33071181a79ab9a481018b90
                  • Instruction ID: 429c2bcc8e6af426560a01ec7e7499b042b7a00f183c19994818f79747674c31
                  • Opcode Fuzzy Hash: 69a65c417ce7b7bd257e059fb719e10d3be6cebc33071181a79ab9a481018b90
                  • Instruction Fuzzy Hash: 2D01DF31900209ABD701DF58D990BAEBBB8EF54700F41409AFD04AB3A0E7B0AD01CB80
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RtlAllocateHeap.NTDLL(00000000,0043E8E3,00000000,?,00440BCE,00000002,00000000,?,00488A38,?,00408226,0043E8E3,00000004,00000000,00000000,00000000), ref: 00458FB0
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  • Opcode ID: aa970b3e87f6750cfb8ad2c2dcc6928982852ca66543fc2972ad42ec9ed4ddd8
                  • Instruction ID: 60c44de772e7260334b7587e79a35e1b9f5a8c010cc9fdf20d7c700de7471b3a
                  • Opcode Fuzzy Hash: aa970b3e87f6750cfb8ad2c2dcc6928982852ca66543fc2972ad42ec9ed4ddd8
                  • Instruction Fuzzy Hash: CBE0A03310511067972037669C00B5BBB4B9B897A7B15002FEC44B2283DF28CC0882AD
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetUserNameA.ADVAPI32(?,?), ref: 004350DE
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: NameUser
                  • String ID:
                  • API String ID: 2645101109-0
                  • Opcode ID: 61f5ba5c05d30305611304f49ad6eb72e951543a1afcd66fa6b76d218acbb846
                  • Instruction ID: cdb59cd0f94429d4d66104043b97c2d866e40b7933060b8ae6305b36cffb063e
                  • Opcode Fuzzy Hash: 61f5ba5c05d30305611304f49ad6eb72e951543a1afcd66fa6b76d218acbb846
                  • Instruction Fuzzy Hash: 67D0C97480810DEBCF50DB90D989AC9B7BCAB00308F0004A294C1E3140EAF4ABC99B91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Non-executed Functions

                  APIs
                  • _strftime.LIBCMT ref: 00436C01
                  • GetUserDefaultLCID.KERNEL32(00001001,?,00000100), ref: 00436C29
                  • GetLocaleInfoA.KERNEL32(00000000), ref: 00436C30
                  • GetUserNameA.ADVAPI32(?,?), ref: 00436E7C
                  • GetComputerNameA.KERNEL32 ref: 00437516
                  • GetUserNameA.ADVAPI32(?,00000101), ref: 00437590
                  • GetSystemInfo.KERNEL32(?,?,?,?,?,00000001), ref: 004378B8
                  • GlobalMemoryStatusEx.KERNEL32(?,?,?,00000001), ref: 004379A2
                  • GetSystemMetrics.USER32 ref: 00437B37
                  • GetSystemMetrics.USER32 ref: 00437B5F
                  • EnumDisplayDevicesA.USER32(00000000,00000000,?,00000000), ref: 00437BE9
                  • EnumDisplayDevicesA.USER32(00000000,00000000,000001A8,00000000), ref: 00437C43
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: NameSystemUser$DevicesDisplayEnumInfoMetrics$ComputerDefaultGlobalLocaleMemoryStatus_strftime
                  • String ID: -J@Y$#$&3$(z]F$)$/"$)?2L$* &0$+1$,Je`$-7$/)?>$4I$4|?4$78$@$FAFO$GEI_$KG$Mxyr$N$Nnnc$OOOOOOOOOOOOO$R$Sun Jan 10 14:58:01 2021$TN :$Uyu$V$]DEX$^~=1,;-w$bOOOOOOOOOOOOO$dpvt$fkz~ez$h$hr$machineinfo.txt$n$noya~ez$s$u1<1$y$}
                  • API String ID: 244678567-1568436232
                  • Opcode ID: d071c75cf92834da5f917ad62c29beb324b7f9bc5a1a6c9ad1bdf224659aba96
                  • Instruction ID: 27e76a53a365db24bd315ebfc6ea00851952acbc451326d0611dc4ca1dc28b09
                  • Opcode Fuzzy Hash: d071c75cf92834da5f917ad62c29beb324b7f9bc5a1a6c9ad1bdf224659aba96
                  • Instruction Fuzzy Hash: C4B2F670A082988ACF29DB74C8517EDBB71AF59304F0441EED4896B242EB785FC9CF59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: swprintf
                  • String ID: $$+$+$0$1$6$9$9$9$<$?$C$D$G$H$J$M$M$U$W$`$eN9fR0jZ9wL1gM2$i$l$latitude$location$longitude$machineinfo.txt$s$sqlite3.dll${
                  • API String ID: 233258989-2747165619
                  • Opcode ID: a79c62cf86db8a008c926d4015e1dbc1978f7c8ddd6610f14f6aefc664ef37b0
                  • Instruction ID: 7f60053815742d1565e1e36c7cc42a1bd802dfdc658cc4f7432db2e2dc9f2b37
                  • Opcode Fuzzy Hash: a79c62cf86db8a008c926d4015e1dbc1978f7c8ddd6610f14f6aefc664ef37b0
                  • Instruction Fuzzy Hash: 17436A31D462A8AADB25EB629C52FDDBB705F25304F4400DEA559332C2DA785BC8CF1E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetVersionExW.KERNEL32(?), ref: 004249A7
                  • LoadLibraryW.KERNEL32(vaultcli.dll), ref: 004249CB
                  • GetProcAddress.KERNEL32(00000000,?), ref: 00424A18
                  • GetProcAddress.KERNEL32(00000000,?), ref: 00424A54
                  • GetProcAddress.KERNEL32(00000000,?), ref: 00424A8B
                  • GetProcAddress.KERNEL32(00000000,?), ref: 00424AC6
                  • GetProcAddress.KERNEL32(00000000,?), ref: 00424B03
                  • GetProcAddress.KERNEL32(00000000,?), ref: 00424B3C
                  • lstrlenW.KERNEL32(?), ref: 00424BFF
                  • lstrcpyW.KERNEL32 ref: 00424C1A
                  • lstrlenW.KERNEL32(?), ref: 00424C27
                  • lstrcpyW.KERNEL32 ref: 00424C46
                  • lstrlenW.KERNEL32(?), ref: 00424C53
                  • lstrcpyW.KERNEL32 ref: 00424C77
                  • lstrlenW.KERNEL32(?), ref: 00424CAB
                  • lstrcpyW.KERNEL32 ref: 00424CCC
                  • StrStrIW.SHLWAPI(?,Internet Explorer), ref: 00424DE3
                  • lstrlenW.KERNEL32(00000000), ref: 00424DEE
                  • lstrlenW.KERNEL32(?), ref: 00424DFE
                  • FreeLibrary.KERNEL32(00000000), ref: 00424E8C
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: AddressProclstrlen$lstrcpy$Library$FreeLoadVersion
                  • String ID: -{LXAYk_HH$BS[E$Internet Explorer$vaultcli.dll
                  • API String ID: 4222390991-1505458194
                  • Opcode ID: a7a51673e07da0190beac0bd30b41d1b8b49cc19349aad952c80805330154a59
                  • Instruction ID: bcb705ad5140a38fa50b9586dcf461baaee5ef563a446fe45340e62dc707dd7a
                  • Opcode Fuzzy Hash: a7a51673e07da0190beac0bd30b41d1b8b49cc19349aad952c80805330154a59
                  • Instruction Fuzzy Hash: 6AF191B0D002589FEF14DFA8EC88BEEBBB8EF49304F40446AE445E7211E7749945CB59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 004266F3
                  • GetDesktopWindow.USER32 ref: 004266F9
                  • GetWindowRect.USER32 ref: 00426706
                  • GetWindowDC.USER32(00000000), ref: 0042670D
                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042672D
                  • CreateCompatibleDC.GDI32(00000000), ref: 00426736
                  • CreateDIBSection.GDI32(?,00000028,00000001,?,00000000,00000000), ref: 00426781
                  • DeleteDC.GDI32(00000000), ref: 00426795
                  • DeleteDC.GDI32(?), ref: 0042679A
                  • SaveDC.GDI32(00000000), ref: 004267A1
                  • SelectObject.GDI32(00000000,?), ref: 004267AD
                  • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 004267C6
                  • RestoreDC.GDI32(00000000,00000000), ref: 004267CE
                  • DeleteDC.GDI32(00000000), ref: 004267DB
                  • DeleteDC.GDI32(?), ref: 004267E0
                  • GdipAlloc.GDIPLUS(00000010), ref: 004267E4
                  • GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 00426804
                  • _mbstowcs.LIBCMT ref: 00426877
                  • GdipSaveImageToFile.GDIPLUS(?,00000000,?,?), ref: 00426894
                  • DeleteObject.GDI32(00000010), ref: 004268B9
                  • GdiplusShutdown.GDIPLUS(?), ref: 004268C2
                    • Part of subcall function 0041021C: _Deallocate.LIBCONCRT ref: 0041022B
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: Delete$CreateGdipWindow$GdiplusObjectSave$AllocBitmapCapsCompatibleDeallocateDesktopDeviceFileFromImageRectRestoreSectionSelectShutdownStartup_mbstowcs
                  • String ID: (
                  • API String ID: 6261361-3887548279
                  • Opcode ID: c6c7fcb494a2898786b3140edc4ebbc681972344799c4b68df5ab71cffb4b1cd
                  • Instruction ID: 0c1cafd06d12ba4b0476b16f431330ae24400dbc15d708fa37a0a3715086ceaa
                  • Opcode Fuzzy Hash: c6c7fcb494a2898786b3140edc4ebbc681972344799c4b68df5ab71cffb4b1cd
                  • Instruction Fuzzy Hash: 297116B1D00219EFDB11DFA5DC849AEBBB8FF08340F10412AE956E7210E7745945CFA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetProcAddress.KERNEL32(?,?), ref: 0040C9F4
                  • GetProcAddress.KERNEL32(?,?), ref: 0040CA26
                  • GetProcAddress.KERNEL32(?,?), ref: 0040CA65
                  • GetProcAddress.KERNEL32(?,?), ref: 0040CA9D
                  • GetProcAddress.KERNEL32(?,?), ref: 0040CAD2
                  • GetProcAddress.KERNEL32(?,?), ref: 0040CB07
                  • GetProcAddress.KERNEL32(?,?), ref: 0040CB38
                  • GetProcAddress.KERNEL32(?,?), ref: 0040CB7A
                  • wsprintfA.USER32 ref: 0040CBEE
                    • Part of subcall function 0040FFFF: _Deallocate.LIBCONCRT ref: 00410014
                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040D255
                  • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 0040D2B4
                  • LocalFree.KERNEL32(?), ref: 0040D369
                    • Part of subcall function 0040A1F6: BCryptOpenAlgorithmProvider.BCRYPT(?,AES,00000000,00000000), ref: 0040A261
                    • Part of subcall function 0040A1F6: BCryptSetProperty.BCRYPT(?,ChainingMode,ChainingModeGCM,00000020,00000000), ref: 0040A27F
                    • Part of subcall function 0040A1F6: BCryptGenerateSymmetricKey.BCRYPT(?,00000010,00000000,00000000,?,00000020,00000000), ref: 0040A2A0
                    • Part of subcall function 0040A1F6: LocalAlloc.KERNEL32(00000040,?), ref: 0040A2F7
                    • Part of subcall function 0040A1F6: BCryptDecrypt.BCRYPT(00000010,?,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0040A322
                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040D32E
                    • Part of subcall function 0040A09D: CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,?,00000000,?,?,?,?,?), ref: 0040A0B0
                    • Part of subcall function 0040A09D: DeleteFileTransactedA.KERNEL32(?,00000000), ref: 0040A0C7
                    • Part of subcall function 0040A09D: CommitTransaction.KTMW32(00000000,?,00000000,?,?,?,?,?), ref: 0040A0D2
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: AddressProc$Crypt$Local$DataFreeTransactionUnprotect$AlgorithmAllocCommitCreateDeallocateDecryptDeleteFileGenerateOpenPropertyProviderSymmetricTransactedwsprintf
                  • String ID: "},$360Browser$Opera$UCBrowser$v10
                  • API String ID: 3237620425-3198395839
                  • Opcode ID: 65ed05b7b3c188741e560c3ab061dcc5778a1ab96ea687462b929008347767c7
                  • Instruction ID: d9826c1b261f83151ada644784c2e01c016f7dba5bf9c778867db9e953e1f600
                  • Opcode Fuzzy Hash: 65ed05b7b3c188741e560c3ab061dcc5778a1ab96ea687462b929008347767c7
                  • Instruction Fuzzy Hash: 3C72CD30D0025CDBDF21EBA4DC91AEEBBB5AF55304F1040AEE44977292EB745E88CB59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 004245E8
                  • CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?), ref: 00424609
                  • lstrlenW.KERNEL32 ref: 00424618
                  • CryptHashData.ADVAPI32(?,?,00000000,00000000), ref: 0042462B
                  • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,00000000), ref: 0042464E
                  • wsprintfW.USER32 ref: 0042468A
                  • lstrcatW.KERNEL32(00000000,?), ref: 00424698
                  • wsprintfW.USER32 ref: 004246B8
                  • lstrcatW.KERNEL32(00000000,?), ref: 004246C6
                  • CryptDestroyHash.ADVAPI32(?,?,00000000,00000000), ref: 004246CF
                  • CryptReleaseContext.ADVAPI32(?,00000000), ref: 004246DA
                  • lstrlenW.KERNEL32 ref: 00424721
                  • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,00000001,?), ref: 00424744
                  • LocalFree.KERNEL32(00000000), ref: 0042477D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: Crypt$Hash$ContextDatalstrcatlstrlenwsprintf$AcquireCreateDestroyFreeLocalParamReleaseUnprotect
                  • String ID: %02X$Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                  • API String ID: 1004607082-2450551051
                  • Opcode ID: 69951294b23e896f96ae30ff9b828f66f250e0fb33639d219a803366fab500c9
                  • Instruction ID: c124676e6240767da8e88dde9fd78c02153400b51e3c5cdc35d1e3984c90eb7c
                  • Opcode Fuzzy Hash: 69951294b23e896f96ae30ff9b828f66f250e0fb33639d219a803366fab500c9
                  • Instruction Fuzzy Hash: 385130B1E00219AFEB119BE4EC49FFF77BCEF45300F14402AE511E2151E7B89A058B69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateToolhelp32Snapshot.KERNEL32 ref: 00438185
                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0043819F
                  • OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?,00000000), ref: 00438213
                  • OpenProcessToken.ADVAPI32(00000000,000F01FF,?,?,?,00000000), ref: 00438225
                  • DuplicateTokenEx.ADVAPI32(?,000F01FF,00000000,00000002,00000001,?,?,?,00000000), ref: 00438240
                  • CloseHandle.KERNEL32(?,?,?,00000000), ref: 0043824D
                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,00000000), ref: 00438260
                  • _strlen.LIBCMT ref: 0043826D
                  • _mbstowcs.LIBCMT ref: 00438282
                  • CreateProcessWithTokenW.ADVAPI32(?,00000001,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0043829C
                  • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 004382A3
                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 004382B5
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: ProcessToken$CloseCreateHandleOpenProcess32$DuplicateFileFirstModuleNameNextSnapshotToolhelp32With_mbstowcs_strlen
                  • String ID: 6SNF$S$ZYDS
                  • API String ID: 674227017-618299555
                  • Opcode ID: 6676c9e4770c19517cb8fadadc54ddd1bcf9505d8acf60d049df9aa6f4be0637
                  • Instruction ID: ef0f86784f7bec91924cd665459f810acd82b410f0e66b670f2fb33c0f0e047d
                  • Opcode Fuzzy Hash: 6676c9e4770c19517cb8fadadc54ddd1bcf9505d8acf60d049df9aa6f4be0637
                  • Instruction Fuzzy Hash: 6C416D71A00209AFDF10DFA1DD85AEFB77DEF08305F1080AAF505A6151EE789E498B69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetProcAddress.KERNEL32(?,?), ref: 0040A807
                  • GetProcAddress.KERNEL32(?,?), ref: 0040A839
                  • GetProcAddress.KERNEL32(?,?), ref: 0040A878
                  • GetProcAddress.KERNEL32(?,?), ref: 0040A8B0
                  • GetProcAddress.KERNEL32(?,?), ref: 0040A8E5
                  • GetProcAddress.KERNEL32(?,?), ref: 0040A916
                  • GetProcAddress.KERNEL32(?,BDA0A22E), ref: 0040A958
                  • wsprintfA.USER32 ref: 0040A9B9
                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040AC03
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: AddressProc$CryptDataUnprotectwsprintf
                  • String ID: 4
                  • API String ID: 425045506-4088798008
                  • Opcode ID: d1c7dab606386cffa15fe41b785085894fcf151408d81aacd8838e521eeadfa7
                  • Instruction ID: f6f699f2bf6e44d78b6ef89c81678a9c95a63e431ce84a04998ab7d5a8403ac4
                  • Opcode Fuzzy Hash: d1c7dab606386cffa15fe41b785085894fcf151408d81aacd8838e521eeadfa7
                  • Instruction Fuzzy Hash: 41120330D0039C9BDF11EFA4D8406EEBBB5AF59304F1480AEE445B72A2DB741E89CB59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • BCryptOpenAlgorithmProvider.BCRYPT(?,AES,00000000,00000000), ref: 0040A261
                  • BCryptSetProperty.BCRYPT(?,ChainingMode,ChainingModeGCM,00000020,00000000), ref: 0040A27F
                  • BCryptGenerateSymmetricKey.BCRYPT(?,00000010,00000000,00000000,?,00000020,00000000), ref: 0040A2A0
                  • LocalAlloc.KERNEL32(00000040,?), ref: 0040A2F7
                  • BCryptDecrypt.BCRYPT(00000010,?,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0040A322
                  • BCryptCloseAlgorithmProvider.BCRYPT(00000000,00000000), ref: 0040A389
                  • BCryptDestroyKey.BCRYPT(00000000), ref: 0040A399
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: Crypt$AlgorithmProvider$AllocCloseDecryptDestroyGenerateLocalOpenPropertySymmetric
                  • String ID: AES$ChainingMode$ChainingModeGCM
                  • API String ID: 2220362970-1213888626
                  • Opcode ID: 375b5282a91a8d9b3c7fad6a4fb5c745d19b3a2273ad3f85df6e320c4f63b578
                  • Instruction ID: 70e29e5ff1c395bb306373d127da951bc080826973eed75c0fa0814770097ad5
                  • Opcode Fuzzy Hash: 375b5282a91a8d9b3c7fad6a4fb5c745d19b3a2273ad3f85df6e320c4f63b578
                  • Instruction Fuzzy Hash: 57515CB1900308AFDB10DF95D985AEEBBB8FF04704F10452EF915A7291E7789A44CB66
                  Uniqueness

                  Uniqueness Score: -1.00%
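
The BCrypt sequence above (AES provider, ChainingMode set to ChainingModeGCM, BCryptGenerateSymmetricKey with a 0x20-byte secret, BCryptDecrypt) and, elsewhere in this section, the CryptUnprotectData, CredEnumerateW and OpenProcessToken/DuplicateTokenEx/CreateProcessWithTokenW sequences are the call patterns a triage analyst keys on. The following is an added example, not part of the Joe Sandbox report or of the analysed sample: a Python helper that parses API bullets in this report format and tags each function block with the pattern it matches. The sample bullets are copied from this section; the tag names and the rule set are this example's own choices.

```python
import re
from collections import defaultdict

# Added triage helper (not part of the Joe Sandbox report or of the sample):
# parses the "APIs" bullets of a report in this format and flags API
# combinations that point to credential or token theft.

# One bullet looks like:
#   • BCryptSetProperty.BCRYPT(?,ChainingMode,ChainingModeGCM,00000020,00000000), ref: 0040A27F
# or, without an argument list:
#   • lstrlenW.KERNEL32 ref: 00424618
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[\w@:]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?"
)


def parse_api_lines(report_text):
    """Return {api_name: [argument string, ...]} for every API bullet found."""
    calls = defaultdict(list)
    for line in report_text.splitlines():
        m = API_LINE.search(line)
        if m:
            calls[m.group("api")].append(m.group("args") or "")
    return dict(calls)


def _args_contain(calls, api, needle):
    """True if any recorded argument list of `api` contains `needle`."""
    return any(needle in a for a in calls.get(api, []))


def classify(calls):
    """Map one function block's API calls to a set of triage tags."""
    tags = set()
    apis = set(calls)
    if "CryptUnprotectData" in apis:
        tags.add("dpapi-unprotect")
    # AES-GCM via CNG feeding BCryptDecrypt: the Chromium "v10" password blob pattern.
    if "BCryptDecrypt" in apis and _args_contain(calls, "BCryptSetProperty", "ChainingModeGCM"):
        tags.add("aes-gcm-decrypt")
    # Credential Manager enumeration of the IE/WinInet vault entries.
    if _args_contain(calls, "CredEnumerateW", "Microsoft_WinInet_"):
        tags.add("ie-credential-vault")
    # Open another process, duplicate its token, spawn with it.
    if {"OpenProcessToken", "DuplicateTokenEx", "CreateProcessWithTokenW"} <= apis:
        tags.add("token-impersonation")
    # KTM-transacted delete, a way to remove files without an ordinary DeleteFile.
    if {"CreateTransaction", "DeleteFileTransactedA", "CommitTransaction"} <= apis:
        tags.add("transacted-file-delete")
    return tags


# Constructed inputs: bullets copied from this section of the report.
SAMPLE_BCRYPT = """
• BCryptOpenAlgorithmProvider.BCRYPT(?,AES,00000000,00000000), ref: 0040A261
• BCryptSetProperty.BCRYPT(?,ChainingMode,ChainingModeGCM,00000020,00000000), ref: 0040A27F
• BCryptGenerateSymmetricKey.BCRYPT(?,00000010,00000000,00000000,?,00000020,00000000), ref: 0040A2A0
• LocalAlloc.KERNEL32(00000040,?), ref: 0040A2F7
• BCryptDecrypt.BCRYPT(00000010,?,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0040A322
"""

SAMPLE_TOKEN = """
• CreateToolhelp32Snapshot.KERNEL32 ref: 00438185
• OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?,00000000), ref: 00438213
• OpenProcessToken.ADVAPI32(00000000,000F01FF,?,?,?,00000000), ref: 00438225
• DuplicateTokenEx.ADVAPI32(?,000F01FF,00000000,00000002,00000001,?,?,?,00000000), ref: 00438240
• CreateProcessWithTokenW.ADVAPI32(?,00000001,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0043829C
"""

SAMPLE_CRED = """
• CredEnumerateW.ADVAPI32(Microsoft_WinInet_*,00000000,?,?), ref: 004247F6
• CryptUnprotectData.CRYPT32(?,00000000,0000004A,00000000,00000000,00000001,?), ref: 0042483C
• CredFree.ADVAPI32(?), ref: 0042487F
"""

SAMPLE_BENIGN = """
• GetLocaleInfoW.KERNEL32(?,2000000B,00462BCB,00000002,00000000,?,?,?,00462BCB,?,00000000), ref: 00462946
• GetACP.KERNEL32(?,?,00462BCB,?,00000000), ref: 00462984
"""

if __name__ == "__main__":
    for name, text in [("bcrypt", SAMPLE_BCRYPT), ("token", SAMPLE_TOKEN),
                       ("cred", SAMPLE_CRED), ("benign", SAMPLE_BENIGN)]:
        print(name, sorted(classify(parse_api_lines(text))))
```

Run over a whole exported report, the helper groups the bullets per function block first (each block in this format ends at its "Uniqueness Score" line) and then calls classify on each; the rules deliberately require the co-occurring argument strings (ChainingModeGCM, Microsoft_WinInet_) rather than the bare API names, since GetProcAddress and CryptUnprotectData alone also appear in benign software.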

                  APIs
                  • GetFileAttributesExW.KERNEL32(?,00000000,?), ref: 0043E449
                  • GetLastError.KERNEL32 ref: 0043E453
                  • ___std_fs_open_handle@16.LIBCPMT ref: 0043E4BB
                  • GetLastError.KERNEL32 ref: 0043E525
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: ErrorLast$AttributesFile___std_fs_open_handle@16
                  • String ID: GetFileInformationByHandleEx$kernel32.dll
                  • API String ID: 1210884149-1782754588
                  • Opcode ID: 16ff7e4fba78bd3ff893ebc491da86d717eaaa4f02a761e4073efd21b937d597
                  • Instruction ID: 0fba63c7fa995db980e6cf6a79ef55872a9786ea24547241b1ff7e1069405202
                  • Opcode Fuzzy Hash: 16ff7e4fba78bd3ff893ebc491da86d717eaaa4f02a761e4073efd21b937d597
                  • Instruction Fuzzy Hash: 13A1AC709012199FDB24CF69C885BAAB7F4AF08324F1442AAEC25EB3D1E778DD41CB55
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • lstrlenW.KERNEL32(?), ref: 004247BC
                  • lstrlenW.KERNEL32(00000002), ref: 004247CD
                  • CredEnumerateW.ADVAPI32(Microsoft_WinInet_*,00000000,?,?), ref: 004247F6
                  • CryptUnprotectData.CRYPT32(?,00000000,0000004A,00000000,00000000,00000001,?), ref: 0042483C
                  • LocalFree.KERNEL32(?), ref: 00424866
                  • CredFree.ADVAPI32(?), ref: 0042487F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: CredFreelstrlen$CryptDataEnumerateLocalUnprotect
                  • String ID: J$Microsoft_WinInet_*$abe2869f-9b47-4cd9-a358-c22904dba7f7
                  • API String ID: 186292201-3120203912
                  • Opcode ID: 3d2de0325e9abd8678ca8313384af61c5419a4cae62e3185ef984aeec967eb3a
                  • Instruction ID: e934e653e0407fd26a4c540c6639f549db8f7d2993c94c9c4cb165967ec2ea1c
                  • Opcode Fuzzy Hash: 3d2de0325e9abd8678ca8313384af61c5419a4cae62e3185ef984aeec967eb3a
                  • Instruction Fuzzy Hash: E9315776E00258EBCB20DFA5DC849EFBBB9FB84710F50416AE911E3241E7749A01CFA4
                  Uniqueness

                  Uniqueness Score: -1.00%
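
The two CryptUnprotectData call sites above (the IntelliForms\Storage2 routine at 00424744 and the Microsoft_WinInet_* routine at 0042483C) both pass optional entropy, which is what makes those blobs unreadable to a plain DPAPI unprotect. The following is an added example, not code from the report or from the sample: a Python reconstruction of the entropy the two call sequences imply. What the report itself supports: CryptCreateHash with 0x8004 (CALG_SHA1), CryptGetHashParam with 2 (HP_HASHVAL), a "%02X" formatting loop, and a 0x4A (74) byte value next to the GUID abe2869f-9b47-4cd9-a358-c22904dba7f7. The exact layouts (SHA-1 over the UTF-16LE URL including its NUL, a one-byte checksum suffix on the value name, the URL itself as entropy; each wide char of the GUID multiplied by 4) follow public descriptions of the IE autocomplete and credential stores and are assumptions as far as this sample is concerned. The URL is a constructed input.

```python
import hashlib
import struct

# Added example, not code from the report or the sample. Reconstructs the DPAPI
# optional entropy implied by the IntelliForms\Storage2 and Microsoft_WinInet_*
# call sequences. Byte layouts are taken from public descriptions of the IE
# stores (assumption with respect to this sample).


def utf16z(text):
    """UTF-16LE bytes including the terminating NUL, i.e. lstrlenW+1 wide chars."""
    return (text + "\0").encode("utf-16-le")


def intelliforms_digest(url):
    """SHA-1 (CALG_SHA1 = 0x8004) over the UTF-16LE URL with NUL: what CryptHashData is fed."""
    return hashlib.sha1(utf16z(url)).digest()


def intelliforms_value_name(url):
    """Registry value name under IntelliForms\\Storage2.

    40 uppercase hex digits of the digest (the "%02X" loop in the report), followed
    by a two-digit checksum: the sum of the digest bytes modulo 256.
    """
    digest = intelliforms_digest(url)
    checksum = sum(digest) & 0xFF
    return "".join("%02X" % b for b in digest) + "%02X" % checksum


def intelliforms_entropy(url):
    """Optional entropy for CryptUnprotectData on a Storage2 blob: the URL (UTF-16LE, with NUL)."""
    return utf16z(url)


WININET_VAULT_GUID = "abe2869f-9b47-4cd9-a358-c22904dba7f7"   # string present in the report


def wininet_vault_entropy(guid=WININET_VAULT_GUID):
    """74-byte (0x4A) entropy for Microsoft_WinInet_* credential blobs.

    Each UTF-16 code unit of the GUID string, including the terminating NUL, is
    multiplied by 4 and stored little-endian: 37 code units * 2 bytes = 74 bytes.
    """
    return b"".join(struct.pack("<H", (ord(c) * 4) & 0xFFFF) for c in guid + "\0")


if __name__ == "__main__":
    url = "https://example.com/login"   # constructed input
    print("Storage2 value name:", intelliforms_value_name(url))
    print("Storage2 entropy   :", intelliforms_entropy(url).hex())
    print("WinInet entropy    :", wininet_vault_entropy().hex(), len(wininet_vault_entropy()))
```

For a defender the useful consequence is the inverse direction: a Storage2 value name can only be resolved back to a site by hashing candidate URLs (browser history, for instance) and comparing, which is exactly what a stealer has to do and why these routines sit next to the history-reading code.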

                  APIs
                  • GetDriveTypeA.KERNEL32(?,?,?,004792FB,004792FB), ref: 00412B73
                    • Part of subcall function 0041021C: _Deallocate.LIBCONCRT ref: 0041022B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: DeallocateDriveType
                  • String ID: %$0$8$:$F$Lb "'$eN9fR0jZ9wL1gM2
                  • API String ID: 1092882496-55130003
                  • Opcode ID: 364288df037b84ca8037b3ec4d0124fcc162cd15641fc7eb3114fb6f2411f170
                  • Instruction ID: 04c67b5180b27454ad995526e779db86adf25f2fa96885c01811c87e063df913
                  • Opcode Fuzzy Hash: 364288df037b84ca8037b3ec4d0124fcc162cd15641fc7eb3114fb6f2411f170
                  • Instruction Fuzzy Hash: 50E2CE71D0025CDACF24EFA5C991AEDB7B5AF14308F1041AEE406B7282DB785F89CB59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 004197AF: SetFilePointer.KERNEL32(?,?,00000000,?), ref: 004197E2
                  • _strcat.LIBCMT ref: 0041A659
                  • _strcat.LIBCMT ref: 0041A6D4
                  • SystemTimeToFileTime.KERNEL32(?,000007BC), ref: 0041A829
                  • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0041A849
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: FileTime$_strcat$LocalPointerSystem
                  • String ID: /../$/..\$\../$\..\
                  • API String ID: 3418985325-3885502717
                  • Opcode ID: 3883cf17fac00e5a259e49b6d7180a57681d453ac02dcfacb5702afb77f692b7
                  • Instruction ID: 0221ffb88f98342ab8f47a0cf3f9dc5c3b5bf45057c8468b94213e90b95ef1ee
                  • Opcode Fuzzy Hash: 3883cf17fac00e5a259e49b6d7180a57681d453ac02dcfacb5702afb77f692b7
                  • Instruction Fuzzy Hash: 8FE1D1715093419BC315CF29C4816EBBBE1AF89304F18892FE4E9C7382D739D995CB9A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00456FBB: GetLastError.KERNEL32(?,?,?,00451DA6,004859E0,00000008,0043E236,?,004117CC,?,7FFFFFFF,?,00000000,00411508), ref: 00456FC0
                    • Part of subcall function 00456FBB: SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,?,00451DA6,004859E0,00000008,0043E236,?,004117CC,?,7FFFFFFF,?,00000000), ref: 0045705E
                  • GetACP.KERNEL32(?,?,?,?,?,?,004553F0,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 004621E2
                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004553F0,?,?,?,00000055,?,-00000050,?,?), ref: 0046220D
                  • _wcschr.LIBVCRUNTIME ref: 004622A1
                  • _wcschr.LIBVCRUNTIME ref: 004622AF
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00462370
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                  • String ID: utf8
                  • API String ID: 4147378913-905460609
                  • Opcode ID: 01480cd688ee488daf06af0f185df241d1d3ff1eea9c37af4dcba91562d0e84f
                  • Instruction ID: c0ec50bb0176f79c71a888a2be529ce24b094e10f8c71d56428e24aa327f64a5
                  • Opcode Fuzzy Hash: 01480cd688ee488daf06af0f185df241d1d3ff1eea9c37af4dcba91562d0e84f
                  • Instruction Fuzzy Hash: A971F671600B02BAD725AB35CD42BB773A8AF45744F14442BFA0597281FBBCA941866B
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: __floor_pentium4
                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                  • API String ID: 4168288129-2761157908
                  • Opcode ID: 48d744148692727f954f2fd2515b750140219c095e65496eb118174f1869e35c
                  • Instruction ID: 6ada25e9123e2d2be1c60c14754c22895b8e28d38f4d81ec01020df3547a66d8
                  • Opcode Fuzzy Hash: 48d744148692727f954f2fd2515b750140219c095e65496eb118174f1869e35c
                  • Instruction Fuzzy Hash: B3C23871E046288FDF25CE28DD407EAB3B5EB89305F1541EBD84DA7240E779AE818F46
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetLocaleInfoW.KERNEL32(?,2000000B,00462BCB,00000002,00000000,?,?,?,00462BCB,?,00000000), ref: 00462946
                  • GetLocaleInfoW.KERNEL32(?,20001004,00462BCB,00000002,00000000,?,?,?,00462BCB,?,00000000), ref: 0046296F
                  • GetACP.KERNEL32(?,?,00462BCB,?,00000000), ref: 00462984
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: InfoLocale
                  • String ID: ACP$OCP
                  • API String ID: 2299586839-711371036
                  • Opcode ID: da4cd997c8b69ae28c37699b415adf93369019a46b24032af41af9289bbc8ae3
                  • Instruction ID: 3b01666b312e930ae8f73bad3d7c21e7378fb1977e3a6e8ff32e080caa7f0504
                  • Opcode Fuzzy Hash: da4cd997c8b69ae28c37699b415adf93369019a46b24032af41af9289bbc8ae3
                  • Instruction Fuzzy Hash: 862127B2700901B6DB309B10CE00BA7B3A6FBD0B54F568526E94AD7210F7BACD45C79A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: Transaction$Create$CommitDeallocateTransacted$CopyDirectoryFile
                  • String ID: !`qqe`u`$M|$j$kmz|$uu|m${c
                  • API String ID: 2045272108-2744886791
                  • Opcode ID: d7683e4de1e7be1bd5d336e155dbe6c61022b1bcef82ecfb40dc6fd7a718dfdc
                  • Instruction ID: 71cc51df436c61b3912aebd050ec405fcc77b85958e2735fcf01ec1e0e60967e
                  • Opcode Fuzzy Hash: d7683e4de1e7be1bd5d336e155dbe6c61022b1bcef82ecfb40dc6fd7a718dfdc
                  • Instruction Fuzzy Hash: 4B12BF30D0428CCADF15EBB5C951AEDFBB1AF99308F2441AED44177282DB781E89CB59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00456FBB: GetLastError.KERNEL32(?,?,?,00451DA6,004859E0,00000008,0043E236,?,004117CC,?,7FFFFFFF,?,00000000,00411508), ref: 00456FC0
                    • Part of subcall function 00456FBB: SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,?,00451DA6,004859E0,00000008,0043E236,?,004117CC,?,7FFFFFFF,?,00000000), ref: 0045705E
                    • Part of subcall function 00456FBB: _free.LIBCMT ref: 0045701D
                    • Part of subcall function 00456FBB: _free.LIBCMT ref: 00457053
                  • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00462B8E
                  • IsValidCodePage.KERNEL32(00000000), ref: 00462BD7
                  • IsValidLocale.KERNEL32(?,00000001), ref: 00462BE6
                  • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00462C2E
                  • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00462C4D
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
                  • String ID:
                  • API String ID: 949163717-0
                  • Opcode ID: e4825271d2b26a7ee1167f9e9888c91c22228d555ed1cd4cfac0524c8c3da401
                  • Instruction ID: c1d56edad4854fcb22996269896a0a167671099fb8c602a82346b4d96f42bde2
                  • Opcode Fuzzy Hash: e4825271d2b26a7ee1167f9e9888c91c22228d555ed1cd4cfac0524c8c3da401
                  • Instruction Fuzzy Hash: A8515171A00605BBDB10DFA5DD41ABB73B8FF44B01F14446BE904E7251FBF8AA448B6A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • FindClose.KERNEL32(000000FF,?,004117CC,?,7FFFFFFF,?,00000000,00411508,?,?,?,0041081C,00411508,00000000,00411508,?), ref: 0043E223
                  • FindFirstFileExW.KERNEL32(000000FF,00000001,?,00000000,00000000,00000000,?,?,?,?,004117CC,?,7FFFFFFF,?,00000000,00411508), ref: 0043E253
                  • GetLastError.KERNEL32(?,?,?,?,004117CC,?,7FFFFFFF,?,00000000,00411508,?,?,?,0041081C,00411508,00000000), ref: 0043E260
                  • FindFirstFileExW.KERNEL32(000000FF,00000000,?,00000000,00000000,00000000,?,?,?,?,004117CC,?,7FFFFFFF,?,00000000,00411508), ref: 0043E27A
                  • GetLastError.KERNEL32(?,?,?,?,004117CC,?,7FFFFFFF,?,00000000,00411508,?,?,?,0041081C,00411508,00000000), ref: 0043E287
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: Find$ErrorFileFirstLast$Close
                  • String ID:
                  • API String ID: 569926201-0
                  • Opcode ID: a41c8e2ae2038ebd777fe46b62cd7069cc44b761b922704209fb22ef628d10c3
                  • Instruction ID: 38e3f7b6556588ad09352e70c6a81f0c015053b48b3a69d54183e0af43ec4f8b
                  • Opcode Fuzzy Hash: a41c8e2ae2038ebd777fe46b62cd7069cc44b761b922704209fb22ef628d10c3
                  • Instruction Fuzzy Hash: 19015231001184BBCB201FB7EC4CC6B3F7DEBDA721F10566AF968915E1D7718861DA69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetTimeZoneInformation.KERNEL32(?), ref: 004364E3
                    • Part of subcall function 004105DD: std::locale::_Init.LIBCPMT ref: 00410600
                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00436624
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: InformationInitIos_base_dtorTimeZonestd::ios_base::_std::locale::_
                  • String ID: m$xG
                  • API String ID: 3991488653-3680498416
                  • Opcode ID: c560131e6150621404c5db5f92c9718a412f9d8490a04c07a54a55e4077933c7
                  • Instruction ID: d9f95aeac852975f227c79fe4c6e2ea2c63425272fe72248a342bcfe58b4b145
                  • Opcode Fuzzy Hash: c560131e6150621404c5db5f92c9718a412f9d8490a04c07a54a55e4077933c7
                  • Instruction Fuzzy Hash: DA41BE70D00248DBDB11DFAAC9457EEFBB5AF48304F1081AED4097B242EB786A89CF55
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?), ref: 0040A518
                  • HeapFree.KERNEL32(00000000,?,?), ref: 0040A51F
                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040A6AE
                  • HeapFree.KERNEL32(00000000), ref: 0040A6B5
                    • Part of subcall function 0040FFFF: _Deallocate.LIBCONCRT ref: 00410014
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: Heap$FreeProcess$Deallocate
                  • String ID:
                  • API String ID: 3683097869-0
                  • Opcode ID: f98b358b978df7bfdaec1089a6be50bc98a16b8c0b8ed12d37843783534a88cf
                  • Instruction ID: 29844e986e23b03c541e44f55f09a04b83e6ba510b37834b82bf2b9beada1e36
                  • Opcode Fuzzy Hash: f98b358b978df7bfdaec1089a6be50bc98a16b8c0b8ed12d37843783534a88cf
                  • Instruction Fuzzy Hash: 41B12871C0021DDBCF15EBE5C995AEDB7B4AF18308F24416EE40177282EB786E48CBA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00456FBB: GetLastError.KERNEL32(?,?,?,00451DA6,004859E0,00000008,0043E236,?,004117CC,?,7FFFFFFF,?,00000000,00411508), ref: 00456FC0
                    • Part of subcall function 00456FBB: SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,?,00451DA6,004859E0,00000008,0043E236,?,004117CC,?,7FFFFFFF,?,00000000), ref: 0045705E
                    • Part of subcall function 00456FBB: _free.LIBCMT ref: 0045701D
                    • Part of subcall function 00456FBB: _free.LIBCMT ref: 00457053
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00462588
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004625D2
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00462698
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: InfoLocale$ErrorLast_free
                  • String ID:
                  • API String ID: 3140898709-0
                  • Opcode ID: 7bbf9718f7ba7fe3fc41dac44d4734544bf9c2ec7a9e2fb8abf7206b6bee120f
                  • Instruction ID: afa84ce40961b7e58e7f536b2e2c068b3ec9966733afa2aff580e79e2981ff63
                  • Opcode Fuzzy Hash: 7bbf9718f7ba7fe3fc41dac44d4734544bf9c2ec7a9e2fb8abf7206b6bee120f
                  • Instruction Fuzzy Hash: 5F619271600907ABDB289F24DE82BBB73A8EF04305F10407BED05D6685F7B8D985DB5A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,0043E8E3), ref: 004464AD
                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0043E8E3), ref: 004464B7
                  • UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,0043E8E3), ref: 004464C4
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                  • String ID:
                  • API String ID: 3906539128-0
                  • Opcode ID: 5f91bf94a87c8254ebcd041f06a7014dd17ff4f3e8202913c924fa47ee1c5447
                  • Instruction ID: bdbe02196d0043b30466a4703c2bf5709af1304efb77281fd75b10f641b3aaeb
                  • Opcode Fuzzy Hash: 5f91bf94a87c8254ebcd041f06a7014dd17ff4f3e8202913c924fa47ee1c5447
                  • Instruction Fuzzy Hash: 4331D6749412289BDB21DF65D98979DB7B8BF08310F5041EAE80CA7260EB749B858F49
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetCurrentProcess.KERNEL32(00411508,?,00446990,000000FF,?,00411508,000000FF,00411508,?), ref: 004469B3
                  • TerminateProcess.KERNEL32(00000000,?,00446990,000000FF,?,00411508,000000FF,00411508,?), ref: 004469BA
                  • ExitProcess.KERNEL32 ref: 004469CC
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: Process$CurrentExitTerminate
                  • String ID:
                  • API String ID: 1703294689-0
                  • Opcode ID: 33f32b213f743f3767cfff11261c86ec7ebdb48ca6a64c697c3c5e4265cb45f9
                  • Instruction ID: 7345f05a3e1d06e07622e28af21cd5690e0e32284a71563797206f56cf5adc6f
                  • Opcode Fuzzy Hash: 33f32b213f743f3767cfff11261c86ec7ebdb48ca6a64c697c3c5e4265cb45f9
                  • Instruction Fuzzy Hash: 26E08CB2000148FFCF116F94DC59A2A3B29FB01342F05082AF84586631DBBEED81CB8A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00456FBB: GetLastError.KERNEL32(?,?,?,00451DA6,004859E0,00000008,0043E236,?,004117CC,?,7FFFFFFF,?,00000000,00411508), ref: 00456FC0
                    • Part of subcall function 00456FBB: SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,?,00451DA6,004859E0,00000008,0043E236,?,004117CC,?,7FFFFFFF,?,00000000), ref: 0045705E
                  • EnumSystemLocalesW.KERNEL32(00462534,00000001,00000000,?,-00000050,?,00462B62,00000000,?,?,?,00000055,?), ref: 00462480
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: ErrorLast$EnumLocalesSystem
                  • String ID: b+F
                  • API String ID: 2417226690-1574821776
                  • Opcode ID: 26e50e111a08081a2667880cbcd2749aa75f5c7f768c817555371215614f408d
                  • Instruction ID: 4578ffd1325a150a84f9595f643486d62d8ad7ef8fdcba4d569af49992eb9163
                  • Opcode Fuzzy Hash: 26e50e111a08081a2667880cbcd2749aa75f5c7f768c817555371215614f408d
                  • Instruction Fuzzy Hash: 4A110637200B016FDB189F39C9915BBB791FF80358B14442EE98747740E7B5A902CB44
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 22f1fbe1e7b0749f567a14033822f7bc3df05a30d44e7dfb069ca6a326744bf5
                  • Instruction ID: ba22eb4e1f982a3db5eb0d6a0ae2da0e127bd1cb07e96d8e5fb15c469b1acf54
                  • Opcode Fuzzy Hash: 22f1fbe1e7b0749f567a14033822f7bc3df05a30d44e7dfb069ca6a326744bf5
                  • Instruction Fuzzy Hash: CAF16071E012199FEF14CFA8C9806AEB7B1FF88314F15826ED819AB344D734AD11CB95
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • IsDebuggerPresent.KERNEL32(?,00000000,?,0044E7BA,?,Microsoft Visual C++ Runtime Library,00012012,?,00000240,00000000,?,?,?,?,00000000,00000480), ref: 0045C26F
                  • OutputDebugStringW.KERNEL32(?,?,0044E7BA,?,Microsoft Visual C++ Runtime Library,00012012,?,00000240,00000000,?,?,?,?,00000000,00000480,C:\Users\a13xuiop1337\Desktop\_Work\rc-build-v1-exe\json.hpp), ref: 0045C286
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: DebugDebuggerOutputPresentString
                  • String ID:
                  • API String ID: 4086329628-0
                  • Opcode ID: bca80f1353a5c6385304e6656d1946b78cb7bd2e48fa836985edfde6a39d4b59
                  • Instruction ID: ebb084989fad202494570a1e445b41a6c9ebee41c77b28a90dc7aec0ad77e916
                  • Opcode Fuzzy Hash: bca80f1353a5c6385304e6656d1946b78cb7bd2e48fa836985edfde6a39d4b59
                  • Instruction Fuzzy Hash: 2D01A732845318BFDA202AD25C86B7B375DEF02757F14048BFD09E6243CE29D84995BE
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 004400DE
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: FeaturePresentProcessor
                  • String ID:
                  • API String ID: 2325560087-0
                  • Opcode ID: dce6577e17377a78d93b58d2a172f5f35872cf881dea77f530d2c607e34c4528
                  • Instruction ID: 832e286a30792ebc6ae4d608c9a5bdf6280f2a25194d03438242f1d1e01e3ec5
                  • Opcode Fuzzy Hash: dce6577e17377a78d93b58d2a172f5f35872cf881dea77f530d2c607e34c4528
                  • Instruction Fuzzy Hash: 4D513FB1A006058BEB15CF69D8857AEBBF0FB48310F24896ED505EB350D7B99D10CF58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CoCreateInstance.OLE32(0046C9D0,00000000,00000001,0046C9A0,?), ref: 0043485D
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: CreateInstance
                  • String ID:
                  • API String ID: 542301482-0
                  • Opcode ID: 3654242e0cd84e90c83be71ae8d6d3f223a2b59e5bb5148151cae31183f2c2cc
                  • Instruction ID: 4f0dc45d7d240b48b5fc94602d720bc98909be1683484f80a2ec37ff7eb00790
                  • Opcode Fuzzy Hash: 3654242e0cd84e90c83be71ae8d6d3f223a2b59e5bb5148151cae31183f2c2cc
                  • Instruction Fuzzy Hash: 173175B1600219AFDB14DBA9DC89EDB77BCDF89754F100099F408D7250EA34EE04CB95
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00456FBB: GetLastError.KERNEL32(?,?,?,00451DA6,004859E0,00000008,0043E236,?,004117CC,?,7FFFFFFF,?,00000000,00411508), ref: 00456FC0
                    • Part of subcall function 00456FBB: SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,?,00451DA6,004859E0,00000008,0043E236,?,004117CC,?,7FFFFFFF,?,00000000), ref: 0045705E
                    • Part of subcall function 00456FBB: _free.LIBCMT ref: 0045701D
                    • Part of subcall function 00456FBB: _free.LIBCMT ref: 00457053
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004627DB
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: ErrorLast_free$InfoLocale
                  • String ID:

                  APIs
                    • Part of subcall function 00456FBB: GetLastError.KERNEL32(?,?,?,00451DA6,004859E0,00000008,0043E236,?,004117CC,?,7FFFFFFF,?,00000000,00411508), ref: 00456FC0
                    • Part of subcall function 00456FBB: SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,?,00451DA6,004859E0,00000008,0043E236,?,004117CC,?,7FFFFFFF,?,00000000), ref: 0045705E
                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00462750,00000000,00000000,?), ref: 004629DF
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: ErrorLast$InfoLocale
                  • String ID:

                  APIs
                    • Part of subcall function 00456FBB: GetLastError.KERNEL32(?,?,?,00451DA6,004859E0,00000008,0043E236,?,004117CC,?,7FFFFFFF,?,00000000,00411508), ref: 00456FC0
                    • Part of subcall function 00456FBB: SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,?,00451DA6,004859E0,00000008,0043E236,?,004117CC,?,7FFFFFFF,?,00000000), ref: 0045705E
                  • EnumSystemLocalesW.KERNEL32(00462787,00000001,00000000,?,-00000050,?,00462B26,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 004624F3
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: ErrorLast$EnumLocalesSystem
                  • String ID:

                  APIs
                    • Part of subcall function 004522E1: EnterCriticalSection.KERNEL32(-0004E295,?,00453BEB,00000000,00485A20,0000000C,00453BB2,?,?,00458330,?,?,0045715D,00000001,00000364,00000008), ref: 004522F0
                  • EnumSystemLocalesW.KERNEL32(0045835A,00000001,00485C00,0000000C,00458839,00000000), ref: 0045839F
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: CriticalEnterEnumLocalesSectionSystem
                  • String ID:

                  APIs
                    • Part of subcall function 00456FBB: GetLastError.KERNEL32(?,?,?,00451DA6,004859E0,00000008,0043E236,?,004117CC,?,7FFFFFFF,?,00000000,00411508), ref: 00456FC0
                    • Part of subcall function 00456FBB: SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,?,00451DA6,004859E0,00000008,0043E236,?,004117CC,?,7FFFFFFF,?,00000000), ref: 0045705E
                  • EnumSystemLocalesW.KERNEL32(0046231C,00000001,00000000,?,?,00462B84,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 004623FA
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: ErrorLast$EnumLocalesSystem
                  • String ID:

                  APIs
                  • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00455F6D,?,20001004,00000000,00000002,?,?,00455558), ref: 004589C8
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: InfoLocale
                  • String ID:

                  APIs
                  • SetUnhandledExceptionFilter.KERNEL32(Function_00040412,0043FD14), ref: 0044040B
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: ExceptionFilterUnhandled
                  • String ID:

                  APIs
                    • Part of subcall function 00433DF6: LoadLibraryA.KERNEL32(?), ref: 00433E37
                    • Part of subcall function 00433DF6: GetProcAddress.KERNEL32(00000000,?), ref: 00433E74
                    • Part of subcall function 00433DF6: FreeLibrary.KERNEL32(00000000), ref: 00433EA8
                    • Part of subcall function 00434254: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00434279
                    • Part of subcall function 00434254: RegEnumKeyExW.ADVAPI32 ref: 0043430A
                    • Part of subcall function 00434254: RegCloseKey.ADVAPI32(?), ref: 00434317
                    • Part of subcall function 00434321: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00434348
                    • Part of subcall function 00434321: RegEnumKeyExW.ADVAPI32 ref: 00434373
                    • Part of subcall function 00434321: lstrlenW.KERNEL32(?), ref: 0043438A
                    • Part of subcall function 00434321: lstrlenW.KERNEL32(?), ref: 00434397
                    • Part of subcall function 00434321: lstrcpyW.KERNEL32 ref: 004343B8
                    • Part of subcall function 00434321: lstrcatW.KERNEL32(00000000,0047E094), ref: 004343C4
                    • Part of subcall function 00434321: lstrcatW.KERNEL32(00000000,?), ref: 004343D2
                    • Part of subcall function 00434321: lstrcatW.KERNEL32(00000000,?), ref: 004343DE
                    • Part of subcall function 00434321: RegEnumKeyExW.ADVAPI32 ref: 00434418
                    • Part of subcall function 00434321: RegCloseKey.ADVAPI32(?), ref: 0043442D
                    • Part of subcall function 00434C24: RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Internet Explorer\IntelliForms\Storage2,00000000,00000100,00000100,?,00000000), ref: 00434C6C
                    • Part of subcall function 00434C24: RegQueryValueExW.ADVAPI32(00000100,?,00000000,?,00000000,00000000,?,00000000), ref: 00434C8B
                    • Part of subcall function 00434C24: RegQueryValueExW.ADVAPI32(00000100,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00434CC6
                    • Part of subcall function 00434C24: RegCloseKey.ADVAPI32(00000100,?,00000000), ref: 00434CE7
                  • lstrlenW.KERNEL32(00000000), ref: 004346A9
                  • lstrcpyW.KERNEL32 ref: 004346C1
                  • lstrcpyW.KERNEL32 ref: 004346CD
                    • Part of subcall function 00434254: lstrlenW.KERNEL32(?), ref: 0043429F
                    • Part of subcall function 00434254: lstrcpyW.KERNEL32 ref: 004342BC
                    • Part of subcall function 00434254: lstrcatW.KERNEL32(00000000,0047E094), ref: 004342C8
                    • Part of subcall function 00434254: lstrcatW.KERNEL32(00000000,?), ref: 004342D6
                    • Part of subcall function 004457E5: _free.LIBCMT ref: 004457F8
                  Strings
                  • Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, xrefs: 00434743
                  • Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook, xrefs: 0043475F
                  • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings, xrefs: 00434700
                  • \Accounts, xrefs: 004346C7
                  • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook, xrefs: 0043470B
                  • Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook, xrefs: 00434751
                  • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00434665
                  • Software\Microsoft\Internet Account Manager, xrefs: 0043468F
                  • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 004346EE
                  • Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook, xrefs: 00434735
                  • Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook, xrefs: 00434727
                  • Identities, xrefs: 0043467B
                  • Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook, xrefs: 00434773
                  • Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook, xrefs: 00434719
                  • Outlook, xrefs: 0043468A
                  • \Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00434671
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: lstrcat$lstrcpylstrlen$CloseEnumOpen$LibraryQueryValue$AddressFreeLoadProc_free
                  • String ID: Identities$Outlook$Software\Microsoft\Internet Account Manager$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook$Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook$Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook$Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook$Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook$Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook$Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook$\Accounts$\Software\Microsoft\Internet Account Manager\Accounts

                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: _free$___from_strstr_to_strchr
                  • String ID:

                  APIs
                  • GetModuleHandleExW.KERNEL32(00000006,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0044E899
                  • GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0044E8BD
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: Module$FileHandleName
                  • String ID: (Press Retry to debug the application - JIT must be enabled)$...$<program name unknown>$Assertion failed!$Expression: $File: $For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts$Line: $Program: $\

                  APIs
                    • Part of subcall function 00433D53: lstrlenW.KERNEL32(?,?,004345A9), ref: 00433D77
                    • Part of subcall function 00433D53: lstrcpyW.KERNEL32 ref: 00433D8E
                    • Part of subcall function 00433D53: CoTaskMemFree.OLE32(?,?,004345A9), ref: 00433D97
                  • lstrcmpiW.KERNEL32(00000000,identification,00000000), ref: 004345C1
                  • lstrcmpiW.KERNEL32(?,identitymgr), ref: 004345CF
                  • lstrcmpiW.KERNEL32(00000000,inetcomm server passwords), ref: 004345EF
                  • lstrcmpiW.KERNEL32(00000000,outlook account manager passwords), ref: 004345FB
                  • lstrcmpiW.KERNEL32(00000000,identities), ref: 00434607
                  • CoTaskMemFree.OLE32(?), ref: 0043463D
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: lstrcmpi$FreeTask$lstrcpylstrlen
                  • String ID: identification$identities$identitymgr$inetcomm server passwords$outlook account manager passwords

                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: _free
                  • String ID:

                  APIs
                  • _strcat.LIBCMT ref: 0041AB9C
                  • wsprintfA.USER32 ref: 0041ABF6
                  • wsprintfA.USER32 ref: 0041AC17
                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000010,00000000), ref: 0041AC46
                  • WriteFile.KERNEL32(?,?,00000000,000000FF,00000000), ref: 0041ACB8
                  • SetFileTime.KERNEL32(?,?,?,?), ref: 0041ACF2
                  • CloseHandle.KERNEL32(?), ref: 0041AD02
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: File$wsprintf$CloseCreateHandleTimeWrite_strcat
                  • String ID: %s%s$%s%s%s$:

                  APIs
                  • GetFileInformationByHandle.KERNEL32(?,?), ref: 0043CC09
                  • GetFileSize.KERNEL32(?,00000000,?,?), ref: 0043CC89
                  • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 0043CCA0
                  • ReadFile.KERNEL32(?,?,00000002,?,00000000,?,?), ref: 0043CCB3
                  • SetFilePointer.KERNEL32(?,00000024,00000000,00000000,?,?), ref: 0043CCC0
                  • ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?), ref: 0043CCD3
                  • SetFilePointer.KERNEL32(?,?,00000000,00000000,?,?), ref: 0043CCF4
                  • ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?), ref: 0043CD07
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: File$PointerRead$HandleInformationSize
                  • String ID:

                  APIs
                  • lstrlenW.KERNEL32(?,?,?,?), ref: 00424206
                  • lstrlenW.KERNEL32(?,?,?,?,?), ref: 00424213
                  • StrCmpNW.SHLWAPI(?,DPAPI: ,00000007,?,?,?,?), ref: 0042422D
                  • StrCmpNW.SHLWAPI(?,Microsoft_WinInet_,00000012,?,DPAPI: ,00000007,?,?,?,?), ref: 0042423E
                  • StrCmpNW.SHLWAPI(?,ftp://,00000006,?,Microsoft_WinInet_,00000012,?,DPAPI: ,00000007,?,?,?,?), ref: 0042424F
                  • lstrlenW.KERNEL32(?,?,ftp://,00000006,?,Microsoft_WinInet_,00000012,?,DPAPI: ,00000007,?,?,?,?), ref: 00424283
                  • lstrlenW.KERNEL32(?,?,?,ftp://,00000006,?,Microsoft_WinInet_,00000012,?,DPAPI: ,00000007,?,?,?,?), ref: 004242B4
                    • Part of subcall function 0040DC35: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0040DC63
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: lstrlen$Ios_base_dtorstd::ios_base::_
                  • String ID: DPAPI: $Microsoft_WinInet_$ftp://

                  APIs
                  • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00434348
                  • RegEnumKeyExW.ADVAPI32 ref: 00434373
                  • lstrlenW.KERNEL32(?), ref: 0043438A
                  • lstrlenW.KERNEL32(?), ref: 00434397
                  • lstrcpyW.KERNEL32 ref: 004343B8
                  • lstrcatW.KERNEL32(00000000,0047E094), ref: 004343C4
                  • lstrcatW.KERNEL32(00000000,?), ref: 004343D2
                  • lstrcatW.KERNEL32(00000000,?), ref: 004343DE
                  • RegEnumKeyExW.ADVAPI32 ref: 00434418
                  • RegCloseKey.ADVAPI32(?), ref: 0043442D
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: lstrcat$Enumlstrlen$CloseOpenlstrcpy
                  • String ID:

                  APIs
                  • wsprintfA.USER32 ref: 0043448B
                  • lstrlenW.KERNEL32(00000010), ref: 0043449B
                    • Part of subcall function 00434D17: lstrlenA.KERNEL32(?,?,73B769A0,?,?), ref: 00434D48
                    • Part of subcall function 00434D17: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000000,00000000,00000000,00000000,00000000,?,73B769A0,?,?), ref: 00434D67
                    • Part of subcall function 00434D17: lstrcpyA.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,73B769A0,?,?), ref: 00434D8A
                    • Part of subcall function 00434D17: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000000,00000000,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,73B769A0), ref: 00434DB6
                  • lstrlenA.KERNEL32(00000000), ref: 004344B7
                    • Part of subcall function 00434DD4: lstrlenA.KERNEL32(?,?,?,?,?,?,?,0042427B,00000001,?,ftp://,00000006,?,Microsoft_WinInet_,00000012), ref: 00434DF9
                    • Part of subcall function 00434DD4: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,?,?,0042427B,00000001,?,ftp://,00000006,?,Microsoft_WinInet_,00000012), ref: 00434E20
                  • lstrlenA.KERNEL32(?), ref: 004344CE
                  • lstrlenA.KERNEL32(00000000), ref: 004344E5
                  • lstrlenW.KERNEL32(00000000), ref: 004344F8
                  • lstrlenA.KERNEL32(0047E0E8), ref: 0043450C
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: lstrlen$ByteCharMultiWidelstrcpy$wsprintf
                  • String ID: SUBTYPE GUID="$" NAME="${%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
                  • API String ID: 130686893-594057230
                  • Opcode ID: 1dab152b7f1adbe0fac423fde0a61fa07b7001e5ed347014d6b3764d91ab053a
                  • Instruction ID: ec6508744c286dd52854d6fc500fb815f13e2146b3d63bc7740fe233e7951491
                  • Opcode Fuzzy Hash: 1dab152b7f1adbe0fac423fde0a61fa07b7001e5ed347014d6b3764d91ab053a
                  • Instruction Fuzzy Hash: 6331C7B55041546FCB21AB6A9C809FFBBED9F8C310B14845BF6D9C3281DA7CE9009B65
                  Uniqueness

                  Uniqueness Score: -1.00%
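
The record above pairs wsprintfA with the format `{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}` and the literals `SUBTYPE GUID="` and `" NAME="`, i.e. a binary GUID being rendered into brace form inside an attribute pair. The following is an added example, not code from the report or from the sample, that reproduces that mapping so an analyst can convert between the 16-byte GUID struct seen in the memory dump and the string the sample emits. It assumes the standard Win32 GUID layout (Data1 as a little-endian DWORD, Data2/Data3 as little-endian WORDs, Data4 as eight raw bytes); the order in which the three literals are joined is also an assumption, since the record lists them but does not show the concatenation.

```python
"""Render/parse a GUID the way the sample's wsprintfA call at 0043448B does.
Added example for this report, not code from the sample."""
import re
import struct

# Format string recovered from the function record; it takes 11 arguments:
# Data1 (DWORD), Data2 and Data3 (WORDs), then the eight Data4 bytes.
GUID_FMT = "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}"
GUID_RE = re.compile(
    r"^\{([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-"
    r"([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})\}$"
)


def guid_struct_to_string(raw: bytes) -> str:
    """16-byte in-memory GUID -> brace string as wsprintfA would print it.

    Assumes the standard Win32 layout: Data1/Data2/Data3 are little-endian
    integers and Data4 is eight raw bytes, so the string is NOT a plain hex
    dump of the bytes (the first three fields come out byte-swapped)."""
    if len(raw) != 16:
        raise ValueError("GUID struct must be exactly 16 bytes")
    data1, data2, data3 = struct.unpack_from("<IHH", raw, 0)
    return GUID_FMT % (data1, data2, data3, *raw[8:16])


def guid_string_to_struct(text: str) -> bytes:
    """Inverse: brace string -> the 16 bytes to search for in a memory dump."""
    m = GUID_RE.match(text.strip())
    if not m:
        raise ValueError("not a brace GUID: %r" % text)
    data1, data2, data3, d4_head, d4_tail = (int(g, 16) for g in m.groups())
    return (struct.pack("<IHH", data1, data2, data3)
            + d4_head.to_bytes(2, "big") + d4_tail.to_bytes(6, "big"))


def subtype_fragment(raw: bytes, name: str) -> str:
    """Join the GUID with the two literals found beside the format string.

    The ordering SUBTYPE GUID="..." NAME="..." is an assumption: the record
    shows the three strings in one function, not how they are joined."""
    return 'SUBTYPE GUID="%s" NAME="%s"' % (guid_struct_to_string(raw), name)


if __name__ == "__main__":
    # Constructed input: the struct bytes for {00112233-4455-6677-8899-AABBCCDDEEFF}.
    sample = bytes.fromhex("33221100554477668899AABBCCDDEEFF")
    print(guid_struct_to_string(sample))  # {00112233-4455-6677-8899-AABBCCDDEEFF}
    print(subtype_fragment(sample, "example"))
```

When hunting for a GUID in the dump, search for the bytes returned by `guid_string_to_struct`, not for the ASCII of the brace string: the struct form is what sits in memory before this function formats it.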

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: _strlen
                  • String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
                  • API String ID: 4218353326-51310709
                  • Opcode ID: c956e2c667dab141d95f5c569a42b0d7cff511139f95c49f4c751871719b9cdc
                  • Instruction ID: ee246df4950662393981a60776152d131a6d0e2992517726c757e4566b3898f2
                  • Opcode Fuzzy Hash: c956e2c667dab141d95f5c569a42b0d7cff511139f95c49f4c751871719b9cdc
                  • Instruction Fuzzy Hash: 8D114F16248B1234B5296137BC43FAB97885E0A734F38156FE408749C3EE9DB546426D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: api-ms-$ext-ms-
                  • API String ID: 0-537541572
                  • Opcode ID: c24ff15a6e940031e93de70274f33fec7e4f58ef19c1fa903223bad470c73441
                  • Instruction ID: 7b4e2d923f192af0fb717d5e812078e0a7dd1245f90383e931d50bbb40c24041
                  • Opcode Fuzzy Hash: c24ff15a6e940031e93de70274f33fec7e4f58ef19c1fa903223bad470c73441
                  • Instruction Fuzzy Hash: 79210871A01214BBCB214B648C40A6B3758AB01762F21057BEC56B7393EE78ED09C5ED
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00434279
                  • lstrlenW.KERNEL32(?), ref: 0043429F
                  • lstrcpyW.KERNEL32 ref: 004342BC
                  • lstrcatW.KERNEL32(00000000,0047E094), ref: 004342C8
                  • lstrcatW.KERNEL32(00000000,?), ref: 004342D6
                  • RegEnumKeyExW.ADVAPI32 ref: 0043430A
                  • RegCloseKey.ADVAPI32(?), ref: 00434317
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: lstrcat$CloseEnumOpenlstrcpylstrlen
                  • String ID:
                  • API String ID: 2943937744-0
                  • Opcode ID: 52936945e0e3e010b34dfc360d1b2b4d16965a16465c9f72b3839c2e0fc0c95d
                  • Instruction ID: aaec0f7c92eb7ca899ae2b4798c6a9e0e8e5427e27878ead3c00f99c6116ae7d
                  • Opcode Fuzzy Hash: 52936945e0e3e010b34dfc360d1b2b4d16965a16465c9f72b3839c2e0fc0c95d
                  • Instruction Fuzzy Hash: E3215E75501128FFEB119B91ED89DEF7B7CEF09354F0040A6F949E2111E6746A408AA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • std::bad_exception::bad_exception.LIBCMT ref: 0041E61C
                  • std::bad_exception::bad_exception.LIBCMT ref: 0041E62C
                  • std::bad_exception::bad_exception.LIBCMT ref: 0041E63C
                  • std::bad_exception::bad_exception.LIBCMT ref: 0041E65F
                  Strings
                  • false, xrefs: 0041E605
                  • C:\Users\a13xuiop1337\Desktop\_Work\rc-build-v1-exe\json.hpp, xrefs: 0041E600
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: std::bad_exception::bad_exception
                  • String ID: C:\Users\a13xuiop1337\Desktop\_Work\rc-build-v1-exe\json.hpp$false
                  • API String ID: 2160870905-989211897
                  • Opcode ID: ef89b56b5c2c621f10d0fa8346ab4223338adc51df888fd0cd163c671d99d9e5
                  • Instruction ID: c6bf861c258c7d696936c29a821bf65107a9108853038034dd4ee1e2b1c0f5e2
                  • Opcode Fuzzy Hash: ef89b56b5c2c621f10d0fa8346ab4223338adc51df888fd0cd163c671d99d9e5
                  • Instruction Fuzzy Hash: 79115939940304E9CB0AF76BCC5AFEF77206B21708FE4810FB912225C2866DA48EC35D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • std::_Lockit::_Lockit.LIBCPMT ref: 004087F3
                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00408830
                    • Part of subcall function 0043EBA4: _Yarn.LIBCPMT ref: 0043EBC3
                    • Part of subcall function 0043EBA4: _Yarn.LIBCPMT ref: 0043EBE7
                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00408871
                  • std::_Lockit::~_Lockit.LIBCPMT ref: 004088E2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: std::_$Locinfo::_LockitYarn$Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                  • String ID: bad locale name
                  • API String ID: 2090653598-1405518554
                  • Opcode ID: de5132a7eaae374e1a3d12d55bf334ee086e3dc7ad8e22a7cf09d83aafd45d39
                  • Instruction ID: 87e005f7945419031a688270a08144a9b105f1be1d84d9c416ea2eca4d760a3d
                  • Opcode Fuzzy Hash: de5132a7eaae374e1a3d12d55bf334ee086e3dc7ad8e22a7cf09d83aafd45d39
                  • Instruction Fuzzy Hash: 77318D72405B40DFD735AF1AD94161BFBF0FF48714B508A3FE09A92A91DB38A501CB59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CoCreateInstance.OLE32(0046C990,00000000,00000015,0046C9B0,?), ref: 004248AA
                  • StrStrIW.SHLWAPI(?,0047D774), ref: 004248FB
                  • CoTaskMemFree.OLE32(?), ref: 00424919
                  • CoTaskMemFree.OLE32(?), ref: 00424927
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: FreeTask$CreateInstance
                  • String ID: (
                  • API String ID: 2903366249-3887548279
                  • Opcode ID: 9ae798e4799b60fd1db3eef6985ff4473c5b80904585ea00c0eeb34dc52b9fc8
                  • Instruction ID: 24f00eef687ba5138ea879cf40e2debaa4f2dc950c0f436f247f0e9733d122f3
                  • Opcode Fuzzy Hash: 9ae798e4799b60fd1db3eef6985ff4473c5b80904585ea00c0eeb34dc52b9fc8
                  • Instruction Fuzzy Hash: A6216BB4B00219EFCB00DFA9E884DAEBBB9FF88304B10816AF415E7250DB749D44CB14
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00438311
                  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0043839A
                  • CloseHandle.KERNEL32(?), ref: 004383A3
                  • CloseHandle.KERNEL32(?), ref: 004383AC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: CloseHandle$CreateFileModuleNameProcess
                  • String ID: }
                  • API String ID: 2820832629-4239843852
                  • Opcode ID: a95f857867c024fe12d5f9bc77beb9b5a2e93a26fa801f37393e1504205b9c08
                  • Instruction ID: 821987a074e432ce89c5bdadd29389cf4a4780c2a8611662982d04eb9a828cb3
                  • Opcode Fuzzy Hash: a95f857867c024fe12d5f9bc77beb9b5a2e93a26fa801f37393e1504205b9c08
                  • Instruction Fuzzy Hash: DC219572D0024CBBEB019BE4DC81EEEB7BCEF58304F005166F645A1022F6715A89CB65
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • FreeLibrary.KERNEL32(00000000,?,?,?,0044448F,?,?,0048CADC,00000000,?,004445BA,00000004,InitializeCriticalSectionEx,004707A0,004707A8,00000000), ref: 0044445E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: FreeLibrary
                  • String ID: api-ms-
                  • API String ID: 3664257935-2084034818
                  • Opcode ID: 1c44fd20675b147f31c24609f98dd2ee3b2a0615068dc53139f9e684acf6e00a
                  • Instruction ID: 5c96f3b6ebe8230dec842e0fc8c737702ccca032f21c81a2f141c520b7981c3a
                  • Opcode Fuzzy Hash: 1c44fd20675b147f31c24609f98dd2ee3b2a0615068dc53139f9e684acf6e00a
                  • Instruction Fuzzy Hash: E7118A31A01621ABEF214BA89C8576A37949F81775F150163ED55E7380D778FD008ADE
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,004469C8,00411508,?,00446990,000000FF,?,00411508), ref: 004469E8
                  • GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,004469C8,00411508,?,00446990,000000FF,?,00411508), ref: 004469FB
                  • FreeLibrary.KERNEL32(00000000,?,?,004469C8,00411508,?,00446990,000000FF,?,00411508), ref: 00446A1E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: AddressFreeHandleLibraryModuleProc
                  • String ID: CorExitProcess$mscoree.dll
                  • API String ID: 4061214504-1276376045
                  • Opcode ID: 2c3558538c215dd9f86f34c1afb0b23672d7fe43918634b548c31de57e451036
                  • Instruction ID: 8c6c19b49ac2c37aec918b19046dfb20dc84b9c0fed29a42a55399f78a974c6a
                  • Opcode Fuzzy Hash: 2c3558538c215dd9f86f34c1afb0b23672d7fe43918634b548c31de57e451036
                  • Instruction Fuzzy Hash: 99F08930501614FBEB119B90DC49BDE7A65EB01755F104061E805B1250D7B48E00DE9A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • std::exception::exception.LIBCMT ref: 0041EB22
                    • Part of subcall function 0040822F: ___std_exception_copy.LIBVCRUNTIME ref: 0040824D
                  • std::exception::exception.LIBCMT ref: 0041EB3A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: std::exception::exception$___std_exception_copy
                  • String ID: prA$yA$yA
                  • API String ID: 3231571295-2720465497
                  • Opcode ID: da46a8181b937c30dd4f8f0e51116fb805ba04bfa415ec160d7c6c92507347f8
                  • Instruction ID: ec6e23af6ccf7664c8d9c56b340893f3e81d4de84d50ec6f95cbfa29bf545886
                  • Opcode Fuzzy Hash: da46a8181b937c30dd4f8f0e51116fb805ba04bfa415ec160d7c6c92507347f8
                  • Instruction Fuzzy Hash: 0BE04F722003046BC704EF56E8C18A6F7BCFA55724300856FE9548B341DBB4E9148BA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __alloca_probe_16.LIBCMT ref: 0045C82D
                  • __alloca_probe_16.LIBCMT ref: 0045C8F3
                  • __freea.LIBCMT ref: 0045C95F
                    • Part of subcall function 00458F7E: RtlAllocateHeap.NTDLL(00000000,0043E8E3,00000000,?,00440BCE,00000002,00000000,?,00488A38,?,00408226,0043E8E3,00000004,00000000,00000000,00000000), ref: 00458FB0
                  • __freea.LIBCMT ref: 0045C968
                  • __freea.LIBCMT ref: 0045C98B
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: __freea$__alloca_probe_16$AllocateHeap
                  • String ID:
                  • API String ID: 1423051803-0
                  • Opcode ID: 5c67c5c5b79460f4a99158f5e8ed08d47e9b27ab68c5c9d1e789bcd64ea14b9c
                  • Instruction ID: 44494f841a6b82cdf261ee49cdb7e9d1ca18d57e7194e33fae6b5e2d3ed46b1b
                  • Opcode Fuzzy Hash: 5c67c5c5b79460f4a99158f5e8ed08d47e9b27ab68c5c9d1e789bcd64ea14b9c
                  • Instruction Fuzzy Hash: B451F5B2500306AFDB205F658C81EBB36A9EF45756F15012FFC04A7252EB38DC49D6A9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetFileAttributesA.KERNEL32 ref: 0041AA2F
                  • CreateDirectoryA.KERNEL32(?,00000000), ref: 0041AA3D
                  • _strcat.LIBCMT ref: 0041AAA3
                  • GetFileAttributesA.KERNEL32(00000000), ref: 0041AAC0
                  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0041AAD4
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: AttributesCreateDirectoryFile$_strcat
                  • String ID:
                  • API String ID: 2481838186-0
                  • Opcode ID: 442e2358c6721c62c0c68270a6cd9c3f138e99689ee9d23d8d655599549cb27b
                  • Instruction ID: 15091bae0bebc3946bb6fef06d222c554a12eecf39b9940ba3e6610770e5b157
                  • Opcode Fuzzy Hash: 442e2358c6721c62c0c68270a6cd9c3f138e99689ee9d23d8d655599549cb27b
                  • Instruction Fuzzy Hash: 10115C315013141BCB208668AD88BEB776C9F56750F1402A7F59593282E7B84EC5CA6E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • std::_Lockit::_Lockit.LIBCPMT ref: 0041090A
                  • int.LIBCPMT ref: 00410921
                    • Part of subcall function 004088FA: std::_Lockit::_Lockit.LIBCPMT ref: 0040890B
                    • Part of subcall function 004088FA: std::_Lockit::~_Lockit.LIBCPMT ref: 00408925
                  • std::_Facet_Register.LIBCPMT ref: 0041095B
                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00410971
                  • Concurrency::cancel_current_task.LIBCPMT ref: 00410986
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                  • String ID:
                  • API String ID: 2081738530-0
                  • Opcode ID: c351ded7f4e078ef76c07818d910eb4836843ff1ff953ab370f7303febee7bf7
                  • Instruction ID: 6d22768f98c64963358f3feae5ac68b0450f03d093439e050af7d9d66572369d
                  • Opcode Fuzzy Hash: c351ded7f4e078ef76c07818d910eb4836843ff1ff953ab370f7303febee7bf7
                  • Instruction Fuzzy Hash: 5A1125B29112249BCB14EB95D915AEE7764EF44324F10051FF451B73C1DF789D40C798
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 00456FBB: GetLastError.KERNEL32(?,?,?,00451DA6,004859E0,00000008,0043E236,?,004117CC,?,7FFFFFFF,?,00000000,00411508), ref: 00456FC0
                    • Part of subcall function 00456FBB: SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,?,00451DA6,004859E0,00000008,0043E236,?,004117CC,?,7FFFFFFF,?,00000000), ref: 0045705E
                  • _free.LIBCMT ref: 00452461
                  • _free.LIBCMT ref: 0045248F
                  • _free.LIBCMT ref: 004524D7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: _free$ErrorLast
                  • String ID: %E
                  • API String ID: 3291180501-175436132
                  • Opcode ID: 7acae16938f6fbacdb7a8c5fbf71477d90f7c08512396147a0060b55b39c3402
                  • Instruction ID: 02fe08ec3681c9f4536e164697278f378bc1bc761039757167234fb0ccecf915
                  • Opcode Fuzzy Hash: 7acae16938f6fbacdb7a8c5fbf71477d90f7c08512396147a0060b55b39c3402
                  • Instruction Fuzzy Hash: E341AE31604205AFDB24CF5CCD81A6AB3F9EF4A315B24056FE805D7392EB75EC189B54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • std::system_error::system_error.LIBCPMT ref: 00408C57
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: std::system_error::system_error
                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                  • API String ID: 2416138045-1866435925
                  • Opcode ID: ad4e5a60375189c5b23f10bbe3162270d93e9acee5983faafc3d2dc7209ab615
                  • Instruction ID: 75d62ed49fd1f0b0523a358eccdc5545b9690aa12aa77f5b7cae35b38ebfcb80
                  • Opcode Fuzzy Hash: ad4e5a60375189c5b23f10bbe3162270d93e9acee5983faafc3d2dc7209ab615
                  • Instruction Fuzzy Hash: 3701F7729052086BDB14AA54CD02BEA77A89B04354F54803FFEC9BB1C2DE7D9D4287AC
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • _free.LIBCMT ref: 004666CE
                  • _free.LIBCMT ref: 004666F7
                  • SetEndOfFile.KERNEL32(00000000,00463ECC,00000000,0045A6C9,?,?,?,?,?,?,?,00463ECC,0045A6C9,00000000), ref: 00466729
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,00463ECC,0045A6C9,00000000,?,?,?,?,00000000), ref: 00466745
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: _free$ErrorFileLast
                  • String ID:
                  • API String ID: 1547350101-0
                  • Opcode ID: e58e2d7b40de3064f3440ae61ddf64ff44367563b9c0def11f9c4b6a60d99448
                  • Instruction ID: 857fc7efa1643ca3efe2173e0335ea54e373308c5993cbb9d8db0241aad402e6
                  • Opcode Fuzzy Hash: e58e2d7b40de3064f3440ae61ddf64ff44367563b9c0def11f9c4b6a60d99448
                  • Instruction Fuzzy Hash: C141FA325006019BDB11AFBADC42A9E7765EF44369F16011BF914E7292FB3CD844876E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000), ref: 00412891
                  • CopyFileTransactedA.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000), ref: 004128B7
                  • CommitTransaction.KTMW32(00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 004128C2
                  • RollbackTransaction.KTMW32(00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 004128CA
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: Transaction$CommitCopyCreateFileRollbackTransacted
                  • String ID:
                  • API String ID: 2868256026-0
                  • Opcode ID: 960f22376e5add92b8441b4299c7749014b695dfabf9c0f682a0adbb781a3c76
                  • Instruction ID: 7b6295c7f8b82d28b203b980784666d5f54b83a90212c8b54da377198da4f514
                  • Opcode Fuzzy Hash: 960f22376e5add92b8441b4299c7749014b695dfabf9c0f682a0adbb781a3c76
                  • Instruction Fuzzy Hash: 70F0A471210114BFF7146A689E88DB7366CDB4A3707100722FD25D22D0E7E49CD187BA
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000), ref: 004128F1
                  • CreateDirectoryTransactedA.KERNEL32 ref: 0041290A
                  • CommitTransaction.KTMW32(00000000,?,00000000,00000000), ref: 00412915
                  • RollbackTransaction.KTMW32(00000000,?,00000000,00000000), ref: 0041291D
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: Transaction$Create$CommitDirectoryRollbackTransacted
                  • String ID:
                  • API String ID: 629542334-0
                  • Opcode ID: 241a8682b4aee2f6670cb3c1aa15cac357cf68a0c6136eb28f747a9eaf5189b5
                  • Instruction ID: 60223e21ec84160e2ff7a732262b03939d82321b1a0b4789536cbd45651bdff3
                  • Opcode Fuzzy Hash: 241a8682b4aee2f6670cb3c1aa15cac357cf68a0c6136eb28f747a9eaf5189b5
                  • Instruction Fuzzy Hash: 85F0BBB1210114BFE61027695DCCDB7375CD7467B4B100222F562D21D0E6E09C9186B9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,?,00000000,?,?,?,?,?), ref: 0040A0B0
                  • DeleteFileTransactedA.KERNEL32(?,00000000), ref: 0040A0C7
                  • CommitTransaction.KTMW32(00000000,?,00000000,?,?,?,?,?), ref: 0040A0D2
                  • RollbackTransaction.KTMW32(00000000,?,00000000,?,?,?,?,?), ref: 0040A0DA
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: Transaction$CommitCreateDeleteFileRollbackTransacted
                  • String ID:
                  • API String ID: 3802493581-0
                  • Opcode ID: e9202e9ac5576d4b96ad9f69ee15c6621fcf12c4ef66c3ff4f06941274b7f67c
                  • Instruction ID: 85eb220867b59e98ab7c206fdefa415f75f9c88bfc8c9881e1848566e75372c7
                  • Opcode Fuzzy Hash: e9202e9ac5576d4b96ad9f69ee15c6621fcf12c4ef66c3ff4f06941274b7f67c
                  • Instruction Fuzzy Hash: B7F0BE72200204BFE6205B699C4CC7B366CDB86B707104636FC62E22D0E6B1AC41867B
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000), ref: 004268F4
                  • RemoveDirectoryTransactedA.KERNEL32 ref: 0042690B
                  • CommitTransaction.KTMW32(00000000,?,00000000), ref: 00426916
                  • RollbackTransaction.KTMW32(00000000,?,00000000), ref: 0042691E
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: Transaction$CommitCreateDirectoryRemoveRollbackTransacted
                  • String ID:
                  • API String ID: 1201024725-0
                  • Opcode ID: 66f09594c4ce7f5b06aed701061c675555fb2da6a6e71a781ecab2431f40b099
                  • Instruction ID: cb0eacf5aea81900fa3a2b5e961708e741142819201c528b4b150ffbb3dee8df
                  • Opcode Fuzzy Hash: 66f09594c4ce7f5b06aed701061c675555fb2da6a6e71a781ecab2431f40b099
                  • Instruction Fuzzy Hash: 89F054B1200120FFE6101775BC4CD77366CDB46770751072AF962D22D0EEB59D81867A
                  Uniqueness

                  Uniqueness Score: -1.00%
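
The four records above (at 00412891, 004128F1, 0040A0B0 and 004268F4) share one shape: CreateTransaction, one of the *TransactedA file APIs, then CommitTransaction or RollbackTransaction. Together with the earlier records (CreateProcessA with dwCreationFlags 08000000, RegOpenKeyExW on 80000001 with access 00020019, and the GDI+ encoder lookup for image/jpeg), they are the pivots an analyst pulls out of an export like this. The following is an added example, not part of the Joe Sandbox report or the sample, that parses the "APIs" bullet lines in the format shown on this page, tags each record with those behaviour clusters, and decodes the literal argument columns into the Win32 constants they hold. The cluster names are this example's own; the embedded sample text is copied from records in this section.

```python
"""Triage helper for Joe Sandbox function records (added example for this
report; not part of the report or the sample).  It parses the "APIs" bullet
lines of the export format used on this page, normalises each call to
(name, module, args, ref) and tags records with behaviour clusters.
SAMPLE is copied from records in this section; cluster names are ours."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

BULLET = "\u2022"  # the "•" used by the export
API_LINE = re.compile(
    r"^\s*" + BULLET + r"\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_:~@$][\w:~@$]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)
# Documented Win32 values decoded from the argument columns.
HKEY_CURRENT_USER = 0x80000001
KEY_READ = 0x20019
CREATE_NO_WINDOW = 0x08000000


@dataclass
class Call:
    name: str
    module: str
    args: List[str]
    ref: Optional[str]
    subcall: bool  # "Part of subcall function" lines belong to a callee


@dataclass
class Record:
    calls: List[Call] = field(default_factory=list)

    def names(self, include_subcalls: bool = False) -> Set[str]:
        return {c.name for c in self.calls if include_subcalls or not c.subcall}


def parse_records(text: str) -> List[Record]:
    """A record opens at an 'APIs' header and closes at the next non-bullet line."""
    records: List[Record] = []
    current: Optional[Record] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = Record()
            records.append(current)
            continue
        if current is None or not stripped:
            continue
        m = API_LINE.match(line)
        if m:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw is not None else []
            current.calls.append(Call(m.group("name"), m.group("module"), args,
                                      m.group("ref"), m.group("sub") is not None))
        elif not stripped.startswith(BULLET):
            current = None  # "Strings", "Memory Dump Source", ... end the list
    return [r for r in records if r.calls]


def hex_arg(arg: str) -> Optional[int]:
    """Literal hex column -> int; '?' and symbolic arguments give None."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", arg) else None


def classify(rec: Record) -> Set[str]:
    names, tags = rec.names(), set()
    # KTM shape: CreateTransaction + a *Transacted* file API + Commit/Rollback.
    if ("CreateTransaction" in names and any("Transacted" in n for n in names)
            and names & {"CommitTransaction", "RollbackTransaction"}):
        tags.add("ktm_transacted_file_op")
    if {"GdipGetImageEncodersSize", "GdipGetImageEncoders"} <= names:
        tags.add("gdiplus_encoder_lookup")
    if {"RegOpenKeyExW", "RegEnumKeyExW"} <= names:
        tags.add("registry_subkey_enum")
    if {"GetModuleFileNameA", "CreateProcessA"} <= names:
        tags.add("self_relaunch")
    return tags


def decode_hints(rec: Record) -> List[str]:
    """Turn literal argument columns into the constants they encode."""
    hints = []
    for c in rec.calls:
        if c.name == "CreateProcessA" and len(c.args) >= 6:
            flags = hex_arg(c.args[5])  # dwCreationFlags is the 6th parameter
            if flags is not None and flags & CREATE_NO_WINDOW:
                hints.append("CreateProcessA dwCreationFlags=0x%08X includes CREATE_NO_WINDOW" % flags)
        if c.name == "RegOpenKeyExW" and len(c.args) >= 4:
            if hex_arg(c.args[0]) == HKEY_CURRENT_USER:
                sam = "KEY_READ" if hex_arg(c.args[3]) == KEY_READ else c.args[3]
                hints.append("RegOpenKeyExW hKey=HKEY_CURRENT_USER samDesired=" + sam)
    return hints


def triage(text: str) -> List[Dict[str, object]]:
    return [{"tags": classify(r), "hints": decode_hints(r), "calls": len(r.calls)}
            for r in parse_records(text)]


SAMPLE = """APIs
• CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000), ref: 00412891
• CopyFileTransactedA.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000), ref: 004128B7
• CommitTransaction.KTMW32(00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 004128C2
• RollbackTransaction.KTMW32(00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 004128CA
Memory Dump Source
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00438311
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0043839A
• CloseHandle.KERNEL32(?), ref: 004383A3
Strings
APIs
• RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00434279
• lstrcpyW.KERNEL32 ref: 004342BC
• RegEnumKeyExW.ADVAPI32 ref: 0043430A
• RegCloseKey.ADVAPI32(?), ref: 00434317
Memory Dump Source
APIs
• GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 0042664B
• GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 00426670
Strings
APIs
  • Part of subcall function 00456FBB: GetLastError.KERNEL32(?,?,?,00451DA6), ref: 00456FC0
  • Part of subcall function 00456FBB: SetLastError.KERNEL32(00000000,00000008), ref: 0045705E
• _free.LIBCMT ref: 00452461
• _free.LIBCMT ref: 0045248F
Strings
"""

if __name__ == "__main__":
    for i, row in enumerate(triage(SAMPLE)):
        print(i, sorted(row["tags"]), row["hints"])
```

Sub-call lines are kept but excluded from `names()` by default, so a CRT wrapper is not tagged for the GetLastError/SetLastError of its callee; pass `include_subcalls=True` when the callee's behaviour is what matters. Only literal hex columns are decoded; a `?` column means the analyzer could not resolve the value and the hint is left out rather than guessed.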

                  APIs
                  • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0046320F,00000000,00000001,00000000,00000000,?,0045775B,00000000,UD,00000000), ref: 00466512
                  • GetLastError.KERNEL32(?,0046320F,00000000,00000001,00000000,00000000,?,0045775B,00000000,UD,00000000,00000000,00000000,?,00457CAF,00000000), ref: 0046651E
                    • Part of subcall function 004664E4: CloseHandle.KERNEL32(FFFFFFFE,0046652E,?,0046320F,00000000,00000001,00000000,00000000,?,0045775B,00000000,UD,00000000,00000000,00000000), ref: 004664F4
                  • ___initconout.LIBCMT ref: 0046652E
                    • Part of subcall function 004664A6: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004664D5,004631FC,00000000,?,0045775B,00000000,UD,00000000,00000000), ref: 004664B9
                  • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,0046320F,00000000,00000001,00000000,00000000,?,0045775B,00000000,UD,00000000,00000000), ref: 00466543
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                  • String ID:
                  • API String ID: 2744216297-0
                  • Opcode ID: d2a14a4d4d8a0431a7d46cfe457be35950f5a935016e106225a78b7c3e638dff
                  • Instruction ID: d45b7528bf61f478484cb5382485b2d49b0a4c1342dae0f0c93d10ed71a09509
                  • Opcode Fuzzy Hash: d2a14a4d4d8a0431a7d46cfe457be35950f5a935016e106225a78b7c3e638dff
                  • Instruction Fuzzy Hash: A2F03736401159BFCF222FD5DC4599E3F65FB053A0B014065FD19A5131EA3188209BDA
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • _free.LIBCMT ref: 0045492B
                    • Part of subcall function 00457DD3: HeapFree.KERNEL32(00000000,00000000,?,004611FB,?,00000000,?,00000002,?,0046149E,?,00000007,?,?,0046189F,?), ref: 00457DE9
                    • Part of subcall function 00457DD3: GetLastError.KERNEL32(?,?,004611FB,?,00000000,?,00000002,?,0046149E,?,00000007,?,?,0046189F,?,?), ref: 00457DFB
                  • _free.LIBCMT ref: 0045493E
                  • _free.LIBCMT ref: 0045494F
                  • _free.LIBCMT ref: 00454960
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: 6d43cf462c7248de8a2f84ee1856063457c67e7f7ca6af7158a675d217dd39b6
                  • Instruction ID: 5443628c95004d2d930962af89fca876671d0fd61e6e3de87ec52e593974efc8
                  • Opcode Fuzzy Hash: 6d43cf462c7248de8a2f84ee1856063457c67e7f7ca6af7158a675d217dd39b6
                  • Instruction Fuzzy Hash: F8E09AB1815220EA8A026F15FD8646F3B63AF48756301583FF81012673C77606799BEE
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __startOneArgErrorHandling.LIBCMT ref: 0045275D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: ErrorHandling__start
                  • String ID: pow
                  • API String ID: 3213639722-2276729525
                  • Opcode ID: 8e3672804adeb96ccf5e2a6ccfba9b9d8e2330130dd3d46d46006ac1d4f3f772
                  • Instruction ID: e38e1fc098b31678af74a663b23ec67be7d74bc63121764bd0204b53f0c03ddc
                  • Opcode Fuzzy Hash: 8e3672804adeb96ccf5e2a6ccfba9b9d8e2330130dd3d46d46006ac1d4f3f772
                  • Instruction Fuzzy Hash: 7F517C6190810286DB1ABB16CB0136F27A4DB41703F204D6FECC9413EBEA7C8DCD9A4E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 0042664B
                  • GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 00426670
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: EncodersGdipImage$Size
                  • String ID: image/jpeg
                  • API String ID: 864223233-3785015651
                  • Opcode ID: e67a0c0a116af0f35cd419b213894898307e8e58f0187972bd164122655cdc75
                  • Instruction ID: 3ea92ed3b3fa543dac2c2ae8fccdb9d0ebc88b5d6b754f768e7bf3d21e7ae0c0
                  • Opcode Fuzzy Hash: e67a0c0a116af0f35cd419b213894898307e8e58f0187972bd164122655cdc75
                  • Instruction Fuzzy Hash: CF11E776E00118EB8B01DF99AC8059EBBBAFE41320F61026FE810B2280C7755E458A58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • __EH_prolog2.LIBCMT ref: 00412433
                    • Part of subcall function 00442F03: KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,00000000,00488A38,?,0043E8F1,00000000,004854A8,?), ref: 00442F63
                  • ___std_fs_copy_file@12.LIBCPMT ref: 00412496
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: DispatcherExceptionH_prolog2User___std_fs_copy_file@12
                  • String ID: copy
                  • API String ID: 3104767705-1304083330
                  • Opcode ID: 8fbe3ac2e0044531287dc307b7d545045b5e3f88a379b878d1ff47841e410b81
                  • Instruction ID: caa7d9e83a65a262913cce6972f752fc5e8db4d7c61c2d67bd4e065ce03ba636
                  • Opcode Fuzzy Hash: 8fbe3ac2e0044531287dc307b7d545045b5e3f88a379b878d1ff47841e410b81
                  • Instruction Fuzzy Hash: 5F01C471501219ABCB00EFA0CD41EDAB77DEF4971CF10809EF508AB142DAB5E985CBB4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • std::bad_exception::bad_exception.LIBCMT ref: 0043E91E
                    • Part of subcall function 0041711B: std::exception::exception.LIBCONCRT ref: 00417124
                    • Part of subcall function 00442F03: KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,00000000,00488A38,?,0043E8F1,00000000,004854A8,?), ref: 00442F63
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.674130643.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: DispatcherExceptionUserstd::bad_exception::bad_exceptionstd::exception::exception
                  • String ID: bad function call$h UH
                  • API String ID: 2128049600-643655919
                  • Opcode ID: 765b0cc63eccaf395495984de13f068987ef8c53791991121f4f5f33804ede0e
                  • Instruction ID: 645d73aa961675ead7089840f052e3470a1804717a9971b9b33a86a14cae7daa
                  • Opcode Fuzzy Hash: 765b0cc63eccaf395495984de13f068987ef8c53791991121f4f5f33804ede0e
                  • Instruction Fuzzy Hash: E4C01238C0110C77CB00B6B5E8578CCB73C6A04744BD04866B61096956E7B8A6188799
                  Uniqueness

                  Uniqueness Score: -1.00%