Play interactive tour

Edit tour

Windows Analysis Report yjOapKcgE1

Overview

General Information

Sample Name:	yjOapKcgE1 (renamed file extension from none to exe)
Analysis ID:	492525
MD5:	1d46afb839b846ede01cb925470f0488
SHA1:	8cffc99cda16d5d6b5192c62fefae6c0ac89b33d
SHA256:	d158534622b057b387a617ebe2931fef6d5c7d386b6dfbeb652c4781846f87c1
Tags:	exeTroldesh
Infos:
Most interesting Screenshot:

Detection

CryptOne Shade

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Shade Ransomware

Multi AV Scanner detection for submitted file

Antivirus / Scanner detection for submitted sample

Detected CryptOne packer

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Found Tor onion address

Contains functionalty to change the wallpaper

May use the Tor software to hide its network traffic

Deletes shadow drive data (may be related to ransomware)

Drops PE files with benign system names

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Antivirus or Machine Learning detection for unpacked file

Drops PE files to the application program directory (C:\ProgramData)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Abnormal high CPU Usage

Creates a DirectInput object (often for capturing keystrokes)

Is looking for software installed on the system

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Detected TCP or UDP traffic on non-standard ports

Contains functionality to launch a program with higher privileges

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

yjOapKcgE1.exe (PID: 6320 cmdline: 'C:\Users\user\Desktop\yjOapKcgE1.exe' MD5: 1D46AFB839B846EDE01CB925470F0488)

csrss.exe (PID: 5888 cmdline: 'C:\ProgramData\Windows\csrss.exe' MD5: 1D46AFB839B846EDE01CB925470F0488)

csrss.exe (PID: 5636 cmdline: 'C:\ProgramData\Windows\csrss.exe' MD5: 1D46AFB839B846EDE01CB925470F0488)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: csrss.exe PID: 5636	JoeSecurity_Shade	Yara detected Shade Ransomware	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: yjOapKcgE1.exe	Virustotal: Detection: 67%	Perma Link
Source: yjOapKcgE1.exe	Metadefender: Detection: 68%	Perma Link
Source: yjOapKcgE1.exe	ReversingLabs: Detection: 86%

Antivirus / Scanner detection for submitted sample

Show sources

Source: yjOapKcgE1.exe

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\ProgramData\Windows\csrss.exe

Avira: detection malicious, Label: TR/Crypt.XPACK.Gen2

Multi AV Scanner detection for dropped file

Show sources

Source: C:\ProgramData\Windows\csrss.exe	Virustotal: Detection: 67%	Perma Link
Source: C:\ProgramData\Windows\csrss.exe	Metadefender: Detection: 68%	Perma Link
Source: C:\ProgramData\Windows\csrss.exe	ReversingLabs: Detection: 86%

Source: 4.0.csrss.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 0.2.yjOapKcgE1.exe.400000.0.unpack	Avira: Label: TR/Crypt.FKM.Gen
Source: 4.2.csrss.exe.2480000.2.unpack	Avira: Label: TR/Crypt.FKM.Gen
Source: 2.2.csrss.exe.400000.0.unpack	Avira: Label: TR/Crypt.FKM.Gen
Source: 2.2.csrss.exe.2480000.2.unpack	Avira: Label: TR/Crypt.FKM.Gen
Source: 0.2.yjOapKcgE1.exe.2270000.2.unpack	Avira: Label: TR/Crypt.FKM.Gen
Source: 2.0.csrss.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 0.0.yjOapKcgE1.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 4.2.csrss.exe.400000.0.unpack	Avira: Label: TR/Crypt.FKM.Gen

Source: C:\ProgramData\Windows\csrss.exe

Code function: 2_2_00525289 CryptAcquireContextA,GetLastError,CryptGenRandom,

2_2_00525289

Source: yjOapKcgE1.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: yjOapKcgE1.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 193.23.244.244:443 -> 192.168.2.6:49776 version: TLS 1.2

Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_00416D6D _memset,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,		0_2_00416D6D
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_00416D6D _memset,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,		2_2_00416D6D

Source: C:\Users\user\Desktop\yjOapKcgE1.exe

Code function: 0_2_00416AEC _memset,_memset,GetLogicalDriveStringsW,GetSystemDirectoryW,GetDriveTypeW,GetDriveTypeW,

0_2_00416AEC

Networking:

Found Tor onion address

Show sources

Source: yjOapKcgE1.exe, 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp	String found in binary or memory: ExVersion4.0.0.1SOFTWARE\System32\Configuration\System32Windowscsrss.exeSOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystemcsrss.lnkClient Server Runtime Subsystemxpkxmodexstatexcntxwpxixsysxmailshstsh1sh2shsntxfsMicrosoft\Windows\User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0127.0.0.1:--ignore-missing-torrc--SOCKSPort--DataDirectory--bridgeWatcher: Walker: http://a4ad4ip2xzclh6fd.onionreg.phpprog.phperr.phpcmd.phpsys.phpshd.phpmail.php?&v=b=i=k=ss=e=c=f=si=sh=shb=sha=cp=st=fl=m=u=nocache=can not create dircan not copy filecan not add to autoruncan not save value (mark)std exception: unknown c++ exceptioninvalid parameter exceptionSEH exceptionSEHSTD: C++0x
Source: csrss.exe, 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp	String found in binary or memory: ExVersion4.0.0.1SOFTWARE\System32\Configuration\System32Windowscsrss.exeSOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystemcsrss.lnkClient Server Runtime Subsystemxpkxmodexstatexcntxwpxixsysxmailshstsh1sh2shsntxfsMicrosoft\Windows\User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0127.0.0.1:--ignore-missing-torrc--SOCKSPort--DataDirectory--bridgeWatcher: Walker: http://a4ad4ip2xzclh6fd.onionreg.phpprog.phperr.phpcmd.phpsys.phpshd.phpmail.php?&v=b=i=k=ss=e=c=f=si=sh=shb=sha=cp=st=fl=m=u=nocache=can not create dircan not copy filecan not add to autoruncan not save value (mark)std exception: unknown c++ exceptioninvalid parameter exceptionSEH exceptionSEHSTD: C++0x
Source: csrss.exe, 00000004.00000002.440528103.00000000005E5000.00000040.00000001.sdmp	String found in binary or memory: ExVersion4.0.0.1SOFTWARE\System32\Configuration\System32Windowscsrss.exeSOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystemcsrss.lnkClient Server Runtime Subsystemxpkxmodexstatexcntxwpxixsysxmailshstsh1sh2shsntxfsMicrosoft\Windows\User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0127.0.0.1:--ignore-missing-torrc--SOCKSPort--DataDirectory--bridgeWatcher: Walker: http://a4ad4ip2xzclh6fd.onionreg.phpprog.phperr.phpcmd.phpsys.phpshd.phpmail.php?&v=b=i=k=ss=e=c=f=si=sh=shb=sha=cp=st=fl=m=u=nocache=can not create dircan not copy filecan not add to autoruncan not save value (mark)std exception: unknown c++ exceptioninvalid parameter exceptionSEH exceptionSEHSTD: C++0x

Source: Joe Sandbox View

JA3 fingerprint: 1be3ecebe5aa9d3654e6e703d81f6928

Source: Joe Sandbox View

IP Address: 154.35.32.5 154.35.32.5

Source: global traffic

TCP traffic: 192.168.2.6:49777 -> 76.73.17.194:9090

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 193.23.244.244
Source: unknown	TCP traffic detected without corresponding DNS query: 193.23.244.244
Source: unknown	TCP traffic detected without corresponding DNS query: 193.23.244.244
Source: unknown	TCP traffic detected without corresponding DNS query: 193.23.244.244
Source: unknown	TCP traffic detected without corresponding DNS query: 193.23.244.244
Source: unknown	TCP traffic detected without corresponding DNS query: 193.23.244.244
Source: unknown	TCP traffic detected without corresponding DNS query: 193.23.244.244
Source: unknown	TCP traffic detected without corresponding DNS query: 193.23.244.244
Source: unknown	TCP traffic detected without corresponding DNS query: 76.73.17.194
Source: unknown	TCP traffic detected without corresponding DNS query: 76.73.17.194
Source: unknown	TCP traffic detected without corresponding DNS query: 76.73.17.194
Source: unknown	TCP traffic detected without corresponding DNS query: 154.35.32.5
Source: unknown	TCP traffic detected without corresponding DNS query: 154.35.32.5
Source: unknown	TCP traffic detected without corresponding DNS query: 154.35.32.5

Source: csrss.exe, 00000002.00000002.419372600.000000000298C000.00000004.00000001.sdmp, csrss.exe, 00000004.00000002.443512303.000000000298C000.00000004.00000001.sdmp	String found in binary or memory: ww.mit.edu,www.yahoo.com,www.slashdot.org equals www.yahoo.com (Yahoo)
Source: csrss.exe, 00000004.00000002.443512303.000000000298C000.00000004.00000001.sdmp	String found in binary or memory: ww.mit.edu,www.yahoo.com,www.slashdot.orgd1 equals www.yahoo.com (Yahoo)
Source: csrss.exe, 00000002.00000002.419372600.000000000298C000.00000004.00000001.sdmp	String found in binary or memory: ww.mit.edu,www.yahoo.com,www.slashdot.orgml equals www.yahoo.com (Yahoo)
Source: yjOapKcgE1.exe, csrss.exe, csrss.exe, 00000004.00000002.439611508.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: www.google.com,www.mit.edu,www.yahoo.com,www.slashdot.org equals www.yahoo.com (Yahoo)
Source: yjOapKcgE1.exe, 00000000.00000003.591659793.0000000003E4A000.00000004.00000001.sdmp, csrss.exe, 00000002.00000002.421233940.0000000003C01000.00000004.00000001.sdmp, csrss.exe, 00000004.00000002.444247411.0000000003E01000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.com equals www.yahoo.com (Yahoo)
Source: yjOapKcgE1.exe, 00000000.00000003.591659793.0000000003E4A000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.coms equals www.yahoo.com (Yahoo)

Source: yjOapKcgE1.exe, 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp, csrss.exe, 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp, csrss.exe, 00000004.00000002.440528103.00000000005E5000.00000040.00000001.sdmp	String found in binary or memory: http://a4ad4ip2xzclh6fd.onionreg.phpprog.phperr.phpcmd.phpsys.phpshd.phpmail.php?&v=b=i=k=ss=e=c=f=s
Source: yjOapKcgE1.exe, csrss.exe, csrss.exe, 00000004.00000002.440528103.00000000005E5000.00000040.00000001.sdmp	String found in binary or memory: http://whatismyipaddress.com/
Source: yjOapKcgE1.exe, 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp, csrss.exe, 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp, csrss.exe, 00000004.00000002.440528103.00000000005E5000.00000040.00000001.sdmp	String found in binary or memory: http://whatismyipaddress.com///whatismyipaddress.com/ip/Click
Source: csrss.exe, 00000004.00000002.440528103.00000000005E5000.00000040.00000001.sdmp	String found in binary or memory: http://whatsmyip.net/
Source: yjOapKcgE1.exe, csrss.exe, csrss.exe, 00000004.00000002.439611508.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: yjOapKcgE1.exe, 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, csrss.exe, 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, csrss.exe, 00000004.00000002.439611508.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html.
Source: yjOapKcgE1.exe, yjOapKcgE1.exe, 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, csrss.exe, csrss.exe, 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, csrss.exe, 00000004.00000002.439611508.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: https://www.torproject.org/

Source: unknown

HTTPS traffic detected: 193.23.244.244:443 -> 192.168.2.6:49776 version: TLS 1.2

Source: csrss.exe, 00000002.00000002.417573745.0000000000A12000.00000004.00000001.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands:

Yara detected Shade Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: csrss.exe PID: 5636, type: MEMORYSTR

Contains functionalty to change the wallpaper

Show sources

Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_0040AC3A __EH_prolog,_memset,SystemParametersInfoW,SystemParametersInfoW,		0_2_0040AC3A
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_0040AC3A __EH_prolog,_memset,SystemParametersInfoW,SystemParametersInfoW,		2_2_0040AC3A

Deletes shadow drive data (may be related to ransomware)

Show sources

Source: yjOapKcgE1.exe, 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp	Binary or memory string: vssadmin.exediskshadow.exeList ShadowsDelete Shadows /All /QuietDELETE SHADOWS ALLrunas/s ROOT\CIMV2WQLAVAST
Source: csrss.exe, 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp	Binary or memory string: vssadmin.exediskshadow.exeList ShadowsDelete Shadows /All /QuietDELETE SHADOWS ALLrunas/s ROOT\CIMV2WQLAVAST
Source: csrss.exe, 00000004.00000002.440528103.00000000005E5000.00000040.00000001.sdmp	Binary or memory string: vssadmin.exediskshadow.exeList ShadowsDelete Shadows /All /QuietDELETE SHADOWS ALLrunas/s ROOT\CIMV2WQLAVAST

Source: yjOapKcgE1.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_00416D6D	0_2_00416D6D
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_0041D211	0_2_0041D211
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_00413375	0_2_00413375
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_00409519	0_2_00409519
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_00405D99	0_2_00405D99
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_00417EB5	0_2_00417EB5
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_005700E0	0_2_005700E0
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_0046216A	0_2_0046216A
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_00578217	0_2_00578217
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_004182F7	0_2_004182F7
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_005702E0	0_2_005702E0
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_0047C295	0_2_0047C295
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_00458591	0_2_00458591
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_00578600	0_2_00578600
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_00412699	0_2_00412699
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_00572886	0_2_00572886
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_00424930	0_2_00424930
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_0055CA56	0_2_0055CA56
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_00448BF0	0_2_00448BF0
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_0040AC3A	0_2_0040AC3A
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_00412CBF	0_2_00412CBF
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_0055AD61	0_2_0055AD61
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_00574D00	0_2_00574D00
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_00414D81	0_2_00414D81
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_00478E5B	0_2_00478E5B
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_00572EF9	0_2_00572EF9
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_00416D6D	2_2_00416D6D
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_00405D99	2_2_00405D99
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_005700E0	2_2_005700E0
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_0046216A	2_2_0046216A
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_00578217	2_2_00578217
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_004182F7	2_2_004182F7
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_005702E0	2_2_005702E0
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_0047C295	2_2_0047C295
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_00458591	2_2_00458591
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_00578600	2_2_00578600
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_00412699	2_2_00412699
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_00572886	2_2_00572886
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_00424930	2_2_00424930
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_0055CA56	2_2_0055CA56
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_00448BF0	2_2_00448BF0
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_0040AC3A	2_2_0040AC3A
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_00412CBF	2_2_00412CBF
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_0055AD61	2_2_0055AD61
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_00574D00	2_2_00574D00
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_00414D81	2_2_00414D81
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_00478E5B	2_2_00478E5B
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_00572EF9	2_2_00572EF9
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_00573180	2_2_00573180
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_004411B7	2_2_004411B7
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_0041D211	2_2_0041D211
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_00571230	2_2_00571230
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_00575290	2_2_00575290
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_00413375	2_2_00413375
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_00559480	2_2_00559480
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_00409519	2_2_00409519
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_005756D7	2_2_005756D7
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_005716C0	2_2_005716C0
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_005737C0	2_2_005737C0
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_0041B9C0	2_2_0041B9C0
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_00571980	2_2_00571980
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_0054D9A0	2_2_0054D9A0
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_00407B25	2_2_00407B25
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_0056FD80	2_2_0056FD80
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_0044BEFB	2_2_0044BEFB
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_00417EB5	2_2_00417EB5
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_00457EB0	2_2_00457EB0
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_00443FA6	2_2_00443FA6

Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: String function: 0056F5DC appears 126 times
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: String function: 0055E5C0 appears 125 times
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: String function: 004427B6 appears 56 times
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: String function: 0040383F appears 56 times
Source: C:\ProgramData\Windows\csrss.exe	Code function: String function: 005501C8 appears 43 times
Source: C:\ProgramData\Windows\csrss.exe	Code function: String function: 004427B6 appears 100 times
Source: C:\ProgramData\Windows\csrss.exe	Code function: String function: 0040383F appears 91 times
Source: C:\ProgramData\Windows\csrss.exe	Code function: String function: 0056F5DC appears 218 times
Source: C:\ProgramData\Windows\csrss.exe	Code function: String function: 0055E5C0 appears 191 times

Source: C:\ProgramData\Windows\csrss.exe

Code function: 2_2_00417871: DeviceIoControl,CloseHandle,

2_2_00417871

Source: C:\Users\user\Desktop\yjOapKcgE1.exe

Process Stats: CPU usage > 98%

Source: yjOapKcgE1.exe, 00000000.00000003.356494984.0000000003275000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWEXTRACT.EXE V vs yjOapKcgE1.exe
Source: yjOapKcgE1.exe, 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameCSRSS.Exej% vs yjOapKcgE1.exe
Source: yjOapKcgE1.exe	Binary or memory string: OriginalFilenameWEXTRACT.EXE V vs yjOapKcgE1.exe

Source: yjOapKcgE1.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: yjOapKcgE1.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: yjOapKcgE1.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: csrss.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: csrss.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: csrss.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\ProgramData\Windows\csrss.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Windows\csrss.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\Windows\csrss.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Windows\csrss.exe	Section loaded: mswsock.dll	Jump to behavior

Source: yjOapKcgE1.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: csrss.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: yjOapKcgE1.exe	Virustotal: Detection: 67%
Source: yjOapKcgE1.exe	Metadefender: Detection: 68%
Source: yjOapKcgE1.exe	ReversingLabs: Detection: 86%

Source: C:\Users\user\Desktop\yjOapKcgE1.exe

File read: C:\Users\user\Desktop\yjOapKcgE1.exe

Jump to behavior

Source: yjOapKcgE1.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\yjOapKcgE1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\yjOapKcgE1.exe 'C:\Users\user\Desktop\yjOapKcgE1.exe'
Source: unknown	Process created: C:\ProgramData\Windows\csrss.exe 'C:\ProgramData\Windows\csrss.exe'
Source: unknown	Process created: C:\ProgramData\Windows\csrss.exe 'C:\ProgramData\Windows\csrss.exe'

Source: C:\Users\user\Desktop\yjOapKcgE1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\yjOapKcgE1.exe

File created: C:\Users\user\AppData\Local\Temp\6893A5D897\

Jump to behavior

Source: classification engine

Classification label: mal100.rans.evad.winEXE@3/3@0/4

Source: C:\Users\user\Desktop\yjOapKcgE1.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\yjOapKcgE1.exe

Code function: 0_2_00449089 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,_memset,GetTickCount,GetTickCount,Heap32ListFirst,_memset,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,Process32First,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,FindCloseChangeNotification,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,

0_2_00449089

Source: yjOapKcgE1.exe	String found in binary or memory: 7300e4301afb0f11bd3e3bbb680dcd5a4f16132b src/or/tor_main.c babb5c60712b93b4aec373dbb16184bfa538c647 src/or/addressmap.c 1c2e8b3d7f6d19f4c3fecef13d8e29ea45d69028 src/or/buffers.c 52fbb8124bfb04bb83d44f1bbaaa2a1ebfa42870 src/or/channel.c 050ce52841624546a391
Source: yjOapKcgE1.exe	String found in binary or memory: 68e src/or/addressmap.h fc122cd5462d0445cb668278744dd8778472cf54 src/or/buffers.h 03bcf0ecb460f7814ab484deb6f638f727704b94 src/or/channel.h 52340d597aa7c6cc5500f654f46733a4e577905a src/or/channeltls.h ff3a5693416ccf243f608a7bb943a078418c16d8 src/or/circpa
Source: yjOapKcgE1.exe	String found in binary or memory: accounting/interval-start
Source: yjOapKcgE1.exe	String found in binary or memory: X-Your-Address-Is:
Source: yjOapKcgE1.exe	String found in binary or memory: X-Your-Address-Is: %s
Source: yjOapKcgE1.exe	String found in binary or memory: introduction-point %s ip-address %s onion-port %d onion-key %sservice-key %s
Source: yjOapKcgE1.exe	String found in binary or memory: %d.%d.%d.%d.in-addr.arpa
Source: yjOapKcgE1.exe	String found in binary or memory: set-addPolicy
Source: yjOapKcgE1.exe	String found in binary or memory: --help
Source: yjOapKcgE1.exe	String found in binary or memory: --help
Source: yjOapKcgE1.exe	String found in binary or memory: tor-fw-helper
Source: yjOapKcgE1.exe	String found in binary or memory: ip-address
Source: yjOapKcgE1.exe	String found in binary or memory: dir-address
Source: yjOapKcgE1.exe	String found in binary or memory: or-address %s:%d
Source: yjOapKcgE1.exe	String found in binary or memory: or-address
Source: yjOapKcgE1.exe	String found in binary or memory: cp+(end-start_of_annotations) == router->cache_info.signed_descriptor_body+len
Source: yjOapKcgE1.exe	String found in binary or memory: id-cmc-addExtensions
Source: yjOapKcgE1.exe	String found in binary or memory: .in-addr.arpa
Source: yjOapKcgE1.exe	String found in binary or memory: cffd2d9eef71f1ae5f7eb4e16aa56b728abe65aa src/common/address.h 3890e58a3754bc0de32e7cf38de8a790c2c282af src/common/backtrace.h 947ef902f15f556f176b1115f09d9966e377347d src/common/aes.h 2ad59cee80471c42536e66e24e73a8948e345dcf src/common/ciphers.inc ceaa37cf
Source: yjOapKcgE1.exe	String found in binary or memory: --install
Source: yjOapKcgE1.exe	String found in binary or memory: -install
Source: csrss.exe	String found in binary or memory: 7300e4301afb0f11bd3e3bbb680dcd5a4f16132b src/or/tor_main.c babb5c60712b93b4aec373dbb16184bfa538c647 src/or/addressmap.c 1c2e8b3d7f6d19f4c3fecef13d8e29ea45d69028 src/or/buffers.c 52fbb8124bfb04bb83d44f1bbaaa2a1ebfa42870 src/or/channel.c 050ce52841624546a391
Source: csrss.exe	String found in binary or memory: 68e src/or/addressmap.h fc122cd5462d0445cb668278744dd8778472cf54 src/or/buffers.h 03bcf0ecb460f7814ab484deb6f638f727704b94 src/or/channel.h 52340d597aa7c6cc5500f654f46733a4e577905a src/or/channeltls.h ff3a5693416ccf243f608a7bb943a078418c16d8 src/or/circpa
Source: csrss.exe	String found in binary or memory: accounting/interval-start
Source: csrss.exe	String found in binary or memory: X-Your-Address-Is:
Source: csrss.exe	String found in binary or memory: X-Your-Address-Is: %s
Source: csrss.exe	String found in binary or memory: introduction-point %s ip-address %s onion-port %d onion-key %sservice-key %s
Source: csrss.exe	String found in binary or memory: %d.%d.%d.%d.in-addr.arpa
Source: csrss.exe	String found in binary or memory: set-addPolicy
Source: csrss.exe	String found in binary or memory: --help
Source: csrss.exe	String found in binary or memory: --help
Source: csrss.exe	String found in binary or memory: tor-fw-helper
Source: csrss.exe	String found in binary or memory: ip-address
Source: csrss.exe	String found in binary or memory: dir-address
Source: csrss.exe	String found in binary or memory: or-address %s:%d
Source: csrss.exe	String found in binary or memory: or-address
Source: csrss.exe	String found in binary or memory: cp+(end-start_of_annotations) == router->cache_info.signed_descriptor_body+len
Source: csrss.exe	String found in binary or memory: id-cmc-addExtensions
Source: csrss.exe	String found in binary or memory: .in-addr.arpa
Source: csrss.exe	String found in binary or memory: cffd2d9eef71f1ae5f7eb4e16aa56b728abe65aa src/common/address.h 3890e58a3754bc0de32e7cf38de8a790c2c282af src/common/backtrace.h 947ef902f15f556f176b1115f09d9966e377347d src/common/aes.h 2ad59cee80471c42536e66e24e73a8948e345dcf src/common/ciphers.inc ceaa37cf
Source: csrss.exe	String found in binary or memory: --install
Source: csrss.exe	String found in binary or memory: -install

Source: yjOapKcgE1.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: yjOapKcgE1.exe

Static file information: File size 1244429 > 1048576

Source: yjOapKcgE1.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x113200

Data Obfuscation:

Detected CryptOne packer

Show sources

Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA5B6A80-B834-11D0-932F-00A0C90DCAA9}	Jump to behavior
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA5B6A80-B834-11D0-932F-00A0C90DCAA9}	Jump to behavior
Source: C:\ProgramData\Windows\csrss.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA5B6A80-B834-11D0-932F-00A0C90DCAA9}	Jump to behavior
Source: C:\ProgramData\Windows\csrss.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA5B6A80-B834-11D0-932F-00A0C90DCAA9}	Jump to behavior
Source: C:\ProgramData\Windows\csrss.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA5B6A80-B834-11D0-932F-00A0C90DCAA9}	Jump to behavior
Source: C:\ProgramData\Windows\csrss.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA5B6A80-B834-11D0-932F-00A0C90DCAA9}	Jump to behavior

Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_0055020D push ecx; ret	0_2_00550220
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_0044CC0D push ss; iretd	0_2_0044CC11
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_0055020D push ecx; ret	2_2_00550220
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_0044CC0D push ss; iretd	2_2_0044CC11
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_0056F5DC push eax; ret	2_2_0056F5FA
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_004016F7 push edi; retn 0014h	2_2_004016FC
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_007E40E0 push edx; ret	2_2_007E41F1
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_007E4080 push edx; ret	2_2_007E408B
Source: C:\ProgramData\Windows\csrss.exe	Code function: 4_2_007E40E0 push edx; ret	4_2_007E41F1
Source: C:\ProgramData\Windows\csrss.exe	Code function: 4_2_007E4080 push edx; ret	4_2_007E408B

Source: C:\Users\user\Desktop\yjOapKcgE1.exe

Code function: 0_2_0041A13C LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0041A13C

Source: yjOapKcgE1.exe	Static PE information: real checksum: 0x139bcd should be: 0x139579
Source: csrss.exe.0.dr	Static PE information: real checksum: 0x139bcd should be: 0x139579

Source: initial sample	Static PE information: section name: .text entropy: 7.1245745803
Source: initial sample	Static PE information: section name: .text entropy: 7.1245745803

Persistence and Installation Behavior:

Drops PE files with benign system names

Show sources

Source: C:\Users\user\Desktop\yjOapKcgE1.exe

File created: C:\ProgramData\Windows\csrss.exe

Jump to dropped file

Source: C:\Users\user\Desktop\yjOapKcgE1.exe

File created: C:\ProgramData\Windows\csrss.exe

Jump to dropped file

Source: C:\Users\user\Desktop\yjOapKcgE1.exe

File created: C:\ProgramData\Windows\csrss.exe

Jump to dropped file

Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Client Server Runtime Subsystem			Jump to behavior
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Client Server Runtime Subsystem			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

May use the Tor software to hide its network traffic

Show sources

Source: yjOapKcgE1.exe, csrss.exe, csrss.exe, 00000004.00000002.439611508.0000000000400000.00000040.00000001.sdmp

Binary or memory string: onion-port

Source: C:\Users\user\Desktop\yjOapKcgE1.exe

0_2_0041A13C

Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Windows\csrss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Windows\csrss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Windows\csrss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Windows\csrss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Windows\csrss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Windows\csrss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Windows\csrss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Windows\csrss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\yjOapKcgE1.exe TID: 6888	Thread sleep count: 780 > 30	Jump to behavior
Source: C:\Users\user\Desktop\yjOapKcgE1.exe TID: 6888	Thread sleep time: -78000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yjOapKcgE1.exe TID: 6364	Thread sleep count: 765 > 30	Jump to behavior
Source: C:\Users\user\Desktop\yjOapKcgE1.exe TID: 6364	Thread sleep time: -76500s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\yjOapKcgE1.exe

0_2_00449089

Source: C:\Users\user\Desktop\yjOapKcgE1.exe

Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Window / User API: threadDelayed 780			Jump to behavior
Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Window / User API: threadDelayed 765			Jump to behavior

Source: C:\Users\user\Desktop\yjOapKcgE1.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\yjOapKcgE1.exe

Code function: 0_2_0040AA8F __EH_prolog,GetSystemInfo,

0_2_0040AA8F

Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_00416D6D _memset,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,		0_2_00416D6D
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_00416D6D _memset,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,		2_2_00416D6D

Source: C:\Users\user\Desktop\yjOapKcgE1.exe

Code function: 0_2_00416AEC _memset,_memset,GetLogicalDriveStringsW,GetSystemDirectoryW,GetDriveTypeW,GetDriveTypeW,

0_2_00416AEC

Source: yjOapKcgE1.exe, 00000000.00000003.552142955.0000000003DB4000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catat
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.17134.1_none_1ac11a9dc8f30e5b.manifest46\1
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-v..nthfcvdev.resources_31bf3856ad364e35_10.0.17134.1_en-us_9c3432f847f5f8f0\0S
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-rdv_31bf3856ad364e35_10.0.17134.1_none_6054528c8a07dd45.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.415982243.0000000003047000.00000004.00000001.sdmp	Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumtP
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-v..omputelib.resources_31bf3856ad364e35_10.0.17134.1_en-us_a1cfee3fcfcbe4d8.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-o..ercommon-deployment_31bf3856ad364e35_10.0.17134.1_none_ffda9e2d3858e036.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumEw
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumKk
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catcat
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-h..t-service.resources_31bf3856ad364e35_10.0.17134.1_en-us_0d3e2a9bd4020545\KR
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-tpm_31bf3856ad364e35_10.0.17134.1_none_604b83348a0c5e92\]V
Source: yjOapKcgE1.exe, 00000000.00000003.411826320.0000000003E4D000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.412351488.000000000301E000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catmgV
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vpmem_31bf3856ad364e35_10.0.17134.1_none_c277eb1734798565\H
Source: yjOapKcgE1.exe, 00000000.00000003.412351488.000000000301E000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catcat
Source: yjOapKcgE1.exe, 00000000.00000003.414767763.0000000003DB8000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catmmum
Source: yjOapKcgE1.exe, 00000000.00000003.406740318.000000000303F000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vmms.resources_31bf3856ad364e35_10.0.17134.1_en-us_2b9c39681a7206ff\
Source: yjOapKcgE1.exe, 00000000.00000003.407891045.0000000003023000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-bpa_31bf3856ad364e35_10.0.17134.1_none_84e0eedae46f7b9b\7`
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..lebrowser.resources_31bf3856ad364e35_10.0.17134.1_en-us_73034f3cf79a1975\RemoteFileBrowse.dll.mui
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catd64_2
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-d..-netsetup.resources_31bf3856ad364e35_10.0.17134.1_en-us_592a4468e416a24d\
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.17134.1_none_3ce1277763a2249b\
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.17134.1_none_b7de7159233ab503\>H
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cattcatHv
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumcat
Source: yjOapKcgE1.exe, 00000000.00000003.414833592.000000000300B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumm
Source: yjOapKcgE1.exe, 00000000.00000003.414767763.0000000003DB8000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.17134.1_none_15d1dfb8ceafada1.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414460883.0000000003E11000.00000004.00000001.sdmp	Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum\*
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-pvhd-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_3c5b1e1b1b3e66b3.manifest
Source: csrss.exe, 00000004.00000003.429515280.0000000002818000.00000004.00000001.sdmp	Binary or memory string: amd64_hyperv-compute-guestcomputeservice_31bf3856ad364e35_10.0.17134.1_none_7305852b7c12035c\amd64_halextintclpiodma.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_24bb2a71e75700a1\amd64_ialpss2i_gpio2_skl.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_c3ad514b87278211\3amd64_microsoft-onecore-bluetooth-bthserv_31bf3856ad364e35_10.0.17134.1_none_9e5c1f54d20f8511\amd64_ialpss2i_i2c_bxt_p.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_ffa8f5f4e6504efb\amd64_ialpss2i_i2c_skl.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_980be98350adbd52\amd64_hyperv-networking-switch-interface_31bf3856ad364e35_10.0.17134.1_none_cbcae0f157b5d02b\amd64_eventviewersettings.resources_31bf3856ad364e35_10.0.17134.1_en-us_7cb27ecefd0ec555\amd64_hyperv-compute-eventlog.resources_31bf3856ad364e35_10.0.17134.1_en-us_522940f2f04f07f9\amd64_hyperv-vmemulatednic.resources_31bf3856ad364e35_10.0.17134.1_en-us_f8bcfb31102e62eb\2983amd64_ialpss2i_gpio2_bxt_p.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_83c2ed1a4d3a2524\amd64_hyperv-vmemulateddevices.resources_31bf3856ad364e35_10.0.17134.1_en-us_a1a750046421bf96\amd64_hyperv-commandline-tool.resources_31bf3856ad364e35_10.0.17134.1_en-us_d5c4e754bc26201d\amd64_hyperv-vpci-rootporterr.resources_31bf3856ad364e35_10.0.17134.1_en-us_30ee0a3c7e36caae\amd64_hyperv-worker-events.resources_31bf3856ad364e35_10.0.17134.1_en-us_9de5622f209a7b21\bamd64_microsoft-hyper-v-management-clients_31bf3856ad364e35_10.0.17134.1_none_d80c4ce4e8fa0144\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.17134.1_none_f80e1506497cdc7d\amd64_microsoft-hyper-v-passthru-parser_31bf3856ad364e35_10.0.17134.1_none_076f3325872ef096\amd64_microsoft-hostguardianclient-service_31bf3856ad364e35_10.0.17134.1_none_a9eb3231da4732e2\amd64_microsoft-hgattest-wmi.resources_31bf3856ad364e35_10.0.17134.1_en-us_f5d00bfe514a12c1\amd64_microsoft-hyper-v-socket-provider_31bf3856ad364e35_10.0.17134.1_none_f5d736b78ec0a239\amd64_microsoft-antimalware-scan-interface_31bf3856ad364e35_10.0.17134.1_none_3c34e651403e5e41\amd64_microsoft-appmodel-exec-events_31bf3856ad364e35_10.0.17134.1_none_07677813525018a6\amd64_microsoft-analog-h2-fxpkg-baked_31bf3856ad364e35_10.0.17134.1_none_1be886b2910c8266\amd64_microsoft-composable-start-binaries_31bf3856ad364e35_10.0.17134.1_none_6e6feff719ed9f5c\amd64_microsoft-deviceproxy-wmiv2-provider_31bf3856ad364e35_10.0.17134.1_none_e9f22d8bf1fc7e92\amd64_microsoft-analog-h2-hydrogenrt_31bf3856ad364e35_10.0.17134.1_none_db29adc7273ced52\amd64_microsoft-analog-h2-animpkg-baked_31bf3856ad364e35_10.0.17134.1_none_6eba91e284242d6b\amd64_microsoft-hyper-v-3dvideo.resources_31bf3856ad364e35_10.0.17134.1_en-us_49c786157c795a73\amd64_microsoft-hyper-v-bpa.resources_31bf3856ad364e35_10.0.17134.1_en-us_461210c45e54cb44\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.17134.1_none_15d1dfb8ceafada1\amd64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.17134.1_none_bd1bad59835abed8\amd64_microsoft-onecore-assignedaccess
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-lun-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_15c27a1250ea6310\3U
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catf6\
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.17134.1_none_bd1bad59835abed8.manifest
Source: csrss.exe, 00000004.00000003.429515280.0000000002818000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-tpm_31bf3856ad364e35_10.0.17134.1_none_604b83348a0c5e92\amd64_itsas35i.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_f441e46bcde20aea\amd64_intelpep.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_b919ba664eb8a174\amd64_ipoib6x.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_e59925927d88680e\5b86camd64_keyboard.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_14295de0d5889a92\7d2amd64_kscaptur.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_c1b5d113ce4f7314\amd64_ialpssi_gpio.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_a649fe25b1990444\amd64_hyperv-vmsynthnic.resources_31bf3856ad364e35_10.0.17134.1_en-us_32a65f534e80b7d2\amd64_libressl-components-onecore_31bf3856ad364e35_10.0.17134.1_none_d4aeb1dd3dba3b92\amd64_iastorav.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_d010957a22aa6cc2\amd64_hyperv-vpci-rootporterr_31bf3856ad364e35_10.0.17134.1_none_4b48602cec1be5d9\b86camd64_ipmidrv.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_2d93a60324c5d86c\amd64_hyperv-vmserial.resources_31bf3856ad364e35_10.0.17134.1_en-us_6d3c997783423a80\amd64_iastorv.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_ce7487caeb282db1\444amd64_ksfilter.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_602cbe782df7c0ab\amd64_ialpssi_i2c.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_0a046d4df7f0ac7b\amd64_mdmcxpv6.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_59fc9c9cf9be23f2\amd64_mdmmot64.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_ff000c8ab0496599\amd64_mdmmoto1.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_f75b3576214733f5\amd64_mdmbtmdm.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_96206be438f55483\amd64_mdmusrk1.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_9eb3b46050454167\amd64_mdmirmdm.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_22eea3ac5f721862\585aamd64_mediatransportcontrols-model_31bf3856ad364e35_10.0.17134.1_none_df95a0919952295e\amd64_mausbhost.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_906215b3f2b26ad5\amd64_mdmcxhv6.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_09e8c5d79af537ba\amd64_lsi_sas.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_f2367d3fe2c952ed\amd64_lsi_sas2i.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_95805ec2a0a23b1e\amd64_lsi_sss.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_ad30da42fcd27fef\amd64_mdmhayes.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_8c57d7d49a69f653\amd64_mdmsettingsprov.resources_31bf3856ad364e35_10.0.17134.1_en-us_ad23c7918d89772c\amd64_lsi_sas3i.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_d9378c0cca16d307\amd64_machine.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_2a8d9dcc57300c60\amd64_microsoft-hyper-v-lun-parser_31bf3856ad364e35_10.0.17134.1_none_e6683e9b0956ac05\amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.17134.1_none_b7de7159233ab503\c601amd64_microsoft-hyper-v-vstack-rdv_31bf3856ad364e35_10.0.17134.1_none_6054528c8a07dd45\amd64_microsoft-hyper-v-ram-parser_31bf3856ad364e35_10.0.17134.1_non
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.408543755.000000000300C000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.Format.ps1xmln-US\licyg
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-firewallrules_31bf3856ad364e35_10.0.17134.1_none_b9673992b104448b.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.17134.1_none_7743eea1a413bb8c\
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-k..erformance-counters_31bf3856ad364e35_10.0.17134.1_none_611f8a7fa810774a.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-ram-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_8051bd2040ebffa9\
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumumLu
Source: yjOapKcgE1.exe, 00000000.00000003.412351488.000000000301E000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1catL
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vmbus_31bf3856ad364e35_10.0.17134.1_none_bcf0637138185dcf.manifestO
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.409144898.000000000301F000.00000004.00000001.sdmp	Binary or memory string: indows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\1
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catmum
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-i..nents-rdv.resources_31bf3856ad364e35_10.0.17134.1_en-us_e3616de0d25a48c4\
Source: csrss.exe, 00000002.00000002.418731471.0000000002812000.00000004.00000001.sdmp, csrss.exe, 00000004.00000003.429515280.0000000002818000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-bpa_31bf3856ad364e35_10.0.17134.1_none_84e0eedae46f7b9b\
Source: yjOapKcgE1.exe, 00000000.00000003.412351488.000000000301E000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat6\
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-v..edstorage.resources_31bf3856ad364e35_10.0.17134.1_en-us_bdfc93ec7698eb64\]S
Source: yjOapKcgE1.exe, 00000000.00000003.382330764.0000000003CC1000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.17134.1_none_3ce1277763a2249b.manifestt<9
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-synthfcvdev_31bf3856ad364e35_10.0.17134.1_none_2457e84548829177.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-v..nthfcvdev.resources_31bf3856ad364e35_10.0.17134.1_en-us_9c3432f847f5f8f0.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vpcivdev_31bf3856ad364e35_10.0.17134.1_none_7873076add237d80\
Source: yjOapKcgE1.exe, 00000000.00000003.406740318.000000000303F000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-tpm.resources_31bf3856ad364e35_10.0.17134.1_en-us_259560ef1632af7b\
Source: yjOapKcgE1.exe, 00000000.00000003.412351488.000000000301E000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat'
Source: yjOapKcgE1.exe, 00000000.00000003.552142955.0000000003DB4000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumt
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-licensing_31bf3856ad364e35_10.0.17134.1_none_369c533be4c3e496.manifestp
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..apinabout.resources_31bf3856ad364e35_10.0.17134.1_en-us_02a473bf02f2a824\SnapInAbout.dll.muipsm1xD]
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat3dafb3
Source: csrss.exe, 00000002.00000002.418731471.0000000002812000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-foundatio..rrordetails-content_31bf3856ad364e35_10.0.17134.1_none_3ab9bf148a4819e5\amd64_microsoft-hgattest-catrustlet.resources_31bf3856ad364e35_10.0.17134.1_en-us_ca3e7fd07ab37c9d\amd64_microsoft-foundatio..ostics-errordetails_31bf3856ad364e35_10.0.17134.1_none_ee9e9b835c95ca17\amd64_microsoft-client-li..platform-pkeyhelper_31bf3856ad364e35_10.0.17134.1_none_80fc199340598eb9\wow64_microsoft-windows-s..vider-dll.resources_31bf3856ad364e35_10.0.17134.1_en-us_edc9b956fc477c98\amd64_microsoft-composabl..aexchange-component_31bf3856ad364e35_10.0.17134.1_none_04e832a0b81922b5\amd64_microsoft-client-licensing-licensingcsp_31bf3856ad364e35_10.0.17134.1_none_30cd32ebc7471f35\amd64_microsoft-composable-dragdrop.resources_31bf3856ad364e35_10.0.17134.1_en-us_7f94f629bf9f24d2\amd64_microsoft-client-li..pgrade-subscription_31bf3856ad364e35_10.0.17134.1_none_36ef8e95916610d2\amd64_microsoft-composabl..ropcommon-component_31bf3856ad364e35_10.0.17134.1_none_071428093ca833e3\amd64_microsoft-client-li..rm-client.resources_31bf3856ad364e35_10.0.17134.1_en-us_2e935868788b98e3\amd64_microsoft-gaming-ga..rnal-presencewriter_31bf3856ad364e35_10.0.17134.1_none_e7a75aa65b01cbbc\amd64_microsoft-client-li..se-platform-service_31bf3856ad364e35_10.0.17134.1_none_ba6872d2ad3f59a1\amd64_microsoft-desktop-p..ioning-platform-uap_31bf3856ad364e35_10.0.17134.1_none_5e4e1b442d078889\amd64_microsoft-hostguard..ient-service-plugin_31bf3856ad364e35_10.0.17134.1_none_3d9a07e845b32510\amd64_microsoft-devicepro..-provider.resources_31bf3856ad364e35_10.0.17134.1_en-us_c2a551b5aab687b5\amd64_microsoft-hostguard..t-service.resources_31bf3856ad364e35_10.0.17134.1_en-us_9b44c1c80f7f69cb\amd64_microsoft-hyper-v-d..-netsetup.resources_31bf3856ad364e35_10.0.17134.1_en-us_592a4468e416a24d\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.17134.1_none_69e85823c476b806\0
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-passthru-parser_31bf3856ad364e35_10.0.17134.1_none_076f3325872ef096\
Source: csrss.exe, 00000004.00000003.429515280.0000000002818000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-foundatio..rrordetails-content_31bf3856ad364e35_10.0.17134.1_none_3ab9bf148a4819e5\amd64_microsoft-desktop-p..ioning-platform-uap_31bf3856ad364e35_10.0.17134.1_none_5e4e1b442d078889\amd64_microsoft-devicepro..-provider.resources_31bf3856ad364e35_10.0.17134.1_en-us_c2a551b5aab687b5\amd64_microsoft-hgattest-catrustlet.resources_31bf3856ad364e35_10.0.17134.1_en-us_ca3e7fd07ab37c9d\amd64_microsoft-composabl..aexchange-component_31bf3856ad364e35_10.0.17134.1_none_04e832a0b81922b5\amd64_microsoft-gaming-ga..rnal-presencewriter_31bf3856ad364e35_10.0.17134.1_none_e7a75aa65b01cbbc\wow64_microsoft-windows-s..voicecommon-onecore_31bf3856ad364e35_10.0.17134.1_none_2516ae987d0f5689amd64_microsoft-client-li..rm-client.resources_31bf3856ad364e35_10.0.17134.1_en-us_2e935868788b98e3\amd64_microsoft-foundatio..ostics-errordetails_31bf3856ad364e35_10.0.17134.1_none_ee9e9b835c95ca17\amd64_microsoft-hostguard..ient-service-plugin_31bf3856ad364e35_10.0.17134.1_none_3d9a07e845b32510\amd64_microsoft-client-li..pgrade-subscription_31bf3856ad364e35_10.0.17134.1_none_36ef8e95916610d2\amd64_microsoft-client-licensing-licensingcsp_31bf3856ad364e35_10.0.17134.1_none_30cd32ebc7471f35\amd64_microsoft-client-li..platform-pkeyhelper_31bf3856ad364e35_10.0.17134.1_none_80fc199340598eb9\amd64_microsoft-client-li..se-platform-service_31bf3856ad364e35_10.0.17134.1_none_ba6872d2ad3f59a1\amd64_microsoft-composabl..ropcommon-component_31bf3856ad364e35_10.0.17134.1_none_071428093ca833e3\amd64_microsoft-composable-dragdrop.resources_31bf3856ad364e35_10.0.17134.1_en-us_7f94f629bf9f24d2\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.17134.1_none_69e85823c476b806\amd64_microsoft-hostguard..t-service.resources_31bf3856ad364e35_10.0.17134.1_en-us_9b44c1c80f7f69cb\amd64_microsoft-hyper-v-d..-netsetup.resources_31bf3856ad364e35_10.0.17134.1_en-us_592a4468e416a24d\0
Source: yjOapKcgE1.exe, 00000000.00000003.412712919.0000000003DBC000.00000004.00000001.sdmp	Binary or memory string: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catcat
Source: csrss.exe, 00000002.00000002.418731471.0000000002812000.00000004.00000001.sdmp, csrss.exe, 00000004.00000003.429515280.0000000002818000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vmsp_31bf3856ad364e35_10.0.17134.1_none_1ac175bdc8f2a7d7\
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-o..group-vm-deployment_31bf3856ad364e35_10.0.17134.1_none_88bd3c16c482b637.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-v..izationv2.resources_31bf3856ad364e35_10.0.17134.1_en-us_aea0b368e53cc261.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.412351488.000000000301E000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catmn
Source: csrss.exe, 00000002.00000002.418731471.0000000002812000.00000004.00000001.sdmp	Binary or memory string: amd64_hyperv-commandline-tool.resources_31bf3856ad364e35_10.0.17134.1_en-us_d5c4e754bc26201d\amd64_hyperv-compute-guestcomputeservice_31bf3856ad364e35_10.0.17134.1_none_7305852b7c12035c\amd64_hyperv-vpci-rootporterr.resources_31bf3856ad364e35_10.0.17134.1_en-us_30ee0a3c7e36caae\amd64_hyperv-compute-eventlog.resources_31bf3856ad364e35_10.0.17134.1_en-us_522940f2f04f07f9\amd64_eventviewersettings.resources_31bf3856ad364e35_10.0.17134.1_en-us_7cb27ecefd0ec555\amd64_halextintclpiodma.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_24bb2a71e75700a1\amd64_microsoft-onecore-bluetooth-bthserv_31bf3856ad364e35_10.0.17134.1_none_9e5c1f54d20f8511\amd64_hyperv-worker-events.resources_31bf3856ad364e35_10.0.17134.1_en-us_9de5622f209a7b21\eamd64_hyperv-networking-switch-interface_31bf3856ad364e35_10.0.17134.1_none_cbcae0f157b5d02b\3amd64_hyperv-vmemulateddevices.resources_31bf3856ad364e35_10.0.17134.1_en-us_a1a750046421bf96\amd64_hyperv-vmemulatednic.resources_31bf3856ad364e35_10.0.17134.1_en-us_f8bcfb31102e62eb\2983amd64_ialpss2i_gpio2_bxt_p.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_83c2ed1a4d3a2524\amd64_ialpss2i_gpio2_skl.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_c3ad514b87278211\amd64_ialpss2i_i2c_skl.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_980be98350adbd52\amd64_ialpss2i_i2c_bxt_p.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_ffa8f5f4e6504efb\amd64_microsoft-analog-h2-animpkg-baked_31bf3856ad364e35_10.0.17134.1_none_6eba91e284242d6b\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.17134.1_none_f80e1506497cdc7d\amd64_microsoft-hgattest-wmi.resources_31bf3856ad364e35_10.0.17134.1_en-us_f5d00bfe514a12c1\amd64_microsoft-hostguardianclient-service_31bf3856ad364e35_10.0.17134.1_none_a9eb3231da4732e2\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.17134.1_none_15d1dfb8ceafada1\amd64_microsoft-composable-start-binaries_31bf3856ad364e35_10.0.17134.1_none_6e6feff719ed9f5c\amd64_microsoft-hyper-v-management-clients_31bf3856ad364e35_10.0.17134.1_none_d80c4ce4e8fa0144\amd64_microsoft-hyper-v-passthru-parser_31bf3856ad364e35_10.0.17134.1_none_076f3325872ef096\amd64_microsoft-hyper-v-socket-provider_31bf3856ad364e35_10.0.17134.1_none_f5d736b78ec0a239\amd64_microsoft-deviceproxy-wmiv2-provider_31bf3856ad364e35_10.0.17134.1_none_e9f22d8bf1fc7e92\amd64_microsoft-hyper-v-3dvideo.resources_31bf3856ad364e35_10.0.17134.1_en-us_49c786157c795a73\amd64_microsoft-hyper-v-bpa.resources_31bf3856ad364e35_10.0.17134.1_en-us_461210c45e54cb44\amd64_microsoft-analog-h2-fxpkg-baked_31bf3856ad364e35_10.0.17134.1_none_1be886b2910c8266\amd64_microsoft-analog-h2-hydrogenrt_31bf3856ad364e35_10.0.17134.1_none_db29adc7273ced52\amd64_microsoft-appmodel-exec-events_31bf3856ad364e35_10.0.17134.1_none_07677813525018a6\amd64_microsoft-antimalware-scan-interface_31bf3856ad364e35_10.0.17134.1_none_3c34e651403e5e41\amd64_microsoft-hyper-v-vstack-config_31bf3856ad364e35_10.0.17134.1_none_dacb8dcdbfa5382f\amd64_microsoft-hyper-v-vpmem.resources_3
Source: yjOapKcgE1.exe, 00000000.00000003.407312582.0000000003022000.00000004.00000001.sdmp, csrss.exe, 00000002.00000002.418731471.0000000002812000.00000004.00000001.sdmp, csrss.exe, 00000004.00000003.429515280.0000000002818000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-hgs_31bf3856ad364e35_10.0.17134.1_none_8ce33edadf477e7a\
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-lun-parser_31bf3856ad364e35_10.0.17134.1_none_e6683e9b0956ac05.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-o..vices-vm-deployment_31bf3856ad364e35_10.0.17134.1_none_d43b74ba5db8d712.manifest!
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumm
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-winhvr_31bf3856ad364e35_10.0.17134.1_none_2becad3b77bb3580.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.412351488.000000000301E000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.18
Source: yjOapKcgE1.exe, 00000000.00000003.412042043.0000000003025000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1t
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.379896172.0000000003E97000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vhd-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_0b749ee450213385.manifest_rega~
Source: yjOapKcgE1.exe, 00000000.00000003.381751774.0000000003E3D000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-d..ers-vmswitch-common_31bf3856ad364e35_10.0.17134.1_none_156e07c0687fe777.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumd64~en-'{
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-m..-client.snapinabout_31bf3856ad364e35_10.0.17134.1_none_7338804b0eb50c17.manifest[9U
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumt
Source: yjOapKcgE1.exe, 00000000.00000003.414460883.0000000003E11000.00000004.00000001.sdmp	Binary or memory string: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catum\6
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat34.1Qs
Source: yjOapKcgE1.exe, 00000000.00000003.414833592.000000000300B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catt<
Source: yjOapKcgE1.exe, 00000000.00000003.382657092.0000000003D10000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-v..omputelib.resources_31bf3856ad364e35_10.0.17134.1_en-us_a1cfee3fcfcbe4d8.manifest$
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-p..oyment-languagepack_31bf3856ad364e35_10.0.17134.1_en-us_7fb4b9d31b9d09e8.manifest38
Source: yjOapKcgE1.exe, 00000000.00000003.414833592.000000000300B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1A<
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vid_31bf3856ad364e35_10.0.17134.1_none_864a29a4e381d095.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414833592.000000000300B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.17<S
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-v..edstorage.resources_31bf3856ad364e35_10.0.17134.1_en-us_bdfc93ec7698eb64.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.552142955.0000000003DB4000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumfest2
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.17134.1_none_14929ba5ccea66b9.manifest7c\
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-3dvideo_31bf3856ad364e35_10.0.17134.1_none_bb0455987cc9b004\'H
Source: yjOapKcgE1.exe, 00000000.00000003.552142955.0000000003DB4000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catest
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-k..erformance-counters_31bf3856ad364e35_10.0.17134.1_none_0fa1f97fe68f5a84.manifest
Source: csrss.exe, 00000004.00000003.437124723.0000000002818000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-foundatio..rrordetails-content_31bf3856ad364e35_10.0.17134.1_none_3ab9bf148a4819e5\amd64_microsoft-desktop-p..ioning-platform-uap_31bf3856ad364e35_10.0.17134.1_none_5e4e1b442d078889\amd64_microsoft-devicepro..-provider.resources_31bf3856ad364e35_10.0.17134.1_en-us_c2a551b5aab687b5\amd64_microsoft-hgattest-catrustlet.resources_31bf3856ad364e35_10.0.17134.1_en-us_ca3e7fd07ab37c9d\amd64_microsoft-composabl..aexchange-component_31bf3856ad364e35_10.0.17134.1_none_04e832a0b81922b5\amd64_microsoft-gaming-ga..rnal-presencewriter_31bf3856ad364e35_10.0.17134.1_none_e7a75aa65b01cbbc\wow64_microsoft-windows-s..vider-dll.resources_31bf3856ad364e35_10.0.17134.1_en-us_edc9b956fc477c98\amd64_microsoft-client-li..rm-client.resources_31bf3856ad364e35_10.0.17134.1_en-us_2e935868788b98e3\amd64_microsoft-foundatio..ostics-errordetails_31bf3856ad364e35_10.0.17134.1_none_ee9e9b835c95ca17\amd64_microsoft-hostguard..ient-service-plugin_31bf3856ad364e35_10.0.17134.1_none_3d9a07e845b32510\amd64_microsoft-client-li..pgrade-subscription_31bf3856ad364e35_10.0.17134.1_none_36ef8e95916610d2\amd64_microsoft-client-licensing-licensingcsp_31bf3856ad364e35_10.0.17134.1_none_30cd32ebc7471f35\amd64_microsoft-client-li..platform-pkeyhelper_31bf3856ad364e35_10.0.17134.1_none_80fc199340598eb9\amd64_microsoft-client-li..se-platform-service_31bf3856ad364e35_10.0.17134.1_none_ba6872d2ad3f59a1\amd64_microsoft-composabl..ropcommon-component_31bf3856ad364e35_10.0.17134.1_none_071428093ca833e3\amd64_microsoft-composable-dragdrop.resources_31bf3856ad364e35_10.0.17134.1_en-us_7f94f629bf9f24d2\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.17134.1_none_69e85823c476b806\amd64_microsoft-hostguard..t-service.resources_31bf3856ad364e35_10.0.17134.1_en-us_9b44c1c80f7f69cb\amd64_microsoft-hyper-v-d..-netsetup.resources_31bf3856ad364e35_10.0.17134.1_en-us_592a4468e416a24d\0
Source: csrss.exe, 00000004.00000003.433142897.0000000000A4D000.00000004.00000001.sdmp	Binary or memory string: MS48AF~1.CDXMSFT_NetEventVmNetworkAdatper.cdxml
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-o..oyment-languagepack_31bf3856ad364e35_10.0.17134.1_en-us_9c1fa24ea8808bce.manifest9
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-winhvr_31bf3856ad364e35_10.0.17134.1_none_2becad3b77bb3580\6b9XI
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-bpa.resources_31bf3856ad364e35_10.0.17134.1_en-us_461210c45e54cb44\+Q
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-windows-hyper-v-dmvsc_31bf3856ad364e35_10.0.17134.1_none_8c46edec6c2bc4c5.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414767763.0000000003DB8000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1
Source: yjOapKcgE1.exe, 00000000.00000003.414460883.0000000003E11000.00000004.00000001.sdmp	Binary or memory string: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum*Q
Source: yjOapKcgE1.exe, 00000000.00000003.414767763.0000000003DB8000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1mumqR8
Source: yjOapKcgE1.exe, 00000000.00000003.414833592.000000000300B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.1
Source: yjOapKcgE1.exe, 00000000.00000003.414767763.0000000003DB8000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum.cat\|V<
Source: yjOapKcgE1.exe, 00000000.00000003.382209758.0000000003D32000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vmms.resources_31bf3856ad364e35_10.0.17134.1_en-us_2b9c39681a7206ff.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.368619961.0000000003CB8000.00000004.00000001.sdmp	Binary or memory string: wow64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.17134.1_none_c77057abb7bb80d3\
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-3dvideo.resources_31bf3856ad364e35_10.0.17134.1_en-us_49c786157c795a73.manifesta&
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-3dvideo.resources_31bf3856ad364e35_10.0.17134.1_en-us_49c786157c795a73\
Source: yjOapKcgE1.exe, 00000000.00000003.415982243.0000000003047000.00000004.00000001.sdmp	Binary or memory string: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.1m
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catcs
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-bpa.resources_31bf3856ad364e35_10.0.17134.1_en-us_461210c45e54cb44.manifest>&k
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catcs
Source: yjOapKcgE1.exe, 00000000.00000003.415062404.0000000003DB4000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catt
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-p..-onecore-deployment_31bf3856ad364e35_10.0.17134.1_none_d91519867fe67212.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.390581909.0000000003CB8000.00000004.00000001.sdmp	Binary or memory string: $$_syswow64_windowspowershell_v1.0_modules_hyper-v_2.0.0.0_e405d34891a93e8b.cdf-ms67\o
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat.mum
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat.mum
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-passthru-parser_31bf3856ad364e35_10.0.17134.1_none_076f3325872ef096.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-winhv_31bf3856ad364e35_10.0.17134.1_none_c35bb6c84d5e4ad0\0e5b
Source: yjOapKcgE1.exe, 00000000.00000003.414767763.0000000003DB8000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum9Vq
Source: yjOapKcgE1.exe, 00000000.00000003.412042043.0000000003025000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.17134.11.cat
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-storvsp_31bf3856ad364e35_10.0.17134.1_none_fabc5147bcc71691.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.412176983.0000000003E0C000.00000004.00000001.sdmp	Binary or memory string: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catcat1a8C=
Source: yjOapKcgE1.exe, 00000000.00000003.411826320.0000000003E4D000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catult l
Source: yjOapKcgE1.exe, 00000000.00000003.414460883.0000000003E11000.00000004.00000001.sdmp	Binary or memory string: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumW
Source: yjOapKcgE1.exe, 00000000.00000003.414935750.000000000300B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.381751774.0000000003E3D000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-guest-network-drivers_31bf3856ad364e35_10.0.17134.1_none_5c8a4254832126cf.manifestW
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.415982243.0000000003047000.00000004.00000001.sdmp	Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-3dvideo.resources_31bf3856ad364e35_10.0.17134.1_en-us_49c786157c795a73\i_
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catumx
Source: yjOapKcgE1.exe, 00000000.00000003.414935750.000000000300B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-v..nthfcvdev.resources_31bf3856ad364e35_10.0.17134.1_en-us_9c3432f847f5f8f0\VmSynthFcVdev.dll.muii4.y\
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.17134.1_none_bd1bad59835abed8\
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp, csrss.exe, 00000002.00000002.418731471.0000000002812000.00000004.00000001.sdmp, csrss.exe, 00000004.00000003.429515280.0000000002818000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.17134.1_none_14929ba5ccea66b9\
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.382209758.0000000003D32000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-tpm.resources_31bf3856ad364e35_10.0.17134.1_en-us_259560ef1632af7b.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum=k
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-lun-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_15c27a1250ea6310.manifeste9o
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat6s
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.17134.1_none_1c1693f7c8171ba6.manifesta\
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-rdv_31bf3856ad364e35_10.0.17134.1_none_6054528c8a07dd45\
Source: yjOapKcgE1.exe, 00000000.00000003.412351488.000000000301E000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catf
Source: yjOapKcgE1.exe, 00000000.00000003.396549610.0000000003BF4000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft.hyperv.powershell.cmdlets.misc_31bf3856ad364e35_10.0.17134.1_none_926214e59f622dbe\Hyper-V.Types.ps1xmlm11
Source: yjOapKcgE1.exe, 00000000.00000003.414460883.0000000003E11000.00000004.00000001.sdmp	Binary or memory string: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-winhv_31bf3856ad364e35_10.0.17134.1_none_c35bb6c84d5e4ad0.manifest=
Source: yjOapKcgE1.exe, 00000000.00000003.412399466.000000000302F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat(
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-config_31bf3856ad364e35_10.0.17134.1_none_dacb8dcdbfa5382f.manifest\
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-m..-client.snapinabout_31bf3856ad364e35_10.0.17134.1_none_7338804b0eb50c17\
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.17134.1_none_c0
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum:
Source: yjOapKcgE1.exe, 00000000.00000003.381751774.0000000003E3D000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-i..ationcomponents-rdv_31bf3856ad364e35_10.0.17134.1_none_27198deddb7b50eb.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.412351488.000000000301E000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catnttd6
Source: yjOapKcgE1.exe, 00000000.00000003.368508999.0000000003E39000.00000004.00000001.sdmp	Binary or memory string: MSFT_NetEventVmNetworkAdatper.format.ps1xmll
Source: yjOapKcgE1.exe, 00000000.00000003.381751774.0000000003E3D000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-d..-netsetup.resources_31bf3856ad364e35_10.0.17134.1_en-us_592a4468e416a24d.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-o..oyment-languagepack_31bf3856ad364e35_10.0.17134.1_en-us_170afe8321651ef9.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-computelib_31bf3856ad364e35_10.0.17134.1_none_9321c5b124bca3df.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.381751774.0000000003E3D000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-f..wallrules.resources_31bf3856ad364e35_10.0.17134.1_en-us_7d008f07cc0acfbc.manifesti
Source: yjOapKcgE1.exe, 00000000.00000003.412351488.000000000301E000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat8\
Source: yjOapKcgE1.exe, 00000000.00000003.412712919.0000000003DBC000.00000004.00000001.sdmp	Binary or memory string: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat.cat
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum_
Source: yjOapKcgE1.exe, 00000000.00000003.382209758.0000000003D32000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-debug.resources_31bf3856ad364e35_10.0.17134.1_en-us_8e782c7a46f14b49.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-p..ru-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_d16dce7672841ddd\
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vid_31bf3856ad364e35_10.0.17134.1_none_602fae5e8a21fe6a\
Source: yjOapKcgE1.exe, 00000000.00000003.552142955.0000000003DB4000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumx
Source: csrss.exe, 00000002.00000002.418731471.0000000002812000.00000004.00000001.sdmp, csrss.exe, 00000004.00000003.429515280.0000000002818000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.17134.1_none_1ac11a9dc8f30e5b\
Source: yjOapKcgE1.exe, 00000000.00000003.381751774.0000000003E3D000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-drivers-hypervisor-bcd_31bf3856ad364e35_10.0.17134.1_none_fb42759451b23f2f.manifestA
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-m..apinabout.resources_31bf3856ad364e35_10.0.17134.1_en-us_02a473bf02f2a824\
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-m..apinabout.resources_31bf3856ad364e35_10.0.17134.1_en-us_02a473bf02f2a824.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack_31bf3856ad364e35_10.0.17134.1_none_4a3dff595d47ce04.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vhd-parser_31bf3856ad364e35_10.0.17134.1_none_6447f639abdaab84.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-ram-parser_31bf3856ad364e35_10.0.17134.1_none_d74ad2482ffdcb42\
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-hgs_31bf3856ad364e35_10.0.17134.1_none_8ce33edadf477e7a.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-debug_31bf3856ad364e35_10.0.17134.1_none_e99c08352e0bfafa\
Source: csrss.exe, 00000004.00000003.432408369.0000000003CF4000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\WinSxS\wow64_microsoft.hyperv.powershell.cmdlets.misc_31bf3856ad364e35_10.0.17134.1_none_9cb6bf37d3c2efb9\Hyper-V.Format.ps1xmlfdC:\Windows\WinSxS\wow64_microsoft.backgroun..r.management.module_31bf3856ad364e35_10.0.17134.1_none_c9225674386b031d\BitsTransfer.Format.ps1xmlC:\Windows\WinSxS\wow64_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_10.0.17134.1_none_3ad5fcef89951812\PortableDeviceTypes.dllll
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.17134.1_none_7743eea1a413bb8c\RemoteFileBrowse.dllpsd1top.a
Source: yjOapKcgE1.exe, 00000000.00000003.382657092.0000000003D10000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-i..nents-rdv.resources_31bf3856ad364e35_10.0.17134.1_en-us_e3616de0d25a48c4.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vhd-parser_31bf3856ad364e35_10.0.17134.1_none_6447f639abdaab84\
Source: yjOapKcgE1.exe, 00000000.00000003.381751774.0000000003E3D000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-h..rvisor-host-service_31bf3856ad364e35_10.0.17134.1_none_51d671baba10f2e8.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-passthru-parser_31bf3856ad364e35_10.0.17134.1_none_076f3325872ef096\\
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-p..ru-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_d16dce7672841ddd\passthruparser.sys.muia
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catY
Source: yjOapKcgE1.exe, 00000000.00000003.406740318.000000000303F000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.17134.1_en-us_f8bef40208ce4908\
Source: yjOapKcgE1.exe, 00000000.00000003.412042043.0000000003025000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat4.1dk
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.17134.1_none_7743eea1a413bb8c.manifest}8w
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-lun-parser_31bf3856ad364e35_10.0.17134.1_none_e6683e9b0956ac05\BV
Source: yjOapKcgE1.exe, 00000000.00000003.415982243.0000000003047000.00000004.00000001.sdmp	Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1mum
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mummumJ
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum2
Source: yjOapKcgE1.exe, 00000000.00000003.415062404.0000000003DB4000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumoI
Source: yjOapKcgE1.exe, 00000000.00000003.412378941.000000000300C000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catt
Source: csrss.exe, 00000002.00000003.410125040.0000000003AF6000.00000004.00000001.sdmp	Binary or memory string: MSFT_NetEventPacketCaptureProvider.cdxml-nat-poMSFT_NetEventWFPCaptureProvider.format.ps1xmld4414a63ae697c\C:\Windows\WinSxS\wow64_microsofMSFT_NetEventVmSwitchProvider.format.ps1xml.0.1MSFT_NetEventNetworkAdapter.format.ps1xml\WinSxMSFT_NetEventPacketCaptureProvider.cdxml31bf385MSFT_NetEventPacketCaptureProvider.formatl\34MSFT_NetEventNetworkAdapter.format.ps1xmlxmlptMSFT_NetEventPacketCaptureProvider.cdxml1xml47MSFT_NetEventVmNetworkAdatper.format.ps1xmlOSOFMSFT_NetEventVmNetworkAdatper.format.ps1xml.0.1MSFT_NetEventNetworkAdapter.format.ps1xml\WinSxMSFT_NetEventNetworkAdapter.format.ps1xml1bf385MSFT_NetEventNetworkAdapter.format.ps1xmll\keMSFT_NetEventVmNetworkAdatper.format.ps1xmlt-poMSFT_NetEventPacketCaptureProvider.cdxml1xmld4414a63ae697c\oC:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-NAT-POWERSHELL_31BF3856AD364E35_10.0.17134.1_NONE_B4D4414A63AE697C\\\\?\C:\Windows\WinSxS\wow64_microsoft-windows-nddeapi_31bf3856ad364e35_10.0.17134.1_none_2a0878d4c8eac9ec\*b\0C:\Windows\WinSxS\wow64_microsoft-windows-ndis-implatform_31bf3856ad364e35_10.0.17134.1_none_45c06433e16a291b\eC:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-NAT-POWERSHELL_31BF3856AD364E35_10.0.17134.1_NONE_B4D4414A63AE697C\C:\Windows\WinSxS\wow64_microsoft-windows-nat-powershell_31bf3856ad364e35_10.0.17134.1_none_b4d4414a63ae697c\C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-NDIS-IMPLATFORM_31BF3856AD364E35_10.0.17134.1_NONE_45C06433E16A291B\C:\Windows\WinSxS\wow64_microsoft-windows-nat-powershell_31bf3856ad364e35_10C:\Windows\WinSxS\wow64_microsoft-windows-nat-powershell_31bf3856ad364e35_10.0.17134.1_none_b4d4414a63ae697c\MSFT_NetNat.cdxml_B4D4414A63AE697C\crC:\Windows\WinSxS\wow64_microsoft-windows-nat-powershell_31bf3856ad364e35_10.0.17134.1_none_b4d4414a63ae697c\C:\Windows\WinSxS\wow64_microsoft-windows-n
Source: yjOapKcgE1.exe, 00000000.00000003.381751774.0000000003E3D000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.17134.1_none_69e85823c476b806.manifestJ
Source: yjOapKcgE1.exe, 00000000.00000003.552142955.0000000003DB4000.00000004.00000001.sdmp	Binary or memory string: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum\*{
Source: yjOapKcgE1.exe, 00000000.00000003.414460883.0000000003E11000.00000004.00000001.sdmp	Binary or memory string: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum.mum
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vpmem.resources_31bf3856ad364e35_10.0.17134.1_en-us_83c966966d5f8cf2.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414460883.0000000003E11000.00000004.00000001.sdmp	Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catat\
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-m..ients-firewallrules_31bf3856ad364e35_10.0.17134.1_none_d07683518a4c2ec2.manifestF9J
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-sysprep-provider_31bf3856ad364e35_10.0.17134.1_none_18c6a9392dd7eb3e\HyperVSysprepProvider.dll64rast
Source: yjOapKcgE1.exe, 00000000.00000003.411826320.0000000003E4D000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cattat
Source: yjOapKcgE1.exe, 00000000.00000003.371378467.0000000003CBF000.00000004.00000001.sdmp	Binary or memory string: wow64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.17134.1_none_c77057abb7bb80d3\c7c
Source: yjOapKcgE1.exe, 00000000.00000003.382209758.0000000003D32000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-hypervcluster_31bf3856ad364e35_10.0.17134.1_none_d23c603739df2f63.manifest/C
Source: yjOapKcgE1.exe, 00000000.00000003.411826320.0000000003E4D000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumcat
Source: yjOapKcgE1.exe, 00000000.00000003.414767763.0000000003DB8000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-h..rvisor-host-service_31bf3856ad364e35_10.0.17134.1_none_51d671baba10f2e8\
Source: yjOapKcgE1.exe, 00000000.00000003.381751774.0000000003E3D000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-h..oyment-languagepack_31bf3856ad364e35_10.0.17134.1_en-us_c8885d1044f785b1.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.412351488.000000000301E000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat.cattXfp
Source: yjOapKcgE1.exe, 00000000.00000003.382209758.0000000003D32000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-debug.resources_31bf3856ad364e35_10.0.17134.1_en-us_8e782c7a46f14b49.manifest4.1
Source: csrss.exe, 00000004.00000003.433142897.0000000000A4D000.00000004.00000001.sdmp	Binary or memory string: MS3E67~1.PS1MSFT_NetEventVmNetworkAdatper.format.ps1xml
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumcatm w
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-debug_31bf3856ad364e35_10.0.17134.1_none_e99c08352e0bfafa.manifest6\D&=
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.17134.1_none_c0dbf3b2f0877a05\VmEmulatedStorage.dllack_S
Source: yjOapKcgE1.exe, 00000000.00000003.415062404.0000000003DB4000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.382825264.0000000003D31000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.17134.1_none_c0dbf3b2f0877a05.manifestcEo
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat89e18rl
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-o..ommon-vm-deployment_31bf3856ad364e35_10.0.17134.1_none_f5e4ea96fd9fee6d.manifest<9
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.17134.1_none_1ac11a9dc8f30e5b\sK
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-i..ationcomponents-rdv_31bf3856ad364e35_10.0.17134.1_none_27198deddb7b50eb\
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumpe
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vmsp_31bf3856ad364e35_10.0.17134.1_none_1ac175bdc8f2a7d7.manifestaa\
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vmsp.resources_31bf3856ad364e35_10.0.17134.1_en-us_96681ed56ec765c6\)[
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vmwp.resources_31bf3856ad364e35_10.0.17134.1_en-us_662e0a371a2edd22\
Source: yjOapKcgE1.exe, 00000000.00000003.411826320.0000000003E4D000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catt364e
Source: yjOapKcgE1.exe, 00000000.00000003.414935750.000000000300B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mummum3?W
Source: csrss.exe, 00000002.00000002.417573745.0000000000A12000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllN
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-management-clients_31bf3856ad364e35_10.0.17134.1_none_d80c4ce4e8fa0144.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-hypervisor-events_31bf3856ad364e35_10.0.17134.1_none_93bac8ae42b1f037.manifestZ
Source: yjOapKcgE1.exe, 00000000.00000003.414833592.000000000300B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1
Source: yjOapKcgE1.exe, 00000000.00000003.415982243.0000000003047000.00000004.00000001.sdmp	Binary or memory string: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1at
Source: yjOapKcgE1.exe, 00000000.00000003.414767763.0000000003DB8000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat.mum.Vn
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-bpa.resources_31bf3856ad364e35_10.0.17134.1_en-us_461210c45e54cb44\f\
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1xs
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catat_
Source: yjOapKcgE1.exe, 00000000.00000003.406740318.000000000303F000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-v..rvcluster.resources_31bf3856ad364e35_10.0.17134.1_en-us_a86f4344ed926804\
Source: yjOapKcgE1.exe, 00000000.00000003.552142955.0000000003DB4000.00000004.00000001.sdmp	Binary or memory string: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat\l;
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cattte
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catemory.i
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catp
Source: csrss.exe, 00000004.00000002.441820341.0000000002812000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-foundatio..rrordetails-content_31bf3856ad364e35_10.0.17134.1_none_3ab9bf148a4819e5\amd64_microsoft-desktop-p..ioning-platform-uap_31bf3856ad364e35_10.0.17134.1_none_5e4e1b442d078889\amd64_microsoft-devicepro..-provider.resources_31bf3856ad364e35_10.0.17134.1_en-us_c2a551b5aab687b5\amd64_microsoft-hgattest-catrustlet.resources_31bf3856ad364e35_10.0.17134.1_en-us_ca3e7fd07ab37c9d\amd64_microsoft-composabl..aexchange-component_31bf3856ad364e35_10.0.17134.1_none_04e832a0b81922b5\amd64_microsoft-gaming-ga..rnal-presencewriter_31bf3856ad364e35_10.0.17134.1_none_e7a75aa65b01cbbc\wow64_microsoft-windows-e..d-keyboardfilterwmi_31bf3856ad364e35_10.0.17134.1_none_4c3ecb4f169ffaf8\amd64_microsoft-client-li..rm-client.resources_31bf3856ad364e35_10.0.17134.1_en-us_2e935868788b98e3\amd64_microsoft-foundatio..ostics-errordetails_31bf3856ad364e35_10.0.17134.1_none_ee9e9b835c95ca17\amd64_microsoft-hostguard..ient-service-plugin_31bf3856ad364e35_10.0.17134.1_none_3d9a07e845b32510\amd64_microsoft-client-li..pgrade-subscription_31bf3856ad364e35_10.0.17134.1_none_36ef8e95916610d2\amd64_microsoft-client-licensing-licensingcsp_31bf3856ad364e35_10.0.17134.1_none_30cd32ebc7471f35\amd64_microsoft-client-li..platform-pkeyhelper_31bf3856ad364e35_10.0.17134.1_none_80fc199340598eb9\amd64_microsoft-client-li..se-platform-service_31bf3856ad364e35_10.0.17134.1_none_ba6872d2ad3f59a1\amd64_microsoft-composabl..ropcommon-component_31bf3856ad364e35_10.0.17134.1_none_071428093ca833e3\amd64_microsoft-composable-dragdrop.resources_31bf3856ad364e35_10.0.17134.1_en-us_7f94f629bf9f24d2\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.17134.1_none_69e85823c476b806\amd64_microsoft-hostguard..t-service.resources_31bf3856ad364e35_10.0.17134.1_en-us_9b44c1c80f7f69cb\amd64_microsoft-hyper-v-d..-netsetup.resources_31bf3856ad364e35_10.0.17134.1_en-us_592a4468e416a24d\0
Source: yjOapKcgE1.exe, 00000000.00000003.415062404.0000000003DB4000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumi
Source: yjOapKcgE1.exe, 00000000.00000003.406740318.000000000303F000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vhd-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_0b749ee450213385\
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumient\3.5.0.0__b77a5c561934e089\*93ec\
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-o..-onecore-deployment_31bf3856ad364e35_10.0.17134.1_none_bae31ba10711fa29.manifestk
Source: yjOapKcgE1.exe, 00000000.00000003.414767763.0000000003DB8000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat875j
Source: yjOapKcgE1.exe, 00000000.00000003.412042043.0000000003025000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catcatt
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp	Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catt\f
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.414460883.0000000003E11000.00000004.00000001.sdmp	Binary or memory string: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: csrss.exe, 00000002.00000002.418731471.0000000002812000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-i..nents-rdv.resources_31bf3856ad364e35_10.0.17134.1_en-us_e3616de0d25a48c4\amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.17134.1_none_3ce1277763a2249b\5amd64_microsoft-onecore-a..sourcepolicy-server_31bf3856ad364e35_10.0.17134.1_none_8bb9bb03e61e0547\amd64_microsoft-hyper-v-m..t-clients.resources_31bf3856ad364e35_10.0.17134.1_en-us_d370585015d204f5\amd64_microsoft-hyper-v-pvhd-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_3c5b1e1b1b3e66b3\amd64_microsoft-hyper-v-ram-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_8051bd2040ebffa9\amd64_microsoft-hyper-v-m..apinabout.resources_31bf3856ad364e35_10.0.17134.1_en-us_02a473bf02f2a824\amd64_microsoft-hyper-v-h..t-service.resources_31bf3856ad364e35_10.0.17134.1_en-us_0d3e2a9bd4020545\amd64_microsoft-hyper-v-d..ypervisor.resources_31bf3856ad364e35_10.0.17134.1_en-us_f27d2f48e22200a4\amd64_microsoft-hyper-v-i..ationcomponents-rdv_31bf3856ad364e35_10.0.17134.1_none_27198deddb7b50eb\amd64_microsoft-hyper-v-lun-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_15c27a1250ea6310\amd64_microsoft-hyper-v-m..-client.snapinabout_31bf3856ad364e35_10.0.17134.1_none_7338804b0eb50c17\amd64_microsoft-hyper-v-p..ru-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_d16dce7672841ddd\amd64_microsoft-hyper-v-m..lebrowser.resources_31bf3856ad364e35_10.0.17134.1_en-us_73034f3cf79a1975\amd64_microsoft-hyper-v-h..rvisor-host-service_31bf3856ad364e35_10.0.17134.1_none_51d671baba10f2e8\amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.17134.1_none_7743eea1a413bb8c\amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.17134.1_en-us_f8bef40208ce4908\amd64_microsoft-hyper-v-v..ck-virtualizationv2_31bf3856ad364e35_10.0.17134.1_none_55327e6a748f524c\amd64_microsoft-hyper-v-v..failoverreplication_31bf3856ad364e35_10.0.17134.1_none_80458ecfde93ef21\amd64_microsoft-hyper-v-v..omputelib.resources_31bf3856ad364e35_10.0.17134.1_en-us_a1cfee3fcfcbe4d8\amd64_microsoft-hyper-v-vhd-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_0b749ee450213385\amd64_microsoft-hyper-v-v..edstorage.resources_31bf3856ad364e35_10.0.17134.1_en-us_bdfc93ec7698eb64\amd64_microsoft-hyper-v-v..rvcluster.resources_31bf3856ad364e35_10.0.17134.1_en-us_a86f4344ed926804\amd64_microsoft-hyper-v-vstack-hypervcluster_31bf3856ad364e35_10.0.17134.1_none_d23c603739df2f63\amd64_microsoft-hyper-v-vstack-vmms.resources_31bf3856ad364e35_10.0.17134.1_en-us_2b9c39681a7206ff\amd64_microsoft-hyper-v-v..izationv2.resources_31bf3856ad364e35_10.0.17134.1_en-us_aea0b368e53cc261\amd64_microsoft-hyper-v-vstack-tpm.resources_31bf3856ad364e35_10.0.17134.1_en-us_259560ef1632af7b\amd64_microsoft-hyper-v-vstack-vmsp.resources_31bf3856ad364e35_10.0.17134.1_en-us_96681ed56ec765c6\amd64_microsoft-hyper-v-vstack-vmwp.resources_31bf3856ad364e35_10.0.17134.1_en-us_662e0a371a2edd22\amd64_microsoft-hyper-v-vstack-debug.resources_31bf3856ad364e35_10.0.17134.1_en-us_8e782c7a46f14b49\amd64_microsoft-hyper-v-v
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-d..ypervisor.resources_31bf3856ad364e35_10.0.17134.1_en-us_f27d2f48e22200a4\.R
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-v..failoverreplication_31bf3856ad364e35_10.0.17134.1_none_80458ecfde93ef21\
Source: yjOapKcgE1.exe, 00000000.00000003.414833592.000000000300B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1Z<\|
Source: yjOapKcgE1.exe, 00000000.00000003.376849424.000000000404B000.00000004.00000001.sdmp	Binary or memory string: wow64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.17134.1_none_c77057abb7bb80d3.manifest5
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catmdnj
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-tpm_31bf3856ad364e35_10.0.17134.1_none_604b83348a0c5e92.manifestE
Source: yjOapKcgE1.exe, 00000000.00000003.552142955.0000000003DB4000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-m..lebrowser.resources_31bf3856ad364e35_10.0.17134.1_en-us_73034f3cf79a1975\
Source: yjOapKcgE1.exe, 00000000.00000003.396521607.0000000003CBC000.00000004.00000001.sdmp	Binary or memory string: Hyper-V.Types.ps1xmlmaE
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-v..rvcluster.resources_31bf3856ad364e35_10.0.17134.1_en-us_a86f4344ed926804.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp	Binary or memory string: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catata\'w
Source: csrss.exe, 00000002.00000002.418731471.0000000002812000.00000004.00000001.sdmp	Binary or memory string: amd64_iastorav.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_d010957a22aa6cc2\44amd64_iastorv.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_ce7487caeb282db1\amd64_intelpep.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_b919ba664eb8a174\amd64_ksfilter.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_602cbe782df7c0ab\amd64_itsas35i.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_f441e46bcde20aea\amd64_ipmidrv.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_2d93a60324c5d86c\amd64_keyboard.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_14295de0d5889a92\amd64_microsoft-hyper-v-vstack-tpm_31bf3856ad364e35_10.0.17134.1_none_604b83348a0c5e92\amd64_kscaptur.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_c1b5d113ce4f7314\e79famd64_hyperv-vpci-rootporterr_31bf3856ad364e35_10.0.17134.1_none_4b48602cec1be5d9\amd64_ipoib6x.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_e59925927d88680e\amd64_ialpssi_gpio.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_a649fe25b1990444\amd64_hyperv-vmserial.resources_31bf3856ad364e35_10.0.17134.1_en-us_6d3c997783423a80\amd64_libressl-components-onecore_31bf3856ad364e35_10.0.17134.1_none_d4aeb1dd3dba3b92\amd64_hyperv-vmsynthnic.resources_31bf3856ad364e35_10.0.17134.1_en-us_32a65f534e80b7d2\amd64_ialpssi_i2c.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_0a046d4df7f0ac7b\famd64_mdmcxhv6.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_09e8c5d79af537ba\585aamd64_mdmmoto1.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_f75b3576214733f5\amd64_mdmusrk1.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_9eb3b46050454167\amd64_mediatransportcontrols-model_31bf3856ad364e35_10.0.17134.1_none_df95a0919952295e\amd64_lsi_sas2i.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_95805ec2a0a23b1e\amd64_lsi_sss.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_ad30da42fcd27fef\amd64_machine.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_2a8d9dcc57300c60\amd64_mausbhost.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_906215b3f2b26ad5\amd64_mdmcxpv6.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_59fc9c9cf9be23f2\amd64_mdmhayes.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_8c57d7d49a69f653\amd64_mdmmot64.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_ff000c8ab0496599\amd64_mdmbtmdm.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_96206be438f55483\amd64_lsi_sas3i.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_d9378c0cca16d307\amd64_lsi_sas.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_f2367d3fe2c952ed\amd64_mdmirmdm.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_22eea3ac5f721862\amd64_mdmsettingsprov.resources_31bf3856ad364e35_10.0.17134.1_en-us_ad23c7918d89772c\amd64_megasas2i.inf.resources_31bf3856ad364e35_10.0.17134.1_en-us_f6956e52f0cb7c0f\amd64_microsoft-etw-ese.resources_31bf3856ad364e35_10.0.17134.1_en-us_d9d3654b48a76eff\amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.17134.1_none_b7de7159233ab503\c601amd64_microsoft-hyper-v-kmcl_31bf3856ad364e35_10.0.17134.1_none_58d19a03c592a9cb
Source: yjOapKcgE1.exe, 00000000.00000003.412176983.0000000003E0C000.00000004.00000001.sdmp	Binary or memory string: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catnx
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-o..oyment-languagepack_31bf3856ad364e35_10.0.17134.1_en-us_6340c1c9612e407b.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-o..oyment-languagepack_31bf3856ad364e35_10.0.17134.1_en-us_d4bc3c4a770c0641.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1mum
Source: yjOapKcgE1.exe, 00000000.00000003.415062404.0000000003DB4000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.552142955.0000000003DB4000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.381751774.0000000003E3D000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-h..-onecore-deployment_31bf3856ad364e35_10.0.17134.1_none_31bb998e7ce8dbdd.manifestr
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-v..izationv2.resources_31bf3856ad364e35_10.0.17134.1_en-us_aea0b368e53cc261\cS
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.17134.1_none_e636218254eba71f.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumQs
Source: yjOapKcgE1.exe, 00000000.00000003.412042043.0000000003025000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1}k
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-kmcl_31bf3856ad364e35_10.0.17134.1_none_58d19a03c592a9cb.manifestZ
Source: yjOapKcgE1.exe, 00000000.00000003.414833592.000000000300B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum.1
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-ram-parser_31bf3856ad364e35_10.0.17134.1_none_d74ad2482ffdcb42.manifestl
Source: csrss.exe, 00000004.00000003.429515280.0000000002818000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-windows-aadjcsp_31bf3856ad364e35_10.0.17134.1_none_600d1259ff3335b6\b9amd64_microsoft-windows-advapi32_31bf3856ad364e35_10.0.17134.1_none_c8c8de01efac1e9a\2amd64_microsoft-windows-aclui_31bf3856ad364e35_10.0.17134.1_none_3a8aea751cd120a6\14c9amd64_microsoft-windows-acpiex_31bf3856ad364e35_10.0.17134.1_none_1a4b31fb42236e50\9aamd64_microsoft-windows-acproxy_31bf3856ad364e35_10.0.17134.1_none_db8fdf238ef4ea20\5bamd64_microsoft-windows-bowser_31bf3856ad364e35_10.0.17134.1_none_0be0194b8d6af782\26amd64_microsoft-onecore-encdump_31bf3856ad364e35_10.0.17134.1_none_c9af4ac1de264540\amd64_microsoft-hyper-v-winhvr_31bf3856ad364e35_10.0.17134.1_none_2becad3b77bb3580\amd64_microsoft-hyper-v-winhv_31bf3856ad364e35_10.0.17134.1_none_c35bb6c84d5e4ad0\amd64_microsoft-hyper-v-vstack-vid_31bf3856ad364e35_10.0.17134.1_none_602fae5e8a21fe6a\amd64_microsoft-onecore-quiethours_31bf3856ad364e35_10.0.17134.1_none_8e6c6b9a9f19e7c7\amd64_microsoft-onecore-uiamanager_31bf3856ad364e35_10.0.17134.1_none_b5bc4f47f4347c9a\amd64_microsoft-onecore-cdp-winrt_31bf3856ad364e35_10.0.17134.1_none_492d582f5cbd45f0\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.17134.1_none_d2d7886a87bde445\amd64_microsoft-windows-acledit_31bf3856ad364e35_10.0.17134.1_none_4d620c9fc5bc5c30\amd64_microsoft-system-user-ext_31bf3856ad364e35_10.0.17134.1_none_60e18319883c0acb\b9amd64_microsoft-windows-apprep_31bf3856ad364e35_10.0.17134.1_none_f179b7188fea9ad4\amd64_microsoft-windows-atbroker_31bf3856ad364e35_10.0.17134.1_none_b5213c28877f9dde\amd64_microsoft-windows-audio-mci_31bf3856ad364e35_10.0.17134.1_none_028de57d556265b6\amd64_microsoft-windows-attrib_31bf3856ad364e35_10.0.17134.1_none_980ea708f55ee5fa\amd64_microsoft-windows-advpack_31bf3856ad364e35_11.0.17134.1_none_c53d6ca9c6d4d1b1\amd64_microsoft-windows-authext_31bf3856ad364e35_10.0.17134.1_none_cbbe7dc72821babf\amd64_microsoft-windows-autochk_31bf3856ad364e35_10.0.17134.1_none_c77479a12aeb88d9\f1amd64_microsoft-windows-ahcache_31bf3856ad364e35_10.0.17134.1_none_18d10ab3c30df7a5\amd64_microsoft-windows-aerolite_31bf3856ad364e35_10.0.17134.1_none_bc01bd81d1468e95\amd64_microsoft-windows-appidcore_31bf3856ad364e35_10.0.17134.1_none_145165e81f8f518b\amd64_microsoft-windows-aero_ss_31bf3856ad364e35_10.0.17134.1_none_f198e2bda9113d3e\amd64_microsoft-windows-aero_31bf3856ad364e35_10.0.17134.1_none_91639de28293fc33\amd64_microsoft-windows-appxsip_31bf3856ad364e35_10.0.17134.1_none_aee5b406df304c07\91amd64_microsoft-windows-appid_31bf3856ad364e35_10.0.17134.1_none_3ccc9ca31b51b1f0\amd64_microsoft-windows-appwiz_31bf3856ad364e35_10.0.17134.1_none_f146c4d490108c2f\5f1amd64_microsoft-windows-atlthunk_31bf3856ad364e35_10.0.17134.1_none_736718a63a4836c7\amd64_microsoft-windows-bootvid_31bf3856ad364e35_10.0.17134.1_none_1dfa07d0ef5ec285\amd64_microsoft-windows-bits-adm_31bf3856ad364e35_10.0.17134.1_none_558ef083b2ec4ecf\amd64_microsoft-windows-bootconfig_31bf3856ad364e35_10.0.17134.1_none_f197096183727a5e\amd64_microsoft-windows-azma
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-management-clients_31bf3856ad364e35_10.0.17134.1_none_d80c4ce4e8fa0144\Q
Source: yjOapKcgE1.exe, 00000000.00000003.415982243.0000000003047000.00000004.00000001.sdmp	Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.11catU
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-sysprep-provider_31bf3856ad364e35_10.0.17134.1_none_18c6a9392dd7eb3e\
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: csrss.exe, 00000004.00000003.434868674.0000000003DB4000.00000004.00000001.sdmp	Binary or memory string: WMSFT_NetEventPacketCaptureProvider.formatlt-poMSFT_NetEventVmSwitchProvider.format.ps1xmlld4MSFT_NetEventNetworkAdapter.format.ps1xmlcrosofMSFT_NetEventNetworkAdapter.format.ps1xml10.0.1MSFT_NetEventPacketCaptureProvider.cdxml1xmlSxMSFT_NetEventVmNetworkAdatper.format.ps1xmlf385MSFT_NetEventVmSwitchProvider.format.ps1xml\MSFT_NetEventWFPCaptureProvider.format.ps1xmlpoMSFT_NetEventVmSwitchProvider.format.ps1xmlld4MSFT_NetEventNetworkAdapter.format.ps1xmlxmlOFMSFT_NetEventNetworkAdapter.format.ps1xml10.0.17134.1_NONE_B4D4414A63AE697C\\WC:\WINDOWS\WINSXMSFT_NetEventPacketCaptureProvider.cdxmlmlF385MSFT_NetEventVmNetworkAdatper.format.ps1xml\wiMSFT_NetEventVmNetworkAdatper.format.ps1xmlT-POMSFT_NetEventPacketCaptureProvider.cdxmlNE_B4D4414A63AE697C\qC:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-NAT-POWERSHELL_31BF3856AD364E35_10.0.17134.1_NONE_B4D4414A63AE697CC:\Windows\WinSxS\wow64_microsoft-windows-nat-powershell_31bf3856ad364e35_10.0.17134.1_none_b4d4414a63ae697c\MSFT_NetNat.cdxmlWinSxS\wow64_microsoft-windows-nat-powershell_31bf3856ad364e35_10.0.17134.1_none_b4d4414a63ae697c\C:\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-NAT-POWERSHELL_31BF3856AD364E35_10.0.17134.1_NONE_B4D4414A63AE697C\3C:\Windows\WinSxS\wow64_microsoft-windows-ndis-implatform_31bf3856ad364e35_10.0.17134.1_none_45c06433e16a291b\C:\Windows\WinSxS\wow64_microsoft-windows-nat-powershell_31bf3856ad364e35_10.0.17134.1_none_b4d4414a63ae697c\C:\Windows\WinSxS\wow64_microsoft-windows-nat-powershell_31bf3856ad364e35_10.0.17134.1_none_b4d4414a63ae697c\fC:\Windows\WinSxS\wow64_microsoft-windows-nat-powershell_31bf3856ad364e35_10.0.17134.1_none_b4d4414a63ae697c\oC:\Windows\WinSxS\wow64_microsoft-windows-nat-powershell_31bf3856ad364e35_10.0.17134.1_none_b4d4414a63ae697c\
Source: yjOapKcgE1.exe, 00000000.00000003.412042043.0000000003025000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat4.1.inf_amd64_9f5493180b1252cf\
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catpk
Source: yjOapKcgE1.exe, 00000000.00000003.415062404.0000000003DB4000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-o..oyment-languagepack_31bf3856ad364e35_10.0.17134.1_en-us_356d3b5898bc1c7d.manifestL
Source: yjOapKcgE1.exe, 00000000.00000003.414833592.000000000300B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.11
Source: yjOapKcgE1.exe, 00000000.00000003.408955641.0000000003000000.00000004.00000001.sdmp	Binary or memory string: Hyper-V\Team\
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-ram-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_8051bd2040ebffa9.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum.cat
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-sysprep-provider_31bf3856ad364e35_10.0.17134.1_none_18c6a9392dd7eb3e.manifest`
Source: yjOapKcgE1.exe, 00000000.00000003.414767763.0000000003DB8000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat\Kl
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum.mum
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.412351488.000000000301E000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.412351488.000000000301E000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cate0416
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vpmem_31bf3856ad364e35_10.0.17134.1_none_c277eb1734798565.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat8
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catxs
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vmsp_31bf3856ad364e35_10.0.17134.1_none_1ac175bdc8f2a7d7\=K
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mummmm7v
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat_amd649l
Source: yjOapKcgE1.exe, 00000000.00000003.382825264.0000000003D31000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vmwp.resources_31bf3856ad364e35_10.0.17134.1_en-us_662e0a371a2edd22.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.412042043.0000000003025000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.14.1+k
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.17134.1_none_69e85823c476b806\
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catcatt
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catf54688>
Source: yjOapKcgE1.exe, 00000000.00000003.381751774.0000000003E3D000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-d..ypervisor.resources_31bf3856ad364e35_10.0.17134.1_en-us_f27d2f48e22200a4.manifestl
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-computelib_31bf3856ad364e35_10.0.17134.1_none_9321c5b124bca3df\
Source: yjOapKcgE1.exe, 00000000.00000003.552142955.0000000003DB4000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catt
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-kmcl_31bf3856ad364e35_10.0.17134.1_none_58d19a03c592a9cb\
Source: yjOapKcgE1.exe, 00000000.00000003.415982243.0000000003047000.00000004.00000001.sdmp	Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum.1
Source: yjOapKcgE1.exe, 00000000.00000003.415062404.0000000003DB4000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mume3
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp, csrss.exe, 00000002.00000002.418731471.0000000002812000.00000004.00000001.sdmp, csrss.exe, 00000004.00000003.429515280.0000000002818000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.17134.1_none_1c1693f7c8171ba6\
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-hypervcluster_31bf3856ad364e35_10.0.17134.1_none_d23c603739df2f63\WindowsHyperVCluster.V2.mofe"\
Source: csrss.exe, 00000002.00000002.418731471.0000000002812000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-system-user-ext_31bf3856ad364e35_10.0.17134.1_none_60e18319883c0acb\a6amd64_microsoft-windows-acledit_31bf3856ad364e35_10.0.17134.1_none_4d620c9fc5bc5c30\aamd64_microsoft-hyper-v-vstack-vid_31bf3856ad364e35_10.0.17134.1_none_602fae5e8a21fe6a\amd64_microsoft-windows-aadjcsp_31bf3856ad364e35_10.0.17134.1_none_600d1259ff3335b6\7amd64_microsoft-onecore-encdump_31bf3856ad364e35_10.0.17134.1_none_c9af4ac1de264540\5bamd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.17134.1_none_d2d7886a87bde445\amd64_microsoft-hyper-v-winhv_31bf3856ad364e35_10.0.17134.1_none_c35bb6c84d5e4ad0\amd64_microsoft-windows-acpiex_31bf3856ad364e35_10.0.17134.1_none_1a4b31fb42236e50\4c9amd64_microsoft-onecore-quiethours_31bf3856ad364e35_10.0.17134.1_none_8e6c6b9a9f19e7c7\amd64_microsoft-windows-bowser_31bf3856ad364e35_10.0.17134.1_none_0be0194b8d6af782\26amd64_microsoft-windows-acproxy_31bf3856ad364e35_10.0.17134.1_none_db8fdf238ef4ea20\7amd64_microsoft-windows-advapi32_31bf3856ad364e35_10.0.17134.1_none_c8c8de01efac1e9a\2amd64_microsoft-onecore-cdp-winrt_31bf3856ad364e35_10.0.17134.1_none_492d582f5cbd45f0\amd64_microsoft-onecore-uiamanager_31bf3856ad364e35_10.0.17134.1_none_b5bc4f47f4347c9a\amd64_microsoft-windows-aclui_31bf3856ad364e35_10.0.17134.1_none_3a8aea751cd120a6\14c9amd64_microsoft-hyper-v-winhvr_31bf3856ad364e35_10.0.17134.1_none_2becad3b77bb3580\amd64_microsoft-windows-aero_ss_31bf3856ad364e35_10.0.17134.1_none_f198e2bda9113d3e\amd64_microsoft-windows-advpack_31bf3856ad364e35_11.0.17134.1_none_c53d6ca9c6d4d1b1\amd64_microsoft-windows-aero_31bf3856ad364e35_10.0.17134.1_none_91639de28293fc33\amd64_microsoft-windows-appid_31bf3856ad364e35_10.0.17134.1_none_3ccc9ca31b51b1f0\amd64_microsoft-windows-appwiz_31bf3856ad364e35_10.0.17134.1_none_f146c4d490108c2f\amd64_microsoft-windows-authext_31bf3856ad364e35_10.0.17134.1_none_cbbe7dc72821babf\amd64_microsoft-windows-autochk_31bf3856ad364e35_10.0.17134.1_none_c77479a12aeb88d9\amd64_microsoft-windows-appxsip_31bf3856ad364e35_10.0.17134.1_none_aee5b406df304c07\amd64_microsoft-windows-aerolite_31bf3856ad364e35_10.0.17134.1_none_bc01bd81d1468e95\amd64_microsoft-windows-apprep_31bf3856ad364e35_10.0.17134.1_none_f179b7188fea9ad4\amd64_microsoft-windows-atlthunk_31bf3856ad364e35_10.0.17134.1_none_736718a63a4836c7\1amd64_microsoft-windows-attrib_31bf3856ad364e35_10.0.17134.1_none_980ea708f55ee5fa\amd64_microsoft-windows-atbroker_31bf3856ad364e35_10.0.17134.1_none_b5213c28877f9dde\1amd64_microsoft-windows-ahcache_31bf3856ad364e35_10.0.17134.1_none_18d10ab3c30df7a5\amd64_microsoft-windows-appidcore_31bf3856ad364e35_10.0.17134.1_none_145165e81f8f518b\amd64_microsoft-windows-audio-mci_31bf3856ad364e35_10.0.17134.1_none_028de57d556265b6\amd64_microsoft-windows-bcrypt-dll_31bf3856ad364e35_10.0.17134.1_none_d40d1fc458900e79\amd64_microsoft-windows-beepsys_31bf3856ad364e35_10.0.17134.1_none_a9a12daa70c7ae45\amd64_microsoft-windows-bootconfig_31bf3856ad364e35_10.0.17134.1_none_f197096183727a5e\amd64_microsoft-windows-bootm
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumcat6s
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-m..wallrules.resources_31bf3856ad364e35_10.0.17134.1_en-us_c011eec82bd47853.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat%u
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.368571550.0000000003E06000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\WinSxS\wow64_microsoft-windows-label.resources_31bf3856ad364e35_10.0.17134.1_en-us_d69cf21a41b75966\label.exe.muiEventVmNetworkAdatper.format.ps1xmls1xml74d26b1ffcdc7c\*ile.dllioclltication.Identity.Provider.dll
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat02!
Source: yjOapKcgE1.exe, 00000000.00000003.382657092.0000000003D10000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.17134.1_none_3ce1277763a2249b.manifestst
Source: yjOapKcgE1.exe, 00000000.00000003.415982243.0000000003047000.00000004.00000001.sdmp	Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mummmm
Source: yjOapKcgE1.exe, 00000000.00000003.412712919.0000000003DBC000.00000004.00000001.sdmp	Binary or memory string: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catt
Source: yjOapKcgE1.exe, 00000000.00000003.412042043.0000000003025000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catRk
Source: yjOapKcgE1.exe, 00000000.00000003.406740318.000000000303F000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-debug.resources_31bf3856ad364e35_10.0.17134.1_en-us_8e782c7a46f14b49\\|YC
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1m
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vid_31bf3856ad364e35_10.0.17134.1_none_602fae5e8a21fe6a.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-v..failoverreplication_31bf3856ad364e35_10.0.17134.1_none_80458ecfde93ef21.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.418759784.0000000003DB5000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.muml
Source: yjOapKcgE1.exe, 00000000.00000003.415982243.0000000003047000.00000004.00000001.sdmp	Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catm
Source: csrss.exe, 00000004.00000003.429515280.0000000002818000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-ram-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_8051bd2040ebffa9\amd64_microsoft-hyper-v-i..ationcomponents-rdv_31bf3856ad364e35_10.0.17134.1_none_27198deddb7b50eb\amd64_microsoft-hyper-v-m..lebrowser.resources_31bf3856ad364e35_10.0.17134.1_en-us_73034f3cf79a1975\amd64_microsoft-hyper-v-h..rvisor-host-service_31bf3856ad364e35_10.0.17134.1_none_51d671baba10f2e8\amd64_microsoft-hyper-v-h..t-service.resources_31bf3856ad364e35_10.0.17134.1_en-us_0d3e2a9bd4020545\amd64_microsoft-hyper-v-i..nents-rdv.resources_31bf3856ad364e35_10.0.17134.1_en-us_e3616de0d25a48c4\amd64_microsoft-hyper-v-m..-client.snapinabout_31bf3856ad364e35_10.0.17134.1_none_7338804b0eb50c17\amd64_microsoft-hyper-v-m..apinabout.resources_31bf3856ad364e35_10.0.17134.1_en-us_02a473bf02f2a824\amd64_microsoft-hyper-v-d..ypervisor.resources_31bf3856ad364e35_10.0.17134.1_en-us_f27d2f48e22200a4\amd64_microsoft-hyper-v-p..ru-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_d16dce7672841ddd\amd64_microsoft-hyper-v-m..t-clients.resources_31bf3856ad364e35_10.0.17134.1_en-us_d370585015d204f5\amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.17134.1_none_7743eea1a413bb8c\amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.17134.1_none_3ce1277763a2249b\amd64_microsoft-hyper-v-lun-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_15c27a1250ea6310\amd64_microsoft-onecore-a..sourcepolicy-server_31bf3856ad364e35_10.0.17134.1_none_8bb9bb03e61e0547\amd64_microsoft-hyper-v-pvhd-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_3c5b1e1b1b3e66b3\amd64_microsoft-hyper-v-vstack-vmms.resources_31bf3856ad364e35_10.0.17134.1_en-us_2b9c39681a7206ff\amd64_microsoft-hyper-v-v..izationv2.resources_31bf3856ad364e35_10.0.17134.1_en-us_aea0b368e53cc261\amd64_microsoft-hyper-v-vstack-vmwp.resources_31bf3856ad364e35_10.0.17134.1_en-us_662e0a371a2edd22\amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.17134.1_en-us_f8bef40208ce4908\amd64_microsoft-hyper-v-vstack-debug.resources_31bf3856ad364e35_10.0.17134.1_en-us_8e782c7a46f14b49\amd64_microsoft-hyper-v-v..omputelib.resources_31bf3856ad364e35_10.0.17134.1_en-us_a1cfee3fcfcbe4d8\amd64_microsoft-hyper-v-vstack-vmsp.resources_31bf3856ad364e35_10.0.17134.1_en-us_96681ed56ec765c6\amd64_microsoft-hyper-v-vstack-hypervcluster_31bf3856ad364e35_10.0.17134.1_none_d23c603739df2f63\amd64_microsoft-hyper-v-v..failoverreplication_31bf3856ad364e35_10.0.17134.1_none_80458ecfde93ef21\amd64_microsoft-hyper-v-v..edstorage.resources_31bf3856ad364e35_10.0.17134.1_en-us_bdfc93ec7698eb64\amd64_microsoft-hyper-v-v..nthfcvdev.resources_31bf3856ad364e35_10.0.17134.1_en-us_9c3432f847f5f8f0\amd64_microsoft-hyper-v-v..rvcluster.resources_31bf3856ad364e35_10.0.17134.1_en-us_a86f4344ed926804\amd64_microsoft-hyper-v-v..ck-virtualizationv2_31bf3856ad364e35_10.0.17134.1_none_55327e6a748f524c\amd64_microsoft-hyper-v-vhd-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_0b749ee450213385\amd64_microsoft-hyper-v-
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat.1!
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp, csrss.exe, 00000002.00000002.418731471.0000000002812000.00000004.00000001.sdmp, csrss.exe, 00000004.00000003.429515280.0000000002818000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-pvhd-parser_31bf3856ad364e35_10.0.17134.1_none_6efae9ae437759d8\
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.17134.1_none_b7de7159233ab503.manifest3
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catt
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum"k
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1at
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-config_31bf3856ad364e35_10.0.17134.1_none_dacb8dcdbfa5382f\
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.17134.1_none_15d1dfb8ceafada1\
Source: yjOapKcgE1.exe, 00000000.00000003.412042043.0000000003025000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catcat
Source: yjOapKcgE1.exe, 00000000.00000003.415982243.0000000003047000.00000004.00000001.sdmp	Binary or memory string: HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1m
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-storflt_31bf3856ad364e35_10.0.17134.1_none_fc7308d7bbb0dfd6.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp	Binary or memory string: C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.414935750.000000000300B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catt&?`
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-v..ck-virtualizationv2_31bf3856ad364e35_10.0.17134.1_none_55327e6a748f524c.manifestn
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-v..ck-virtualizationv2_31bf3856ad364e35_10.0.17134.1_none_55327e6a748f524c\FS
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-3dvideo_31bf3856ad364e35_10.0.17134.1_none_bb0455987cc9b004.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.552142955.0000000003DB4000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catR
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catinf_amd
Source: yjOapKcgE1.exe, 00000000.00000003.414767763.0000000003DB8000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catWV
Source: yjOapKcgE1.exe, 00000000.00000003.415982243.0000000003047000.00000004.00000001.sdmp	Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat1
Source: yjOapKcgE1.exe, 00000000.00000003.414833592.000000000300B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1
Source: yjOapKcgE1.exe, 00000000.00000003.382209758.0000000003D32000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-debug.resources_31bf3856ad364e35_10.0.17134.1_en-us_8e782c7a46f14b49.manifesturc
Source: yjOapKcgE1.exe, 00000000.00000003.382825264.0000000003D31000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vdev-offline_31bf3856ad364e35_10.0.17134.1_none_c190bdf9d967faea.manifestfD
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vpcivdev_31bf3856ad364e35_10.0.17134.1_none_7873076add237d80.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-pvhd-parser_31bf3856ad364e35_10.0.17134.1_none_6efae9ae437759d8.manifest1\[&
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.382209758.0000000003D32000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vmsp.resources_31bf3856ad364e35_10.0.17134.1_en-us_96681ed56ec765c6.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.552142955.0000000003DB4000.00000004.00000001.sdmp	Binary or memory string: HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat\*\
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-m..t-clients.resources_31bf3856ad364e35_10.0.17134.1_en-us_d370585015d204f5.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414767763.0000000003DB8000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mumeV
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-synthfcvdev_31bf3856ad364e35_10.0.17134.1_none_2457e84548829177\
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-m..lebrowser.resources_31bf3856ad364e35_10.0.17134.1_en-us_73034f3cf79a1975.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-socket-provider_31bf3856ad364e35_10.0.17134.1_none_f5d736b78ec0a239\\
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.411350534.000000000301B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.382209758.0000000003D32000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.17134.1_en-us_f8bef40208ce4908.manifestiCe
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-pvhd-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_3c5b1e1b1b3e66b3\wT
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-o..oyment-languagepack_31bf3856ad364e35_10.0.17134.1_en-us_705250041d8b5452.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.catwu
Source: yjOapKcgE1.exe, 00000000.00000003.379970460.0000000003D4C000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-bpa_31bf3856ad364e35_10.0.17134.1_none_84e0eedae46f7b9b.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.403819221.0000000003097000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.17134.1_none_e636218254eba71f\(
Source: yjOapKcgE1.exe, 00000000.00000003.406740318.000000000303F000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vstack-hypervcluster_31bf3856ad364e35_10.0.17134.1_none_d23c603739df2f63\
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-socket-provider_31bf3856ad364e35_10.0.17134.1_none_f5d736b78ec0a239\4
Source: yjOapKcgE1.exe, 00000000.00000003.406821447.000000000303C000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-bpa.resources_31bf3856ad364e35_10.0.17134.1_en-us_461210c45e54cb44\7\N_
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-p..ru-parser.resources_31bf3856ad364e35_10.0.17134.1_en-us_d16dce7672841ddd.manifestC
Source: yjOapKcgE1.exe, 00000000.00000003.414935750.000000000300B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.414722241.0000000003017000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat34.1
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-vpmem.resources_31bf3856ad364e35_10.0.17134.1_en-us_83c966966d5f8cf2\dQM
Source: yjOapKcgE1.exe, 00000000.00000003.412042043.0000000003025000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catc
Source: yjOapKcgE1.exe, 00000000.00000003.376466131.0000000003CC0000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-o..-onecore-deployment_31bf3856ad364e35_10.0.17134.1_none_ca9236a4769cd0cd.manifest^8R
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catmum
Source: yjOapKcgE1.exe, 00000000.00000003.414330695.000000000300F000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catat[r
Source: yjOapKcgE1.exe, 00000000.00000003.414775808.0000000003DBD000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: yjOapKcgE1.exe, 00000000.00000003.408742143.0000000003DBA000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-socket-provider_31bf3856ad364e35_10.0.17134.1_none_f5d736b78ec0a239.manifest
Source: yjOapKcgE1.exe, 00000000.00000003.414935750.000000000300B000.00000004.00000001.sdmp	Binary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
Source: yjOapKcgE1.exe, 00000000.00000003.407295088.0000000003026000.00000004.00000001.sdmp	Binary or memory string: amd64_microsoft-hyper-v-m..t-clients.resources_31bf3856ad364e35_10.0.17134.1_en-us_d370585015d204f5\

Source: C:\ProgramData\Windows\csrss.exe

Code function: 2_2_0054FAAD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

2_2_0054FAAD

Source: C:\Users\user\Desktop\yjOapKcgE1.exe

0_2_00449089

Source: C:\Users\user\Desktop\yjOapKcgE1.exe

0_2_0041A13C

Source: C:\Users\user\Desktop\yjOapKcgE1.exe

Code function: 0_2_005664B0 TlsGetValue,TlsGetValue,TlsGetValue,TlsGetValue,CreateWaitableTimerA,SetWaitableTimer,WaitForMultipleObjects,CloseHandle,Sleep,CloseHandle,TlsGetValue,ResetEvent,__CxxThrowException@8,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_005664B0

Source: C:\Users\user\Desktop\yjOapKcgE1.exe

Memory protected: page write copy | page execute and read and write | page execute and write copy | page guard | page no cache

Jump to behavior

Source: C:\Users\user\Desktop\yjOapKcgE1.exe	Code function: 0_2_00550F9A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00550F9A
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_00550F9A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00550F9A
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_0054FAAD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0054FAAD
Source: C:\ProgramData\Windows\csrss.exe	Code function: 2_2_0054DB9A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0054DB9A

Source: C:\ProgramData\Windows\csrss.exe

Code function: 2_2_004078E6 Wow64DisableWow64FsRedirection,GetForegroundWindow,ShellExecuteW,Wow64RevertWow64FsRedirection,

2_2_004078E6

Source: yjOapKcgE1.exe, 00000000.00000002.871799609.0000000000D80000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: yjOapKcgE1.exe, 00000000.00000002.871799609.0000000000D80000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: yjOapKcgE1.exe, 00000000.00000002.871799609.0000000000D80000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: yjOapKcgE1.exe, 00000000.00000002.871799609.0000000000D80000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\yjOapKcgE1.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\ProgramData\Windows\csrss.exe

Code function: GetLocaleInfoA,

2_2_0055F513

Source: C:\ProgramData\Windows\csrss.exe

Code function: 2_2_00573480 cpuid

2_2_00573480

Source: C:\Users\user\Desktop\yjOapKcgE1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\yjOapKcgE1.exe

Code function: 0_2_0054E1CE GetSystemTimeAsFileTime,__aulldiv,

0_2_0054E1CE

Source: C:\ProgramData\Windows\csrss.exe

Code function: 2_2_00560999 __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

2_2_00560999

Source: C:\Users\user\Desktop\yjOapKcgE1.exe

0_2_00449089

Source: C:\ProgramData\Windows\csrss.exe

Code function: 2_2_004176EB _memset,GetUserNameW,

2_2_004176EB

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	DLL Side-Loading1	Exploitation for Privilege Escalation1	Disable or Modify Tools1	Input Capture1	System Time Discovery2	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel22	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Defacement1
Default Accounts	Command and Scripting Interpreter2	Application Shimming1	DLL Side-Loading1	Deobfuscate/Decode Files or Information1	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Registry Run Keys / Startup Folder1	Application Shimming1	Obfuscated Files or Information3	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Multi-hop Proxy1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Process Injection2	Software Packing13	NTDS	System Information Discovery45	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Registry Run Keys / Startup Folder1	DLL Side-Loading1	LSA Secrets	Security Software Discovery131	SSH	Keylogging	Data Transfer Size Limits	Proxy2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	File Deletion1	Cached Domain Credentials	Virtualization/Sandbox Evasion1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Masquerading1	DCSync	Process Discovery13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion1	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection2	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
yjOapKcgE1.exe	67%	Virustotal		Browse
yjOapKcgE1.exe	69%	Metadefender		Browse
yjOapKcgE1.exe	87%	ReversingLabs	Win32.Ransomware.AvaddonCrypt
yjOapKcgE1.exe	100%	Avira	TR/Crypt.XPACK.Gen2

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\Windows\csrss.exe	100%	Avira	TR/Crypt.XPACK.Gen2
C:\ProgramData\Windows\csrss.exe	67%	Virustotal		Browse
C:\ProgramData\Windows\csrss.exe	69%	Metadefender		Browse
C:\ProgramData\Windows\csrss.exe	87%	ReversingLabs	Win32.Ransomware.AvaddonCrypt

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.0.csrss.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File
0.2.yjOapKcgE1.exe.400000.0.unpack	100%	Avira	TR/Crypt.FKM.Gen	Download File
4.2.csrss.exe.2480000.2.unpack	100%	Avira	TR/Crypt.FKM.Gen	Download File
2.2.csrss.exe.400000.0.unpack	100%	Avira	TR/Crypt.FKM.Gen	Download File
2.2.csrss.exe.2480000.2.unpack	100%	Avira	TR/Crypt.FKM.Gen	Download File
0.2.yjOapKcgE1.exe.2270000.2.unpack	100%	Avira	TR/Crypt.FKM.Gen	Download File
2.0.csrss.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File
0.0.yjOapKcgE1.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File
4.2.csrss.exe.400000.0.unpack	100%	Avira	TR/Crypt.FKM.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://a4ad4ip2xzclh6fd.onionreg.phpprog.phperr.phpcmd.phpsys.phpshd.phpmail.php?&v=b=i=k=ss=e=c=f=s	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://whatismyipaddress.com///whatismyipaddress.com/ip/Click	yjOapKcgE1.exe, 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp, csrss.exe, 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp, csrss.exe, 00000004.00000002.440528103.00000000005E5000.00000040.00000001.sdmp	false		high
https://www.torproject.org/	yjOapKcgE1.exe, yjOapKcgE1.exe, 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, csrss.exe, csrss.exe, 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, csrss.exe, 00000004.00000002.439611508.0000000000400000.00000040.00000001.sdmp	false		high
http://whatismyipaddress.com/	yjOapKcgE1.exe, csrss.exe, csrss.exe, 00000004.00000002.440528103.00000000005E5000.00000040.00000001.sdmp	false		high
http://whatsmyip.net/	csrss.exe, 00000004.00000002.440528103.00000000005E5000.00000040.00000001.sdmp	false		high
http://a4ad4ip2xzclh6fd.onionreg.phpprog.phperr.phpcmd.phpsys.phpshd.phpmail.php?&v=b=i=k=ss=e=c=f=s	yjOapKcgE1.exe, 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp, csrss.exe, 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp, csrss.exe, 00000004.00000002.440528103.00000000005E5000.00000040.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://www.openssl.org/support/faq.html.	yjOapKcgE1.exe, 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, csrss.exe, 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, csrss.exe, 00000004.00000002.439611508.0000000000400000.00000040.00000001.sdmp	false		high
http://www.openssl.org/support/faq.html	yjOapKcgE1.exe, csrss.exe, csrss.exe, 00000004.00000002.439611508.0000000000400000.00000040.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
154.35.32.5	unknown	United States	14987	RETHEMHOSTINGUS	false
76.73.17.194	unknown	United States	25921	LUS-FIBER-LCGUS	false
193.23.244.244	unknown	Germany	50472	CHAOS-ASDE	false

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	492525
Start date:	28.09.2021
Start time:	19:35:45
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	yjOapKcgE1 (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.evad.winEXE@3/3@0/4
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 57% Number of executed functions: 103 Number of non-executed functions: 263
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.168.117.173, 20.42.73.29, 52.182.143.212, 13.89.179.12, 20.189.173.22, 20.82.210.154, 8.248.141.254, 67.26.75.254, 8.238.85.126, 8.248.133.254, 8.241.126.121, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235, 23.211.4.86 Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, fg.download.windowsupdate.com.c.footprint.net, onedsblobprdwus17.westus.cloudapp.azure.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, onedsblobprdcus17.centralus.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, onedsblobprdcus15.centralus.cloudapp.azure.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, onedsblobprdeus15.eastus.cloudapp.azure.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:36:56	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Client Server Runtime Subsystem "C:\ProgramData\Windows\csrss.exe"
19:37:06	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Client Server Runtime Subsystem "C:\ProgramData\Windows\csrss.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
154.35.32.5	IEsSSwba4T.exe	Get hash	malicious	Browse
	NtA6ABwq75.exe	Get hash	malicious	Browse
	OR1kcoDd2F.exe	Get hash	malicious	Browse
	y2N49ht6t4.exe	Get hash	malicious	Browse
	2te6IkdbJu.exe	Get hash	malicious	Browse
	fu3fXqZvuo.exe	Get hash	malicious	Browse
	jTI7J7BCUj.exe	Get hash	malicious	Browse
	75dZK4LPMP.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Encoder.10507.20567.exe	Get hash	malicious	Browse
	437#U0435.js	Get hash	malicious	Browse
	437#U0435.js	Get hash	malicious	Browse
	437#U0435.js	Get hash	malicious	Browse
	1.12.2018.js	Get hash	malicious	Browse
	1.12.2018.js	Get hash	malicious	Browse
	1.12.2018.js	Get hash	malicious	Browse
	1.12.2018.js	Get hash	malicious	Browse
	1.12.2018.js	Get hash	malicious	Browse
	1.12.2018.js	Get hash	malicious	Browse
	1.12.2018.js	Get hash	malicious	Browse
	1.12.2018.js	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
RETHEMHOSTINGUS	IEsSSwba4T.exe	Get hash	malicious	Browse	154.35.32.5
	NtA6ABwq75.exe	Get hash	malicious	Browse	154.35.32.5
	OR1kcoDd2F.exe	Get hash	malicious	Browse	154.35.32.5
	y2N49ht6t4.exe	Get hash	malicious	Browse	154.35.32.5
	Cx1HKT0xhO.exe	Get hash	malicious	Browse	154.35.175.225
	ac1khvFT2V.exe	Get hash	malicious	Browse	154.35.175.225
	re.a1rmv4l	Get hash	malicious	Browse	149.9.143.167
	2te6IkdbJu.exe	Get hash	malicious	Browse	154.35.32.5
	fu3fXqZvuo.exe	Get hash	malicious	Browse	154.35.32.5
	jTI7J7BCUj.exe	Get hash	malicious	Browse	154.35.32.5
	75dZK4LPMP.exe	Get hash	malicious	Browse	154.35.32.5
	e4phNkmjAJ	Get hash	malicious	Browse	154.35.8.244
	oEF7GAiRIg	Get hash	malicious	Browse	154.35.8.254
	SecuriteInfo.com.W32.MSIL_Kryptik.EWM.genEldorado.30775.exe	Get hash	malicious	Browse	154.35.175.225
	97238623.exe	Get hash	malicious	Browse	154.35.175.225
	FB11.exe	Get hash	malicious	Browse	154.35.175.225
	HUahIwV82u.exe	Get hash	malicious	Browse	154.35.175.225
	6d0000.exe	Get hash	malicious	Browse	154.35.175.225
	osiris.exe	Get hash	malicious	Browse	154.35.175.225
	6729001591617.exe	Get hash	malicious	Browse	154.35.175.225

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
1be3ecebe5aa9d3654e6e703d81f6928	OR1kcoDd2F.exe	Get hash	malicious	Browse	193.23.244.244
	i0DixfP527.exe	Get hash	malicious	Browse	193.23.244.244
	zjnO2flTJj.exe	Get hash	malicious	Browse	193.23.244.244
	fu3fXqZvuo.exe	Get hash	malicious	Browse	193.23.244.244
	-2019.xls.js	Get hash	malicious	Browse	193.23.244.244
	-2019.xls.js	Get hash	malicious	Browse	193.23.244.244
	0-10-2019.js	Get hash	malicious	Browse	193.23.244.244
	2c.exe	Get hash	malicious	Browse	193.23.244.244
	Uy5w2nr1M7.exe	Get hash	malicious	Browse	193.23.244.244
	9.03.docx.js	Get hash	malicious	Browse	193.23.244.244
	9.03.docx.js	Get hash	malicious	Browse	193.23.244.244
	8.29.docx.js	Get hash	malicious	Browse	193.23.244.244
	8.29.docx.js	Get hash	malicious	Browse	193.23.244.244
	8.19.docx.js	Get hash	malicious	Browse	193.23.244.244
	8.19.docx.js	Get hash	malicious	Browse	193.23.244.244
	8.20.docx.js	Get hash	malicious	Browse	193.23.244.244
	0812.docx.js	Get hash	malicious	Browse	193.23.244.244
	08-06.doc.js	Get hash	malicious	Browse	193.23.244.244
	0807.docx.js	Get hash	malicious	Browse	193.23.244.244
	0807.docx.js	Get hash	malicious	Browse	193.23.244.244

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Windows\csrss.exe Download File
Process:	C:\Users\user\Desktop\yjOapKcgE1.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1244429
Entropy (8bit):	7.173731916265485
Encrypted:	false
SSDEEP:	24576:XHtrdKYVVSrqGDohJ3STZG8vIn/sCBGnWsY0Dy0:XHtV7GwBSTc8An/4YF0
MD5:	1D46AFB839B846EDE01CB925470F0488
SHA1:	8CFFC99CDA16D5D6B5192C62FEFAE6C0AC89B33D
SHA-256:	D158534622B057B387A617EBE2931FEF6D5C7D386B6DFBEB652C4781846F87C1
SHA-512:	888862EF478C79823A56AF36F303E5A5686CE31BFDCB4E9B630E8BEA791F10BF52F22B7FDB24BE4B01B6087292467B45EBEB52D4F954B482F24094AF14F64F10
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Virustotal, Detection: 67%, Browse Antivirus: Metadefender, Detection: 69%, Browse Antivirus: ReversingLabs, Detection: 87%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9.>.X.m.X.m.X.m...m.X.m.X.m.Y.m..Qm.X.m.X.m.X.m..Fm.X.m..Cm.X.mRich.X.m................PE..L....Zv\.................2..........`8.......P....@........................... .............................................[..x...................................................................................P...............................text...<1.......2.................. ..`.rdata...+...P...,...6..............@..@.data...X............b..............@....rsrc................d..............@..@........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6893A5D897\state.tmp Download File
Process:	C:\Users\user\Desktop\yjOapKcgE1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	199
Entropy (8bit):	4.78811407542215
Encrypted:	false
SSDEEP:	6:SbdWwxXN51+3tnXr87+QVe2vwR/EtbWCd8D5Hu:bwxXnc3tXr87HVBvwNi2Hu
MD5:	EE3B9638644A5EE616E2216088445594
SHA1:	E36AC55FE4BFCCF53CA10A36A53CA916ACD64EBB
SHA-256:	9FFE9AF033FBE8847C4992D95ADE7F8EDADF6124A7356E98E9A3CFFA455A6212
SHA-512:	F244B2DE284D60E17F83F3EA1652DFDFF1446C5181A53F9C13B4D445B7743133945A24EC06F2F7AA9E78C66D87DE83857D61FDF799DCC96FA716DC0B41503F34
Malicious:	false
Reputation:	low
Preview:	# Tor state file last generated on 2021-09-28 19:36:53 local time..# Other times below are in UTC..# You do not need to edit this file.....TorVersion Tor 0.2.5.10..LastWritten 2021-09-29 02:36:53..

C:\Users\user\AppData\Local\Temp\6893A5~1\state (copy) Download File
Process:	C:\Users\user\Desktop\yjOapKcgE1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	199
Entropy (8bit):	4.78811407542215
Encrypted:	false
SSDEEP:	6:SbdWwxXN51+3tnXr87+QVe2vwR/EtbWCd8D5Hu:bwxXnc3tXr87HVBvwNi2Hu
MD5:	EE3B9638644A5EE616E2216088445594
SHA1:	E36AC55FE4BFCCF53CA10A36A53CA916ACD64EBB
SHA-256:	9FFE9AF033FBE8847C4992D95ADE7F8EDADF6124A7356E98E9A3CFFA455A6212
SHA-512:	F244B2DE284D60E17F83F3EA1652DFDFF1446C5181A53F9C13B4D445B7743133945A24EC06F2F7AA9E78C66D87DE83857D61FDF799DCC96FA716DC0B41503F34
Malicious:	false
Reputation:	low
Preview:	# Tor state file last generated on 2021-09-28 19:36:53 local time..# Other times below are in UTC..# You do not need to edit this file.....TorVersion Tor 0.2.5.10..LastWritten 2021-09-29 02:36:53..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.173731916265485
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	yjOapKcgE1.exe
File size:	1244429
MD5:	1d46afb839b846ede01cb925470f0488
SHA1:	8cffc99cda16d5d6b5192c62fefae6c0ac89b33d
SHA256:	d158534622b057b387a617ebe2931fef6d5c7d386b6dfbeb652c4781846f87c1
SHA512:	888862ef478c79823a56af36f303e5a5686ce31bfdcb4e9b630e8bea791f10bf52f22b7fdb24be4b01b6087292467b45ebeb52d4f954b482f24094af14f64f10
SSDEEP:	24576:XHtrdKYVVSrqGDohJ3STZG8vIn/sCBGnWsY0Dy0:XHtV7GwBSTc8An/4YF0
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9.>.X.m.X.m.X.m...m.X.m.X.m.Y.m..Qm.X.m.X.m.X.m..Fm.X.m..Cm.X.mRich.X.m................PE..L....Zv\.................2.........

File Icon


Icon Hash:	f8e0e4e8ecccc870

Static PE Info

General
Entrypoint:	0x513860
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x5C765ADF [Wed Feb 27 09:39:43 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	b90027f65707ca9644c551e337fa02ad

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 18h
push edi
mov dword ptr [ebp-08h], 00000000h
mov dword ptr [ebp-04h], 00000000h
push 000014E8h
mov eax, dword ptr [00518214h]
push eax
call dword ptr [005154C4h]
test eax, eax
je 00007F626CB71EA9h
xor eax, eax
jmp 00007F626CB720C0h
mov dword ptr [ebp-04h], 00000001h
jmp 00007F626CB71EABh
mov ecx, dword ptr [ebp-04h]
add ecx, 01h
mov dword ptr [ebp-04h], ecx
cmp dword ptr [ebp-04h], 0000008Fh
jnc 00007F626CB71EAFh
push 0051809Ch
call dword ptr [005155A0h]
jmp 00007F626CB71E83h
push 005180B4h
call dword ptr [005155A0h]
push 005180CCh
call dword ptr [005154C0h]
mov dword ptr [ebp-0Ch], 00000001h
mov edx, dword ptr [ebp-0Ch]
push edx
call dword ptr [00515458h]
mov dword ptr [0051825Ch], 00000000h
jmp 00007F626CB71EAFh
mov eax, dword ptr [0051825Ch]
add eax, 01h
mov dword ptr [0051825Ch], eax
cmp dword ptr [0051825Ch], 423AB7DBh
jnc 00007F626CB71EA4h
jmp 00007F626CB71E87h
mov edi, edi
mov edi, edi
mov edx, dword ptr [ebp+08h]
mov edi, edi
mov dword ptr [0051821Ch], edx
mov dword ptr [005181FCh], ebp
mov dword ptr [ebp-04h], 00000000h
jmp 00007F626CB71EA2h
jmp 00007F626CB71EA2h

Rich Headers

Programming Language:

[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022
[ C ] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x115bd4	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x119000	0x18ad8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x12f000	0xd08	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x115000	0x5bc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11313c	0x113200	False	0.805441773626	data	7.1245745803	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x115000	0x2b2e	0x2c00	False	0.416725852273	data	5.57043666657	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x118000	0x358	0x200	False	0.640625	data	4.12281643222	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x119000	0xeead8	0x18c00	False	0.767617582071	data	7.1377470027	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
AVI	0x119410	0x2e1a	RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp	English	United States
MUI	0x11c230	0xe0	data	English	United States
RT_ICON	0x11c310	0x668	data	English	United States
RT_ICON	0x11c978	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2291109880, next used block 28872	English	United States
RT_ICON	0x11cc60	0x1e8	data	English	United States
RT_ICON	0x11ce48	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x11cf70	0xea8	data	English	United States
RT_ICON	0x11de18	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 15066613, next used block 15000828	English	United States
RT_ICON	0x11e6c0	0x6c8	data	English	United States
RT_ICON	0x11ed88	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x11f2f0	0xd9d2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x12ccc8	0x25a8	data	English	United States
RT_ICON	0x12f270	0x10a8	data	English	United States
RT_ICON	0x130318	0x988	data	English	United States
RT_ICON	0x130ca0	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_RCDATA	0x1315e8	0x4ec	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States
RT_GROUP_ICON	0x131108	0xbc	data	English	United States
RT_VERSION	0x1311c8	0x41c	data	English	United States

Imports

DLL	Import
KERNEL32.dll	GetStringTypeW, GetSystemDefaultLCID, GetSystemTimeAsFileTime, GetThreadLocale, GetThreadPriority, GetTickCount, GetUserDefaultUILanguage, GetVersionExA, GetVersionExW, GlobalAddAtomW, GlobalAlloc, GlobalDeleteAtom, GlobalFindAtomW, GlobalFlags, GlobalFree, GlobalHandle, GlobalLock, GlobalReAlloc, GlobalUnlock, Heap32ListNext, HeapAlloc, HeapCreate, HeapFree, HeapReAlloc, HeapSize, HeapValidate, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedExchange, InterlockedIncrement, IsDebuggerPresent, IsValidCodePage, LCMapStringA, LCMapStringW, LeaveCriticalSection, LoadLibraryA, LoadLibraryW, LoadResource, LocalAlloc, LocalFree, LocalReAlloc, LocalSize, LockResource, MapViewOfFile, MultiByteToWideChar, OpenEventW, OpenMutexW, OpenSemaphoreA, GetStringTypeExW, OutputDebugStringA, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseMutex, ReplaceFileA, RtlUnwind, SetComputerNameExA, SetConsoleCtrlHandler, SetConsoleMode, SetConsoleOutputCP, SetConsoleTextAttribute, SetErrorMode, SetEvent, SetFilePointer, SetHandleCount, SetLastError, SetStdHandle, SetThreadLocale, SetUnhandledExceptionFilter, SetVolumeMountPointW, SizeofResource, Sleep, SystemTimeToFileTime, TerminateProcess, TerminateThread, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, UnmapViewOfFile, VerLanguageNameA, VirtualAlloc, VirtualFree, WaitForMultipleObjects, WaitForSingleObject, WideCharToMultiByte, WriteConsoleA, WriteConsoleW, WriteFile, WritePrivateProfileStringW, _lwrite, lstrcmpA, lstrcmpW, lstrlenA, lstrlenW, GetStringTypeA, GetStdHandle, GetStartupInfoW, GetStartupInfoA, GetShortPathNameW, GetProcessHeaps, GetProcessHeap, GetProcAddress, GetOEMCP, GetModuleHandleW, GetModuleHandleA, GetModuleFileNameW, GetModuleFileNameA, GetLocaleInfoW, GetLocaleInfoA, GetLocalTime, GetLastError, GetFileType, GetExitCodeThread, GetEnvironmentStringsW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetConsoleScreenBufferInfo, GetConsoleOutputCP, GetConsoleMode, GetConsoleFontSize, GetConsoleCP, GetComputerNameW, GetCommandLineW, GetCPInfo, GetACP, FreeLibrary, FreeEnvironmentStringsW, FormatMessageW, FlushFileBuffers, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExitProcess, EnumResourceLanguagesW, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateMutexW, CreateMutexA, CreateFileW, CreateFileMappingW, CreateFileA, CreateEventW, ConvertDefaultLocale, OpenThread, CloseHandle
USER32.dll	GrayStringW, IsIconic, IsWindow, IsWindowEnabled, IsWindowVisible, LoadBitmapW, LoadCursorW, LoadIconW, LoadMenuW, LoadStringW, MapWindowPoints, MessageBoxA, MessageBoxW, ModifyMenuW, MsgWaitForMultipleObjectsEx, NotifyWinEvent, PeekMessageW, PostMessageW, PostQuitMessage, PostThreadMessageA, PostThreadMessageW, PtInRect, RegisterClassW, RegisterWindowMessageW, ReleaseDC, RemovePropW, SendMessageA, SendMessageW, SetCursor, SetForegroundWindow, SetMenu, SetMenuItemBitmaps, SetMessageQueue, SetPropW, SetWindowLongW, SetWindowPos, SetWindowTextW, SetWindowsHookExW, ShowWindow, SystemParametersInfoA, TabbedTextOutW, TranslateMessage, UnhookWinEvent, UnhookWindowsHookEx, UnregisterClassW, UnregisterDeviceNotification, ValidateRect, WinHelpW, WindowFromDC, LoadCursorFromFileA, GetClipboardData, InSendMessage, IsMenu, DestroyIcon, CharLowerW, GetMenuContextHelpId, VkKeyScanA, CountClipboardFormats, IsCharAlphaA, IsCharAlphaNumericA, GetProcessWindowStation, IsWindowUnicode, GetKeyboardLayout, VkKeyScanW, GetKBCodePage, GetClipboardOwner, GetAsyncKeyState, DestroyCursor, CloseClipboard, PaintDesktop, GetInputState, GetCursor, CloseDesktop, ReleaseCapture, EnumClipboardFormats, GetWindowContextHelpId, GetWindowTextLengthA, GetClipboardViewer, GetThreadDesktop, IsCharAlphaW, AnyPopup, CharUpperW, IsCharLowerW, IsClipboardFormatAvailable, GetQueueStatus, CloseWindow, GetDialogBaseUnits, OemKeyScan, CharNextA, LoadIconA, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindow, GetTopWindow, GetSystemMetrics, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollPos, GetPropW, GetParent, GetMessageW, GetMessageTime, GetMessagePos, GetMessageExtraInfo, GetMenuState, GetMenuItemID, GetMenuItemCount, GetMenuCheckMarkDimensions, GetMenu, GetLastActivePopup, GetKeyState, GetForegroundWindow, GetFocus, GetDlgItem, GetDlgCtrlID, GetDC, GetCursorPos, GetClientRect, GetClassLongW, GetClassInfoW, GetClassInfoExW, GetCapture, GetActiveWindow, EnableWindow, EnableMenuItem, EmptyClipboard, DrawTextW, DrawTextExW, DispatchMessageW, DestroyWindow, DestroyMenu, DefWindowProcW, DefWindowProcA, DdeQueryConvInfo, CreateWindowExW, CreateDialogParamW, CopyRect, ClientToScreen, CheckMenuItem, CharToOemW, CharNextW, CharLowerA, CallWindowProcW, CallNextHookEx, AdjustWindowRectEx, GetClassNameW
GDI32.dll	CreateSolidBrush, SaveDC, FlattenPath, GdiGetBatchLimit, AbortDoc, GetStockObject, GetLayout, GetBkColor, GdiFlush, CreateHalftonePalette, GetSystemPaletteUse, GetObjectType, DeleteObject, AddFontResourceW, EngQueryLocalTime, GetPolyFillMode, GetGraphicsMode, AbortPath, DeleteColorSpace, CreateCompatibleDC, UnrealizeObject, GetDCPenColor, UpdateColors, CreatePatternBrush, StrokePath, SwapBuffers, GetTextCharset, XLATEOBJ_cGetPalette, XFORMOBJ_iGetXform, StartDocW, SetWindowExtEx, SetTextColor, GetTextColor, GetICMProfileW, GetCharABCWidthsA, GdiStartDocEMF, GdiDllInitialize, GetColorSpace, CopyMetaFileW, EngLoadModule, DPtoLP, EngReleaseSemaphore
ADVAPI32.dll	RegSetValueExA, RegQueryValueW, RegQueryValueExW, RegQueryValueExA, RegOpenKeyW, RegOpenKeyExW, RegOpenKeyExA, RegEnumKeyW, RegDeleteKeyW, RegCreateKeyExW, RegCreateKeyExA, RegCloseKey, RegSetValueExW
SHLWAPI.dll	PathFindFileNameW, PathFindExtensionW

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. All rights reserved.
InternalName	Wextract
FileVersion	8.00.7600.16385 (win7_rtm.090713-1255)
CompanyName	Microsoft Corporation
ProductName	Windows Internet Explorer
ProductVersion	8.00.7600.16385
FileDescription	Win32 Cabinet Self-Extractor
OriginalFilename	WEXTRACT.EXE
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2021 19:36:55.357321024 CEST	49776	443	192.168.2.6	193.23.244.244
Sep 28, 2021 19:36:55.357357025 CEST	443	49776	193.23.244.244	192.168.2.6
Sep 28, 2021 19:36:55.357475996 CEST	49776	443	192.168.2.6	193.23.244.244
Sep 28, 2021 19:36:55.380817890 CEST	49776	443	192.168.2.6	193.23.244.244
Sep 28, 2021 19:36:55.380861044 CEST	443	49776	193.23.244.244	192.168.2.6
Sep 28, 2021 19:36:55.517328978 CEST	443	49776	193.23.244.244	192.168.2.6
Sep 28, 2021 19:36:55.517474890 CEST	49776	443	192.168.2.6	193.23.244.244
Sep 28, 2021 19:36:55.521334887 CEST	49776	443	192.168.2.6	193.23.244.244
Sep 28, 2021 19:36:55.521356106 CEST	443	49776	193.23.244.244	192.168.2.6
Sep 28, 2021 19:36:55.521645069 CEST	443	49776	193.23.244.244	192.168.2.6
Sep 28, 2021 19:36:55.522882938 CEST	49776	443	192.168.2.6	193.23.244.244
Sep 28, 2021 19:36:55.523219109 CEST	443	49776	193.23.244.244	192.168.2.6
Sep 28, 2021 19:36:55.523308992 CEST	443	49776	193.23.244.244	192.168.2.6
Sep 28, 2021 19:36:55.523346901 CEST	49776	443	192.168.2.6	193.23.244.244
Sep 28, 2021 19:36:55.523384094 CEST	49776	443	192.168.2.6	193.23.244.244
Sep 28, 2021 19:36:55.523889065 CEST	49777	9090	192.168.2.6	76.73.17.194
Sep 28, 2021 19:36:58.528290033 CEST	49777	9090	192.168.2.6	76.73.17.194
Sep 28, 2021 19:37:04.528808117 CEST	49777	9090	192.168.2.6	76.73.17.194
Sep 28, 2021 19:38:56.398449898 CEST	49871	443	192.168.2.6	154.35.32.5
Sep 28, 2021 19:38:56.398531914 CEST	443	49871	154.35.32.5	192.168.2.6
Sep 28, 2021 19:38:56.398713112 CEST	49871	443	192.168.2.6	154.35.32.5
Sep 28, 2021 19:38:56.413693905 CEST	49871	443	192.168.2.6	154.35.32.5
Sep 28, 2021 19:38:56.413769960 CEST	443	49871	154.35.32.5	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2021 19:36:40.049989939 CEST	51774	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:36:40.068977118 CEST	53	51774	8.8.8.8	192.168.2.6
Sep 28, 2021 19:36:40.551513910 CEST	56023	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:36:40.568737030 CEST	53	56023	8.8.8.8	192.168.2.6
Sep 28, 2021 19:36:41.016571999 CEST	58384	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:36:41.037360907 CEST	53	58384	8.8.8.8	192.168.2.6
Sep 28, 2021 19:36:41.473045111 CEST	60261	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:36:41.491592884 CEST	53	60261	8.8.8.8	192.168.2.6
Sep 28, 2021 19:36:42.030776024 CEST	56061	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:36:42.048513889 CEST	53	56061	8.8.8.8	192.168.2.6
Sep 28, 2021 19:36:43.130347013 CEST	58336	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:36:43.149195910 CEST	53	58336	8.8.8.8	192.168.2.6
Sep 28, 2021 19:36:43.674254894 CEST	53781	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:36:43.693381071 CEST	53	53781	8.8.8.8	192.168.2.6
Sep 28, 2021 19:36:44.272819042 CEST	54064	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:36:44.289680004 CEST	53	54064	8.8.8.8	192.168.2.6
Sep 28, 2021 19:36:44.823151112 CEST	52811	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:36:44.843667984 CEST	53	52811	8.8.8.8	192.168.2.6
Sep 28, 2021 19:36:45.745742083 CEST	55299	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:36:45.771522045 CEST	53	55299	8.8.8.8	192.168.2.6
Sep 28, 2021 19:36:46.364577055 CEST	63745	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:36:46.383964062 CEST	53	63745	8.8.8.8	192.168.2.6
Sep 28, 2021 19:36:46.803879023 CEST	50055	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:36:46.823764086 CEST	53	50055	8.8.8.8	192.168.2.6
Sep 28, 2021 19:36:47.351910114 CEST	61374	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:36:47.381592035 CEST	53	61374	8.8.8.8	192.168.2.6
Sep 28, 2021 19:37:15.210397005 CEST	50339	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:37:15.239068031 CEST	53	50339	8.8.8.8	192.168.2.6
Sep 28, 2021 19:37:30.382486105 CEST	63307	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:37:30.402235031 CEST	53	63307	8.8.8.8	192.168.2.6
Sep 28, 2021 19:37:49.207776070 CEST	49694	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:37:49.251084089 CEST	53	49694	8.8.8.8	192.168.2.6
Sep 28, 2021 19:37:50.255167007 CEST	54982	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:37:50.300405979 CEST	53	54982	8.8.8.8	192.168.2.6
Sep 28, 2021 19:37:50.934642076 CEST	50010	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:37:50.954363108 CEST	53	50010	8.8.8.8	192.168.2.6
Sep 28, 2021 19:37:51.362317085 CEST	63718	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:37:51.411315918 CEST	53	63718	8.8.8.8	192.168.2.6
Sep 28, 2021 19:37:51.869534969 CEST	62116	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:37:51.894839048 CEST	53	62116	8.8.8.8	192.168.2.6
Sep 28, 2021 19:37:52.372323990 CEST	63816	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:37:52.391957998 CEST	53	63816	8.8.8.8	192.168.2.6
Sep 28, 2021 19:37:53.087584972 CEST	55014	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:37:53.107959986 CEST	53	55014	8.8.8.8	192.168.2.6
Sep 28, 2021 19:37:53.964301109 CEST	62208	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:37:53.983670950 CEST	53	62208	8.8.8.8	192.168.2.6
Sep 28, 2021 19:37:54.206104994 CEST	57574	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:37:54.239914894 CEST	53	57574	8.8.8.8	192.168.2.6
Sep 28, 2021 19:37:55.510869026 CEST	51818	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:37:55.530311108 CEST	53	51818	8.8.8.8	192.168.2.6
Sep 28, 2021 19:37:56.074932098 CEST	56628	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:37:56.092611074 CEST	53	56628	8.8.8.8	192.168.2.6
Sep 28, 2021 19:38:08.271339893 CEST	60778	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:38:08.292476892 CEST	53	60778	8.8.8.8	192.168.2.6
Sep 28, 2021 19:38:09.981698036 CEST	53799	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:38:10.019514084 CEST	53	53799	8.8.8.8	192.168.2.6
Sep 28, 2021 19:38:49.667186022 CEST	54683	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:38:49.694897890 CEST	53	54683	8.8.8.8	192.168.2.6
Sep 28, 2021 19:38:51.571297884 CEST	59329	53	192.168.2.6	8.8.8.8
Sep 28, 2021 19:38:51.600497007 CEST	53	59329	8.8.8.8	192.168.2.6

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: yjOapKcgE1.exe PID: 6320 Parent PID: 6552

General

Start time:	19:36:46
Start date:	28/09/2021
Path:	C:\Users\user\Desktop\yjOapKcgE1.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\yjOapKcgE1.exe'
Imagebase:	0x400000
File size:	1244429 bytes
MD5 hash:	1D46AFB839B846EDE01CB925470F0488
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: csrss.exe PID: 5888 Parent PID: 3440

General

Start time:	19:37:06
Start date:	28/09/2021
Path:	C:\ProgramData\Windows\csrss.exe
Wow64 process (32bit):	true
Commandline:	'C:\ProgramData\Windows\csrss.exe'
Imagebase:	0x400000
File size:	1244429 bytes
MD5 hash:	1D46AFB839B846EDE01CB925470F0488
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 67%, Virustotal, Browse Detection: 69%, Metadefender, Browse Detection: 87%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: csrss.exe PID: 5636 Parent PID: 3440

General

Start time:	19:37:14
Start date:	28/09/2021
Path:	C:\ProgramData\Windows\csrss.exe
Wow64 process (32bit):	true
Commandline:	'C:\ProgramData\Windows\csrss.exe'
Imagebase:	0x400000
File size:	1244429 bytes
MD5 hash:	1D46AFB839B846EDE01CB925470F0488
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: yjOapKcgE1.exe PID: 6320 Parent PID: 6552 yjOapKcgE1.exeCOMMON

Executed Functions

Function 0041A13C, Relevance: 329.4, APIs: 94, Strings: 94, Instructions: 392libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,?,004123B2), ref: 0041A14A
GetProcAddress.KERNEL32(00000000,GetComputerNameW), ref: 0041A162
GetProcAddress.KERNEL32(00000000,GetSystemInfo), ref: 0041A16F
GetProcAddress.KERNEL32(00000000,GetLogicalDriveStringsW), ref: 0041A17C
GetProcAddress.KERNEL32(00000000,GetVolumeInformationW), ref: 0041A189
GetProcAddress.KERNEL32(00000000,GetDriveTypeW), ref: 0041A196
GetProcAddress.KERNEL32(00000000,GetSystemDirectoryW), ref: 0041A1A3
GetProcAddress.KERNEL32(00000000,GetWindowsDirectoryA), ref: 0041A1B0
GetProcAddress.KERNEL32(00000000,GetWindowsDirectoryW), ref: 0041A1BD
GetProcAddress.KERNEL32(00000000,GetTempPathW), ref: 0041A1CA
GetProcAddress.KERNEL32(00000000,FindFirstFileW), ref: 0041A1D7
GetProcAddress.KERNEL32(00000000,FindNextFileW), ref: 0041A1E4
GetProcAddress.KERNEL32(00000000,FindClose), ref: 0041A1F1
GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 0041A1FE
GetProcAddress.KERNEL32(00000000,ReadFile), ref: 0041A20B
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 0041A218
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 0041A225
GetProcAddress.KERNEL32(00000000,SetFileAttributesW), ref: 0041A232
GetProcAddress.KERNEL32(00000000,GetFileAttributesW), ref: 0041A23F
GetProcAddress.KERNEL32(00000000,SetFilePointer), ref: 0041A24C
GetProcAddress.KERNEL32(00000000,GetFileSize), ref: 0041A259
GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 0041A266
GetProcAddress.KERNEL32(00000000,CreateDirectoryW), ref: 0041A273
GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 0041A280
GetProcAddress.KERNEL32(00000000,CopyFileW), ref: 0041A28D
GetProcAddress.KERNEL32(00000000,GetCurrentThreadId), ref: 0041A29A
GetProcAddress.KERNEL32(00000000,ExitProcess), ref: 0041A2A7
GetProcAddress.KERNEL32(00000000,GetLastError), ref: 0041A2B4
GetProcAddress.KERNEL32(00000000,GetModuleFileNameW), ref: 0041A2C1
GetProcAddress.KERNEL32(00000000,GetModuleFileNameA), ref: 0041A2CE
GetProcAddress.KERNEL32(00000000,Sleep), ref: 0041A2DB
GetProcAddress.KERNEL32(00000000,DeviceIoControl), ref: 0041A2E8
GetProcAddress.KERNEL32(00000000,GetShortPathNameW), ref: 0041A2F5
GetProcAddress.KERNEL32(00000000,WideCharToMultiByte), ref: 0041A302
GetProcAddress.KERNEL32(00000000,GetVersionExW), ref: 0041A30F
GetProcAddress.KERNEL32(00000000,SetErrorMode), ref: 0041A31C
GetProcAddress.KERNEL32(00000000,CreatePipe), ref: 0041A329
GetProcAddress.KERNEL32(00000000,SetHandleInformation), ref: 0041A336
GetProcAddress.KERNEL32(00000000,CreateProcessW), ref: 0041A343
GetProcAddress.KERNEL32(00000000,WaitForSingleObject), ref: 0041A350
GetProcAddress.KERNEL32(00000000,GetExitCodeProcess), ref: 0041A35D
GetProcAddress.KERNEL32(00000000,PeekNamedPipe), ref: 0041A36A
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0041A377
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 0041A384
LoadLibraryA.KERNEL32(advapi32.dll,?,?,?,004123B2), ref: 0041A390
GetProcAddress.KERNEL32(00000000,RegOpenKeyExW), ref: 0041A39E
GetProcAddress.KERNEL32(00000000,RegQueryValueExW), ref: 0041A3AB
GetProcAddress.KERNEL32(00000000,RegSetValueExW), ref: 0041A3B8
GetProcAddress.KERNEL32(00000000,RegCreateKeyExW), ref: 0041A3C5
GetProcAddress.KERNEL32(00000000,RegDeleteValueW), ref: 0041A3D2
GetProcAddress.KERNEL32(00000000,RegEnumKeyW), ref: 0041A3DF
GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 0041A3EC
GetProcAddress.KERNEL32(00000000,RegQueryInfoKeyW), ref: 0041A3F9
GetProcAddress.KERNEL32(00000000,GetUserNameW), ref: 0041A406
LoadLibraryA.KERNEL32(shell32.dll,?,?,?,004123B2), ref: 0041A412
GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 0041A420
GetProcAddress.KERNEL32(00000000,ShellExecuteW), ref: 0041A42D
GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 0041A43A
LoadLibraryA.KERNELBASE(ole32.dll,?,?,?,004123B2), ref: 0041A446
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 0041A454
GetProcAddress.KERNEL32(00000000,CoUninitialize), ref: 0041A461
GetProcAddress.KERNEL32(00000000,CoCreateInstance), ref: 0041A46E
GetProcAddress.KERNEL32(00000000,CoInitializeSecurity), ref: 0041A47B
GetProcAddress.KERNEL32(00000000,CoSetProxyBlanket), ref: 0041A488
GetProcAddress.KERNEL32(00000000,CoTaskMemFree), ref: 0041A495
LoadLibraryA.KERNEL32(oleaut32.dll,?,?,?,004123B2), ref: 0041A4A1
GetProcAddress.KERNEL32(00000000,VariantClear), ref: 0041A4AD
LoadLibraryA.KERNEL32(user32.dll,?,?,?,004123B2), ref: 0041A4B9
GetProcAddress.KERNEL32(00000000,GetDesktopWindow), ref: 0041A4C7
GetProcAddress.KERNEL32(00000000,GetWindowRect), ref: 0041A4D4
GetProcAddress.KERNEL32(00000000,GetDC), ref: 0041A4E1
GetProcAddress.KERNEL32(00000000,DrawTextW), ref: 0041A4EE
GetProcAddress.KERNEL32(00000000,SystemParametersInfoW), ref: 0041A4FB
GetProcAddress.KERNEL32(00000000,CharUpperW), ref: 0041A508
GetProcAddress.KERNEL32(00000000,GetForegroundWindow), ref: 0041A515
LoadLibraryA.KERNEL32(gdi32.dll,?,?,?,004123B2), ref: 0041A521
GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 0041A533
GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 0041A540
GetProcAddress.KERNEL32(00000000,SelectObject), ref: 0041A54D
GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 0041A55A
GetProcAddress.KERNEL32(00000000,DeleteDC), ref: 0041A567
GetProcAddress.KERNEL32(00000000,CreateBrushIndirect), ref: 0041A574
GetProcAddress.KERNEL32(00000000,SetTextColor), ref: 0041A581
GetProcAddress.KERNEL32(00000000,SetBkColor), ref: 0041A58E
GetProcAddress.KERNEL32(00000000,GetCurrentObject), ref: 0041A59B
GetProcAddress.KERNEL32(00000000,GetObjectA), ref: 0041A5A8
GetProcAddress.KERNEL32(00000000,CreateFontIndirectA), ref: 0041A5B5
GetProcAddress.KERNEL32(00000000,CreateDIBSection), ref: 0041A5C2
GetProcAddress.KERNEL32(00000000,BitBlt), ref: 0041A5CF
GetProcAddress.KERNEL32(00000000,ExtFloodFill), ref: 0041A5DC
LoadLibraryA.KERNELBASE(netapi32.dll,?,?,?,004123B2), ref: 0041A5E8
GetProcAddress.KERNELBASE(00000000,NetServerGetInfo), ref: 0041A5F6
GetProcAddress.KERNELBASE(00000000,NetApiBufferFree), ref: 0041A603
GetProcAddress.KERNEL32(00000000,NetWkstaGetInfo), ref: 0041A610

Strings

GetDriveTypeW, xrefs: 0041A18B
SetErrorMode, xrefs: 0041A311
NetApiBufferFree, xrefs: 0041A5F8
FindNextFileW, xrefs: 0041A1D9
MoveFileW, xrefs: 0041A260
RegEnumKeyW, xrefs: 0041A3D4
GetLastError, xrefs: 0041A2A9
DrawTextW, xrefs: 0041A4E3
Wow64DisableWow64FsRedirection, xrefs: 0041A36C
GetDC, xrefs: 0041A4D6
CreateCompatibleBitmap, xrefs: 0041A535
gdi32.dll, xrefs: 0041A51C
netapi32.dll, xrefs: 0041A5E3
WriteFile, xrefs: 0041A20D
Wow64RevertWow64FsRedirection, xrefs: 0041A379
RegQueryInfoKeyW, xrefs: 0041A3EE
CoInitializeEx, xrefs: 0041A44E
Sleep, xrefs: 0041A2D0
SetHandleInformation, xrefs: 0041A32B
VariantClear, xrefs: 0041A4A7
BitBlt, xrefs: 0041A5C4
CharUpperW, xrefs: 0041A4FD
shell32.dll, xrefs: 0041A40D
CreateCompatibleDC, xrefs: 0041A52D
DeleteDC, xrefs: 0041A55C
CreateFontIndirectA, xrefs: 0041A5AA
GetSystemDirectoryW, xrefs: 0041A198
RegOpenKeyExW, xrefs: 0041A398
SHGetKnownFolderPath, xrefs: 0041A42F
ShellExecuteW, xrefs: 0041A422
CloseHandle, xrefs: 0041A21A
PeekNamedPipe, xrefs: 0041A35F
GetCurrentThreadId, xrefs: 0041A28F
GetWindowsDirectoryW, xrefs: 0041A1B2
RegDeleteValueW, xrefs: 0041A3C7
SelectObject, xrefs: 0041A542
ole32.dll, xrefs: 0041A441
RegQueryValueExW, xrefs: 0041A3A0
SHGetFolderPathW, xrefs: 0041A41A
GetDesktopWindow, xrefs: 0041A4C1
SetFileAttributesW, xrefs: 0041A227
GetUserNameW, xrefs: 0041A3FB
SetFilePointer, xrefs: 0041A241
SetTextColor, xrefs: 0041A576
DeleteFileW, xrefs: 0041A275
CreateBrushIndirect, xrefs: 0041A569
CreateDirectoryW, xrefs: 0041A268
WaitForSingleObject, xrefs: 0041A345
GetVersionExW, xrefs: 0041A304
RegSetValueExW, xrefs: 0041A3AD
CoInitializeSecurity, xrefs: 0041A470
GetFileSize, xrefs: 0041A24E
GetExitCodeProcess, xrefs: 0041A352
kernel32.dll, xrefs: 0041A145
CreateProcessW, xrefs: 0041A338
CoUninitialize, xrefs: 0041A456
GetVolumeInformationW, xrefs: 0041A17E
WideCharToMultiByte, xrefs: 0041A2F7
ExtFloodFill, xrefs: 0041A5D1
CoSetProxyBlanket, xrefs: 0041A47D
GetLogicalDriveStringsW, xrefs: 0041A171
RegCloseKey, xrefs: 0041A3E1
GetWindowsDirectoryA, xrefs: 0041A1A5
FindClose, xrefs: 0041A1E6
GetComputerNameW, xrefs: 0041A15C
ReadFile, xrefs: 0041A200
oleaut32.dll, xrefs: 0041A49C
SetBkColor, xrefs: 0041A583
user32.dll, xrefs: 0041A4B4
GetFileAttributesW, xrefs: 0041A234
DeleteObject, xrefs: 0041A54F
GetForegroundWindow, xrefs: 0041A50A
DeviceIoControl, xrefs: 0041A2DD
CreatePipe, xrefs: 0041A31E
CreateFileW, xrefs: 0041A1F3
GetWindowRect, xrefs: 0041A4C9
NetWkstaGetInfo, xrefs: 0041A605
RegCreateKeyExW, xrefs: 0041A3BA
CoCreateInstance, xrefs: 0041A463
GetShortPathNameW, xrefs: 0041A2EA
GetCurrentObject, xrefs: 0041A590
GetModuleFileNameA, xrefs: 0041A2C3
SystemParametersInfoW, xrefs: 0041A4F0
CreateDIBSection, xrefs: 0041A5B7
GetModuleFileNameW, xrefs: 0041A2B6
GetSystemInfo, xrefs: 0041A164
advapi32.dll, xrefs: 0041A38B
FindFirstFileW, xrefs: 0041A1CC
CoTaskMemFree, xrefs: 0041A48A
ExitProcess, xrefs: 0041A29C
GetObjectA, xrefs: 0041A59D
GetTempPathW, xrefs: 0041A1BF
CopyFileW, xrefs: 0041A282
NetServerGetInfo, xrefs: 0041A5F0

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad
String ID: BitBlt$CharUpperW$CloseHandle$CoCreateInstance$CoInitializeEx$CoInitializeSecurity$CoSetProxyBlanket$CoTaskMemFree$CoUninitialize$CopyFileW$CreateBrushIndirect$CreateCompatibleBitmap$CreateCompatibleDC$CreateDIBSection$CreateDirectoryW$CreateFileW$CreateFontIndirectA$CreatePipe$CreateProcessW$DeleteDC$DeleteFileW$DeleteObject$DeviceIoControl$DrawTextW$ExitProcess$ExtFloodFill$FindClose$FindFirstFileW$FindNextFileW$GetComputerNameW$GetCurrentObject$GetCurrentThreadId$GetDC$GetDesktopWindow$GetDriveTypeW$GetExitCodeProcess$GetFileAttributesW$GetFileSize$GetForegroundWindow$GetLastError$GetLogicalDriveStringsW$GetModuleFileNameA$GetModuleFileNameW$GetObjectA$GetShortPathNameW$GetSystemDirectoryW$GetSystemInfo$GetTempPathW$GetUserNameW$GetVersionExW$GetVolumeInformationW$GetWindowRect$GetWindowsDirectoryA$GetWindowsDirectoryW$MoveFileW$NetApiBufferFree$NetServerGetInfo$NetWkstaGetInfo$PeekNamedPipe$ReadFile$RegCloseKey$RegCreateKeyExW$RegDeleteValueW$RegEnumKeyW$RegOpenKeyExW$RegQueryInfoKeyW$RegQueryValueExW$RegSetValueExW$SHGetFolderPathW$SHGetKnownFolderPath$SelectObject$SetBkColor$SetErrorMode$SetFileAttributesW$SetFilePointer$SetHandleInformation$SetTextColor$ShellExecuteW$Sleep$SystemParametersInfoW$VariantClear$WaitForSingleObject$WideCharToMultiByte$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$WriteFile$advapi32.dll$gdi32.dll$kernel32.dll$netapi32.dll$ole32.dll$oleaut32.dll$shell32.dll$user32.dll
API String ID: 2238633743-160047495
Opcode ID: 92d82e14e39e8ab5a07b569c061adb14ebd62f70d39669f16754e19e700200b9
Instruction ID: bacac2941af320af69a4f4bfd5fca98cd5f2bcaf782328d8fd34d87f4f724ada
Opcode Fuzzy Hash: 92d82e14e39e8ab5a07b569c061adb14ebd62f70d39669f16754e19e700200b9
Instruction Fuzzy Hash: 1AC15971D81719798B107B7AAD49E3BBEFDFDA5B90310042BA204D36A1DAFC8405EF64

Uniqueness

Uniqueness Score: -1.00%

Function 00449089, Relevance: 142.3, APIs: 51, Strings: 30, Instructions: 576libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(00000094), ref: 004490D1
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 004490E2
LoadLibraryA.KERNEL32(KERNEL32.DLL), ref: 004490EC
LoadLibraryA.KERNEL32(NETAPI32.DLL), ref: 004490F6
GetProcAddress.KERNEL32(00000000,NetStatisticsGet), ref: 00449119
GetProcAddress.KERNEL32(00000000,NetApiBufferFree), ref: 00449124
NetStatisticsGet.NETAPI32(00000000,LanmanWorkstation,00000000,00000000,?), ref: 00449143
NetStatisticsGet.NETAPI32(00000000,LanmanServer,00000000,00000000,?), ref: 0044917F
FreeLibrary.KERNEL32(00000000), ref: 004491AF
GetProcAddress.KERNEL32(00000000,CryptAcquireContextW), ref: 004491C3
GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 004491D0
GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 004491DD
FreeLibrary.KERNEL32(00000000), ref: 004492B5
LoadLibraryA.KERNEL32(USER32.DLL), ref: 004492D6
GetProcAddress.KERNEL32(00000000,GetForegroundWindow), ref: 004492E9
GetProcAddress.KERNEL32(?,GetCursorInfo), ref: 004492F5
GetProcAddress.KERNEL32(?,GetQueueStatus), ref: 00449301
FreeLibrary.KERNEL32(?), ref: 004493A6
GetProcAddress.KERNEL32(?,CreateToolhelp32Snapshot), ref: 004493C1
GetProcAddress.KERNEL32(?,CloseToolhelp32Snapshot), ref: 004493CB
GetProcAddress.KERNEL32(?,Heap32First), ref: 004493D6
GetProcAddress.KERNEL32(?,Heap32Next), ref: 004493E1
GetProcAddress.KERNEL32(?,Heap32ListFirst), ref: 004493EC
GetProcAddress.KERNEL32(?,Heap32ListNext), ref: 004493F7
GetProcAddress.KERNEL32(?,Process32First), ref: 00449402
GetProcAddress.KERNEL32(?,Process32Next), ref: 0044940D
GetProcAddress.KERNEL32(?,Thread32First), ref: 00449418
GetProcAddress.KERNEL32(?,Thread32Next), ref: 00449423
GetProcAddress.KERNEL32(?,Module32First), ref: 0044942E
GetProcAddress.KERNEL32(?,Module32Next), ref: 00449439
CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 004494AC
_memset.LIBCMT ref: 004494C4
GetTickCount.KERNEL32 ref: 004494DB
Heap32ListFirst.KERNEL32(?,?), ref: 004494E7
_memset.LIBCMT ref: 0044952E
Heap32First.KERNEL32(00000024,?,?), ref: 0044954D
Heap32Next.KERNEL32(?), ref: 00449588
GetTickCount.KERNEL32 ref: 00449595
Heap32ListNext.KERNEL32(?,?), ref: 004495D1
GetTickCount.KERNEL32 ref: 004495DE
GetTickCount.KERNEL32 ref: 00449601
Process32First.KERNEL32(?,00000128), ref: 00449610
GetTickCount.KERNEL32 ref: 00449654
GetTickCount.KERNEL32 ref: 00449670
GetTickCount.KERNEL32 ref: 004496C3
GetTickCount.KERNEL32 ref: 004496DC

Strings

Process32Next, xrefs: 00449407
GetCursorInfo, xrefs: 004492ED
*, xrefs: 004494F7
GetQueueStatus, xrefs: 004492F9
LanmanWorkstation, xrefs: 0044913D
CryptGenRandom, xrefs: 004491C8
Process32First, xrefs: 004493FC
Heap32ListNext, xrefs: 004493F1
Heap32Next, xrefs: 004493DB
CryptReleaseContext, xrefs: 004491D5
GetForegroundWindow, xrefs: 004492E3
NETAPI32.DLL, xrefs: 004490F1
Thread32Next, xrefs: 0044941D
Thread32First, xrefs: 00449412
NetApiBufferFree, xrefs: 0044911E
Heap32ListFirst, xrefs: 004493E6
CloseToolhelp32Snapshot, xrefs: 004493C5
CryptAcquireContextW, xrefs: 004491BB
Heap32First, xrefs: 004493D0
CreateToolhelp32Snapshot, xrefs: 004493BB
Module32Next, xrefs: 00449433
$, xrefs: 00449536
Module32First, xrefs: 00449428
KERNEL32.DLL, xrefs: 004490E7
ADVAPI32.DLL, xrefs: 004490D7
NetStatisticsGet, xrefs: 00449113
USER32.DLL, xrefs: 004492D1
P, xrefs: 00449554
Intel Hardware Cryptographic Service Provider, xrefs: 00449257
LanmanServer, xrefs: 00449179

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProc$CountTick$Library$Heap32Load$FirstFree$ListNextStatistics_memset$CreateProcess32SnapshotToolhelp32Version
String ID: $$*$ADVAPI32.DLL$CloseToolhelp32Snapshot$CreateToolhelp32Snapshot$CryptAcquireContextW$CryptGenRandom$CryptReleaseContext$GetCursorInfo$GetForegroundWindow$GetQueueStatus$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Intel Hardware Cryptographic Service Provider$KERNEL32.DLL$LanmanServer$LanmanWorkstation$Module32First$Module32Next$NETAPI32.DLL$NetApiBufferFree$NetStatisticsGet$P$Process32First$Process32Next$Thread32First$Thread32Next$USER32.DLL
API String ID: 2059593966-1350268427
Opcode ID: 75904a724c125e5e191004c2e1ab3c6912cf1613b9c86ed762dac43a56054074
Instruction ID: a597fa4a12bf090581903b27f185ab35ef79f39b3aa834aa655541eba6c9e9e5
Opcode Fuzzy Hash: 75904a724c125e5e191004c2e1ab3c6912cf1613b9c86ed762dac43a56054074
Instruction Fuzzy Hash: 7F223C71D00219AAEF21AFA4DC4ABEEBBB8BF08701F14046BE514B2191EB795D44DF19

Uniqueness

Uniqueness Score: -1.00%

Function 00413375, Relevance: 31.9, APIs: 13, Strings: 5, Instructions: 395registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041337A

Part of subcall function 0040BD0A: __EH_prolog.LIBCMT ref: 0040BD0F

_memset.LIBCMT ref: 004133C1
RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00000009,00000000,00000000,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\,?,?,?,?,?,?), ref: 004133FC

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

RegQueryInfoKeyW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000001,?), ref: 0041343F
_memset.LIBCMT ref: 00413477
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 0041349C
RegOpenKeyExW.KERNELBASE(?,?,00000000,00000001,?), ref: 00413546
RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,?,00000400,00000000,DisplayName), ref: 00413592
RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,?,00000001,00000000,SystemComponent,00000001,00000000,00000001,?), ref: 00413617
RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,?,00000400,00000000,ParentKeyName,?), ref: 004136DC
RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,?,00000001,00000000,WindowsInstaller,00000001,00000000,00000001), ref: 00413759
RegCloseKey.KERNELBASE(?,00000001,00000000,00000001,?), ref: 004137C8
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004137F8

Strings

SystemComponent, xrefs: 004135D3
ParentKeyName, xrefs: 00413699
DisplayName, xrefs: 00413556
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 004133C9, 004134AE
WindowsInstaller, xrefs: 00413715

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Query$Value$EnumH_prologOpen_memset$CloseInfochar_traits
String ID: DisplayName$ParentKeyName$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$SystemComponent$WindowsInstaller
API String ID: 4159870004-324101830
Opcode ID: f1ed0192631a74c81f30a353a96ea63dfc8912ae271063c2fb677cbef23d7cc8
Instruction ID: d4295fe83490042f031972ce58116618a2231b9145636ace1f7a0842c2dc708e
Opcode Fuzzy Hash: f1ed0192631a74c81f30a353a96ea63dfc8912ae271063c2fb677cbef23d7cc8
Instruction Fuzzy Hash: 6CE14CB1C0125DEEEB15DBA4CC95BEEBBB8EF14308F10806AE605B3191DB745E48CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00409519, Relevance: 21.6, APIs: 2, Strings: 10, Instructions: 590COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040951E

Part of subcall function 00565D10: CloseHandle.KERNEL32(?,?,?,30B20E82,0000001B,00000000,0000000F), ref: 00565D9B
Part of subcall function 00565D10: ResumeThread.KERNELBASE(?,?,?,30B20E82,0000001B,00000000,0000000F), ref: 00565DA9

Part of subcall function 005659F0: GetProcessHeap.KERNEL32(00000000,?,?,00000000,?,00000000,0057E808,000000FF,00406779,00000001,00000000,00000001,00000000,?,xmode), ref: 00565A54
Part of subcall function 005659F0: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,0057E808,000000FF,00406779,00000001,00000000,00000001,00000000,?,xmode), ref: 00565A57
Part of subcall function 005659F0: GetProcessHeap.KERNEL32(00000000,?,?,00000000,?,00000000,0057E808,000000FF,00406779,00000001,00000000,00000001,00000000,?,xmode), ref: 00565A80
Part of subcall function 005659F0: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,0057E808,000000FF,00406779,00000001,00000000,00000001,00000000,?,xmode), ref: 00565A83

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

Part of subcall function 0040D292: __EH_prolog.LIBCMT ref: 0040D297

Part of subcall function 0040C59E: std::_String_base::_Xlen.LIBCPMT ref: 0040C5D7

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Part of subcall function 0041596F: GetFileAttributesW.KERNELBASE(00000000,?,0040964B,00000001,00000000,00000001,00000001,00000001,00000001,00000000,00000000,000000FF), ref: 00415976
Part of subcall function 0041596F: CreateDirectoryW.KERNELBASE(00000000,00000000,?), ref: 0041598E

Part of subcall function 0041596F: SetFileAttributesW.KERNELBASE(00000000,?,00000006), ref: 004159A4

GetLastError.KERNEL32(can not create dir,00000001,00000000,00000001,00000000,00000001,00000001,00000001,00000001,00000001,00000001,00000000,000000FF), ref: 004097A0

Part of subcall function 0040A9FC: __EH_prolog.LIBCMT ref: 0040AA01

Part of subcall function 0040A521: __EH_prolog.LIBCMT ref: 0040A526
Part of subcall function 0040A521: CharUpperW.USER32(?,00000001,00000000,00000001,00000000,SOFTWARE\Microsoft\Windows\CurrentVersion\Run\,00000001,0058B70C,?,?,00000001,00000000,0040A88D,?,?,?), ref: 0040A5F1

Strings

\\?\, xrefs: 00409660
can not copy file, xrefs: 0040997C
can not create dir, xrefs: 0040978F
csrss.exe, xrefs: 004097E8
xVersion, xrefs: 00409B7A
can not add to autorun, xrefs: 00409B40
Windows, xrefs: 00409580, 00409653
2, xrefs: 00409C71
can not save value (mark), xrefs: 00409C12
4.0.0.1, xrefs: 00409B6D

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$Heap$AttributesFileFreeProcess$CharCloseCreateDirectoryErrorHandleLastResumeString_base::_ThreadUpperXlenchar_traitsstd::_
String ID: 2$4.0.0.1$Windows$\\?\$can not add to autorun$can not copy file$can not create dir$can not save value (mark)$csrss.exe$xVersion
API String ID: 3195406988-3918288975
Opcode ID: 26d7ec1f360d4c8b9104ba789b58be56ba6a680c2d8c07e6bd88f60d9b943e27
Instruction ID: 587602f448ab1763f55615f9f0946f5e97d92d50c7651121d965df57157c839a
Opcode Fuzzy Hash: 26d7ec1f360d4c8b9104ba789b58be56ba6a680c2d8c07e6bd88f60d9b943e27
Instruction Fuzzy Hash: 40329F72C05298EADB11EBE5C845BDEBF78AF15318F1041AAF505732C2DB781B48CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00405D99, Relevance: 12.7, APIs: 1, Strings: 7, Instructions: 713sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0040F08B: __EH_prolog.LIBCMT ref: 0040F090

Part of subcall function 0040F169: __EH_prolog.LIBCMT ref: 0040F16E

Part of subcall function 004076C2: __EH_prolog.LIBCMT ref: 004076C7

Part of subcall function 0054DE73: _malloc.LIBCMT ref: 0054DE8D

Part of subcall function 0040CE76: __EH_prolog.LIBCMT ref: 0040CE7B

Part of subcall function 00409024: __EH_prolog.LIBCMT ref: 00409029

Part of subcall function 00408946: __EH_prolog.LIBCMT ref: 0040894B

Sleep.KERNEL32(0000001E,?,00000000,?,?,?,?,00000001,00000000,00000001,00000000,?,xmode), ref: 004067C2

Strings

xstate, xrefs: 00405F5D, 00406232, 00406435
&, xrefs: 00406727
xcnt, xrefs: 0040600F, 00406333, 00406568
xsys, xrefs: 004066F3
#, xrefs: 0040668C
xmode, xrefs: 004065C6
%, xrefs: 00406712

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$Sleep_malloc
String ID: #$%$&$xcnt$xmode$xstate$xsys
API String ID: 1973873821-4248995162
Opcode ID: 2f194b15327ec9c46c4cd51348ea4eda2d42d90fa4aedf8bee62eed35864d5be
Instruction ID: 36cb1b60db995d1c3402be5ba9ee1ecdbbf8caa4cc1d1825f51cca90febd4169
Opcode Fuzzy Hash: 2f194b15327ec9c46c4cd51348ea4eda2d42d90fa4aedf8bee62eed35864d5be
Instruction Fuzzy Hash: 1542DC710083809ED721EB65C845BDFBBD8AF95708F04492EF689632C2DB785649CBA7

Uniqueness

Uniqueness Score: -1.00%

Function 00417EB5, Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 381COMMON

Download Yara Rule

APIs

Part of subcall function 004168F0: InterlockedDecrement.KERNEL32(00000008), ref: 004168FB
Part of subcall function 004168F0: SysFreeString.OLEAUT32(00000000), ref: 00416910

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

VariantClear.OLEAUT32(?), ref: 00418178
VariantClear.OLEAUT32(?), ref: 004181F1

Strings

SELECT * FROM Win32_OperatingSystem, xrefs: 00418070
Version, xrefs: 00418115
ROOT\CIMV2, xrefs: 00417FA7
CSDVersion, xrefs: 00418185
WQL, xrefs: 00418089

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ClearVariant$DecrementFreeInterlockedStringchar_traits
String ID: CSDVersion$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$Version$WQL
API String ID: 854514482-660681872
Opcode ID: 1e154e81584faa433478f183e32f02f9e840c43d828fae02e0617c71c15f41db
Instruction ID: 0d4ba4a92494e6567f7d71d29297227958e69ea3da1ef6f26de091432bf87960
Opcode Fuzzy Hash: 1e154e81584faa433478f183e32f02f9e840c43d828fae02e0617c71c15f41db
Instruction Fuzzy Hash: 2FD14A71A00219AFCB11EBA5C885AEEB778FF45308F10446EF505B7251DB786D86CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00416D6D, Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 370fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0054DE73: _malloc.LIBCMT ref: 0054DE8D

_memset.LIBCMT ref: 00416E00
FindFirstFileW.KERNELBASE(?,?,00000001,00000000,00000001,00000001,00000001,00000000,000000FF), ref: 00416E99
FindNextFileW.KERNELBASE(?,00000010,?,0058B6A8), ref: 00417028
FindNextFileW.KERNELBASE(?,00000010,?,0058B6A8), ref: 004171AE
FindClose.KERNELBASE(?), ref: 004171BF

Strings

\\?\, xrefs: 00416E08
@, xrefs: 0041712E

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Find$File$Next$CloseFirst_malloc_memset
String ID: @$\\?\
API String ID: 570807038-1420128806
Opcode ID: 20da6630c5232dc220c4186638c641df04404d7417db757284ea30e3209874b9
Instruction ID: 9b24118c42bf724cda5b84ebfaa015a66517b757526d0c1c6ee7df496abc514b
Opcode Fuzzy Hash: 20da6630c5232dc220c4186638c641df04404d7417db757284ea30e3209874b9
Instruction Fuzzy Hash: 72E17172D04218ABDF21EBA1CD46BDEBB78AF04314F1041AAEA15B3191DB785F85CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041D211, Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 433COMMON

Download Yara Rule

APIs

CharUpperW.USER32(?), ref: 0041D383
CharUpperW.USER32(?), ref: 0041D399

Part of subcall function 0054DE73: _malloc.LIBCMT ref: 0054DE8D

Strings

TBB, xrefs: 0041D3BD
PST, xrefs: 0041D4DF
THUNDERBIRD, xrefs: 0041D580
OST, xrefs: 0041D548

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: CharUpper$_malloc
String ID: OST$PST$TBB$THUNDERBIRD
API String ID: 3834236186-1104251276
Opcode ID: a9dfd6b172183a3fba5f0750cb391f30620e8541ed31e32062a321e71b4c6ee4
Instruction ID: 4559aa5724d87ca400415edd28439ac067b0fee18038d07b16f6bfa98ed25a3b
Opcode Fuzzy Hash: a9dfd6b172183a3fba5f0750cb391f30620e8541ed31e32062a321e71b4c6ee4
Instruction Fuzzy Hash: F4F167B2D083519BC710EF69898169FFBE1BF99704F504D2EE59983250EB38D884CB5B

Uniqueness

Uniqueness Score: -1.00%

Function 00416AEC, Relevance: 9.2, APIs: 6, Instructions: 218COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00416B15
_memset.LIBCMT ref: 00416B2F

Part of subcall function 0040BD0A: __EH_prolog.LIBCMT ref: 0040BD0F

GetLogicalDriveStringsW.KERNELBASE(00000400,?,?,?,?,?,?,?,?), ref: 00416B4D
GetSystemDirectoryW.KERNEL32(?,00000400), ref: 00416B70

Part of subcall function 00418A23: __EH_prolog.LIBCMT ref: 00418A28

GetDriveTypeW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,005E3970,000000FF), ref: 00416BC0

Part of subcall function 00417871: DeviceIoControl.KERNEL32(00000000,002D0800,00000000,00000000,00000000,00000000,?,00000000), ref: 00417965
Part of subcall function 00417871: CloseHandle.KERNEL32(00000000), ref: 00417970

GetDriveTypeW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,005E3970,000000FF), ref: 00416CAE

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Drive$H_prologType_memset$CloseControlDeviceDirectoryHandleLogicalStringsSystem
String ID:
API String ID: 653048085-0
Opcode ID: 5a74b144c0bdfd6486515b6af61d040d517ecdcdab6187388787fa632d9f45ed
Instruction ID: f42da7431cee3868c2a19145b3ed7ba8a389a6dc5d9546ccc49d3724ea6c418b
Opcode Fuzzy Hash: 5a74b144c0bdfd6486515b6af61d040d517ecdcdab6187388787fa632d9f45ed
Instruction Fuzzy Hash: A6716072D0011D9ACF21EBE5DC859EEB779EF44304F01406BE945B3151DB78AE89CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA8F, Relevance: 3.1, APIs: 2, Instructions: 149COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040AA94
GetSystemInfo.KERNELBASE(?,005F9E10,?,00000000,00409248,?,?,00000001,00000000,00000000,00000000,000000FF,00000001,00000000,00000001,00000001), ref: 0040AAF1

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prologInfoSystem
String ID:
API String ID: 3096475795-0
Opcode ID: 944275ac92ae5064598e7b452a67e3f552dd002411b683962557baac9ba433a6
Instruction ID: 561f6cd7d887d5d1339e4d391f552f8b4037ce96ac8277e9bf04622d113154f5
Opcode Fuzzy Hash: 944275ac92ae5064598e7b452a67e3f552dd002411b683962557baac9ba433a6
Instruction Fuzzy Hash: F9516E72804258EEDB00EBE5CD85BDEBBB8AF04318F14455EF509B72C2DA786B48C765

Uniqueness

Uniqueness Score: -1.00%

Function 0051A61C, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 43COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0051A689

Part of subcall function 005188C9: _strrchr.LIBCMT ref: 005188CD
Part of subcall function 005188C9: _strrchr.LIBCMT ref: 005188D7

_abort.LIBCMT ref: 0051A67C

Part of subcall function 00550F9A: __NMSG_WRITE.LIBCMT ref: 00550FBB
Part of subcall function 00550F9A: _raise.LIBCMT ref: 00550FCC
Part of subcall function 00550F9A: _memset.LIBCMT ref: 00551064
Part of subcall function 00550F9A: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000100), ref: 00551096
Part of subcall function 00550F9A: UnhandledExceptionFilter.KERNEL32(?,?,?,00000100), ref: 005510A3

Strings

Assertion %s failed in %s at %s:%u, xrefs: 0051A650
util.c, xrefs: 0051A636
%s. (Stack trace not available), xrefs: 0051A668
size < SIZE_T_CEILING, xrefs: 0051A64B
tor_malloc_, xrefs: 0051A646

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled_strrchr$_abort_malloc_memset_raise
String ID: %s. (Stack trace not available)$Assertion %s failed in %s at %s:%u$size < SIZE_T_CEILING$tor_malloc_$util.c
API String ID: 3673156449-1576514588
Opcode ID: 877cfc45dc3c92a485c231ea042544276ff25cebc4176bc6fa8608f5d5168fd3
Instruction ID: c9546bc45469d870608cc1ceee0cce39ad4f6af0585207e15caba24584b182a2
Opcode Fuzzy Hash: 877cfc45dc3c92a485c231ea042544276ff25cebc4176bc6fa8608f5d5168fd3
Instruction Fuzzy Hash: C9F0E9617653026AF232316A5C57FEA1E4C7BE4B55F100433B90CBA2D2E9E09DC504B5

Uniqueness

Uniqueness Score: -1.00%

Function 00415A00, Relevance: 12.1, APIs: 8, Instructions: 122fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041556B: CreateFileW.KERNELBASE(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004155CF

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

SetFileAttributesW.KERNELBASE(00000000,0000000F,00000080,00000001,00000000,00000000,00000000,000000FF), ref: 00415A6F
CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000000,00000000,0000000F), ref: 00415A89
GetLastError.KERNEL32 ref: 00415AA7
GetLastError.KERNEL32 ref: 00415B4B

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: File$CreateErrorLast$Attributeschar_traits
String ID:
API String ID: 3854950049-0
Opcode ID: b51e8706428069ce970d567471c1fb3578d2747c0055290d84f583d3561fed58
Instruction ID: 0aab119e5ad1309dbe9eb126ddda58a7f82948a9dee96526adf5e42ff56a3ea0
Opcode Fuzzy Hash: b51e8706428069ce970d567471c1fb3578d2747c0055290d84f583d3561fed58
Instruction Fuzzy Hash: 63417E72900249EFDF10AFA4DCC5AEE7BB8EF54398F10052AF551A3290D7395E84CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040A521, Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 258COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040A526

Part of subcall function 0041313E: __EH_prolog.LIBCMT ref: 00413143

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

CharUpperW.USER32(?,00000001,00000000,00000001,00000000,SOFTWARE\Microsoft\Windows\CurrentVersion\Run\,00000001,0058B70C,?,?,00000001,00000000,0040A88D,?,?,?), ref: 0040A5F1

Strings

\\?\, xrefs: 0040A5F7
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040A599
AVAST, xrefs: 0040A684
Client Server Runtime Subsystem, xrefs: 0040A739

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$CharUpperchar_traits
String ID: AVAST$Client Server Runtime Subsystem$SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$\\?\
API String ID: 2864591093-1697372643
Opcode ID: 54dbeaddf326a1768eca5de1c47990598ef5887ae4db4d14351903cfc6525848
Instruction ID: c6b3f9f02a38d750fe8605fb091f497de25cb0b821efcebcb881a12b36a1f2ee
Opcode Fuzzy Hash: 54dbeaddf326a1768eca5de1c47990598ef5887ae4db4d14351903cfc6525848
Instruction Fuzzy Hash: 5DA17032C05288EEDF01EBF4C845BCDBBB49F15318F1481AAE605771C2DAB81B49D766

Uniqueness

Uniqueness Score: -1.00%

Function 00566E53, Relevance: 10.6, APIs: 7, Instructions: 71threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 00566E84
__calloc_crt.LIBCMT ref: 00566E90
__getptd.LIBCMT ref: 00566E9D
__initptd.LIBCMT ref: 00566EA6
CreateThread.KERNELBASE(?,?,00566DD0,00000000,?,?), ref: 00566ED4
GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00566EDE
__dosmaperr.LIBCMT ref: 00566EF6

Part of subcall function 0054FF67: __getptd_noexit.LIBCMT ref: 0054FF67

Part of subcall function 0054DCE9: __decode_pointer.LIBCMT ref: 0054DCF4

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit__initptd
String ID:
API String ID: 3358092440-0
Opcode ID: 8e8ac53a5d3a03c8ee3b1f1786c9bef82525a6d3b35524dd09ea0be8eb28980e
Instruction ID: b411b64c96bfdf496679c08ed4ee92551e68e9020df60553250cf9b660e30627
Opcode Fuzzy Hash: 8e8ac53a5d3a03c8ee3b1f1786c9bef82525a6d3b35524dd09ea0be8eb28980e
Instruction Fuzzy Hash: 1D11BF72501206AFDB10BFA8DC8A89F7FA8FF84324B20403AF91493191EB72DD559B60

Uniqueness

Uniqueness Score: -1.00%

Function 0041AB82, Relevance: 9.1, APIs: 6, Instructions: 133registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00000001,?,00000010,?,00000000,?,0041AA04,?,?,?,?,005F9E10,?), ref: 0041ABBE
RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,00000000,?,00000007,?,0041AA04,?,?,?,?,005F9E10,?), ref: 0041ABF8
RegCloseKey.KERNELBASE(?,?,0041AA04,?,?,?,?,005F9E10,?,?,004091A2,?,00000000,?,005F9E10,00000001), ref: 0041AC0D
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,00000007,?,0041AA04,?,?,?,?,005F9E10,?), ref: 0041AC4A
RegCloseKey.ADVAPI32(?,?,0041AA04,?,?,?,?,005F9E10,?,?,004091A2,?,00000000,?,005F9E10,00000001), ref: 0041AC5F
RegCloseKey.ADVAPI32(?,?,?,0041AA04,?,?,?,?,005F9E10,?,?,004091A2,?,00000000,?,005F9E10), ref: 0041ACC5

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Close$QueryValue$Open
String ID:
API String ID: 4117052246-0
Opcode ID: 70a0974806a73ffb224f902ab8304f4d88fc92c7b710db27d7d51a816c72c51c
Instruction ID: 05bbb73e4a224557291e9c41d201345eb6dd911abf7cd99cb31bbd14388a45c6
Opcode Fuzzy Hash: 70a0974806a73ffb224f902ab8304f4d88fc92c7b710db27d7d51a816c72c51c
Instruction Fuzzy Hash: BE416F72901109EFDB04DFA4CD859EDBBB9FF04304F10406AF502A72A0D775AE54DB65

Uniqueness

Uniqueness Score: -1.00%

Function 004111E4, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 212COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004111E9

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Part of subcall function 004115C5: __EH_prolog.LIBCMT ref: 004115CA
Part of subcall function 004115C5: CreateDirectoryW.KERNELBASE(00000000,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000001,00000001,?,?,00000000,00411276,?), ref: 004116B1
Part of subcall function 004115C5: GetLastError.KERNEL32(?,?,00000000,00411276,?,00000001,00000000), ref: 004116BB
Part of subcall function 004115C5: GetFileAttributesW.KERNEL32(00000000,?,?,00000000,00411276,?,00000001,00000000), ref: 004116D5

Strings

--DataDirectory, xrefs: 00411355
--SOCKSPort, xrefs: 00411300
--bridge, xrefs: 004113BB
--ignore-missing-torrc, xrefs: 004112D3

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$AttributesCreateDirectoryErrorFileLastchar_traits
String ID: --DataDirectory$--SOCKSPort$--bridge$--ignore-missing-torrc
API String ID: 3466364229-2885400816
Opcode ID: 83d04b7570980dc56848c08dde38ebf3dc8d70482de82f7e8164def69007d05f
Instruction ID: 1a46922c2742f45d4a1e7175345dba749d7ad9fe6b86a33151203023ffeff536
Opcode Fuzzy Hash: 83d04b7570980dc56848c08dde38ebf3dc8d70482de82f7e8164def69007d05f
Instruction Fuzzy Hash: 93717271904148EEEB14EBA5C886ADDBFBCAF14308F10446EE101B32D2DB795E44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041556B, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

CreateFileW.KERNELBASE(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004155CF

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

GetFileSize.KERNEL32(000000FF,00000000,00000001,00000000,00000001,00000001), ref: 00415625
ReadFile.KERNELBASE(000000FF,00000000,00000001,0000000F,00000000,00000000,00000000,00000000,00000001), ref: 00415663
FindCloseChangeNotification.KERNELBASE(000000FF,00000001,00000000,00000000,00000000,000000FF,0058B4A1), ref: 004156C5

Strings

\\?\, xrefs: 0041558D

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: File$ChangeCloseCreateFindH_prologNotificationReadSizechar_traits
String ID: \\?\
API String ID: 714258387-4282027825
Opcode ID: 6d40234cbf27d303b640a75679a385cfd0b77bde9c40111d14b8ced243f75175
Instruction ID: e7a8a6b27b571dc67b324a34b3fca17927c06e69b36893c63c46179c53c7dde1
Opcode Fuzzy Hash: 6d40234cbf27d303b640a75679a385cfd0b77bde9c40111d14b8ced243f75175
Instruction Fuzzy Hash: 29412B72A00208ABDF10EFA5CC95FEE7BB8EF84714F10446AF515B7191EB789A44CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004115C5, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004115CA

Part of subcall function 00417980: _memset.LIBCMT ref: 004179A5
Part of subcall function 00417980: GetTempPathW.KERNEL32(00000400,?), ref: 004179CA

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

Part of subcall function 0040D292: __EH_prolog.LIBCMT ref: 0040D297

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

CreateDirectoryW.KERNELBASE(00000000,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000001,00000001,?,?,00000000,00411276,?), ref: 004116B1
GetLastError.KERNEL32(?,?,00000000,00411276,?,00000001,00000000), ref: 004116BB
GetFileAttributesW.KERNEL32(00000000,?,?,00000000,00411276,?,00000001,00000000), ref: 004116D5

Strings

a4ad4ip2xzclh6fd.onion, xrefs: 004115DE

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$AttributesCreateDirectoryErrorFileLastPathTemp_memsetchar_traits
String ID: a4ad4ip2xzclh6fd.onion
API String ID: 3145127264-1920382520
Opcode ID: 2c06c830d6489c43a3cab0a5162e7833bcb87630fa74bb8b1816656e4832cb55
Instruction ID: d1a6285b658dc726bfc8ea858675a62124a6a1473bd0398269db1e722f49b7b9
Opcode Fuzzy Hash: 2c06c830d6489c43a3cab0a5162e7833bcb87630fa74bb8b1816656e4832cb55
Instruction Fuzzy Hash: A441A172900118EBDB10EBE5CC85ADEBB78AF14318F14456AF605B3181DB786E49CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0054FB25, Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0054FB43

Part of subcall function 00556112: __mtinitlocknum.LIBCMT ref: 00556128
Part of subcall function 00556112: __amsg_exit.LIBCMT ref: 00556134
Part of subcall function 00556112: RtlEnterCriticalSection.NTDLL(?), ref: 0055613C

___sbh_find_block.LIBCMT ref: 0054FB4E
___sbh_free_block.LIBCMT ref: 0054FB5D
RtlFreeHeap.NTDLL(00000000,?,005DAA68,0000000C,005506B1,00000000,?,00550A15,?,00000001,?,?,0055609C,00000018,005DAC78,0000000C), ref: 0054FB8D
GetLastError.KERNEL32(?,00550A15,?,00000001,?,?,0055609C,00000018,005DAC78,0000000C,0055612D,?,?,?,0055076B,0000000D), ref: 0054FB9E

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: f8bc6710369c74b31ce2a4bac9a73dff4b03522297202a4cf09614b6160071ee
Instruction ID: bf5ded5c3a2da6e79cff59dd4495d3ffc7fdc02111ce33b4bf9a0fdaa98ac906
Opcode Fuzzy Hash: f8bc6710369c74b31ce2a4bac9a73dff4b03522297202a4cf09614b6160071ee
Instruction Fuzzy Hash: 89014F31C05607EAEB206BB8EC1EB9E3F64FF8672AF144526F800AA1C1DE749544DF65

Uniqueness

Uniqueness Score: -1.00%

Function 0041B2FA, Relevance: 6.1, APIs: 4, Instructions: 119fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

CreateFileW.KERNELBASE(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0041B351
GetFileSize.KERNEL32(000000FF,00000000,00000001,00000001), ref: 0041B398
CloseHandle.KERNEL32(000000FF,?), ref: 0041B41B

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: File$CloseCreateH_prologHandleSize
String ID:
API String ID: 2041516235-0
Opcode ID: a2297133f8a700c8c89f3915ee06872202faf7072e35fc491a89bd0f43149e17
Instruction ID: 786b0256b83315f1475c7869818d8c2c104baf1054248f497883fa4ac06ae10a
Opcode Fuzzy Hash: a2297133f8a700c8c89f3915ee06872202faf7072e35fc491a89bd0f43149e17
Instruction Fuzzy Hash: 3F413D71900209AFDF11EFA5CC85BDE7BA8EF04314F10852AFA24B7190D778A954DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00417DC2, Relevance: 6.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

GetShortPathNameW.KERNELBASE(00000000,00000000,00000000), ref: 00417DEC
GetShortPathNameW.KERNELBASE(00000000,00000000,00000000), ref: 00417E3C
WideCharToMultiByte.KERNEL32(00000001,00000400,000000FF,00000000,00000000,00000000,00000000,00000000,?,004129A4,?,00000000,00000001,00000000,DELETE SHADOWS ALL,00000001), ref: 00417E52
WideCharToMultiByte.KERNEL32(00000001,00000400,000000FF,00000000,00000000,00000000,00000000,00000000,?,004129A4,?,00000000,00000001,00000000,DELETE SHADOWS ALL,00000001), ref: 00417E73

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ByteCharMultiNamePathShortWide$char_traits
String ID:
API String ID: 896575834-0
Opcode ID: e135d788e474df31e1c57a4011849e15d003a8935aa70c6e9bccd1363d8efd53
Instruction ID: 2516f9eb414e66aa3397a4191322c914b30e326e0606e902c51f80397a0fb5ff
Opcode Fuzzy Hash: e135d788e474df31e1c57a4011849e15d003a8935aa70c6e9bccd1363d8efd53
Instruction Fuzzy Hash: 95217372901218BEDB14AFA1CC4EEEF7F7CEF45368F10442AF905B6191DA755A40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00412398, Relevance: 6.1, APIs: 4, Instructions: 51threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A13C: LoadLibraryA.KERNEL32(kernel32.dll,?,?,?,004123B2), ref: 0041A14A
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,GetComputerNameW), ref: 0041A162
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,GetSystemInfo), ref: 0041A16F
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,GetLogicalDriveStringsW), ref: 0041A17C
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,GetVolumeInformationW), ref: 0041A189
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,GetDriveTypeW), ref: 0041A196
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,GetSystemDirectoryW), ref: 0041A1A3
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,GetWindowsDirectoryA), ref: 0041A1B0
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,GetWindowsDirectoryW), ref: 0041A1BD
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,GetTempPathW), ref: 0041A1CA
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,FindFirstFileW), ref: 0041A1D7
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,FindNextFileW), ref: 0041A1E4
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,FindClose), ref: 0041A1F1
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 0041A1FE
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,ReadFile), ref: 0041A20B
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,WriteFile), ref: 0041A218
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 0041A225
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,SetFileAttributesW), ref: 0041A232
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,GetFileAttributesW), ref: 0041A23F
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,SetFilePointer), ref: 0041A24C
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,GetFileSize), ref: 0041A259
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 0041A266
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,CreateDirectoryW), ref: 0041A273

__time64.LIBCMT ref: 004123B4

Part of subcall function 0054DE22: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00402500,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000000,000000FF), ref: 0054DE2D
Part of subcall function 0054DE22: __aulldiv.LIBCMT ref: 0054DE4D

GetCurrentThreadId.KERNEL32 ref: 004123BF
_clock.LIBCMT ref: 004123C7

Part of subcall function 0054E1CE: GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,?,?,00415DDD), ref: 0054E1DA
Part of subcall function 0054E1CE: __aulldiv.LIBCMT ref: 0054E20B

Part of subcall function 0054E24C: __getptd.LIBCMT ref: 0054E251

SetErrorMode.KERNELBASE(00000001), ref: 004123D9

Part of subcall function 00405774: __EH_prolog.LIBCMT ref: 00405779

Part of subcall function 004059A7: __set_invalid_parameter_handler.LIBCMT ref: 004059D5

Part of subcall function 00401837: CloseHandle.KERNEL32(00000000), ref: 00401843

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProc$Time$FileSystem__aulldiv$CloseCurrentErrorH_prologHandleLibraryLoadModeThread__getptd__set_invalid_parameter_handler__time64_clockchar_traits
String ID:
API String ID: 1316367552-0
Opcode ID: 7ae90501ebc4f8e8f30ed314218e20ef70a2406a0c56788136171bddb6041881
Instruction ID: 5c3d0786dcd94a95d7e0ca10f54f622b99982f843032d36679869d025159e9ec
Opcode Fuzzy Hash: 7ae90501ebc4f8e8f30ed314218e20ef70a2406a0c56788136171bddb6041881
Instruction Fuzzy Hash: 0A0180729002189ADB10B7B69C4BBDE7768EF84318F04047AB105F7182EE789E48DAA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041AAFE, Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00000002,00000000,00000010,?,?,0041AAD7,?,?,?,0041A9C1,?,?,00000000), ref: 0041AB25
RegSetValueExW.KERNELBASE(00000000,00000000,00000000,00000001,00000000,00000002,?,?,00000000,?,0041AAD7,?,?,?,0041A9C1,?), ref: 0041AB58
RegCloseKey.ADVAPI32(00000000,00000000,?,0041AAD7,?,?,?,0041A9C1,?,?,00000000,004092D3,00000000,00000000,005F9E10,00000001), ref: 0041AB69
RegCloseKey.KERNELBASE(00000000,00000000,?,0041AAD7,?,?,?,0041A9C1,?,?,00000000,004092D3,00000000,00000000,005F9E10,00000001), ref: 0041AB71

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Close$OpenValue
String ID:
API String ID: 3951040859-0
Opcode ID: 54db5b6233abcd7aebf5067445b4886aa1183ea0a7fdf2183ab9cefb13210893
Instruction ID: 34e01c710422cddb010ed9259fc3e71d7c5131b5d01a9a33387dd7b106ecfd65
Opcode Fuzzy Hash: 54db5b6233abcd7aebf5067445b4886aa1183ea0a7fdf2183ab9cefb13210893
Instruction Fuzzy Hash: CA01C071102300BBEB109FA0CE8AFAA7BACAF04304F100426B601E6591E7B8EA14DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00417A57, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 281COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00417A77
GetVersionExW.KERNEL32(?,00000000,00000000,000000FF,00000000,00000000,000000FF), ref: 00417A8C

Part of subcall function 0040D292: __EH_prolog.LIBCMT ref: 0040D297

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Strings

;1;, xrefs: 00417ABC

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$Version_memsetchar_traits
String ID: ;1;
API String ID: 4115988072-2687057397
Opcode ID: 14b61e89ace4a1bf9e7eff78ee1f249c17c4dc64c0f808f3b1c2965c3f62389b
Instruction ID: fbc56275ef2a6ad554cba52adb2cdc2ed0b0cb946d4e2025abe141d0f83204ae
Opcode Fuzzy Hash: 14b61e89ace4a1bf9e7eff78ee1f249c17c4dc64c0f808f3b1c2965c3f62389b
Instruction Fuzzy Hash: A991D0B2C04118AADF10EBE5DC46DDF777CAF45308F1145AAB605B3141EA386F89CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00405774, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00405779

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Part of subcall function 00415DB8: __time64.LIBCMT ref: 00415DC4
Part of subcall function 00415DB8: GetCurrentThreadId.KERNEL32 ref: 00415DD0
Part of subcall function 00415DB8: _clock.LIBCMT ref: 00415DD8
Part of subcall function 00415DB8: _rand.LIBCMT ref: 00415DE8
Part of subcall function 00415DB8: _rand.LIBCMT ref: 00415DF2
Part of subcall function 00415DB8: _rand.LIBCMT ref: 00415E01

Part of subcall function 004159AD: _memset.LIBCMT ref: 004159D3
Part of subcall function 004159AD: GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 004159E9

Strings

SOFTWARE\System32\Configuration\, xrefs: 004057D5
System32, xrefs: 004057C4

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _rand$CurrentFileH_prologModuleNameThread__time64_clock_memsetchar_traits
String ID: SOFTWARE\System32\Configuration\$System32
API String ID: 4028515199-2374638423
Opcode ID: 0172d415223262f0b1cbe45c2cf82b73420ba24dda29488ff8c686f69a74bb27
Instruction ID: ec9e56347f24a9c4ea9333d2ef5e8eb2c87eb8a43977d495f5293648e166acf5
Opcode Fuzzy Hash: 0172d415223262f0b1cbe45c2cf82b73420ba24dda29488ff8c686f69a74bb27
Instruction Fuzzy Hash: 7051A471901344EEDB04EFA5C9857DDBFB8BF45308F10819AE504BB282DBB85B48CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00409D6F, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409D74

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Strings

xVersion, xrefs: 00409DBD
4.0.0.1, xrefs: 00409E8B

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prologchar_traits
String ID: 4.0.0.1$xVersion
API String ID: 734123105-1157460051
Opcode ID: 5d1bdd9e6c6916d8918a5efbb60d2dd90ad4e89ce6bce4c6c202477c868e83b2
Instruction ID: 32757e5fe67e3a3f74283ce48273cfcda8d6186f51c80ec08af5dda560e04205
Opcode Fuzzy Hash: 5d1bdd9e6c6916d8918a5efbb60d2dd90ad4e89ce6bce4c6c202477c868e83b2
Instruction Fuzzy Hash: FA317272C04248EEDB01EBA5C895ADEBBBCEF54318F10816EE515B72C2DA741F44C765

Uniqueness

Uniqueness Score: -1.00%

Function 00405A1A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81sleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00405A28
Sleep.KERNEL32(00004E20,?,?,?,?,?,?,004059E3,?,?,?,?,?,?,?,0056F72C), ref: 00405A4D

Part of subcall function 004044A4: __EH_prolog.LIBCMT ref: 004044A9

Part of subcall function 004044FD: __EH_prolog.LIBCMT ref: 00404502

Part of subcall function 00404578: __EH_prolog.LIBCMT ref: 0040457D

Part of subcall function 0040222A: __EH_prolog.LIBCMT ref: 0040222F

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Strings

std exception: , xrefs: 00405A77

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$Sleepchar_traits
String ID: std exception:
API String ID: 1343582179-192970234
Opcode ID: d52bccff6709471c8c39ad6f1fe467123d30bb37dec71b6b10945557a209ee5a
Instruction ID: 5dbf755479c88b1a7103e6d148b6f3558c22e7a4e2a641d07a7910b253ff8f15
Opcode Fuzzy Hash: d52bccff6709471c8c39ad6f1fe467123d30bb37dec71b6b10945557a209ee5a
Instruction Fuzzy Hash: 07216DB2801148BADB10FBA2DC1AEDF7E6CEF95314F10846EF905B7192DA785B04C765

Uniqueness

Uniqueness Score: -1.00%

Function 00565D10, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61threadCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,30B20E82,0000001B,00000000,0000000F), ref: 00565D9B
ResumeThread.KERNELBASE(?,?,?,30B20E82,0000001B,00000000,0000000F), ref: 00565DA9

Part of subcall function 00404466: __EH_prolog.LIBCMT ref: 0040446B
Part of subcall function 00404466: __CxxThrowException@8.LIBCMT ref: 0040449E

Strings

,_X, xrefs: 00565D6D, 00565D71

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseException@8H_prologHandleResumeThreadThrow
String ID: ,_X
API String ID: 305045544-2525363915
Opcode ID: f7407945fc1146dcebf09d9d72daf3b287b41a5d04e22db4bc92658b2b71bfa8
Instruction ID: 7da7a442a679d23e0f139116aba8cb02582e47617d037f2eae67dd5f3e5e47e2
Opcode Fuzzy Hash: f7407945fc1146dcebf09d9d72daf3b287b41a5d04e22db4bc92658b2b71bfa8
Instruction Fuzzy Hash: 92118EB16447019FD300DF68CC85B56BBE8FF88724F540A2DFA59A72D0E774A904CB91

Uniqueness

Uniqueness Score: -1.00%

Function 005198FE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNELBASE(00001300,00000000,00000000,00000400,00000000,00000000,00000000,00000000,?,?,005036E6,00000000), ref: 00519924
LocalFree.KERNEL32(00000000,?,005036E6,00000000), ref: 0051994D

Strings

<unformattable error>, xrefs: 00519938

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: FormatFreeLocalMessage
String ID: <unformattable error>
API String ID: 1427518018-1798847607
Opcode ID: 9b194513c7d34e142c419afab315d958d121a8fbc2702baed99e67904cb7a375
Instruction ID: ecf96324091e50f6cc3d64c67e726d816cc333c234da7b06191f12646664e4d0
Opcode Fuzzy Hash: 9b194513c7d34e142c419afab315d958d121a8fbc2702baed99e67904cb7a375
Instruction Fuzzy Hash: 8AF05471502225FBDB219B929D19DDE7F39FB81F61F204056FA05B5140D6304F44EAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0051869A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

Part of subcall function 005186E5: _vwprintf.LIBCMT ref: 005186EF

_abort.LIBCMT ref: 005186DB

Strings

compat.c, xrefs: 005186C8
tor_asprintf, xrefs: 005186BE

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _abort_vwprintf
String ID: compat.c$tor_asprintf
API String ID: 4233853164-2677870121
Opcode ID: a03e9e0d94a096926dc831e935f2570e4794f5c9482fa548d1e233bb11bc2dd6
Instruction ID: fadafcaa48bf7083b93e84692499a71288c94c27a24677b5f98bcd0c605584d9
Opcode Fuzzy Hash: a03e9e0d94a096926dc831e935f2570e4794f5c9482fa548d1e233bb11bc2dd6
Instruction Fuzzy Hash: CEE04FA27453826BFE3135D99C8AAAB6A8DBBE0351F44083AF90492182FA7184945666

Uniqueness

Uniqueness Score: -1.00%

Function 0041730F, Relevance: 4.6, APIs: 3, Instructions: 79COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00417344
SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00417362
SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00417382

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: FolderPath$_memset
String ID:
API String ID: 3393382086-0
Opcode ID: 1e69431a5f520d9351b9834158e3e0f8fc8fba4d5d46b794e6891ab280a1aec8
Instruction ID: 486add32d1bd1975be3852fe7ddbfa561011ec75baf33ba7af5d0a6af7282b7d
Opcode Fuzzy Hash: 1e69431a5f520d9351b9834158e3e0f8fc8fba4d5d46b794e6891ab280a1aec8
Instruction Fuzzy Hash: E9214F7190020EAADB10EFA4DC85AEE77BCEB04308F008466F915A7191E678AE49DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0041774D, Relevance: 4.5, APIs: 3, Instructions: 41COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00417773
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0041778A
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004177B5

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: DirectoryInformationSystemVolume_memset
String ID:
API String ID: 785281299-0
Opcode ID: bad934b292ef8e7dbace70f4a1860d99254efede735c54babced6f8f1428d2a5
Instruction ID: 6a02b3b11f271934ad5a11fa5909a96e5994bf352c919e94de401f9ef6c16c0e
Opcode Fuzzy Hash: bad934b292ef8e7dbace70f4a1860d99254efede735c54babced6f8f1428d2a5
Instruction Fuzzy Hash: B6F068B6902328A7DB10DBA49C4DEDB7BBCEF09750F1044A2B919E3142F174DB44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041596F, Relevance: 4.5, APIs: 3, Instructions: 24COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000,?,0040964B,00000001,00000000,00000001,00000001,00000001,00000001,00000000,00000000,000000FF), ref: 00415976
CreateDirectoryW.KERNELBASE(00000000,00000000,?), ref: 0041598E
SetFileAttributesW.KERNELBASE(00000000,?,00000006), ref: 004159A4

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: AttributesFile$CreateDirectory
String ID:
API String ID: 1875963930-0
Opcode ID: 5f9b2b74aaf9f8661979ec36e7f0f6d34efbbb09a0fac0d2fdea7c06a4d3c971
Instruction ID: a87f67fb4d136739fb94b7c2a6d2cc6e3adc10a95ca1a0015dc824d9d6746be5
Opcode Fuzzy Hash: 5f9b2b74aaf9f8661979ec36e7f0f6d34efbbb09a0fac0d2fdea7c06a4d3c971
Instruction Fuzzy Hash: 0BE08C74500B00AAE9203B750C8ABDF228D1F623AEF840562F811E29E1C73C404B976E

Uniqueness

Uniqueness Score: -1.00%

Function 00566D8F, Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00566D9B

Part of subcall function 005506C0: __getptd_noexit.LIBCMT ref: 005506C3
Part of subcall function 005506C0: __amsg_exit.LIBCMT ref: 005506D0

__endthreadex.LIBCMT ref: 00566DAB

Part of subcall function 00566D52: __IsNonwritableInCurrentImage.LIBCMT ref: 00566D65
Part of subcall function 00566D52: __getptd_noexit.LIBCMT ref: 00566D75
Part of subcall function 00566D52: __freeptd.LIBCMT ref: 00566D7F
Part of subcall function 00566D52: RtlExitUserThread.NTDLL(?,?,00566DB0,00000000), ref: 00566D88
Part of subcall function 00566D52: __XcptFilter.LIBCMT ref: 00566DBC

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: __getptd_noexit$CurrentExitFilterImageNonwritableThreadUserXcpt__amsg_exit__endthreadex__freeptd__getptd
String ID:
API String ID: 1003287236-0
Opcode ID: d5ffaa2fac93b57a93795acfc15131be6656510bd2281e27697c5d96fa6a6ef3
Instruction ID: f7c7618201d0fe9112ace75dfba656db385953faac180528d5aae010a4362146
Opcode Fuzzy Hash: d5ffaa2fac93b57a93795acfc15131be6656510bd2281e27697c5d96fa6a6ef3
Instruction Fuzzy Hash: 3DE08CB0900A01EFEB08BBA0C85AF2D3B75BF84312F20004AF4025B2B2CA359904EF20

Uniqueness

Uniqueness Score: -1.00%

Function 004076C2, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004076C7

Part of subcall function 00408F74: __EH_prolog.LIBCMT ref: 00408F79
Part of subcall function 00408F74: _swscanf.LIBCMT ref: 00408FD0

Strings

xmail, xrefs: 004076DB

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$_swscanf
String ID: xmail
API String ID: 3564940915-2145529671
Opcode ID: 4f87d951f23788018796392ce3220adaf4d3ad1dfbc8285a11d092daa1ff59b8
Instruction ID: 43db2cbb4ee7d3465fea96ed397aaa94fdab7b8e7bc123b9de1572122abec5e1
Opcode Fuzzy Hash: 4f87d951f23788018796392ce3220adaf4d3ad1dfbc8285a11d092daa1ff59b8
Instruction Fuzzy Hash: 20117C76C05258AEDB14EFD0D891AEEBB78BF00344F10442FB61177281DB781B04CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00419109, Relevance: 3.2, APIs: 2, Instructions: 158COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041910E

Part of subcall function 0040C1A0: __EH_prolog.LIBCMT ref: 0040C1A5
Part of subcall function 0040C1A0: __CxxThrowException@8.LIBCMT ref: 0040C1DF

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$Exception@8Throw
String ID:
API String ID: 1007369359-0
Opcode ID: 96a93bbead7e1a2c0a8ecbf46d7943b4fb7bc5442bd4f40755a02dc8d52a9684
Instruction ID: 5f96b7ceea658c4bb8258cbca563ec11ecf50b986cc0ac0dd273bb72d418f151
Opcode Fuzzy Hash: 96a93bbead7e1a2c0a8ecbf46d7943b4fb7bc5442bd4f40755a02dc8d52a9684
Instruction Fuzzy Hash: 7051B371E00206AFDB18DFA8C5969EEB7B4FF44314F108A2AE516A7244D774FE81CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00404333, Relevance: 3.1, APIs: 2, Instructions: 74COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00404338
char_traits.LIBCPMT ref: 004043E2

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prologchar_traits
String ID:
API String ID: 734123105-0
Opcode ID: 9fe3726bf9e4694d79bc00958c42f1e123686dac2412f5a930b296b65873facc
Instruction ID: 8d1a93c7576940589c551fde110e179b4815740f83984529980f2f229e890f3d
Opcode Fuzzy Hash: 9fe3726bf9e4694d79bc00958c42f1e123686dac2412f5a930b296b65873facc
Instruction Fuzzy Hash: 6621D7B2A00606ABDB14DF54C8427ADB779FB84314F20852BFA15B71C1D775AA508BD8

Uniqueness

Uniqueness Score: -1.00%

Function 00408F74, Relevance: 3.1, APIs: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408F79
_swscanf.LIBCMT ref: 00408FD0

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog_swscanf
String ID:
API String ID: 2233257175-0
Opcode ID: be05636047aca3cc67ee055530737c99365bd5c052e30f0268a8add6fb499b4c
Instruction ID: 1b3fb9d94e572ac1d1f71da2ec0990b4464615d01ca8e9d3a80bb870dab937f5
Opcode Fuzzy Hash: be05636047aca3cc67ee055530737c99365bd5c052e30f0268a8add6fb499b4c
Instruction Fuzzy Hash: 4E110372900204EADB10EFA5CC46ADEBB78FF95304F01843AF515B7182DB389B49CB98

Uniqueness

Uniqueness Score: -1.00%

Function 005186E5, Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

_vwprintf.LIBCMT ref: 005186EF

Part of subcall function 005544F9: __vscwprintf_helper.LIBCMT ref: 0055450B

_vswprintf_s.LIBCMT ref: 0051871D

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: __vscwprintf_helper_vswprintf_s_vwprintf
String ID:
API String ID: 2695537769-0
Opcode ID: 0daa1fd4c098459b4f408f9414360299b54e3937e1178db900116bea13cd5fa9
Instruction ID: 1febc336b014a45a518a8c729338373fc5da47dbd3fc1c71bfd6ee5d10d712b4
Opcode Fuzzy Hash: 0daa1fd4c098459b4f408f9414360299b54e3937e1178db900116bea13cd5fa9
Instruction Fuzzy Hash: 60018636204205ABEB215E68DC85ABE3FA5FB85775F204615FD148B2D1DA329C508661

Uniqueness

Uniqueness Score: -1.00%

Function 0041AA75, Relevance: 3.0, APIs: 2, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(?,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000010,005F9E10,?,00000000,?,0041A9C1,?), ref: 0041AAAC
RegCloseKey.KERNELBASE(?,?,0041A9C1,?,?,00000000,004092D3,00000000,00000000,005F9E10,00000001,00000000,00000000,00000000,000000FF,?), ref: 0041AAC0

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseCreate
String ID:
API String ID: 2932200918-0
Opcode ID: 721548b904ae38c2eda97d21fab090d208ccff6c6c037bfc24f6d8730fa34cea
Instruction ID: e06671b557e2a2f2ebfef59082521ff48af3e6aa48c7270dbe69357e82c6aabb
Opcode Fuzzy Hash: 721548b904ae38c2eda97d21fab090d208ccff6c6c037bfc24f6d8730fa34cea
Instruction Fuzzy Hash: 66017872502218BBCB15DF95CD85DEEBFACFF097A0B000016F20992900DB74AA58DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0054DE73, Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0054DE8D

Part of subcall function 00550067: __FF_MSGBANNER.LIBCMT ref: 0055008A
Part of subcall function 00550067: __NMSG_WRITE.LIBCMT ref: 00550091
Part of subcall function 00550067: RtlAllocateHeap.NTDLL(00000000,?,00000001), ref: 005500DE

__CxxThrowException@8.LIBCMT ref: 0054DED2

Part of subcall function 004013FE: std::exception::exception.LIBCMT ref: 00401408

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::exception::exception
String ID:
API String ID: 1264268182-0
Opcode ID: 5a1795058fbbde9789b3ebc8326d92d53e8ff1044d9779e218a809fb76ceb7d3
Instruction ID: 565fc9974d5014638a71431470cb794f2ddb56495d34e2352ec415018ae93e94
Opcode Fuzzy Hash: 5a1795058fbbde9789b3ebc8326d92d53e8ff1044d9779e218a809fb76ceb7d3
Instruction Fuzzy Hash: 10F0E2B060020AA2DB147225DC0A9A93F7EBBA1B1CB10046AFD11AA4E1DF35CA18D2A0

Uniqueness

Uniqueness Score: -1.00%

Function 00417586, Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004175A8
GetComputerNameW.KERNEL32(?,0000001F), ref: 004175B8

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ComputerName_memset
String ID:
API String ID: 3916078576-0
Opcode ID: 80e4779d4dbadc57e74c8b7681c8bc27818bb066017de2862e565dcc729fb472
Instruction ID: 53be73b2022dcef53dd9e3a6ea5f9e2cdb0c15e2704be187ceb0c4e4132ea9f3
Opcode Fuzzy Hash: 80e4779d4dbadc57e74c8b7681c8bc27818bb066017de2862e565dcc729fb472
Instruction Fuzzy Hash: 45F0ACB2A04209BADB10EBE59D46BDE77BCAF04744F500427BA05F3181F778AB099799

Uniqueness

Uniqueness Score: -1.00%

Function 00410E22, Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 00410E58
__CxxThrowException@8.LIBCMT ref: 00410E6D

Part of subcall function 0054DE73: _malloc.LIBCMT ref: 0054DE8D

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 4063778783-0
Opcode ID: fe1d180a71101f9363456a1891c510dc053974c7aa1eed5771f9eeebd0b06d94
Instruction ID: af954e29b6e7b37d86362f6153bd817e3dfba04166bf2fc9542d15b48c144e04
Opcode Fuzzy Hash: fe1d180a71101f9363456a1891c510dc053974c7aa1eed5771f9eeebd0b06d94
Instruction Fuzzy Hash: CAE0EC7160020A56DF08E6A48816EDF776C7B50714F100D2BB522E10C0EBF0C6444654

Uniqueness

Uniqueness Score: -1.00%

Function 0040C1E5, Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 0040C219
__CxxThrowException@8.LIBCMT ref: 0040C22E

Part of subcall function 0054DE73: _malloc.LIBCMT ref: 0054DE8D

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 4063778783-0
Opcode ID: 057f9e7f23dfaf7df146edbed34f3231d7f91f71a9c2d23802e91ca734f95b31
Instruction ID: 1e786ff32a706d71bb93b9777ae8945b6294f6fae5cba156e19412261f3738b5
Opcode Fuzzy Hash: 057f9e7f23dfaf7df146edbed34f3231d7f91f71a9c2d23802e91ca734f95b31
Instruction Fuzzy Hash: 0BE0E57161010A96DB0CFFA4881AAEF7B6C7B55724F200A6FA522E50C2EFB0C2044668

Uniqueness

Uniqueness Score: -1.00%

Function 004045D1, Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 00404605
__CxxThrowException@8.LIBCMT ref: 0040461A

Part of subcall function 0054DE73: _malloc.LIBCMT ref: 0054DE8D

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 4063778783-0
Opcode ID: 53b1dc5701418bafbf763e37fc10552d44ab5db2e8efd13f4327db61efe2cd30
Instruction ID: 20232956a6b99d748db08d7f9cf1190c62a20fe799faf3d30ea36266f11d2de3
Opcode Fuzzy Hash: 53b1dc5701418bafbf763e37fc10552d44ab5db2e8efd13f4327db61efe2cd30
Instruction Fuzzy Hash: 2BE0E5B1610109BBDB0CEF65C85AEDE3B6CBB90714F208A2BB522D50C0EBB0D3448B94

Uniqueness

Uniqueness Score: -1.00%

Function 0040CC23, Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 0040CC57
__CxxThrowException@8.LIBCMT ref: 0040CC6C

Part of subcall function 0054DE73: _malloc.LIBCMT ref: 0054DE8D

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 4063778783-0
Opcode ID: 380c5ecdb00b5bb7e080f89e9611a0c7984a3a96a3ee3d0f281f4d4a9ae677c9
Instruction ID: 258259aaca9fe79d7c0d7c2ee0749d093ede97d746ffdf145bfa5bd479fb77b4
Opcode Fuzzy Hash: 380c5ecdb00b5bb7e080f89e9611a0c7984a3a96a3ee3d0f281f4d4a9ae677c9
Instruction Fuzzy Hash: 3EE0EC7150010A96DB58EBA4C846ADF776C7B51714F100A3BA531E10C1EBB086084654

Uniqueness

Uniqueness Score: -1.00%

Function 00410431, Relevance: 1.8, APIs: 1, Instructions: 328COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00410436

Part of subcall function 0040BD0A: __EH_prolog.LIBCMT ref: 0040BD0F

Part of subcall function 0040B9A5: __EH_prolog.LIBCMT ref: 0040B9AA

Part of subcall function 0054DE73: _malloc.LIBCMT ref: 0054DE8D

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

Part of subcall function 0041B8A0: SetEvent.KERNEL32(00000000,005A7DBC,0041D220,00000000), ref: 0041B96F

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$Event_malloc
String ID:
API String ID: 3703941353-0
Opcode ID: 319f4ac730a7474832f77707fb47acb86c816d479ef318fecd4a617674acff00
Instruction ID: 4f1803c315171745e62bb66377c53cfda7b226bcf10c8c21e668976c4e189cbd
Opcode Fuzzy Hash: 319f4ac730a7474832f77707fb47acb86c816d479ef318fecd4a617674acff00
Instruction Fuzzy Hash: 80D15B71E00219DFDF11EBA4C885BDDBBB5BF44304F1081AAE609B7281DB78AA85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0041313E, Relevance: 1.7, APIs: 1, Instructions: 202COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00413143

Part of subcall function 0040BD0A: __EH_prolog.LIBCMT ref: 0040BD0F

Part of subcall function 00413375: __EH_prolog.LIBCMT ref: 0041337A
Part of subcall function 00413375: _memset.LIBCMT ref: 004133C1
Part of subcall function 00413375: RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00000009,00000000,00000000,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\,?,?,?,?,?,?), ref: 004133FC
Part of subcall function 00413375: RegQueryInfoKeyW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000001,?), ref: 0041343F
Part of subcall function 00413375: _memset.LIBCMT ref: 00413477

Part of subcall function 00413375: RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 0041349C
Part of subcall function 00413375: RegOpenKeyExW.KERNELBASE(?,?,00000000,00000001,?), ref: 00413546
Part of subcall function 00413375: RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004137F8

Part of subcall function 0040B9A5: __EH_prolog.LIBCMT ref: 0040B9AA

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$EnumOpen_memset$InfoQuery
String ID:
API String ID: 295484707-0
Opcode ID: 9f2ae7713be6bd52ff3b729c587a370070ba349f366bce689e6dbafd11423db2
Instruction ID: 91099fabbb33d52fac9549c6185710e85fab29ee83057c0d0ac6e5c64980472e
Opcode Fuzzy Hash: 9f2ae7713be6bd52ff3b729c587a370070ba349f366bce689e6dbafd11423db2
Instruction Fuzzy Hash: 80711872D00219EFDF11EFE5D8869EEBB75FF48314F10442AE514B7291CB74AA418BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415EE8, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00415F0E

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: fa5a7ea425e5f6848c80b27a5f791679fd5ab81268c12a2b5eae67f5209a47d2
Instruction ID: 518b356d437bb01518504eacacfcb107a34d11f0a451d61f64e4885d6bfc53f2
Opcode Fuzzy Hash: fa5a7ea425e5f6848c80b27a5f791679fd5ab81268c12a2b5eae67f5209a47d2
Instruction Fuzzy Hash: DA219D725087019BD320CE19D8814DFBBE8ABC5364F540A2FF599D7281E734DA49CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040B9A5, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040B9AA

Part of subcall function 0040C1A0: __EH_prolog.LIBCMT ref: 0040C1A5
Part of subcall function 0040C1A0: __CxxThrowException@8.LIBCMT ref: 0040C1DF

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$Exception@8Throw
String ID:
API String ID: 1007369359-0
Opcode ID: 7c568e68ac0393e2582fe43e94c8f393730bb4da606d7079ce83b3685485a5a9
Instruction ID: 9959add38b86d5413294cedc82398807e02d53a3b728b44d80071cfa62a61ed4
Opcode Fuzzy Hash: 7c568e68ac0393e2582fe43e94c8f393730bb4da606d7079ce83b3685485a5a9
Instruction Fuzzy Hash: F9219276A00209DFCB14EF65E8829DEBBB5FF54314F10852EE515BB291D738AA048F94

Uniqueness

Uniqueness Score: -1.00%

Function 0040CAE5, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040CAEA

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 10ed5766138615e17fc7b0a033f5b7dba2437986ceca74f3b7a7e82d8947a33d
Instruction ID: 02eb48b1aebdd9ab1a5a8039a285f5aef52ed4836c691a9b8fc23167743dc6af
Opcode Fuzzy Hash: 10ed5766138615e17fc7b0a033f5b7dba2437986ceca74f3b7a7e82d8947a33d
Instruction Fuzzy Hash: AF21CF71A00205EBDB14DF54D882AAEB3B9FF84314F10862BF816A76D1D774BA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040C696, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

std::_String_base::_Xlen.LIBCPMT ref: 0040C6A1

Part of subcall function 0054D747: __EH_prolog3.LIBCMT ref: 0054D74E
Part of subcall function 0054D747: __CxxThrowException@8.LIBCMT ref: 0054D779

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8H_prolog3String_base::_ThrowXlenstd::_
String ID:
API String ID: 1675473389-0
Opcode ID: f311abe2ec454463713cf8cf46a2e3ace6cd92813cc103683f7d89e7c807831d
Instruction ID: ebe626ccf97099ec7101e52d60da850e40cea3bc0601a03915bb4cb2d3f9d9a4
Opcode Fuzzy Hash: f311abe2ec454463713cf8cf46a2e3ace6cd92813cc103683f7d89e7c807831d
Instruction Fuzzy Hash: 51F0B472A14600D7CA32677599C5A6F25E68FE5318F212F3FF142E71D1D93A8880C76E

Uniqueness

Uniqueness Score: -1.00%

Function 00403FAE, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

std::_String_base::_Xlen.LIBCPMT ref: 00403FBB

Part of subcall function 0054D747: __EH_prolog3.LIBCMT ref: 0054D74E
Part of subcall function 0054D747: __CxxThrowException@8.LIBCMT ref: 0054D779

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8H_prolog3String_base::_ThrowXlenstd::_
String ID:
API String ID: 1675473389-0
Opcode ID: 1a652359715be6c0c558522674a3079e317311e1e4116ad103add53191ea2367
Instruction ID: fa82dc54d6f614bd2e4a01b00f32a98e3b992e3b2e1873613d21b74b43ad3a59
Opcode Fuzzy Hash: 1a652359715be6c0c558522674a3079e317311e1e4116ad103add53191ea2367
Instruction Fuzzy Hash: B6F02B31B086026DDA31AD29880593F5DBEDFD1726F000E3FF843A22C0DA388A41919E

Uniqueness

Uniqueness Score: -1.00%

Function 0040D237, Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040D23C

Part of subcall function 0040C59E: std::_String_base::_Xlen.LIBCPMT ref: 0040C5D7

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prologString_base::_Xlenstd::_
String ID:
API String ID: 1284085515-0
Opcode ID: eb15caf02080a61599776ce3cde4ce954d5b81f59155ba7d853cafd8bee046c8
Instruction ID: f9f1b1ebb67037732cbafc9c0749b3d727ef3ee1ed2533cf40be6703eefe4ed4
Opcode Fuzzy Hash: eb15caf02080a61599776ce3cde4ce954d5b81f59155ba7d853cafd8bee046c8
Instruction Fuzzy Hash: 27F03076D00219EBCF10AFA5DC4ABCD7B64EB04369F108925F911771D1CB74A9048B58

Uniqueness

Uniqueness Score: -1.00%

Function 004059A7, Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

__set_invalid_parameter_handler.LIBCMT ref: 004059D5

Part of subcall function 0054DCC2: __decode_pointer.LIBCMT ref: 0054DCCE
Part of subcall function 0054DCC2: __encode_pointer.LIBCMT ref: 0054DCD8

Part of subcall function 00405A1A: __EH_prolog.LIBCMT ref: 00405A28
Part of subcall function 00405A1A: Sleep.KERNEL32(00004E20,?,?,?,?,?,?,004059E3,?,?,?,?,?,?,?,0056F72C), ref: 00405A4D

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prologSleep__decode_pointer__encode_pointer__set_invalid_parameter_handler
String ID:
API String ID: 2508137788-0
Opcode ID: 0641b074fce6a2b0ee1698a3f85e40de4f73c89eb6bc9fe567af7da94ebcde58
Instruction ID: 2655be3c0ed29cf41e2688e1e3052b7afd55770afc8c3a742de88b6b50e2a825
Opcode Fuzzy Hash: 0641b074fce6a2b0ee1698a3f85e40de4f73c89eb6bc9fe567af7da94ebcde58
Instruction Fuzzy Hash: E0F0A772600644FFD7149B85DC47F5BBF78F741B74F20432AF111622C0D7B829008AA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040E29A, Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040E29F

Part of subcall function 0040E381: __EH_prolog.LIBCMT ref: 0040E386

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: b3866d022df64740f9f7fde34bf01da4151c7fa18b0520fca3b170c2d6bb5a8f
Instruction ID: f9e9abc66905167dd1fab472f6d0e45803168efe40b2a7551e02ae939a62dcf2
Opcode Fuzzy Hash: b3866d022df64740f9f7fde34bf01da4151c7fa18b0520fca3b170c2d6bb5a8f
Instruction Fuzzy Hash: 7DF08C71900208EFDB20EF49D80679E7BB8FF40364F10882BF815AA281D7749A10CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00403C22, Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

char_traits.LIBCPMT ref: 00403C47

Part of subcall function 00401444: _memcpy_s.LIBCMT ref: 00401453

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _memcpy_schar_traits
String ID:
API String ID: 2582611847-0
Opcode ID: 24f9ad2d0121c9475975a4f033ae030e52aeb1bacd6347e8172ff35c8a3cf1ad
Instruction ID: d979953b4f333d11f47aff7552824f12985599e48f46c2a42506dcb5c58222dd
Opcode Fuzzy Hash: 24f9ad2d0121c9475975a4f033ae030e52aeb1bacd6347e8172ff35c8a3cf1ad
Instruction Fuzzy Hash: 58E037325083506EE734AE058805B5BBBEC9B95B15F048C2FF094621D2C779A598979A

Uniqueness

Uniqueness Score: -1.00%

Function 0040F393, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040F398

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4ca94030091c474476d208ad4c72edff3e24c4a963bca676efc705f2fabbea7f
Instruction ID: 30c736633fc7e46df1d0969e21789a79b255cf1855b799af1fabb956e3dc02d9
Opcode Fuzzy Hash: 4ca94030091c474476d208ad4c72edff3e24c4a963bca676efc705f2fabbea7f
Instruction Fuzzy Hash: 94E04F72A01604EFD704EF54D45AB9EBFB8FB90715F10842AF006AB181D7759A04CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0054DB38, Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

Part of subcall function 00550C74: __lock.LIBCMT ref: 00550C76

__onexit_nolock.LIBCMT ref: 0054DB50

Part of subcall function 0054DA4D: __decode_pointer.LIBCMT ref: 0054DA5C
Part of subcall function 0054DA4D: __decode_pointer.LIBCMT ref: 0054DA6C
Part of subcall function 0054DA4D: __msize.LIBCMT ref: 0054DA8A
Part of subcall function 0054DA4D: __realloc_crt.LIBCMT ref: 0054DAAE
Part of subcall function 0054DA4D: __realloc_crt.LIBCMT ref: 0054DAC4
Part of subcall function 0054DA4D: __encode_pointer.LIBCMT ref: 0054DAD6
Part of subcall function 0054DA4D: __encode_pointer.LIBCMT ref: 0054DAE4
Part of subcall function 0054DA4D: __encode_pointer.LIBCMT ref: 0054DAEF

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: __encode_pointer$__decode_pointer__realloc_crt$__lock__msize__onexit_nolock
String ID:
API String ID: 1316407801-0
Opcode ID: 6f4441e52b001283acaea012c7725850ce13c5480be60702df0439ab426c3b6f
Instruction ID: 33646886e64101b3b276851e4b06652598524b7677974fdd541f40e460260374
Opcode Fuzzy Hash: 6f4441e52b001283acaea012c7725850ce13c5480be60702df0439ab426c3b6f
Instruction Fuzzy Hash: A4D01735801706EACF10BBA8CC1AB9D7E70BFC0721F608246B420661D2CA345A05AB12

Uniqueness

Uniqueness Score: -1.00%

Function 0055042E, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

__encode_pointer.LIBCMT ref: 00550430

Part of subcall function 005503BC: TlsGetValue.KERNEL32(00000000,?,00550435,00000000,0055A730,005FBAD8,00000000,00000314,?,00551241,005FBAD8,Microsoft Visual C++ Runtime Library,00012010), ref: 005503CE
Part of subcall function 005503BC: TlsGetValue.KERNEL32(00000005,?,00550435,00000000,0055A730,005FBAD8,00000000,00000314,?,00551241,005FBAD8,Microsoft Visual C++ Runtime Library,00012010), ref: 005503E5
Part of subcall function 005503BC: RtlEncodePointer.NTDLL(00000000,?,00550435,00000000,0055A730,005FBAD8,00000000,00000314,?,00551241,005FBAD8,Microsoft Visual C++ Runtime Library,00012010), ref: 00550423

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Value$EncodePointer__encode_pointer
String ID:
API String ID: 2585649348-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: 3cfd599afd38eee8888886d7a578a4c47cb66464c24c6369f169ed3aa6175e7a
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0041157E, Relevance: 1.3, APIs: 1, Instructions: 13sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000064,?,0040655D), ref: 0041158D

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 9254955b657605e693925e8519a4b8be658952cf262bbd7a24f5800b2c47c18f
Instruction ID: 1e1e7f373e087356d51bde45ebff31da7e8cb85ae8d516c98bfcb5c53de357a8
Opcode Fuzzy Hash: 9254955b657605e693925e8519a4b8be658952cf262bbd7a24f5800b2c47c18f
Instruction Fuzzy Hash: 8BC01236C8A2257A991077A86A00BF992032B99728B0500239B4B67272824D49C5A2EF

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 005664B0, Relevance: 24.3, APIs: 16, Instructions: 292memorytimesleepCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(0000001F,30B20E82,?,00000000,?,30B20E82), ref: 0056651B
TlsGetValue.KERNEL32(0000001F,?,00000000,?,30B20E82), ref: 00566530
TlsGetValue.KERNEL32(0000001F,?,00000000,?,30B20E82), ref: 0056654B
CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 0056658A
SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,30B20E82), ref: 005665BD
WaitForMultipleObjects.KERNEL32(00000000,?,00000000,00000000), ref: 00566643
CloseHandle.KERNEL32(00000000), ref: 00566675

Part of subcall function 00566170: GetTickCount.KERNEL32 ref: 00566173

Sleep.KERNEL32(00000000), ref: 00566692
CloseHandle.KERNEL32(00000000), ref: 005666CE
TlsGetValue.KERNEL32(0000001F), ref: 005666F4
ResetEvent.KERNEL32(?), ref: 005666FE
__CxxThrowException@8.LIBCMT ref: 00566714
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005667B6
HeapFree.KERNEL32(00000000), ref: 005667BD
GetProcessHeap.KERNEL32(00000000,30B20E82), ref: 005667E8
HeapFree.KERNEL32(00000000), ref: 005667EF

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: HeapValue$CloseFreeHandleProcessTimerWaitable$CountCreateEventException@8MultipleObjectsResetSleepThrowTickWait
String ID:
API String ID: 1683310691-0
Opcode ID: 67bd55b8ae9d709f9a216ae00e8c6b60c24bb9c474dc7e88b9f9bcf85f11a5cb
Instruction ID: 2cd54254ab7b6d072c1bb2c1f53f84d4ec0b5434b6c0e328f96405479c59a320
Opcode Fuzzy Hash: 67bd55b8ae9d709f9a216ae00e8c6b60c24bb9c474dc7e88b9f9bcf85f11a5cb
Instruction Fuzzy Hash: 24A1AD715083419FD720DF28D884B6BBBE4FB95720F504A2DF9A597290DB34E809CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00412699, Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 364COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041269E
Wow64DisableWow64FsRedirection.KERNEL32(?,00000000,?,:,00000000,00407EC1,?,00000001,00000000,00000001,00000000,00000000,00000000,000000FF,00000001,00000000), ref: 00412718
GetFileAttributesW.KERNEL32(?,00000001), ref: 004127B0

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Wow64RevertWow64FsRedirection.KERNEL32(?,00000001,00000000,DELETE SHADOWS ALL,00000001,00000000,00000001,00000001,00000000,00000001,00000001,00000001,00000000,00000000,000000FF), ref: 0041297B
Wow64RevertWow64FsRedirection.KERNEL32(?,?,?,?,?,?,?,00000001,00000000,000000FF,?,?,?,00000001,00000000,000000FF), ref: 00412A73
Wow64RevertWow64FsRedirection.KERNEL32(?,?,?,?,?,?,?,00000001,00000000,000000FF,?,?,?,00000001,00000000,000000FF), ref: 00412AA5
Wow64RevertWow64FsRedirection.KERNEL32(?,00000001,00000000,00000001,00000001,00000001,00000000,000000FF,?,?,?,00000001,00000000,000000FF,?,00000001), ref: 00412AF6

Strings

diskshadow.exe, xrefs: 0041271A
.txt, xrefs: 0041285C
:, xrefs: 004126AE
DELETE SHADOWS ALL, xrefs: 00412938
/s , xrefs: 004129E4

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Wow64$Redirection$Revert$AttributesDisableFileH_prologchar_traits
String ID: .txt$/s $:$DELETE SHADOWS ALL$diskshadow.exe
API String ID: 3878854675-4290892364
Opcode ID: 08a490ab6cf7a51d658958e35a710b2ae38e31294577d71b67f08ea6aa997fb9
Instruction ID: eb20628e44a71d6262471ce2307eb7456b8d22ad60ded70e6ca3b2f03cf534ac
Opcode Fuzzy Hash: 08a490ab6cf7a51d658958e35a710b2ae38e31294577d71b67f08ea6aa997fb9
Instruction Fuzzy Hash: FBD19E72C05158EEDF21EBE5CD45BDEBBB8AF15308F1041AAE509B31C1DA781B48CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC3A, Relevance: 14.4, APIs: 4, Strings: 4, Instructions: 439COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040AC3F
_memset.LIBCMT ref: 0040ACCD

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

SystemParametersInfoW.USER32(00000073,00000400,?,00000000), ref: 0040B0EB
SystemParametersInfoW.USER32(00000014,00000000,00000000,00000001), ref: 0040B1D6

Part of subcall function 004173ED: _memset.LIBCMT ref: 00417422
Part of subcall function 004173ED: SHGetFolderPathW.SHELL32(00000000,-00000027,00000000,00000000,?,00000001,00000001), ref: 00417444

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

Part of subcall function 0040125E: WriteFile.KERNEL32(00000000,?,0000000E,?,00000000), ref: 004012F7
Part of subcall function 0040125E: WriteFile.KERNEL32(0000000E,?,00000028,0000000E,00000000), ref: 0040131C
Part of subcall function 0040125E: SelectObject.GDI32(?,00000000), ref: 00401367

Strings

SOFTWARE\System32\Configuration\, xrefs: 0040ACD5
.bmp, xrefs: 0040AF39, 0040B01F, 0040B16C
xwp, xrefs: 0040AD66, 0040B104
, xrefs: 0040B1C6

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: FileH_prologInfoParametersSystemWrite_memset$FolderObjectPathSelectchar_traits
String ID: $.bmp$SOFTWARE\System32\Configuration\$xwp
API String ID: 1684669956-3536616090
Opcode ID: 22c7ad6f174576e8e17baabf09bd3703044f683369cc8937850168740aaccbfb
Instruction ID: ea2d104fb3d057ef4773ddf2c08714b7c15dcd8f97292598f6c4aa44048e41ad
Opcode Fuzzy Hash: 22c7ad6f174576e8e17baabf09bd3703044f683369cc8937850168740aaccbfb
Instruction Fuzzy Hash: AA027031C05298EDEF11E7E4CD51BDEBB789F15308F1441EAA644732C2DAB41B88DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 004182F7, Relevance: 7.9, APIs: 5, Instructions: 431COMMON

Download Yara Rule

APIs

Part of subcall function 0041730F: _memset.LIBCMT ref: 00417344
Part of subcall function 0041730F: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00417362
Part of subcall function 0041730F: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00417382

Part of subcall function 004176EB: _memset.LIBCMT ref: 00417718
Part of subcall function 004176EB: GetUserNameW.ADVAPI32(?,00000100), ref: 0041772B

Part of subcall function 0040BD0A: __EH_prolog.LIBCMT ref: 0040BD0F

CharUpperW.USER32(?,?,?,?,?,?,?,?), ref: 00418357
CharUpperW.USER32(?,?,?,?,?,?,?), ref: 00418372
CharUpperW.USER32(?,?,?,?,?,?,?), ref: 00418384
CharUpperW.USER32(?), ref: 00418464
CharUpperW.USER32(?), ref: 004186C7

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: CharUpper$FolderH_prologPath_memset$NameUser
String ID:
API String ID: 1619233672-0
Opcode ID: e7116b87b3ebeb0290a4f467564f6ec62c2cee854041e6c82780f6ce90fca630
Instruction ID: 109392aa3e972eedc48bd76bff15fc6c31196fd4980e196cf2f8a5fa7cf2885e
Opcode Fuzzy Hash: e7116b87b3ebeb0290a4f467564f6ec62c2cee854041e6c82780f6ce90fca630
Instruction Fuzzy Hash: BEF15B72E0011DEBCF10EBE5CC81EDEB779AF04304F1545AAE605B7191DA74AA89CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00478E5B, Relevance: 6.9, Strings: 5, Instructions: 617COMMON

Download Yara Rule

Strings

incorrect header check, xrefs: 00478FEE
invalid window size, xrefs: 00478FDF
unknown header flags set, xrefs: 00479038
unknown compression method, xrefs: 00478F85
header crc mismatch, xrefs: 0047941C

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: header crc mismatch$incorrect header check$invalid window size$unknown compression method$unknown header flags set
API String ID: 0-3633268661
Opcode ID: a72e7d3d0a8bf3f004394b15520fa28b7b16c887502224bd066dcfce93b05c38
Instruction ID: d2c643883f9eb644185f8c1f5ee734e90dcbb764bc4bf71b6f01768b4aa7ecd9
Opcode Fuzzy Hash: a72e7d3d0a8bf3f004394b15520fa28b7b16c887502224bd066dcfce93b05c38
Instruction Fuzzy Hash: 63427C70A00706EFDB18CF69C4846EEBBB1FF44310F14856AD819A7781D778AD91CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00412CBF, Relevance: 4.9, APIs: 3, Instructions: 383COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412CC4

Part of subcall function 00416AEC: _memset.LIBCMT ref: 00416B15
Part of subcall function 00416AEC: _memset.LIBCMT ref: 00416B2F
Part of subcall function 00416AEC: GetLogicalDriveStringsW.KERNELBASE(00000400,?,?,?,?,?,?,?,?), ref: 00416B4D
Part of subcall function 00416AEC: GetSystemDirectoryW.KERNEL32(?,00000400), ref: 00416B70
Part of subcall function 00416AEC: GetDriveTypeW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,005E3970,000000FF), ref: 00416BC0

Part of subcall function 00417A57: _memset.LIBCMT ref: 00417A77
Part of subcall function 00417A57: GetVersionExW.KERNEL32(?,00000000,00000000,000000FF,00000000,00000000,000000FF), ref: 00417A8C

_memset.LIBCMT ref: 00412E57
GetVolumeInformationW.KERNEL32(00000000,00000000,?,00000080,00000000,00000000,00000000,00000000,00000000), ref: 00412E77

Part of subcall function 00413C04: __EH_prolog.LIBCMT ref: 00413C09

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _memset$DriveH_prolog$DirectoryInformationLogicalStringsSystemTypeVersionVolume
String ID:
API String ID: 1804617432-0
Opcode ID: d811ec67129f5ef18e7bd4fb35823daf67637123e44244c7286ff83078bcb5a4
Instruction ID: 59243abd87ad9f9cf0269d561cc11687296d6e1658f4ea7958c637af73bfe8f3
Opcode Fuzzy Hash: d811ec67129f5ef18e7bd4fb35823daf67637123e44244c7286ff83078bcb5a4
Instruction Fuzzy Hash: B4E17132D04258AEDF10EBE5C946BDDBB78AF05318F1441AEF604B72C2DAB45B88C765

Uniqueness

Uniqueness Score: -1.00%

Function 00448BF0, Relevance: 4.7, APIs: 3, Instructions: 153COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004582C7
_memset.LIBCMT ref: 004582E5
_memset.LIBCMT ref: 00458331

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 89b36884e8d1f7ac5e5449d3bf0fbd83243a622ffe2d222e6e639864f38d61d1
Instruction ID: fb0ea552cd85c5a4c801c9363c1bedc20809e0040a08a13546034bb5484a119d
Opcode Fuzzy Hash: 89b36884e8d1f7ac5e5449d3bf0fbd83243a622ffe2d222e6e639864f38d61d1
Instruction Fuzzy Hash: 3B4195112192C25FD71A4E3D4C91B69BFD8DFB6200B18099FECC3DB387D550989AC7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00458591, Relevance: 4.6, APIs: 3, Instructions: 144COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004585B1
_memset.LIBCMT ref: 004585CF
_memset.LIBCMT ref: 0045861B

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: b37f7d96bc58ae7a905d9e265940c3532d72ea1f89e471dea74f2de615cf2855
Instruction ID: bfe3be8c5bce3426b285d5b31b542fc0799723fe8b0018f7e0bbd50b46c790ec
Opcode Fuzzy Hash: b37f7d96bc58ae7a905d9e265940c3532d72ea1f89e471dea74f2de615cf2855
Instruction Fuzzy Hash: 024134256046E29FD7260A3E0C9477ABFD4AB6B201F44079EECD7DBB83C900545AC7E2

Uniqueness

Uniqueness Score: -1.00%

Function 0046216A, Relevance: 4.1, Strings: 3, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00462366
.\crypto\x509v3\v3_purp.c, xrefs: 0046217A
@, xrefs: 004621BD

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: $.\crypto\x509v3\v3_purp.c$@
API String ID: 0-251467842
Opcode ID: 661eb593b592ccfa3997d9ed7892f71df3a6895a6959ab642feb122fc9c869fa
Instruction ID: 005f6de0a7956343939a4d2e3d4ce35a3c6ec22750c648d71d3e0f586d9ed783
Opcode Fuzzy Hash: 661eb593b592ccfa3997d9ed7892f71df3a6895a6959ab642feb122fc9c869fa
Instruction Fuzzy Hash: 01B14971504B01ABEB289F31DA865273B94BF00315F21065FEC468A2D6FBBDD984CA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00414D81, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00414E7C

Part of subcall function 00414CAE: std::_String_base::_Xlen.LIBCPMT ref: 00414CB8

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+-, xrefs: 00414D8F

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: String_base::_Xlen_memsetstd::_
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+-
API String ID: 2465204403-2282835185
Opcode ID: 8e8769ba2ad92f0522e47340e70b1a59a28df5309f8fe2531ea75bcfc0ce2e76
Instruction ID: 1fa34e9190d4d6a8b85858f3eec67977704ab06fbf782a2c12ccb8e5fb0259e8
Opcode Fuzzy Hash: 8e8769ba2ad92f0522e47340e70b1a59a28df5309f8fe2531ea75bcfc0ce2e76
Instruction Fuzzy Hash: D251F5368043899FDF029FA4D4927DE7F71EF56314F1454AAED902B283C2748A5ACBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00572886, Relevance: .5, Instructions: 478COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e9eeb1095f889b965f76998606b45a97925364bbee6a79ba02ed24bb9b00f12
Instruction ID: cdc1896378831801be8d6a9d8a40097d8d08b2d1ceabc0375aa7ce4c6de6d526
Opcode Fuzzy Hash: 9e9eeb1095f889b965f76998606b45a97925364bbee6a79ba02ed24bb9b00f12
Instruction Fuzzy Hash: 9122CFB6504B168FC724CF19D08055AFBE1FF88324F158A6EE9ADA7B11C730BA55CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00574D00, Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91ba71904dea84e20fa54172000c9738ff60065219db22b0a49b9952a31d8242
Instruction ID: 05d082330c416e67c06a532964af8df8e1104b9eb0c871c855bdc4d54a32604c
Opcode Fuzzy Hash: 91ba71904dea84e20fa54172000c9738ff60065219db22b0a49b9952a31d8242
Instruction Fuzzy Hash: CDF1B571344B058FC758DE5DDDA1B16F7E5AB88318F19C728919ACBB64E378F8068B80

Uniqueness

Uniqueness Score: -1.00%

Function 00424930, Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 4bb6e4a5bae5fbea36243f88b626e7e2f7be78de07ada13b5596d2a9617da61e
Instruction ID: c37233cad7faa07e62e5665bcf5d1bd3ff26459e9d039efe905bfd0896a6fd81
Opcode Fuzzy Hash: 4bb6e4a5bae5fbea36243f88b626e7e2f7be78de07ada13b5596d2a9617da61e
Instruction Fuzzy Hash: 41F19071A00259DBDF14DFA8D880BEEB7B1FF84304F54816EE91567381DB38AA05CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00578600, Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a57fde94f15b622cd52f9ad5ec85213dc827fa5506cf6152e4be89987de972d3
Instruction ID: 44fe4d7762bfcffc3539358784639cabd5a300863ffb8c5ba2be91c560c7a031
Opcode Fuzzy Hash: a57fde94f15b622cd52f9ad5ec85213dc827fa5506cf6152e4be89987de972d3
Instruction Fuzzy Hash: 46029D711187058FC756EE0CE49036AF7E1FFC8304F198A2CD68987B64E739A9198F82

Uniqueness

Uniqueness Score: -1.00%

Function 00578217, Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a34512ff72d5238815f0e29e494786616004433761634013c39009702cee8180
Instruction ID: 5bf2aacac7be869c333d8dde42ea6cd90b5cb0387fb57bf3b5f531598773b102
Opcode Fuzzy Hash: a34512ff72d5238815f0e29e494786616004433761634013c39009702cee8180
Instruction Fuzzy Hash: 908137B2A047019FC328CF19D88566AF7E1FFD8210F15892DE99E93B41D770F8558B92

Uniqueness

Uniqueness Score: -1.00%

Function 00572EF9, Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d5cdb525d0acefe293bc2cb43d2c02f70863ca624e14ca51f49ae32e7611bbb
Instruction ID: 12151ca62e7c6b55b3c4975a039a68f46369af239810fe7434ef19f48a772595
Opcode Fuzzy Hash: 3d5cdb525d0acefe293bc2cb43d2c02f70863ca624e14ca51f49ae32e7611bbb
Instruction Fuzzy Hash: C4815975A107669BD714CF2ED8C045AFBF1FB08310B518A2AD89983B40D334F665EF90

Uniqueness

Uniqueness Score: -1.00%

Function 0047C295, Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e353cf2de158e223e82830bf10023796e246ab3d56ab2630fbff098918b43137
Instruction ID: 11eb26e7250be6730b46849921fe2902f06ad9d3e1310433efbc845796e0b21a
Opcode Fuzzy Hash: e353cf2de158e223e82830bf10023796e246ab3d56ab2630fbff098918b43137
Instruction Fuzzy Hash: BA71C7327206525BC759CF6DFCC0506B393E7E9311B09CA26DE18C7225C634A936DEC4

Uniqueness

Uniqueness Score: -1.00%

Function 005702E0, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e99aa2f60f3c65b998b8173ecf6d62a85e0283f60168b484be672eab7d553dce
Instruction ID: f25087647205fea9895b07576d3bddf69590697fe83031a81ccf00b57819d7c6
Opcode Fuzzy Hash: e99aa2f60f3c65b998b8173ecf6d62a85e0283f60168b484be672eab7d553dce
Instruction Fuzzy Hash: 35618C3391262B9BDB61DF59D84527AB3A2EFC4360F6B8A358C0427642C734F9119AC4

Uniqueness

Uniqueness Score: -1.00%

Function 005700E0, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213e8dd87d5c2f66bb6fb1c01bf5d713fa88062fa37de47d36406d71930442ef
Instruction ID: 0984b8161398e19e49f47afe8284af4c8df0488a418e4c93c39213aa032b3bc4
Opcode Fuzzy Hash: 213e8dd87d5c2f66bb6fb1c01bf5d713fa88062fa37de47d36406d71930442ef
Instruction Fuzzy Hash: CB51FD229257B946EBC3DA3D88504AEBBE0BE49206B460557DCD0B3181C72EDE4DB7E4

Uniqueness

Uniqueness Score: -1.00%

Function 0043C84C, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 213fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043C851

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

GetFileAttributesW.KERNEL32(?), ref: 0043C8AB
GetFileSize.KERNEL32(00000000,?), ref: 0043C94A
GetLastError.KERNEL32 ref: 0043C957
CloseHandle.KERNEL32(00000000), ref: 0043C962
CloseHandle.KERNEL32(00000000), ref: 0043C99A
_memset.LIBCMT ref: 0043C9B6
ReadFile.KERNEL32(00000000,?,00000180,?,00000000), ref: 0043C9CC
CloseHandle.KERNEL32(00000000), ref: 0043C9D7
SetFilePointer.KERNEL32(00000000,00000000,?,00000000), ref: 0043C9F0
GetLastError.KERNEL32 ref: 0043C9FB
CloseHandle.KERNEL32(00000000), ref: 0043CA06
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0043CA2E
CloseHandle.KERNEL32(00000000), ref: 0043CA39
CloseHandle.KERNEL32(00000000), ref: 0043CA54

Strings

), xrefs: 0043CAD4

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseHandle$File$ErrorH_prologLast$AttributesPointerReadSizeWrite_memset
String ID: )
API String ID: 3973834473-2427484129
Opcode ID: 25cf6cbfa5e7000b9cdb7a4ad2c242e1312e583dbd2e70d1e707f7015e0fb059
Instruction ID: d86afcddf224de715b64fb0d097e12e09088ca8226632790daa91c47d1e60e76
Opcode Fuzzy Hash: 25cf6cbfa5e7000b9cdb7a4ad2c242e1312e583dbd2e70d1e707f7015e0fb059
Instruction Fuzzy Hash: CB812972900109AFDB10EF95DC88AEE7BB8EF59355F108127F912E6290D7388A05DF69

Uniqueness

Uniqueness Score: -1.00%

Function 00464E56, Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 177COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00464E87
_strncmp.LIBCMT ref: 00464E91

Strings

email, xrefs: 00464E81, 00464E86, 00464E8F
name=, xrefs: 00464FF6
otherName, xrefs: 00464FA6, 00464FAB, 00464FB4
URI, xrefs: 00464EB4, 00464EB9, 00464EC2
DNS, xrefs: 00464EE6, 00464EEB, 00464EF4
RID, xrefs: 00464F18, 00464F1D, 00464F26
dirName, xrefs: 00464F76, 00464F7B, 00464F84

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strlen_strncmp
String ID: DNS$RID$URI$dirName$email$name=$otherName
API String ID: 2202561641-2414469469
Opcode ID: d4c798feb67e8e171a2110804c8bfb5eedde4d2f72c7a83a25b310b54edd5caf
Instruction ID: b78a378e1baf6c4c504430db170020feeaf468c11968fdc5fa2dd46a593218b0
Opcode Fuzzy Hash: d4c798feb67e8e171a2110804c8bfb5eedde4d2f72c7a83a25b310b54edd5caf
Instruction Fuzzy Hash: AA41B2A2B0420176FB2425361D4BFBB189CAFE5798F04003BFE0596393FA9CDD1141AB

Uniqueness

Uniqueness Score: -1.00%

Function 004470DF, Relevance: 23.1, APIs: 9, Strings: 4, Instructions: 372COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 00447161
_strlen.LIBCMT ref: 00447174
_strncmp.LIBCMT ref: 0044718B

Part of subcall function 00442E77: _memset.LIBCMT ref: 00442F21

_strlen.LIBCMT ref: 00447301
_strncmp.LIBCMT ref: 00447319
_strncmp.LIBCMT ref: 00447334
_strncmp.LIBCMT ref: 00447353

Strings

-----END , xrefs: 00447264, 00447313, 004473DF
-----BEGIN , xrefs: 0044715B
, xrefs: 00447490
-----, xrefs: 00447185, 0044734D

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strncmp$_strlen$_memset
String ID: $-----$-----BEGIN $-----END
API String ID: 3307949942-103151745
Opcode ID: d4f0f87b4a875b9e1db68d1b59b5a6be520b82236a491c77a74f2374fc574313
Instruction ID: 68d906ac22bb1c510aae4a2992be23cc80169ffd0a5e8d6deb13f0f331bf455e
Opcode Fuzzy Hash: d4f0f87b4a875b9e1db68d1b59b5a6be520b82236a491c77a74f2374fc574313
Instruction Fuzzy Hash: 85D1E5729042199FFB10DB65DC46BEEBBA8BF05314F1440A7E904E7341D7B8AE428F95

Uniqueness

Uniqueness Score: -1.00%

Function 0043E3C5, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 248fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043E3CA

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

Part of subcall function 0040D292: __EH_prolog.LIBCMT ref: 0040D297

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Part of subcall function 0040C59E: std::_String_base::_Xlen.LIBCPMT ref: 0040C5D7

CloseHandle.KERNEL32(00000000), ref: 0043E5B5
SetFilePointer.KERNEL32(00000000,00000000,?,00000002), ref: 0043E5C8
GetLastError.KERNEL32 ref: 0043E5D3
WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 0043E613
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0043E649
WriteFile.KERNEL32(?,?,?,00000010,00000000,00000001,?,?,?,?,?,?,?,?,?,00000000), ref: 0043E66B
CloseHandle.KERNEL32(?,?,?,00000010,00000000,00000001,?,?,?,?,?,?,?,?,?,00000000), ref: 0043E67E

Strings

\\?\, xrefs: 0043E3F6
xfs, xrefs: 0043E50D
System32, xrefs: 0043E3E0

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseFileH_prologHandle$Write$ErrorLastPointerString_base::_Xlenchar_traitsstd::_
String ID: System32$\\?\$xfs
API String ID: 2254306598-4026912830
Opcode ID: 6041ae23d692728760dae180d03013702ba6cbc2e52736d2b1b3b6af9e78de10
Instruction ID: e99958a17dd88888d43cb370334b0c3b739fd8003d81b11e667aa285451e6f5d
Opcode Fuzzy Hash: 6041ae23d692728760dae180d03013702ba6cbc2e52736d2b1b3b6af9e78de10
Instruction Fuzzy Hash: B5915E72C01158EAEB11EBE5CC85BEEBB78AF14308F10416AF605B31C1DB786E45DB69

Uniqueness

Uniqueness Score: -1.00%

Function 004010C0, Relevance: 21.1, APIs: 14, Instructions: 140COMMON

Download Yara Rule

APIs

CreateBrushIndirect.GDI32(?), ref: 004010DE
SelectObject.GDI32(?,00000000), ref: 004010F6
SetTextColor.GDI32(?,?), ref: 00401109
SetBkColor.GDI32(?,?), ref: 0040111A
GetCurrentObject.GDI32(?,00000006), ref: 0040112A
GetObjectA.GDI32(00000000,0000003C,?), ref: 0040113B
CreateFontIndirectA.GDI32(?), ref: 0040116A
SelectObject.GDI32(?,00000000), ref: 0040117F
ExtFloodFill.GDI32(?,0000000A,0000000A,00000000,00000001), ref: 0040119A

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Object$ColorCreateIndirectSelect$BrushCurrentFillFloodFontText
String ID:
API String ID: 266581519-0
Opcode ID: 27919169faca80b3a2421dc4aad2742cb67f0a1d7a9bc6fce87c40cd47c06310
Instruction ID: cb2928647d5e5b084fae410b9476be5b3ce0d3ddcf91737b4fcd8eadec313a17
Opcode Fuzzy Hash: 27919169faca80b3a2421dc4aad2742cb67f0a1d7a9bc6fce87c40cd47c06310
Instruction Fuzzy Hash: 6B519E71A01604AFCB209FA5DE89AAFBBF5FF18300B10493AE156E36B0D7759944EB14

Uniqueness

Uniqueness Score: -1.00%

Function 00442D0C, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 69registrywindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F4,?,?,00442DE5,%s(%d): OpenSSL internal error, assertion failed: %s,00000000,00000000,00000000,0045297C,.\crypto\evp\encode.c,00000106,n < (int)sizeof(ctx->enc_data),00000000,00000009,?,00447399), ref: 00442D1C
GetFileType.KERNEL32(00000000,?,00442DE5,%s(%d): OpenSSL internal error, assertion failed: %s,00000000,00000000,00000000,0045297C,.\crypto\evp\encode.c,00000106,n < (int)sizeof(ctx->enc_data),00000000,00000009,?,00447399), ref: 00442D29
_vfwprintf.LIBCMT ref: 00442D43

Part of subcall function 00567254: _vfprintf_helper.LIBCMT ref: 00567269

_vswprintf_s.LIBCMT ref: 00442D60
GetVersion.KERNEL32 ref: 00442D6B
RegisterEventSourceA.ADVAPI32(00000000,OPENSSL), ref: 00442D88
ReportEventA.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000), ref: 00442DA7
DeregisterEventSource.ADVAPI32(00000000), ref: 00442DAE
MessageBoxA.USER32(00000000,?,OpenSSL: FATAL,00000010), ref: 00442DC6

Strings

OpenSSL: FATAL, xrefs: 00442DB9
OPENSSL, xrefs: 00442D82

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Event$Source$DeregisterFileHandleMessageRegisterReportTypeVersion_vfprintf_helper_vfwprintf_vswprintf_s
String ID: OPENSSL$OpenSSL: FATAL
API String ID: 2784530605-1348657634
Opcode ID: 2fa2f78871bbfc5e383d5ba53f754f3bd1b728412eb0606d2d05de42c0c2c419
Instruction ID: 081da415c426728d9e484bbdbff8f544250c6c135639d6f74ebb7fd81c512227
Opcode Fuzzy Hash: 2fa2f78871bbfc5e383d5ba53f754f3bd1b728412eb0606d2d05de42c0c2c419
Instruction Fuzzy Hash: 3F1189B590010AFFFB105BA0DD8AEEF3B6CEF14344F504462BE06EA151E6B4CE489B65

Uniqueness

Uniqueness Score: -1.00%

Function 00442C21, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 91libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,?,?,00000000,?,00442D7D), ref: 00442C3B
GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 00442C4B
GetDesktopWindow.USER32 ref: 00442C75
GetProcessWindowStation.USER32(?,00442D7D), ref: 00442C7B
GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,}-D,?,00442D7D), ref: 00442C97
GetLastError.KERNEL32(?,00442D7D), ref: 00442C9D
GetUserObjectInformationW.USER32(?,00000002,?,?,}-D,?,00442D7D), ref: 00442CD0

Strings

}-D, xrefs: 00442C8E, 00442CA8, 00442CC5, 00442CDB, 00442C91, 00442CC8
Service-0x, xrefs: 00442CE9
_OPENSSL_isservice, xrefs: 00442C45

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: InformationObjectUserWindow$AddressDesktopErrorHandleLastModuleProcProcessStation
String ID: Service-0x$_OPENSSL_isservice$}-D
API String ID: 1233653401-1763662804
Opcode ID: 044548695dfde92be9c0b1b67f6933fb0010ccc06a824ed04a81a3399f5a5f1f
Instruction ID: 90e27dce9e3e598a8946960dc31d0c0fa163b790677d759ef6d87efc965c5bd3
Opcode Fuzzy Hash: 044548695dfde92be9c0b1b67f6933fb0010ccc06a824ed04a81a3399f5a5f1f
Instruction Fuzzy Hash: FB212C71900115ABEB209FB4EECDD6F7B68EF50760B600622F912E31D0DB789D08DB54

Uniqueness

Uniqueness Score: -1.00%

Function 004025B7, Relevance: 16.1, APIs: 2, Strings: 7, Instructions: 391COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004025BC

Part of subcall function 004044FD: __EH_prolog.LIBCMT ref: 00404502

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Part of subcall function 0040BD0A: __EH_prolog.LIBCMT ref: 0040BD0F

Part of subcall function 004037A3: __EH_prolog.LIBCMT ref: 004037A8

Part of subcall function 00403A3D: __EH_prolog.LIBCMT ref: 00403A42

__time64.LIBCMT ref: 00402993

Part of subcall function 0054DE22: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00402500,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000000,000000FF), ref: 0054DE2D
Part of subcall function 0054DE22: __aulldiv.LIBCMT ref: 0054DE4D

Part of subcall function 00401753: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00401795

Part of subcall function 004017D3: SetEvent.KERNEL32(00000000), ref: 004017FC

Strings

http://, xrefs: 004025CE
a4ad4ip2xzclh6fd.onion, xrefs: 004025DE
si=, xrefs: 0040291F
ss=, xrefs: 004028A1
nocache=, xrefs: 00402981
$, xrefs: 004029D4
sys.php, xrefs: 00402613

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$Time$EventFileObjectSingleSystemWait__aulldiv__time64char_traits
String ID: $$a4ad4ip2xzclh6fd.onion$http://$nocache=$si=$ss=$sys.php
API String ID: 1184885706-1653676470
Opcode ID: a3eca810b24606a48cff8c291f223fcbfc38c635c6c76b79ae81e0d55be95fb5
Instruction ID: 8f9c5f3a442758c46362d9acf0a37c0915c81e44f6b3f0cb2be9765408e8bc22
Opcode Fuzzy Hash: a3eca810b24606a48cff8c291f223fcbfc38c635c6c76b79ae81e0d55be95fb5
Instruction Fuzzy Hash: 0EE14F72804148AADB11EBE5CD45EDEBFBC9F55308F1444ABB105B3182DA782B49CB75

Uniqueness

Uniqueness Score: -1.00%

Function 004588A7, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

.\crypto\rsa\rsa_sign.c, xrefs: 00458914
signature has problems, re-make with post SSLeay045, xrefs: 00458A49
$, xrefs: 00458942
r, xrefs: 00458AC0

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: $$.\crypto\rsa\rsa_sign.c$r$signature has problems, re-make with post SSLeay045
API String ID: 0-3932272389
Opcode ID: 9cee7f6924c0e42f567bf297d5185315972e9af0590defd7a3261e503e8cdcb9
Instruction ID: 57c3a256a0a8d8f602899cb85bdd0d7c9ac89ebe6fd26e40c970d2823ce7ccf1
Opcode Fuzzy Hash: 9cee7f6924c0e42f567bf297d5185315972e9af0590defd7a3261e503e8cdcb9
Instruction Fuzzy Hash: 0F81E6B1A00205ABEF209F50DC42BAA3B65AB40716F24402FFE057A293DF79DD99C75D

Uniqueness

Uniqueness Score: -1.00%

Function 0054ED60, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0054EDC2
_memcpy_s.LIBCMT ref: 0054EE37
__fileno.LIBCMT ref: 0054EE97
__read.LIBCMT ref: 0054EE9E
__filbuf.LIBCMT ref: 0054EEC2
_memset.LIBCMT ref: 0054EF08
_memset.LIBCMT ref: 0054EF33

Part of subcall function 0054FF67: __getptd_noexit.LIBCMT ref: 0054FF67

Strings

xA, xrefs: 0054ED62

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID: xA
API String ID: 3886058894-523113891
Opcode ID: ddbbc90c298e81cfd40a96bf3bb769cf9fcdb21783f1a759126f90aa7d1d60c5
Instruction ID: ce0be708df054fd9d996d2221db7150d8a6e4b22e8c1de8ee31d6f45daf096a3
Opcode Fuzzy Hash: ddbbc90c298e81cfd40a96bf3bb769cf9fcdb21783f1a759126f90aa7d1d60c5
Instruction Fuzzy Hash: 5651D571D00205FBCB209FA98C4A9DEBF79FF81328F248629F82592191D7319E55CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00446EE1, Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 169COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00446F0A
_strlen.LIBCMT ref: 00446F63

Strings

.\crypto\pem\pem_lib.c, xrefs: 00446FA2
A, xrefs: 00446FBA
-----END , xrefs: 00447062
-----BEGIN , xrefs: 00446F15
-----, xrefs: 00446F49, 0044708F
0, xrefs: 00446EFD

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strlen
String ID: -----$-----BEGIN $-----END $.\crypto\pem\pem_lib.c$0$A
API String ID: 4218353326-1484664486
Opcode ID: c54f8c28fbf46b4c695c685535716a847136e90e81c358e55b6680420ee53856
Instruction ID: 10c964d9c1fd5f20201c78becf7ed2f34fe693b66f196c5b2a1906d6283caf75
Opcode Fuzzy Hash: c54f8c28fbf46b4c695c685535716a847136e90e81c358e55b6680420ee53856
Instruction Fuzzy Hash: 0451D172D01109ABEF319E91EC86ADF7B31FF14314F14002BF905B7252E7399A558B89

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF55, Relevance: 13.5, APIs: 9, Instructions: 34synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,00000064,0000000A,?,0041256E,00000001,00000000,00000001,00000001,00000000,00000001,00000001,00000001,00000000,?,?), ref: 0040EF5E
WaitForSingleObject.KERNEL32(?,00000064), ref: 0040EF75
GetExitCodeProcess.KERNEL32(?,?), ref: 0040EF8E
CloseHandle.KERNEL32(?), ref: 0040EF97
CloseHandle.KERNEL32(?), ref: 0040EFA0
CloseHandle.KERNEL32(?), ref: 0040EFA9
CloseHandle.KERNEL32(?), ref: 0040EFB2
CloseHandle.KERNEL32(?), ref: 0040EFBB
CloseHandle.KERNEL32(?), ref: 0040EFC4

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseHandle$ObjectSingleWait$CodeExitProcess
String ID:
API String ID: 1413499271-0
Opcode ID: 11a78e4d5158f6a7ce3c1d1d0008077a3acdad2f58e612fd3e1ab6737d76aae7
Instruction ID: 1a7b6388a68a6c66e229ff2c90b1005e0736e51d642092370e30e843855d1687
Opcode Fuzzy Hash: 11a78e4d5158f6a7ce3c1d1d0008077a3acdad2f58e612fd3e1ab6737d76aae7
Instruction Fuzzy Hash: 5DF0EC32100610FFCB212B6AED0D96ABBB2FF15341B104839F282D1870CB7AA865EB10

Uniqueness

Uniqueness Score: -1.00%

Function 00404922, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 92COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00404927

Part of subcall function 004013FE: std::exception::exception.LIBCMT ref: 00401408

Part of subcall function 00404B4D: __EH_prolog.LIBCMT ref: 00404B52

Part of subcall function 004015CC: __EH_prolog.LIBCMT ref: 004015D1

Part of subcall function 0054DE73: _malloc.LIBCMT ref: 0054DE8D

Strings

JN@, xrefs: 0040495E
ZN@, xrefs: 00404987
Q, xrefs: 004049B5
d:\lib\boost\boost/exception/detail/exception_ptr.hpp, xrefs: 004049AE
class boost::shared_ptr<class boost::exception_detail::clone_base const > __cdecl boost::exception_detail::get_bad_alloc<0x2a>(void), xrefs: 004049A7
1K@, xrefs: 00404980

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$_mallocstd::exception::exception
String ID: 1K@$JN@$Q$ZN@$class boost::shared_ptr<class boost::exception_detail::clone_base const > __cdecl boost::exception_detail::get_bad_alloc<0x2a>(void)$d:\lib\boost\boost/exception/detail/exception_ptr.hpp
API String ID: 1953324306-1971412266
Opcode ID: 64d5c81fea3df5e6e9cbd1fa74b9c218bda937203b71a7bf51023c98fb0cab32
Instruction ID: 556f1a4663a661cdb5037758c4166df09fd6ebc24d394409512187fc279e5f23
Opcode Fuzzy Hash: 64d5c81fea3df5e6e9cbd1fa74b9c218bda937203b71a7bf51023c98fb0cab32
Instruction Fuzzy Hash: 4F31AEB0D0025C9EDB00EFA5DA45A9EBFF8BF89708F10452EE505B7292D7785A08CF58

Uniqueness

Uniqueness Score: -1.00%

Function 005662C0, Relevance: 12.2, APIs: 8, Instructions: 166timeCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 005662DE
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005663C8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005663F1
__allrem.LIBCMT ref: 005663FC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00566425
__allrem.LIBCMT ref: 00566430
SystemTimeToFileTime.KERNEL32(0000003C,?,00000000,?,0000003C,00000000,?,?,000F4240,00000000,03938700,00000000,D693A400,00000000), ref: 00566444

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$Time__allrem$CountFileSystemTick
String ID:
API String ID: 3237787003-0
Opcode ID: 9fba2008b28a4ddf3d72260adfed5dd395d679eb2f10fb30ca5cda1aad023ad6
Instruction ID: 6578d70a8a4ba742683499db86eb7916dfae07eed39cb48b9f16f03c5eccd327
Opcode Fuzzy Hash: 9fba2008b28a4ddf3d72260adfed5dd395d679eb2f10fb30ca5cda1aad023ad6
Instruction Fuzzy Hash: 3A51A375618301ABDB14DF68CC55B5BBBE8FFC8714F44891DF89993241E630E90887DA

Uniqueness

Uniqueness Score: -1.00%

Function 00446D33, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 00446D66
_strncmp.LIBCMT ref: 00446D9D
_strncmp.LIBCMT ref: 00446DD0

Strings

Proc-Type: , xrefs: 00446D60
DEK-Info: , xrefs: 00446DCA
ENCRYPTED, xrefs: 00446D97

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strncmp
String ID: DEK-Info: $ENCRYPTED$Proc-Type:
API String ID: 909875538-6740250
Opcode ID: 428e638b07598b49c8b0bddcad3fdeb25954751c413cc9d6f0b0833305a20b5b
Instruction ID: 8e55f00f323fdf2c9eb043f37b00154d44d353ad8e0105cf418df0ce075554db
Opcode Fuzzy Hash: 428e638b07598b49c8b0bddcad3fdeb25954751c413cc9d6f0b0833305a20b5b
Instruction Fuzzy Hash: AF315C96F842512AFB300D249C03FA76B895B57B50F260427FDC9DA3C7E59C8843829F

Uniqueness

Uniqueness Score: -1.00%

Function 00566810, Relevance: 10.6, APIs: 7, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00566870

Part of subcall function 0040C3BF: GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,30B20E82,00000000,0056623E,00000000,Function_0000543E,00000000,?,00000000,?,30B20E82), ref: 0040C3D5
Part of subcall function 0040C3BF: __aulldvrm.LIBCMT ref: 0040C3EF

Part of subcall function 005664B0: TlsGetValue.KERNEL32(0000001F,30B20E82,?,00000000,?,30B20E82), ref: 0056651B
Part of subcall function 005664B0: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 0056658A
Part of subcall function 005664B0: SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,30B20E82), ref: 005665BD

GetProcessHeap.KERNEL32(00000000,30B20E82), ref: 005668C2
HeapFree.KERNEL32(00000000), ref: 005668C9
GetProcessHeap.KERNEL32(00000000,?), ref: 005668F8
HeapFree.KERNEL32(00000000), ref: 005668FF
GetProcessHeap.KERNEL32(00000000,30B20E82), ref: 0056692A
HeapFree.KERNEL32(00000000), ref: 00566931

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Heap$FreeProcess$TimeTimerWaitable$CountCreateFileSystemTickValue__aulldvrm
String ID:
API String ID: 1408098572-0
Opcode ID: cc5fedbabb31b28c2ca728c7d1e21b9c4408306e138cee80ac173350e8343230
Instruction ID: dafe924ed4e6829a89867113e96577ea01725d83eec9d734693f282a9c2c1fd9
Opcode Fuzzy Hash: cc5fedbabb31b28c2ca728c7d1e21b9c4408306e138cee80ac173350e8343230
Instruction Fuzzy Hash: C3419C71504701DFC311DF69C849B1BBBE8FF99B21F104619FE659B290EB34A805CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0041ED80, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 0054E9FD: __lock_file.LIBCMT ref: 0054EA0C
Part of subcall function 0054E9FD: __fseeki64_nolock.LIBCMT ref: 0054EA22

__CxxThrowException@8.LIBCMT ref: 0041EE53

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

__fread_nolock.LIBCMT ref: 0041EE73
__CxxThrowException@8.LIBCMT ref: 0041EF08

Strings

0S@, xrefs: 0041EE4B, 0041EF00
fread failed, xrefs: 0041EE90
fseek failed, xrefs: 0041EDD4

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise__fread_nolock__fseeki64_nolock__lock_file
String ID: 0S@$fread failed$fseek failed
API String ID: 155043550-2636199986
Opcode ID: bb9ab8f3c24609269f7b61de8a820f24caf4380d3a056c0a4b22ae2e8d5120e6
Instruction ID: 6512d2ea6c3e0be8499484533a74d961527ab8381335e49317cf94d030a52996
Opcode Fuzzy Hash: bb9ab8f3c24609269f7b61de8a820f24caf4380d3a056c0a4b22ae2e8d5120e6
Instruction Fuzzy Hash: B4416D71508380AFD320DF28C895B9BBFE8BBC5714F108A1EF99953381DB749508CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0051A73B, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 37COMMON

Download Yara Rule

APIs

__strdup.LIBCMT ref: 0051A7A0

Part of subcall function 005188C9: _strrchr.LIBCMT ref: 005188CD
Part of subcall function 005188C9: _strrchr.LIBCMT ref: 005188D7

_abort.LIBCMT ref: 0051A796

Part of subcall function 00550F9A: __NMSG_WRITE.LIBCMT ref: 00550FBB
Part of subcall function 00550F9A: _raise.LIBCMT ref: 00550FCC
Part of subcall function 00550F9A: _memset.LIBCMT ref: 00551064
Part of subcall function 00550F9A: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000100), ref: 00551096
Part of subcall function 00550F9A: UnhandledExceptionFilter.KERNEL32(?,?,?,00000100), ref: 005510A3

Strings

Assertion %s failed in %s at %s:%u, xrefs: 0051A76A
util.c, xrefs: 0051A750
%s. (Stack trace not available), xrefs: 0051A782
tor_strdup_, xrefs: 0051A760

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled_strrchr$__strdup_abort_memset_raise
String ID: %s. (Stack trace not available)$Assertion %s failed in %s at %s:%u$tor_strdup_$util.c
API String ID: 1130199685-452765626
Opcode ID: 4d62e9397b2d6eace2f3ff1a71d5e913e2e370dbff2cd101f4b7008bccce4358
Instruction ID: ee0a0514cdf59298e86bc62bba52ad9fa11838c2dda069b8063c928518ee2e7e
Opcode Fuzzy Hash: 4d62e9397b2d6eace2f3ff1a71d5e913e2e370dbff2cd101f4b7008bccce4358
Instruction Fuzzy Hash: AAF0B43578030366EA3172598C57FEA3E58BB90B55F004433B8087A1D2E9E09DC488A1

Uniqueness

Uniqueness Score: -1.00%

Function 0041622B, Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

std::_String_base::_Xlen.LIBCPMT ref: 0041626E
char_traits.LIBCPMT ref: 004162CF
char_traits.LIBCPMT ref: 00416302

Part of subcall function 0054D77F: __EH_prolog3.LIBCMT ref: 0054D786
Part of subcall function 0054D77F: __CxxThrowException@8.LIBCMT ref: 0054D7B1

char_traits.LIBCPMT ref: 0041633A
char_traits.LIBCPMT ref: 0041639D
char_traits.LIBCPMT ref: 004163C4

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: char_traits$Exception@8H_prolog3String_base::_ThrowXlenstd::_
String ID:
API String ID: 2564386642-0
Opcode ID: cfab53fd6eed041c61932e5cfe5864c8537f3bd9c1c1f43b8ddb3041f6714478
Instruction ID: b127e8b80108d8e01e7f5fc49996468e73efeb6103b6ca1e5c2aeaf77bd9b715
Opcode Fuzzy Hash: cfab53fd6eed041c61932e5cfe5864c8537f3bd9c1c1f43b8ddb3041f6714478
Instruction Fuzzy Hash: 5051A430600109EFDF08DF68CAD49ED7B36FF41304761865AE8669B295C738EAD1CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040EDE2, Relevance: 9.1, APIs: 6, Instructions: 139pipefileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040EDE7
CreatePipe.KERNEL32(0000006A,0000006E,?,00000000,?,0000000A,00412505,00000000), ref: 0040EE16
SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 0040EE37
CreatePipe.KERNEL32(00000062,00000066,0000000C,00000000), ref: 0040EE53
SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 0040EE67
WriteFile.KERNEL32(?,00000005,?,00000001,00000000,00000001,00000001), ref: 0040EF3C

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: CreateHandleInformationPipe$FileH_prologWrite
String ID:
API String ID: 2102612192-0
Opcode ID: 91972c508a1d4e2e668531c55fabc4341b0565fc86b43b0b81d2453905f52ead
Instruction ID: 15c25fa288d4fa7eaa407231ef27f0fbd6049eb036c2f67e736d502ec8c93d61
Opcode Fuzzy Hash: 91972c508a1d4e2e668531c55fabc4341b0565fc86b43b0b81d2453905f52ead
Instruction Fuzzy Hash: 1D416FB160121AFFDB10DFA2CC85EEB7BA8FF00754F00452AF605E6590D778AA54CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00402345, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 209COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040234A

Part of subcall function 004035BB: __EH_prolog.LIBCMT ref: 004035C9

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Part of subcall function 004044A4: __EH_prolog.LIBCMT ref: 004044A9

Part of subcall function 004044FD: __EH_prolog.LIBCMT ref: 00404502

Part of subcall function 00403D6E: std::_String_base::_Xlen.LIBCPMT ref: 00403DB0
Part of subcall function 00403D6E: char_traits.LIBCPMT ref: 00403DFF

__time64.LIBCMT ref: 004024FB

Part of subcall function 0054DE22: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00402500,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000000,000000FF), ref: 0054DE2D
Part of subcall function 0054DE22: __aulldiv.LIBCMT ref: 0054DE4D

Part of subcall function 00403464: __EH_prolog.LIBCMT ref: 00403469

Strings

cmd.php, xrefs: 00402361
ss=, xrefs: 004024A2
nocache=, xrefs: 00402515

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$Timechar_traits$FileString_base::_SystemXlen__aulldiv__time64std::_
String ID: cmd.php$nocache=$ss=
API String ID: 2888217454-720201988
Opcode ID: 931384a80f8b6979c9fe41e3d013a4fa23ca22929fb31dd16847349a16df9d8d
Instruction ID: 6e1bade44ae61f5f78b3181872667207ff046071c1d23ddd4836f373e37b3662
Opcode Fuzzy Hash: 931384a80f8b6979c9fe41e3d013a4fa23ca22929fb31dd16847349a16df9d8d
Instruction Fuzzy Hash: D47161B280414CADDB01EBA9CD85FDEBBBCAF55318F10856AF519B31C2EA785B048735

Uniqueness

Uniqueness Score: -1.00%

Function 0044AE6C, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 187COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0044AF1F
_strlen.LIBCMT ref: 0044AF69

Strings

0123456789abcdef, xrefs: 0044AF12
, xrefs: 0044AED2
0123456789ABCDEF, xrefs: 0044AF0B

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: __aulldvrm_strlen
String ID: $0123456789ABCDEF$0123456789abcdef
API String ID: 3342006076-30751140
Opcode ID: b714573ec4735076e5cb78a3a19d2f293bff47700db70292d24b4950ace964b2
Instruction ID: e017f94bc3a0c0d56c76a1903fc000ef272743eb45575cecec5cdac03f946bba
Opcode Fuzzy Hash: b714573ec4735076e5cb78a3a19d2f293bff47700db70292d24b4950ace964b2
Instruction Fuzzy Hash: DE6105B2840219AFEF118F98C8456EE7FA1FF04314F14405AFD1522251D379CD65EB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00412B3A, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412B3F
Wow64DisableWow64FsRedirection.KERNEL32(?,00000001,00000000,00000001,00000001), ref: 00412BEB
Wow64RevertWow64FsRedirection.KERNEL32(?,00000001,00000000,00000001,?,?,00000000,?,0058B4A1,00000001,00000000,00000001,00000001), ref: 00412C5B
Wow64RevertWow64FsRedirection.KERNEL32(?,?,00000000,000000FF,00000001,00000000,00000001,?,?,00000000,?,0058B4A1,00000001,00000000,00000001,00000001), ref: 00412CB1

Strings

vssadmin.exe, xrefs: 00412B6A

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Wow64$Redirection$Revert$DisableH_prolog
String ID: vssadmin.exe
API String ID: 722956765-3807567552
Opcode ID: 68304a40d0d687dbf1a1e2987be276608ea91d7ddf8cb7bf35c86ba7b9a74f67
Instruction ID: 4ccba1dcea65961d0a419760c623f626740b73e815ac4e1e8c8cd2a2ec710b34
Opcode Fuzzy Hash: 68304a40d0d687dbf1a1e2987be276608ea91d7ddf8cb7bf35c86ba7b9a74f67
Instruction Fuzzy Hash: 7C41B831C05248EEDB11EBD5CD95BDE7B78AF01304F0440AAE605B71D1DAB81B49DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0044228B, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 97COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0044235A

Strings

lib(%lu), xrefs: 004422D4
func(%lu), xrefs: 004422F1
reason(%lu), xrefs: 0044230C
error:%08lX:%s:%s:%s, xrefs: 00442346

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strlen
String ID: error:%08lX:%s:%s:%s$func(%lu)$lib(%lu)$reason(%lu)
API String ID: 4218353326-2416195885
Opcode ID: 239aa662e5c7c7f81236870da117fb584e4a8f7f60f1b366dd315517d7d93674
Instruction ID: 46d7c0f529ebec5fc9296ad5e0ea697b58c007e75b3403b49ba046460fbb526f
Opcode Fuzzy Hash: 239aa662e5c7c7f81236870da117fb584e4a8f7f60f1b366dd315517d7d93674
Instruction Fuzzy Hash: 2731DB71E4021966FB149E758C51BBF77B8EB50704F80047EF904E7241EABCDA448674

Uniqueness

Uniqueness Score: -1.00%

Function 00438130, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 87COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 004381E4

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

__CxxThrowException@8.LIBCMT ref: 00438275

Strings

0S@, xrefs: 004381DC, 0043826D
offset >= size(), xrefs: 00438165
sizeof(T) + offset >= size(), xrefs: 004381FD

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: 0S@$offset >= size()$sizeof(T) + offset >= size()
API String ID: 3476068407-1050116358
Opcode ID: 76d22197f8f1be86f642433a77e1599d9b7dc6f5bef001e70b741241d1ffa31e
Instruction ID: 46e276d9a87a296cf6eeb419578cb076841a1868696cabdee64cb6c908e67191
Opcode Fuzzy Hash: 76d22197f8f1be86f642433a77e1599d9b7dc6f5bef001e70b741241d1ffa31e
Instruction Fuzzy Hash: DE314C745483819ED320DF28C891B9BFFE8BB89714F404A5EF5D957291DBB88508CB52

Uniqueness

Uniqueness Score: -1.00%

Function 004382B0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 87COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00438364

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

__CxxThrowException@8.LIBCMT ref: 004383F5

Strings

0S@, xrefs: 0043835C, 004383ED
offset >= size(), xrefs: 004382E5
sizeof(T) + offset >= size(), xrefs: 0043837D

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: 0S@$offset >= size()$sizeof(T) + offset >= size()
API String ID: 3476068407-1050116358
Opcode ID: eb294432eec869582c96ae95fdaceec1120cc9b6e937a1ee0e486e614ee772cb
Instruction ID: 6d91e256974b8dcb517d51428854d3028a00b52da7e97cb4ae8f869577cdea60
Opcode Fuzzy Hash: eb294432eec869582c96ae95fdaceec1120cc9b6e937a1ee0e486e614ee772cb
Instruction Fuzzy Hash: 67315A745483819ED320DF28C891B9BFFE8BB89714F404A2EF5D857391DBB88508CB92

Uniqueness

Uniqueness Score: -1.00%

Function 004363E0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00436490

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

__CxxThrowException@8.LIBCMT ref: 0043651A

Strings

0S@, xrefs: 00436488, 00436512
offset >= size(), xrefs: 00436417
sizeof(T) + offset >= size(), xrefs: 004364A5

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: 0S@$offset >= size()$sizeof(T) + offset >= size()
API String ID: 3476068407-1050116358
Opcode ID: 3b65d9c1a517f8c2f56c0d485025321c8c2cf343d9a70a954c6139b6fc16d6af
Instruction ID: 6a69611470a68836b11ebf833c384f4d280d8b69a84ce9d194fd603d058e2eeb
Opcode Fuzzy Hash: 3b65d9c1a517f8c2f56c0d485025321c8c2cf343d9a70a954c6139b6fc16d6af
Instruction Fuzzy Hash: 68313071548380AFD320DF29C891B9BBFE8BB89714F504E6EF5A953392D77885088F52

Uniqueness

Uniqueness Score: -1.00%

Function 00436550, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00436600

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

__CxxThrowException@8.LIBCMT ref: 0043668A

Strings

0S@, xrefs: 004365F8, 00436682
offset >= size(), xrefs: 00436587
sizeof(T) + offset >= size(), xrefs: 00436615

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: 0S@$offset >= size()$sizeof(T) + offset >= size()
API String ID: 3476068407-1050116358
Opcode ID: 93cc79265aa28e012d0f3270d8add916774b581c9457e24d35de10eedf47ca39
Instruction ID: 749cda136084e3386de053d3baaaf8dafa97d9124d384e09314f3f03dccf005b
Opcode Fuzzy Hash: 93cc79265aa28e012d0f3270d8add916774b581c9457e24d35de10eedf47ca39
Instruction Fuzzy Hash: AE313071548380AED320DF29C891B9BBFE8BB89714F504A5EF59953392D77885088F52

Uniqueness

Uniqueness Score: -1.00%

Function 0047E300, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0047E328
_strlen.LIBCMT ref: 0047E331
_strlen.LIBCMT ref: 0047E33F
_strlen.LIBCMT ref: 0047E34E

Strings

application/octet-stream, xrefs: 0047E310

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strlen
String ID: application/octet-stream
API String ID: 4218353326-3754511218
Opcode ID: 38d6a259b765b00e438d073e447a0c2780e1237b2b0bc2fba2759a19c25cea22
Instruction ID: 819206aa19badfe8cd35c443030323387b492a08affb3a1f9d99af8acb32de32
Opcode Fuzzy Hash: 38d6a259b765b00e438d073e447a0c2780e1237b2b0bc2fba2759a19c25cea22
Instruction Fuzzy Hash: 0B017532600205AEDF109E6AD8858DD7B99FB49374720C56BF90C8B211EB35EA418B68

Uniqueness

Uniqueness Score: -1.00%

Function 004467E1, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00446845

Strings

Enter PEM pass phrase:, xrefs: 004467F1
phrase is too short, needs to be at least %d chars, xrefs: 00446806

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _memset
String ID: Enter PEM pass phrase:$phrase is too short, needs to be at least %d chars
API String ID: 2102423945-1714539199
Opcode ID: ff5228973f1df071bb79e0ac479e961c08d9ba868773ce56bcaf20a84ca9af06
Instruction ID: 15fc0edd1b763ec741fde534aa7debd128a1eb7acebe05d30fb01b6dd2aa3cbf
Opcode Fuzzy Hash: ff5228973f1df071bb79e0ac479e961c08d9ba868773ce56bcaf20a84ca9af06
Instruction Fuzzy Hash: 17F0E9E2E0124235F62032216D07F6E1F451FA2B39F29413BF614692C3EBBD9455815F

Uniqueness

Uniqueness Score: -1.00%

Function 0055473B, Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00554747

Part of subcall function 005506C0: __getptd_noexit.LIBCMT ref: 005506C3
Part of subcall function 005506C0: __amsg_exit.LIBCMT ref: 005506D0

__amsg_exit.LIBCMT ref: 00554767
__lock.LIBCMT ref: 00554777
InterlockedDecrement.KERNEL32(?), ref: 00554794
InterlockedIncrement.KERNEL32(02501650), ref: 005547BF

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 1d18f245bef30b82bf259b8bbf15ccc16c60415c1b4876277a58103e5b9db1ba
Instruction ID: a4731c43682fbb5342983a930bae79807f4d8c5ffba83d1b89793a5c2c295d98
Opcode Fuzzy Hash: 1d18f245bef30b82bf259b8bbf15ccc16c60415c1b4876277a58103e5b9db1ba
Instruction Fuzzy Hash: 12010831910B12DBC714AB29945974E7FA0FF4A71AF504007EC006BA80D734698ADFC1

Uniqueness

Uniqueness Score: -1.00%

Function 0043C386, Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 372COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043C38B
_memset.LIBCMT ref: 0043C4F8

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Strings

.crypted000078, xrefs: 0043C76F
.crypted000007, xrefs: 0043C5F9

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog_memsetchar_traits
String ID: .crypted000007$.crypted000078
API String ID: 3116118327-2968946936
Opcode ID: 3f60b25d863a52e47b93abe8b7757422b97dadb0454855d5823a85d925f6992f
Instruction ID: faaba5355088225e506e3f089ae0e869886d76a973abe880ff9b96a94e0ce210
Opcode Fuzzy Hash: 3f60b25d863a52e47b93abe8b7757422b97dadb0454855d5823a85d925f6992f
Instruction Fuzzy Hash: 72E17131C04298EEDF11DBE4CC45BDEBFB4AF15308F14409AE548B7282DAB55B48DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00408BFD, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 276COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408C02

Part of subcall function 00416AEC: _memset.LIBCMT ref: 00416B15
Part of subcall function 00416AEC: _memset.LIBCMT ref: 00416B2F
Part of subcall function 00416AEC: GetLogicalDriveStringsW.KERNELBASE(00000400,?,?,?,?,?,?,?,?), ref: 00416B4D
Part of subcall function 00416AEC: GetSystemDirectoryW.KERNEL32(?,00000400), ref: 00416B70
Part of subcall function 00416AEC: GetDriveTypeW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,005E3970,000000FF), ref: 00416BC0

Part of subcall function 0040BD0A: __EH_prolog.LIBCMT ref: 0040BD0F

Part of subcall function 0040B9A5: __EH_prolog.LIBCMT ref: 0040B9AA

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Strings

.txt, xrefs: 00408CFD
README, xrefs: 00408C73
desktop.ini|boot.ini|Bootfont.bin|ntuser.ini|NTUSER.DAT|IconCache.db, xrefs: 00408E47

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$Drive_memset$DirectoryLogicalStringsSystemTypechar_traits
String ID: .txt$README$desktop.ini|boot.ini|Bootfont.bin|ntuser.ini|NTUSER.DAT|IconCache.db
API String ID: 3389905180-1123676370
Opcode ID: bf568e0f45823ad28eb768e7f5ebab349bd5af7dbc55e264e1c14d5b7214c47c
Instruction ID: f5b8e4be503b413b12a18bccb2c0c28a31fe104d716199d5117416a0b5f0b484
Opcode Fuzzy Hash: bf568e0f45823ad28eb768e7f5ebab349bd5af7dbc55e264e1c14d5b7214c47c
Instruction Fuzzy Hash: 0DA15272D00158EADB14EBE5CC46BDEBB78AF15304F1041AEE605B31C1DB745B49CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0042C2C0, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 275COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 0042C41E

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Part of subcall function 00403EB1: char_traits.LIBCPMT ref: 00403F09

__CxxThrowException@8.LIBCMT ref: 0042C58E

Part of subcall function 0054DE73: _malloc.LIBCMT ref: 0054DE8D

Strings

psub->level == 1, xrefs: 0042C54F
psub->level != 0, xrefs: 0042C3DF

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise_mallocchar_traits
String ID: psub->level != 0$psub->level == 1
API String ID: 4075437076-1149983645
Opcode ID: a1f8823423b76139365c70a42533f53875c7a7310418e1d481f8b8c5d5e89de8
Instruction ID: 2da6aa2f2b8edcfce805cbf9cb174ec2ba475a0fe1852fafc901a76399be1828
Opcode Fuzzy Hash: a1f8823423b76139365c70a42533f53875c7a7310418e1d481f8b8c5d5e89de8
Instruction Fuzzy Hash: 23A18BB16083419FD314DF68C881B6FBBE4BF88714F548A2EF19987391DB78D8488B56

Uniqueness

Uniqueness Score: -1.00%

Function 0042A940, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 275COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 0042AA9E

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Part of subcall function 00403EB1: char_traits.LIBCPMT ref: 00403F09

__CxxThrowException@8.LIBCMT ref: 0042AC0E

Part of subcall function 0054DE73: _malloc.LIBCMT ref: 0054DE8D

Strings

psub->level == 1, xrefs: 0042ABCF
psub->level != 0, xrefs: 0042AA5F

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise_mallocchar_traits
String ID: psub->level != 0$psub->level == 1
API String ID: 4075437076-1149983645
Opcode ID: d37520e209a915776020066c24d60167f466468bc73c846373d5bf880159a753
Instruction ID: 07a5e00d6a81709442b3b23f1e22a4e61dfbab3ec7fa3b6cc4424dcd9a6206ae
Opcode Fuzzy Hash: d37520e209a915776020066c24d60167f466468bc73c846373d5bf880159a753
Instruction Fuzzy Hash: 61A17DB16083419FD310DF68C881B6BBBE5BF88714F548A2EF59987391DB78D804CB56

Uniqueness

Uniqueness Score: -1.00%

Function 004067CA, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 270COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004067CF

Part of subcall function 0043D3FC: __EH_prolog.LIBCMT ref: 0043D401

Part of subcall function 00411787: __EH_prolog.LIBCMT ref: 0041178C

Part of subcall function 0040F08B: __EH_prolog.LIBCMT ref: 0040F090

Part of subcall function 0043C284: __EH_prolog.LIBCMT ref: 0043C289

Part of subcall function 00408F74: __EH_prolog.LIBCMT ref: 00408F79
Part of subcall function 00408F74: _swscanf.LIBCMT ref: 00408FD0

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Part of subcall function 0040F169: __EH_prolog.LIBCMT ref: 0040F16E

Strings

PUBLIC KEY, xrefs: 00406A47
(, xrefs: 0040686E
xcnt, xrefs: 004068D0

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$_swscanfchar_traits
String ID: ($PUBLIC KEY$xcnt
API String ID: 25352567-1755998082
Opcode ID: d9ccfb5f3e87f83e1256901359db3b9bd3a1c9e5195f861499a97fc66afd5aaf
Instruction ID: 9fa70eb9369410540a189eed0041eaf06646cd4c34a9a52b19605b19913ae9b8
Opcode Fuzzy Hash: d9ccfb5f3e87f83e1256901359db3b9bd3a1c9e5195f861499a97fc66afd5aaf
Instruction Fuzzy Hash: 82C15971D01259DEDB10EBA5C985BDDBBB4AF15308F1040AEE40973282DB786F89CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00406E76, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 269COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00406E7B

Part of subcall function 00402345: __EH_prolog.LIBCMT ref: 0040234A

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Strings

open, xrefs: 00407128
exe, xrefs: 00407030

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$char_traits
String ID: exe$open
API String ID: 4022946289-3420628079
Opcode ID: c491a582acdb11ecd643ece57129a3f245bab5ef1df620a8b256ed162d348846
Instruction ID: 48eeab99b258b9f057517c983029490e0a9ddfb58e4b6b1f3454af51e0286733
Opcode Fuzzy Hash: c491a582acdb11ecd643ece57129a3f245bab5ef1df620a8b256ed162d348846
Instruction Fuzzy Hash: 48A14072C04248EEEB11EBE5CD56BDEBB789F15308F10416EE605B31C2DAB41B49CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00428F00, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

Part of subcall function 00430BF0: __CxxThrowException@8.LIBCMT ref: 00430CDE

__CxxThrowException@8.LIBCMT ref: 00429062

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Part of subcall function 00403EB1: char_traits.LIBCPMT ref: 00403F09

__CxxThrowException@8.LIBCMT ref: 004291D2

Part of subcall function 0054DE73: _malloc.LIBCMT ref: 0054DE8D

Strings

psub->level == 1, xrefs: 0042918B
psub->level != 0, xrefs: 0042901B

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise_mallocchar_traits
String ID: psub->level != 0$psub->level == 1
API String ID: 4075437076-1149983645
Opcode ID: 257ae95d6c8871567ad93ca7681ff1e16304ada7a1ad29461f08f5ce3f792d8f
Instruction ID: 9e4306dd14cd1c5ed1f5bfad7f2f97567613ed522252f3c62463f177691a0248
Opcode Fuzzy Hash: 257ae95d6c8871567ad93ca7681ff1e16304ada7a1ad29461f08f5ce3f792d8f
Instruction Fuzzy Hash: B3A17CB12083419FD310DF69C885B6BFBE4BB88718F548A2EF19997391D778D808CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0043AAF4, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 183COMMON

Download Yara Rule

APIs

_swscanf.LIBCMT ref: 0043ABEE

Strings

X-Senderinfo:, xrefs: 0043ACC0
X-Mozilla-Status2:, xrefs: 0043AB4B
X-Spam:, xrefs: 0043AC41

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _swscanf
String ID: X-Mozilla-Status2:$X-Senderinfo:$X-Spam:
API String ID: 2748852333-2458561703
Opcode ID: 3286b999fca5f457ba7199e5bdb497be9c509ed331112e0a783f2987a6f1b9a7
Instruction ID: b4f22cf20949498218c427472debb4354a2a61e2774513d394e3b13e8dbf5497
Opcode Fuzzy Hash: 3286b999fca5f457ba7199e5bdb497be9c509ed331112e0a783f2987a6f1b9a7
Instruction Fuzzy Hash: 7B519072A442524BDB248E28848013EFB92BB5A310F283567E5D6CB381D63DED75D78B

Uniqueness

Uniqueness Score: -1.00%

Function 0040A868, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040A86D

Part of subcall function 0040A521: __EH_prolog.LIBCMT ref: 0040A526
Part of subcall function 0040A521: CharUpperW.USER32(?,00000001,00000000,00000001,00000000,SOFTWARE\Microsoft\Windows\CurrentVersion\Run\,00000001,0058B70C,?,?,00000001,00000000,0040A88D,?,?,?), ref: 0040A5F1

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Part of subcall function 0041730F: _memset.LIBCMT ref: 00417344
Part of subcall function 0041730F: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00417362
Part of subcall function 0041730F: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00417382

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

Strings

csrss.lnk, xrefs: 0040A93F
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040A8A2
Client Server Runtime Subsystem, xrefs: 0040A8EC

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$FolderPath$CharUpper_memsetchar_traits
String ID: Client Server Runtime Subsystem$SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$csrss.lnk
API String ID: 607052096-2561886397
Opcode ID: 3031a25f38ead78e4b8ae03d81a7599a44be3b2be6a6b1e206abff0a3597b60d
Instruction ID: f7e8c759a3bad84c1825ee53de4ff65dddbbce709ac82106c9d062987b5aad50
Opcode Fuzzy Hash: 3031a25f38ead78e4b8ae03d81a7599a44be3b2be6a6b1e206abff0a3597b60d
Instruction Fuzzy Hash: 5B416671904288EEEB01EBE4C945BDDBFB89F14318F14409AF504771C2DBB81B45CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00448E2F, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00448E6A

Strings

ctx->digest->md_size <= EVP_MAX_MD_SIZE, xrefs: 00448E76
J,E, xrefs: 00448E8C, 00448E38
.\crypto\evp\digest.c, xrefs: 00448E80

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _memset
String ID: .\crypto\evp\digest.c$J,E$ctx->digest->md_size <= EVP_MAX_MD_SIZE
API String ID: 2102423945-656294654
Opcode ID: 0d695aa8206444d3044274a1686bec789e26a2cdb3ab1e1df748a066dfc0c3c9
Instruction ID: c034934d4394ba3a20f14b823e5cf544756ad994e1e96b1beeccb319cc1157ed
Opcode Fuzzy Hash: 0d695aa8206444d3044274a1686bec789e26a2cdb3ab1e1df748a066dfc0c3c9
Instruction Fuzzy Hash: DF014475204201EFE7159F58DC46D4AB7E1FF48711B30845EF58997261DB71EC50CA19

Uniqueness

Uniqueness Score: -1.00%

Function 00444132, Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004441BD
_memset.LIBCMT ref: 0044432F
_memset.LIBCMT ref: 00444399
_memset.LIBCMT ref: 00444406

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 41335975437410f4bba3b6dfc626544de9b1e3f0cca6acbd8da1f6ad226e8076
Instruction ID: 1f3d775a62c58edd051b4423f6a3c272465de6fd9fd5299b98ec7723d5d8adfc
Opcode Fuzzy Hash: 41335975437410f4bba3b6dfc626544de9b1e3f0cca6acbd8da1f6ad226e8076
Instruction Fuzzy Hash: 48D18A7190020AEFEF15DF94DC46EAE7BB9FF58308F00441AF805A2251E735AA25DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00410FF9, Relevance: 6.1, APIs: 4, Instructions: 131sleepthreadCOMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00411040

Part of subcall function 0054DE22: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00402500,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000000,000000FF), ref: 0054DE2D
Part of subcall function 0054DE22: __aulldiv.LIBCMT ref: 0054DE4D

GetCurrentThreadId.KERNEL32 ref: 0041104E
_clock.LIBCMT ref: 00411056

Part of subcall function 0054E1CE: GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,?,?,00415DDD), ref: 0054E1DA
Part of subcall function 0054E1CE: __aulldiv.LIBCMT ref: 0054E20B

Part of subcall function 0054E24C: __getptd.LIBCMT ref: 0054E251

Part of subcall function 00401753: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00401795

Part of subcall function 004017D3: SetEvent.KERNEL32(00000000), ref: 004017FC

Part of subcall function 00415DB8: __time64.LIBCMT ref: 00415DC4
Part of subcall function 00415DB8: GetCurrentThreadId.KERNEL32 ref: 00415DD0
Part of subcall function 00415DB8: _clock.LIBCMT ref: 00415DD8
Part of subcall function 00415DB8: _rand.LIBCMT ref: 00415DE8
Part of subcall function 00415DB8: _rand.LIBCMT ref: 00415DF2
Part of subcall function 00415DB8: _rand.LIBCMT ref: 00415E01

Sleep.KERNEL32(?,?,?,?,?,?,005833F5,000000FF), ref: 004110A3

Part of subcall function 0041B9C0: SetEvent.KERNEL32(00000000), ref: 0041BA54

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Time$_rand$CurrentEventFileSystemThread__aulldiv__time64_clock$ObjectSingleSleepWait__getptd
String ID:
API String ID: 53558384-0
Opcode ID: 60cdadf83c0b2319f1cf185b28c912726e4e334fd1df23913504049570366e8e
Instruction ID: df804daaf32dacb13e8f474498bd7c0cae830441e241280a68581f249b38c574
Opcode Fuzzy Hash: 60cdadf83c0b2319f1cf185b28c912726e4e334fd1df23913504049570366e8e
Instruction Fuzzy Hash: 34518F715083849FD710EF65C882A9BBBE8FF88314F404D2EF19993691DB78E948CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0043CFC9, Relevance: 6.0, APIs: 4, Instructions: 48threadCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043CFCE
__time64.LIBCMT ref: 0043CFF9

Part of subcall function 0054DE22: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00402500,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000000,000000FF), ref: 0054DE2D
Part of subcall function 0054DE22: __aulldiv.LIBCMT ref: 0054DE4D

GetCurrentThreadId.KERNEL32 ref: 0043D005
_clock.LIBCMT ref: 0043D00D

Part of subcall function 0054E1CE: GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,?,?,00415DDD), ref: 0054E1DA
Part of subcall function 0054E1CE: __aulldiv.LIBCMT ref: 0054E20B

Part of subcall function 0054E24C: __getptd.LIBCMT ref: 0054E251

Part of subcall function 00401753: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00401795

Part of subcall function 004151EA: _clock.LIBCMT ref: 00415208
Part of subcall function 004151EA: __time64.LIBCMT ref: 00415225
Part of subcall function 004151EA: GetCurrentThreadId.KERNEL32 ref: 00415246
Part of subcall function 004151EA: __time64.LIBCMT ref: 00415252
Part of subcall function 004151EA: _rand.LIBCMT ref: 0041525D
Part of subcall function 004151EA: _clock.LIBCMT ref: 00415264
Part of subcall function 004151EA: __time64.LIBCMT ref: 004152A2
Part of subcall function 004151EA: _rand.LIBCMT ref: 004152B3
Part of subcall function 004151EA: _clock.LIBCMT ref: 004152BA
Part of subcall function 004151EA: _rand.LIBCMT ref: 00415304
Part of subcall function 004151EA: _clock.LIBCMT ref: 00415327
Part of subcall function 004151EA: __time64.LIBCMT ref: 00415332

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: __time64_clock$Time$_rand$CurrentFileSystemThread__aulldiv$H_prologObjectSingleWait__getptd
String ID:
API String ID: 3219639982-0
Opcode ID: 77faa84ee0ce2ea3cfa8871812e3354c126b5bddc729492d50cd1d988f20f4ac
Instruction ID: a6fe61b89251fb400d2645bb3e06cf06d61dfeb1e0e7e126b811986bee65e68c
Opcode Fuzzy Hash: 77faa84ee0ce2ea3cfa8871812e3354c126b5bddc729492d50cd1d988f20f4ac
Instruction Fuzzy Hash: F0016DB29017019FD710EF78D44A79ABBE8FF98324F10892EE045E7681EB74A540CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00554EA7, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00554EB3

Part of subcall function 005506C0: __getptd_noexit.LIBCMT ref: 005506C3
Part of subcall function 005506C0: __amsg_exit.LIBCMT ref: 005506D0

__getptd.LIBCMT ref: 00554ECA
__amsg_exit.LIBCMT ref: 00554ED8
__lock.LIBCMT ref: 00554EE8

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 333aabb8e14340d2b4da8bc2d76f44cf5eeaf94bd8862e41314a76933975be15
Instruction ID: 59301ca28b2bc509f3e7f17e34993b46df74066356ad74a22aa3f14521b3a6e4
Opcode Fuzzy Hash: 333aabb8e14340d2b4da8bc2d76f44cf5eeaf94bd8862e41314a76933975be15
Instruction Fuzzy Hash: CCF06231545B05CAD720FB78842B74E7E947B80726F50850BAC505B2D2CB34A898DF52

Uniqueness

Uniqueness Score: -1.00%

Function 00440755, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 256COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 004407AB

Strings

.\crypto\rand\md_rand.c, xrefs: 00440787, 00440795, 004407CC, 004407DC, 004407F5, 00440896, 004409B6, 004409D6, 00440A28
6\R, xrefs: 00440782, 004407B5, 004407E7, 00440888, 004409C8, 00440A1A

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _memcmp
String ID: .\crypto\rand\md_rand.c$6\R
API String ID: 2931989736-969700016
Opcode ID: 3f2c1eaffbf314081993ffa67122e7365e96b2036ddf2993f35fd6a314eeb438
Instruction ID: e0095b0bab842c99e95501cf8e874bb4247bef20fdd8f361168434af491a5a16
Opcode Fuzzy Hash: 3f2c1eaffbf314081993ffa67122e7365e96b2036ddf2993f35fd6a314eeb438
Instruction Fuzzy Hash: 6B812371A443056BE310DF18DD82B6B77E8AF84710F14483AFA84D7282E678D919CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00420BF0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00420CAC

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Part of subcall function 0041F960: std::tr1::_Xweak.LIBCPMT ref: 0041F9A0

Strings

index >= m_child_blocks.size(), xrefs: 00420C39
0S@, xrefs: 00420CA4

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionException@8RaiseThrowXweakstd::tr1::_
String ID: 0S@$index >= m_child_blocks.size()
API String ID: 1280563452-377766800
Opcode ID: e1acf7e5332d2f0ce9fdc6b27ac666fc95a14ac589ce62ca243f95c15f6879df
Instruction ID: ff0eb4cbc80f7bfd4d47f48d5f64024d2e78c3e0a4e51640bf927f014b17a595
Opcode Fuzzy Hash: e1acf7e5332d2f0ce9fdc6b27ac666fc95a14ac589ce62ca243f95c15f6879df
Instruction Fuzzy Hash: 52816A722047419FC324EF68D480A9BF7E5FF88304F908E1EE59A93651DB74B809CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00412217, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041221C

Part of subcall function 0040F1FC: __EH_prolog.LIBCMT ref: 0040F201

Strings

Watcher: , xrefs: 00412271
Walker: , xrefs: 004122ED

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog
String ID: Walker: $Watcher:
API String ID: 3519838083-2016308921
Opcode ID: cd57fe09c6261fcdc514e45f4de84a4b73a8590b7829b6c4d3e7a22be0f24da6
Instruction ID: 04b706f4096d630356abd72cb09eca4239d2138f626fcce1dfc104e7f70d174a
Opcode Fuzzy Hash: cd57fe09c6261fcdc514e45f4de84a4b73a8590b7829b6c4d3e7a22be0f24da6
Instruction Fuzzy Hash: D0417273A4020DAADB00EEE9DD46EDDBBB9BB44714F10006BB610F7181DB75AA458B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040A350, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040A355

Part of subcall function 0040D308: __EH_prolog.LIBCMT ref: 0040D30D

Part of subcall function 0040C3BF: GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,30B20E82,00000000,0056623E,00000000,Function_0000543E,00000000,?,00000000,?,30B20E82), ref: 0040C3D5
Part of subcall function 0040C3BF: __aulldvrm.LIBCMT ref: 0040C3EF

Part of subcall function 00566810: GetTickCount.KERNEL32 ref: 00566870
Part of subcall function 00566810: GetProcessHeap.KERNEL32(00000000,30B20E82), ref: 005668C2
Part of subcall function 00566810: HeapFree.KERNEL32(00000000), ref: 005668C9

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Part of subcall function 005659F0: GetProcessHeap.KERNEL32(00000000,?,?,00000000,?,00000000,0057E808,000000FF,00406779,00000001,00000000,00000001,00000000,?,xmode), ref: 00565A54
Part of subcall function 005659F0: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,0057E808,000000FF,00406779,00000001,00000000,00000001,00000000,?,xmode), ref: 00565A57
Part of subcall function 005659F0: GetProcessHeap.KERNEL32(00000000,?,?,00000000,?,00000000,0057E808,000000FF,00406779,00000001,00000000,00000001,00000000,?,xmode), ref: 00565A80
Part of subcall function 005659F0: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,0057E808,000000FF,00406779,00000001,00000000,00000001,00000000,?,xmode), ref: 00565A83

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040A3E4
Client Server Runtime Subsystem, xrefs: 0040A435

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Heap$FreeProcess$H_prologTime$CountFileSystemTick__aulldvrmchar_traits
String ID: Client Server Runtime Subsystem$SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
API String ID: 480152762-2461271356
Opcode ID: 916b375b9b386a94e436f0995029f3a5005c97a6873950cecd7e5d04124e064a
Instruction ID: d25dd386754db96cd6c3d5f0210ecd887fc46f93821635a3e1d0017623949947
Opcode Fuzzy Hash: 916b375b9b386a94e436f0995029f3a5005c97a6873950cecd7e5d04124e064a
Instruction Fuzzy Hash: F651A372C0124CEEDF11EBA4C845BDEBB78AF15318F14819EB505B7292EB741B48CB66

Uniqueness

Uniqueness Score: -1.00%

Function 004565AB, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 004565CA

Strings

fullname, xrefs: 004565BD
relativename, xrefs: 004565ED

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strncmp
String ID: fullname$relativename
API String ID: 909875538-2357537195
Opcode ID: 43abc07f17d234295c1406124d9e36af1bca176004f134c4454e0f5d3b9f9717
Instruction ID: ecf6641b05d4b7162b85ffbb1f016f35498996223a5d274ba887c786a6b8c605
Opcode Fuzzy Hash: 43abc07f17d234295c1406124d9e36af1bca176004f134c4454e0f5d3b9f9717
Instruction Fuzzy Hash: E5412571204701ABE7106F65D856B2AB691AF4032AF66442FFC059B393EFBDDC098A4D

Uniqueness

Uniqueness Score: -1.00%

Function 0045ABCA, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

.\crypto\objects\obj_lib.c, xrefs: 0045AC17, 0045AC6D, 0045ACA5

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: .\crypto\objects\obj_lib.c
API String ID: 0-1655395264
Opcode ID: 68800310bebf6c42bde45a643dc0a0b6cbc0381970a908136d3754d7cd6672f7
Instruction ID: 552c611eb4ed508bbb995f243fa095f59a5f613c4a3367c9d29e2a2932b812ab
Opcode Fuzzy Hash: 68800310bebf6c42bde45a643dc0a0b6cbc0381970a908136d3754d7cd6672f7
Instruction Fuzzy Hash: 9641A031A00305BFEB119F66D941B5EBBA0BF00756F20416BFD00DB282EB78D964C799

Uniqueness

Uniqueness Score: -1.00%

Function 0041245D, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412462

Part of subcall function 0040ED6B: _memset.LIBCMT ref: 0040ED87

Part of subcall function 00416A0E: _memset.LIBCMT ref: 00416A33
Part of subcall function 00416A0E: GetSystemDirectoryW.KERNEL32(?,00000400), ref: 00416A59

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

Part of subcall function 0040EDE2: __EH_prolog.LIBCMT ref: 0040EDE7
Part of subcall function 0040EDE2: CreatePipe.KERNEL32(0000006A,0000006E,?,00000000,?,0000000A,00412505,00000000), ref: 0040EE16

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Strings

chcpexit, xrefs: 0041248F
cmd.exe, xrefs: 004124B1

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$_memset$CreateDirectoryPipeSystemchar_traits
String ID: chcpexit$cmd.exe
API String ID: 2427169262-1388658100
Opcode ID: 00b227d022f3e7f27cbf410eb44faeb61faef081ebb27449d9b5c5e4b36293c1
Instruction ID: 63b562a0dd8427dc209ff34a47a2bc89f6e18bdf1fbd8d982a3f85f4d0a02f9f
Opcode Fuzzy Hash: 00b227d022f3e7f27cbf410eb44faeb61faef081ebb27449d9b5c5e4b36293c1
Instruction Fuzzy Hash: FC41B572D00158AEDB10EBA5CC45BDE7BBCAF05318F0045AAB619B31C1DBB45B48CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0045E1DD, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0045E278

Part of subcall function 0044B8A8: _strlen.LIBCMT ref: 0044B8CB

Strings

TYPE=, xrefs: 0045E24F
NULL, xrefs: 0045E225

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strlen
String ID: NULL$TYPE=
API String ID: 4218353326-4174652433
Opcode ID: 0e6aca92415e20bf399652352feb6c1a5b5480e06b9d5cd5e87a30172c175eb1
Instruction ID: 26939b3cd2a51b56b38c6d44e302372e8c1c58737200646770cd5565e89ce19a
Opcode Fuzzy Hash: 0e6aca92415e20bf399652352feb6c1a5b5480e06b9d5cd5e87a30172c175eb1
Instruction Fuzzy Hash: 7D310B33A40304BAEB3859A2DC07FAE375C9B00766F10417BFE15991C2EA789B498649

Uniqueness

Uniqueness Score: -1.00%

Function 004330C0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00433167

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Strings

row >= size(), xrefs: 004330FD
0S@, xrefs: 0043315F

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionException@8RaiseThrow
String ID: 0S@$row >= size()
API String ID: 3976011213-1828103634
Opcode ID: c59da69bc2e171eef05c326254220807be30d69e74427c53564f886f1d61f2dc
Instruction ID: 7cbc7ab5c2936355f0e25abfeb09d299af85da8b24004c045c3116447035ce51
Opcode Fuzzy Hash: c59da69bc2e171eef05c326254220807be30d69e74427c53564f886f1d61f2dc
Instruction Fuzzy Hash: B5414A716087509FD314DF69C880B2BFBE6BBC9715F408A2EF48587390DB78E9048B65

Uniqueness

Uniqueness Score: -1.00%

Function 00440DEB, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00440E3A

Strings

.\crypto\rand\md_rand.c, xrefs: 00440E08, 00440E28, 00440E57, 00440E76, 00440E8E, 00440EB6, 00440F0B
6\R, xrefs: 00440E1A, 00440E44, 00440E68, 00440E7D, 00440EA5, 00440EF7

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _memcmp
String ID: .\crypto\rand\md_rand.c$6\R
API String ID: 2931989736-969700016
Opcode ID: ca99d54163b7e5a45e7d59a2af0d9bc35e6e4b30742d0bb969ce7eca9ccfd907
Instruction ID: df83739ef1de0bdaf0812ac97141f5726d41ffc7f24f8d8d5d39b354f05593e0
Opcode Fuzzy Hash: ca99d54163b7e5a45e7d59a2af0d9bc35e6e4b30742d0bb969ce7eca9ccfd907
Instruction Fuzzy Hash: BF31383078130966F2309794AD46F3737589B90F10F000926BF58EA6C2D6FD9E39D79A

Uniqueness

Uniqueness Score: -1.00%

Function 00432F50, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00432FF8

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Strings

row >= size(), xrefs: 00432F8E
0S@, xrefs: 00432FF0

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionException@8RaiseThrow
String ID: 0S@$row >= size()
API String ID: 3976011213-1828103634
Opcode ID: 5898352adb01dbc37da5de3f9eff9fec7f729818d3b7077e13d63a6e81cd2839
Instruction ID: a0755e84b5ca7e0056079d898d7c8ecdcf672faf31af2216b752b01aa87180d0
Opcode Fuzzy Hash: 5898352adb01dbc37da5de3f9eff9fec7f729818d3b7077e13d63a6e81cd2839
Instruction Fuzzy Hash: 5B416B716087409BC314DF69C885B6BFBE9BBD8714F108A2EF48987390DB78E904CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00442577, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004425D0

Strings

.\crypto\err\err.c, xrefs: 0044258A, 004425E0
P, xrefs: 00442592

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strlen
String ID: .\crypto\err\err.c$P
API String ID: 4218353326-1804422389
Opcode ID: 642be3abe7ba952aca4a9dd95fc3dd3015989d8161fb086d280a0e7d7cb921b3
Instruction ID: 42912dd6532e52857ecd4aeca8e755e73f575d732ab2e1bd905664f92ed93f29
Opcode Fuzzy Hash: 642be3abe7ba952aca4a9dd95fc3dd3015989d8161fb086d280a0e7d7cb921b3
Instruction Fuzzy Hash: CD31D871900205ABEB10DF99D981BAEB7A4EF04718F64445BF504E7381EBB89A40CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00420F10, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00420FB0

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Strings

0S@, xrefs: 00420FA8
index > 0, xrefs: 00420F44

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionException@8RaiseThrow
String ID: 0S@$index > 0
API String ID: 3976011213-894382809
Opcode ID: 5b5289dfdcf463b86ff2638c259421173119b349290d1ceecd7150599e90590a
Instruction ID: 2059d3d9538208efe3307b6e2567f9c44a16b29837dac52301ba7e4413873e0d
Opcode Fuzzy Hash: 5b5289dfdcf463b86ff2638c259421173119b349290d1ceecd7150599e90590a
Instruction Fuzzy Hash: 933169712083809FC311DF19C891B5BFBE5BBD5724F408A2EF4A553391D7789908CB92

Uniqueness

Uniqueness Score: -1.00%

Function 004209F0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00420A9E

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Strings

0S@, xrefs: 00420A96
offset >= size(), xrefs: 00420A37

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionException@8RaiseThrow
String ID: 0S@$offset >= size()
API String ID: 3976011213-2175775595
Opcode ID: f7eb190bf03319729d881fcfa6ddd1ebda0e98298f10e7a07b40ba795b64a947
Instruction ID: d3b3d97530c9e75ff42b21831b395de75290847bf617acef4cfb67e31f7ea0ee
Opcode Fuzzy Hash: f7eb190bf03319729d881fcfa6ddd1ebda0e98298f10e7a07b40ba795b64a947
Instruction Fuzzy Hash: A3218E71248345AFD300DF59C890A5BFBE8FB99760F404A2EF59493381DB78D904CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00436320, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00436377

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

__CxxThrowException@8.LIBCMT ref: 004363C6

Strings

PiB, xrefs: 00436367, 004363B6

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: PiB
API String ID: 3476068407-3205498864
Opcode ID: 39d2b4ea2b7b87fbc3175235e3b78f364f7daa92e6b083b126ce367b0bce2ed2
Instruction ID: c9e4170fe6454b2deeb442f2eb8c322739948b6013e3cb14590d1bf497e8299b
Opcode Fuzzy Hash: 39d2b4ea2b7b87fbc3175235e3b78f364f7daa92e6b083b126ce367b0bce2ed2
Instruction Fuzzy Hash: C82184712002028F8310DF59C8C0C6EBBE5BFC9314B058A5EE9488B3A5DB70E90ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0046500C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

_strncpy.LIBCMT ref: 0046507E

Strings

OF, xrefs: 0046503E
.\crypto\x509v3\v3_alt.c, xrefs: 00465069

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strncpy
String ID: .\crypto\x509v3\v3_alt.c$OF
API String ID: 2961919466-118201736
Opcode ID: a42d24625fd01fb331462a042eff0d61d58f03b981d86373eadb4b6964303a76
Instruction ID: f139488f5c50dfe4c9585bf350698dfc706f07a941de3c9a062d3f8d2c621b80
Opcode Fuzzy Hash: a42d24625fd01fb331462a042eff0d61d58f03b981d86373eadb4b6964303a76
Instruction Fuzzy Hash: 1F112571509712AFDB11AF68DC46B5ABBD8FF08354F40802AF80897252EB75EC10C7E5

Uniqueness

Uniqueness Score: -1.00%

Function 0042CAB0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 0042CB02

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

__CxxThrowException@8.LIBCMT ref: 0042CB46

Strings

PiB, xrefs: 0042CAF5, 0042CB39

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: PiB
API String ID: 3476068407-3205498864
Opcode ID: 9748ff926cae1b1e26082c19f2d874fafc50dbde1e7d5267a8cfe3b00e1f3ee1
Instruction ID: 8ac66654b1a3cc9e00f6af658c8be0f0a1764a661f293eb42dabd9a5936a68dc
Opcode Fuzzy Hash: 9748ff926cae1b1e26082c19f2d874fafc50dbde1e7d5267a8cfe3b00e1f3ee1
Instruction Fuzzy Hash: 32118E792002029BC320EF19C8C1CAEF7E4FFD9714B404959F5449B3A1EB70E946C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 0040EFCD, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53filepipeCOMMON

Download Yara Rule

APIs

PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,p@,00000000,00000001,?,0040EF70), ref: 0040EFEC
ReadFile.KERNEL32(?,00000000,00000000,?,00000000,00000102,?,0040EF70), ref: 0040F013

Strings

p@, xrefs: 0040EFDC, 0040EFFC, 0040EFDF

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: FileNamedPeekPipeRead
String ID: p@
API String ID: 327342812-1482256116
Opcode ID: e863d6940344f07fe5e87380b982f0cdc9e0bc68511cfa642bf798dad228194a
Instruction ID: c9665e138dbd7d267d66197b32280cee37dddce7f3bb8f1b203877ba24e16af4
Opcode Fuzzy Hash: e863d6940344f07fe5e87380b982f0cdc9e0bc68511cfa642bf798dad228194a
Instruction Fuzzy Hash: 94017172901208BFDB219FA1DC85DEFBBBCFB51384B20047BF401A2652D635AE45EB24

Uniqueness

Uniqueness Score: -1.00%

Function 00404C10, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00404C15

Part of subcall function 00404749: __EH_prolog.LIBCMT ref: 0040474E

Strings

oH@, xrefs: 00404C51
:N@, xrefs: 00404C4B

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog
String ID: :N@$oH@
API String ID: 3519838083-3732481758
Opcode ID: 8243164c156a0d8c227b62e4f85dfc2805968c4ff98b441a3da74958de1e8bec
Instruction ID: c94c80212a349cf45fb97de1f887cd9e762c3fab49d5b52a8a0e46deab61e7f8
Opcode Fuzzy Hash: 8243164c156a0d8c227b62e4f85dfc2805968c4ff98b441a3da74958de1e8bec
Instruction Fuzzy Hash: F5F08CB15016009AC718EF59D40565EBFE4BF84714B00082FF605A7681EBB4AA40CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00404749, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040474E

Strings

H@, xrefs: 0040478B
2N@, xrefs: 00404785

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog
String ID: H@$2N@
API String ID: 3519838083-1473922170
Opcode ID: b7dbabe3c05d673c4642c1d707b09f8428ede20a9d0b9fe04d84824a9d1d8b96
Instruction ID: d1bfba15fc914394738cffe3de8867397a6dbe086f57aabf61115400917e4379
Opcode Fuzzy Hash: b7dbabe3c05d673c4642c1d707b09f8428ede20a9d0b9fe04d84824a9d1d8b96
Instruction Fuzzy Hash: A9F05EB2A006159BC724AF68940665EFBE4FB85754B00482FE501E7240EBB4AA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 005188C9, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 005188CD
_strrchr.LIBCMT ref: 005188D7

Strings

util.c, xrefs: 005188CC, 005188D4

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strrchr
String ID: util.c
API String ID: 3213747228-1042335965
Opcode ID: e2479a7f8100cdd015d1917fc2ee7a54e3376adfd63e937479ff20a354463359
Instruction ID: b15c382e42ffcba1610f7e7304f986b30cb7ac5b49e89901e7f26086c74c095f
Opcode Fuzzy Hash: e2479a7f8100cdd015d1917fc2ee7a54e3376adfd63e937479ff20a354463359
Instruction Fuzzy Hash: 7ED01D3260472225F97071293C45AF75D9DABC5790B4D0866FE54E6187EA09CC9240E5

Uniqueness

Uniqueness Score: -1.00%

Function 0040C1A0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040C1A5

Part of subcall function 0040148F: __EH_prolog.LIBCMT ref: 00401494

__CxxThrowException@8.LIBCMT ref: 0040C1DF

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Strings

vector<T> too long, xrefs: 0040C1B2

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrow
String ID: vector<T> too long
API String ID: 1193697898-3788999226
Opcode ID: 1c287bcadb19f7fb3cbe583b1f2ceeed1d7d396fe0b0494dc6d57f8cdf1d9d8d
Instruction ID: 14690c6792836f8e578b184e8e39d66fb179264ca3931cf97176258ea88dd3f8
Opcode Fuzzy Hash: 1c287bcadb19f7fb3cbe583b1f2ceeed1d7d396fe0b0494dc6d57f8cdf1d9d8d
Instruction Fuzzy Hash: F4E04F71C111099AEB04FBE4C55BADD7BBC7B14309F10842AF601B61A6EB785B0CCB24

Uniqueness

Uniqueness Score: -1.00%

Function 0040CDA8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040CDAD
__CxxThrowException@8.LIBCMT ref: 0040CDE8

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Strings

<@, xrefs: 0040CDCD, 0040CDD3

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionException@8H_prologRaiseThrow
String ID: <@
API String ID: 1681477883-3776883955
Opcode ID: 3e7848c5d8ccd68897fd3dc0c60ec9100719e256370e1b5a6b56709aa303a610
Instruction ID: 765d0385263d2f8915f5dac21231178825b7ccea4e3d6ea80912860e1f5a9d32
Opcode Fuzzy Hash: 3e7848c5d8ccd68897fd3dc0c60ec9100719e256370e1b5a6b56709aa303a610
Instruction Fuzzy Hash: 5AE0B675D01119A6DF50BBA5880ABCD7A7CBB10308F408862B648F2082EE7896994B59

Uniqueness

Uniqueness Score: -1.00%

Function 00410E73, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00410E78

Part of subcall function 0040148F: __EH_prolog.LIBCMT ref: 00401494

__CxxThrowException@8.LIBCMT ref: 00410EB2

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Strings

deque<T> too long, xrefs: 00410E85

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrow
String ID: deque<T> too long
API String ID: 1193697898-309773918
Opcode ID: a05541004ef29bb8772b11375c364d60027a38f8da324c2018db6ef0476ed302
Instruction ID: 3d844b7491a3e5a869290e68ab56627180a9a4cf341f9215d91d1ebeaf02d25e
Opcode Fuzzy Hash: a05541004ef29bb8772b11375c364d60027a38f8da324c2018db6ef0476ed302
Instruction Fuzzy Hash: A4E04F718501099AD704FBD0C85ABDD7FBC7B14304F04042AFA00B6096EBB45608CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00486957, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12sleepnetworkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00002726,00486BD1,00000000,00000000,00000005,00000000,?,0047F8D3,00000000,00000000,000003E8,00000000,?,?,?,0047E0B9), ref: 00486966
Sleep.KERNEL32(bP@,00486BD1,00000000,00000000,00000005,00000000,?,0047F8D3,00000000,00000000,000003E8,00000000,?,?,?,0047E0B9), ref: 00486971

Strings

bP@, xrefs: 00486957, 00486970

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorLastSleep
String ID: bP@
API String ID: 1458359878-2020989592
Opcode ID: 62998d30e1319c0fe576a722794b8ff953c98b9cc67cee6049a1788114206973
Instruction ID: b81ff277d398858d1eb431061022ebe339a1f9c4cc82e9d96002f5d1c79792e9
Opcode Fuzzy Hash: 62998d30e1319c0fe576a722794b8ff953c98b9cc67cee6049a1788114206973
Instruction Fuzzy Hash: 21C012B0700202979E002B748C0C61E32E86BA4762B814F45FA24D80D0DB38D404AB14

Uniqueness

Uniqueness Score: -1.00%

Function 00566720, Relevance: 5.1, APIs: 4, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 005667B6
HeapFree.KERNEL32(00000000), ref: 005667BD
GetProcessHeap.KERNEL32(00000000,30B20E82), ref: 005667E8
HeapFree.KERNEL32(00000000), ref: 005667EF

Part of subcall function 005664B0: TlsGetValue.KERNEL32(0000001F,30B20E82,?,00000000,?,30B20E82), ref: 0056651B
Part of subcall function 005664B0: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 0056658A
Part of subcall function 005664B0: SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,30B20E82), ref: 005665BD

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Heap$FreeProcessTimerWaitable$CreateValue
String ID:
API String ID: 3072597929-0
Opcode ID: 48636be8f4a94227aa95b884e29699227c58c3142cc1972680ad1cf019b1f752
Instruction ID: 73aa6a0a45b03615fab9055cd7e970b15851b9833d1b9bcae778440813fc0569
Opcode Fuzzy Hash: 48636be8f4a94227aa95b884e29699227c58c3142cc1972680ad1cf019b1f752
Instruction Fuzzy Hash: 54219C716046019FD710DF68C885B1BBBE8FB89725F008629FA558B290EB34A809CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0040F042, Relevance: 5.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,0040EEFE,00000001,00000001), ref: 0040F04A
CloseHandle.KERNEL32(?,0040EEFE,00000001,00000001), ref: 0040F05C
CloseHandle.KERNEL32(?,0040EEFE,00000001,00000001), ref: 0040F06E
CloseHandle.KERNEL32(?,0040EEFE,00000001,00000001), ref: 0040F080

Memory Dump Source

Source File: 00000000.00000002.870192658.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.870917215.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.870993450.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000000.00000002.871019225.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 751f47e8ec7c1f8cd04c87943f27f8ee9a87f0f2da027f6d3e018a656329ce2f
Instruction ID: df87bf9c783cc774c7383b0d216860b11489985fe752ad8cd4369dc9f9f655d5
Opcode Fuzzy Hash: 751f47e8ec7c1f8cd04c87943f27f8ee9a87f0f2da027f6d3e018a656329ce2f
Instruction Fuzzy Hash: 1BF07431600B44AFD7309B2AC848B2773E8BF11786F044839A482D6A90C77DE408DB24

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: csrss.exe PID: 5888 Parent PID: 3440 csrss.exeCOMMON

Executed Functions

Function 00405D99, Relevance: 12.7, APIs: 1, Strings: 7, Instructions: 713sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0040F08B: __EH_prolog.LIBCMT ref: 0040F090

Part of subcall function 0040F169: __EH_prolog.LIBCMT ref: 0040F16E

Part of subcall function 004076C2: __EH_prolog.LIBCMT ref: 004076C7

Part of subcall function 0054D747: _malloc.LIBCMT ref: 0054DE8D

Part of subcall function 0040CE76: __EH_prolog.LIBCMT ref: 0040CE7B

Part of subcall function 00409024: __EH_prolog.LIBCMT ref: 00409029

Part of subcall function 00408946: __EH_prolog.LIBCMT ref: 0040894B

Sleep.KERNEL32(0000001E,?,00000000,?,?,?,?,00000001,00000000,00000001,00000000,?,xmode), ref: 004067C2

Strings

xstate, xrefs: 00405F5D, 00406232, 00406435
&, xrefs: 00406727
xsys, xrefs: 004066F3
xmode, xrefs: 004065C6
%, xrefs: 00406712
xcnt, xrefs: 0040600F, 00406333, 00406568
#, xrefs: 0040668C

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$Sleep_malloc
String ID: #$%$&$xcnt$xmode$xstate$xsys
API String ID: 1973873821-4248995162
Opcode ID: af6c99ec79c96001511c8b97c2e864d241a9c751a53860d1b4e56bb570d2e2ae
Instruction ID: 36cb1b60db995d1c3402be5ba9ee1ecdbbf8caa4cc1d1825f51cca90febd4169
Opcode Fuzzy Hash: af6c99ec79c96001511c8b97c2e864d241a9c751a53860d1b4e56bb570d2e2ae
Instruction Fuzzy Hash: 1542DC710083809ED721EB65C845BDFBBD8AF95708F04492EF689632C2DB785649CBA7

Uniqueness

Uniqueness Score: -1.00%

Function 00416D6D, Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 370fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0054D747: _malloc.LIBCMT ref: 0054DE8D

_memset.LIBCMT ref: 00416E00
FindFirstFileW.KERNELBASE(?,?,00000001,00000000,00000001,00000001,00000001,00000000,000000FF), ref: 00416E99
FindNextFileW.KERNELBASE(?,00000010,?,0058B6A8), ref: 00417028
FindNextFileW.KERNELBASE(?,00000010,?,0058B6A8), ref: 004171AE
FindClose.KERNELBASE(?), ref: 004171BF

Strings

@, xrefs: 0041712E
\\?\, xrefs: 00416E08

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Find$File$Next$CloseFirst_malloc_memset
String ID: @$\\?\
API String ID: 570807038-1420128806
Opcode ID: 98acee6eec996a9a9e9d96c193f96fbc91e61079d2326705ba184a9bbcf8db5f
Instruction ID: 9b24118c42bf724cda5b84ebfaa015a66517b757526d0c1c6ee7df496abc514b
Opcode Fuzzy Hash: 98acee6eec996a9a9e9d96c193f96fbc91e61079d2326705ba184a9bbcf8db5f
Instruction Fuzzy Hash: 72E17172D04218ABDF21EBA1CD46BDEBB78AF04314F1041AAEA15B3191DB785F85CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00525289, Relevance: 4.5, APIs: 3, Instructions: 26encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(005FF4BC,00000000,00000000,00000001,F0000000,005252FD,005223F9,?,00000100,?,005223F9,?,00493D75,00000000,00000000,?), ref: 005252A1
GetLastError.KERNEL32(?,005223F9,?,00493D75,00000000,00000000,?,?,0050371C), ref: 005252AB
CryptGenRandom.ADVAPI32(00000020,0050371C,005252FD,005223F9,?,00000100,?,005223F9,?,00493D75,00000000,00000000,?,?,0050371C), ref: 005252D2

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Crypt$AcquireContextErrorLastRandom
String ID:
API String ID: 738925053-0
Opcode ID: 630d012bbbcadce043b989311e2f47e3c5d882948e08b29fb0170b4ca4bb444e
Instruction ID: c97a939c6065c9c5e9c4aeca9096ee48a0eac218a918b9349758b5d699524cff
Opcode Fuzzy Hash: 630d012bbbcadce043b989311e2f47e3c5d882948e08b29fb0170b4ca4bb444e
Instruction Fuzzy Hash: DFE09231190213EAEF205B30BC4CB2B3A51BB11B01F101619FA01E40F0E7B54448BB00

Uniqueness

Uniqueness Score: -1.00%

Function 0041A13C, Relevance: 329.4, APIs: 94, Strings: 94, Instructions: 392libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,?,004123B2), ref: 0041A14A
GetProcAddress.KERNEL32(00000000,GetComputerNameW), ref: 0041A162
GetProcAddress.KERNEL32(00000000,GetSystemInfo), ref: 0041A16F
GetProcAddress.KERNEL32(00000000,GetLogicalDriveStringsW), ref: 0041A17C
GetProcAddress.KERNEL32(00000000,GetVolumeInformationW), ref: 0041A189
GetProcAddress.KERNEL32(00000000,GetDriveTypeW), ref: 0041A196
GetProcAddress.KERNEL32(00000000,GetSystemDirectoryW), ref: 0041A1A3
GetProcAddress.KERNEL32(00000000,GetWindowsDirectoryA), ref: 0041A1B0
GetProcAddress.KERNEL32(00000000,GetWindowsDirectoryW), ref: 0041A1BD
GetProcAddress.KERNEL32(00000000,GetTempPathW), ref: 0041A1CA
GetProcAddress.KERNEL32(00000000,FindFirstFileW), ref: 0041A1D7
GetProcAddress.KERNEL32(00000000,FindNextFileW), ref: 0041A1E4
GetProcAddress.KERNEL32(00000000,FindClose), ref: 0041A1F1
GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 0041A1FE
GetProcAddress.KERNEL32(00000000,ReadFile), ref: 0041A20B
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 0041A218
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 0041A225
GetProcAddress.KERNEL32(00000000,SetFileAttributesW), ref: 0041A232
GetProcAddress.KERNEL32(00000000,GetFileAttributesW), ref: 0041A23F
GetProcAddress.KERNEL32(00000000,SetFilePointer), ref: 0041A24C
GetProcAddress.KERNEL32(00000000,GetFileSize), ref: 0041A259
GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 0041A266
GetProcAddress.KERNEL32(00000000,CreateDirectoryW), ref: 0041A273
GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 0041A280
GetProcAddress.KERNEL32(00000000,CopyFileW), ref: 0041A28D
GetProcAddress.KERNEL32(00000000,GetCurrentThreadId), ref: 0041A29A
GetProcAddress.KERNEL32(00000000,ExitProcess), ref: 0041A2A7
GetProcAddress.KERNEL32(00000000,GetLastError), ref: 0041A2B4
GetProcAddress.KERNEL32(00000000,GetModuleFileNameW), ref: 0041A2C1
GetProcAddress.KERNEL32(00000000,GetModuleFileNameA), ref: 0041A2CE
GetProcAddress.KERNEL32(00000000,Sleep), ref: 0041A2DB
GetProcAddress.KERNEL32(00000000,DeviceIoControl), ref: 0041A2E8
GetProcAddress.KERNEL32(00000000,GetShortPathNameW), ref: 0041A2F5
GetProcAddress.KERNEL32(00000000,WideCharToMultiByte), ref: 0041A302
GetProcAddress.KERNEL32(00000000,GetVersionExW), ref: 0041A30F
GetProcAddress.KERNEL32(00000000,SetErrorMode), ref: 0041A31C
GetProcAddress.KERNEL32(00000000,CreatePipe), ref: 0041A329
GetProcAddress.KERNEL32(00000000,SetHandleInformation), ref: 0041A336
GetProcAddress.KERNEL32(00000000,CreateProcessW), ref: 0041A343
GetProcAddress.KERNEL32(00000000,WaitForSingleObject), ref: 0041A350
GetProcAddress.KERNEL32(00000000,GetExitCodeProcess), ref: 0041A35D
GetProcAddress.KERNEL32(00000000,PeekNamedPipe), ref: 0041A36A
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0041A377
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 0041A384
LoadLibraryA.KERNEL32(advapi32.dll,?,?,?,004123B2), ref: 0041A390
GetProcAddress.KERNEL32(00000000,RegOpenKeyExW), ref: 0041A39E
GetProcAddress.KERNEL32(00000000,RegQueryValueExW), ref: 0041A3AB
GetProcAddress.KERNEL32(00000000,RegSetValueExW), ref: 0041A3B8
GetProcAddress.KERNEL32(00000000,RegCreateKeyExW), ref: 0041A3C5
GetProcAddress.KERNEL32(00000000,RegDeleteValueW), ref: 0041A3D2
GetProcAddress.KERNEL32(00000000,RegEnumKeyW), ref: 0041A3DF
GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 0041A3EC
GetProcAddress.KERNEL32(00000000,RegQueryInfoKeyW), ref: 0041A3F9
GetProcAddress.KERNEL32(00000000,GetUserNameW), ref: 0041A406
LoadLibraryA.KERNEL32(shell32.dll,?,?,?,004123B2), ref: 0041A412
GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 0041A420
GetProcAddress.KERNEL32(00000000,ShellExecuteW), ref: 0041A42D
GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 0041A43A
LoadLibraryA.KERNELBASE(ole32.dll,?,?,?,004123B2), ref: 0041A446
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 0041A454
GetProcAddress.KERNEL32(00000000,CoUninitialize), ref: 0041A461
GetProcAddress.KERNEL32(00000000,CoCreateInstance), ref: 0041A46E
GetProcAddress.KERNEL32(00000000,CoInitializeSecurity), ref: 0041A47B
GetProcAddress.KERNEL32(00000000,CoSetProxyBlanket), ref: 0041A488
GetProcAddress.KERNEL32(00000000,CoTaskMemFree), ref: 0041A495
LoadLibraryA.KERNEL32(oleaut32.dll,?,?,?,004123B2), ref: 0041A4A1
GetProcAddress.KERNEL32(00000000,VariantClear), ref: 0041A4AD
LoadLibraryA.KERNEL32(user32.dll,?,?,?,004123B2), ref: 0041A4B9
GetProcAddress.KERNEL32(00000000,GetDesktopWindow), ref: 0041A4C7
GetProcAddress.KERNEL32(00000000,GetWindowRect), ref: 0041A4D4
GetProcAddress.KERNEL32(00000000,GetDC), ref: 0041A4E1
GetProcAddress.KERNEL32(00000000,DrawTextW), ref: 0041A4EE
GetProcAddress.KERNEL32(00000000,SystemParametersInfoW), ref: 0041A4FB
GetProcAddress.KERNEL32(00000000,CharUpperW), ref: 0041A508
GetProcAddress.KERNEL32(00000000,GetForegroundWindow), ref: 0041A515
LoadLibraryA.KERNEL32(gdi32.dll,?,?,?,004123B2), ref: 0041A521
GetProcAddress.KERNEL32(00000000,CreateCompatibleDC), ref: 0041A533
GetProcAddress.KERNEL32(00000000,CreateCompatibleBitmap), ref: 0041A540
GetProcAddress.KERNEL32(00000000,SelectObject), ref: 0041A54D
GetProcAddress.KERNEL32(00000000,DeleteObject), ref: 0041A55A
GetProcAddress.KERNEL32(00000000,DeleteDC), ref: 0041A567
GetProcAddress.KERNEL32(00000000,CreateBrushIndirect), ref: 0041A574
GetProcAddress.KERNEL32(00000000,SetTextColor), ref: 0041A581
GetProcAddress.KERNEL32(00000000,SetBkColor), ref: 0041A58E
GetProcAddress.KERNEL32(00000000,GetCurrentObject), ref: 0041A59B
GetProcAddress.KERNEL32(00000000,GetObjectA), ref: 0041A5A8
GetProcAddress.KERNEL32(00000000,CreateFontIndirectA), ref: 0041A5B5
GetProcAddress.KERNEL32(00000000,CreateDIBSection), ref: 0041A5C2
GetProcAddress.KERNEL32(00000000,BitBlt), ref: 0041A5CF
GetProcAddress.KERNEL32(00000000,ExtFloodFill), ref: 0041A5DC
LoadLibraryA.KERNELBASE(netapi32.dll,?,?,?,004123B2), ref: 0041A5E8
GetProcAddress.KERNELBASE(00000000,NetServerGetInfo), ref: 0041A5F6
GetProcAddress.KERNELBASE(00000000,NetApiBufferFree), ref: 0041A603
GetProcAddress.KERNEL32(00000000,NetWkstaGetInfo), ref: 0041A610

Strings

WaitForSingleObject, xrefs: 0041A345
GetDesktopWindow, xrefs: 0041A4C1
CreateBrushIndirect, xrefs: 0041A569
CreateDIBSection, xrefs: 0041A5B7
GetModuleFileNameW, xrefs: 0041A2B6
DeviceIoControl, xrefs: 0041A2DD
DeleteDC, xrefs: 0041A55C
FindFirstFileW, xrefs: 0041A1CC
Wow64DisableWow64FsRedirection, xrefs: 0041A36C
Sleep, xrefs: 0041A2D0
VariantClear, xrefs: 0041A4A7
MoveFileW, xrefs: 0041A260
RegSetValueExW, xrefs: 0041A3AD
CoSetProxyBlanket, xrefs: 0041A47D
SetTextColor, xrefs: 0041A576
RegDeleteValueW, xrefs: 0041A3C7
ExtFloodFill, xrefs: 0041A5D1
NetApiBufferFree, xrefs: 0041A5F8
CoCreateInstance, xrefs: 0041A463
ole32.dll, xrefs: 0041A441
DrawTextW, xrefs: 0041A4E3
GetSystemInfo, xrefs: 0041A164
RegQueryInfoKeyW, xrefs: 0041A3EE
SelectObject, xrefs: 0041A542
GetLastError, xrefs: 0041A2A9
RegQueryValueExW, xrefs: 0041A3A0
GetDriveTypeW, xrefs: 0041A18B
GetComputerNameW, xrefs: 0041A15C
RegOpenKeyExW, xrefs: 0041A398
FindClose, xrefs: 0041A1E6
RegCloseKey, xrefs: 0041A3E1
GetUserNameW, xrefs: 0041A3FB
CreateCompatibleBitmap, xrefs: 0041A535
GetSystemDirectoryW, xrefs: 0041A198
gdi32.dll, xrefs: 0041A51C
GetExitCodeProcess, xrefs: 0041A352
CreateFileW, xrefs: 0041A1F3
WideCharToMultiByte, xrefs: 0041A2F7
SetErrorMode, xrefs: 0041A311
SetHandleInformation, xrefs: 0041A32B
SystemParametersInfoW, xrefs: 0041A4F0
SHGetKnownFolderPath, xrefs: 0041A42F
GetCurrentObject, xrefs: 0041A590
DeleteFileW, xrefs: 0041A275
CreatePipe, xrefs: 0041A31E
CoTaskMemFree, xrefs: 0041A48A
GetFileAttributesW, xrefs: 0041A234
GetForegroundWindow, xrefs: 0041A50A
RegEnumKeyW, xrefs: 0041A3D4
CoInitializeSecurity, xrefs: 0041A470
WriteFile, xrefs: 0041A20D
CopyFileW, xrefs: 0041A282
SetFilePointer, xrefs: 0041A241
GetLogicalDriveStringsW, xrefs: 0041A171
GetWindowsDirectoryW, xrefs: 0041A1B2
BitBlt, xrefs: 0041A5C4
GetObjectA, xrefs: 0041A59D
SetFileAttributesW, xrefs: 0041A227
CloseHandle, xrefs: 0041A21A
advapi32.dll, xrefs: 0041A38B
GetWindowRect, xrefs: 0041A4C9
CreateCompatibleDC, xrefs: 0041A52D
netapi32.dll, xrefs: 0041A5E3
GetFileSize, xrefs: 0041A24E
GetCurrentThreadId, xrefs: 0041A28F
GetDC, xrefs: 0041A4D6
CoInitializeEx, xrefs: 0041A44E
GetModuleFileNameA, xrefs: 0041A2C3
GetVolumeInformationW, xrefs: 0041A17E
GetVersionExW, xrefs: 0041A304
PeekNamedPipe, xrefs: 0041A35F
GetTempPathW, xrefs: 0041A1BF
FindNextFileW, xrefs: 0041A1D9
user32.dll, xrefs: 0041A4B4
CreateDirectoryW, xrefs: 0041A268
GetShortPathNameW, xrefs: 0041A2EA
GetWindowsDirectoryA, xrefs: 0041A1A5
ExitProcess, xrefs: 0041A29C
SHGetFolderPathW, xrefs: 0041A41A
CharUpperW, xrefs: 0041A4FD
CreateFontIndirectA, xrefs: 0041A5AA
Wow64RevertWow64FsRedirection, xrefs: 0041A379
DeleteObject, xrefs: 0041A54F
oleaut32.dll, xrefs: 0041A49C
CreateProcessW, xrefs: 0041A338
ShellExecuteW, xrefs: 0041A422
ReadFile, xrefs: 0041A200
SetBkColor, xrefs: 0041A583
kernel32.dll, xrefs: 0041A145
shell32.dll, xrefs: 0041A40D
CoUninitialize, xrefs: 0041A456
RegCreateKeyExW, xrefs: 0041A3BA
NetServerGetInfo, xrefs: 0041A5F0
NetWkstaGetInfo, xrefs: 0041A605

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad
String ID: BitBlt$CharUpperW$CloseHandle$CoCreateInstance$CoInitializeEx$CoInitializeSecurity$CoSetProxyBlanket$CoTaskMemFree$CoUninitialize$CopyFileW$CreateBrushIndirect$CreateCompatibleBitmap$CreateCompatibleDC$CreateDIBSection$CreateDirectoryW$CreateFileW$CreateFontIndirectA$CreatePipe$CreateProcessW$DeleteDC$DeleteFileW$DeleteObject$DeviceIoControl$DrawTextW$ExitProcess$ExtFloodFill$FindClose$FindFirstFileW$FindNextFileW$GetComputerNameW$GetCurrentObject$GetCurrentThreadId$GetDC$GetDesktopWindow$GetDriveTypeW$GetExitCodeProcess$GetFileAttributesW$GetFileSize$GetForegroundWindow$GetLastError$GetLogicalDriveStringsW$GetModuleFileNameA$GetModuleFileNameW$GetObjectA$GetShortPathNameW$GetSystemDirectoryW$GetSystemInfo$GetTempPathW$GetUserNameW$GetVersionExW$GetVolumeInformationW$GetWindowRect$GetWindowsDirectoryA$GetWindowsDirectoryW$MoveFileW$NetApiBufferFree$NetServerGetInfo$NetWkstaGetInfo$PeekNamedPipe$ReadFile$RegCloseKey$RegCreateKeyExW$RegDeleteValueW$RegEnumKeyW$RegOpenKeyExW$RegQueryInfoKeyW$RegQueryValueExW$RegSetValueExW$SHGetFolderPathW$SHGetKnownFolderPath$SelectObject$SetBkColor$SetErrorMode$SetFileAttributesW$SetFilePointer$SetHandleInformation$SetTextColor$ShellExecuteW$Sleep$SystemParametersInfoW$VariantClear$WaitForSingleObject$WideCharToMultiByte$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$WriteFile$advapi32.dll$gdi32.dll$kernel32.dll$netapi32.dll$ole32.dll$oleaut32.dll$shell32.dll$user32.dll
API String ID: 2238633743-160047495
Opcode ID: 92d82e14e39e8ab5a07b569c061adb14ebd62f70d39669f16754e19e700200b9
Instruction ID: bacac2941af320af69a4f4bfd5fca98cd5f2bcaf782328d8fd34d87f4f724ada
Opcode Fuzzy Hash: 92d82e14e39e8ab5a07b569c061adb14ebd62f70d39669f16754e19e700200b9
Instruction Fuzzy Hash: 1AC15971D81719798B107B7AAD49E3BBEFDFDA5B90310042BA204D36A1DAFC8405EF64

Uniqueness

Uniqueness Score: -1.00%

Function 00449089, Relevance: 144.1, APIs: 52, Strings: 30, Instructions: 576libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(00000094), ref: 004490D1
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 004490E2
LoadLibraryA.KERNEL32(KERNEL32.DLL), ref: 004490EC
LoadLibraryA.KERNEL32(NETAPI32.DLL), ref: 004490F6
GetProcAddress.KERNEL32(00000000,NetStatisticsGet), ref: 00449119
GetProcAddress.KERNEL32(00000000,NetApiBufferFree), ref: 00449124
NetStatisticsGet.NETAPI32(00000000,LanmanWorkstation,00000000,00000000,?), ref: 00449143
NetStatisticsGet.NETAPI32(00000000,LanmanServer,00000000,00000000,?), ref: 0044917F
FreeLibrary.KERNEL32(00000000), ref: 004491AF
GetProcAddress.KERNEL32(00000000,CryptAcquireContextW), ref: 004491C3
GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 004491D0
GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 004491DD
FreeLibrary.KERNEL32(00000000), ref: 004492B5
LoadLibraryA.KERNEL32(USER32.DLL), ref: 004492D6
GetProcAddress.KERNEL32(00000000,GetForegroundWindow), ref: 004492E9
GetProcAddress.KERNEL32(005223F9,GetCursorInfo), ref: 004492F5
GetProcAddress.KERNEL32(005223F9,GetQueueStatus), ref: 00449301
FreeLibrary.KERNEL32(005223F9), ref: 004493A6
GetProcAddress.KERNEL32(?,CreateToolhelp32Snapshot), ref: 004493C1
GetProcAddress.KERNEL32(?,CloseToolhelp32Snapshot), ref: 004493CB
GetProcAddress.KERNEL32(?,Heap32First), ref: 004493D6
GetProcAddress.KERNEL32(?,Heap32Next), ref: 004493E1
GetProcAddress.KERNEL32(?,Heap32ListFirst), ref: 004493EC
GetProcAddress.KERNEL32(?,Heap32ListNext), ref: 004493F7
GetProcAddress.KERNEL32(?,Process32First), ref: 00449402
GetProcAddress.KERNEL32(?,Process32Next), ref: 0044940D
GetProcAddress.KERNEL32(?,Thread32First), ref: 00449418
GetProcAddress.KERNEL32(?,Thread32Next), ref: 00449423
GetProcAddress.KERNEL32(?,Module32First), ref: 0044942E
GetProcAddress.KERNEL32(?,Module32Next), ref: 00449439
CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 004494AC
_memset.LIBCMT ref: 004494C4
GetTickCount.KERNEL32 ref: 004494DB
Heap32ListFirst.KERNEL32(?,?), ref: 004494E7
_memset.LIBCMT ref: 0044952E
Heap32First.KERNEL32(00000024,?,?), ref: 0044954D
Heap32Next.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00449588
GetTickCount.KERNEL32 ref: 00449595
Heap32ListNext.KERNEL32(?,?), ref: 004495D1
GetTickCount.KERNEL32 ref: 004495DE
GetTickCount.KERNEL32 ref: 00449601
Process32First.KERNEL32(?,00000128), ref: 00449610
GetTickCount.KERNEL32 ref: 00449654
GetTickCount.KERNEL32 ref: 00449670
Thread32Next.KERNEL32(?,?,?,?,?,?,?,?,0050371C), ref: 004496B6
GetTickCount.KERNEL32 ref: 004496C3
GetTickCount.KERNEL32 ref: 004496DC

Strings

GetCursorInfo, xrefs: 004492ED
LanmanWorkstation, xrefs: 0044913D
GetForegroundWindow, xrefs: 004492E3
Intel Hardware Cryptographic Service Provider, xrefs: 00449257
Heap32ListNext, xrefs: 004493F1
ADVAPI32.DLL, xrefs: 004490D7
GetQueueStatus, xrefs: 004492F9
Heap32ListFirst, xrefs: 004493E6
Process32Next, xrefs: 00449407
LanmanServer, xrefs: 00449179
USER32.DLL, xrefs: 004492D1
KERNEL32.DLL, xrefs: 004490E7
CreateToolhelp32Snapshot, xrefs: 004493BB
Thread32First, xrefs: 00449412
NetApiBufferFree, xrefs: 0044911E
Heap32Next, xrefs: 004493DB
Heap32First, xrefs: 004493D0
Thread32Next, xrefs: 0044941D
CryptReleaseContext, xrefs: 004491D5
Module32First, xrefs: 00449428
CloseToolhelp32Snapshot, xrefs: 004493C5
P, xrefs: 00449554
Module32Next, xrefs: 00449433
Process32First, xrefs: 004493FC
NETAPI32.DLL, xrefs: 004490F1
*, xrefs: 004494F7
$, xrefs: 00449536
CryptAcquireContextW, xrefs: 004491BB
NetStatisticsGet, xrefs: 00449113
CryptGenRandom, xrefs: 004491C8

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProc$CountTick$Library$Heap32Load$FirstFreeNext$ListStatistics_memset$CreateProcess32SnapshotThread32Toolhelp32Version
String ID: $$*$ADVAPI32.DLL$CloseToolhelp32Snapshot$CreateToolhelp32Snapshot$CryptAcquireContextW$CryptGenRandom$CryptReleaseContext$GetCursorInfo$GetForegroundWindow$GetQueueStatus$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Intel Hardware Cryptographic Service Provider$KERNEL32.DLL$LanmanServer$LanmanWorkstation$Module32First$Module32Next$NETAPI32.DLL$NetApiBufferFree$NetStatisticsGet$P$Process32First$Process32Next$Thread32First$Thread32Next$USER32.DLL
API String ID: 2433720521-1350268427
Opcode ID: b7fa122a4be735a3caced3de6003707d5f059b6d1ecbba9eebbf8d0dac50a3ab
Instruction ID: a597fa4a12bf090581903b27f185ab35ef79f39b3aa834aa655541eba6c9e9e5
Opcode Fuzzy Hash: b7fa122a4be735a3caced3de6003707d5f059b6d1ecbba9eebbf8d0dac50a3ab
Instruction Fuzzy Hash: 7F223C71D00219AAEF21AFA4DC4ABEEBBB8BF08701F14046BE514B2191EB795D44DF19

Uniqueness

Uniqueness Score: -1.00%

Function 004495B2, Relevance: 19.7, APIs: 13, Instructions: 162memorythreadCOMMON

Download Yara Rule

APIs

Heap32ListNext.KERNEL32(?,?), ref: 004495D1
GetTickCount.KERNEL32 ref: 004495DE
GetTickCount.KERNEL32 ref: 00449601
Process32First.KERNEL32(?,00000128), ref: 00449610
GetTickCount.KERNEL32 ref: 00449654
GetTickCount.KERNEL32 ref: 00449670
Thread32Next.KERNEL32(?,?,?,?,?,?,?,?,0050371C), ref: 004496B6
GetTickCount.KERNEL32 ref: 004496C3
GetTickCount.KERNEL32 ref: 004496DC
GetTickCount.KERNEL32 ref: 0044972F
CloseHandle.KERNEL32(?), ref: 00449746
FreeLibrary.KERNEL32(?), ref: 0044974D
GlobalMemoryStatus.KERNEL32(?), ref: 0044975F
GetCurrentProcessId.KERNEL32(00000000,?,?,0050371C), ref: 00449783

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: CountTick$Next$CloseCurrentFirstFreeGlobalHandleHeap32LibraryListMemoryProcessProcess32StatusThread32
String ID:
API String ID: 1071621230-0
Opcode ID: a1c0b86f4b7103e88aef94650fc727431207be6cea0405d03f1b4f70a9cb3dd6
Instruction ID: 8d85ac953cd6445dab28d3fccd7cfbeaca7f123bf3d085413ecd1b8e6b1165e8
Opcode Fuzzy Hash: a1c0b86f4b7103e88aef94650fc727431207be6cea0405d03f1b4f70a9cb3dd6
Instruction Fuzzy Hash: A651F971D00219DBEF20AFA0DC89BEEBBB8BF04305F1405A6E554B2191EB399D88DF55

Uniqueness

Uniqueness Score: -1.00%

Function 004BC85C, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004BC880
SHGetSpecialFolderLocation.SHELL32(00000000,0000001A,?,?,00493F49,?), ref: 004BC8A2

Strings

C:\Users\user\AppData\Roaming\tor, xrefs: 004BC890, 004BC8B1, 004BC8B6, 004BC8DD, 004BC921
\tor, xrefs: 004BC927

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: FolderLocationSpecial_memset
String ID: C:\Users\user\AppData\Roaming\tor$\tor
API String ID: 2494379704-2277798446
Opcode ID: be1c6d0e63d0c66bcc27b071d8a352d34c751a18683e72ca8202c0258c371bbf
Instruction ID: aa61b6df43bf6174afcfaa8a99a4d21979bfe03b25cd0e0d530e401f64bcd10e
Opcode Fuzzy Hash: be1c6d0e63d0c66bcc27b071d8a352d34c751a18683e72ca8202c0258c371bbf
Instruction Fuzzy Hash: A1212C75704204ABEB109B95DC84BEABBBDEF95304F000066F905E3251D7B8DA89DF71

Uniqueness

Uniqueness Score: -1.00%

Function 00566E53, Relevance: 10.6, APIs: 7, Instructions: 71threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 00566E84
__calloc_crt.LIBCMT ref: 00566E90
__getptd.LIBCMT ref: 00566E9D
__initptd.LIBCMT ref: 00566EA6
CreateThread.KERNELBASE(?,?,00566DD0,00000000,?,?), ref: 00566ED4
GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00566EDE
__dosmaperr.LIBCMT ref: 00566EF6

Part of subcall function 0054FF67: __getptd_noexit.LIBCMT ref: 0054FF67

Part of subcall function 0054DCE9: __decode_pointer.LIBCMT ref: 0054DCF4

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit__initptd
String ID:
API String ID: 3358092440-0
Opcode ID: a066a7af5224819440a3e94bf3109f6399fddce9b1035a8e208e6801cf9a516c
Instruction ID: b411b64c96bfdf496679c08ed4ee92551e68e9020df60553250cf9b660e30627
Opcode Fuzzy Hash: a066a7af5224819440a3e94bf3109f6399fddce9b1035a8e208e6801cf9a516c
Instruction Fuzzy Hash: 1D11BF72501206AFDB10BFA8DC8A89F7FA8FF84324B20403AF91493191EB72DD559B60

Uniqueness

Uniqueness Score: -1.00%

Function 00416AEC, Relevance: 9.2, APIs: 6, Instructions: 218COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00416B15
_memset.LIBCMT ref: 00416B2F

Part of subcall function 0040BD0A: __EH_prolog.LIBCMT ref: 0040BD0F

GetLogicalDriveStringsW.KERNELBASE(00000400,?,?,?,?,?,?,?,?), ref: 00416B4D
GetSystemDirectoryW.KERNEL32(?,00000400), ref: 00416B70

Part of subcall function 00418A23: __EH_prolog.LIBCMT ref: 00418A28

GetDriveTypeW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,005E3970,000000FF), ref: 00416BC0

Part of subcall function 00417871: DeviceIoControl.KERNEL32(00000000,002D0800,00000000,00000000,00000000,00000000,?,00000000), ref: 00417965
Part of subcall function 00417871: CloseHandle.KERNEL32(00000000), ref: 00417970

GetDriveTypeW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,005E3970,000000FF), ref: 00416CAE

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Drive$H_prologType_memset$CloseControlDeviceDirectoryHandleLogicalStringsSystem
String ID:
API String ID: 653048085-0
Opcode ID: 5a74b144c0bdfd6486515b6af61d040d517ecdcdab6187388787fa632d9f45ed
Instruction ID: f42da7431cee3868c2a19145b3ed7ba8a389a6dc5d9546ccc49d3724ea6c418b
Opcode Fuzzy Hash: 5a74b144c0bdfd6486515b6af61d040d517ecdcdab6187388787fa632d9f45ed
Instruction Fuzzy Hash: A6716072D0011D9ACF21EBE5DC859EEB779EF44304F01406BE945B3151DB78AE89CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041AB82, Relevance: 9.1, APIs: 6, Instructions: 133registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00000001,?,00000010,?,00000000,?,0041AA04,?,?,?,?,005F9E10,?), ref: 0041ABBE
RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,00000000,?,00000007,?,0041AA04,?,?,?,?,005F9E10,?), ref: 0041ABF8
RegCloseKey.KERNELBASE(?,?,0041AA04,?,?,?,?,005F9E10,?,?,004091A2,?,00000000,?,005F9E10,00000001), ref: 0041AC0D
RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,00000000,?,00000007,?,0041AA04,?,?,?,?,005F9E10,?), ref: 0041AC4A
RegCloseKey.ADVAPI32(?,?,0041AA04,?,?,?,?,005F9E10,?,?,004091A2,?,00000000,?,005F9E10,00000001), ref: 0041AC5F
RegCloseKey.KERNELBASE(?,?,?,0041AA04,?,?,?,?,005F9E10,?,?,004091A2,?,00000000,?,005F9E10), ref: 0041ACC5

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Close$QueryValue$Open
String ID:
API String ID: 4117052246-0
Opcode ID: 70a0974806a73ffb224f902ab8304f4d88fc92c7b710db27d7d51a816c72c51c
Instruction ID: 05bbb73e4a224557291e9c41d201345eb6dd911abf7cd99cb31bbd14388a45c6
Opcode Fuzzy Hash: 70a0974806a73ffb224f902ab8304f4d88fc92c7b710db27d7d51a816c72c51c
Instruction Fuzzy Hash: BE416F72901109EFDB04DFA4CD859EDBBB9FF04304F10406AF502A72A0D775AE54DB65

Uniqueness

Uniqueness Score: -1.00%

Function 004111E4, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 212COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004111E9

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Part of subcall function 004115C5: __EH_prolog.LIBCMT ref: 004115CA
Part of subcall function 004115C5: CreateDirectoryW.KERNELBASE(00000000,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000001,00000001,?,?,00000000,00411276,?), ref: 004116B1
Part of subcall function 004115C5: GetLastError.KERNEL32(?,?,00000000,00411276,?,00000001,00000000), ref: 004116BB
Part of subcall function 004115C5: GetFileAttributesW.KERNELBASE(00000000,?,?,00000000,00411276,?,00000001,00000000), ref: 004116D5

Strings

--bridge, xrefs: 004113BB
--SOCKSPort, xrefs: 00411300
--ignore-missing-torrc, xrefs: 004112D3
--DataDirectory, xrefs: 00411355

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$AttributesCreateDirectoryErrorFileLastchar_traits
String ID: --DataDirectory$--SOCKSPort$--bridge$--ignore-missing-torrc
API String ID: 3466364229-2885400816
Opcode ID: 83d04b7570980dc56848c08dde38ebf3dc8d70482de82f7e8164def69007d05f
Instruction ID: 1a46922c2742f45d4a1e7175345dba749d7ad9fe6b86a33151203023ffeff536
Opcode Fuzzy Hash: 83d04b7570980dc56848c08dde38ebf3dc8d70482de82f7e8164def69007d05f
Instruction Fuzzy Hash: 93717271904148EEEB14EBA5C886ADDBFBCAF14308F10446EE101B32D2DB795E44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004115C5, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004115CA

Part of subcall function 00415E12: _sprintf.LIBCMT ref: 00415EC6

Part of subcall function 00417980: _memset.LIBCMT ref: 004179A5
Part of subcall function 00417980: GetTempPathW.KERNEL32(00000400,?), ref: 004179CA

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

Part of subcall function 0040D292: __EH_prolog.LIBCMT ref: 0040D297

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

CreateDirectoryW.KERNELBASE(00000000,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000001,00000001,?,?,00000000,00411276,?), ref: 004116B1
GetLastError.KERNEL32(?,?,00000000,00411276,?,00000001,00000000), ref: 004116BB
GetFileAttributesW.KERNELBASE(00000000,?,?,00000000,00411276,?,00000001,00000000), ref: 004116D5

Strings

a4ad4ip2xzclh6fd.onion, xrefs: 004115DE

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$AttributesCreateDirectoryErrorFileLastPathTemp_memset_sprintfchar_traits
String ID: a4ad4ip2xzclh6fd.onion
API String ID: 3723910461-1920382520
Opcode ID: 7d71376e1f8e4ace106f233001d45f24754f9421fdacafa689286b743a37223a
Instruction ID: d1a6285b658dc726bfc8ea858675a62124a6a1473bd0398269db1e722f49b7b9
Opcode Fuzzy Hash: 7d71376e1f8e4ace106f233001d45f24754f9421fdacafa689286b743a37223a
Instruction Fuzzy Hash: A441A172900118EBDB10EBE5CC85ADEBB78AF14318F14456AF605B3181DB786E49CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0054FB25, Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0054FB43

Part of subcall function 00556112: __mtinitlocknum.LIBCMT ref: 00556128
Part of subcall function 00556112: __amsg_exit.LIBCMT ref: 00556134
Part of subcall function 00556112: RtlEnterCriticalSection.NTDLL(?), ref: 0055613C

___sbh_find_block.LIBCMT ref: 0054FB4E
___sbh_free_block.LIBCMT ref: 0054FB5D
RtlFreeHeap.NTDLL(00000000,?,005DAA68,0000000C,005506B1,00000000,?,00550A15,?,00000001,?,?,0055609C,00000018,005DAC78,0000000C), ref: 0054FB8D
GetLastError.KERNEL32(?,00550A15,?,00000001,?,?,0055609C,00000018,005DAC78,0000000C,0055612D,?,?,?,0055076B,0000000D), ref: 0054FB9E

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: f8bc6710369c74b31ce2a4bac9a73dff4b03522297202a4cf09614b6160071ee
Instruction ID: bf5ded5c3a2da6e79cff59dd4495d3ffc7fdc02111ce33b4bf9a0fdaa98ac906
Opcode Fuzzy Hash: f8bc6710369c74b31ce2a4bac9a73dff4b03522297202a4cf09614b6160071ee
Instruction Fuzzy Hash: 89014F31C05607EAEB206BB8EC1EB9E3F64FF8672AF144526F800AA1C1DE749544DF65

Uniqueness

Uniqueness Score: -1.00%

Function 0041B2FA, Relevance: 6.1, APIs: 4, Instructions: 119fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

CreateFileW.KERNELBASE(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0041B351
GetFileSize.KERNEL32(000000FF,00000000,00000001,00000001), ref: 0041B398
CloseHandle.KERNEL32(000000FF,?), ref: 0041B41B

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: File$CloseCreateH_prologHandleSize
String ID:
API String ID: 2041516235-0
Opcode ID: 9a4ec5831ac35c61399bea046fd17de03a456eaf9e376cfee3212383931a810a
Instruction ID: 786b0256b83315f1475c7869818d8c2c104baf1054248f497883fa4ac06ae10a
Opcode Fuzzy Hash: 9a4ec5831ac35c61399bea046fd17de03a456eaf9e376cfee3212383931a810a
Instruction Fuzzy Hash: 3F413D71900209AFDF11EFA5CC85BDE7BA8EF04314F10852AFA24B7190D778A954DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00417DC2, Relevance: 6.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

GetShortPathNameW.KERNELBASE(00000000,00000000,00000000), ref: 00417DEC
GetShortPathNameW.KERNELBASE(00000000,00000000,00000000), ref: 00417E3C
WideCharToMultiByte.KERNEL32(00000001,00000400,000000FF,00000000,00000000,00000000,00000000,00000000,?,004129A4,?,00000000,00000001,00000000,DELETE SHADOWS ALL,00000001), ref: 00417E52
WideCharToMultiByte.KERNEL32(00000001,00000400,000000FF,00000000,00000000,00000000,00000000,00000000,?,004129A4,?,00000000,00000001,00000000,DELETE SHADOWS ALL,00000001), ref: 00417E73

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ByteCharMultiNamePathShortWide$char_traits
String ID:
API String ID: 896575834-0
Opcode ID: e135d788e474df31e1c57a4011849e15d003a8935aa70c6e9bccd1363d8efd53
Instruction ID: 2516f9eb414e66aa3397a4191322c914b30e326e0606e902c51f80397a0fb5ff
Opcode Fuzzy Hash: e135d788e474df31e1c57a4011849e15d003a8935aa70c6e9bccd1363d8efd53
Instruction Fuzzy Hash: 95217372901218BEDB14AFA1CC4EEEF7F7CEF45368F10442AF905B6191DA755A40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00412398, Relevance: 6.1, APIs: 4, Instructions: 51threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A13C: LoadLibraryA.KERNEL32(kernel32.dll,?,?,?,004123B2), ref: 0041A14A
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,GetComputerNameW), ref: 0041A162
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,GetSystemInfo), ref: 0041A16F
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,GetLogicalDriveStringsW), ref: 0041A17C
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,GetVolumeInformationW), ref: 0041A189
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,GetDriveTypeW), ref: 0041A196
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,GetSystemDirectoryW), ref: 0041A1A3
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,GetWindowsDirectoryA), ref: 0041A1B0
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,GetWindowsDirectoryW), ref: 0041A1BD
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,GetTempPathW), ref: 0041A1CA
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,FindFirstFileW), ref: 0041A1D7
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,FindNextFileW), ref: 0041A1E4
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,FindClose), ref: 0041A1F1
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 0041A1FE
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,ReadFile), ref: 0041A20B
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,WriteFile), ref: 0041A218
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 0041A225
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,SetFileAttributesW), ref: 0041A232
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,GetFileAttributesW), ref: 0041A23F
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,SetFilePointer), ref: 0041A24C
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,GetFileSize), ref: 0041A259
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 0041A266
Part of subcall function 0041A13C: GetProcAddress.KERNEL32(00000000,CreateDirectoryW), ref: 0041A273

__time64.LIBCMT ref: 004123B4

Part of subcall function 0054DE22: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00486601,00000008,?,?,?,?,?), ref: 0054DE2D
Part of subcall function 0054DE22: __aulldiv.LIBCMT ref: 0054DE4D

GetCurrentThreadId.KERNEL32 ref: 004123BF
_clock.LIBCMT ref: 004123C7

Part of subcall function 0054E1CE: GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,?,?,00415DDD), ref: 0054E1DA
Part of subcall function 0054E1CE: __aulldiv.LIBCMT ref: 0054E20B

Part of subcall function 0054E24C: __getptd.LIBCMT ref: 0054E251

SetErrorMode.KERNELBASE(00000001), ref: 004123D9

Part of subcall function 004059A7: __set_invalid_parameter_handler.LIBCMT ref: 004059D5

Part of subcall function 00401837: CloseHandle.KERNEL32(00000000), ref: 00401843

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProc$Time$FileSystem__aulldiv$CloseCurrentErrorHandleLibraryLoadModeThread__getptd__set_invalid_parameter_handler__time64_clockchar_traits
String ID:
API String ID: 1831159218-0
Opcode ID: 747005446d92a27801d7fcced0a0df1884df2695be6219da56a8f1fc250814f3
Instruction ID: 5c3d0786dcd94a95d7e0ca10f54f622b99982f843032d36679869d025159e9ec
Opcode Fuzzy Hash: 747005446d92a27801d7fcced0a0df1884df2695be6219da56a8f1fc250814f3
Instruction Fuzzy Hash: 0A0180729002189ADB10B7B69C4BBDE7768EF84318F04047AB105F7182EE789E48DAA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040934F, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 159COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409354

Part of subcall function 00408F74: __EH_prolog.LIBCMT ref: 00408F79
Part of subcall function 00408F74: _swscanf.LIBCMT ref: 00408FD0

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Strings

xmode, xrefs: 0040937A
xpk, xrefs: 00409402

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$_swscanfchar_traits
String ID: xmode$xpk
API String ID: 25352567-3644361171
Opcode ID: 6a1a41dd85f65d6007ea82dcbea8be0e723280a6a9a082a22ae9c1e9aca944e7
Instruction ID: be9824b17ce19a0544218ec90855fe4653963837ab81eeb15d96f4668ad3588a
Opcode Fuzzy Hash: 6a1a41dd85f65d6007ea82dcbea8be0e723280a6a9a082a22ae9c1e9aca944e7
Instruction Fuzzy Hash: 3951C632C09248EEDF00EBE4C891ADEBF78AF15318F24816EE505772C2DA781B49C765

Uniqueness

Uniqueness Score: -1.00%

Function 00409D6F, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409D74

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Strings

4.0.0.1, xrefs: 00409E8B
xVersion, xrefs: 00409DBD

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prologchar_traits
String ID: 4.0.0.1$xVersion
API String ID: 734123105-1157460051
Opcode ID: 7804a2c443c614f4f432c834cc6701fbfd2b3cebda9269945320b556b172e0ee
Instruction ID: 32757e5fe67e3a3f74283ce48273cfcda8d6186f51c80ec08af5dda560e04205
Opcode Fuzzy Hash: 7804a2c443c614f4f432c834cc6701fbfd2b3cebda9269945320b556b172e0ee
Instruction Fuzzy Hash: FA317272C04248EEDB01EBA5C895ADEBBBCEF54318F10816EE515B72C2DA741F44C765

Uniqueness

Uniqueness Score: -1.00%

Function 00405A1A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81sleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00405A28
Sleep.KERNEL32(00004E20,?,?,?,?,?,?,004059E3,?,?,?,?,?,?,?,0056F72C), ref: 00405A4D

Part of subcall function 004044A4: __EH_prolog.LIBCMT ref: 004044A9

Part of subcall function 004044FD: __EH_prolog.LIBCMT ref: 00404502

Part of subcall function 00404578: __EH_prolog.LIBCMT ref: 0040457D

Part of subcall function 0040222A: __EH_prolog.LIBCMT ref: 0040222F

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Strings

std exception: , xrefs: 00405A77

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$Sleepchar_traits
String ID: std exception:
API String ID: 1343582179-192970234
Opcode ID: dee13fa63c8bbf969846ba230aeaed2c20c3805cee5ef06f57ead953ab0f6d56
Instruction ID: 5dbf755479c88b1a7103e6d148b6f3558c22e7a4e2a641d07a7910b253ff8f15
Opcode Fuzzy Hash: dee13fa63c8bbf969846ba230aeaed2c20c3805cee5ef06f57ead953ab0f6d56
Instruction Fuzzy Hash: 07216DB2801148BADB10FBA2DC1AEDF7E6CEF95314F10846EF905B7192DA785B04C765

Uniqueness

Uniqueness Score: -1.00%

Function 00565D10, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61threadCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,0BA3A0FA,0000001B,00000000,0000000F), ref: 00565D9B
ResumeThread.KERNELBASE(?,?,?,0BA3A0FA,0000001B,00000000,0000000F), ref: 00565DA9

Part of subcall function 00404466: __EH_prolog.LIBCMT ref: 0040446B
Part of subcall function 00404466: __CxxThrowException@8.LIBCMT ref: 0040449E

Strings

,_X, xrefs: 00565D6D, 00565D71

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseException@8H_prologHandleResumeThreadThrow
String ID: ,_X
API String ID: 305045544-2525363915
Opcode ID: f7407945fc1146dcebf09d9d72daf3b287b41a5d04e22db4bc92658b2b71bfa8
Instruction ID: 7da7a442a679d23e0f139116aba8cb02582e47617d037f2eae67dd5f3e5e47e2
Opcode Fuzzy Hash: f7407945fc1146dcebf09d9d72daf3b287b41a5d04e22db4bc92658b2b71bfa8
Instruction Fuzzy Hash: 92118EB16447019FD300DF68CC85B56BBE8FF88724F540A2DFA59A72D0E774A904CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0051869A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

Part of subcall function 005186E5: _vwprintf.LIBCMT ref: 005186EF

_abort.LIBCMT ref: 005186DB

Strings

tor_asprintf, xrefs: 005186BE
compat.c, xrefs: 005186C8

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _abort_vwprintf
String ID: compat.c$tor_asprintf
API String ID: 4233853164-2677870121
Opcode ID: a03e9e0d94a096926dc831e935f2570e4794f5c9482fa548d1e233bb11bc2dd6
Instruction ID: fadafcaa48bf7083b93e84692499a71288c94c27a24677b5f98bcd0c605584d9
Opcode Fuzzy Hash: a03e9e0d94a096926dc831e935f2570e4794f5c9482fa548d1e233bb11bc2dd6
Instruction Fuzzy Hash: CEE04FA27453826BFE3135D99C8AAAB6A8DBBE0351F44083AF90492182FA7184945666

Uniqueness

Uniqueness Score: -1.00%

Function 007E3D80, Relevance: 4.7, APIs: 3, Instructions: 220memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 007E3DC5
VirtualProtect.KERNELBASE(?,?,00000000,?,?,?,?), ref: 007E3E79
VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 007E3ED2

Memory Dump Source

Source File: 00000002.00000002.417148157.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID: Virtual$Alloc$Protect
String ID:
API String ID: 655996629-0
Opcode ID: 906e68909d15a4fb586f7e88fc43e186f601afe9a98fa1fb1e7fddc7105f0e08
Instruction ID: ecf168ae13ec177412f1bb3c6c2f9467f7cf7e6bdb49846c71861437c552f32c
Opcode Fuzzy Hash: 906e68909d15a4fb586f7e88fc43e186f601afe9a98fa1fb1e7fddc7105f0e08
Instruction Fuzzy Hash: 9CA1B9B5A01109DFCB08CF99D495EAEB7B5BF4C314F208159E909AB342D775EE82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0041730F, Relevance: 4.6, APIs: 3, Instructions: 79COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00417344
SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00417362
SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00417382

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: FolderPath$_memset
String ID:
API String ID: 3393382086-0
Opcode ID: 1e69431a5f520d9351b9834158e3e0f8fc8fba4d5d46b794e6891ab280a1aec8
Instruction ID: 486add32d1bd1975be3852fe7ddbfa561011ec75baf33ba7af5d0a6af7282b7d
Opcode Fuzzy Hash: 1e69431a5f520d9351b9834158e3e0f8fc8fba4d5d46b794e6891ab280a1aec8
Instruction Fuzzy Hash: E9214F7190020EAADB10EFA4DC85AEE77BCEB04308F008466F915A7191E678AE49DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00566D8F, Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00566D9B

Part of subcall function 005506C0: __getptd_noexit.LIBCMT ref: 005506C3
Part of subcall function 005506C0: __amsg_exit.LIBCMT ref: 005506D0

__endthreadex.LIBCMT ref: 00566DAB

Part of subcall function 00566D52: __IsNonwritableInCurrentImage.LIBCMT ref: 00566D65
Part of subcall function 00566D52: __getptd_noexit.LIBCMT ref: 00566D75
Part of subcall function 00566D52: __freeptd.LIBCMT ref: 00566D7F
Part of subcall function 00566D52: RtlExitUserThread.NTDLL(?,?,00566DB0,00000000), ref: 00566D88
Part of subcall function 00566D52: __XcptFilter.LIBCMT ref: 00566DBC

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: __getptd_noexit$CurrentExitFilterImageNonwritableThreadUserXcpt__amsg_exit__endthreadex__freeptd__getptd
String ID:
API String ID: 1003287236-0
Opcode ID: d5ffaa2fac93b57a93795acfc15131be6656510bd2281e27697c5d96fa6a6ef3
Instruction ID: f7c7618201d0fe9112ace75dfba656db385953faac180528d5aae010a4362146
Opcode Fuzzy Hash: d5ffaa2fac93b57a93795acfc15131be6656510bd2281e27697c5d96fa6a6ef3
Instruction Fuzzy Hash: 3DE08CB0900A01EFEB08BBA0C85AF2D3B75BF84312F20004AF4025B2B2CA359904EF20

Uniqueness

Uniqueness Score: -1.00%

Function 00409024, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409029

Part of subcall function 00408F74: __EH_prolog.LIBCMT ref: 00408F79
Part of subcall function 00408F74: _swscanf.LIBCMT ref: 00408FD0

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Strings

xstate, xrefs: 0040903C

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$_swscanfchar_traits
String ID: xstate
API String ID: 25352567-855772137
Opcode ID: 365de51d0537bda756363e7c1d1c93ef73aa071f66380438a6e284809805ab2a
Instruction ID: c50855399fdc458b1c81fac5968d24b34a594ec8a79ea7de3d84a08ada846b0c
Opcode Fuzzy Hash: 365de51d0537bda756363e7c1d1c93ef73aa071f66380438a6e284809805ab2a
Instruction Fuzzy Hash: F211A532C04148AEDB04EFA4C851BEE7BB4EF15314F10842EE511B71C2DB795A48CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004076C2, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004076C7

Part of subcall function 00408F74: __EH_prolog.LIBCMT ref: 00408F79
Part of subcall function 00408F74: _swscanf.LIBCMT ref: 00408FD0

Strings

xmail, xrefs: 004076DB

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$_swscanf
String ID: xmail
API String ID: 3564940915-2145529671
Opcode ID: 01e0b262b0e7e15e8449a7f768722ba72c603a9b381fac80ac87558231376547
Instruction ID: 43db2cbb4ee7d3465fea96ed397aaa94fdab7b8e7bc123b9de1572122abec5e1
Opcode Fuzzy Hash: 01e0b262b0e7e15e8449a7f768722ba72c603a9b381fac80ac87558231376547
Instruction Fuzzy Hash: 20117C76C05258AEDB14EFD0D891AEEBB78BF00344F10442FB61177281DB781B04CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00408F74, Relevance: 3.1, APIs: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408F79
_swscanf.LIBCMT ref: 00408FD0

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog_swscanf
String ID:
API String ID: 2233257175-0
Opcode ID: 34ab3dfda97ec85efaf30c2e936dd0b0fc5ceecd7112c8962a3042989125fd3a
Instruction ID: 1b3fb9d94e572ac1d1f71da2ec0990b4464615d01ca8e9d3a80bb870dab937f5
Opcode Fuzzy Hash: 34ab3dfda97ec85efaf30c2e936dd0b0fc5ceecd7112c8962a3042989125fd3a
Instruction Fuzzy Hash: 4E110372900204EADB10EFA5CC46ADEBB78FF95304F01843AF515B7182DB389B49CB98

Uniqueness

Uniqueness Score: -1.00%

Function 005186E5, Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

_vwprintf.LIBCMT ref: 005186EF

Part of subcall function 005544F9: __vscwprintf_helper.LIBCMT ref: 0055450B

_vswprintf_s.LIBCMT ref: 0051871D

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: __vscwprintf_helper_vswprintf_s_vwprintf
String ID:
API String ID: 2695537769-0
Opcode ID: 2f13ee121352c9bc67a5d03bdb7e0e0be7abf28ee7e86339e733b8fc4ddd553c
Instruction ID: 1febc336b014a45a518a8c729338373fc5da47dbd3fc1c71bfd6ee5d10d712b4
Opcode Fuzzy Hash: 2f13ee121352c9bc67a5d03bdb7e0e0be7abf28ee7e86339e733b8fc4ddd553c
Instruction Fuzzy Hash: 60018636204205ABEB215E68DC85ABE3FA5FB85775F204615FD148B2D1DA329C508661

Uniqueness

Uniqueness Score: -1.00%

Function 007E3830, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 007E389C

Strings

VirtualAlloc, xrefs: 007E3881, 007E3884

Memory Dump Source

Source File: 00000002.00000002.417148157.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: ea834c74fc57b1eb379842a09c45168dceb37f59ab5946c3ea9aff66bb75d60b
Instruction ID: 5c797519e89640c905bb416ff23f97472101e3ddc379c1a877170092d5732882
Opcode Fuzzy Hash: ea834c74fc57b1eb379842a09c45168dceb37f59ab5946c3ea9aff66bb75d60b
Instruction Fuzzy Hash: 6101ED60D082C9EAEB01D7E8C409BFFBFB55F15704F1440D8EA846B282D6BE575887B6

Uniqueness

Uniqueness Score: -1.00%

Function 005610AE, Relevance: 3.0, APIs: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 005610C6

Part of subcall function 00556112: __mtinitlocknum.LIBCMT ref: 00556128
Part of subcall function 00556112: __amsg_exit.LIBCMT ref: 00556134
Part of subcall function 00556112: RtlEnterCriticalSection.NTDLL(?), ref: 0055613C

__tzset_nolock.LIBCMT ref: 005610D7

Part of subcall function 00560999: __lock.LIBCMT ref: 005609BB
Part of subcall function 00560999: __get_daylight.LIBCMT ref: 005609D0
Part of subcall function 00560999: __invoke_watson.LIBCMT ref: 005609DF
Part of subcall function 00560999: __get_daylight.LIBCMT ref: 005609EB
Part of subcall function 00560999: __invoke_watson.LIBCMT ref: 005609FA
Part of subcall function 00560999: __get_daylight.LIBCMT ref: 00560A06
Part of subcall function 00560999: __invoke_watson.LIBCMT ref: 00560A15
Part of subcall function 00560999: ____lc_codepage_func.LIBCMT ref: 00560A1D
Part of subcall function 00560999: __getenv_helper_nolock.LIBCMT ref: 00560A3F
Part of subcall function 00560999: _strlen.LIBCMT ref: 00560A7D
Part of subcall function 00560999: __malloc_crt.LIBCMT ref: 00560A84
Part of subcall function 00560999: _strlen.LIBCMT ref: 00560A9A

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: __get_daylight__invoke_watson$__lock_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__malloc_crt__mtinitlocknum__tzset_nolock
String ID:
API String ID: 4157481694-0
Opcode ID: e718e0990a72662fd71036fd2f88ab3c14e25633bf80e9aff6b717b52fafee22
Instruction ID: ac009bf0eb951d686ccb9b87b3adff1ea133665fc900cf716fcce39c03418bed
Opcode Fuzzy Hash: e718e0990a72662fd71036fd2f88ab3c14e25633bf80e9aff6b717b52fafee22
Instruction Fuzzy Hash: 9CE02630441B1A9FCA6167A05B0F27D3DE07758B32F108016F801530C28A301184D609

Uniqueness

Uniqueness Score: -1.00%

Function 00550C5C, Relevance: 3.0, APIs: 2, Instructions: 8COMMON

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 00550C64

Part of subcall function 00550C31: GetModuleHandleW.KERNEL32(mscoree.dll,?,00550C69,?,?,005500A0,000000FF,0000001E,?,00550A15,?,00000001,?,?,0055609C,00000018), ref: 00550C3B
Part of subcall function 00550C31: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00550C4B

ExitProcess.KERNEL32 ref: 00550C6D

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 15e7393eec1aeecc5b8b6fe4803cf79eab12e2e03f0255d3ea68c0e263a5f6ed
Instruction ID: 77c8b401220811efde7c0be1f4f6a82ededcaa8a2773919b3b974dd104ee9db5
Opcode Fuzzy Hash: 15e7393eec1aeecc5b8b6fe4803cf79eab12e2e03f0255d3ea68c0e263a5f6ed
Instruction Fuzzy Hash: AEB04831000109BB8B012B12DD0E88A7E6AEA813A1B145121BE080A0A19AB2AD96AA80

Uniqueness

Uniqueness Score: -1.00%

Function 00410431, Relevance: 1.8, APIs: 1, Instructions: 328COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00410436

Part of subcall function 0040BD0A: __EH_prolog.LIBCMT ref: 0040BD0F

Part of subcall function 0040B9A5: __EH_prolog.LIBCMT ref: 0040B9AA

Part of subcall function 0054D747: _malloc.LIBCMT ref: 0054DE8D

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

Part of subcall function 0041B8A0: SetEvent.KERNEL32(00000000,005A7DBC,0041D220,00000000), ref: 0041B96F

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$Event_malloc
String ID:
API String ID: 3703941353-0
Opcode ID: 358d111a78703d5dd4bebeae89dabf3ac9c545e93544820423c77c5b922ebfb2
Instruction ID: 4f1803c315171745e62bb66377c53cfda7b226bcf10c8c21e668976c4e189cbd
Opcode Fuzzy Hash: 358d111a78703d5dd4bebeae89dabf3ac9c545e93544820423c77c5b922ebfb2
Instruction Fuzzy Hash: 80D15B71E00219DFDF11EBA4C885BDDBBB5BF44304F1081AAE609B7281DB78AA85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 007E3B00, Relevance: 1.6, APIs: 1, Instructions: 77libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 007E3B58

Memory Dump Source

Source File: 00000002.00000002.417148157.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a2c2d76fb87602c03bfdf45c71e65d7c2dc1016122473ecb74e563991d5f964e
Instruction ID: 71825688ac80a766dc42c5d2069c8ff87c22492cdbd4866ae6910c9f96ac9e10
Opcode Fuzzy Hash: a2c2d76fb87602c03bfdf45c71e65d7c2dc1016122473ecb74e563991d5f964e
Instruction Fuzzy Hash: 9F31A8B5A01109DFCB04CF99C884AADB7B5FF8C314F24C299D819AB355D735AA41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004059A7, Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

__set_invalid_parameter_handler.LIBCMT ref: 004059D5

Part of subcall function 0054DCC2: __decode_pointer.LIBCMT ref: 0054DCCE
Part of subcall function 0054DCC2: __encode_pointer.LIBCMT ref: 0054DCD8

Part of subcall function 00405A1A: __EH_prolog.LIBCMT ref: 00405A28
Part of subcall function 00405A1A: Sleep.KERNEL32(00004E20,?,?,?,?,?,?,004059E3,?,?,?,?,?,?,?,0056F72C), ref: 00405A4D

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prologSleep__decode_pointer__encode_pointer__set_invalid_parameter_handler
String ID:
API String ID: 2508137788-0
Opcode ID: 0641b074fce6a2b0ee1698a3f85e40de4f73c89eb6bc9fe567af7da94ebcde58
Instruction ID: 2655be3c0ed29cf41e2688e1e3052b7afd55770afc8c3a742de88b6b50e2a825
Opcode Fuzzy Hash: 0641b074fce6a2b0ee1698a3f85e40de4f73c89eb6bc9fe567af7da94ebcde58
Instruction Fuzzy Hash: E0F0A772600644FFD7149B85DC47F5BBF78F741B74F20432AF111622C0D7B829008AA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040F393, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040F398

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4ca94030091c474476d208ad4c72edff3e24c4a963bca676efc705f2fabbea7f
Instruction ID: 30c736633fc7e46df1d0969e21789a79b255cf1855b799af1fabb956e3dc02d9
Opcode Fuzzy Hash: 4ca94030091c474476d208ad4c72edff3e24c4a963bca676efc705f2fabbea7f
Instruction Fuzzy Hash: 94E04F72A01604EFD704EF54D45AB9EBFB8FB90715F10842AF006AB181D7759A04CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0054DB38, Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

Part of subcall function 00550C74: __lock.LIBCMT ref: 00550C76

__onexit_nolock.LIBCMT ref: 0054DB50

Part of subcall function 0054DA4D: __decode_pointer.LIBCMT ref: 0054DA5C
Part of subcall function 0054DA4D: __decode_pointer.LIBCMT ref: 0054DA6C
Part of subcall function 0054DA4D: __msize.LIBCMT ref: 0054DA8A
Part of subcall function 0054DA4D: __realloc_crt.LIBCMT ref: 0054DAAE
Part of subcall function 0054DA4D: __realloc_crt.LIBCMT ref: 0054DAC4
Part of subcall function 0054DA4D: __encode_pointer.LIBCMT ref: 0054DAD6
Part of subcall function 0054DA4D: __encode_pointer.LIBCMT ref: 0054DAE4
Part of subcall function 0054DA4D: __encode_pointer.LIBCMT ref: 0054DAEF

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: __encode_pointer$__decode_pointer__realloc_crt$__lock__msize__onexit_nolock
String ID:
API String ID: 1316407801-0
Opcode ID: 6f4441e52b001283acaea012c7725850ce13c5480be60702df0439ab426c3b6f
Instruction ID: 33646886e64101b3b276851e4b06652598524b7677974fdd541f40e460260374
Opcode Fuzzy Hash: 6f4441e52b001283acaea012c7725850ce13c5480be60702df0439ab426c3b6f
Instruction Fuzzy Hash: A4D01735801706EACF10BBA8CC1AB9D7E70BFC0721F608246B420661D2CA345A05AB12

Uniqueness

Uniqueness Score: -1.00%

Function 00550E78, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

_doexit.LIBCMT ref: 00550E84

Part of subcall function 00550D4C: __lock.LIBCMT ref: 00550D5A
Part of subcall function 00550D4C: __decode_pointer.LIBCMT ref: 00550D91
Part of subcall function 00550D4C: __decode_pointer.LIBCMT ref: 00550DA6
Part of subcall function 00550D4C: __decode_pointer.LIBCMT ref: 00550DD0
Part of subcall function 00550D4C: __decode_pointer.LIBCMT ref: 00550DE6
Part of subcall function 00550D4C: __decode_pointer.LIBCMT ref: 00550DF3
Part of subcall function 00550D4C: __initterm.LIBCMT ref: 00550E22
Part of subcall function 00550D4C: __initterm.LIBCMT ref: 00550E32

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: 589a4d7c78c2c0ca12d45939106cafee6af12cd5c9081e1df6a78787f36c86d6
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: 8AB0123258030C33DAA12583EC07F063F2D97C0B60F241021FE0C1D1E1A9F3B96980C9

Uniqueness

Uniqueness Score: -1.00%

Function 0055042E, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

__encode_pointer.LIBCMT ref: 00550430

Part of subcall function 005503BC: TlsGetValue.KERNEL32(00000000,?,00550435,00000000,0055A730,005FBAD8,00000000,00000314,?,00551241,005FBAD8,Microsoft Visual C++ Runtime Library,00012010), ref: 005503CE
Part of subcall function 005503BC: TlsGetValue.KERNEL32(00000005,?,00550435,00000000,0055A730,005FBAD8,00000000,00000314,?,00551241,005FBAD8,Microsoft Visual C++ Runtime Library,00012010), ref: 005503E5
Part of subcall function 005503BC: RtlEncodePointer.NTDLL(00000000,?,00550435,00000000,0055A730,005FBAD8,00000000,00000314,?,00551241,005FBAD8,Microsoft Visual C++ Runtime Library,00012010), ref: 00550423

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Value$EncodePointer__encode_pointer
String ID:
API String ID: 2585649348-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: 3cfd599afd38eee8888886d7a578a4c47cb66464c24c6369f169ed3aa6175e7a
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0041157E, Relevance: 1.3, APIs: 1, Instructions: 13sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000064,?,0040655D), ref: 0041158D

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 9254955b657605e693925e8519a4b8be658952cf262bbd7a24f5800b2c47c18f
Instruction ID: 1e1e7f373e087356d51bde45ebff31da7e8cb85ae8d516c98bfcb5c53de357a8
Opcode Fuzzy Hash: 9254955b657605e693925e8519a4b8be658952cf262bbd7a24f5800b2c47c18f
Instruction Fuzzy Hash: 8BC01236C8A2257A991077A86A00BF992032B99728B0500239B4B67272824D49C5A2EF

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00413375, Relevance: 28.4, APIs: 11, Strings: 5, Instructions: 395registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041337A

Part of subcall function 0040BD0A: __EH_prolog.LIBCMT ref: 0040BD0F

_memset.LIBCMT ref: 004133C1

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

RegQueryInfoKeyW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000001,?), ref: 0041343F
_memset.LIBCMT ref: 00413477
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 0041349C
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000400,00000000,DisplayName), ref: 00413592
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000001,00000000,SystemComponent,00000001,00000000,00000001,?), ref: 00413617
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000400,00000000,ParentKeyName,?), ref: 004136DC
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000001,00000000,WindowsInstaller,00000001,00000000,00000001), ref: 00413759
RegCloseKey.ADVAPI32(?,00000001,00000000,00000001,?), ref: 004137C8
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004137F8

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 004133C9, 004134AE
ParentKeyName, xrefs: 00413699
WindowsInstaller, xrefs: 00413715
SystemComponent, xrefs: 004135D3
DisplayName, xrefs: 00413556

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Query$Value$EnumH_prolog_memset$CloseInfochar_traits
String ID: DisplayName$ParentKeyName$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$SystemComponent$WindowsInstaller
API String ID: 3832380495-324101830
Opcode ID: c994cd10f743ed0bf3a3674ccd8dc276d520dba53dc9d759c0d7a9866bd3e89e
Instruction ID: d4295fe83490042f031972ce58116618a2231b9145636ace1f7a0842c2dc708e
Opcode Fuzzy Hash: c994cd10f743ed0bf3a3674ccd8dc276d520dba53dc9d759c0d7a9866bd3e89e
Instruction Fuzzy Hash: 6CE14CB1C0125DEEEB15DBA4CC95BEEBBB8EF14308F10806AE605B3191DB745E48CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00412699, Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 364COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041269E
Wow64DisableWow64FsRedirection.KERNEL32(?,00000000,?,:,00000000,00407EC1,?,00000001,00000000,00000001,00000000,00000000,00000000,000000FF,00000001,00000000), ref: 00412718
GetFileAttributesW.KERNEL32(?,00000001), ref: 004127B0

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Wow64RevertWow64FsRedirection.KERNEL32(?,00000001,00000000,DELETE SHADOWS ALL,00000001,00000000,00000001,00000001,00000000,00000001,00000001,00000001,00000000,00000000,000000FF), ref: 0041297B
Wow64RevertWow64FsRedirection.KERNEL32(?,?,?,?,?,?,?,00000001,00000000,000000FF,?,?,?,00000001,00000000,000000FF), ref: 00412A73
Wow64RevertWow64FsRedirection.KERNEL32(?,?,?,?,?,?,?,00000001,00000000,000000FF,?,?,?,00000001,00000000,000000FF), ref: 00412AA5
Wow64RevertWow64FsRedirection.KERNEL32(?,00000001,00000000,00000001,00000001,00000001,00000000,000000FF,?,?,?,00000001,00000000,000000FF,?,00000001), ref: 00412AF6

Strings

diskshadow.exe, xrefs: 0041271A
:, xrefs: 004126AE
DELETE SHADOWS ALL, xrefs: 00412938
/s , xrefs: 004129E4
.txt, xrefs: 0041285C

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Wow64$Redirection$Revert$AttributesDisableFileH_prologchar_traits
String ID: .txt$/s $:$DELETE SHADOWS ALL$diskshadow.exe
API String ID: 3878854675-4290892364
Opcode ID: 67bdc1420be8fb3f5f5def0cc5db33473ec690582eaca87c0f2fc5c7ccfbc0d8
Instruction ID: eb20628e44a71d6262471ce2307eb7456b8d22ad60ded70e6ca3b2f03cf534ac
Opcode Fuzzy Hash: 67bdc1420be8fb3f5f5def0cc5db33473ec690582eaca87c0f2fc5c7ccfbc0d8
Instruction Fuzzy Hash: FBD19E72C05158EEDF21EBE5CD45BDEBBB8AF15308F1041AAE509B31C1DA781B48CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041B9C0, Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 463COMMON

Download Yara Rule

APIs

Part of subcall function 00401753: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00401795

SetEvent.KERNEL32(00000000), ref: 0041BA54
SetEvent.KERNEL32(00000000), ref: 0041BB11
std::_String_base::_Xlen.LIBCPMT ref: 0041BB50
std::_String_base::_Xlen.LIBCPMT ref: 0041BB65
_sprintf.LIBCMT ref: 0041BD12

Part of subcall function 00401803: CloseHandle.KERNEL32(00000000,?,00401790), ref: 00401829

Strings

%04hX, xrefs: 0041BD0C

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: EventString_base::_Xlenstd::_$CloseHandleObjectSingleWait_sprintf
String ID: %04hX
API String ID: 2196345542-3571374829
Opcode ID: 5c89809830b12b8f0099051af528f5bf939ce5e826ac1a388f7a03c630a0e858
Instruction ID: 41b12a0cf49f4616d151eb86862fd1ee50e2bf1ed828b6bcb8ca11b1e9172660
Opcode Fuzzy Hash: 5c89809830b12b8f0099051af528f5bf939ce5e826ac1a388f7a03c630a0e858
Instruction Fuzzy Hash: EA128B709083818BD720DF24C884B9FBBE4EFD5318F14492EF48997251D7789984CBAB

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC3A, Relevance: 14.4, APIs: 4, Strings: 4, Instructions: 439COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040AC3F
_memset.LIBCMT ref: 0040ACCD

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

SystemParametersInfoW.USER32(00000073,00000400,?,00000000), ref: 0040B0EB
SystemParametersInfoW.USER32(00000014,00000000,00000000,00000001), ref: 0040B1D6

Part of subcall function 004173ED: _memset.LIBCMT ref: 00417422
Part of subcall function 004173ED: SHGetFolderPathW.SHELL32(00000000,-00000027,00000000,00000000,?,00000001,00000001), ref: 00417444

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

Part of subcall function 0040125E: WriteFile.KERNEL32(00000000,?,0000000E,?,00000000), ref: 004012F7
Part of subcall function 0040125E: WriteFile.KERNEL32(0000000E,?,00000028,0000000E,00000000), ref: 0040131C
Part of subcall function 0040125E: SelectObject.GDI32(?,00000000), ref: 00401367

Strings

SOFTWARE\System32\Configuration\, xrefs: 0040ACD5
xwp, xrefs: 0040AD66, 0040B104
.bmp, xrefs: 0040AF39, 0040B01F, 0040B16C
, xrefs: 0040B1C6

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: FileH_prologInfoParametersSystemWrite_memset$FolderObjectPathSelectchar_traits
String ID: $.bmp$SOFTWARE\System32\Configuration\$xwp
API String ID: 1684669956-3536616090
Opcode ID: 848bba960412116f72208544829351c08a143b58e31cf9132130929a698ac43a
Instruction ID: ea2d104fb3d057ef4773ddf2c08714b7c15dcd8f97292598f6c4aa44048e41ad
Opcode Fuzzy Hash: 848bba960412116f72208544829351c08a143b58e31cf9132130929a698ac43a
Instruction Fuzzy Hash: AA027031C05298EDEF11E7E4CD51BDEBB789F15308F1441EAA644732C2DAB41B88DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00417EB5, Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 381COMMON

Download Yara Rule

APIs

Part of subcall function 004168F0: InterlockedDecrement.KERNEL32(00000008), ref: 004168FB
Part of subcall function 004168F0: SysFreeString.OLEAUT32(00000000), ref: 00416910

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

VariantClear.OLEAUT32(?), ref: 00418178
VariantClear.OLEAUT32(?), ref: 004181F1

Strings

Version, xrefs: 00418115
WQL, xrefs: 00418089
ROOT\CIMV2, xrefs: 00417FA7
CSDVersion, xrefs: 00418185
SELECT * FROM Win32_OperatingSystem, xrefs: 00418070

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ClearVariant$DecrementFreeInterlockedStringchar_traits
String ID: CSDVersion$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$Version$WQL
API String ID: 854514482-660681872
Opcode ID: 20681ec481773f5aebe48167c5dfeb4adeae2cad9f2f0a7e5f99eca7cd61c6f0
Instruction ID: 0d4ba4a92494e6567f7d71d29297227958e69ea3da1ef6f26de091432bf87960
Opcode Fuzzy Hash: 20681ec481773f5aebe48167c5dfeb4adeae2cad9f2f0a7e5f99eca7cd61c6f0
Instruction Fuzzy Hash: 2FD14A71A00219AFCB11EBA5C885AEEB778FF45308F10446EF505B7251DB786D86CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004078E6, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 157COMMON

Download Yara Rule

APIs

Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 00407A56
GetForegroundWindow.USER32(?,?,?,0058B6AC,00000000,00000001,00000000,Delete Shadows /All /Quiet,00000001,00000000,runas), ref: 00407A92
ShellExecuteW.SHELL32(00000000), ref: 00407A99
Wow64RevertWow64FsRedirection.KERNEL32(?), ref: 00407AAB

Strings

runas, xrefs: 004079BE
Delete Shadows /All /Quiet, xrefs: 004079F6
vssadmin.exe, xrefs: 0040792E

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Wow64$Redirection$DisableExecuteForegroundRevertShellWindow
String ID: Delete Shadows /All /Quiet$runas$vssadmin.exe
API String ID: 3404452980-349064788
Opcode ID: 99f915df0c2d5bf28b6f00a361582fdbde5056a91aa7136b90a6368abbef93e4
Instruction ID: 8d93e387e0fae6ca0db0a68fcd661efb44618e5671b6f893523fab0f071b7a02
Opcode Fuzzy Hash: 99f915df0c2d5bf28b6f00a361582fdbde5056a91aa7136b90a6368abbef93e4
Instruction Fuzzy Hash: 8C51A57140C3809FD720EF54D945BEFBBE8AB95304F00492EF68563181DB785A48CBA7

Uniqueness

Uniqueness Score: -1.00%

Function 0041D211, Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 433COMMON

Download Yara Rule

APIs

CharUpperW.USER32(?), ref: 0041D383
CharUpperW.USER32(?), ref: 0041D399

Part of subcall function 0054D747: _malloc.LIBCMT ref: 0054DE8D

Strings

PST, xrefs: 0041D4DF
THUNDERBIRD, xrefs: 0041D580
OST, xrefs: 0041D548
TBB, xrefs: 0041D3BD

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: CharUpper$_malloc
String ID: OST$PST$TBB$THUNDERBIRD
API String ID: 3834236186-1104251276
Opcode ID: 65dab73c79d3e8bb6b703306090fef1594e51bc21c973767546928e31102a216
Instruction ID: 4559aa5724d87ca400415edd28439ac067b0fee18038d07b16f6bfa98ed25a3b
Opcode Fuzzy Hash: 65dab73c79d3e8bb6b703306090fef1594e51bc21c973767546928e31102a216
Instruction Fuzzy Hash: F4F167B2D083519BC710EF69898169FFBE1BF99704F504D2EE59983250EB38D884CB5B

Uniqueness

Uniqueness Score: -1.00%

Function 004182F7, Relevance: 7.9, APIs: 5, Instructions: 431COMMON

Download Yara Rule

APIs

Part of subcall function 0041730F: _memset.LIBCMT ref: 00417344
Part of subcall function 0041730F: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00417362
Part of subcall function 0041730F: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00417382

Part of subcall function 004176EB: _memset.LIBCMT ref: 00417718
Part of subcall function 004176EB: GetUserNameW.ADVAPI32(?,00000100), ref: 0041772B

Part of subcall function 0040BD0A: __EH_prolog.LIBCMT ref: 0040BD0F

CharUpperW.USER32(?,?,?,?,?,?,?,?), ref: 00418357
CharUpperW.USER32(?,?,?,?,?,?,?), ref: 00418372
CharUpperW.USER32(?,?,?,?,?,?,?), ref: 00418384
CharUpperW.USER32(?), ref: 00418464
CharUpperW.USER32(?), ref: 004186C7

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: CharUpper$FolderH_prologPath_memset$NameUser
String ID:
API String ID: 1619233672-0
Opcode ID: b9e04876a15cc6c6c09a2f73b870fbd54f265c6b0b4bca902187b5cb7ec13d4e
Instruction ID: 109392aa3e972eedc48bd76bff15fc6c31196fd4980e196cf2f8a5fa7cf2885e
Opcode Fuzzy Hash: b9e04876a15cc6c6c09a2f73b870fbd54f265c6b0b4bca902187b5cb7ec13d4e
Instruction Fuzzy Hash: BEF15B72E0011DEBCF10EBE5CC81EDEB779AF04304F1545AAE605B7191DA74AA89CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00573480, Relevance: 7.6, Strings: 6, Instructions: 119COMMON

Download Yara Rule

Strings

enti, xrefs: 005734D5
cAMD, xrefs: 005734E0
ntel, xrefs: 005734BD
Genu, xrefs: 005734A7
Auth, xrefs: 005734CA
ineI, xrefs: 005734B2

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Auth$Genu$cAMD$enti$ineI$ntel
API String ID: 0-1714976780
Opcode ID: 5f5d6626ad0f6917a330496c5e5681d55bc31fb8fcfe0306b7157049ee0a44b3
Instruction ID: b90488bf4887df16878bcbdfdea9e80e562ab8d1643fb42648f82a620ad2ce78
Opcode Fuzzy Hash: 5f5d6626ad0f6917a330496c5e5681d55bc31fb8fcfe0306b7157049ee0a44b3
Instruction Fuzzy Hash: 123136B7A544560AFB3C5878A84537C2A43A391330F3ACB39E13EC75C6E869CE853251

Uniqueness

Uniqueness Score: -1.00%

Function 0054FAAD, Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00558F37
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00558F4C
UnhandledExceptionFilter.KERNEL32(00584D64), ref: 00558F57
GetCurrentProcess.KERNEL32(C0000409), ref: 00558F73
TerminateProcess.KERNEL32(00000000), ref: 00558F7A

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 1ab62c1d734e77d8af7f17c51248cc83ac5a27fcb26f8b4f9b57e0c248fdbada
Instruction ID: b23c08b2b5cc46790e2e8f28179459ea33d630a830ce086fb644a94d8e35b95e
Opcode Fuzzy Hash: 1ab62c1d734e77d8af7f17c51248cc83ac5a27fcb26f8b4f9b57e0c248fdbada
Instruction Fuzzy Hash: 4221C375404209DFD704DF54EE89A653FA8BB68305F10502AE908DB362E7B959ACEF05

Uniqueness

Uniqueness Score: -1.00%

Function 00417871, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

DeviceIoControl.KERNEL32(00000000,002D0800,00000000,00000000,00000000,00000000,?,00000000), ref: 00417965
CloseHandle.KERNEL32(00000000), ref: 00417970

Strings

\\.\, xrefs: 004178A0

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseControlDeviceH_prologHandlechar_traits
String ID: \\.\
API String ID: 2013144937-2900601889
Opcode ID: 43d026b29dee3126b877abea94ba280e67e0c101f112331ce7ada17de2780d19
Instruction ID: 1e114ae5bfca693dd2b34835efcb708121145fca56ab3a518302ca0ce83292e9
Opcode Fuzzy Hash: 43d026b29dee3126b877abea94ba280e67e0c101f112331ce7ada17de2780d19
Instruction Fuzzy Hash: CE212D72900218AAEB10BBE2CC56FDE7B7CEF44708F11446AF600B7091DB756E49CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004176EB, Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00417718
GetUserNameW.ADVAPI32(?,00000100), ref: 0041772B

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: NameUser_memset
String ID:
API String ID: 344792196-0
Opcode ID: 1cb9a0489a861359fa240250722f1297f4b7a0beafdd4f41152b45d8ea94e115
Instruction ID: c4ef00176d5bfe39b57aebba389287216fe53bc601421715ba5bb381f7fa1742
Opcode Fuzzy Hash: 1cb9a0489a861359fa240250722f1297f4b7a0beafdd4f41152b45d8ea94e115
Instruction Fuzzy Hash: 2FF03EF5904319A6DB10F7959D49BDA77FCAF04704F0040B7B915F3182F6749B448B95

Uniqueness

Uniqueness Score: -1.00%

Function 00503457, Relevance: 50.8, APIs: 14, Strings: 15, Instructions: 98libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0051D072: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0051D08E
Part of subcall function 0051D072: _strlen.LIBCMT ref: 0051D09D
Part of subcall function 0051D072: LoadLibraryA.KERNEL32(?,?,00503F54,?,00495670), ref: 0051D0D5

GetProcAddress.KERNEL32(00000000,ChangeServiceConfig2A), ref: 00503487
GetProcAddress.KERNEL32(00000000,CloseServiceHandle), ref: 0050349C
GetProcAddress.KERNEL32(00000000,ControlService), ref: 005034B1
GetProcAddress.KERNEL32(00000000,CreateServiceA), ref: 005034C6
GetProcAddress.KERNEL32(00000000,DeleteService), ref: 005034DB
GetProcAddress.KERNEL32(00000000,OpenSCManagerA), ref: 005034F0
GetProcAddress.KERNEL32(00000000,OpenServiceA), ref: 00503501
GetProcAddress.KERNEL32(00000000,QueryServiceStatus), ref: 00503512
GetProcAddress.KERNEL32(00000000,RegisterServiceCtrlHandlerA), ref: 00503523
GetProcAddress.KERNEL32(00000000,SetServiceStatus), ref: 00503534
GetProcAddress.KERNEL32(00000000,StartServiceCtrlDispatcherA), ref: 00503545
GetProcAddress.KERNEL32(00000000,StartServiceA), ref: 00503556
GetProcAddress.KERNEL32(00000000,LookupAccountNameA), ref: 00503567
_printf.LIBCMT ref: 00503572

Strings

CreateServiceA, xrefs: 005034BB
ControlService, xrefs: 005034A6
StartServiceA, xrefs: 0050354B
QueryServiceStatus, xrefs: 00503507
Unable to load library support for NT services: exiting., xrefs: 0050356D
CloseServiceHandle, xrefs: 00503491
RegisterServiceCtrlHandlerA, xrefs: 00503518
OpenSCManagerA, xrefs: 005034E5
DeleteService, xrefs: 005034D0
OpenServiceA, xrefs: 005034F6
StartServiceCtrlDispatcherA, xrefs: 0050353A
advapi32.dll, xrefs: 00503466
ChangeServiceConfig2A, xrefs: 00503481
SetServiceStatus, xrefs: 00503529
LookupAccountNameA, xrefs: 0050355C

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem_printf_strlen
String ID: ChangeServiceConfig2A$CloseServiceHandle$ControlService$CreateServiceA$DeleteService$LookupAccountNameA$OpenSCManagerA$OpenServiceA$QueryServiceStatus$RegisterServiceCtrlHandlerA$SetServiceStatus$StartServiceA$StartServiceCtrlDispatcherA$Unable to load library support for NT services: exiting.$advapi32.dll
API String ID: 1229158046-3403914846
Opcode ID: fcd132c4b1a723cc9f4e16e1dc74d72bae8e1c988227c661280ea6a077068e2a
Instruction ID: 2250327c4de0fc95442629a973c54717c85b1a5455b5dad3a9ce45858a6db75d
Opcode Fuzzy Hash: fcd132c4b1a723cc9f4e16e1dc74d72bae8e1c988227c661280ea6a077068e2a
Instruction Fuzzy Hash: 2C21A170A81316ADEB10ABBA5D4EF1B6EFD7B51F40F44182E6800E31F5EAB4D7418960

Uniqueness

Uniqueness Score: -1.00%

Function 0043C84C, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 213fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043C851

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

GetFileAttributesW.KERNEL32(?), ref: 0043C8AB
GetFileSize.KERNEL32(00000000,?), ref: 0043C94A
GetLastError.KERNEL32 ref: 0043C957
CloseHandle.KERNEL32(00000000), ref: 0043C962
CloseHandle.KERNEL32(00000000), ref: 0043C99A
_memset.LIBCMT ref: 0043C9B6
ReadFile.KERNEL32(00000000,?,00000180,?,00000000), ref: 0043C9CC
CloseHandle.KERNEL32(00000000), ref: 0043C9D7
SetFilePointer.KERNEL32(00000000,00000000,?,00000000), ref: 0043C9F0
GetLastError.KERNEL32 ref: 0043C9FB
CloseHandle.KERNEL32(00000000), ref: 0043CA06
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0043CA2E
CloseHandle.KERNEL32(00000000), ref: 0043CA39
CloseHandle.KERNEL32(00000000), ref: 0043CA54

Strings

), xrefs: 0043CAD4

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseHandle$File$ErrorH_prologLast$AttributesPointerReadSizeWrite_memset
String ID: )
API String ID: 3973834473-2427484129
Opcode ID: 73309a5547a42db8b09fd744e7f98353607d71ca0ecf473a0ea1e6a11aea4b39
Instruction ID: d86afcddf224de715b64fb0d097e12e09088ca8226632790daa91c47d1e60e76
Opcode Fuzzy Hash: 73309a5547a42db8b09fd744e7f98353607d71ca0ecf473a0ea1e6a11aea4b39
Instruction Fuzzy Hash: CB812972900109AFDB10EF95DC88AEE7BB8EF59355F108127F912E6290D7388A05DF69

Uniqueness

Uniqueness Score: -1.00%

Function 00464E56, Relevance: 36.9, APIs: 14, Strings: 7, Instructions: 177COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00464E87
_strncmp.LIBCMT ref: 00464E91

Strings

name=, xrefs: 00464FF6
dirName, xrefs: 00464F76, 00464F7B, 00464F84
DNS, xrefs: 00464EE6, 00464EEB, 00464EF4
otherName, xrefs: 00464FA6, 00464FAB, 00464FB4
RID, xrefs: 00464F18, 00464F1D, 00464F26
URI, xrefs: 00464EB4, 00464EB9, 00464EC2
email, xrefs: 00464E81, 00464E86, 00464E8F

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strlen_strncmp
String ID: DNS$RID$URI$dirName$email$name=$otherName
API String ID: 2202561641-2414469469
Opcode ID: a6140192b23a084a11ce558522277dfa7bf93799c7840efbc577d31504862ff0
Instruction ID: b78a378e1baf6c4c504430db170020feeaf468c11968fdc5fa2dd46a593218b0
Opcode Fuzzy Hash: a6140192b23a084a11ce558522277dfa7bf93799c7840efbc577d31504862ff0
Instruction Fuzzy Hash: AA41B2A2B0420176FB2425361D4BFBB189CAFE5798F04003BFE0596393FA9CDD1141AB

Uniqueness

Uniqueness Score: -1.00%

Function 005664B0, Relevance: 24.3, APIs: 16, Instructions: 292memorytimesleepCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,0BA3A0FA,?,00000000,?,0BA3A0FA), ref: 0056651B
TlsGetValue.KERNEL32(00000000,?,00000000,?,0BA3A0FA), ref: 00566530
TlsGetValue.KERNEL32(00000000,?,00000000,?,0BA3A0FA), ref: 0056654B
CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 0056658A
SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,0BA3A0FA), ref: 005665BD
WaitForMultipleObjects.KERNEL32(00000000,?,00000000,00000000), ref: 00566643
CloseHandle.KERNEL32(00000000), ref: 00566675

Part of subcall function 00566170: GetTickCount.KERNEL32 ref: 00566173

Sleep.KERNEL32(00000000), ref: 00566692
CloseHandle.KERNEL32(00000000), ref: 005666CE
TlsGetValue.KERNEL32(00000000), ref: 005666F4
ResetEvent.KERNEL32(?), ref: 005666FE
__CxxThrowException@8.LIBCMT ref: 00566714
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005667B6
HeapFree.KERNEL32(00000000), ref: 005667BD
GetProcessHeap.KERNEL32(00000000,0BA3A0FA), ref: 005667E8
HeapFree.KERNEL32(00000000), ref: 005667EF

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: HeapValue$CloseFreeHandleProcessTimerWaitable$CountCreateEventException@8MultipleObjectsResetSleepThrowTickWait
String ID:
API String ID: 1683310691-0
Opcode ID: 67bd55b8ae9d709f9a216ae00e8c6b60c24bb9c474dc7e88b9f9bcf85f11a5cb
Instruction ID: 2cd54254ab7b6d072c1bb2c1f53f84d4ec0b5434b6c0e328f96405479c59a320
Opcode Fuzzy Hash: 67bd55b8ae9d709f9a216ae00e8c6b60c24bb9c474dc7e88b9f9bcf85f11a5cb
Instruction Fuzzy Hash: 24A1AD715083419FD720DF28D884B6BBBE4FB95720F504A2DF9A597290DB34E809CB92

Uniqueness

Uniqueness Score: -1.00%

Function 004470DF, Relevance: 23.1, APIs: 9, Strings: 4, Instructions: 372COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 00447161
_strlen.LIBCMT ref: 00447174
_strncmp.LIBCMT ref: 0044718B

Part of subcall function 00442E77: _memset.LIBCMT ref: 00442F21

_strlen.LIBCMT ref: 00447301
_strncmp.LIBCMT ref: 00447319
_strncmp.LIBCMT ref: 00447334
_strncmp.LIBCMT ref: 00447353

Strings

-----BEGIN , xrefs: 0044715B
, xrefs: 00447490
-----, xrefs: 00447185, 0044734D
-----END , xrefs: 00447264, 00447313, 004473DF

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strncmp$_strlen$_memset
String ID: $-----$-----BEGIN $-----END
API String ID: 3307949942-103151745
Opcode ID: 367196cc5049621469c044e3f074266c8fd94ace1e58814f7b7a400088260ee3
Instruction ID: 68d906ac22bb1c510aae4a2992be23cc80169ffd0a5e8d6deb13f0f331bf455e
Opcode Fuzzy Hash: 367196cc5049621469c044e3f074266c8fd94ace1e58814f7b7a400088260ee3
Instruction Fuzzy Hash: 85D1E5729042199FFB10DB65DC46BEEBBA8BF05314F1440A7E904E7341D7B8AE428F95

Uniqueness

Uniqueness Score: -1.00%

Function 0043E3C5, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 248fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043E3CA

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

Part of subcall function 0040D292: __EH_prolog.LIBCMT ref: 0040D297

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Part of subcall function 0040C59E: std::_String_base::_Xlen.LIBCPMT ref: 0040C5D7

CloseHandle.KERNEL32(00000000), ref: 0043E5B5
SetFilePointer.KERNEL32(00000000,00000000,?,00000002), ref: 0043E5C8
GetLastError.KERNEL32 ref: 0043E5D3
WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 0043E613
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0043E649
WriteFile.KERNEL32(?,?,?,00000010,00000000,00000001,?,?,?,?,?,?,?,?,?,00000000), ref: 0043E66B
CloseHandle.KERNEL32(?,?,?,00000010,00000000,00000001,?,?,?,?,?,?,?,?,?,00000000), ref: 0043E67E

Strings

xfs, xrefs: 0043E50D
System32, xrefs: 0043E3E0
\\?\, xrefs: 0043E3F6

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseFileH_prologHandle$Write$ErrorLastPointerString_base::_Xlenchar_traitsstd::_
String ID: System32$\\?\$xfs
API String ID: 2254306598-4026912830
Opcode ID: e4af4db55d32971ef5fc34c1239d924e6218afabcfbd374c0e031fcf3666727f
Instruction ID: e99958a17dd88888d43cb370334b0c3b739fd8003d81b11e667aa285451e6f5d
Opcode Fuzzy Hash: e4af4db55d32971ef5fc34c1239d924e6218afabcfbd374c0e031fcf3666727f
Instruction Fuzzy Hash: B5915E72C01158EAEB11EBE5CC85BEEBB78AF14308F10416AF605B31C1DB786E45DB69

Uniqueness

Uniqueness Score: -1.00%

Function 004010C0, Relevance: 21.1, APIs: 14, Instructions: 140COMMON

Download Yara Rule

APIs

CreateBrushIndirect.GDI32(?), ref: 004010DE
SelectObject.GDI32(?,00000000), ref: 004010F6
SetTextColor.GDI32(?,?), ref: 00401109
SetBkColor.GDI32(?,?), ref: 0040111A
GetCurrentObject.GDI32(?,00000006), ref: 0040112A
GetObjectA.GDI32(00000000,0000003C,?), ref: 0040113B
CreateFontIndirectA.GDI32(?), ref: 0040116A
SelectObject.GDI32(?,00000000), ref: 0040117F
ExtFloodFill.GDI32(?,0000000A,0000000A,00000000,00000001), ref: 0040119A

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Object$ColorCreateIndirectSelect$BrushCurrentFillFloodFontText
String ID:
API String ID: 266581519-0
Opcode ID: 27919169faca80b3a2421dc4aad2742cb67f0a1d7a9bc6fce87c40cd47c06310
Instruction ID: cb2928647d5e5b084fae410b9476be5b3ce0d3ddcf91737b4fcd8eadec313a17
Opcode Fuzzy Hash: 27919169faca80b3a2421dc4aad2742cb67f0a1d7a9bc6fce87c40cd47c06310
Instruction Fuzzy Hash: 6B519E71A01604AFCB209FA5DE89AAFBBF5FF18300B10493AE156E36B0D7759944EB14

Uniqueness

Uniqueness Score: -1.00%

Function 004151EA, Relevance: 21.1, APIs: 14, Instructions: 108threadCOMMON

Download Yara Rule

APIs

_clock.LIBCMT ref: 00415208

Part of subcall function 0054E1CE: GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,?,?,00415DDD), ref: 0054E1DA
Part of subcall function 0054E1CE: __aulldiv.LIBCMT ref: 0054E20B

__time64.LIBCMT ref: 00415225
GetCurrentThreadId.KERNEL32 ref: 00415246
__time64.LIBCMT ref: 00415252
_rand.LIBCMT ref: 0041525D
_clock.LIBCMT ref: 00415264
__time64.LIBCMT ref: 004152A2
_rand.LIBCMT ref: 004152B3
_clock.LIBCMT ref: 004152BA
_rand.LIBCMT ref: 004152D7

Part of subcall function 0054E25E: __getptd.LIBCMT ref: 0054E25E

_clock.LIBCMT ref: 004152DE

Part of subcall function 0054E24C: __getptd.LIBCMT ref: 0054E251

_rand.LIBCMT ref: 00415304
_clock.LIBCMT ref: 00415327
__time64.LIBCMT ref: 00415332

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _clock$__time64_rand$Time__getptd$CurrentFileSystemThread__aulldiv
String ID:
API String ID: 2092124624-0
Opcode ID: a5c7fc1c5b10bc697effd582ebebbcb828ab21779a6bfa39342b552a5cd6c346
Instruction ID: 211e199c7c6cc6570195a589b5ea7baf256e9a5a026e54cc8862e527917e7951
Opcode Fuzzy Hash: a5c7fc1c5b10bc697effd582ebebbcb828ab21779a6bfa39342b552a5cd6c346
Instruction Fuzzy Hash: E931C6729442059BE716EF74EE8A7EF3FA6FBC0318F14641AE810D7252D67896408F64

Uniqueness

Uniqueness Score: -1.00%

Function 0045360E, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0045361F
MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,00000000,00000000,00000000), ref: 00453643
GetLastError.KERNEL32 ref: 0045364C
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000000,00000000,00000000), ref: 00453666
GetLastError.KERNEL32 ref: 0045366F
MultiByteToWideChar.KERNEL32(0000FDE9,?,?,00000000,?,?), ref: 00453699
_strlen.LIBCMT ref: 004536A8
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,?,00000008), ref: 004536B6
GetLastError.KERNEL32 ref: 004536F7

Strings

fopen(', xrefs: 0045371B
',', xrefs: 00453713

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ByteCharMultiWide$ErrorLast$_strlen
String ID: ','$fopen('
API String ID: 2212137536-1411224933
Opcode ID: 85c6caa5f794a183243539b09a8e7931e54a74b6843b56a11e63a9017add8c4d
Instruction ID: 76c15c076d6399f0c202390bc8b74d3f8a4a9a7373f1879b5e9525d3b5d5f585
Opcode Fuzzy Hash: 85c6caa5f794a183243539b09a8e7931e54a74b6843b56a11e63a9017add8c4d
Instruction Fuzzy Hash: 2A41E572A00205BFEF116FA4DC06FAE3B69EB45792F104027FD00DA292DB758E099B55

Uniqueness

Uniqueness Score: -1.00%

Function 00449F37, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 145COMMON

Download Yara Rule

Strings

6\R, xrefs: 00449F56, 00449FBB
id=, xrefs: 0044A092
OPENSSL_ENGINES, xrefs: 00449FF4
w:\openssl\bin/lib/users, xrefs: 0044A005, 0044A03D
.\crypto\user\eng_list.c, xrefs: 00449F5B, 00449F69, 00449FC9
LIST_ADD, xrefs: 0044A053
dynamic, xrefs: 00449FDE, 00449FE3, 0044A00A
LOAD, xrefs: 0044A065
DIR_LOAD, xrefs: 0044A02D
DIR_ADD, xrefs: 0044A03E

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: .\crypto\user\eng_list.c$6\R$DIR_ADD$DIR_LOAD$LIST_ADD$LOAD$OPENSSL_userS$dynamic$id=$w:\openssl\bin/lib/users
API String ID: 0-1679621125
Opcode ID: 3b512580c8aee55c9d49b5285af38d08aafa548252c2c53c3e179cbf86bc3199
Instruction ID: 4d9dcfd4b467d51150193ea0a33c0d70a6255f1690b96ec25ef72cd521640784
Opcode Fuzzy Hash: 3b512580c8aee55c9d49b5285af38d08aafa548252c2c53c3e179cbf86bc3199
Instruction Fuzzy Hash: 6A31F8367887226AF63429656C03B3B27849B42F75F18001FFD05EA6C2EE9DDC4551AE

Uniqueness

Uniqueness Score: -1.00%

Function 00442D0C, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 69registrywindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F4,?,?,00442DE5,%s(%d): OpenSSL internal error, assertion failed: %s,00000000,00000000,00000000,0045297C,.\crypto\evp\encode.c,00000106,n < (int)sizeof(ctx->enc_data),00000000,00000009,?,00447399), ref: 00442D1C
GetFileType.KERNEL32(00000000,?,00442DE5,%s(%d): OpenSSL internal error, assertion failed: %s,00000000,00000000,00000000,0045297C,.\crypto\evp\encode.c,00000106,n < (int)sizeof(ctx->enc_data),00000000,00000009,?,00447399), ref: 00442D29
_vfwprintf.LIBCMT ref: 00442D43

Part of subcall function 00567254: _vfprintf_helper.LIBCMT ref: 00567269

_vswprintf_s.LIBCMT ref: 00442D60
GetVersion.KERNEL32 ref: 00442D6B
RegisterEventSourceA.ADVAPI32(00000000,OPENSSL), ref: 00442D88
ReportEventA.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000), ref: 00442DA7
DeregisterEventSource.ADVAPI32(00000000), ref: 00442DAE
MessageBoxA.USER32(00000000,?,OpenSSL: FATAL,00000010), ref: 00442DC6

Strings

OpenSSL: FATAL, xrefs: 00442DB9
OPENSSL, xrefs: 00442D82

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Event$Source$DeregisterFileHandleMessageRegisterReportTypeVersion_vfprintf_helper_vfwprintf_vswprintf_s
String ID: OPENSSL$OpenSSL: FATAL
API String ID: 2784530605-1348657634
Opcode ID: 2fa2f78871bbfc5e383d5ba53f754f3bd1b728412eb0606d2d05de42c0c2c419
Instruction ID: 081da415c426728d9e484bbdbff8f544250c6c135639d6f74ebb7fd81c512227
Opcode Fuzzy Hash: 2fa2f78871bbfc5e383d5ba53f754f3bd1b728412eb0606d2d05de42c0c2c419
Instruction Fuzzy Hash: 3F1189B590010AFFFB105BA0DD8AEEF3B6CEF14344F504462BE06EA151E6B4CE489B65

Uniqueness

Uniqueness Score: -1.00%

Function 00442C21, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 91libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,?,?,00000000,?,00442D7D), ref: 00442C3B
GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 00442C4B
GetDesktopWindow.USER32 ref: 00442C75
GetProcessWindowStation.USER32(?,00442D7D), ref: 00442C7B
GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,}-D,?,00442D7D), ref: 00442C97
GetLastError.KERNEL32(?,00442D7D), ref: 00442C9D
GetUserObjectInformationW.USER32(?,00000002,?,?,}-D,?,00442D7D), ref: 00442CD0

Strings

Service-0x, xrefs: 00442CE9
_OPENSSL_isservice, xrefs: 00442C45
}-D, xrefs: 00442C8E, 00442CA8, 00442CC5, 00442CDB, 00442C91, 00442CC8

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: InformationObjectUserWindow$AddressDesktopErrorHandleLastModuleProcProcessStation
String ID: Service-0x$_OPENSSL_isservice$}-D
API String ID: 1233653401-1763662804
Opcode ID: 044548695dfde92be9c0b1b67f6933fb0010ccc06a824ed04a81a3399f5a5f1f
Instruction ID: 90e27dce9e3e598a8946960dc31d0c0fa163b790677d759ef6d87efc965c5bd3
Opcode Fuzzy Hash: 044548695dfde92be9c0b1b67f6933fb0010ccc06a824ed04a81a3399f5a5f1f
Instruction Fuzzy Hash: FB212C71900115ABEB209FB4EECDD6F7B68EF50760B600622F912E31D0DB789D08DB54

Uniqueness

Uniqueness Score: -1.00%

Function 004025B7, Relevance: 16.1, APIs: 2, Strings: 7, Instructions: 391COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004025BC

Part of subcall function 004044FD: __EH_prolog.LIBCMT ref: 00404502

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Part of subcall function 00404E62: __EH_prolog.LIBCMT ref: 00404E67

Part of subcall function 0040BD0A: __EH_prolog.LIBCMT ref: 0040BD0F

Part of subcall function 004037A3: __EH_prolog.LIBCMT ref: 004037A8

Part of subcall function 00403A3D: __EH_prolog.LIBCMT ref: 00403A42

Part of subcall function 004157B5: _sprintf.LIBCMT ref: 004157DC

__time64.LIBCMT ref: 00402993

Part of subcall function 0054DE22: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00486601,00000008,?,?,?,?,?), ref: 0054DE2D
Part of subcall function 0054DE22: __aulldiv.LIBCMT ref: 0054DE4D

Part of subcall function 00401753: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00401795

Part of subcall function 004017D3: SetEvent.KERNEL32(00000000), ref: 004017FC

Strings

a4ad4ip2xzclh6fd.onion, xrefs: 004025DE
si=, xrefs: 0040291F
sys.php, xrefs: 00402613
$, xrefs: 004029D4
nocache=, xrefs: 00402981
ss=, xrefs: 004028A1
http://, xrefs: 004025CE

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$Time$EventFileObjectSingleSystemWait__aulldiv__time64_sprintfchar_traits
String ID: $$a4ad4ip2xzclh6fd.onion$http://$nocache=$si=$ss=$sys.php
API String ID: 2680727248-1653676470
Opcode ID: 64607be8586e74e214ffa42a5b65b36eaade0219621e396a507c308be3f600d8
Instruction ID: 8f9c5f3a442758c46362d9acf0a37c0915c81e44f6b3f0cb2be9765408e8bc22
Opcode Fuzzy Hash: 64607be8586e74e214ffa42a5b65b36eaade0219621e396a507c308be3f600d8
Instruction Fuzzy Hash: 0EE14F72804148AADB11EBE5CD45EDEBFBC9F55308F1444ABB105B3182DA782B49CB75

Uniqueness

Uniqueness Score: -1.00%

Function 0043DE13, Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 313COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043DE18

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

Part of subcall function 0040D292: __EH_prolog.LIBCMT ref: 0040D297

GetFileAttributesW.KERNEL32(?,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000001,00000001,00000001,00000001,00000001,00000001), ref: 0043DFD7
GetFileAttributesW.KERNEL32(?,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000001,00000001,00000001,00000001,00000001,00000001,00000001,00000000), ref: 0043E184

Part of subcall function 0043E239: _memset.LIBCMT ref: 0043E25E
Part of subcall function 0043E239: ReadFile.KERNEL32(00000000,?,00004000,?,00000000,?,0043E1DB,00000000,?), ref: 0043E2F6

CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,\\?\,System32,xfs), ref: 0043E1E2
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,\\?\,System32,xfs), ref: 0043E213

Strings

xfs, xrefs: 0043DE5B, 0043DFEA
System32, xrefs: 0043DE6B, 0043DFFA
\\?\, xrefs: 0043DE7E, 0043E00E
!, xrefs: 0043E1FE

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: FileH_prolog$AttributesCloseHandle$Read_memsetchar_traits
String ID: !$System32$\\?\$xfs
API String ID: 961640809-1147826582
Opcode ID: 8b271c801ad971706aca20cc51dc817cdb5fea7a80b09e7c5f44283c55ec937d
Instruction ID: 0a0cdfd5d6819de07df64187ebd58271e7c613518db99d35ae22f22e78518bb9
Opcode Fuzzy Hash: 8b271c801ad971706aca20cc51dc817cdb5fea7a80b09e7c5f44283c55ec937d
Instruction Fuzzy Hash: 14C15C32C01258EADF10EBE5CC46BDEBB78AF15318F1041AAE605B31C1DB781B89CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00409FA8, Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 286COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409FAD

Part of subcall function 0040ED6B: _memset.LIBCMT ref: 0040ED87

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Part of subcall function 00403F23: char_traits.LIBCPMT ref: 00403F73

Part of subcall function 00417980: _memset.LIBCMT ref: 004179A5
Part of subcall function 00417980: GetTempPathW.KERNEL32(00000400,?), ref: 004179CA

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

Part of subcall function 0040D292: __EH_prolog.LIBCMT ref: 0040D297

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+-, xrefs: 00409FD0
var w = WScript.CreateObject("WScript.Shell");w.RegWrite ("HK, xrefs: 00409FC3
"', "REG_SZ");, xrefs: 0040A174
Client Server Runtime Subsystem, xrefs: 0040A0C5
", 'cmd.exe /C "start , xrefs: 0040A0D3
.js, xrefs: 0040A1DF
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040A048
wscript.exe, xrefs: 0040A27A

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$_memsetchar_traits$PathTemp
String ID: "', "REG_SZ");$", 'cmd.exe /C "start $.js$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+-$Client Server Runtime Subsystem$SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$var w = WScript.CreateObject("WScript.Shell");w.RegWrite ("HK$wscript.exe
API String ID: 2302042682-804915650
Opcode ID: bcb04285610e7265dcc90d016a47b4b560375d27d144b938c437bea474dcf2a9
Instruction ID: cb572b038c14679db5d5f8de8b3d925e357d69219f12d0f8a2def2aa8b004326
Opcode Fuzzy Hash: bcb04285610e7265dcc90d016a47b4b560375d27d144b938c437bea474dcf2a9
Instruction Fuzzy Hash: 59B13272804258AADB10EBE5CD45BDEBBBCAF55318F1041AEF509B31C2DE781B48CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040125E, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 137fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000000,?,0000000E,?,00000000), ref: 004012F7
WriteFile.KERNEL32(0000000E,?,00000028,0000000E,00000000), ref: 0040131C
SelectObject.GDI32(?,00000000), ref: 00401367
WriteFile.KERNEL32(0000000E,?,?,0000000E,00000000), ref: 004013AA
CloseHandle.KERNEL32(0000000E), ref: 004013BC
DeleteDC.GDI32(?), ref: 004013C5
DeleteObject.GDI32(?), ref: 004013CE
CloseHandle.KERNEL32(?), ref: 004013DB

Strings

6, xrefs: 004012DB

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: FileWrite$CloseDeleteHandleObject$Select
String ID: 6
API String ID: 2805705514-498629140
Opcode ID: 461747a1c52f5a28a718727f4ec4e8de462fb8f9b77bbbbb958c405e24c14781
Instruction ID: 12093ef39e47550fffa623ea2a4c578b1d443495a908236ca063faae79e796d4
Opcode Fuzzy Hash: 461747a1c52f5a28a718727f4ec4e8de462fb8f9b77bbbbb958c405e24c14781
Instruction Fuzzy Hash: E5512B72C00218BBDF109F95EC48AAEBFB8FF59740F10806AF905F61A0D7749A44DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00519461, Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 97COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00519490
GetVersionExA.KERNEL32(?,00000000,?,00493EF5,?,?,?,?,?,?), ref: 0051949F

Part of subcall function 00518458: _strlen.LIBCMT ref: 00518464

Strings

Unrecognized version of Windows [major=%d,minor=%d], xrefs: 0051951A
[server], xrefs: 00519564
Windows 95, xrefs: 005194DA
Bizarre version of Windows where GetVersionEx doesn't work., xrefs: 005194AC
Very recent version of Windows [major=%d,minor=%d], xrefs: 00519540
Windows 8, xrefs: 00519479, 0051955E
Windows NT 4.0, xrefs: 005194D3

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Version_memset_strlen
String ID: [server]$Bizarre version of Windows where GetVersionEx doesn't work.$Unrecognized version of Windows [major=%d,minor=%d]$Very recent version of Windows [major=%d,minor=%d]$Windows 8$Windows 95$Windows NT 4.0
API String ID: 2146467041-319932797
Opcode ID: 4f02e233ef8117e67a1edc8af71bd5f12ecde90c03c520fc04f1909a7a5077f4
Instruction ID: b77ed1e0b8aa584337f3b9af72753c2afc5ac51f5db56a3bb233bfbe37aefcdc
Opcode Fuzzy Hash: 4f02e233ef8117e67a1edc8af71bd5f12ecde90c03c520fc04f1909a7a5077f4
Instruction Fuzzy Hash: 8A315734F0020147FF39965498B4AFF7FDABF94314F15003AE802A7241E6A49DC98652

Uniqueness

Uniqueness Score: -1.00%

Function 00519E08, Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 62COMMON

Download Yara Rule

APIs

_abort.LIBCMT ref: 00519E38

Part of subcall function 00550F9A: __NMSG_WRITE.LIBCMT ref: 00550FBB
Part of subcall function 00550F9A: _raise.LIBCMT ref: 00550FCC
Part of subcall function 00550F9A: _memset.LIBCMT ref: 00551064
Part of subcall function 00550F9A: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000100), ref: 00551096
Part of subcall function 00550F9A: UnhandledExceptionFilter.KERNEL32(?,?,?,00000100), ref: 005510A3

_abort.LIBCMT ref: 00519E60
_abort.LIBCMT ref: 00519E8A
_memset.LIBCMT ref: 00519E97

Part of subcall function 005188C9: _strrchr.LIBCMT ref: 005188CD
Part of subcall function 005188C9: _strrchr.LIBCMT ref: 005188D7

Strings

loglevelMin >= loglevelMax, xrefs: 00519E1F
log.c, xrefs: 00519E18
loglevelMin >= LOG_ERR && loglevelMin <= LOG_DEBUG, xrefs: 00519E47
set_log_severity_config, xrefs: 00519E13, 00519E24, 00519E4C, 00519E76
loglevelMax >= LOG_ERR && loglevelMax <= LOG_DEBUG, xrefs: 00519E71

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _abort$ExceptionFilterUnhandled_memset_strrchr$_raise
String ID: log.c$loglevelMax >= LOG_ERR && loglevelMax <= LOG_DEBUG$loglevelMin >= LOG_ERR && loglevelMin <= LOG_DEBUG$loglevelMin >= loglevelMax$set_log_severity_config
API String ID: 3033208963-4189622399
Opcode ID: 704674fc2ef22f9c27233ef7b4dc96094700297d85a610d6d79816b7f47c9036
Instruction ID: 0e0b5aeee5342411c19c894fc86a62ae4b4ef1b7412d13897e7024d8a07be9c7
Opcode Fuzzy Hash: 704674fc2ef22f9c27233ef7b4dc96094700297d85a610d6d79816b7f47c9036
Instruction Fuzzy Hash: FD01E976D002167BFE20B69C8C5B9ED7F4CBBD0714F414923F918A7186DA7099C085E2

Uniqueness

Uniqueness Score: -1.00%

Function 00401D45, Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 396COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401D4A

Part of subcall function 004044FD: __EH_prolog.LIBCMT ref: 00404502

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Part of subcall function 00404E62: __EH_prolog.LIBCMT ref: 00404E67

Part of subcall function 0040BD0A: __EH_prolog.LIBCMT ref: 0040BD0F

Part of subcall function 004037A3: __EH_prolog.LIBCMT ref: 004037A8

Part of subcall function 00403A3D: __EH_prolog.LIBCMT ref: 00403A42

Part of subcall function 004157B5: _sprintf.LIBCMT ref: 004157DC

Strings

a4ad4ip2xzclh6fd.onion, xrefs: 00401D7D
st=, xrefs: 00402047
prog.php, xrefs: 00401DAE
ss=, xrefs: 00401F43
http://, xrefs: 00401D66
fl=, xrefs: 004020AC
$, xrefs: 00402177

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$_sprintfchar_traits
String ID: $$a4ad4ip2xzclh6fd.onion$fl=$http://$prog.php$ss=$st=
API String ID: 817577393-788720181
Opcode ID: 840c0fdeac7cd70190db4d2fbfa04c106d9f3b8389d673642f1ced6e87955373
Instruction ID: c9c4f1b6150663cd4cd343e5c4f2cf0626663ae0013744ddf8f872a00c9f53b1
Opcode Fuzzy Hash: 840c0fdeac7cd70190db4d2fbfa04c106d9f3b8389d673642f1ced6e87955373
Instruction Fuzzy Hash: 4EE12FB2C0414CEADB51EBA5DD45EDEBBBCAF15309F1080AAF505B3182DA781B08DB75

Uniqueness

Uniqueness Score: -1.00%

Function 004588A7, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

signature has problems, re-make with post SSLeay045, xrefs: 00458A49
.\crypto\rsa\rsa_sign.c, xrefs: 00458914
$, xrefs: 00458942
r, xrefs: 00458AC0

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: $$.\crypto\rsa\rsa_sign.c$r$signature has problems, re-make with post SSLeay045
API String ID: 0-3932272389
Opcode ID: 483aa512a9621aab8e1e3c8f96b2bb51445c353ebfcbde7399e5478e444df55e
Instruction ID: 57c3a256a0a8d8f602899cb85bdd0d7c9ac89ebe6fd26e40c970d2823ce7ccf1
Opcode Fuzzy Hash: 483aa512a9621aab8e1e3c8f96b2bb51445c353ebfcbde7399e5478e444df55e
Instruction Fuzzy Hash: 0F81E6B1A00205ABEF209F50DC42BAA3B65AB40716F24402FFE057A293DF79DD99C75D

Uniqueness

Uniqueness Score: -1.00%

Function 0054ED60, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0054EDC2
_memcpy_s.LIBCMT ref: 0054EE37
__fileno.LIBCMT ref: 0054EE97
__read.LIBCMT ref: 0054EE9E
__filbuf.LIBCMT ref: 0054EEC2
_memset.LIBCMT ref: 0054EF08
_memset.LIBCMT ref: 0054EF33

Part of subcall function 0054FF67: __getptd_noexit.LIBCMT ref: 0054FF67

Strings

xA, xrefs: 0054ED62

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID: xA
API String ID: 3886058894-523113891
Opcode ID: ddbbc90c298e81cfd40a96bf3bb769cf9fcdb21783f1a759126f90aa7d1d60c5
Instruction ID: ce0be708df054fd9d996d2221db7150d8a6e4b22e8c1de8ee31d6f45daf096a3
Opcode Fuzzy Hash: ddbbc90c298e81cfd40a96bf3bb769cf9fcdb21783f1a759126f90aa7d1d60c5
Instruction Fuzzy Hash: 5651D571D00205FBCB209FA98C4A9DEBF79FF81328F248629F82592191D7319E55CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00453842, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 183COMMON

Download Yara Rule

APIs

_feof.LIBCMT ref: 004538A1
_ftell.LIBCMT ref: 004538CF
_fseek.LIBCMT ref: 004538DC
GetLastError.KERNEL32 ref: 0045397E

Part of subcall function 0054EBD6: _flsall.LIBCMT ref: 0054EBEA

Strings

fopen(', xrefs: 004539A2
',', xrefs: 0045399A

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorLast_feof_flsall_fseek_ftell
String ID: ','$fopen('
API String ID: 1054197592-1411224933
Opcode ID: c54980988231dc2f73f5c99ddec0cfa6dcce62db9712a615e0bb29d851903e51
Instruction ID: d30217e1e4e500e1dc5d0991fd902317f26c52831babc363f5b9afb1cdc0621f
Opcode Fuzzy Hash: c54980988231dc2f73f5c99ddec0cfa6dcce62db9712a615e0bb29d851903e51
Instruction Fuzzy Hash: 0C5106F13443056ADB24EE649846BAF3794BB44393F14041FFE46962C3DAAC9F0D8619

Uniqueness

Uniqueness Score: -1.00%

Function 00446EE1, Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 169COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00446F0A
_strlen.LIBCMT ref: 00446F63

Strings

A, xrefs: 00446FBA
-----BEGIN , xrefs: 00446F15
-----, xrefs: 00446F49, 0044708F
.\crypto\pem\pem_lib.c, xrefs: 00446FA2
-----END , xrefs: 00447062
0, xrefs: 00446EFD

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strlen
String ID: -----$-----BEGIN $-----END $.\crypto\pem\pem_lib.c$0$A
API String ID: 4218353326-1484664486
Opcode ID: 01ab6457dc68701ee8a13cc63aaf5942817d8d5500764d53f2c8ceebb5f50569
Instruction ID: 10c964d9c1fd5f20201c78becf7ed2f34fe693b66f196c5b2a1906d6283caf75
Opcode Fuzzy Hash: 01ab6457dc68701ee8a13cc63aaf5942817d8d5500764d53f2c8ceebb5f50569
Instruction Fuzzy Hash: 0451D172D01109ABEF319E91EC86ADF7B31FF14314F14002BF905B7252E7399A558B89

Uniqueness

Uniqueness Score: -1.00%

Function 0051A7B3, Relevance: 14.0, APIs: 3, Strings: 5, Instructions: 37COMMON

Download Yara Rule

APIs

_abort.LIBCMT ref: 0051A7DF

Part of subcall function 00550F9A: __NMSG_WRITE.LIBCMT ref: 00550FBB
Part of subcall function 00550F9A: _raise.LIBCMT ref: 00550FCC
Part of subcall function 00550F9A: _memset.LIBCMT ref: 00551064
Part of subcall function 00550F9A: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000100), ref: 00551096
Part of subcall function 00550F9A: UnhandledExceptionFilter.KERNEL32(?,?,?,00000100), ref: 005510A3

_abort.LIBCMT ref: 0051A805
_strncpy.LIBCMT ref: 0051A81A

Part of subcall function 005188C9: _strrchr.LIBCMT ref: 005188CD
Part of subcall function 005188C9: _strrchr.LIBCMT ref: 005188D7

Strings

util.c, xrefs: 0051A7BF
OpenSSL 1.0.1j 15 Oct 2014, xrefs: 0051A7B8
tor_strndup_, xrefs: 0051A7BA, 0051A7CB, 0051A7F1
n < SIZE_T_CEILING, xrefs: 0051A7EC
OpenSSL , xrefs: 0051A7B9

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled_abort_strrchr$_memset_raise_strncpy
String ID: OpenSSL $OpenSSL 1.0.1j 15 Oct 2014$n < SIZE_T_CEILING$tor_strndup_$util.c
API String ID: 1913796773-2079557232
Opcode ID: c53dd8a61bddf86f262a6c980e6c0926cd63b90e68a4650c2142a83e44bc11c6
Instruction ID: dc767932707b5ab2e285a757f2fa2ff3e584d22cf0389a6f4dab459a9eee71af
Opcode Fuzzy Hash: c53dd8a61bddf86f262a6c980e6c0926cd63b90e68a4650c2142a83e44bc11c6
Instruction Fuzzy Hash: BFF0BE7590631276FF2232685C4BAEBAD89BFE1760F440876F808162D7EA650C8085F3

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF55, Relevance: 13.5, APIs: 9, Instructions: 34synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,00000064,0000000A,?,0041256E,00000001,00000000,00000001,00000001,00000000,00000001,00000001,00000001,00000000,?,?), ref: 0040EF5E
WaitForSingleObject.KERNEL32(?,00000064), ref: 0040EF75
GetExitCodeProcess.KERNEL32(?,?), ref: 0040EF8E
CloseHandle.KERNEL32(?), ref: 0040EF97
CloseHandle.KERNEL32(?), ref: 0040EFA0
CloseHandle.KERNEL32(?), ref: 0040EFA9
CloseHandle.KERNEL32(?), ref: 0040EFB2
CloseHandle.KERNEL32(?), ref: 0040EFBB
CloseHandle.KERNEL32(?), ref: 0040EFC4

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseHandle$ObjectSingleWait$CodeExitProcess
String ID:
API String ID: 1413499271-0
Opcode ID: 11a78e4d5158f6a7ce3c1d1d0008077a3acdad2f58e612fd3e1ab6737d76aae7
Instruction ID: 1a7b6388a68a6c66e229ff2c90b1005e0736e51d642092370e30e843855d1687
Opcode Fuzzy Hash: 11a78e4d5158f6a7ce3c1d1d0008077a3acdad2f58e612fd3e1ab6737d76aae7
Instruction Fuzzy Hash: 5DF0EC32100610FFCB212B6AED0D96ABBB2FF15341B104839F282D1870CB7AA865EB10

Uniqueness

Uniqueness Score: -1.00%

Function 004874DD, Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 417COMMON

Download Yara Rule

Strings

I64, xrefs: 00487570
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 004874F4
I32, xrefs: 00487556

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: 0123456789abcdefghijklmnopqrstuvwxyz$I32$I64
API String ID: 0-3086653229
Opcode ID: ff8404a96c659dc7b7daedcdf77ad04f799b06dccb3dd0e2e2c37648bb855930
Instruction ID: 5c5b909f03e8d4d8abcaaf83d8c52885caebc486ccc74a4cc37b5724d63ed751
Opcode Fuzzy Hash: ff8404a96c659dc7b7daedcdf77ad04f799b06dccb3dd0e2e2c37648bb855930
Instruction Fuzzy Hash: FDE1E7B19086069FDB10AF6CC8A836E7FA4EB51354F348C67D805DB361E27CDA41CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00404922, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 92COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00404927

Part of subcall function 004013FE: std::exception::exception.LIBCMT ref: 00401408

Part of subcall function 00404B4D: __EH_prolog.LIBCMT ref: 00404B52

Part of subcall function 004015CC: __EH_prolog.LIBCMT ref: 004015D1

Part of subcall function 0054D747: _malloc.LIBCMT ref: 0054DE8D

Strings

d:\lib\boost\boost/exception/detail/exception_ptr.hpp, xrefs: 004049AE
ZN@, xrefs: 00404987
1K@, xrefs: 00404980
JN@, xrefs: 0040495E
class boost::shared_ptr<class boost::exception_detail::clone_base const > __cdecl boost::exception_detail::get_bad_alloc<0x2a>(void), xrefs: 004049A7
Q, xrefs: 004049B5

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$_mallocstd::exception::exception
String ID: 1K@$JN@$Q$ZN@$class boost::shared_ptr<class boost::exception_detail::clone_base const > __cdecl boost::exception_detail::get_bad_alloc<0x2a>(void)$d:\lib\boost\boost/exception/detail/exception_ptr.hpp
API String ID: 1953324306-1971412266
Opcode ID: f1a07679b893a9436718c75be40db7f16e736d0746261df170494f9a8dd3c8b2
Instruction ID: 556f1a4663a661cdb5037758c4166df09fd6ebc24d394409512187fc279e5f23
Opcode Fuzzy Hash: f1a07679b893a9436718c75be40db7f16e736d0746261df170494f9a8dd3c8b2
Instruction Fuzzy Hash: 4F31AEB0D0025C9EDB00EFA5DA45A9EBFF8BF89708F10452EE505B7292D7785A08CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0051A61C, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 43COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0051A689

Part of subcall function 005188C9: _strrchr.LIBCMT ref: 005188CD
Part of subcall function 005188C9: _strrchr.LIBCMT ref: 005188D7

_abort.LIBCMT ref: 0051A67C

Part of subcall function 00550F9A: __NMSG_WRITE.LIBCMT ref: 00550FBB
Part of subcall function 00550F9A: _raise.LIBCMT ref: 00550FCC
Part of subcall function 00550F9A: _memset.LIBCMT ref: 00551064
Part of subcall function 00550F9A: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000100), ref: 00551096
Part of subcall function 00550F9A: UnhandledExceptionFilter.KERNEL32(?,?,?,00000100), ref: 005510A3

Strings

util.c, xrefs: 0051A636
Assertion %s failed in %s at %s:%u, xrefs: 0051A650
%s. (Stack trace not available), xrefs: 0051A668
tor_malloc_, xrefs: 0051A646
size < SIZE_T_CEILING, xrefs: 0051A64B

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled_strrchr$_abort_malloc_memset_raise
String ID: %s. (Stack trace not available)$Assertion %s failed in %s at %s:%u$size < SIZE_T_CEILING$tor_malloc_$util.c
API String ID: 3673156449-1576514588
Opcode ID: 3adb1d16684710e1a7999e755a6cacb0eac9efefa17501cef06e377098ec0c3f
Instruction ID: c9546bc45469d870608cc1ceee0cce39ad4f6af0585207e15caba24584b182a2
Opcode Fuzzy Hash: 3adb1d16684710e1a7999e755a6cacb0eac9efefa17501cef06e377098ec0c3f
Instruction Fuzzy Hash: C9F0E9617653026AF232316A5C57FEA1E4C7BE4B55F100433B90CBA2D2E9E09DC504B5

Uniqueness

Uniqueness Score: -1.00%

Function 0051A6BC, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_realloc.LIBCMT ref: 0051A727

Part of subcall function 005188C9: _strrchr.LIBCMT ref: 005188CD
Part of subcall function 005188C9: _strrchr.LIBCMT ref: 005188D7

_abort.LIBCMT ref: 0051A71A

Part of subcall function 00550F9A: __NMSG_WRITE.LIBCMT ref: 00550FBB
Part of subcall function 00550F9A: _raise.LIBCMT ref: 00550FCC
Part of subcall function 00550F9A: _memset.LIBCMT ref: 00551064
Part of subcall function 00550F9A: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000100), ref: 00551096
Part of subcall function 00550F9A: UnhandledExceptionFilter.KERNEL32(?,?,?,00000100), ref: 005510A3

Strings

util.c, xrefs: 0051A6D4
Assertion %s failed in %s at %s:%u, xrefs: 0051A6EE
%s. (Stack trace not available), xrefs: 0051A706
tor_realloc_, xrefs: 0051A6E4
size < SIZE_T_CEILING, xrefs: 0051A6E9

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled_strrchr$_abort_memset_raise_realloc
String ID: %s. (Stack trace not available)$Assertion %s failed in %s at %s:%u$size < SIZE_T_CEILING$tor_realloc_$util.c
API String ID: 782862592-838272493
Opcode ID: 42ba3e1f45cba1b919b55ea7fcc9d903bd81260c7a44286f935e868535c7f58a
Instruction ID: 476a8b551da58c331824f4a0cd17d108eba858259719fc185aff1af3246a7bfa
Opcode Fuzzy Hash: 42ba3e1f45cba1b919b55ea7fcc9d903bd81260c7a44286f935e868535c7f58a
Instruction Fuzzy Hash: C2F02B3135030276EA3136598C17FC93E5CBBD0B61F004423B80C792D1E9F0898449A5

Uniqueness

Uniqueness Score: -1.00%

Function 0040A521, Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 258COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040A526

Part of subcall function 0041313E: __EH_prolog.LIBCMT ref: 00413143

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

CharUpperW.USER32(?,00000001,00000000,00000001,00000000,SOFTWARE\Microsoft\Windows\CurrentVersion\Run\,00000001,0058B70C,?,?,00000001,00000000,0040A88D,?,?,?), ref: 0040A5F1

Strings

AVAST, xrefs: 0040A684
Client Server Runtime Subsystem, xrefs: 0040A739
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040A599
\\?\, xrefs: 0040A5F7

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$CharUpperchar_traits
String ID: AVAST$Client Server Runtime Subsystem$SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$\\?\
API String ID: 2864591093-1697372643
Opcode ID: 7b8cbdfafd49d25e72dfc13a7627ae702604e031bad483e26f287846cfbd2e3b
Instruction ID: c6b3f9f02a38d750fe8605fb091f497de25cb0b821efcebcb881a12b36a1f2ee
Opcode Fuzzy Hash: 7b8cbdfafd49d25e72dfc13a7627ae702604e031bad483e26f287846cfbd2e3b
Instruction Fuzzy Hash: 5DA17032C05288EEDF01EBF4C845BCDBBB49F15318F1481AAE605771C2DAB81B49D766

Uniqueness

Uniqueness Score: -1.00%

Function 00413AAF, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 123COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00413AB4

Part of subcall function 00404E62: __EH_prolog.LIBCMT ref: 00404E67

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Strings

value=", xrefs: 00413B45, 00413B4A
input type="text", xrefs: 00413B31
http://whatsmyip.net/, xrefs: 00413AEA
> Address is , xrefs: 00413B22
", xrefs: 00413B75

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$char_traits
String ID: "$> Address is $http://whatsmyip.net/$input type="text"$value="
API String ID: 4022946289-2833924590
Opcode ID: 17047eb220bb4d6a21ff0a99c6122b5a5f487cd65ba1584f70c4351af9fb5257
Instruction ID: 123702b13124baebe7967811f882f5bae73edfa5c2794ed06b6c7ed9e7a9f519
Opcode Fuzzy Hash: 17047eb220bb4d6a21ff0a99c6122b5a5f487cd65ba1584f70c4351af9fb5257
Instruction Fuzzy Hash: 1B419BB1D05158AADB10EFE9CC45AEFBFBCAF45314F10016AB515B7282DB785B04CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00446D33, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 00446D66
_strncmp.LIBCMT ref: 00446D9D
_strncmp.LIBCMT ref: 00446DD0

Strings

Proc-Type: , xrefs: 00446D60
DEK-Info: , xrefs: 00446DCA
ENCRYPTED, xrefs: 00446D97

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strncmp
String ID: DEK-Info: $ENCRYPTED$Proc-Type:
API String ID: 909875538-6740250
Opcode ID: 26c8d7fba85321e34a20b670af76e93fa2ee847c608076523a2151fdc30a33ce
Instruction ID: 8e55f00f323fdf2c9eb043f37b00154d44d353ad8e0105cf418df0ce075554db
Opcode Fuzzy Hash: 26c8d7fba85321e34a20b670af76e93fa2ee847c608076523a2151fdc30a33ce
Instruction Fuzzy Hash: AF315C96F842512AFB300D249C03FA76B895B57B50F260427FDC9DA3C7E59C8843829F

Uniqueness

Uniqueness Score: -1.00%

Function 00566810, Relevance: 10.6, APIs: 7, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00566870

Part of subcall function 0040C3BF: GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,0BA3A0FA,00000000,0056623E,00000000,Function_0000543E,00000000,?,00000000,?,0BA3A0FA), ref: 0040C3D5
Part of subcall function 0040C3BF: __aulldvrm.LIBCMT ref: 0040C3EF

Part of subcall function 005664B0: TlsGetValue.KERNEL32(00000000,0BA3A0FA,?,00000000,?,0BA3A0FA), ref: 0056651B
Part of subcall function 005664B0: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 0056658A
Part of subcall function 005664B0: SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,0BA3A0FA), ref: 005665BD

GetProcessHeap.KERNEL32(00000000,0BA3A0FA), ref: 005668C2
HeapFree.KERNEL32(00000000), ref: 005668C9
GetProcessHeap.KERNEL32(00000000,?), ref: 005668F8
HeapFree.KERNEL32(00000000), ref: 005668FF
GetProcessHeap.KERNEL32(00000000,0BA3A0FA), ref: 0056692A
HeapFree.KERNEL32(00000000), ref: 00566931

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Heap$FreeProcess$TimeTimerWaitable$CountCreateFileSystemTickValue__aulldvrm
String ID:
API String ID: 1408098572-0
Opcode ID: cc5fedbabb31b28c2ca728c7d1e21b9c4408306e138cee80ac173350e8343230
Instruction ID: dafe924ed4e6829a89867113e96577ea01725d83eec9d734693f282a9c2c1fd9
Opcode Fuzzy Hash: cc5fedbabb31b28c2ca728c7d1e21b9c4408306e138cee80ac173350e8343230
Instruction Fuzzy Hash: C3419C71504701DFC311DF69C849B1BBBE8FF99B21F104619FE659B290EB34A805CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0041ED80, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 0054E9FD: __lock_file.LIBCMT ref: 0054EA0C
Part of subcall function 0054E9FD: __fseeki64_nolock.LIBCMT ref: 0054EA22

__CxxThrowException@8.LIBCMT ref: 0041EE53

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

__fread_nolock.LIBCMT ref: 0041EE73
__CxxThrowException@8.LIBCMT ref: 0041EF08

Strings

fseek failed, xrefs: 0041EDD4
0S@, xrefs: 0041EE4B, 0041EF00
fread failed, xrefs: 0041EE90

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise__fread_nolock__fseeki64_nolock__lock_file
String ID: 0S@$fread failed$fseek failed
API String ID: 155043550-2636199986
Opcode ID: bb9ab8f3c24609269f7b61de8a820f24caf4380d3a056c0a4b22ae2e8d5120e6
Instruction ID: 6512d2ea6c3e0be8499484533a74d961527ab8381335e49317cf94d030a52996
Opcode Fuzzy Hash: bb9ab8f3c24609269f7b61de8a820f24caf4380d3a056c0a4b22ae2e8d5120e6
Instruction Fuzzy Hash: B4416D71508380AFD320DF28C895B9BBFE8BBC5714F108A1EF99953381DB749508CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0051E162, Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 005188C9: _strrchr.LIBCMT ref: 005188CD
Part of subcall function 005188C9: _strrchr.LIBCMT ref: 005188D7

_abort.LIBCMT ref: 0051E1CB

Part of subcall function 00550F9A: __NMSG_WRITE.LIBCMT ref: 00550FBB
Part of subcall function 00550F9A: _raise.LIBCMT ref: 00550FCC
Part of subcall function 00550F9A: _memset.LIBCMT ref: 00551064
Part of subcall function 00550F9A: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000100), ref: 00551096
Part of subcall function 00550F9A: UnhandledExceptionFilter.KERNEL32(?,?,?,00000100), ref: 005510A3

Strings

container.c, xrefs: 0051E188
Assertion %s failed in %s at %s:%u, xrefs: 0051E19F
%s. (Stack trace not available), xrefs: 0051E1B7
size <= MAX_CAPACITY, xrefs: 0051E19A
smartlist_ensure_capacity, xrefs: 0051E195

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled_strrchr$_abort_memset_raise
String ID: %s. (Stack trace not available)$Assertion %s failed in %s at %s:%u$container.c$size <= MAX_CAPACITY$smartlist_ensure_capacity
API String ID: 2108949938-3913407206
Opcode ID: 28f0b2ddea45e6995864c7723e1e3dd796922a857527ba23f93fecb0843d44c1
Instruction ID: b6858ee8d57da2f45a3ba912e1b493070db028d9a040f9a5021cb9679dfd6527
Opcode Fuzzy Hash: 28f0b2ddea45e6995864c7723e1e3dd796922a857527ba23f93fecb0843d44c1
Instruction Fuzzy Hash: C901267174060166F731262C9C57AEA2EC8BB84720F500637FC19EE2D2F5E0CCC0C1A5

Uniqueness

Uniqueness Score: -1.00%

Function 00525343, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 46COMMON

Download Yara Rule

APIs

_abort.LIBCMT ref: 00525373

Part of subcall function 00550F9A: __NMSG_WRITE.LIBCMT ref: 00550FBB
Part of subcall function 00550F9A: _raise.LIBCMT ref: 00550FCC
Part of subcall function 00550F9A: _memset.LIBCMT ref: 00551064
Part of subcall function 00550F9A: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000100), ref: 00551096
Part of subcall function 00550F9A: UnhandledExceptionFilter.KERNEL32(?,?,?,00000100), ref: 005510A3

_abort.LIBCMT ref: 00525398

Part of subcall function 005188C9: _strrchr.LIBCMT ref: 005188CD
Part of subcall function 005188C9: _strrchr.LIBCMT ref: 005188D7

Strings

n < INT_MAX, xrefs: 0052535A
crypto.c, xrefs: 00525353
crypto_rand, xrefs: 0052534E, 0052535F, 00525384
generating random data, xrefs: 005253B2

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled_abort_strrchr$_memset_raise
String ID: crypto.c$crypto_rand$generating random data$n < INT_MAX
API String ID: 2956894199-1553752955
Opcode ID: 2d80d8f7d75ce8ba025a7e044d22c30b01e4822597bc8d887f206d9bd37c9169
Instruction ID: f6e4bed20e4045f8771274d25940a1449de33206ee8941cf1e2f0c34903d51df
Opcode Fuzzy Hash: 2d80d8f7d75ce8ba025a7e044d22c30b01e4822597bc8d887f206d9bd37c9169
Instruction Fuzzy Hash: FEF0283294C3236AFA3076796C0BA5B5E84BF91771F100D6BB114651C2FE61480044E3

Uniqueness

Uniqueness Score: -1.00%

Function 0051A82B, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

_abort.LIBCMT ref: 0051A85C

Part of subcall function 00550F9A: __NMSG_WRITE.LIBCMT ref: 00550FBB
Part of subcall function 00550F9A: _raise.LIBCMT ref: 00550FCC
Part of subcall function 00550F9A: _memset.LIBCMT ref: 00551064
Part of subcall function 00550F9A: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000100), ref: 00551096
Part of subcall function 00550F9A: UnhandledExceptionFilter.KERNEL32(?,?,?,00000100), ref: 005510A3

_abort.LIBCMT ref: 0051A880

Part of subcall function 005188C9: _strrchr.LIBCMT ref: 005188CD
Part of subcall function 005188C9: _strrchr.LIBCMT ref: 005188D7

Strings

util.c, xrefs: 0051A83C
len < SIZE_T_CEILING, xrefs: 0051A843
mem, xrefs: 0051A867
tor_memdup_, xrefs: 0051A837, 0051A848, 0051A86C

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled_abort_strrchr$_memset_raise
String ID: len < SIZE_T_CEILING$mem$tor_memdup_$util.c
API String ID: 2956894199-1487396451
Opcode ID: 8b94ac40bc1438b298b20b4664d2a2d65ba319070b561c4547c9b68e564a23c5
Instruction ID: 83a67b2eeb3701cb8cfa66ed798d0cd8daff83e85873f09bbd3c50fdd0c94e8b
Opcode Fuzzy Hash: 8b94ac40bc1438b298b20b4664d2a2d65ba319070b561c4547c9b68e564a23c5
Instruction Fuzzy Hash: 9FF0902590221677EF2136AA9C0A9DA7F4ABFD0771F444833FC0C56296E970499089E7

Uniqueness

Uniqueness Score: -1.00%

Function 0051A73B, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 37COMMON

Download Yara Rule

APIs

__strdup.LIBCMT ref: 0051A7A0

Part of subcall function 005188C9: _strrchr.LIBCMT ref: 005188CD
Part of subcall function 005188C9: _strrchr.LIBCMT ref: 005188D7

_abort.LIBCMT ref: 0051A796

Part of subcall function 00550F9A: __NMSG_WRITE.LIBCMT ref: 00550FBB
Part of subcall function 00550F9A: _raise.LIBCMT ref: 00550FCC
Part of subcall function 00550F9A: _memset.LIBCMT ref: 00551064
Part of subcall function 00550F9A: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000100), ref: 00551096
Part of subcall function 00550F9A: UnhandledExceptionFilter.KERNEL32(?,?,?,00000100), ref: 005510A3

Strings

util.c, xrefs: 0051A750
Assertion %s failed in %s at %s:%u, xrefs: 0051A76A
%s. (Stack trace not available), xrefs: 0051A782
tor_strdup_, xrefs: 0051A760

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled_strrchr$__strdup_abort_memset_raise
String ID: %s. (Stack trace not available)$Assertion %s failed in %s at %s:%u$tor_strdup_$util.c
API String ID: 1130199685-452765626
Opcode ID: 513f62dbf68d7688041da2b2cebf6fc666c38d75e42f4aaafad1c5e83137b465
Instruction ID: ee0a0514cdf59298e86bc62bba52ad9fa11838c2dda069b8063c928518ee2e7e
Opcode Fuzzy Hash: 513f62dbf68d7688041da2b2cebf6fc666c38d75e42f4aaafad1c5e83137b465
Instruction Fuzzy Hash: AAF0B43578030366EA3172598C57FEA3E58BB90B55F004433B8087A1D2E9E09DC488A1

Uniqueness

Uniqueness Score: -1.00%

Function 005197E1, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 32COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00000000), ref: 00519846

Part of subcall function 005188C9: _strrchr.LIBCMT ref: 005188CD
Part of subcall function 005188C9: _strrchr.LIBCMT ref: 005188D7

_abort.LIBCMT ref: 0051983C

Part of subcall function 00550F9A: __NMSG_WRITE.LIBCMT ref: 00550FBB
Part of subcall function 00550F9A: _raise.LIBCMT ref: 00550FCC
Part of subcall function 00550F9A: _memset.LIBCMT ref: 00551064
Part of subcall function 00550F9A: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000100), ref: 00551096
Part of subcall function 00550F9A: UnhandledExceptionFilter.KERNEL32(?,?,?,00000100), ref: 005510A3

Strings

Assertion %s failed in %s at %s:%u, xrefs: 00519810
%s. (Stack trace not available), xrefs: 00519828
tor_mutex_acquire, xrefs: 00519806
compat.c, xrefs: 005197F6

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled_strrchr$CriticalEnterSection_abort_memset_raise
String ID: %s. (Stack trace not available)$Assertion %s failed in %s at %s:%u$compat.c$tor_mutex_acquire
API String ID: 2777071129-1166429265
Opcode ID: cc71dbba9ed4d5862d23c6fc180eb1b70f99dba2f31d0703e84cbed7b48d56d9
Instruction ID: 093fa670b1daa92f0c0e659b94e47625b5c84cb175fe8e5ff04e7315f6ce52af
Opcode Fuzzy Hash: cc71dbba9ed4d5862d23c6fc180eb1b70f99dba2f31d0703e84cbed7b48d56d9
Instruction Fuzzy Hash: AAF0A7317403067BE63177599C1BFDD3E49BB94B55F004073B80C7A2D1EAF05AC589A5

Uniqueness

Uniqueness Score: -1.00%

Function 0041622B, Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

std::_String_base::_Xlen.LIBCPMT ref: 0041626E
char_traits.LIBCPMT ref: 004162CF
char_traits.LIBCPMT ref: 00416302

Part of subcall function 0054D77F: __EH_prolog3.LIBCMT ref: 0054D786
Part of subcall function 0054D77F: __CxxThrowException@8.LIBCMT ref: 0054D7B1

char_traits.LIBCPMT ref: 0041633A
char_traits.LIBCPMT ref: 0041639D
char_traits.LIBCPMT ref: 004163C4

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: char_traits$Exception@8H_prolog3String_base::_ThrowXlenstd::_
String ID:
API String ID: 2564386642-0
Opcode ID: cfab53fd6eed041c61932e5cfe5864c8537f3bd9c1c1f43b8ddb3041f6714478
Instruction ID: b127e8b80108d8e01e7f5fc49996468e73efeb6103b6ca1e5c2aeaf77bd9b715
Opcode Fuzzy Hash: cfab53fd6eed041c61932e5cfe5864c8537f3bd9c1c1f43b8ddb3041f6714478
Instruction Fuzzy Hash: 5051A430600109EFDF08DF68CAD49ED7B36FF41304761865AE8669B295C738EAD1CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040EDE2, Relevance: 9.1, APIs: 6, Instructions: 139pipefileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040EDE7
CreatePipe.KERNEL32(0000006A,0000006E,?,00000000,?,0000000A,00412505,00000000), ref: 0040EE16
SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 0040EE37
CreatePipe.KERNEL32(00000062,00000066,0000000C,00000000), ref: 0040EE53
SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 0040EE67
WriteFile.KERNEL32(?,00000005,?,00000001,00000000,00000001,00000001), ref: 0040EF3C

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: CreateHandleInformationPipe$FileH_prologWrite
String ID:
API String ID: 2102612192-0
Opcode ID: 227475cd67dc2eee54580750be929a6c07794e2210760581dc95ef9cca061b5d
Instruction ID: 15c25fa288d4fa7eaa407231ef27f0fbd6049eb036c2f67e736d502ec8c93d61
Opcode Fuzzy Hash: 227475cd67dc2eee54580750be929a6c07794e2210760581dc95ef9cca061b5d
Instruction Fuzzy Hash: 1D416FB160121AFFDB10DFA2CC85EEB7BA8FF00754F00452AF605E6590D778AA54CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00415A00, Relevance: 9.1, APIs: 6, Instructions: 122COMMON

Download Yara Rule

APIs

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

GetLastError.KERNEL32 ref: 00415AA7
GetLastError.KERNEL32 ref: 00415B4B

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorLast$char_traits
String ID:
API String ID: 1005929150-0
Opcode ID: b51e8706428069ce970d567471c1fb3578d2747c0055290d84f583d3561fed58
Instruction ID: 0aab119e5ad1309dbe9eb126ddda58a7f82948a9dee96526adf5e42ff56a3ea0
Opcode Fuzzy Hash: b51e8706428069ce970d567471c1fb3578d2747c0055290d84f583d3561fed58
Instruction Fuzzy Hash: 63417E72900249EFDF10AFA4DCC5AEE7BB8EF54398F10052AF551A3290D7395E84CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00415DB8, Relevance: 9.0, APIs: 6, Instructions: 33threadCOMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00415DC4

Part of subcall function 0054DE22: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00486601,00000008,?,?,?,?,?), ref: 0054DE2D
Part of subcall function 0054DE22: __aulldiv.LIBCMT ref: 0054DE4D

GetCurrentThreadId.KERNEL32 ref: 00415DD0
_clock.LIBCMT ref: 00415DD8

Part of subcall function 0054E1CE: GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,?,?,00415DDD), ref: 0054E1DA
Part of subcall function 0054E1CE: __aulldiv.LIBCMT ref: 0054E20B

Part of subcall function 0054E24C: __getptd.LIBCMT ref: 0054E251

_rand.LIBCMT ref: 00415DE8

Part of subcall function 0054E25E: __getptd.LIBCMT ref: 0054E25E

_rand.LIBCMT ref: 00415DF2
_rand.LIBCMT ref: 00415E01

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Time$_rand$FileSystem__aulldiv__getptd$CurrentThread__time64_clock
String ID:
API String ID: 3302532640-0
Opcode ID: 5e58a1a1c20a8ccb280a2cee5ef72455a7e236e2968a46f08d26b63fb2846860
Instruction ID: c50a83dc4de92e570047b65025167d8abaa303311639d4c37e604189bc58a52c
Opcode Fuzzy Hash: 5e58a1a1c20a8ccb280a2cee5ef72455a7e236e2968a46f08d26b63fb2846860
Instruction Fuzzy Hash: 6CE06D77D4922216D66433B8AC0F79A1A89FFD03A9F294936F854DB282EC79C4058790

Uniqueness

Uniqueness Score: -1.00%

Function 00401A07, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 243sleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401A0C

Part of subcall function 004044FD: __EH_prolog.LIBCMT ref: 00404502

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Part of subcall function 00404E62: __EH_prolog.LIBCMT ref: 00404E67

Part of subcall function 0040BD0A: __EH_prolog.LIBCMT ref: 0040BD0F

Part of subcall function 004037A3: __EH_prolog.LIBCMT ref: 004037A8

Part of subcall function 00403A3D: __EH_prolog.LIBCMT ref: 00403A42

Sleep.KERNEL32(00004E20,00000000,00000001,00000000,00000001,00000000,00000000,00000000,00000000,?,?,00000000,005FA140,00000001,00000000,00000001), ref: 00401CED

Strings

a4ad4ip2xzclh6fd.onion, xrefs: 00401A2E
mail.php, xrefs: 00401A61
http://, xrefs: 00401A1E

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$Sleepchar_traits
String ID: a4ad4ip2xzclh6fd.onion$http://$mail.php
API String ID: 1343582179-1663724964
Opcode ID: 65dbb1ed31747d230bfc50e31b82184771cd3969da07e198805ee3737194c73c
Instruction ID: 6fe5c21aa17112b7fd66e9d0a5c2eab4b55e6858b7c4520f6143600e8798d319
Opcode Fuzzy Hash: 65dbb1ed31747d230bfc50e31b82184771cd3969da07e198805ee3737194c73c
Instruction Fuzzy Hash: F29155B680014CA9EB11EBA5CD45FDEBBBCAF55308F0040AAF505B3182DA786F49DB75

Uniqueness

Uniqueness Score: -1.00%

Function 00411F32, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 215sleepthreadCOMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00411F9F

Part of subcall function 0054DE22: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00486601,00000008,?,?,?,?,?), ref: 0054DE2D
Part of subcall function 0054DE22: __aulldiv.LIBCMT ref: 0054DE4D

GetCurrentThreadId.KERNEL32 ref: 00411FAD
_clock.LIBCMT ref: 00411FB5

Part of subcall function 0054E1CE: GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,?,?,00415DDD), ref: 0054E1DA
Part of subcall function 0054E1CE: __aulldiv.LIBCMT ref: 0054E20B

Part of subcall function 0054E24C: __getptd.LIBCMT ref: 0054E251

Part of subcall function 00401753: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00401795

Part of subcall function 004017D3: SetEvent.KERNEL32(00000000), ref: 004017FC

Part of subcall function 00415DB8: __time64.LIBCMT ref: 00415DC4
Part of subcall function 00415DB8: GetCurrentThreadId.KERNEL32 ref: 00415DD0
Part of subcall function 00415DB8: _clock.LIBCMT ref: 00415DD8
Part of subcall function 00415DB8: _rand.LIBCMT ref: 00415DE8
Part of subcall function 00415DB8: _rand.LIBCMT ref: 00415DF2
Part of subcall function 00415DB8: _rand.LIBCMT ref: 00415E01

Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 00411FFC

Part of subcall function 0043EEA5: __EH_prolog.LIBCMT ref: 0043EEAA

Strings

xcnt, xrefs: 0041204E

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Time$_rand$CurrentFileSystemThread__aulldiv__time64_clock$EventH_prologObjectSingleSleepWait__getptd
String ID: xcnt
API String ID: 3228643188-1766379802
Opcode ID: f077b1c3097f48db3a9a3294e77a6f765b42a59f3c824ca022fae6048c140c4d
Instruction ID: bda4bd7c568286f34f396acf20ab7a304e1930d50ee3c1234ec2a81e569cc69e
Opcode Fuzzy Hash: f077b1c3097f48db3a9a3294e77a6f765b42a59f3c824ca022fae6048c140c4d
Instruction Fuzzy Hash: 0781B971409381AFD314EB65C981FDBBBE8BF84308F04492FF58593691DB78A948CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00402345, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 209COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040234A

Part of subcall function 004035BB: __EH_prolog.LIBCMT ref: 004035C9

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Part of subcall function 00404E62: __EH_prolog.LIBCMT ref: 00404E67

Part of subcall function 004157B5: _sprintf.LIBCMT ref: 004157DC

Part of subcall function 004044A4: __EH_prolog.LIBCMT ref: 004044A9

Part of subcall function 004044FD: __EH_prolog.LIBCMT ref: 00404502

Part of subcall function 00403D6E: std::_String_base::_Xlen.LIBCPMT ref: 00403DB0
Part of subcall function 00403D6E: char_traits.LIBCPMT ref: 00403DFF

__time64.LIBCMT ref: 004024FB

Part of subcall function 0054DE22: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00486601,00000008,?,?,?,?,?), ref: 0054DE2D
Part of subcall function 0054DE22: __aulldiv.LIBCMT ref: 0054DE4D

Part of subcall function 00403464: __EH_prolog.LIBCMT ref: 00403469

Strings

cmd.php, xrefs: 00402361
nocache=, xrefs: 00402515
ss=, xrefs: 004024A2

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$Timechar_traits$FileString_base::_SystemXlen__aulldiv__time64_sprintfstd::_
String ID: cmd.php$nocache=$ss=
API String ID: 1170196964-720201988
Opcode ID: 1b6cac6876cd2cdfe5c5d9e3a28d363aec089fa4d41227890b4f29080c52f3c6
Instruction ID: 6e1bade44ae61f5f78b3181872667207ff046071c1d23ddd4836f373e37b3662
Opcode Fuzzy Hash: 1b6cac6876cd2cdfe5c5d9e3a28d363aec089fa4d41227890b4f29080c52f3c6
Instruction Fuzzy Hash: D47161B280414CADDB01EBA9CD85FDEBBBCAF55318F10856AF519B31C2EA785B048735

Uniqueness

Uniqueness Score: -1.00%

Function 0044AE6C, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 187COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0044AF1F
_strlen.LIBCMT ref: 0044AF69

Strings

0123456789ABCDEF, xrefs: 0044AF0B
0123456789abcdef, xrefs: 0044AF12
, xrefs: 0044AED2

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: __aulldvrm_strlen
String ID: $0123456789ABCDEF$0123456789abcdef
API String ID: 3342006076-30751140
Opcode ID: 6769745ed755000d9ed25fa39db827c3005dd030a5e328c1a663dd847d641aec
Instruction ID: e017f94bc3a0c0d56c76a1903fc000ef272743eb45575cecec5cdac03f946bba
Opcode Fuzzy Hash: 6769745ed755000d9ed25fa39db827c3005dd030a5e328c1a663dd847d641aec
Instruction Fuzzy Hash: DE6105B2840219AFEF118F98C8456EE7FA1FF04314F14405AFD1522251D379CD65EB8A

Uniqueness

Uniqueness Score: -1.00%

Function 004138F8, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 158COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004138FD

Part of subcall function 00404E62: __EH_prolog.LIBCMT ref: 00404E67

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Strings

Click for more about , xrefs: 0041398C, 00413991
//whatismyipaddress.com/ip/, xrefs: 00413975, 0041397A
", xrefs: 004139FC
http://whatismyipaddress.com/, xrefs: 0041393A

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$char_traits
String ID: "$//whatismyipaddress.com/ip/$Click for more about $http://whatismyipaddress.com/
API String ID: 4022946289-572685483
Opcode ID: 1568c8f585d03c986410992b4701c6a0ceafdd4865bd6dccc6fa9f76b70c7d06
Instruction ID: c80b40c31615b381057042a4b62fa91017bb12ad5fe1334711bc475d500a4e36
Opcode Fuzzy Hash: 1568c8f585d03c986410992b4701c6a0ceafdd4865bd6dccc6fa9f76b70c7d06
Instruction Fuzzy Hash: FE51CFB2C04159AEDB10EFA4CC94AEEBBBCAF40319F10462AE551B31C2D6785B49CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00412B3A, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412B3F
Wow64DisableWow64FsRedirection.KERNEL32(?,00000001,00000000,00000001,00000001), ref: 00412BEB
Wow64RevertWow64FsRedirection.KERNEL32(?,00000001,00000000,00000001,?,?,00000000,?,0058B4A1,00000001,00000000,00000001,00000001), ref: 00412C5B
Wow64RevertWow64FsRedirection.KERNEL32(?,?,00000000,000000FF,00000001,00000000,00000001,?,?,00000000,?,0058B4A1,00000001,00000000,00000001,00000001), ref: 00412CB1

Strings

vssadmin.exe, xrefs: 00412B6A

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Wow64$Redirection$Revert$DisableH_prolog
String ID: vssadmin.exe
API String ID: 722956765-3807567552
Opcode ID: bec583ebb2172ca06a5ed4d53ee7383c5267f276dac2daf34918169a19089a40
Instruction ID: 4ccba1dcea65961d0a419760c623f626740b73e815ac4e1e8c8cd2a2ec710b34
Opcode Fuzzy Hash: bec583ebb2172ca06a5ed4d53ee7383c5267f276dac2daf34918169a19089a40
Instruction Fuzzy Hash: 7C41B831C05248EEDB11EBD5CD95BDE7B78AF01304F0440AAE605B71D1DAB81B49DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0044228B, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 97COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0044235A

Strings

func(%lu), xrefs: 004422F1
lib(%lu), xrefs: 004422D4
error:%08lX:%s:%s:%s, xrefs: 00442346
reason(%lu), xrefs: 0044230C

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strlen
String ID: error:%08lX:%s:%s:%s$func(%lu)$lib(%lu)$reason(%lu)
API String ID: 4218353326-2416195885
Opcode ID: 239aa662e5c7c7f81236870da117fb584e4a8f7f60f1b366dd315517d7d93674
Instruction ID: 46d7c0f529ebec5fc9296ad5e0ea697b58c007e75b3403b49ba046460fbb526f
Opcode Fuzzy Hash: 239aa662e5c7c7f81236870da117fb584e4a8f7f60f1b366dd315517d7d93674
Instruction Fuzzy Hash: 2731DB71E4021966FB149E758C51BBF77B8EB50704F80047EF904E7241EABCDA448674

Uniqueness

Uniqueness Score: -1.00%

Function 00453C8D, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00453CA7
_strlen.LIBCMT ref: 00453D36

Strings

EjD, xrefs: 00453D41, 00453CB4, 00453CA4
EjD, xrefs: 00453C98
PARAMETERS, xrefs: 00453C99

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strlen
String ID: EjD$EjD$PARAMETERS
API String ID: 4218353326-2588139412
Opcode ID: bbd310975e7062f90b59f2497fc42f54510e19836404499b9baa996fc738b69e
Instruction ID: 64aad97c6706c627b97539a81212efd81f78ac9768e27fb60cafa0b67feecfdc
Opcode Fuzzy Hash: bbd310975e7062f90b59f2497fc42f54510e19836404499b9baa996fc738b69e
Instruction Fuzzy Hash: 73213D3360020157DF221EA6AC4176F67B59B403ABF24442BFD01D7253EA69CF4D9248

Uniqueness

Uniqueness Score: -1.00%

Function 00437E30, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00437EE4

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

__CxxThrowException@8.LIBCMT ref: 00437F78

Strings

offset >= size(), xrefs: 00437E65
0S@, xrefs: 00437EDC, 00437F70
sizeof(T) + offset >= size(), xrefs: 00437EFD

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: 0S@$offset >= size()$sizeof(T) + offset >= size()
API String ID: 3476068407-1050116358
Opcode ID: ed0533bb31ecbaf1daab1e5459fc2979dd5418c3890d70315dfeb0d06427c4b2
Instruction ID: 60a53fe4fa3f4435916942f6c52f0f2fe68fb4d51279a2bbd6d274d8a5f1402e
Opcode Fuzzy Hash: ed0533bb31ecbaf1daab1e5459fc2979dd5418c3890d70315dfeb0d06427c4b2
Instruction Fuzzy Hash: 1E311C715483819ED320DF28C491B9BFBE8BB8A714F504A5EF5D853291DB789508CB63

Uniqueness

Uniqueness Score: -1.00%

Function 00438130, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 87COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 004381E4

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

__CxxThrowException@8.LIBCMT ref: 00438275

Strings

offset >= size(), xrefs: 00438165
0S@, xrefs: 004381DC, 0043826D
sizeof(T) + offset >= size(), xrefs: 004381FD

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: 0S@$offset >= size()$sizeof(T) + offset >= size()
API String ID: 3476068407-1050116358
Opcode ID: 76d22197f8f1be86f642433a77e1599d9b7dc6f5bef001e70b741241d1ffa31e
Instruction ID: 46e276d9a87a296cf6eeb419578cb076841a1868696cabdee64cb6c908e67191
Opcode Fuzzy Hash: 76d22197f8f1be86f642433a77e1599d9b7dc6f5bef001e70b741241d1ffa31e
Instruction Fuzzy Hash: DE314C745483819ED320DF28C891B9BFFE8BB89714F404A5EF5D957291DBB88508CB52

Uniqueness

Uniqueness Score: -1.00%

Function 004382B0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 87COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00438364

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

__CxxThrowException@8.LIBCMT ref: 004383F5

Strings

offset >= size(), xrefs: 004382E5
0S@, xrefs: 0043835C, 004383ED
sizeof(T) + offset >= size(), xrefs: 0043837D

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: 0S@$offset >= size()$sizeof(T) + offset >= size()
API String ID: 3476068407-1050116358
Opcode ID: eb294432eec869582c96ae95fdaceec1120cc9b6e937a1ee0e486e614ee772cb
Instruction ID: 6d91e256974b8dcb517d51428854d3028a00b52da7e97cb4ae8f869577cdea60
Opcode Fuzzy Hash: eb294432eec869582c96ae95fdaceec1120cc9b6e937a1ee0e486e614ee772cb
Instruction Fuzzy Hash: 67315A745483819ED320DF28C891B9BFFE8BB89714F404A2EF5D857391DBB88508CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00437FB0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 87COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00438064

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

__CxxThrowException@8.LIBCMT ref: 004380F5

Strings

offset >= size(), xrefs: 00437FE5
0S@, xrefs: 0043805C, 004380ED
sizeof(T) + offset >= size(), xrefs: 0043807D

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: 0S@$offset >= size()$sizeof(T) + offset >= size()
API String ID: 3476068407-1050116358
Opcode ID: 1c2b86ef5baf8c42edf0ea187354acb9f8057646e8d5b260bd3297492ec5596f
Instruction ID: a2daadc58bb56fedf2dd8cf186ac821b2ccdd8b6f9d5cc3cf9c0d336c9d68ca8
Opcode Fuzzy Hash: 1c2b86ef5baf8c42edf0ea187354acb9f8057646e8d5b260bd3297492ec5596f
Instruction Fuzzy Hash: 08314A745483819ED320DF28C891B9BFFE8BB89714F404A2EF5D967291DBB88508CB52

Uniqueness

Uniqueness Score: -1.00%

Function 004363E0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00436490

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

__CxxThrowException@8.LIBCMT ref: 0043651A

Strings

offset >= size(), xrefs: 00436417
0S@, xrefs: 00436488, 00436512
sizeof(T) + offset >= size(), xrefs: 004364A5

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: 0S@$offset >= size()$sizeof(T) + offset >= size()
API String ID: 3476068407-1050116358
Opcode ID: 3b65d9c1a517f8c2f56c0d485025321c8c2cf343d9a70a954c6139b6fc16d6af
Instruction ID: 6a69611470a68836b11ebf833c384f4d280d8b69a84ce9d194fd603d058e2eeb
Opcode Fuzzy Hash: 3b65d9c1a517f8c2f56c0d485025321c8c2cf343d9a70a954c6139b6fc16d6af
Instruction Fuzzy Hash: 68313071548380AFD320DF29C891B9BBFE8BB89714F504E6EF5A953392D77885088F52

Uniqueness

Uniqueness Score: -1.00%

Function 00436550, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00436600

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

__CxxThrowException@8.LIBCMT ref: 0043668A

Strings

offset >= size(), xrefs: 00436587
0S@, xrefs: 004365F8, 00436682
sizeof(T) + offset >= size(), xrefs: 00436615

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: 0S@$offset >= size()$sizeof(T) + offset >= size()
API String ID: 3476068407-1050116358
Opcode ID: 93cc79265aa28e012d0f3270d8add916774b581c9457e24d35de10eedf47ca39
Instruction ID: 749cda136084e3386de053d3baaaf8dafa97d9124d384e09314f3f03dccf005b
Opcode Fuzzy Hash: 93cc79265aa28e012d0f3270d8add916774b581c9457e24d35de10eedf47ca39
Instruction Fuzzy Hash: AE313071548380AED320DF29C891B9BBFE8BB89714F504A5EF59953392D77885088F52

Uniqueness

Uniqueness Score: -1.00%

Function 00442B7E, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

_getenv.LIBCMT ref: 00442BA7
_swscanf.LIBCMT ref: 00442BC8

Part of subcall function 0054E1AC: _vscan_fn.LIBCMT ref: 0054E1C3

__wcstoui64.LIBCMT ref: 00442BD7

Part of subcall function 00560877: strtoxl.LIBCMT ref: 00560899

Strings

%I64i, xrefs: 00442BC2
OPENSSL_ia32cap, xrefs: 00442B98

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: __wcstoui64_getenv_swscanf_vscan_fnstrtoxl
String ID: %I64i$OPENSSL_ia32cap
API String ID: 2402914421-1470193844
Opcode ID: fe845cbad6ffaeb06f50d377907f0a229b42b58668d76a876936c9283da00edf
Instruction ID: b22a3102071e5fffe44d22b2f13a73b4e7bc372ddf22d6e4b19c9eea0db513ac
Opcode Fuzzy Hash: fe845cbad6ffaeb06f50d377907f0a229b42b58668d76a876936c9283da00edf
Instruction Fuzzy Hash: 9B112B76E00601ABFB05DB64DD06BBE3FA5FF81314F148066E804E7344EBB85A04CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0047E300, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0047E328
_strlen.LIBCMT ref: 0047E331
_strlen.LIBCMT ref: 0047E33F
_strlen.LIBCMT ref: 0047E34E

Strings

application/octet-stream, xrefs: 0047E310

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strlen
String ID: application/octet-stream
API String ID: 4218353326-3754511218
Opcode ID: 38d6a259b765b00e438d073e447a0c2780e1237b2b0bc2fba2759a19c25cea22
Instruction ID: 819206aa19badfe8cd35c443030323387b492a08affb3a1f9d99af8acb32de32
Opcode Fuzzy Hash: 38d6a259b765b00e438d073e447a0c2780e1237b2b0bc2fba2759a19c25cea22
Instruction Fuzzy Hash: 0B017532600205AEDF109E6AD8858DD7B99FB49374720C56BF90C8B211EB35EA418B68

Uniqueness

Uniqueness Score: -1.00%

Function 004467E1, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00446845

Strings

Enter PEM pass phrase:, xrefs: 004467F1
phrase is too short, needs to be at least %d chars, xrefs: 00446806

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _memset
String ID: Enter PEM pass phrase:$phrase is too short, needs to be at least %d chars
API String ID: 2102423945-1714539199
Opcode ID: ff5228973f1df071bb79e0ac479e961c08d9ba868773ce56bcaf20a84ca9af06
Instruction ID: 15fc0edd1b763ec741fde534aa7debd128a1eb7acebe05d30fb01b6dd2aa3cbf
Opcode Fuzzy Hash: ff5228973f1df071bb79e0ac479e961c08d9ba868773ce56bcaf20a84ca9af06
Instruction Fuzzy Hash: 17F0E9E2E0124235F62032216D07F6E1F451FA2B39F29413BF614692C3EBBD9455815F

Uniqueness

Uniqueness Score: -1.00%

Function 00486B93, Relevance: 7.7, APIs: 5, Instructions: 241networkCOMMON

Download Yara Rule

APIs

select.WS2_32(?,00000000,00000000,00000000,00000000), ref: 00486D86
WSAGetLastError.WS2_32(?,0047F8D3,00000000,00000000,000003E8,00000000,?,?,?,0047E0B9,?,?,?,?,00000000), ref: 00486D91
__WSAFDIsSet.WS2_32(?,?), ref: 00486E07
__WSAFDIsSet.WS2_32(?,?), ref: 00486E1E
__WSAFDIsSet.WS2_32(?,?), ref: 00486E35

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorLastselect
String ID:
API String ID: 215497628-0
Opcode ID: 92c76339af8522225e27e8cb7aff44e340708d2c45974e3563b7089d19075537
Instruction ID: 5e878b3bdff0ff4e775f0cc140e7b69689eaa341e20193de8bcf2807341bc054
Opcode Fuzzy Hash: 92c76339af8522225e27e8cb7aff44e340708d2c45974e3563b7089d19075537
Instruction Fuzzy Hash: D8918E70E0022A8BCF65EF68C8855AEB7F5FF44310F22496BD855E6250D7389E81CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004271E0, Relevance: 7.7, APIs: 5, Instructions: 179COMMON

Download Yara Rule

APIs

_memmove_s.LIBCMT ref: 004272A0
_memmove_s.LIBCMT ref: 004272BD

Part of subcall function 0042E210: std::exception::exception.LIBCMT ref: 0042E236
Part of subcall function 0042E210: __CxxThrowException@8.LIBCMT ref: 0042E24D

_memset.LIBCMT ref: 00427342
_memmove_s.LIBCMT ref: 0042737C
_memset.LIBCMT ref: 00427398

Part of subcall function 0042E0D0: _memmove_s.LIBCMT ref: 0042E0E0

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _memmove_s$_memset$Exception@8Throwstd::exception::exception
String ID:
API String ID: 2404369685-0
Opcode ID: bbccd16c2b9ebea0a304aa12fdc2d21df42bd64c4b4229e5b300b061b16f90d9
Instruction ID: 71bf1a6ab9513a17ae10ac92af8458dcb3da32bf6228bf59c43b5896710fe430
Opcode Fuzzy Hash: bbccd16c2b9ebea0a304aa12fdc2d21df42bd64c4b4229e5b300b061b16f90d9
Instruction Fuzzy Hash: FE51C2717082228FC708DE69D98582BB7E4EFC4304F448A6EFC55DB346EA34ED0987A5

Uniqueness

Uniqueness Score: -1.00%

Function 005662C0, Relevance: 7.7, APIs: 5, Instructions: 166timeCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 005662DE
__allrem.LIBCMT ref: 005663FC
__allrem.LIBCMT ref: 00566430
SystemTimeToFileTime.KERNEL32(0000003C,?,00000000,?,0000003C,00000000,?,?,000F4240,00000000,03938700,00000000,D693A400,00000000), ref: 00566444

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Time__allrem$CountFileSystemTick
String ID:
API String ID: 1221759787-0
Opcode ID: 9fba2008b28a4ddf3d72260adfed5dd395d679eb2f10fb30ca5cda1aad023ad6
Instruction ID: 6578d70a8a4ba742683499db86eb7916dfae07eed39cb48b9f16f03c5eccd327
Opcode Fuzzy Hash: 9fba2008b28a4ddf3d72260adfed5dd395d679eb2f10fb30ca5cda1aad023ad6
Instruction Fuzzy Hash: 3A51A375618301ABDB14DF68CC55B5BBBE8FFC8714F44891DF89993241E630E90887DA

Uniqueness

Uniqueness Score: -1.00%

Function 0043D54F, Relevance: 7.6, APIs: 5, Instructions: 63COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043D554
_memset.LIBCMT ref: 0043D57A
_memset.LIBCMT ref: 0043D598
GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,?,?,?,?), ref: 0043D5AD
GetWindowsDirectoryW.KERNEL32(?,00000104,?,?,?,?,?,?), ref: 0043D5E3

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: DirectoryWindows_memset$H_prolog
String ID:
API String ID: 2817606172-0
Opcode ID: 10e2b4e486a367a58e35c26c13729ff513a0371a12ca749333db6de876005bc3
Instruction ID: 10c4b7cf3fe4d14683086d95a0351edb6a3ac0ca8a300432ed90a181165070fa
Opcode Fuzzy Hash: 10e2b4e486a367a58e35c26c13729ff513a0371a12ca749333db6de876005bc3
Instruction Fuzzy Hash: 461163B2D01219ABDB11ABB09C8AADA77BCEF44304F0054A6F505E3141EA38EF44CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0055473B, Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00554747

Part of subcall function 005506C0: __getptd_noexit.LIBCMT ref: 005506C3
Part of subcall function 005506C0: __amsg_exit.LIBCMT ref: 005506D0

__amsg_exit.LIBCMT ref: 00554767
__lock.LIBCMT ref: 00554777
InterlockedDecrement.KERNEL32(?), ref: 00554794
InterlockedIncrement.KERNEL32(028020D0), ref: 005547BF

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: dbc4c385a83c8bbae56b0eae0724ce433894ce99e32b864b8ef2f8f59a9e6101
Instruction ID: a4731c43682fbb5342983a930bae79807f4d8c5ffba83d1b89793a5c2c295d98
Opcode Fuzzy Hash: dbc4c385a83c8bbae56b0eae0724ce433894ce99e32b864b8ef2f8f59a9e6101
Instruction Fuzzy Hash: 12010831910B12DBC714AB29945974E7FA0FF4A71AF504007EC006BA80D734698ADFC1

Uniqueness

Uniqueness Score: -1.00%

Function 0043C386, Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 372COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043C38B
_memset.LIBCMT ref: 0043C4F8

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Strings

.crypted000007, xrefs: 0043C5F9
.crypted000078, xrefs: 0043C76F

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog_memsetchar_traits
String ID: .crypted000007$.crypted000078
API String ID: 3116118327-2968946936
Opcode ID: fcdd0468684ddec063d05b629f26efbbda1776fd1df424bb9a9b20728017c453
Instruction ID: faaba5355088225e506e3f089ae0e869886d76a973abe880ff9b96a94e0ce210
Opcode Fuzzy Hash: fcdd0468684ddec063d05b629f26efbbda1776fd1df424bb9a9b20728017c453
Instruction Fuzzy Hash: 72E17131C04298EEDF11DBE4CC45BDEBFB4AF15308F14409AE548B7282DAB55B48DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00408BFD, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 276COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408C02

Part of subcall function 00416AEC: _memset.LIBCMT ref: 00416B15
Part of subcall function 00416AEC: _memset.LIBCMT ref: 00416B2F
Part of subcall function 00416AEC: GetLogicalDriveStringsW.KERNELBASE(00000400,?,?,?,?,?,?,?,?), ref: 00416B4D
Part of subcall function 00416AEC: GetSystemDirectoryW.KERNEL32(?,00000400), ref: 00416B70
Part of subcall function 00416AEC: GetDriveTypeW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,005E3970,000000FF), ref: 00416BC0

Part of subcall function 0040BD0A: __EH_prolog.LIBCMT ref: 0040BD0F

Part of subcall function 0040B9A5: __EH_prolog.LIBCMT ref: 0040B9AA

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Part of subcall function 004157B5: _sprintf.LIBCMT ref: 004157DC

Strings

README, xrefs: 00408C73
.txt, xrefs: 00408CFD
desktop.ini|boot.ini|Bootfont.bin|ntuser.ini|NTUSER.DAT|IconCache.db, xrefs: 00408E47

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$Drive_memset$DirectoryLogicalStringsSystemType_sprintfchar_traits
String ID: .txt$README$desktop.ini|boot.ini|Bootfont.bin|ntuser.ini|NTUSER.DAT|IconCache.db
API String ID: 1157531627-1123676370
Opcode ID: 15c8c3025c90c8eb872e6719a7b036dd6c110e5ad12184e60290a86c3b1a6a56
Instruction ID: f5b8e4be503b413b12a18bccb2c0c28a31fe104d716199d5117416a0b5f0b484
Opcode Fuzzy Hash: 15c8c3025c90c8eb872e6719a7b036dd6c110e5ad12184e60290a86c3b1a6a56
Instruction Fuzzy Hash: 0DA15272D00158EADB14EBE5CC46BDEBB78AF15304F1041AEE605B31C1DB745B49CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0042C2C0, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 275COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 0042C41E

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Part of subcall function 00403EB1: char_traits.LIBCPMT ref: 00403F09

__CxxThrowException@8.LIBCMT ref: 0042C58E

Part of subcall function 0054D747: _malloc.LIBCMT ref: 0054DE8D

Strings

psub->level != 0, xrefs: 0042C3DF
psub->level == 1, xrefs: 0042C54F

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise_mallocchar_traits
String ID: psub->level != 0$psub->level == 1
API String ID: 4075437076-1149983645
Opcode ID: 164fb0ea3aa1f3176f17758fc44a9c088669423e41fda3caf472ae77f3eba61a
Instruction ID: 2da6aa2f2b8edcfce805cbf9cb174ec2ba475a0fe1852fafc901a76399be1828
Opcode Fuzzy Hash: 164fb0ea3aa1f3176f17758fc44a9c088669423e41fda3caf472ae77f3eba61a
Instruction Fuzzy Hash: 23A18BB16083419FD314DF68C881B6FBBE4BF88714F548A2EF19987391DB78D8488B56

Uniqueness

Uniqueness Score: -1.00%

Function 0042A940, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 275COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 0042AA9E

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Part of subcall function 00403EB1: char_traits.LIBCPMT ref: 00403F09

__CxxThrowException@8.LIBCMT ref: 0042AC0E

Part of subcall function 0054D747: _malloc.LIBCMT ref: 0054DE8D

Strings

psub->level != 0, xrefs: 0042AA5F
psub->level == 1, xrefs: 0042ABCF

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise_mallocchar_traits
String ID: psub->level != 0$psub->level == 1
API String ID: 4075437076-1149983645
Opcode ID: 3c4734ef666154fd0fbaf40389b80d78ed1b358cc6054c730048b17bc582fd61
Instruction ID: 07a5e00d6a81709442b3b23f1e22a4e61dfbab3ec7fa3b6cc4424dcd9a6206ae
Opcode Fuzzy Hash: 3c4734ef666154fd0fbaf40389b80d78ed1b358cc6054c730048b17bc582fd61
Instruction Fuzzy Hash: 61A17DB16083419FD310DF68C881B6BBBE5BF88714F548A2EF59987391DB78D804CB56

Uniqueness

Uniqueness Score: -1.00%

Function 004067CA, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 270COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004067CF

Part of subcall function 0043D3FC: __EH_prolog.LIBCMT ref: 0043D401

Part of subcall function 00411787: __EH_prolog.LIBCMT ref: 0041178C

Part of subcall function 0040F08B: __EH_prolog.LIBCMT ref: 0040F090

Part of subcall function 0043C284: __EH_prolog.LIBCMT ref: 0043C289

Part of subcall function 00408F74: __EH_prolog.LIBCMT ref: 00408F79
Part of subcall function 00408F74: _swscanf.LIBCMT ref: 00408FD0

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Part of subcall function 0040F169: __EH_prolog.LIBCMT ref: 0040F16E

Strings

PUBLIC KEY, xrefs: 00406A47
xcnt, xrefs: 004068D0
(, xrefs: 0040686E

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$_swscanfchar_traits
String ID: ($PUBLIC KEY$xcnt
API String ID: 25352567-1755998082
Opcode ID: 51229fba2c4963af6274c184ca5c59b6504ac16cb4dcabfe2020a40cca34192a
Instruction ID: 9fa70eb9369410540a189eed0041eaf06646cd4c34a9a52b19605b19913ae9b8
Opcode Fuzzy Hash: 51229fba2c4963af6274c184ca5c59b6504ac16cb4dcabfe2020a40cca34192a
Instruction Fuzzy Hash: 82C15971D01259DEDB10EBA5C985BDDBBB4AF15308F1040AEE40973282DB786F89CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00406E76, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 269COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00406E7B

Part of subcall function 00402345: __EH_prolog.LIBCMT ref: 0040234A

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Strings

open, xrefs: 00407128
exe, xrefs: 00407030

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$char_traits
String ID: exe$open
API String ID: 4022946289-3420628079
Opcode ID: 6b151e477f9f33352a44995b6025043eae982db2e480376d271e89017e3ae65d
Instruction ID: 48eeab99b258b9f057517c983029490e0a9ddfb58e4b6b1f3454af51e0286733
Opcode Fuzzy Hash: 6b151e477f9f33352a44995b6025043eae982db2e480376d271e89017e3ae65d
Instruction Fuzzy Hash: 48A14072C04248EEEB11EBE5CD56BDEBB789F15308F10416EE605B31C2DAB41B49CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00428F00, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

Part of subcall function 00430BF0: __CxxThrowException@8.LIBCMT ref: 00430CDE

__CxxThrowException@8.LIBCMT ref: 00429062

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Part of subcall function 00403EB1: char_traits.LIBCPMT ref: 00403F09

__CxxThrowException@8.LIBCMT ref: 004291D2

Part of subcall function 0054D747: _malloc.LIBCMT ref: 0054DE8D

Strings

psub->level != 0, xrefs: 0042901B
psub->level == 1, xrefs: 0042918B

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise_mallocchar_traits
String ID: psub->level != 0$psub->level == 1
API String ID: 4075437076-1149983645
Opcode ID: 743b8028779da20110ec7fae90b703629569e342e1922286aeba1bee37935f08
Instruction ID: 9e4306dd14cd1c5ed1f5bfad7f2f97567613ed522252f3c62463f177691a0248
Opcode Fuzzy Hash: 743b8028779da20110ec7fae90b703629569e342e1922286aeba1bee37935f08
Instruction Fuzzy Hash: B3A17CB12083419FD310DF69C885B6BFBE4BB88718F548A2EF19997391D778D808CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0044F443, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 244COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0044F4B5
_strlen.LIBCMT ref: 0044F5FF
_strlen.LIBCMT ref: 0044F665

Strings

.%lu, xrefs: 0044F651

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strlen
String ID: .%lu
API String ID: 4218353326-3053986306
Opcode ID: a9e710dd053c3a14cb9875843be30496b675fbf0df796659fc93b65982b72904
Instruction ID: ff55f27ad968b82a26539041d94fda9d83aeafe9759c23e136d21e6890f7754b
Opcode Fuzzy Hash: a9e710dd053c3a14cb9875843be30496b675fbf0df796659fc93b65982b72904
Instruction Fuzzy Hash: 1481D772D00219ABFF209E65C4416AF77B4AF10715F25807FE814AB242EB7CDE498F99

Uniqueness

Uniqueness Score: -1.00%

Function 004513CF, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 242COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004513FB

Strings

.\crypto\asn1\a_object.c, xrefs: 00451582
, xrefs: 00451450
(, xrefs: 00451521

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strlen
String ID: $($.\crypto\asn1\a_object.c
API String ID: 4218353326-1036992897
Opcode ID: ffa9068849b2ee9be7cdcabce9b3369a77be52730d482f0939bb95a000317a91
Instruction ID: 5bc1cac94435a8c28092144163acf8f929c808e78d054756ed85642d1839e216
Opcode Fuzzy Hash: ffa9068849b2ee9be7cdcabce9b3369a77be52730d482f0939bb95a000317a91
Instruction Fuzzy Hash: 65810A31D0021ADBDF109F95C8817AEB7B0FF51712F14416FED12A72A2EB788A49CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040FE6B, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 238COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040FE70

Part of subcall function 0040148F: __EH_prolog.LIBCMT ref: 00401494

__CxxThrowException@8.LIBCMT ref: 0040FEB6

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Strings

0S@, xrefs: 0040FEAF
invalid map/set<T> iterator, xrefs: 0040FE89

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrow
String ID: 0S@$invalid map/set<T> iterator
API String ID: 1193697898-4190648909
Opcode ID: df980b6487bc2f93eed385c48cf5a39e65a55fe5c10af513486d036f356f7250
Instruction ID: bd5efa21bde032021c809530c4314549f68a47fca6bc5bc1f690d39f2c13f7cd
Opcode Fuzzy Hash: df980b6487bc2f93eed385c48cf5a39e65a55fe5c10af513486d036f356f7250
Instruction Fuzzy Hash: 51B192706042819FD725CF14C094B557FA2AF5A318F2481BEE4495F7A2C3BAECC9CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0043DAE7, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043DAEC

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

Part of subcall function 0040D292: __EH_prolog.LIBCMT ref: 0040D297

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Strings

xfs, xrefs: 0043DAFE, 0043DC68
System32, xrefs: 0043DB12, 0043DC78
\\?\, xrefs: 0043DB1F, 0043DC8C

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$char_traits
String ID: System32$\\?\$xfs
API String ID: 4022946289-4026912830
Opcode ID: f9b305d37d82a0fdad4c322f1ba190cf6f26406252d7ee704b5f739bfc9d1d31
Instruction ID: 9a8209c9a829826507263abed1164980f248d1247ba119b76eb0a21d69819294
Opcode Fuzzy Hash: f9b305d37d82a0fdad4c322f1ba190cf6f26406252d7ee704b5f739bfc9d1d31
Instruction Fuzzy Hash: A6912072C00158EADB11EBE5CC45BDEBB7CAF15318F1441EAE609B3181DA741F88CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00451F0D, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 205COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00451FEA
_memset.LIBCMT ref: 0045207D

Strings

.\crypto\asn1\tasn_new.c, xrefs: 00451FCE, 00452061
Y, xrefs: 00452030

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _memset
String ID: .\crypto\asn1\tasn_new.c$Y
API String ID: 2102423945-4127195740
Opcode ID: 2367cef5f8eb2db8b27cb3e30d5844f73fbb2d540905c06a74bdbdc9ca01de7c
Instruction ID: 8aea8426f10fde8dfe43dd7a53ad8e379aa41771bbd4a0e75993196d34dd641a
Opcode Fuzzy Hash: 2367cef5f8eb2db8b27cb3e30d5844f73fbb2d540905c06a74bdbdc9ca01de7c
Instruction Fuzzy Hash: A651F632604312AFDB219F149D85B2F7794EB45B56F14481BFD00CA293DBB8DC48CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0043AAF4, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 183COMMON

Download Yara Rule

APIs

_swscanf.LIBCMT ref: 0043ABEE

Strings

X-Spam:, xrefs: 0043AC41
X-Mozilla-Status2:, xrefs: 0043AB4B
X-Senderinfo:, xrefs: 0043ACC0

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _swscanf
String ID: X-Mozilla-Status2:$X-Senderinfo:$X-Spam:
API String ID: 2748852333-2458561703
Opcode ID: d7e863750f1ac090ae755251db8d08eeeac9961123668200fa4a8eb61d8e6bf3
Instruction ID: b4f22cf20949498218c427472debb4354a2a61e2774513d394e3b13e8dbf5497
Opcode Fuzzy Hash: d7e863750f1ac090ae755251db8d08eeeac9961123668200fa4a8eb61d8e6bf3
Instruction Fuzzy Hash: 7B519072A442524BDB248E28848013EFB92BB5A310F283567E5D6CB381D63DED75D78B

Uniqueness

Uniqueness Score: -1.00%

Function 0041556B, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

GetFileSize.KERNEL32(000000FF,00000000,00000001,00000000,00000001,00000001), ref: 00415625
ReadFile.KERNEL32(000000FF,00000000,00000001,0000000F,00000000,00000000,00000000,00000000,00000001), ref: 00415663
CloseHandle.KERNEL32(000000FF,00000001,00000000,00000000,00000000,000000FF,0058B4A1), ref: 004156C5

Strings

\\?\, xrefs: 0041558D

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: File$CloseH_prologHandleReadSizechar_traits
String ID: \\?\
API String ID: 1979939384-4282027825
Opcode ID: b354d796c610ee226428b019eace8da85ea6f8f8dd73b5207359ec7f395167eb
Instruction ID: e7a8a6b27b571dc67b324a34b3fca17927c06e69b36893c63c46179c53c7dde1
Opcode Fuzzy Hash: b354d796c610ee226428b019eace8da85ea6f8f8dd73b5207359ec7f395167eb
Instruction Fuzzy Hash: 29412B72A00208ABDF10EFA5CC95FEE7BB8EF84714F10446AF515B7191EB789A44CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004867ED, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

_swscanf.LIBCMT ref: 00486844
_strlen.LIBCMT ref: 004868C8

Strings

%s:%d, xrefs: 0048689F
%255[^:]:%d:%255s, xrefs: 0048683E

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strlen_swscanf
String ID: %255[^:]:%d:%255s$%s:%d
API String ID: 380362070-2368036638
Opcode ID: eab52a0da5dab1862c75f29830e8d5e35f50ee4e2ee023028c01de3f5f826dc3
Instruction ID: 3f09196b4bd9c6ed3ec5feaf69ef00789496b15a0244c8fc649090c0a22dcea7
Opcode Fuzzy Hash: eab52a0da5dab1862c75f29830e8d5e35f50ee4e2ee023028c01de3f5f826dc3
Instruction Fuzzy Hash: D941BBB2D01119BBDF65FB94C845BFE736CAF04314F150C9BE905A7241DB789E448B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040A868, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040A86D

Part of subcall function 0040A521: __EH_prolog.LIBCMT ref: 0040A526
Part of subcall function 0040A521: CharUpperW.USER32(?,00000001,00000000,00000001,00000000,SOFTWARE\Microsoft\Windows\CurrentVersion\Run\,00000001,0058B70C,?,?,00000001,00000000,0040A88D,?,?,?), ref: 0040A5F1

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Part of subcall function 0041730F: _memset.LIBCMT ref: 00417344
Part of subcall function 0041730F: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00417362
Part of subcall function 0041730F: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00417382

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

Strings

Client Server Runtime Subsystem, xrefs: 0040A8EC
csrss.lnk, xrefs: 0040A93F
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040A8A2

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$FolderPath$CharUpper_memsetchar_traits
String ID: Client Server Runtime Subsystem$SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$csrss.lnk
API String ID: 607052096-2561886397
Opcode ID: 7e7c9a813e199fd0001ffccada620719d81b3eb3bd8cc9960c5782d67e84b7d9
Instruction ID: f7e8c759a3bad84c1825ee53de4ff65dddbbce709ac82106c9d062987b5aad50
Opcode Fuzzy Hash: 7e7c9a813e199fd0001ffccada620719d81b3eb3bd8cc9960c5782d67e84b7d9
Instruction Fuzzy Hash: 5B416671904288EEEB01EBE4C945BDDBFB89F14318F14409AF504771C2DBB81B45CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0043D0A2, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043D0A7
CharUpperW.USER32(?), ref: 0043D0DA
CharUpperW.USER32(?,?,000000FF,?,00000001,?), ref: 0043D16E

Strings

\, xrefs: 0043D138

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: CharUpper$H_prolog
String ID: \
API String ID: 516702702-2967466578
Opcode ID: 437a66c1438685e3a2628693f679774993a1a03ec5301d7857fdac388a8f131a
Instruction ID: ffb734596cbd62641fecdd6371e5fdcb6fb6329934d0f12292e1e4c951983abc
Opcode Fuzzy Hash: 437a66c1438685e3a2628693f679774993a1a03ec5301d7857fdac388a8f131a
Instruction Fuzzy Hash: 9D415072D01219EFCF00DFE4E9859DEBB74AF05318F20866AE216B7191C7786B49CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0048745E, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 00487466
_strncmp.LIBCMT ref: 0048747A

Strings

I64, xrefs: 00487474
I32, xrefs: 00487460

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strncmp
String ID: I32$I64
API String ID: 909875538-3980630743
Opcode ID: 24c78c6076ada9dfcff1876a02572baf152625ea48079857663cb2a0747d66b0
Instruction ID: 1181201d67f60a75f89329109cebace9db2020954eba8c14665de1ef8860f64b
Opcode Fuzzy Hash: 24c78c6076ada9dfcff1876a02572baf152625ea48079857663cb2a0747d66b0
Instruction Fuzzy Hash: B3F0F94965C5A215AE3830195DFB72FAD486A5AF61B380C23D860C4EB5E54CCEC1935F

Uniqueness

Uniqueness Score: -1.00%

Function 0044B61D, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0044B66E

Strings

6\R, xrefs: 0044B63D, 0044B681
.\crypto\err\err.c, xrefs: 0044B634
.\crypto\mem_dbg.c, xrefs: 0044B642, 0044B650, 0044B68F

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _memcmp
String ID: .\crypto\err\err.c$.\crypto\mem_dbg.c$6\R
API String ID: 2931989736-1861496112
Opcode ID: f6493ca880010f19fd5205331456b58391f2e54f612772ff51b0dcd8b554472f
Instruction ID: eb2acdd4a5bb930f31b2449cac90198acdded2858897b658747dc477bfa479b1
Opcode Fuzzy Hash: f6493ca880010f19fd5205331456b58391f2e54f612772ff51b0dcd8b554472f
Instruction Fuzzy Hash: 1B01D63278030421F71056659C07FA72A8DEB91764F050422BE59E66D1EBECCA5AD2EA

Uniqueness

Uniqueness Score: -1.00%

Function 00448E2F, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00448E6A

Strings

ctx->digest->md_size <= EVP_MAX_MD_SIZE, xrefs: 00448E76
.\crypto\evp\digest.c, xrefs: 00448E80
J,E, xrefs: 00448E8C, 00448E38

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _memset
String ID: .\crypto\evp\digest.c$J,E$ctx->digest->md_size <= EVP_MAX_MD_SIZE
API String ID: 2102423945-656294654
Opcode ID: 0d695aa8206444d3044274a1686bec789e26a2cdb3ab1e1df748a066dfc0c3c9
Instruction ID: c034934d4394ba3a20f14b823e5cf544756ad994e1e96b1beeccb319cc1157ed
Opcode Fuzzy Hash: 0d695aa8206444d3044274a1686bec789e26a2cdb3ab1e1df748a066dfc0c3c9
Instruction Fuzzy Hash: DF014475204201EFE7159F58DC46D4AB7E1FF48711B30845EF58997261DB71EC50CA19

Uniqueness

Uniqueness Score: -1.00%

Function 0043F65D, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043F662

Part of subcall function 0043F7EF: __EH_prolog.LIBCMT ref: 0043F7F4

Part of subcall function 0040148F: __EH_prolog.LIBCMT ref: 00401494

__CxxThrowException@8.LIBCMT ref: 0043F6BD

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Strings

sC, xrefs: 0043F6A5, 0043F6B2, 0043F6B5
list<T> too long, xrefs: 0043F690

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrow
String ID: list<T> too long$sC
API String ID: 1193697898-823064288
Opcode ID: fb188382f2848abd7fbea194f8b6733a1ef86fe0c3a6e8b5f1f167ffc32d918a
Instruction ID: 11a62099a3964efb084f3348201b972640fb6150477ac8e4ff7337ca701d36b6
Opcode Fuzzy Hash: fb188382f2848abd7fbea194f8b6733a1ef86fe0c3a6e8b5f1f167ffc32d918a
Instruction Fuzzy Hash: 49017C729001059FCB04EFA4C855BDDBFF9FF58304F10842EE905A7665EB749A48CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0043F734, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043F739

Part of subcall function 0043F889: __EH_prolog.LIBCMT ref: 0043F88E

Part of subcall function 0040148F: __EH_prolog.LIBCMT ref: 00401494

__CxxThrowException@8.LIBCMT ref: 0043F794

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Strings

C, xrefs: 0043F77C, 0043F789, 0043F78C
list<T> too long, xrefs: 0043F767

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrow
String ID: C$list<T> too long
API String ID: 1193697898-1175092348
Opcode ID: 868bd15ee114ec17abd1c704bd5b25f718e8a16e636646d295f088bfe3d3d66b
Instruction ID: e0b2eecc59f638e35996e3e26ac95b8a23fca7da2ec7c1246aa20e81a1feb70c
Opcode Fuzzy Hash: 868bd15ee114ec17abd1c704bd5b25f718e8a16e636646d295f088bfe3d3d66b
Instruction Fuzzy Hash: 3A012C72900205DFDB04EFA4C946ADDBFF9FF58308F10442EE905A7655DB749648CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00447578, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0044757F
_strlen.LIBCMT ref: 00447589

Strings

PARAMETERS, xrefs: 0044757B
EjD, xrefs: 0044757C

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strlen
String ID: EjD$PARAMETERS
API String ID: 4218353326-3416985934
Opcode ID: 580731a63ed1ed32cf8a2c43881e7876d1f0cda59eaba2e4205294562016eaa2
Instruction ID: 1bbdd5ae7c38608246f963ee886790dc278f35eb45205b72b1ec30c14c1f50f1
Opcode Fuzzy Hash: 580731a63ed1ed32cf8a2c43881e7876d1f0cda59eaba2e4205294562016eaa2
Instruction Fuzzy Hash: 8CF0A03200811A7AEB111E68D8089DD7F94AF043B0F144427FC088E942EB359A82829C

Uniqueness

Uniqueness Score: -1.00%

Function 0050B874, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 005188C9: _strrchr.LIBCMT ref: 005188CD
Part of subcall function 005188C9: _strrchr.LIBCMT ref: 005188D7

_abort.LIBCMT ref: 0050B8A0

Part of subcall function 00550F9A: __NMSG_WRITE.LIBCMT ref: 00550FBB
Part of subcall function 00550F9A: _raise.LIBCMT ref: 00550FCC
Part of subcall function 00550F9A: _memset.LIBCMT ref: 00551064
Part of subcall function 00550F9A: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000100), ref: 00551096
Part of subcall function 00550F9A: UnhandledExceptionFilter.KERNEL32(?,?,?,00000100), ref: 005510A3

Strings

csiphash.c, xrefs: 0050B88D
! the_siphash_key_is_set, xrefs: 0050B87E
siphash_set_global_key, xrefs: 0050B883

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled_strrchr$_abort_memset_raise
String ID: ! the_siphash_key_is_set$csiphash.c$siphash_set_global_key
API String ID: 2108949938-1634380073
Opcode ID: a600ec06cc0b71ce3b829c317f42bbc440d6a72a2d489c84709df0fe9fc5140f
Instruction ID: 1355ec482d689129b9872ecc1922f50b2344eedbba90c7dc0da4a92ce2be014d
Opcode Fuzzy Hash: a600ec06cc0b71ce3b829c317f42bbc440d6a72a2d489c84709df0fe9fc5140f
Instruction Fuzzy Hash: CDF01C746403019FE3A0DF1CD88BB567BE1FBA8B10F48482AA448C3771D7745584DB01

Uniqueness

Uniqueness Score: -1.00%

Function 00405B5B, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23sleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00405B60
Sleep.KERNEL32(00004E20), ref: 00405B72

Part of subcall function 0040222A: __EH_prolog.LIBCMT ref: 0040222F

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

ExitProcess.KERNEL32 ref: 00405BB0

Strings

invalid parameter exception, xrefs: 00405B78

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$ExitProcessSleepchar_traits
String ID: invalid parameter exception
API String ID: 1974170270-867022520
Opcode ID: a7eea819ca236076a3bbe5d01514a52b95bb305285bcebd9c0f14b1aceedb2b9
Instruction ID: e05ad509d20037badc5cde9ab53e21234ed25bdf85de109045ea495c6b4338c9
Opcode Fuzzy Hash: a7eea819ca236076a3bbe5d01514a52b95bb305285bcebd9c0f14b1aceedb2b9
Instruction Fuzzy Hash: 7BF03031A8020AAAE704FBE0DD5ABEC7E74AF14725F040429F201B64D1DBB81A49DB15

Uniqueness

Uniqueness Score: -1.00%

Function 00444132, Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004441BD
_memset.LIBCMT ref: 0044432F
_memset.LIBCMT ref: 00444399
_memset.LIBCMT ref: 00444406

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 41335975437410f4bba3b6dfc626544de9b1e3f0cca6acbd8da1f6ad226e8076
Instruction ID: 1f3d775a62c58edd051b4423f6a3c272465de6fd9fd5299b98ec7723d5d8adfc
Opcode Fuzzy Hash: 41335975437410f4bba3b6dfc626544de9b1e3f0cca6acbd8da1f6ad226e8076
Instruction Fuzzy Hash: 48D18A7190020AEFEF15DF94DC46EAE7BB9FF58308F00441AF805A2251E735AA25DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040723F, Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 268sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000EA60,00000001,00000000,00000000,00000000,00000001,?,00000000,?,00000000,0058349A,000000FF,?,00407AEC,?,?), ref: 0040750F

Strings

shsnt, xrefs: 0040758C
sh1, xrefs: 004072E2
sh2, xrefs: 00407401

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Sleep
String ID: sh1$sh2$shsnt
API String ID: 3472027048-1525067003
Opcode ID: 8cbcc16cb975bcbd5ed33ffa16fc13043edbf2c0137c91af737316af50f9e8d2
Instruction ID: 211ac1179d5ccf2e455bc8fc19f1cfc65f60389b089b344778a4a66442b9659b
Opcode Fuzzy Hash: 8cbcc16cb975bcbd5ed33ffa16fc13043edbf2c0137c91af737316af50f9e8d2
Instruction Fuzzy Hash: 64B17371508381EED721DFA0C881BDBBBD8AF95308F00492FF599621D1DBB86549CBA7

Uniqueness

Uniqueness Score: -1.00%

Function 00567D31, Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 00567DF5
__fileno.LIBCMT ref: 00567E15
__locking.LIBCMT ref: 00567E1C
__flsbuf.LIBCMT ref: 00567E47

Part of subcall function 0054FF67: __getptd_noexit.LIBCMT ref: 0054FF67

Part of subcall function 0054DCE9: __decode_pointer.LIBCMT ref: 0054DCF4

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: 09d7ccd6f303acb4911867ba80e7e588f6ffc583f500b44b558fd2a19fcd2fa0
Instruction ID: 6d496fd9e098907d854d45413ea95ba4845f8f4f95293599946977d79fa03773
Opcode Fuzzy Hash: 09d7ccd6f303acb4911867ba80e7e588f6ffc583f500b44b558fd2a19fcd2fa0
Instruction Fuzzy Hash: B841F831A04A0DDBDB249F79C8845AEBFB9FFC8328F2489A9E41597250E771DE45CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00410FF9, Relevance: 6.1, APIs: 4, Instructions: 131sleepthreadCOMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00411040

Part of subcall function 0054DE22: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00486601,00000008,?,?,?,?,?), ref: 0054DE2D
Part of subcall function 0054DE22: __aulldiv.LIBCMT ref: 0054DE4D

GetCurrentThreadId.KERNEL32 ref: 0041104E
_clock.LIBCMT ref: 00411056

Part of subcall function 0054E1CE: GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,?,?,00415DDD), ref: 0054E1DA
Part of subcall function 0054E1CE: __aulldiv.LIBCMT ref: 0054E20B

Part of subcall function 0054E24C: __getptd.LIBCMT ref: 0054E251

Part of subcall function 00401753: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00401795

Part of subcall function 004017D3: SetEvent.KERNEL32(00000000), ref: 004017FC

Part of subcall function 00415DB8: __time64.LIBCMT ref: 00415DC4
Part of subcall function 00415DB8: GetCurrentThreadId.KERNEL32 ref: 00415DD0
Part of subcall function 00415DB8: _clock.LIBCMT ref: 00415DD8
Part of subcall function 00415DB8: _rand.LIBCMT ref: 00415DE8
Part of subcall function 00415DB8: _rand.LIBCMT ref: 00415DF2
Part of subcall function 00415DB8: _rand.LIBCMT ref: 00415E01

Sleep.KERNEL32(?,?,?,?,?,?,005833F5,000000FF), ref: 004110A3

Part of subcall function 0041B9C0: SetEvent.KERNEL32(00000000), ref: 0041BA54

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Time$_rand$CurrentEventFileSystemThread__aulldiv__time64_clock$ObjectSingleSleepWait__getptd
String ID:
API String ID: 53558384-0
Opcode ID: 918682ff6be57b95a81981ceeab5a21a5bfd860521cf400b661c922fab25c4a6
Instruction ID: df804daaf32dacb13e8f474498bd7c0cae830441e241280a68581f249b38c574
Opcode Fuzzy Hash: 918682ff6be57b95a81981ceeab5a21a5bfd860521cf400b661c922fab25c4a6
Instruction Fuzzy Hash: 34518F715083849FD710EF65C882A9BBBE8FF88314F404D2EF19993691DB78E948CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0043CFC9, Relevance: 6.0, APIs: 4, Instructions: 48threadCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043CFCE
__time64.LIBCMT ref: 0043CFF9

Part of subcall function 0054DE22: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00486601,00000008,?,?,?,?,?), ref: 0054DE2D
Part of subcall function 0054DE22: __aulldiv.LIBCMT ref: 0054DE4D

GetCurrentThreadId.KERNEL32 ref: 0043D005
_clock.LIBCMT ref: 0043D00D

Part of subcall function 0054E1CE: GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,?,?,00415DDD), ref: 0054E1DA
Part of subcall function 0054E1CE: __aulldiv.LIBCMT ref: 0054E20B

Part of subcall function 0054E24C: __getptd.LIBCMT ref: 0054E251

Part of subcall function 00401753: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00401795

Part of subcall function 004151EA: _clock.LIBCMT ref: 00415208
Part of subcall function 004151EA: __time64.LIBCMT ref: 00415225
Part of subcall function 004151EA: GetCurrentThreadId.KERNEL32 ref: 00415246
Part of subcall function 004151EA: __time64.LIBCMT ref: 00415252
Part of subcall function 004151EA: _rand.LIBCMT ref: 0041525D
Part of subcall function 004151EA: _clock.LIBCMT ref: 00415264
Part of subcall function 004151EA: __time64.LIBCMT ref: 004152A2
Part of subcall function 004151EA: _rand.LIBCMT ref: 004152B3
Part of subcall function 004151EA: _clock.LIBCMT ref: 004152BA
Part of subcall function 004151EA: _rand.LIBCMT ref: 00415304
Part of subcall function 004151EA: _clock.LIBCMT ref: 00415327
Part of subcall function 004151EA: __time64.LIBCMT ref: 00415332

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: __time64_clock$Time$_rand$CurrentFileSystemThread__aulldiv$H_prologObjectSingleWait__getptd
String ID:
API String ID: 3219639982-0
Opcode ID: d5e830339e2fe0eaabc09b057e6dbf05a3fbaf975c949cf4a264428a6d96c11c
Instruction ID: a6fe61b89251fb400d2645bb3e06cf06d61dfeb1e0e7e126b811986bee65e68c
Opcode Fuzzy Hash: d5e830339e2fe0eaabc09b057e6dbf05a3fbaf975c949cf4a264428a6d96c11c
Instruction Fuzzy Hash: F0016DB29017019FD710EF78D44A79ABBE8FF98324F10892EE045E7681EB74A540CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00554EA7, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00554EB3

Part of subcall function 005506C0: __getptd_noexit.LIBCMT ref: 005506C3
Part of subcall function 005506C0: __amsg_exit.LIBCMT ref: 005506D0

__getptd.LIBCMT ref: 00554ECA
__amsg_exit.LIBCMT ref: 00554ED8
__lock.LIBCMT ref: 00554EE8

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 333aabb8e14340d2b4da8bc2d76f44cf5eeaf94bd8862e41314a76933975be15
Instruction ID: 59301ca28b2bc509f3e7f17e34993b46df74066356ad74a22aa3f14521b3a6e4
Opcode Fuzzy Hash: 333aabb8e14340d2b4da8bc2d76f44cf5eeaf94bd8862e41314a76933975be15
Instruction Fuzzy Hash: CCF06231545B05CAD720FB78842B74E7E947B80726F50850BAC505B2D2CB34A898DF52

Uniqueness

Uniqueness Score: -1.00%

Function 00417A57, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 281COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00417A77
GetVersionExW.KERNEL32(?,00000000,00000000,000000FF,00000000,00000000,000000FF), ref: 00417A8C

Part of subcall function 0040D292: __EH_prolog.LIBCMT ref: 0040D297

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

Part of subcall function 004157B5: _sprintf.LIBCMT ref: 004157DC

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Strings

;1;, xrefs: 00417ABC

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$Version_memset_sprintfchar_traits
String ID: ;1;
API String ID: 1846438395-2687057397
Opcode ID: 98430e6e7609ba38e60c82a1214602f849b89f0956b36cc0169edcaa97b31397
Instruction ID: fbc56275ef2a6ad554cba52adb2cdc2ed0b0cb946d4e2025abe141d0f83204ae
Opcode Fuzzy Hash: 98430e6e7609ba38e60c82a1214602f849b89f0956b36cc0169edcaa97b31397
Instruction Fuzzy Hash: A991D0B2C04118AADF10EBE5DC46DDF777CAF45308F1145AAB605B3141EA386F89CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00461D2A, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 258COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00461E1B
_strncpy.LIBCMT ref: 00461DA5

Part of subcall function 00442E77: _memset.LIBCMT ref: 00442F21

Strings

NO X509_NAME, xrefs: 00461D9F

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _memset_strlen_strncpy
String ID: NO X509_NAME
API String ID: 4177705565-3563722124
Opcode ID: 5567196185c34e06f825cb60c9cfbd5bc8c6257d0749da16cc31a7517ae144ab
Instruction ID: 78f7dac7e66d507a0068691d45f10eee86e1c81409fd7fccf079b45662fa7a96
Opcode Fuzzy Hash: 5567196185c34e06f825cb60c9cfbd5bc8c6257d0749da16cc31a7517ae144ab
Instruction Fuzzy Hash: 2791DF719083428FD715CF29C84162BBBE1AF88714F28492FF894DB261E739D941CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 00440755, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 256COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 004407AB

Strings

6\R, xrefs: 00440782, 004407B5, 004407E7, 00440888, 004409C8, 00440A1A
.\crypto\rand\md_rand.c, xrefs: 00440787, 00440795, 004407CC, 004407DC, 004407F5, 00440896, 004409B6, 004409D6, 00440A28

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _memcmp
String ID: .\crypto\rand\md_rand.c$6\R
API String ID: 2931989736-969700016
Opcode ID: 3f2c1eaffbf314081993ffa67122e7365e96b2036ddf2993f35fd6a314eeb438
Instruction ID: e0095b0bab842c99e95501cf8e874bb4247bef20fdd8f361168434af491a5a16
Opcode Fuzzy Hash: 3f2c1eaffbf314081993ffa67122e7365e96b2036ddf2993f35fd6a314eeb438
Instruction Fuzzy Hash: 6B812371A443056BE310DF18DD82B6B77E8AF84710F14483AFA84D7282E678D919CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00461618, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00461844

Strings

= , xrefs: 004616EA
+ , xrefs: 0046168E, 004616AC

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strlen
String ID: + $ =
API String ID: 4218353326-3101698796
Opcode ID: bda76647915f681ae572b8a8e703d330befafe9844f72cd5c3d93133880779b4
Instruction ID: f67d51dccea1f328567a377aef4fd38308321bb64a616a59a470391610de5eba
Opcode Fuzzy Hash: bda76647915f681ae572b8a8e703d330befafe9844f72cd5c3d93133880779b4
Instruction Fuzzy Hash: 1381AB71908301AFDB109F15D84065FBBE5BF88368F18492FF894972A0E779C945CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 00420BF0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00420CAC

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Strings

0S@, xrefs: 00420CA4
index >= m_child_blocks.size(), xrefs: 00420C39

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionException@8RaiseThrow
String ID: 0S@$index >= m_child_blocks.size()
API String ID: 3976011213-377766800
Opcode ID: e1acf7e5332d2f0ce9fdc6b27ac666fc95a14ac589ce62ca243f95c15f6879df
Instruction ID: ff0eb4cbc80f7bfd4d47f48d5f64024d2e78c3e0a4e51640bf927f014b17a595
Opcode Fuzzy Hash: e1acf7e5332d2f0ce9fdc6b27ac666fc95a14ac589ce62ca243f95c15f6879df
Instruction Fuzzy Hash: 52816A722047419FC324EF68D480A9BF7E5FF88304F908E1EE59A93651DB74B809CB66

Uniqueness

Uniqueness Score: -1.00%

Function 004035BB, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004035C9

Part of subcall function 004044FD: __EH_prolog.LIBCMT ref: 00404502

Part of subcall function 00404578: __EH_prolog.LIBCMT ref: 0040457D

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Strings

a4ad4ip2xzclh6fd.onion, xrefs: 004035F0
http://, xrefs: 004035DD

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$char_traits
String ID: a4ad4ip2xzclh6fd.onion$http://
API String ID: 4022946289-2353795664
Opcode ID: 324873d5c5fc93c4e5ef0cab12f71e4dc85a2296a0133df26378f1a446deec63
Instruction ID: 080a617560819567624c1ce3ddbab24155f31f243833e97fbbe0d6e22fd78d47
Opcode Fuzzy Hash: 324873d5c5fc93c4e5ef0cab12f71e4dc85a2296a0133df26378f1a446deec63
Instruction Fuzzy Hash: 365130B2801158BADB51EBA5CD45FDF7F6CAF55308F00846AB50AB2182EE385B04CB75

Uniqueness

Uniqueness Score: -1.00%

Function 0041EB50, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

__wfopen_s.LIBCMT ref: 0041EC6B
__CxxThrowException@8.LIBCMT ref: 0041ED0F

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Strings

fopen failed, xrefs: 0041ECA7

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionException@8RaiseThrow__wfopen_s
String ID: fopen failed
API String ID: 2193877707-3133056459
Opcode ID: f33d866880b03a96149242496008bf79ad7eb5692d4bebcbdaa188a1314909cf
Instruction ID: 5852b54402d467e60acf6aab0673df04dc6e6857b751cad48f70d892856615ef
Opcode Fuzzy Hash: f33d866880b03a96149242496008bf79ad7eb5692d4bebcbdaa188a1314909cf
Instruction Fuzzy Hash: C351B0742083419BC714DF1AC884B9BBBE6BFD5314F100A2EF49547391D778A889CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00412217, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041221C

Part of subcall function 0040F1FC: __EH_prolog.LIBCMT ref: 0040F201

Strings

Walker: , xrefs: 004122ED
Watcher: , xrefs: 00412271

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog
String ID: Walker: $Watcher:
API String ID: 3519838083-2016308921
Opcode ID: cd57fe09c6261fcdc514e45f4de84a4b73a8590b7829b6c4d3e7a22be0f24da6
Instruction ID: 04b706f4096d630356abd72cb09eca4239d2138f626fcce1dfc104e7f70d174a
Opcode Fuzzy Hash: cd57fe09c6261fcdc514e45f4de84a4b73a8590b7829b6c4d3e7a22be0f24da6
Instruction Fuzzy Hash: D0417273A4020DAADB00EEE9DD46EDDBBB9BB44714F10006BB610F7181DB75AA458B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040A350, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040A355

Part of subcall function 0040D308: __EH_prolog.LIBCMT ref: 0040D30D

Part of subcall function 0040C3BF: GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,0BA3A0FA,00000000,0056623E,00000000,Function_0000543E,00000000,?,00000000,?,0BA3A0FA), ref: 0040C3D5
Part of subcall function 0040C3BF: __aulldvrm.LIBCMT ref: 0040C3EF

Part of subcall function 00566810: GetTickCount.KERNEL32 ref: 00566870
Part of subcall function 00566810: GetProcessHeap.KERNEL32(00000000,0BA3A0FA), ref: 005668C2
Part of subcall function 00566810: HeapFree.KERNEL32(00000000), ref: 005668C9

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Part of subcall function 005659F0: GetProcessHeap.KERNEL32(00000000,?,?,00000000,?,00000000,0057E808,000000FF,00406779,00000001,00000000,00000001,00000000,?,xmode), ref: 00565A54
Part of subcall function 005659F0: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,0057E808,000000FF,00406779,00000001,00000000,00000001,00000000,?,xmode), ref: 00565A57
Part of subcall function 005659F0: GetProcessHeap.KERNEL32(00000000,?,?,00000000,?,00000000,0057E808,000000FF,00406779,00000001,00000000,00000001,00000000,?,xmode), ref: 00565A80
Part of subcall function 005659F0: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,0057E808,000000FF,00406779,00000001,00000000,00000001,00000000,?,xmode), ref: 00565A83

Strings

Client Server Runtime Subsystem, xrefs: 0040A435
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040A3E4

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Heap$FreeProcess$H_prologTime$CountFileSystemTick__aulldvrmchar_traits
String ID: Client Server Runtime Subsystem$SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
API String ID: 480152762-2461271356
Opcode ID: caca0cab8840fb03af36e6f37777c02c8d23ea277e54788a4206c5a2944f5b77
Instruction ID: d25dd386754db96cd6c3d5f0210ecd887fc46f93821635a3e1d0017623949947
Opcode Fuzzy Hash: caca0cab8840fb03af36e6f37777c02c8d23ea277e54788a4206c5a2944f5b77
Instruction Fuzzy Hash: F651A372C0124CEEDF11EBA4C845BDEBB78AF15318F14819EB505B7292EB741B48CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0040B237, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 142COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040B23C

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Strings

.txt, xrefs: 0040B2D8
README, xrefs: 0040B24E

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$char_traits
String ID: .txt$README
API String ID: 4022946289-3729994529
Opcode ID: daa486b0caac0ed740b6f95cbb9e2a13d5b925e31d620d0f647db4a4594be167
Instruction ID: 89ee08edfa0294d57ee2c19289f9648cf7eab5515d7f26eb91f1b7689473f718
Opcode Fuzzy Hash: daa486b0caac0ed740b6f95cbb9e2a13d5b925e31d620d0f647db4a4594be167
Instruction Fuzzy Hash: 94513372D00258EEDB11EBD4CC46BDD7B78AF14308F1440AAE609B7181DBB51F89CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0045910B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

.\crypto\user\eng_ctrl.c, xrefs: 00459112

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: .\crypto\user\eng_ctrl.c
API String ID: 0-2065947053
Opcode ID: fa312c7f7601f271df96bd67c17604218a7fb9f6cef25b450987ed33ebe2e44b
Instruction ID: cad56b6a028ef0002b3b8410752229f5a722ffea05aeea6c29d5c07ce9532dc6
Opcode Fuzzy Hash: fa312c7f7601f271df96bd67c17604218a7fb9f6cef25b450987ed33ebe2e44b
Instruction Fuzzy Hash: 56411630204A12F6FB2459188844A3B3359EB81357F284D6BFC06DA393EB7DDD0EC64A

Uniqueness

Uniqueness Score: -1.00%

Function 004333D0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 136COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 004334AB

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Strings

row >= size(), xrefs: 0043343D
0S@, xrefs: 004334A3

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionException@8RaiseThrow
String ID: 0S@$row >= size()
API String ID: 3976011213-1828103634
Opcode ID: 87ac2301061476188d6d388fae992d8d7af5b3159e942a69c9db2171badf0d1c
Instruction ID: 19aa58f0207cdb26ebb4d6132b625fe4868029784a8778ff38ac02c7f8536836
Opcode Fuzzy Hash: 87ac2301061476188d6d388fae992d8d7af5b3159e942a69c9db2171badf0d1c
Instruction Fuzzy Hash: A6516C71604711AFC304DF69C884B6ABBE9BF98714F048A1EF498D7281DB78E914CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004565AB, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 004565CA

Strings

fullname, xrefs: 004565BD
relativename, xrefs: 004565ED

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strncmp
String ID: fullname$relativename
API String ID: 909875538-2357537195
Opcode ID: d94c0ec743175277ebd9e0e3fa49b4e9c642b60110a3e97748dac75bc8428085
Instruction ID: ecf6641b05d4b7162b85ffbb1f016f35498996223a5d274ba887c786a6b8c605
Opcode Fuzzy Hash: d94c0ec743175277ebd9e0e3fa49b4e9c642b60110a3e97748dac75bc8428085
Instruction Fuzzy Hash: E5412571204701ABE7106F65D856B2AB691AF4032AF66442FFC059B393EFBDDC098A4D

Uniqueness

Uniqueness Score: -1.00%

Function 0045ABCA, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

.\crypto\objects\obj_lib.c, xrefs: 0045AC17, 0045AC6D, 0045ACA5

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: .\crypto\objects\obj_lib.c
API String ID: 0-1655395264
Opcode ID: 68800310bebf6c42bde45a643dc0a0b6cbc0381970a908136d3754d7cd6672f7
Instruction ID: 552c611eb4ed508bbb995f243fa095f59a5f613c4a3367c9d29e2a2932b812ab
Opcode Fuzzy Hash: 68800310bebf6c42bde45a643dc0a0b6cbc0381970a908136d3754d7cd6672f7
Instruction Fuzzy Hash: 9641A031A00305BFEB119F66D941B5EBBA0BF00756F20416BFD00DB282EB78D964C799

Uniqueness

Uniqueness Score: -1.00%

Function 0041245D, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412462

Part of subcall function 0040ED6B: _memset.LIBCMT ref: 0040ED87

Part of subcall function 00416A0E: _memset.LIBCMT ref: 00416A33
Part of subcall function 00416A0E: GetSystemDirectoryW.KERNEL32(?,00000400), ref: 00416A59

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

Part of subcall function 0040EDE2: __EH_prolog.LIBCMT ref: 0040EDE7
Part of subcall function 0040EDE2: CreatePipe.KERNEL32(0000006A,0000006E,?,00000000,?,0000000A,00412505,00000000), ref: 0040EE16

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Strings

cmd.exe, xrefs: 004124B1
chcpexit, xrefs: 0041248F

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$_memset$CreateDirectoryPipeSystemchar_traits
String ID: chcpexit$cmd.exe
API String ID: 2427169262-1388658100
Opcode ID: 25322d609db4c815206e9c093fdc86077ac8857df4cd42df9e1c13d6a0126688
Instruction ID: 63b562a0dd8427dc209ff34a47a2bc89f6e18bdf1fbd8d982a3f85f4d0a02f9f
Opcode Fuzzy Hash: 25322d609db4c815206e9c093fdc86077ac8857df4cd42df9e1c13d6a0126688
Instruction Fuzzy Hash: FC41B572D00158AEDB10EBA5CC45BDE7BBCAF05318F0045AAB619B31C1DBB45B48CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405C11, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00405C16

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Strings

xmode, xrefs: 00405C8B
xpk, xrefs: 00405D19

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prologchar_traits
String ID: xmode$xpk
API String ID: 734123105-3644361171
Opcode ID: 3173c32361fb1f8f788b7df2b7fc18ac73e798b1737e0fd4ab6d14b86b18e3db
Instruction ID: 295e7e66500701a4d93456d423cd44fadb350f16dbec91551ee53e759dbce75c
Opcode Fuzzy Hash: 3173c32361fb1f8f788b7df2b7fc18ac73e798b1737e0fd4ab6d14b86b18e3db
Instruction Fuzzy Hash: 5D415D32904259EEDB10EBA5CC42BDEBBB8AF14318F1041AEF119B71D1DB781B45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040F75A, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040F75F

Part of subcall function 0040148F: __EH_prolog.LIBCMT ref: 00401494

__CxxThrowException@8.LIBCMT ref: 0040F7A9

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Strings

map/set<T> too long, xrefs: 0040F77C

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrow
String ID: map/set<T> too long
API String ID: 1193697898-1285458680
Opcode ID: d1afac720a903250aa5d1c14e8ca0c361040523005d65fe8efd62d6486769f61
Instruction ID: 2983e04883e294d139612ae10723ac7ca3c6e2563916c8f6f640b9ef4ff841a9
Opcode Fuzzy Hash: d1afac720a903250aa5d1c14e8ca0c361040523005d65fe8efd62d6486769f61
Instruction Fuzzy Hash: 2A519E716002409FC325DF19C184A96BBF4BF19314F1581BEE809ABBA2C778FC89CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0045E1DD, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0045E278

Part of subcall function 0044B8A8: _strlen.LIBCMT ref: 0044B8CB

Strings

NULL, xrefs: 0045E225
TYPE=, xrefs: 0045E24F

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strlen
String ID: NULL$TYPE=
API String ID: 4218353326-4174652433
Opcode ID: cb15feaf3fdb71a32f78000d7026cb609a27c88196d5d1cdf4ae57d87a6f8266
Instruction ID: 26939b3cd2a51b56b38c6d44e302372e8c1c58737200646770cd5565e89ce19a
Opcode Fuzzy Hash: cb15feaf3fdb71a32f78000d7026cb609a27c88196d5d1cdf4ae57d87a6f8266
Instruction Fuzzy Hash: 7D310B33A40304BAEB3859A2DC07FAE375C9B00766F10417BFE15991C2EA789B498649

Uniqueness

Uniqueness Score: -1.00%

Function 0044B4BB, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0044B539

Strings

6\R, xrefs: 0044B4CF, 0044B545, 0044B55A, 0044B572, 0044B5C4, 0044B5FD
.\crypto\mem_dbg.c, xrefs: 0044B4D8, 0044B4E6, 0044B553, 0044B56B, 0044B583, 0044B5D9, 0044B60B

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _memcmp
String ID: .\crypto\mem_dbg.c$6\R
API String ID: 2931989736-584400434
Opcode ID: fee0abdee65a8612ed76c8f1be0392a33980a1ba54431963050bcde69b1c34f6
Instruction ID: 4347895a982b8003eba1c37a83ee00162f59a090ef504497d317edc957570ee4
Opcode Fuzzy Hash: fee0abdee65a8612ed76c8f1be0392a33980a1ba54431963050bcde69b1c34f6
Instruction Fuzzy Hash: F53128326402057BFB209BA59C82F76B694FB44708F440C3AE648D5BD1D7BCC94AE796

Uniqueness

Uniqueness Score: -1.00%

Function 00433590, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00433637

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Strings

row >= size(), xrefs: 004335CD
0S@, xrefs: 0043362F

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionException@8RaiseThrow
String ID: 0S@$row >= size()
API String ID: 3976011213-1828103634
Opcode ID: 25a7f783350a5df9af2d9e84c23c4f96d96280ab2991729c37df7d7cf4deaa5b
Instruction ID: d809594c9e1d5111e8cf432f7830345e4b0254cf749b05acfab8044df3ae1317
Opcode Fuzzy Hash: 25a7f783350a5df9af2d9e84c23c4f96d96280ab2991729c37df7d7cf4deaa5b
Instruction Fuzzy Hash: 08416A716087509FC314DF69C881B2BFBE6BBC8715F408A2EF48587380DB78E9048B65

Uniqueness

Uniqueness Score: -1.00%

Function 00440DEB, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00440E3A

Strings

6\R, xrefs: 00440E1A, 00440E44, 00440E68, 00440E7D, 00440EA5, 00440EF7
.\crypto\rand\md_rand.c, xrefs: 00440E08, 00440E28, 00440E57, 00440E76, 00440E8E, 00440EB6, 00440F0B

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _memcmp
String ID: .\crypto\rand\md_rand.c$6\R
API String ID: 2931989736-969700016
Opcode ID: ca99d54163b7e5a45e7d59a2af0d9bc35e6e4b30742d0bb969ce7eca9ccfd907
Instruction ID: df83739ef1de0bdaf0812ac97141f5726d41ffc7f24f8d8d5d39b354f05593e0
Opcode Fuzzy Hash: ca99d54163b7e5a45e7d59a2af0d9bc35e6e4b30742d0bb969ce7eca9ccfd907
Instruction Fuzzy Hash: BF31383078130966F2309794AD46F3737589B90F10F000926BF58EA6C2D6FD9E39D79A

Uniqueness

Uniqueness Score: -1.00%

Function 00432F50, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00432FF8

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Strings

row >= size(), xrefs: 00432F8E
0S@, xrefs: 00432FF0

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionException@8RaiseThrow
String ID: 0S@$row >= size()
API String ID: 3976011213-1828103634
Opcode ID: 5898352adb01dbc37da5de3f9eff9fec7f729818d3b7077e13d63a6e81cd2839
Instruction ID: a0755e84b5ca7e0056079d898d7c8ecdcf672faf31af2216b752b01aa87180d0
Opcode Fuzzy Hash: 5898352adb01dbc37da5de3f9eff9fec7f729818d3b7077e13d63a6e81cd2839
Instruction Fuzzy Hash: 5B416B716087409BC314DF69C885B6BFBE9BBD8714F108A2EF48987390DB78E904CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004330C0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00433167

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Strings

row >= size(), xrefs: 004330FD
0S@, xrefs: 0043315F

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionException@8RaiseThrow
String ID: 0S@$row >= size()
API String ID: 3976011213-1828103634
Opcode ID: c59da69bc2e171eef05c326254220807be30d69e74427c53564f886f1d61f2dc
Instruction ID: 7cbc7ab5c2936355f0e25abfeb09d299af85da8b24004c045c3116447035ce51
Opcode Fuzzy Hash: c59da69bc2e171eef05c326254220807be30d69e74427c53564f886f1d61f2dc
Instruction Fuzzy Hash: B5414A716087509FD314DF69C880B2BFBE6BBC9715F408A2EF48587390DB78E9048B65

Uniqueness

Uniqueness Score: -1.00%

Function 00433230, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 004332D7

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Strings

row >= size(), xrefs: 0043326D
0S@, xrefs: 004332CF

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionException@8RaiseThrow
String ID: 0S@$row >= size()
API String ID: 3976011213-1828103634
Opcode ID: 24dddc762f8a4350e4addf95b86f79066ef147735eb40b97c18d75509e55f5f7
Instruction ID: bc449cb825f0c57f079a9a93406bdf3a3bf239d90b2264c43f3df97d7b6d47f9
Opcode Fuzzy Hash: 24dddc762f8a4350e4addf95b86f79066ef147735eb40b97c18d75509e55f5f7
Instruction Fuzzy Hash: 2E415C716087509FC314DF69C880B2BFBE5BBC8715F448A2EF49587391DB78E9048B65

Uniqueness

Uniqueness Score: -1.00%

Function 004630B7, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004631A6

Strings

%02d%02d%02d%02d%02d%02dZ, xrefs: 00463195
.\crypto\asn1\a_utctm.c, xrefs: 0046312D

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strlen
String ID: %02d%02d%02d%02d%02d%02dZ$.\crypto\asn1\a_utctm.c
API String ID: 4218353326-3214030157
Opcode ID: 6a272684c60f7c33dcd3c525290183824ed2feb50554ece4ccb3d13eed2d3cb9
Instruction ID: b9198a1031059f96ab310f60f78355f132b61af5ac012524b6f5bce85b1df5a7
Opcode Fuzzy Hash: 6a272684c60f7c33dcd3c525290183824ed2feb50554ece4ccb3d13eed2d3cb9
Instruction Fuzzy Hash: 1D3128722003416BEB259F99DCC1BDB77A4EB05725F18402BF6049B2C1FB78DE41C6AA

Uniqueness

Uniqueness Score: -1.00%

Function 0046331F, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004633E5

Strings

%04d%02d%02d%02d%02d%02dZ, xrefs: 004633D4
.\crypto\asn1\a_gentm.c, xrefs: 00463382

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strlen
String ID: %04d%02d%02d%02d%02d%02dZ$.\crypto\asn1\a_gentm.c
API String ID: 4218353326-3551432762
Opcode ID: a2c27f74f45a4cae7a9cc7cd4bed3da221139271ca7525e11d0c07c26b3303d6
Instruction ID: b291abe32158c117de478547092ce8ce92af6091f584bd5fcf6bca6f7e26f2a8
Opcode Fuzzy Hash: a2c27f74f45a4cae7a9cc7cd4bed3da221139271ca7525e11d0c07c26b3303d6
Instruction Fuzzy Hash: F72108726047426BEB115E59D882B9B7794EF04715F14002BFD059F382FF69DA8087EA

Uniqueness

Uniqueness Score: -1.00%

Function 00442577, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004425D0

Strings

.\crypto\err\err.c, xrefs: 0044258A, 004425E0
P, xrefs: 00442592

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strlen
String ID: .\crypto\err\err.c$P
API String ID: 4218353326-1804422389
Opcode ID: 642be3abe7ba952aca4a9dd95fc3dd3015989d8161fb086d280a0e7d7cb921b3
Instruction ID: 42912dd6532e52857ecd4aeca8e755e73f575d732ab2e1bd905664f92ed93f29
Opcode Fuzzy Hash: 642be3abe7ba952aca4a9dd95fc3dd3015989d8161fb086d280a0e7d7cb921b3
Instruction Fuzzy Hash: CD31D871900205ABEB10DF99D981BAEB7A4EF04718F64445BF504E7381EBB89A40CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00404E62, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00404E67

Part of subcall function 004157B5: _sprintf.LIBCMT ref: 004157DC

Part of subcall function 004044A4: __EH_prolog.LIBCMT ref: 004044A9

Strings

^O@, xrefs: 00404E7D
127.0.0.1:, xrefs: 00404EF0

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$_sprintf
String ID: 127.0.0.1:$^O@
API String ID: 550890233-1617651752
Opcode ID: b07ce7d5e9460cd340f3963baf88740988e46bf3b7efa422673836abf67ba978
Instruction ID: 29780194843c1a3a7ac8edaf7920a481b89f8066bfa334a42c2158a37417f924
Opcode Fuzzy Hash: b07ce7d5e9460cd340f3963baf88740988e46bf3b7efa422673836abf67ba978
Instruction Fuzzy Hash: 3621A9B1604245BEE704FB92C992FDDBB68EF44314F10815AF31D7B1C1DAB8A944C765

Uniqueness

Uniqueness Score: -1.00%

Function 00409EA3, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409EA8

Strings

Client Server Runtime Subsystem, xrefs: 00409F57
csrss.lnk, xrefs: 00409EF5

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog
String ID: Client Server Runtime Subsystem$csrss.lnk
API String ID: 3519838083-3127757153
Opcode ID: 8aac67386701827d5f7c2f3e8c3a7ac8c78d388ea8dfb5a9fcca508824ab175d
Instruction ID: 00b787fd48a695fa010cc44ecaf4cffa46b18996cdcae7cc67f8b275cffcc32f
Opcode Fuzzy Hash: 8aac67386701827d5f7c2f3e8c3a7ac8c78d388ea8dfb5a9fcca508824ab175d
Instruction Fuzzy Hash: C7317271C05148EEDB10EBE4C952BDDBBB8AF14318F14406EF615B32C2DA796B48CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00486583, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004865CA
__time64.LIBCMT ref: 004865FC

Strings

%s:%d, xrefs: 00486597

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: __time64_strlen
String ID: %s:%d
API String ID: 634110636-1029262843
Opcode ID: 4aba6b5850f6c04f15b613a8afb6ed7bec3f4369073bd9fed30f43fbfbd6342f
Instruction ID: cbf5763021786821f22aaf14391573fae7afb41fe22e8a4d06456c2526c438d0
Opcode Fuzzy Hash: 4aba6b5850f6c04f15b613a8afb6ed7bec3f4369073bd9fed30f43fbfbd6342f
Instruction Fuzzy Hash: 1821D472900215FFCB14AF64EC4699EBBB4FF18715B21481BF941D7251EB359E00ABA4

Uniqueness

Uniqueness Score: -1.00%

Function 00420F10, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00420FB0

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Strings

index > 0, xrefs: 00420F44
0S@, xrefs: 00420FA8

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionException@8RaiseThrow
String ID: 0S@$index > 0
API String ID: 3976011213-894382809
Opcode ID: 5b5289dfdcf463b86ff2638c259421173119b349290d1ceecd7150599e90590a
Instruction ID: 2059d3d9538208efe3307b6e2567f9c44a16b29837dac52301ba7e4413873e0d
Opcode Fuzzy Hash: 5b5289dfdcf463b86ff2638c259421173119b349290d1ceecd7150599e90590a
Instruction Fuzzy Hash: 933169712083809FC311DF19C891B5BFBE5BBD5724F408A2EF4A553391D7789908CB92

Uniqueness

Uniqueness Score: -1.00%

Function 004156EB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D237: __EH_prolog.LIBCMT ref: 0040D23C

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

WriteFile.KERNEL32(000000FF,00000000,00000001,?,00000000,?,?,?,?,?,?,?,?,?,005E3970,000000FF), ref: 0041578F
CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?,005E3970,000000FF), ref: 004157A7

Strings

\\?\, xrefs: 004156FB

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseFileH_prologHandleWritechar_traits
String ID: \\?\
API String ID: 3280158836-4282027825
Opcode ID: 0634fffbe1012b6e10b3c48fcb755af3e76fe02baa35d1a971eca07a335bff45
Instruction ID: 485bf9524eb0662c63c7e391ffd59a94ae1a12836b783cb91e60e07b8cb5580e
Opcode Fuzzy Hash: 0634fffbe1012b6e10b3c48fcb755af3e76fe02baa35d1a971eca07a335bff45
Instruction Fuzzy Hash: F8215E72900208BADF10ABE5DC4AEDEBB78EF40754F04446AF601B7191DA796A49CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004209F0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00420A9E

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Strings

offset >= size(), xrefs: 00420A37
0S@, xrefs: 00420A96

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionException@8RaiseThrow
String ID: 0S@$offset >= size()
API String ID: 3976011213-2175775595
Opcode ID: f7eb190bf03319729d881fcfa6ddd1ebda0e98298f10e7a07b40ba795b64a947
Instruction ID: d3b3d97530c9e75ff42b21831b395de75290847bf617acef4cfb67e31f7ea0ee
Opcode Fuzzy Hash: f7eb190bf03319729d881fcfa6ddd1ebda0e98298f10e7a07b40ba795b64a947
Instruction Fuzzy Hash: A3218E71248345AFD300DF59C890A5BFBE8FB99760F404A2EF59493381DB78D904CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00453109, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00453178

Strings

b <= sizeof ctx->buf, xrefs: 0045319A
.\crypto\evp\evp_enc.c, xrefs: 004531A4

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _memset
String ID: .\crypto\evp\evp_enc.c$b <= sizeof ctx->buf
API String ID: 2102423945-417187130
Opcode ID: 7ac418f3916f112fb15ff61d0a17478e62dde33f9837cae8f06c19e7eb40d3e1
Instruction ID: 9fafb146507bd6dbcd057388470ab4215ac7465bfbcddde4964d52078c63ffe6
Opcode Fuzzy Hash: 7ac418f3916f112fb15ff61d0a17478e62dde33f9837cae8f06c19e7eb40d3e1
Instruction Fuzzy Hash: 5D11E631200A01AFDB249F75DD45F2B33D5AF40747F14041AF9429A182E7B8EA498719

Uniqueness

Uniqueness Score: -1.00%

Function 00436320, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00436377

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

__CxxThrowException@8.LIBCMT ref: 004363C6

Strings

PiB, xrefs: 00436367, 004363B6

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: PiB
API String ID: 3476068407-3205498864
Opcode ID: 39d2b4ea2b7b87fbc3175235e3b78f364f7daa92e6b083b126ce367b0bce2ed2
Instruction ID: c9e4170fe6454b2deeb442f2eb8c322739948b6013e3cb14590d1bf497e8299b
Opcode Fuzzy Hash: 39d2b4ea2b7b87fbc3175235e3b78f364f7daa92e6b083b126ce367b0bce2ed2
Instruction Fuzzy Hash: C82184712002028F8310DF59C8C0C6EBBE5BFC9314B058A5EE9488B3A5DB70E90ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0046500C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

_strncpy.LIBCMT ref: 0046507E

Strings

.\crypto\x509v3\v3_alt.c, xrefs: 00465069
OF, xrefs: 0046503E

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strncpy
String ID: .\crypto\x509v3\v3_alt.c$OF
API String ID: 2961919466-118201736
Opcode ID: 2de173d19ae5b33192ba6aa195a4cc5ecb068ea99a4b2284b4e893aa69d542e6
Instruction ID: f139488f5c50dfe4c9585bf350698dfc706f07a941de3c9a062d3f8d2c621b80
Opcode Fuzzy Hash: 2de173d19ae5b33192ba6aa195a4cc5ecb068ea99a4b2284b4e893aa69d542e6
Instruction Fuzzy Hash: 1F112571509712AFDB11AF68DC46B5ABBD8FF08354F40802AF80897252EB75EC10C7E5

Uniqueness

Uniqueness Score: -1.00%

Function 0042CAB0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 0042CB02

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

__CxxThrowException@8.LIBCMT ref: 0042CB46

Strings

PiB, xrefs: 0042CAF5, 0042CB39

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: PiB
API String ID: 3476068407-3205498864
Opcode ID: 9748ff926cae1b1e26082c19f2d874fafc50dbde1e7d5267a8cfe3b00e1f3ee1
Instruction ID: 8ac66654b1a3cc9e00f6af658c8be0f0a1764a661f293eb42dabd9a5936a68dc
Opcode Fuzzy Hash: 9748ff926cae1b1e26082c19f2d874fafc50dbde1e7d5267a8cfe3b00e1f3ee1
Instruction Fuzzy Hash: 32118E792002029BC320EF19C8C1CAEF7E4FFD9714B404959F5449B3A1EB70E946C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 004397E0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00439830

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

__CxxThrowException@8.LIBCMT ref: 00439870

Strings

PiB, xrefs: 00439824, 00439864

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: PiB
API String ID: 3476068407-3205498864
Opcode ID: 3807c88a0bab4074f682901ecc0d7871f81e5a031eab6e30acb2f843b75e58e3
Instruction ID: e6ffc3d3059b1513344e3809e93bb7dd22496fed3947353668e7c79e04cd2834
Opcode Fuzzy Hash: 3807c88a0bab4074f682901ecc0d7871f81e5a031eab6e30acb2f843b75e58e3
Instruction Fuzzy Hash: E61167752002069B9310EF19C8C0CAEB7E9FFDA314F404A6EE5449B3A5DB70E905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0043D82E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0043D872
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0043D888

Strings

(, xrefs: 0043D862

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: FileRead_memset
String ID: (
API String ID: 3514341948-3887548279
Opcode ID: dd0716ef8bc99e526b7b0f5eee6bc879b4263a9e405d45afc0df25295ea29cc0
Instruction ID: ab16c77ed83951d849fe6746f2d5c09628b7d9e7d84b0e7c9535e820d66fdd8f
Opcode Fuzzy Hash: dd0716ef8bc99e526b7b0f5eee6bc879b4263a9e405d45afc0df25295ea29cc0
Instruction Fuzzy Hash: 0F118C76900608EFCB21EF89E8C099EBBF8FF09314F10582AE516A7610D334BA44DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00435D2F, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00435D3F

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Strings

gfff, xrefs: 00435D4C
gfff, xrefs: 00435D8A

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionException@8RaiseThrow
String ID: gfff$gfff
API String ID: 3976011213-3084402119
Opcode ID: 6f2c0233425277e37d8c9a53372e452fab7f27dc0eb9da85463c2b55d8cc81a7
Instruction ID: 80463d28104e4cb52d8f93d440159eff72295cf9a77186eb678953621616cf99
Opcode Fuzzy Hash: 6f2c0233425277e37d8c9a53372e452fab7f27dc0eb9da85463c2b55d8cc81a7
Instruction Fuzzy Hash: DC1191B2B002099BCB0CDF29E955ADD7762FB88314F058569ED06AF381D671FD10CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0040EFCD, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53filepipeCOMMON

Download Yara Rule

APIs

PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,p@,00000000,00000001,?,0040EF70), ref: 0040EFEC
ReadFile.KERNEL32(?,00000000,00000000,?,00000000,00000102,?,0040EF70), ref: 0040F013

Strings

p@, xrefs: 0040EFDC, 0040EFFC, 0040EFDF

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: FileNamedPeekPipeRead
String ID: p@
API String ID: 327342812-1482256116
Opcode ID: e863d6940344f07fe5e87380b982f0cdc9e0bc68511cfa642bf798dad228194a
Instruction ID: c9665e138dbd7d267d66197b32280cee37dddce7f3bb8f1b203877ba24e16af4
Opcode Fuzzy Hash: e863d6940344f07fe5e87380b982f0cdc9e0bc68511cfa642bf798dad228194a
Instruction Fuzzy Hash: 94017172901208BFDB219FA1DC85DEFBBBCFB51384B20047BF401A2652D635AE45EB24

Uniqueness

Uniqueness Score: -1.00%

Function 00518488, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 005184AE

Strings

[server], xrefs: 005184AD
Windows 8, xrefs: 0051848D

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strlen
String ID: [server]$Windows 8
API String ID: 4218353326-3838127165
Opcode ID: 0b6eba52d92da72897ffc17bef6dc2ae2a3a18b23e7c929f68abddab9b3b6f5e
Instruction ID: aed34c397b3238379ec8210f1bdc044313d4a491ebd71697345c8895d0f145f3
Opcode Fuzzy Hash: 0b6eba52d92da72897ffc17bef6dc2ae2a3a18b23e7c929f68abddab9b3b6f5e
Instruction Fuzzy Hash: 62F09036A086A31BFF37053C9C543FA5F846B93324F0D45E9E4859B255CEA48CC1C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 005198FE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00001300,00000000,00000000,00000400,00000000,00000000,00000000,00000000,?,?,005036E6,00000000), ref: 00519924
LocalFree.KERNEL32(00000000,?,005036E6,00000000), ref: 0051994D

Strings

<unformattable error>, xrefs: 00519938

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: FormatFreeLocalMessage
String ID: <unformattable error>
API String ID: 1427518018-1798847607
Opcode ID: 9b194513c7d34e142c419afab315d958d121a8fbc2702baed99e67904cb7a375
Instruction ID: ecf96324091e50f6cc3d64c67e726d816cc333c234da7b06191f12646664e4d0
Opcode Fuzzy Hash: 9b194513c7d34e142c419afab315d958d121a8fbc2702baed99e67904cb7a375
Instruction Fuzzy Hash: 8AF05471502225FBDB219B929D19DDE7F39FB81F61F204056FA05B5140D6304F44EAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00404C10, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00404C15

Part of subcall function 00404749: __EH_prolog.LIBCMT ref: 0040474E

Strings

oH@, xrefs: 00404C51
:N@, xrefs: 00404C4B

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog
String ID: :N@$oH@
API String ID: 3519838083-3732481758
Opcode ID: 8243164c156a0d8c227b62e4f85dfc2805968c4ff98b441a3da74958de1e8bec
Instruction ID: c94c80212a349cf45fb97de1f887cd9e762c3fab49d5b52a8a0e46deab61e7f8
Opcode Fuzzy Hash: 8243164c156a0d8c227b62e4f85dfc2805968c4ff98b441a3da74958de1e8bec
Instruction Fuzzy Hash: F5F08CB15016009AC718EF59D40565EBFE4BF84714B00082FF605A7681EBB4AA40CB58

Uniqueness

Uniqueness Score: -1.00%

Function 005222F7, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 0051AAC5: _strlen.LIBCMT ref: 0051AAC9
Part of subcall function 0051AAC5: _strncmp.LIBCMT ref: 0051AAD7

_strlen.LIBCMT ref: 0052230E

Part of subcall function 0051A7B3: _abort.LIBCMT ref: 0051A7DF
Part of subcall function 0051A7B3: _abort.LIBCMT ref: 0051A805
Part of subcall function 0051A7B3: _strncpy.LIBCMT ref: 0051A81A

Strings

OpenSSL 1.0.1j 15 Oct 2014, xrefs: 00522301, 00522317, 00522329, 00522333
OpenSSL , xrefs: 005222F9, 00522300, 0052230D

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _abort_strlen$_strncmp_strncpy
String ID: OpenSSL $OpenSSL 1.0.1j 15 Oct 2014
API String ID: 3866226041-1405123842
Opcode ID: 643cc370818d7c9e3527cb1140542444f5b3aff6a0689e6f280a66026de80049
Instruction ID: d19ed58a50614055fe02f15871e7033c4b610d17568957d0b5d61978fb0322ad
Opcode Fuzzy Hash: 643cc370818d7c9e3527cb1140542444f5b3aff6a0689e6f280a66026de80049
Instruction Fuzzy Hash: 54E0D82760A633347125203D7C8EEEF0E9CEEE3774B140426F904951C3F9498B4240FA

Uniqueness

Uniqueness Score: -1.00%

Function 00519F01, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0051A69D: _memset.LIBCMT ref: 0051A6B0

Part of subcall function 00519E08: _abort.LIBCMT ref: 00519E38
Part of subcall function 00519E08: _abort.LIBCMT ref: 00519E60
Part of subcall function 00519E08: _abort.LIBCMT ref: 00519E8A
Part of subcall function 00519E08: _memset.LIBCMT ref: 00519E97

Part of subcall function 005197E1: _abort.LIBCMT ref: 0051983C
Part of subcall function 005197E1: RtlEnterCriticalSection.NTDLL(00000000), ref: 00519846

__fileno.LIBCMT ref: 00519F2C
RtlLeaveCriticalSection.NTDLL(005FF3E8), ref: 00519F58

Part of subcall function 0054FB25: __lock.LIBCMT ref: 0054FB43
Part of subcall function 0054FB25: ___sbh_find_block.LIBCMT ref: 0054FB4E
Part of subcall function 0054FB25: ___sbh_free_block.LIBCMT ref: 0054FB5D
Part of subcall function 0054FB25: RtlFreeHeap.NTDLL(00000000,?,005DAA68,0000000C,005506B1,00000000,?,00550A15,?,00000001,?,?,0055609C,00000018,005DAC78,0000000C), ref: 0054FB8D
Part of subcall function 0054FB25: GetLastError.KERNEL32(?,00550A15,?,00000001,?,?,0055609C,00000018,005DAC78,0000000C,0055612D,?,?,?,0055076B,0000000D), ref: 0054FB9E

Strings

<temp>, xrefs: 00519F32

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _abort$CriticalSection_memset$EnterErrorFreeHeapLastLeave___sbh_find_block___sbh_free_block__fileno__lock
String ID: <temp>
API String ID: 751504769-1820400485
Opcode ID: 3920c2d59f7884fc499117dbe0af41eed3119804231935811fdada3bbd5016db
Instruction ID: dce7593d86b9721c6338faf7d51c3b9c5b69f559aab4ad4388909c6574e60362
Opcode Fuzzy Hash: 3920c2d59f7884fc499117dbe0af41eed3119804231935811fdada3bbd5016db
Instruction Fuzzy Hash: D2E0EC729012136BF2167765EC6FFEF2E5CFFD6711F040419F90496282DA204C8646B6

Uniqueness

Uniqueness Score: -1.00%

Function 00404749, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040474E

Strings

2N@, xrefs: 00404785
H@, xrefs: 0040478B

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog
String ID: H@$2N@
API String ID: 3519838083-1473922170
Opcode ID: b7dbabe3c05d673c4642c1d707b09f8428ede20a9d0b9fe04d84824a9d1d8b96
Instruction ID: d1bfba15fc914394738cffe3de8867397a6dbe086f57aabf61115400917e4379
Opcode Fuzzy Hash: b7dbabe3c05d673c4642c1d707b09f8428ede20a9d0b9fe04d84824a9d1d8b96
Instruction Fuzzy Hash: A9F05EB2A006159BC724AF68940665EFBE4FB85754B00482FE501E7240EBB4AA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 005188C9, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 005188CD
_strrchr.LIBCMT ref: 005188D7

Strings

util.c, xrefs: 005188CC, 005188D4

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: _strrchr
String ID: util.c
API String ID: 3213747228-1042335965
Opcode ID: e2479a7f8100cdd015d1917fc2ee7a54e3376adfd63e937479ff20a354463359
Instruction ID: b15c382e42ffcba1610f7e7304f986b30cb7ac5b49e89901e7f26086c74c095f
Opcode Fuzzy Hash: e2479a7f8100cdd015d1917fc2ee7a54e3376adfd63e937479ff20a354463359
Instruction Fuzzy Hash: 7ED01D3260472225F97071293C45AF75D9DABC5790B4D0866FE54E6187EA09CC9240E5

Uniqueness

Uniqueness Score: -1.00%

Function 0040543E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00405443
__localtime64.LIBCMT ref: 00405453

Part of subcall function 00405352: __EH_prolog.LIBCMT ref: 00405357

Part of subcall function 0040CCAC: __EH_prolog.LIBCMT ref: 0040CCB1
Part of subcall function 0040CCAC: __CxxThrowException@8.LIBCMT ref: 0040CCEC

Strings

could not convert calendar time to UTC time, xrefs: 0040545D

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$Exception@8Throw__localtime64
String ID: could not convert calendar time to UTC time
API String ID: 3427038727-2088861013
Opcode ID: 6afbf168251b57aa5b37edefd927b37cc56500f74868827edc9cc95989156c01
Instruction ID: b475e5de74abf67bb68491f4049495fd133e282f58378dc81e6795486edc674e
Opcode Fuzzy Hash: 6afbf168251b57aa5b37edefd927b37cc56500f74868827edc9cc95989156c01
Instruction Fuzzy Hash: 24E03032901505DADB04FBA4C856BDE7B78BB54318F10807AF405B65D2EB784A48CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004054F7, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004054FC

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Strings

0S@, xrefs: 00405534
Year is out of valid range: 1400..10000, xrefs: 0040550C

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prologchar_traits
String ID: 0S@$Year is out of valid range: 1400..10000
API String ID: 734123105-3821191700
Opcode ID: 8a1e9b109a4b6ef4088949b8f0f451e4adafc21a3b89780f5b8787aacf2f2425
Instruction ID: 994d968eba40dfa4c31a6bd1a0e5b7b8ac5ca25f24bf18fbf0844095dd5d7786
Opcode Fuzzy Hash: 8a1e9b109a4b6ef4088949b8f0f451e4adafc21a3b89780f5b8787aacf2f2425
Instruction Fuzzy Hash: 41E06D32A402009AE714BB549826BAC7AA8AB04715F00182EB901B72C2EBB85A048B88

Uniqueness

Uniqueness Score: -1.00%

Function 00405490, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00405495

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Strings

Day of month value is out of range 1..31, xrefs: 004054A5
0S@, xrefs: 004054CD

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prologchar_traits
String ID: 0S@$Day of month value is out of range 1..31
API String ID: 734123105-4176859717
Opcode ID: 76a0bef914bf197a7dc64c6e887e5952d5e7950d4b4d405e19451d38740325af
Instruction ID: 166d17a7ef52d4d727e223ee3eb1d1ec8a7b03b8a41e046ce3fb822cf6e0fe3a
Opcode Fuzzy Hash: 76a0bef914bf197a7dc64c6e887e5952d5e7950d4b4d405e19451d38740325af
Instruction Fuzzy Hash: 18E06D32A402049AE714BB549826B9DBAA8AB44715F10142EB902B72C1EBF85A048B88

Uniqueness

Uniqueness Score: -1.00%

Function 00405546, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040554B

Part of subcall function 00403C22: char_traits.LIBCPMT ref: 00403C47

Strings

Month number is out of range 1..12, xrefs: 0040555B
0S@, xrefs: 00405583

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prologchar_traits
String ID: 0S@$Month number is out of range 1..12
API String ID: 734123105-1766077199
Opcode ID: ceaa0c56ba8c761ec653ca7c3f53406ce0b7f4c536f75014835bddb8c8d2f924
Instruction ID: 99086c52819f6e5bb2d30991b6eb02e65f6ffdb8bdb41b83c8c056fe5ac79b55
Opcode Fuzzy Hash: ceaa0c56ba8c761ec653ca7c3f53406ce0b7f4c536f75014835bddb8c8d2f924
Instruction Fuzzy Hash: 3BE0ED32A402149AE714BF549826B9D7AA8EB54715F10186EF901B72C1EBB85A448B58

Uniqueness

Uniqueness Score: -1.00%

Function 00401705, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040170A
CreateEventA.KERNEL32(00000000,?,?,00000000), ref: 00401721

Part of subcall function 00404466: __EH_prolog.LIBCMT ref: 0040446B
Part of subcall function 00404466: __CxxThrowException@8.LIBCMT ref: 0040449E

Strings

,_X, xrefs: 0040173E, 00401741

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$CreateEventException@8Throw
String ID: ,_X
API String ID: 198059956-2525363915
Opcode ID: 0eb987b52f69cf8b4a54528859f9f5ee53ebf8c10ecaaf96a51baba888bbcb87
Instruction ID: 57852108811ff4f402473431d4c0e0fff0ba1159126b3cfcdd03703cba0705f8
Opcode Fuzzy Hash: 0eb987b52f69cf8b4a54528859f9f5ee53ebf8c10ecaaf96a51baba888bbcb87
Instruction Fuzzy Hash: 3FE0ED75D00209ABDB04EFA0D81AB9D7B74FB54705F008429FA15B61D1EB789608DF04

Uniqueness

Uniqueness Score: -1.00%

Function 00555609, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0055561A

Part of subcall function 00556112: __mtinitlocknum.LIBCMT ref: 00556128
Part of subcall function 00556112: __amsg_exit.LIBCMT ref: 00556134
Part of subcall function 00556112: RtlEnterCriticalSection.NTDLL(?), ref: 0055613C

RtlEnterCriticalSection.NTDLL(T?P), ref: 00555633

Strings

T?P, xrefs: 0055562C, 0055561F, 00555632

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: CriticalEnterSection$__amsg_exit__lock__mtinitlocknum
String ID: T?P
API String ID: 3996875869-2806064310
Opcode ID: a5410f12379498dad32d791636b9c3523069326688aec43c6d437d6b079364ba
Instruction ID: 6de559990f05b4d2cd9b8db48f8d1a80fd0b67f4779099f374fbac2bf061923c
Opcode Fuzzy Hash: a5410f12379498dad32d791636b9c3523069326688aec43c6d437d6b079364ba
Instruction Fuzzy Hash: 55D05B725006086BEB109B99D85FA5D37DCFB94335B95C401F84CDB542DB35F4988F54

Uniqueness

Uniqueness Score: -1.00%

Function 0040C1A0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040C1A5

Part of subcall function 0040148F: __EH_prolog.LIBCMT ref: 00401494

__CxxThrowException@8.LIBCMT ref: 0040C1DF

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Strings

vector<T> too long, xrefs: 0040C1B2

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrow
String ID: vector<T> too long
API String ID: 1193697898-3788999226
Opcode ID: 1c287bcadb19f7fb3cbe583b1f2ceeed1d7d396fe0b0494dc6d57f8cdf1d9d8d
Instruction ID: 14690c6792836f8e578b184e8e39d66fb179264ca3931cf97176258ea88dd3f8
Opcode Fuzzy Hash: 1c287bcadb19f7fb3cbe583b1f2ceeed1d7d396fe0b0494dc6d57f8cdf1d9d8d
Instruction Fuzzy Hash: F4E04F71C111099AEB04FBE4C55BADD7BBC7B14309F10842AF601B61A6EB785B0CCB24

Uniqueness

Uniqueness Score: -1.00%

Function 0040CDA8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040CDAD
__CxxThrowException@8.LIBCMT ref: 0040CDE8

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Strings

<@, xrefs: 0040CDCD, 0040CDD3

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionException@8H_prologRaiseThrow
String ID: <@
API String ID: 1681477883-3776883955
Opcode ID: 3e7848c5d8ccd68897fd3dc0c60ec9100719e256370e1b5a6b56709aa303a610
Instruction ID: 765d0385263d2f8915f5dac21231178825b7ccea4e3d6ea80912860e1f5a9d32
Opcode Fuzzy Hash: 3e7848c5d8ccd68897fd3dc0c60ec9100719e256370e1b5a6b56709aa303a610
Instruction Fuzzy Hash: 5AE0B675D01119A6DF50BBA5880ABCD7A7CBB10308F408862B648F2082EE7896994B59

Uniqueness

Uniqueness Score: -1.00%

Function 00410E73, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00410E78

Part of subcall function 0040148F: __EH_prolog.LIBCMT ref: 00401494

__CxxThrowException@8.LIBCMT ref: 00410EB2

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Strings

deque<T> too long, xrefs: 00410E85

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrow
String ID: deque<T> too long
API String ID: 1193697898-309773918
Opcode ID: a05541004ef29bb8772b11375c364d60027a38f8da324c2018db6ef0476ed302
Instruction ID: 3d844b7491a3e5a869290e68ab56627180a9a4cf341f9215d91d1ebeaf02d25e
Opcode Fuzzy Hash: a05541004ef29bb8772b11375c364d60027a38f8da324c2018db6ef0476ed302
Instruction Fuzzy Hash: A4E04F718501099AD704FBD0C85ABDD7FBC7B14304F04042AFA00B6096EBB45608CB24

Uniqueness

Uniqueness Score: -1.00%

Function 0040D5D3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040D5D8
__CxxThrowException@8.LIBCMT ref: 0040D613

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Strings

<@, xrefs: 0040D5F8, 0040D5FE

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionException@8H_prologRaiseThrow
String ID: <@
API String ID: 1681477883-3776883955
Opcode ID: 6b506633d70b07f992b1f80c780c957dc9604cd4c421f5f6c6d500fb20d6d961
Instruction ID: 482e05f01d4a7653e1dba6df5827e92d8cccd19cb72294c9c8517d2cc707f84a
Opcode Fuzzy Hash: 6b506633d70b07f992b1f80c780c957dc9604cd4c421f5f6c6d500fb20d6d961
Instruction Fuzzy Hash: E3E0EC71D0010DA6DF50BBE5C80ABCD7AACBF10309F518C66B548F3082EE38A7594F59

Uniqueness

Uniqueness Score: -1.00%

Function 0056BF73, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0056BF81

Part of subcall function 00556112: __mtinitlocknum.LIBCMT ref: 00556128
Part of subcall function 00556112: __amsg_exit.LIBCMT ref: 00556134
Part of subcall function 00556112: RtlEnterCriticalSection.NTDLL(?), ref: 0055613C

__getdcwd_nolock.LIBCMT ref: 0056BF93

Strings

I?I, xrefs: 0056BF8B

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: CriticalEnterSection__amsg_exit__getdcwd_nolock__lock__mtinitlocknum
String ID: I?I
API String ID: 1608177133-3621043285
Opcode ID: e0b3a07f3aaa2e70eb52020f99f348668cb7e4b461f97eff7a841c3c4d12a17c
Instruction ID: ddb5241d2341c8fa7046cfe55d2db4cad3b2fc9dd23c47ce99b84fbfbe3cdff2
Opcode Fuzzy Hash: e0b3a07f3aaa2e70eb52020f99f348668cb7e4b461f97eff7a841c3c4d12a17c
Instruction Fuzzy Hash: DDE0463698130AAAEB10BBA4CC1BB8C7E21BB80722F108106F5286A2D2CA7856449B41

Uniqueness

Uniqueness Score: -1.00%

Function 0054D77F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0054D786
__CxxThrowException@8.LIBCMT ref: 0054D7B1

Part of subcall function 0054F67B: RaiseException.KERNEL32(?,?,0054DED7,?,?,?,?,?,0054DED7,?,005DB794,005FBA64), ref: 0054F6BD

Strings

invalid string position, xrefs: 0054D78B

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrow
String ID: invalid string position
API String ID: 1961742612-1799206989
Opcode ID: a2355e74667d0e96fafbf53d6d3ef8c3a056ea7e69f05a33a57f3a2b07b4c831
Instruction ID: c65fba52e4357f925ff41530b1b7a7bab157990fc253210c9770f05e5ed54c20
Opcode Fuzzy Hash: a2355e74667d0e96fafbf53d6d3ef8c3a056ea7e69f05a33a57f3a2b07b4c831
Instruction Fuzzy Hash: 4DD0127295020996DB04F6D4C85AEDD7FBCBF14304F40546AB601BA085EBB45A04CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00486957, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12sleepnetworkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00002726,00486BD1,00000000,00000000,00000005,00000000,?,0047F8D3,00000000,00000000,000003E8,00000000,?,?,?,0047E0B9), ref: 00486966
Sleep.KERNEL32(bP@,00486BD1,00000000,00000000,00000005,00000000,?,0047F8D3,00000000,00000000,000003E8,00000000,?,?,?,0047E0B9), ref: 00486971

Strings

bP@, xrefs: 00486957, 00486970

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: ErrorLastSleep
String ID: bP@
API String ID: 1458359878-2020989592
Opcode ID: 62998d30e1319c0fe576a722794b8ff953c98b9cc67cee6049a1788114206973
Instruction ID: b81ff277d398858d1eb431061022ebe339a1f9c4cc82e9d96002f5d1c79792e9
Opcode Fuzzy Hash: 62998d30e1319c0fe576a722794b8ff953c98b9cc67cee6049a1788114206973
Instruction Fuzzy Hash: 21C012B0700202979E002B748C0C61E32E86BA4762B814F45FA24D80D0DB38D404AB14

Uniqueness

Uniqueness Score: -1.00%

Function 00566720, Relevance: 5.1, APIs: 4, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 005667B6
HeapFree.KERNEL32(00000000), ref: 005667BD
GetProcessHeap.KERNEL32(00000000,0BA3A0FA), ref: 005667E8
HeapFree.KERNEL32(00000000), ref: 005667EF

Part of subcall function 005664B0: TlsGetValue.KERNEL32(00000000,0BA3A0FA,?,00000000,?,0BA3A0FA), ref: 0056651B
Part of subcall function 005664B0: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 0056658A
Part of subcall function 005664B0: SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,0BA3A0FA), ref: 005665BD

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Heap$FreeProcessTimerWaitable$CreateValue
String ID:
API String ID: 3072597929-0
Opcode ID: 48636be8f4a94227aa95b884e29699227c58c3142cc1972680ad1cf019b1f752
Instruction ID: 73aa6a0a45b03615fab9055cd7e970b15851b9833d1b9bcae778440813fc0569
Opcode Fuzzy Hash: 48636be8f4a94227aa95b884e29699227c58c3142cc1972680ad1cf019b1f752
Instruction Fuzzy Hash: 54219C716046019FD710DF68C885B1BBBE8FB89725F008629FA558B290EB34A809CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 005659F0, Relevance: 5.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00000000,?,00000000,0057E808,000000FF,00406779,00000001,00000000,00000001,00000000,?,xmode), ref: 00565A54
HeapFree.KERNEL32(00000000,?,00000000,?,00000000,0057E808,000000FF,00406779,00000001,00000000,00000001,00000000,?,xmode), ref: 00565A57
GetProcessHeap.KERNEL32(00000000,?,?,00000000,?,00000000,0057E808,000000FF,00406779,00000001,00000000,00000001,00000000,?,xmode), ref: 00565A80
HeapFree.KERNEL32(00000000,?,00000000,?,00000000,0057E808,000000FF,00406779,00000001,00000000,00000001,00000000,?,xmode), ref: 00565A83

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: e4605458b1f26976028d6a189664f506c948956c1f3e7384f127a485c0b910c8
Instruction ID: c71abc59a1471a17557de82831ecf0c2818dc55f9c3483f24bc709260ea0150e
Opcode Fuzzy Hash: e4605458b1f26976028d6a189664f506c948956c1f3e7384f127a485c0b910c8
Instruction Fuzzy Hash: EE11BE71645B109FD310CF58CC81B2ABBE8FB89B70F100719E9648B3D0EB35A801CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040F042, Relevance: 5.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,0040EEFE,00000001,00000001), ref: 0040F04A
CloseHandle.KERNEL32(?,0040EEFE,00000001,00000001), ref: 0040F05C
CloseHandle.KERNEL32(?,0040EEFE,00000001,00000001), ref: 0040F06E
CloseHandle.KERNEL32(?,0040EEFE,00000001,00000001), ref: 0040F080

Memory Dump Source

Source File: 00000002.00000002.414979337.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.416883751.00000000005E5000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.416986683.00000000005FF000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.417014829.0000000000604000.00000040.00000001.sdmp Download File

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 751f47e8ec7c1f8cd04c87943f27f8ee9a87f0f2da027f6d3e018a656329ce2f
Instruction ID: df87bf9c783cc774c7383b0d216860b11489985fe752ad8cd4369dc9f9f655d5
Opcode Fuzzy Hash: 751f47e8ec7c1f8cd04c87943f27f8ee9a87f0f2da027f6d3e018a656329ce2f
Instruction Fuzzy Hash: 1BF07431600B44AFD7309B2AC848B2773E8BF11786F044839A482D6A90C77DE408DB24

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: csrss.exe PID: 5636 Parent PID: 3440 csrss.exeCOMMON

Executed Functions

Function 007E3D80, Relevance: 4.7, APIs: 3, Instructions: 220memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 007E3DC5
VirtualProtect.KERNELBASE(?,?,00000000,?,?,?,?), ref: 007E3E79
VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 007E3ED2

Memory Dump Source

Source File: 00000004.00000002.440627622.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID: Virtual$Alloc$Protect
String ID:
API String ID: 655996629-0
Opcode ID: 906e68909d15a4fb586f7e88fc43e186f601afe9a98fa1fb1e7fddc7105f0e08
Instruction ID: ecf168ae13ec177412f1bb3c6c2f9467f7cf7e6bdb49846c71861437c552f32c
Opcode Fuzzy Hash: 906e68909d15a4fb586f7e88fc43e186f601afe9a98fa1fb1e7fddc7105f0e08
Instruction Fuzzy Hash: 9CA1B9B5A01109DFCB08CF99D495EAEB7B5BF4C314F208159E909AB342D775EE82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 007E3830, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 007E389C

Strings

VirtualAlloc, xrefs: 007E3881, 007E3884

Memory Dump Source

Source File: 00000004.00000002.440627622.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: ea834c74fc57b1eb379842a09c45168dceb37f59ab5946c3ea9aff66bb75d60b
Instruction ID: 5c797519e89640c905bb416ff23f97472101e3ddc379c1a877170092d5732882
Opcode Fuzzy Hash: ea834c74fc57b1eb379842a09c45168dceb37f59ab5946c3ea9aff66bb75d60b
Instruction Fuzzy Hash: 6101ED60D082C9EAEB01D7E8C409BFFBFB55F15704F1440D8EA846B282D6BE575887B6

Uniqueness

Uniqueness Score: -1.00%

Function 007E3B00, Relevance: 1.6, APIs: 1, Instructions: 77libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 007E3B58

Memory Dump Source

Source File: 00000004.00000002.440627622.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a2c2d76fb87602c03bfdf45c71e65d7c2dc1016122473ecb74e563991d5f964e
Instruction ID: 71825688ac80a766dc42c5d2069c8ff87c22492cdbd4866ae6910c9f96ac9e10
Opcode Fuzzy Hash: a2c2d76fb87602c03bfdf45c71e65d7c2dc1016122473ecb74e563991d5f964e
Instruction Fuzzy Hash: 9F31A8B5A01109DFCB04CF99C884AADB7B5FF8C314F24C299D819AB355D735AA41CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report yjOapKcgE1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Code Manipulations

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Network protocol analysis
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify visual content available internally or externally to an enterprise network. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.
Tactics:	Impact
Data Sources:	Packet capture, Packet capture, Web application firewall logs, Web logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre