Play interactive tour

Edit tour

Windows Analysis Report yWteP7e12z

Overview

General Information

Sample Name:	yWteP7e12z (renamed file extension from none to dll)
Analysis ID:	492789
MD5:	a75be08d11b5028b6e0fa8be59676599
SHA1:	c47a48e04dc10641df07dba7dbbb73602e6615aa
SHA256:	7500211dd9ce4e45664ae07e4eb58ca361c4551f1c2b52d00bb0da547e9cdc2a
Tags:	Dridexexe
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Benign windows process drops PE files

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Changes memory attributes in foreign processes to executable or writable

Machine Learning detection for sample

Queues an APC in another process (thread injection)

Machine Learning detection for dropped file

Contains functionality to prevent local Windows debugging

Uses Atom Bombing / ProGate to inject into other processes

PE file contains section with special chars

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Queries the installation date of Windows

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality for execution timing, often used to detect debuggers

PE file contains an invalid checksum

PE file contains strange resources

Drops PE files

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Binary contains a suspicious time stamp

PE file contains more sections than normal

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 6928 cmdline: loaddll64.exe 'C:\Users\user\Desktop\yWteP7e12z.dll' MD5: E0CC9D126C39A9D2FA1CAD5027EBBD18)

cmd.exe (PID: 4668 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\yWteP7e12z.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 4528 cmdline: rundll32.exe 'C:\Users\user\Desktop\yWteP7e12z.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 4536 cmdline: rundll32.exe C:\Users\user\Desktop\yWteP7e12z.dll,BeginBufferedAnimation MD5: 73C519F050C20580F8A62C849D49215A)

explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

recdisc.exe (PID: 6628 cmdline: C:\Windows\system32\recdisc.exe MD5: D2AEFB37C329E455DC2C17D3AA049666)

SnippingTool.exe (PID: 7044 cmdline: C:\Windows\system32\SnippingTool.exe MD5: 9012F9C6AC7F3F99ECDD37E24C9AC3BB)

SnippingTool.exe (PID: 6200 cmdline: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe MD5: 9012F9C6AC7F3F99ECDD37E24C9AC3BB)

raserver.exe (PID: 3604 cmdline: C:\Windows\system32\raserver.exe MD5: DE2022F0B86E33875D8A40B65550CFEB)

raserver.exe (PID: 2992 cmdline: C:\Users\user\AppData\Local\eQL\raserver.exe MD5: DE2022F0B86E33875D8A40B65550CFEB)

ddodiag.exe (PID: 5808 cmdline: C:\Windows\system32\ddodiag.exe MD5: 3CE911D7C12A2EFA9108514013BD17FE)

ddodiag.exe (PID: 5828 cmdline: C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe MD5: 3CE911D7C12A2EFA9108514013BD17FE)

dccw.exe (PID: 2364 cmdline: C:\Windows\system32\dccw.exe MD5: 341515B9556F37E623777D1C377BCFAC)

SppExtComObj.Exe (PID: 6280 cmdline: C:\Windows\system32\SppExtComObj.Exe MD5: 809E11DECADAEBE2454EFEDD620C4769)

SppExtComObj.Exe (PID: 5620 cmdline: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe MD5: 809E11DECADAEBE2454EFEDD620C4769)

WMPDMC.exe (PID: 6628 cmdline: C:\Windows\system32\WMPDMC.exe MD5: 4085FDA375E50214142BD740559F5835)

WMPDMC.exe (PID: 6480 cmdline: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe MD5: 4085FDA375E50214142BD740559F5835)

wscript.exe (PID: 5532 cmdline: C:\Windows\system32\wscript.exe MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

wscript.exe (PID: 5012 cmdline: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

BdeUISrv.exe (PID: 5368 cmdline: C:\Windows\system32\BdeUISrv.exe MD5: 25D86BC656025F38D6E626B606F1D39D)

BdeUISrv.exe (PID: 6080 cmdline: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe MD5: 25D86BC656025F38D6E626B606F1D39D)

rundll32.exe (PID: 6568 cmdline: rundll32.exe C:\Users\user\Desktop\yWteP7e12z.dll,BeginBufferedPaint MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 3912 cmdline: rundll32.exe C:\Users\user\Desktop\yWteP7e12z.dll,BeginPanningFeedback MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.290585928.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000002.00000002.384630779.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000020.00000002.502508138.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000022.00000002.529404050.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000029.00000002.583509816.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000008.00000002.299168621.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000025.00000002.556857266.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000009.00000002.305431916.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0000001C.00000002.469517159.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000013.00000002.415702992.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0000001A.00000002.443389132.0000000140001000.00000020.00020000.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
Click to see the 7 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: yWteP7e12z.dll	Virustotal: Detection: 64%			Perma Link
Source: yWteP7e12z.dll	ReversingLabs: Detection: 77%

Antivirus / Scanner detection for submitted sample

Show sources

Source: yWteP7e12z.dll

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\JFuMqIg\VERSION.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\2lBRPi\WTSAPI32.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\2Pnr0hm64\XmlLite.dll	Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\2Pnr0hm64\XmlLite.dll	Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\2lBRPi\WTSAPI32.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\2Pnr0hm64\XmlLite.dll	Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\jYs4ma0u\ACTIVEDS.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\7YI8zy\OLEACC.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\7YI8zy\OLEACC.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\7YI8zy\OLEACC.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen

Machine Learning detection for sample

Show sources

Source: yWteP7e12z.dll

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\JFuMqIg\VERSION.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2lBRPi\WTSAPI32.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2Pnr0hm64\XmlLite.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2Pnr0hm64\XmlLite.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2lBRPi\WTSAPI32.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\2Pnr0hm64\XmlLite.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\jYs4ma0u\ACTIVEDS.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\7YI8zy\OLEACC.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\7YI8zy\OLEACC.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\7YI8zy\OLEACC.dll	Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\eQL\raserver.exe	Code function: 26_2_00007FF74E11E7CC SysFreeString,SysAllocString,SysStringLen,SysFreeString,SysAllocString,SysStringLen,SysFreeString,SysStringByteLen,SysAllocStringByteLen,SysFreeString,SysStringByteLen,SysAllocStringByteLen,SysStringLen,CryptImportKey,free,SysStringLen,CryptDecrypt,SysAllocStringByteLen,SysFreeString,free,CryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	26_2_00007FF74E11E7CC
Source: C:\Users\user\AppData\Local\eQL\raserver.exe	Code function: 26_2_00007FF74E11E3A0 CryptBinaryToStringW,GetLastError,malloc,CryptBinaryToStringW,GetLastError,free,SysFreeString,	26_2_00007FF74E11E3A0
Source: C:\Users\user\AppData\Local\eQL\raserver.exe	Code function: 26_2_00007FF74E11E530 CryptStringToBinaryW,GetLastError,malloc,CryptStringToBinaryW,GetLastError,	26_2_00007FF74E11E530
Source: C:\Users\user\AppData\Local\eQL\raserver.exe	Code function: 26_2_00007FF74E11CDC8 CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,??3@YAXPEAX@Z,	26_2_00007FF74E11CDC8
Source: C:\Users\user\AppData\Local\eQL\raserver.exe	Code function: 26_2_00007FF74E11DE38 CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGenKey,GetLastError,GetLastError,	26_2_00007FF74E11DE38
Source: C:\Users\user\AppData\Local\eQL\raserver.exe	Code function: 26_2_00007FF74E11E22C CryptExportKey,GetLastError,malloc,CryptExportKey,GetLastError,free,	26_2_00007FF74E11E22C
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF791479B90 CryptGenRandom,GetLastError,	32_2_00007FF791479B90
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF791479520 CryptReleaseContext,	32_2_00007FF791479520
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF791479F20 CryptAcquireContextW,GetLastError,	32_2_00007FF791479F20

Source: yWteP7e12z.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: SppExtComObj.pdb source: SppExtComObj.Exe, 00000020.00000000.480829026.00007FF7914D1000.00000002.00020000.sdmp
Source:	Binary string: wscript.pdbGCTL source: wscript.exe, 00000025.00000002.559644071.00007FF6E8935000.00000002.00020000.sdmp
Source:	Binary string: BdeUISrv.pdb source: BdeUISrv.exe, 00000029.00000000.561844612.00007FF6E6D69000.00000002.00020000.sdmp
Source:	Binary string: SnippingTool.pdb source: SnippingTool.exe, 00000013.00000000.393138580.00007FF73D070000.00000002.00020000.sdmp
Source:	Binary string: SnippingTool.pdbGCTL source: SnippingTool.exe, 00000013.00000000.393138580.00007FF73D070000.00000002.00020000.sdmp
Source:	Binary string: BdeUISrv.pdbGCTL source: BdeUISrv.exe, 00000029.00000000.561844612.00007FF6E6D69000.00000002.00020000.sdmp
Source:	Binary string: RAServer.pdb source: raserver.exe, 0000001A.00000000.421498383.00007FF74E123000.00000002.00020000.sdmp
Source:	Binary string: WMPDMC.pdbGCTL source: WMPDMC.exe, 00000022.00000000.507457464.00007FF67B6CD000.00000002.00020000.sdmp
Source:	Binary string: wscript.pdb source: wscript.exe, 00000025.00000002.559644071.00007FF6E8935000.00000002.00020000.sdmp
Source:	Binary string: SppExtComObj.pdbUGP source: SppExtComObj.Exe, 00000020.00000000.480829026.00007FF7914D1000.00000002.00020000.sdmp
Source:	Binary string: RAServer.pdbGCTL source: raserver.exe, 0000001A.00000000.421498383.00007FF74E123000.00000002.00020000.sdmp
Source:	Binary string: DDODiag.pdbGCTL source: ddodiag.exe, 0000001C.00000000.447876390.00007FF740984000.00000002.00020000.sdmp
Source:	Binary string: DDODiag.pdb source: ddodiag.exe, 0000001C.00000000.447876390.00007FF740984000.00000002.00020000.sdmp
Source:	Binary string: WMPDMC.pdb source: WMPDMC.exe, 00000022.00000000.507457464.00007FF67B6CD000.00000002.00020000.sdmp

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014005D290 FindFirstFileExW,		0_2_000000014005D290
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe	Code function: 37_2_00007FF6E892D4A0 GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,GetLastError,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose,		37_2_00007FF6E892D4A0

Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe

Code function: 34_2_00007FF67B612AE8 GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,GetObjectW,GdiplusStartup,GdipAlloc,GdipCreateBitmapFromHBITMAP,GdipGetImageWidth,GdipGetImageHeight,GdipCreateHBITMAPFromBitmap,GdiplusShutdown,DeleteObject,DeleteDC,ReleaseDC,

34_2_00007FF67B612AE8

Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe

Code function: 19_2_00007FF73D0437A8 OpenClipboard,GetLastError,

19_2_00007FF73D0437A8

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 00000003.00000002.290585928.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.384630779.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.502508138.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.529404050.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.583509816.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.299168621.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.556857266.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.305431916.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.469517159.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.415702992.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.443389132.0000000140001000.00000020.00020000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\eQL\raserver.exe

Code function: 26_2_00007FF74E11E7CC SysFreeString,SysAllocString,SysStringLen,SysFreeString,SysAllocString,SysStringLen,SysFreeString,SysStringByteLen,SysAllocStringByteLen,SysFreeString,SysStringByteLen,SysAllocStringByteLen,SysStringLen,CryptImportKey,free,SysStringLen,CryptDecrypt,SysAllocStringByteLen,SysFreeString,free,CryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

26_2_00007FF74E11E7CC

System Summary:

PE file contains section with special chars

Show sources

Source: SppExtComObj.Exe.5.dr

Static PE information: section name: ?g_Encry

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140034870	0_2_0000000140034870
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140035270	0_2_0000000140035270
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140048AC0	0_2_0000000140048AC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014005C340	0_2_000000014005C340
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140065B80	0_2_0000000140065B80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006A4B0	0_2_000000014006A4B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400524B0	0_2_00000001400524B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140026CC0	0_2_0000000140026CC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014004BD40	0_2_000000014004BD40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400495B0	0_2_00000001400495B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140036F30	0_2_0000000140036F30
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140069010	0_2_0000000140069010
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140001010	0_2_0000000140001010
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140066020	0_2_0000000140066020
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002F840	0_2_000000014002F840
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014005D850	0_2_000000014005D850
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140064080	0_2_0000000140064080
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140010880	0_2_0000000140010880
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400688A0	0_2_00000001400688A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002D0D0	0_2_000000014002D0D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400018D0	0_2_00000001400018D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140016100	0_2_0000000140016100
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014001D100	0_2_000000014001D100
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002A110	0_2_000000014002A110
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014001D910	0_2_000000014001D910
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140015120	0_2_0000000140015120
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014000B120	0_2_000000014000B120
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014004F940	0_2_000000014004F940
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140039140	0_2_0000000140039140
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140023140	0_2_0000000140023140
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140057950	0_2_0000000140057950
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014001E170	0_2_000000014001E170
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140002980	0_2_0000000140002980
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400611A0	0_2_00000001400611A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400389A0	0_2_00000001400389A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400381A0	0_2_00000001400381A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002E1B0	0_2_000000014002E1B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400139D0	0_2_00000001400139D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400319F0	0_2_00000001400319F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002EA00	0_2_000000014002EA00
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140022A00	0_2_0000000140022A00
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014003B220	0_2_000000014003B220
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140067A40	0_2_0000000140067A40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140069A50	0_2_0000000140069A50
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140007A60	0_2_0000000140007A60
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014003AAC0	0_2_000000014003AAC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014003A2E0	0_2_000000014003A2E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140062B00	0_2_0000000140062B00
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140018300	0_2_0000000140018300
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002FB20	0_2_000000014002FB20
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140031340	0_2_0000000140031340
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140022340	0_2_0000000140022340
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140017B40	0_2_0000000140017B40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014000BB40	0_2_000000014000BB40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014004EB60	0_2_000000014004EB60
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140005370	0_2_0000000140005370
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002CB80	0_2_000000014002CB80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006B390	0_2_000000014006B390
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140054BA0	0_2_0000000140054BA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140033BB0	0_2_0000000140033BB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400263C0	0_2_00000001400263C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400123C0	0_2_00000001400123C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140063BD0	0_2_0000000140063BD0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400663F0	0_2_00000001400663F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140023BF0	0_2_0000000140023BF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006B41B	0_2_000000014006B41B
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006B424	0_2_000000014006B424
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006B42D	0_2_000000014006B42D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006B436	0_2_000000014006B436
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006B43D	0_2_000000014006B43D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140024440	0_2_0000000140024440
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140005C40	0_2_0000000140005C40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006B446	0_2_000000014006B446
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014005F490	0_2_000000014005F490
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140022D00	0_2_0000000140022D00
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140035520	0_2_0000000140035520
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140019D20	0_2_0000000140019D20
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140030530	0_2_0000000140030530
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140023530	0_2_0000000140023530
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140031540	0_2_0000000140031540
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140033540	0_2_0000000140033540
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014007BD50	0_2_000000014007BD50
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140078570	0_2_0000000140078570
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140019580	0_2_0000000140019580
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400205A0	0_2_00000001400205A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140025DB0	0_2_0000000140025DB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140071DC0	0_2_0000000140071DC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014000C5C0	0_2_000000014000C5C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002DDE0	0_2_000000014002DDE0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140031DF0	0_2_0000000140031DF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014000DDF0	0_2_000000014000DDF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140001620	0_2_0000000140001620
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140018630	0_2_0000000140018630
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140032650	0_2_0000000140032650
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140064E80	0_2_0000000140064E80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140016E80	0_2_0000000140016E80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140007EA0	0_2_0000000140007EA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400286B0	0_2_00000001400286B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140006EB0	0_2_0000000140006EB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400276C0	0_2_00000001400276C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002FEC0	0_2_000000014002FEC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002EED0	0_2_000000014002EED0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002B6E0	0_2_000000014002B6E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140053F20	0_2_0000000140053F20
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140022730	0_2_0000000140022730
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140029780	0_2_0000000140029780
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140018F80	0_2_0000000140018F80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014003EFB0	0_2_000000014003EFB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400067B0	0_2_00000001400067B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400667D0	0_2_00000001400667D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140060FE0	0_2_0000000140060FE0
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Code function: 19_2_00007FF73D058A64	19_2_00007FF73D058A64
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Code function: 19_2_00007FF73D04AE80	19_2_00007FF73D04AE80
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Code function: 19_2_00007FF73D045EBC	19_2_00007FF73D045EBC
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Code function: 19_2_00007FF73D048D50	19_2_00007FF73D048D50
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Code function: 19_2_00007FF73D049978	19_2_00007FF73D049978
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Code function: 19_2_00007FF73D0539A8	19_2_00007FF73D0539A8
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Code function: 19_2_00007FF73D054598	19_2_00007FF73D054598
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Code function: 19_2_00007FF73D0429F4	19_2_00007FF73D0429F4
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Code function: 19_2_00007FF73D041600	19_2_00007FF73D041600
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Code function: 19_2_00007FF73D05C470	19_2_00007FF73D05C470
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Code function: 19_2_00007FF73D06EC80	19_2_00007FF73D06EC80
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Code function: 19_2_00007FF73D0458C0	19_2_00007FF73D0458C0
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Code function: 19_2_00007FF73D04250C	19_2_00007FF73D04250C
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Code function: 19_2_00007FF73D05EF38	19_2_00007FF73D05EF38
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Code function: 19_2_00007FF73D049338	19_2_00007FF73D049338
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Code function: 19_2_00007FF73D041F60	19_2_00007FF73D041F60
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Code function: 19_2_00007FF73D04EB98	19_2_00007FF73D04EB98
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Code function: 19_2_00007FF73D05F3CC	19_2_00007FF73D05F3CC
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Code function: 19_2_00007FF73D059008	19_2_00007FF73D059008
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Code function: 19_2_00007FF73D055FF8	19_2_00007FF73D055FF8
Source: C:\Users\user\AppData\Local\eQL\raserver.exe	Code function: 26_2_00007FF74E119740	26_2_00007FF74E119740
Source: C:\Users\user\AppData\Local\eQL\raserver.exe	Code function: 26_2_00007FF74E111FA4	26_2_00007FF74E111FA4
Source: C:\Users\user\AppData\Local\eQL\raserver.exe	Code function: 26_2_00007FF74E1177B4	26_2_00007FF74E1177B4
Source: C:\Users\user\AppData\Local\eQL\raserver.exe	Code function: 26_2_00007FF74E117008	26_2_00007FF74E117008
Source: C:\Users\user\AppData\Local\eQL\raserver.exe	Code function: 26_2_00007FF74E1183E0	26_2_00007FF74E1183E0
Source: C:\Users\user\AppData\Local\eQL\raserver.exe	Code function: 26_2_00007FF74E11C87C	26_2_00007FF74E11C87C
Source: C:\Users\user\AppData\Local\eQL\raserver.exe	Code function: 26_2_00007FF74E11B4DC	26_2_00007FF74E11B4DC
Source: C:\Users\user\AppData\Local\eQL\raserver.exe	Code function: 26_2_00007FF74E11BD30	26_2_00007FF74E11BD30
Source: C:\Users\user\AppData\Local\eQL\raserver.exe	Code function: 26_2_00007FF74E11A9AC	26_2_00007FF74E11A9AC
Source: C:\Users\user\AppData\Local\eQL\raserver.exe	Code function: 26_2_00007FF74E119DAC	26_2_00007FF74E119DAC
Source: C:\Users\user\AppData\Local\eQL\raserver.exe	Code function: 26_2_00007FF74E112A08	26_2_00007FF74E112A08
Source: C:\Users\user\AppData\Local\eQL\raserver.exe	Code function: 26_2_00007FF74E11D2B0	26_2_00007FF74E11D2B0
Source: C:\Users\user\AppData\Local\eQL\raserver.exe	Code function: 26_2_00007FF74E11A2EC	26_2_00007FF74E11A2EC
Source: C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe	Code function: 28_2_00007FF7409826A0	28_2_00007FF7409826A0
Source: C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe	Code function: 28_2_00007FF74098236C	28_2_00007FF74098236C
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF79146CA30	32_2_00007FF79146CA30
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF79146BB70	32_2_00007FF79146BB70
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF79146B3B0	32_2_00007FF79146B3B0
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF79146C690	32_2_00007FF79146C690
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF79146CE10	32_2_00007FF79146CE10
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF79146B7A0	32_2_00007FF79146B7A0
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B62DC68	34_2_00007FF67B62DC68
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B64FD30	34_2_00007FF67B64FD30
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B691D00	34_2_00007FF67B691D00
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B645CD8	34_2_00007FF67B645CD8
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B5F7B78	34_2_00007FF67B5F7B78
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B63BB7C	34_2_00007FF67B63BB7C
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B67FC30	34_2_00007FF67B67FC30
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B6C5BB8	34_2_00007FF67B6C5BB8
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B647BC0	34_2_00007FF67B647BC0
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B621A98	34_2_00007FF67B621A98
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B6B5A90	34_2_00007FF67B6B5A90
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B695A78	34_2_00007FF67B695A78
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B6ABA68	34_2_00007FF67B6ABA68
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B665AFC	34_2_00007FF67B665AFC
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B601AF0	34_2_00007FF67B601AF0
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B6499A0	34_2_00007FF67B6499A0
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B6AD9F4	34_2_00007FF67B6AD9F4
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B6520B4	34_2_00007FF67B6520B4
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B68003C	34_2_00007FF67B68003C
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B6B011C	34_2_00007FF67B6B011C
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B5FE0FC	34_2_00007FF67B5FE0FC
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B64A0E0	34_2_00007FF67B64A0E0
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B6B6020	34_2_00007FF67B6B6020
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B699FC8	34_2_00007FF67B699FC8
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B64BFB8	34_2_00007FF67B64BFB8
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B6B1EA0	34_2_00007FF67B6B1EA0
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B66DE58	34_2_00007FF67B66DE58
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B6A5E48	34_2_00007FF67B6A5E48
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B69FE18	34_2_00007FF67B69FE18
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B6A94B4	34_2_00007FF67B6A94B4
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B67D490	34_2_00007FF67B67D490
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B673510	34_2_00007FF67B673510
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B6AD4D8	34_2_00007FF67B6AD4D8
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B6174B8	34_2_00007FF67B6174B8
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B6454BC	34_2_00007FF67B6454BC
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B6A33A0	34_2_00007FF67B6A33A0
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B5FF35C	34_2_00007FF67B5FF35C
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B63D310	34_2_00007FF67B63D310
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B63731C	34_2_00007FF67B63731C
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B631320	34_2_00007FF67B631320
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B61D2F8	34_2_00007FF67B61D2F8
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B6A52C0	34_2_00007FF67B6A52C0
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B6032CC	34_2_00007FF67B6032CC
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B6B11B4	34_2_00007FF67B6B11B4
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B67F18C	34_2_00007FF67B67F18C
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B67B140	34_2_00007FF67B67B140
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B6C31F0	34_2_00007FF67B6C31F0
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B5F4E60	34_2_00007FF67B5F4E60
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B65D1C0	34_2_00007FF67B65D1C0
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B605930	34_2_00007FF67B605930
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B633910	34_2_00007FF67B633910
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B69B78C	34_2_00007FF67B69B78C
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B61976C	34_2_00007FF67B61976C
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B6B175C	34_2_00007FF67B6B175C
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B63773C	34_2_00007FF67B63773C
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B67D820	34_2_00007FF67B67D820
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B6957D8	34_2_00007FF67B6957D8
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B6BD7D0	34_2_00007FF67B6BD7D0
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B65171C	34_2_00007FF67B65171C
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B639590	34_2_00007FF67B639590
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B64B610	34_2_00007FF67B64B610
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B65D5F4	34_2_00007FF67B65D5F4
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B67AC70	34_2_00007FF67B67AC70
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B664D18	34_2_00007FF67B664D18
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B60AB3C	34_2_00007FF67B60AB3C
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B61AB44	34_2_00007FF67B61AB44
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B65CBE8	34_2_00007FF67B65CBE8
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B602A84	34_2_00007FF67B602A84
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B644A8C	34_2_00007FF67B644A8C
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B646940	34_2_00007FF67B646940
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B638A0C	34_2_00007FF67B638A0C
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B69A9D0	34_2_00007FF67B69A9D0
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B65504C	34_2_00007FF67B65504C
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B698FA0	34_2_00007FF67B698FA0
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B624F80	34_2_00007FF67B624F80
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B630F54	34_2_00007FF67B630F54
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B61D034	34_2_00007FF67B61D034
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B664FFC	34_2_00007FF67B664FFC
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B687000	34_2_00007FF67B687000
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B68CE54	34_2_00007FF67B68CE54
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B68AD78	34_2_00007FF67B68AD78
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B620D50	34_2_00007FF67B620D50
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B67CD50	34_2_00007FF67B67CD50
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B692E28	34_2_00007FF67B692E28
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B6B0E08	34_2_00007FF67B6B0E08
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B632498	34_2_00007FF67B632498
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B6BC464	34_2_00007FF67B6BC464
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B66E510	34_2_00007FF67B66E510
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B60C4F4	34_2_00007FF67B60C4F4
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B5F84E8	34_2_00007FF67B5F84E8
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B64A340	34_2_00007FF67B64A340
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B686428	34_2_00007FF67B686428
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B68C3F0	34_2_00007FF67B68C3F0
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B60A3F0	34_2_00007FF67B60A3F0
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B6463C8	34_2_00007FF67B6463C8
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe	Code function: 37_2_00007FF6E89321C4	37_2_00007FF6E89321C4
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe	Code function: 37_2_00007FF6E8931A34	37_2_00007FF6E8931A34
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe	Code function: 37_2_00007FF6E8925A34	37_2_00007FF6E8925A34
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe	Code function: 37_2_00007FF6E8926954	37_2_00007FF6E8926954
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe	Code function: 37_2_00007FF6E89291AC	37_2_00007FF6E89291AC
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe	Code function: 37_2_00007FF6E8927B1C	37_2_00007FF6E8927B1C
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe	Code function: 37_2_00007FF6E892AE8C	37_2_00007FF6E892AE8C
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe	Code function: 37_2_00007FF6E8930A94	37_2_00007FF6E8930A94
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe	Code function: 37_2_00007FF6E893340C	37_2_00007FF6E893340C
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe	Code function: 37_2_00007FF6E8931F68	37_2_00007FF6E8931F68
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe	Code function: 37_2_00007FF6E8928348	37_2_00007FF6E8928348
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe	Code function: 37_2_00007FF6E89234D8	37_2_00007FF6E89234D8
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe	Code function: 37_2_00007FF6E8931C9C	37_2_00007FF6E8931C9C
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe	Code function: 37_2_00007FF6E89314A0	37_2_00007FF6E89314A0
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe	Code function: 41_2_00007FF6E6D62134	41_2_00007FF6E6D62134
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe	Code function: 41_2_00007FF6E6D64500	41_2_00007FF6E6D64500
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe	Code function: 41_2_00007FF6E6D638D0	41_2_00007FF6E6D638D0
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe	Code function: 41_2_00007FF6E6D62A9C	41_2_00007FF6E6D62A9C
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe	Code function: 41_2_00007FF6E6D64D78	41_2_00007FF6E6D64D78
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe	Code function: 41_2_00007FF6E6D63F74	41_2_00007FF6E6D63F74

Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: String function: 00007FF67B5F3240 appears 37 times
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Code function: String function: 00007FF73D061454 appears 227 times
Source: C:\Users\user\AppData\Local\eQL\raserver.exe	Code function: String function: 00007FF74E11FA1C appears 106 times

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140046C90 NtClose,	0_2_0000000140046C90
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014006A4B0 NtQuerySystemInformation,	0_2_000000014006A4B0
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF7914751E0 OpenEventW,NtQuerySystemInformation,	32_2_00007FF7914751E0
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF791480C90 NtQuerySystemInformation,	32_2_00007FF791480C90
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF791479440 NtQuerySystemInformation,	32_2_00007FF791479440
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF791480CE0 NtQuerySystemInformation,	32_2_00007FF791480CE0
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF791479E57 NtQuerySystemInformation,	32_2_00007FF791479E57
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF791479EA0 NtQuerySystemInformation,	32_2_00007FF791479EA0
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF791479E13 NtQuerySystemInformation,	32_2_00007FF791479E13
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF791480820 NtQuerySystemInformation,	32_2_00007FF791480820
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF79147676C NtQuerySystemInformation,	32_2_00007FF79147676C
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF791480780 NtQuerySystemInformation,	32_2_00007FF791480780
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF791480721 NtQuerySystemInformation,	32_2_00007FF791480721
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF79147679C NtQuerySystemInformation,	32_2_00007FF79147679C
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF791480FA0 NtQuerySystemInformation,	32_2_00007FF791480FA0
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF7914807D0 NtQuerySystemInformation,	32_2_00007FF7914807D0
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe	Code function: 37_2_00007FF6E892AE00 GetWindowLongPtrA,SetWindowLongPtrA,NtdllDefWindowProc_A,	37_2_00007FF6E892AE00
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe	Code function: 37_2_00007FF6E892AC78 KillTimer,GetLastError,KillTimer,GetLastError,SetTimer,GetLastError,NtdllDefWindowProc_A,KillTimer,EnumThreadWindows,PostQuitMessage,	37_2_00007FF6E892AC78

Source: SnippingTool.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SnippingTool.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SnippingTool.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SnippingTool.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WMPDMC.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wscript.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wscript.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wscript.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wscript.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sethc.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sethc.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sethc.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MusNotifyIcon.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MusNotifyIcon.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MusNotifyIcon.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MusNotifyIcon.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: yWteP7e12z.dll	Static PE information: Number of sections : 40 > 10
Source: ACTIVEDS.dll.5.dr	Static PE information: Number of sections : 41 > 10
Source: WTSAPI32.dll.5.dr	Static PE information: Number of sections : 41 > 10
Source: OLEACC.dll1.5.dr	Static PE information: Number of sections : 41 > 10
Source: VERSION.dll.5.dr	Static PE information: Number of sections : 41 > 10
Source: XmlLite.dll1.5.dr	Static PE information: Number of sections : 41 > 10
Source: XmlLite.dll0.5.dr	Static PE information: Number of sections : 41 > 10
Source: XmlLite.dll.5.dr	Static PE information: Number of sections : 41 > 10
Source: OLEACC.dll0.5.dr	Static PE information: Number of sections : 41 > 10
Source: OLEACC.dll.5.dr	Static PE information: Number of sections : 41 > 10
Source: WTSAPI32.dll0.5.dr	Static PE information: Number of sections : 41 > 10

Source: yWteP7e12z.dll	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: OLEACC.dll.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WTSAPI32.dll.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ACTIVEDS.dll.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SppExtComObj.Exe.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: OLEACC.dll0.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VERSION.dll.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WTSAPI32.dll0.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll0.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: OLEACC.dll1.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll1.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: yWteP7e12z.dll	Virustotal: Detection: 64%
Source: yWteP7e12z.dll	ReversingLabs: Detection: 77%

Source: yWteP7e12z.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\yWteP7e12z.dll'
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\yWteP7e12z.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yWteP7e12z.dll,BeginBufferedAnimation
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\yWteP7e12z.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yWteP7e12z.dll,BeginBufferedPaint
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yWteP7e12z.dll,BeginPanningFeedback
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\recdisc.exe C:\Windows\system32\recdisc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\SnippingTool.exe C:\Windows\system32\SnippingTool.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\raserver.exe C:\Windows\system32\raserver.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\eQL\raserver.exe C:\Users\user\AppData\Local\eQL\raserver.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\ddodiag.exe C:\Windows\system32\ddodiag.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\dccw.exe C:\Windows\system32\dccw.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\SppExtComObj.Exe C:\Windows\system32\SppExtComObj.Exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\WMPDMC.exe C:\Windows\system32\WMPDMC.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe C:\Users\user\AppData\Local\JFuMqIg\wscript.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\BdeUISrv.exe C:\Windows\system32\BdeUISrv.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\yWteP7e12z.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yWteP7e12z.dll,BeginBufferedAnimation	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yWteP7e12z.dll,BeginBufferedPaint	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yWteP7e12z.dll,BeginPanningFeedback	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\yWteP7e12z.dll',#1	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\recdisc.exe C:\Windows\system32\recdisc.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\SnippingTool.exe C:\Windows\system32\SnippingTool.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\raserver.exe C:\Windows\system32\raserver.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\eQL\raserver.exe C:\Users\user\AppData\Local\eQL\raserver.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\ddodiag.exe C:\Windows\system32\ddodiag.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\dccw.exe C:\Windows\system32\dccw.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\SppExtComObj.Exe C:\Windows\system32\SppExtComObj.Exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\recdisc.exe C:\Windows\system32\recdisc.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe C:\Users\user\AppData\Local\JFuMqIg\wscript.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\BdeUISrv.exe C:\Windows\system32\BdeUISrv.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winDLL@49/21@0/0

Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe

Code function: 19_2_00007FF73D057E20 CoCreateInstance,

19_2_00007FF73D057E20

Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe

Code function: 37_2_00007FF6E8926954 FormatMessageW,GetLastError,WideCharToMultiByte,WideCharToMultiByte,FormatMessageA,MultiByteToWideChar,LocalAlloc,MultiByteToWideChar,SysAllocString,LocalFree,LocalFree,

37_2_00007FF6E8926954

Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe

Code function: 41_2_00007FF6E6D664A0 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,QueryServiceStatus,StartServiceW,GetLastError,Sleep,QueryServiceStatus,GetLastError,CloseServiceHandle,CloseServiceHandle,

41_2_00007FF6E6D664A0

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yWteP7e12z.dll,BeginBufferedAnimation

Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe	Mutant created: \Sessions\1\BaseNamedObjects\{169aafc0-b674-dc63-e06b-2eae4586757b}
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe	Mutant created: \Sessions\1\BaseNamedObjects\{25f30cca-9195-545a-ce6a-753d20cd2cd4}

Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe

Code function: 19_2_00007FF73D04C9A0 LoadResource,LockResource,SizeofResource,

19_2_00007FF73D04C9A0

Source: SppExtComObj.Exe

String found in binary or memory: msSPP-InstallationId

Source: yWteP7e12z.dll

Static PE information: Image base 0x140000000 > 0x60000000

Source: yWteP7e12z.dll

Static file information: File size 2105344 > 1048576

Source: yWteP7e12z.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: SppExtComObj.pdb source: SppExtComObj.Exe, 00000020.00000000.480829026.00007FF7914D1000.00000002.00020000.sdmp
Source:	Binary string: wscript.pdbGCTL source: wscript.exe, 00000025.00000002.559644071.00007FF6E8935000.00000002.00020000.sdmp
Source:	Binary string: BdeUISrv.pdb source: BdeUISrv.exe, 00000029.00000000.561844612.00007FF6E6D69000.00000002.00020000.sdmp
Source:	Binary string: SnippingTool.pdb source: SnippingTool.exe, 00000013.00000000.393138580.00007FF73D070000.00000002.00020000.sdmp
Source:	Binary string: SnippingTool.pdbGCTL source: SnippingTool.exe, 00000013.00000000.393138580.00007FF73D070000.00000002.00020000.sdmp
Source:	Binary string: BdeUISrv.pdbGCTL source: BdeUISrv.exe, 00000029.00000000.561844612.00007FF6E6D69000.00000002.00020000.sdmp
Source:	Binary string: RAServer.pdb source: raserver.exe, 0000001A.00000000.421498383.00007FF74E123000.00000002.00020000.sdmp
Source:	Binary string: WMPDMC.pdbGCTL source: WMPDMC.exe, 00000022.00000000.507457464.00007FF67B6CD000.00000002.00020000.sdmp
Source:	Binary string: wscript.pdb source: wscript.exe, 00000025.00000002.559644071.00007FF6E8935000.00000002.00020000.sdmp
Source:	Binary string: SppExtComObj.pdbUGP source: SppExtComObj.Exe, 00000020.00000000.480829026.00007FF7914D1000.00000002.00020000.sdmp
Source:	Binary string: RAServer.pdbGCTL source: raserver.exe, 0000001A.00000000.421498383.00007FF74E123000.00000002.00020000.sdmp
Source:	Binary string: DDODiag.pdbGCTL source: ddodiag.exe, 0000001C.00000000.447876390.00007FF740984000.00000002.00020000.sdmp
Source:	Binary string: DDODiag.pdb source: ddodiag.exe, 0000001C.00000000.447876390.00007FF740984000.00000002.00020000.sdmp
Source:	Binary string: WMPDMC.pdb source: WMPDMC.exe, 00000022.00000000.507457464.00007FF67B6CD000.00000002.00020000.sdmp

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140056A4D push rdi; ret	0_2_0000000140056A4E
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF791478A2E push rax; iretd	32_2_00007FF791478A35
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF791479AB9 push rsi; retf	32_2_00007FF791479ABA
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF7914791EA push 6826517Ch; retf	32_2_00007FF7914791F5
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF791479B37 push rcx; ret	32_2_00007FF791479B38

Source: yWteP7e12z.dll	Static PE information: section name: .qkm
Source: yWteP7e12z.dll	Static PE information: section name: .cvjb
Source: yWteP7e12z.dll	Static PE information: section name: .tlmkv
Source: yWteP7e12z.dll	Static PE information: section name: .wucsxe
Source: yWteP7e12z.dll	Static PE information: section name: .fltwtj
Source: yWteP7e12z.dll	Static PE information: section name: .sfplio
Source: yWteP7e12z.dll	Static PE information: section name: .rpg
Source: yWteP7e12z.dll	Static PE information: section name: .bewzc
Source: yWteP7e12z.dll	Static PE information: section name: .vksvaw
Source: yWteP7e12z.dll	Static PE information: section name: .wmhg
Source: yWteP7e12z.dll	Static PE information: section name: .kswemc
Source: yWteP7e12z.dll	Static PE information: section name: .kaxfk
Source: yWteP7e12z.dll	Static PE information: section name: .wualk
Source: yWteP7e12z.dll	Static PE information: section name: .qwqp
Source: yWteP7e12z.dll	Static PE information: section name: .txp
Source: yWteP7e12z.dll	Static PE information: section name: .ezxpm
Source: yWteP7e12z.dll	Static PE information: section name: .kdkmc
Source: yWteP7e12z.dll	Static PE information: section name: .vwqjj
Source: yWteP7e12z.dll	Static PE information: section name: .ute
Source: yWteP7e12z.dll	Static PE information: section name: .hzotrb
Source: yWteP7e12z.dll	Static PE information: section name: .mkb
Source: yWteP7e12z.dll	Static PE information: section name: .plbi
Source: yWteP7e12z.dll	Static PE information: section name: .dmwl
Source: yWteP7e12z.dll	Static PE information: section name: .qorltm
Source: yWteP7e12z.dll	Static PE information: section name: .ubg
Source: yWteP7e12z.dll	Static PE information: section name: .lhm
Source: yWteP7e12z.dll	Static PE information: section name: .wojiyd
Source: yWteP7e12z.dll	Static PE information: section name: .ekv
Source: yWteP7e12z.dll	Static PE information: section name: .vmf
Source: yWteP7e12z.dll	Static PE information: section name: .rqv
Source: yWteP7e12z.dll	Static PE information: section name: .rseab
Source: yWteP7e12z.dll	Static PE information: section name: .pxtlo
Source: yWteP7e12z.dll	Static PE information: section name: .nri
Source: yWteP7e12z.dll	Static PE information: section name: .fcbpa
Source: raserver.exe.5.dr	Static PE information: section name: .didat
Source: WMPDMC.exe.5.dr	Static PE information: section name: .didat
Source: MusNotifyIcon.exe.5.dr	Static PE information: section name: .didat
Source: OLEACC.dll.5.dr	Static PE information: section name: .qkm
Source: OLEACC.dll.5.dr	Static PE information: section name: .cvjb
Source: OLEACC.dll.5.dr	Static PE information: section name: .tlmkv
Source: OLEACC.dll.5.dr	Static PE information: section name: .wucsxe
Source: OLEACC.dll.5.dr	Static PE information: section name: .fltwtj
Source: OLEACC.dll.5.dr	Static PE information: section name: .sfplio
Source: OLEACC.dll.5.dr	Static PE information: section name: .rpg
Source: OLEACC.dll.5.dr	Static PE information: section name: .bewzc
Source: OLEACC.dll.5.dr	Static PE information: section name: .vksvaw
Source: OLEACC.dll.5.dr	Static PE information: section name: .wmhg
Source: OLEACC.dll.5.dr	Static PE information: section name: .kswemc
Source: OLEACC.dll.5.dr	Static PE information: section name: .kaxfk
Source: OLEACC.dll.5.dr	Static PE information: section name: .wualk
Source: OLEACC.dll.5.dr	Static PE information: section name: .qwqp
Source: OLEACC.dll.5.dr	Static PE information: section name: .txp
Source: OLEACC.dll.5.dr	Static PE information: section name: .ezxpm
Source: OLEACC.dll.5.dr	Static PE information: section name: .kdkmc
Source: OLEACC.dll.5.dr	Static PE information: section name: .vwqjj
Source: OLEACC.dll.5.dr	Static PE information: section name: .ute
Source: OLEACC.dll.5.dr	Static PE information: section name: .hzotrb
Source: OLEACC.dll.5.dr	Static PE information: section name: .mkb
Source: OLEACC.dll.5.dr	Static PE information: section name: .plbi
Source: OLEACC.dll.5.dr	Static PE information: section name: .dmwl
Source: OLEACC.dll.5.dr	Static PE information: section name: .qorltm
Source: OLEACC.dll.5.dr	Static PE information: section name: .ubg
Source: OLEACC.dll.5.dr	Static PE information: section name: .lhm
Source: OLEACC.dll.5.dr	Static PE information: section name: .wojiyd
Source: OLEACC.dll.5.dr	Static PE information: section name: .ekv
Source: OLEACC.dll.5.dr	Static PE information: section name: .vmf
Source: OLEACC.dll.5.dr	Static PE information: section name: .rqv
Source: OLEACC.dll.5.dr	Static PE information: section name: .rseab
Source: OLEACC.dll.5.dr	Static PE information: section name: .pxtlo
Source: OLEACC.dll.5.dr	Static PE information: section name: .nri
Source: OLEACC.dll.5.dr	Static PE information: section name: .fcbpa
Source: OLEACC.dll.5.dr	Static PE information: section name: .ciqu
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .qkm
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .cvjb
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .tlmkv
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .wucsxe
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .fltwtj
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .sfplio
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .rpg
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .bewzc
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .vksvaw
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .wmhg
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .kswemc
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .kaxfk
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .wualk
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .qwqp
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .txp
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .ezxpm
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .kdkmc
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .vwqjj
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .ute
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .hzotrb
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .mkb
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .plbi
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .dmwl
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .qorltm
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .ubg
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .lhm
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .wojiyd
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .ekv
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .vmf
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .rqv
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .rseab
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .pxtlo
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .nri
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .fcbpa
Source: WTSAPI32.dll.5.dr	Static PE information: section name: .wwwa
Source: XmlLite.dll.5.dr	Static PE information: section name: .qkm
Source: XmlLite.dll.5.dr	Static PE information: section name: .cvjb
Source: XmlLite.dll.5.dr	Static PE information: section name: .tlmkv
Source: XmlLite.dll.5.dr	Static PE information: section name: .wucsxe
Source: XmlLite.dll.5.dr	Static PE information: section name: .fltwtj
Source: XmlLite.dll.5.dr	Static PE information: section name: .sfplio
Source: XmlLite.dll.5.dr	Static PE information: section name: .rpg
Source: XmlLite.dll.5.dr	Static PE information: section name: .bewzc
Source: XmlLite.dll.5.dr	Static PE information: section name: .vksvaw
Source: XmlLite.dll.5.dr	Static PE information: section name: .wmhg
Source: XmlLite.dll.5.dr	Static PE information: section name: .kswemc
Source: XmlLite.dll.5.dr	Static PE information: section name: .kaxfk
Source: XmlLite.dll.5.dr	Static PE information: section name: .wualk
Source: XmlLite.dll.5.dr	Static PE information: section name: .qwqp
Source: XmlLite.dll.5.dr	Static PE information: section name: .txp
Source: XmlLite.dll.5.dr	Static PE information: section name: .ezxpm
Source: XmlLite.dll.5.dr	Static PE information: section name: .kdkmc
Source: XmlLite.dll.5.dr	Static PE information: section name: .vwqjj
Source: XmlLite.dll.5.dr	Static PE information: section name: .ute
Source: XmlLite.dll.5.dr	Static PE information: section name: .hzotrb
Source: XmlLite.dll.5.dr	Static PE information: section name: .mkb
Source: XmlLite.dll.5.dr	Static PE information: section name: .plbi
Source: XmlLite.dll.5.dr	Static PE information: section name: .dmwl
Source: XmlLite.dll.5.dr	Static PE information: section name: .qorltm
Source: XmlLite.dll.5.dr	Static PE information: section name: .ubg
Source: XmlLite.dll.5.dr	Static PE information: section name: .lhm
Source: XmlLite.dll.5.dr	Static PE information: section name: .wojiyd
Source: XmlLite.dll.5.dr	Static PE information: section name: .ekv
Source: XmlLite.dll.5.dr	Static PE information: section name: .vmf
Source: XmlLite.dll.5.dr	Static PE information: section name: .rqv
Source: XmlLite.dll.5.dr	Static PE information: section name: .rseab
Source: XmlLite.dll.5.dr	Static PE information: section name: .pxtlo
Source: XmlLite.dll.5.dr	Static PE information: section name: .nri
Source: XmlLite.dll.5.dr	Static PE information: section name: .fcbpa
Source: XmlLite.dll.5.dr	Static PE information: section name: .kwig
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .qkm
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .cvjb
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .tlmkv
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .wucsxe
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .fltwtj
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .sfplio
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .rpg
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .bewzc
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .vksvaw
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .wmhg
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .kswemc
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .kaxfk
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .wualk
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .qwqp
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .txp
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .ezxpm
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .kdkmc
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .vwqjj
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .ute
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .hzotrb
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .mkb
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .plbi
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .dmwl
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .qorltm
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .ubg
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .lhm
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .wojiyd
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .ekv
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .vmf
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .rqv
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .rseab
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .pxtlo
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .nri
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .fcbpa
Source: ACTIVEDS.dll.5.dr	Static PE information: section name: .pemb
Source: SppExtComObj.Exe.5.dr	Static PE information: section name: ?g_Encry
Source: OLEACC.dll0.5.dr	Static PE information: section name: .qkm
Source: OLEACC.dll0.5.dr	Static PE information: section name: .cvjb
Source: OLEACC.dll0.5.dr	Static PE information: section name: .tlmkv
Source: OLEACC.dll0.5.dr	Static PE information: section name: .wucsxe
Source: OLEACC.dll0.5.dr	Static PE information: section name: .fltwtj
Source: OLEACC.dll0.5.dr	Static PE information: section name: .sfplio
Source: OLEACC.dll0.5.dr	Static PE information: section name: .rpg
Source: OLEACC.dll0.5.dr	Static PE information: section name: .bewzc
Source: OLEACC.dll0.5.dr	Static PE information: section name: .vksvaw
Source: OLEACC.dll0.5.dr	Static PE information: section name: .wmhg
Source: OLEACC.dll0.5.dr	Static PE information: section name: .kswemc
Source: OLEACC.dll0.5.dr	Static PE information: section name: .kaxfk
Source: OLEACC.dll0.5.dr	Static PE information: section name: .wualk
Source: OLEACC.dll0.5.dr	Static PE information: section name: .qwqp
Source: OLEACC.dll0.5.dr	Static PE information: section name: .txp
Source: OLEACC.dll0.5.dr	Static PE information: section name: .ezxpm
Source: OLEACC.dll0.5.dr	Static PE information: section name: .kdkmc
Source: OLEACC.dll0.5.dr	Static PE information: section name: .vwqjj
Source: OLEACC.dll0.5.dr	Static PE information: section name: .ute
Source: OLEACC.dll0.5.dr	Static PE information: section name: .hzotrb
Source: OLEACC.dll0.5.dr	Static PE information: section name: .mkb
Source: OLEACC.dll0.5.dr	Static PE information: section name: .plbi
Source: OLEACC.dll0.5.dr	Static PE information: section name: .dmwl
Source: OLEACC.dll0.5.dr	Static PE information: section name: .qorltm
Source: OLEACC.dll0.5.dr	Static PE information: section name: .ubg
Source: OLEACC.dll0.5.dr	Static PE information: section name: .lhm
Source: OLEACC.dll0.5.dr	Static PE information: section name: .wojiyd
Source: OLEACC.dll0.5.dr	Static PE information: section name: .ekv
Source: OLEACC.dll0.5.dr	Static PE information: section name: .vmf
Source: OLEACC.dll0.5.dr	Static PE information: section name: .rqv
Source: OLEACC.dll0.5.dr	Static PE information: section name: .rseab
Source: OLEACC.dll0.5.dr	Static PE information: section name: .pxtlo
Source: OLEACC.dll0.5.dr	Static PE information: section name: .nri
Source: OLEACC.dll0.5.dr	Static PE information: section name: .fcbpa
Source: OLEACC.dll0.5.dr	Static PE information: section name: .kmhbw
Source: VERSION.dll.5.dr	Static PE information: section name: .qkm
Source: VERSION.dll.5.dr	Static PE information: section name: .cvjb
Source: VERSION.dll.5.dr	Static PE information: section name: .tlmkv
Source: VERSION.dll.5.dr	Static PE information: section name: .wucsxe
Source: VERSION.dll.5.dr	Static PE information: section name: .fltwtj
Source: VERSION.dll.5.dr	Static PE information: section name: .sfplio
Source: VERSION.dll.5.dr	Static PE information: section name: .rpg
Source: VERSION.dll.5.dr	Static PE information: section name: .bewzc
Source: VERSION.dll.5.dr	Static PE information: section name: .vksvaw
Source: VERSION.dll.5.dr	Static PE information: section name: .wmhg
Source: VERSION.dll.5.dr	Static PE information: section name: .kswemc
Source: VERSION.dll.5.dr	Static PE information: section name: .kaxfk
Source: VERSION.dll.5.dr	Static PE information: section name: .wualk
Source: VERSION.dll.5.dr	Static PE information: section name: .qwqp
Source: VERSION.dll.5.dr	Static PE information: section name: .txp
Source: VERSION.dll.5.dr	Static PE information: section name: .ezxpm
Source: VERSION.dll.5.dr	Static PE information: section name: .kdkmc
Source: VERSION.dll.5.dr	Static PE information: section name: .vwqjj
Source: VERSION.dll.5.dr	Static PE information: section name: .ute
Source: VERSION.dll.5.dr	Static PE information: section name: .hzotrb
Source: VERSION.dll.5.dr	Static PE information: section name: .mkb
Source: VERSION.dll.5.dr	Static PE information: section name: .plbi
Source: VERSION.dll.5.dr	Static PE information: section name: .dmwl
Source: VERSION.dll.5.dr	Static PE information: section name: .qorltm
Source: VERSION.dll.5.dr	Static PE information: section name: .ubg
Source: VERSION.dll.5.dr	Static PE information: section name: .lhm
Source: VERSION.dll.5.dr	Static PE information: section name: .wojiyd
Source: VERSION.dll.5.dr	Static PE information: section name: .ekv
Source: VERSION.dll.5.dr	Static PE information: section name: .vmf
Source: VERSION.dll.5.dr	Static PE information: section name: .rqv
Source: VERSION.dll.5.dr	Static PE information: section name: .rseab
Source: VERSION.dll.5.dr	Static PE information: section name: .pxtlo
Source: VERSION.dll.5.dr	Static PE information: section name: .nri
Source: VERSION.dll.5.dr	Static PE information: section name: .fcbpa
Source: VERSION.dll.5.dr	Static PE information: section name: .oeep
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .qkm
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .cvjb
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .tlmkv
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .wucsxe
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .fltwtj
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .sfplio
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .rpg
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .bewzc
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .vksvaw
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .wmhg
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .kswemc
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .kaxfk
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .wualk
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .qwqp
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .txp
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .ezxpm
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .kdkmc
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .vwqjj
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .ute
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .hzotrb
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .mkb
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .plbi
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .dmwl
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .qorltm
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .ubg
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .lhm
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .wojiyd
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .ekv
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .vmf
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .rqv
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .rseab
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .pxtlo
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .nri
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .fcbpa
Source: WTSAPI32.dll0.5.dr	Static PE information: section name: .ugx
Source: XmlLite.dll0.5.dr	Static PE information: section name: .qkm
Source: XmlLite.dll0.5.dr	Static PE information: section name: .cvjb
Source: XmlLite.dll0.5.dr	Static PE information: section name: .tlmkv
Source: XmlLite.dll0.5.dr	Static PE information: section name: .wucsxe
Source: XmlLite.dll0.5.dr	Static PE information: section name: .fltwtj
Source: XmlLite.dll0.5.dr	Static PE information: section name: .sfplio
Source: XmlLite.dll0.5.dr	Static PE information: section name: .rpg
Source: XmlLite.dll0.5.dr	Static PE information: section name: .bewzc
Source: XmlLite.dll0.5.dr	Static PE information: section name: .vksvaw
Source: XmlLite.dll0.5.dr	Static PE information: section name: .wmhg
Source: XmlLite.dll0.5.dr	Static PE information: section name: .kswemc
Source: XmlLite.dll0.5.dr	Static PE information: section name: .kaxfk
Source: XmlLite.dll0.5.dr	Static PE information: section name: .wualk
Source: XmlLite.dll0.5.dr	Static PE information: section name: .qwqp
Source: XmlLite.dll0.5.dr	Static PE information: section name: .txp
Source: XmlLite.dll0.5.dr	Static PE information: section name: .ezxpm
Source: XmlLite.dll0.5.dr	Static PE information: section name: .kdkmc
Source: XmlLite.dll0.5.dr	Static PE information: section name: .vwqjj
Source: XmlLite.dll0.5.dr	Static PE information: section name: .ute
Source: XmlLite.dll0.5.dr	Static PE information: section name: .hzotrb
Source: XmlLite.dll0.5.dr	Static PE information: section name: .mkb
Source: XmlLite.dll0.5.dr	Static PE information: section name: .plbi
Source: XmlLite.dll0.5.dr	Static PE information: section name: .dmwl
Source: XmlLite.dll0.5.dr	Static PE information: section name: .qorltm
Source: XmlLite.dll0.5.dr	Static PE information: section name: .ubg
Source: XmlLite.dll0.5.dr	Static PE information: section name: .lhm
Source: XmlLite.dll0.5.dr	Static PE information: section name: .wojiyd
Source: XmlLite.dll0.5.dr	Static PE information: section name: .ekv
Source: XmlLite.dll0.5.dr	Static PE information: section name: .vmf
Source: XmlLite.dll0.5.dr	Static PE information: section name: .rqv
Source: XmlLite.dll0.5.dr	Static PE information: section name: .rseab
Source: XmlLite.dll0.5.dr	Static PE information: section name: .pxtlo
Source: XmlLite.dll0.5.dr	Static PE information: section name: .nri
Source: XmlLite.dll0.5.dr	Static PE information: section name: .fcbpa
Source: XmlLite.dll0.5.dr	Static PE information: section name: .htvhcf
Source: OLEACC.dll1.5.dr	Static PE information: section name: .qkm
Source: OLEACC.dll1.5.dr	Static PE information: section name: .cvjb
Source: OLEACC.dll1.5.dr	Static PE information: section name: .tlmkv
Source: OLEACC.dll1.5.dr	Static PE information: section name: .wucsxe
Source: OLEACC.dll1.5.dr	Static PE information: section name: .fltwtj
Source: OLEACC.dll1.5.dr	Static PE information: section name: .sfplio
Source: OLEACC.dll1.5.dr	Static PE information: section name: .rpg
Source: OLEACC.dll1.5.dr	Static PE information: section name: .bewzc
Source: OLEACC.dll1.5.dr	Static PE information: section name: .vksvaw
Source: OLEACC.dll1.5.dr	Static PE information: section name: .wmhg
Source: OLEACC.dll1.5.dr	Static PE information: section name: .kswemc
Source: OLEACC.dll1.5.dr	Static PE information: section name: .kaxfk
Source: OLEACC.dll1.5.dr	Static PE information: section name: .wualk
Source: OLEACC.dll1.5.dr	Static PE information: section name: .qwqp
Source: OLEACC.dll1.5.dr	Static PE information: section name: .txp
Source: OLEACC.dll1.5.dr	Static PE information: section name: .ezxpm
Source: OLEACC.dll1.5.dr	Static PE information: section name: .kdkmc
Source: OLEACC.dll1.5.dr	Static PE information: section name: .vwqjj
Source: OLEACC.dll1.5.dr	Static PE information: section name: .ute
Source: OLEACC.dll1.5.dr	Static PE information: section name: .hzotrb
Source: OLEACC.dll1.5.dr	Static PE information: section name: .mkb
Source: OLEACC.dll1.5.dr	Static PE information: section name: .plbi
Source: OLEACC.dll1.5.dr	Static PE information: section name: .dmwl
Source: OLEACC.dll1.5.dr	Static PE information: section name: .qorltm
Source: OLEACC.dll1.5.dr	Static PE information: section name: .ubg
Source: OLEACC.dll1.5.dr	Static PE information: section name: .lhm
Source: OLEACC.dll1.5.dr	Static PE information: section name: .wojiyd
Source: OLEACC.dll1.5.dr	Static PE information: section name: .ekv
Source: OLEACC.dll1.5.dr	Static PE information: section name: .vmf
Source: OLEACC.dll1.5.dr	Static PE information: section name: .rqv
Source: OLEACC.dll1.5.dr	Static PE information: section name: .rseab
Source: OLEACC.dll1.5.dr	Static PE information: section name: .pxtlo
Source: OLEACC.dll1.5.dr	Static PE information: section name: .nri
Source: OLEACC.dll1.5.dr	Static PE information: section name: .fcbpa
Source: OLEACC.dll1.5.dr	Static PE information: section name: .xtmp
Source: XmlLite.dll1.5.dr	Static PE information: section name: .qkm
Source: XmlLite.dll1.5.dr	Static PE information: section name: .cvjb
Source: XmlLite.dll1.5.dr	Static PE information: section name: .tlmkv
Source: XmlLite.dll1.5.dr	Static PE information: section name: .wucsxe
Source: XmlLite.dll1.5.dr	Static PE information: section name: .fltwtj
Source: XmlLite.dll1.5.dr	Static PE information: section name: .sfplio
Source: XmlLite.dll1.5.dr	Static PE information: section name: .rpg
Source: XmlLite.dll1.5.dr	Static PE information: section name: .bewzc
Source: XmlLite.dll1.5.dr	Static PE information: section name: .vksvaw
Source: XmlLite.dll1.5.dr	Static PE information: section name: .wmhg
Source: XmlLite.dll1.5.dr	Static PE information: section name: .kswemc
Source: XmlLite.dll1.5.dr	Static PE information: section name: .kaxfk
Source: XmlLite.dll1.5.dr	Static PE information: section name: .wualk
Source: XmlLite.dll1.5.dr	Static PE information: section name: .qwqp
Source: XmlLite.dll1.5.dr	Static PE information: section name: .txp
Source: XmlLite.dll1.5.dr	Static PE information: section name: .ezxpm
Source: XmlLite.dll1.5.dr	Static PE information: section name: .kdkmc
Source: XmlLite.dll1.5.dr	Static PE information: section name: .vwqjj
Source: XmlLite.dll1.5.dr	Static PE information: section name: .ute
Source: XmlLite.dll1.5.dr	Static PE information: section name: .hzotrb
Source: XmlLite.dll1.5.dr	Static PE information: section name: .mkb
Source: XmlLite.dll1.5.dr	Static PE information: section name: .plbi
Source: XmlLite.dll1.5.dr	Static PE information: section name: .dmwl
Source: XmlLite.dll1.5.dr	Static PE information: section name: .qorltm
Source: XmlLite.dll1.5.dr	Static PE information: section name: .ubg
Source: XmlLite.dll1.5.dr	Static PE information: section name: .lhm
Source: XmlLite.dll1.5.dr	Static PE information: section name: .wojiyd
Source: XmlLite.dll1.5.dr	Static PE information: section name: .ekv
Source: XmlLite.dll1.5.dr	Static PE information: section name: .vmf
Source: XmlLite.dll1.5.dr	Static PE information: section name: .rqv
Source: XmlLite.dll1.5.dr	Static PE information: section name: .rseab
Source: XmlLite.dll1.5.dr	Static PE information: section name: .pxtlo
Source: XmlLite.dll1.5.dr	Static PE information: section name: .nri
Source: XmlLite.dll1.5.dr	Static PE information: section name: .fcbpa
Source: XmlLite.dll1.5.dr	Static PE information: section name: .gbpuqn

Source: C:\Users\user\AppData\Local\eQL\raserver.exe

Code function: 26_2_00007FF74E1183E0 LoadLibraryW,GetProcAddress,GetProcAddress,WTSEnumerateSessionsW,GetProcessHeap,HeapAlloc,WTSFreeMemory,WTSFreeMemory,WTSQuerySessionInformationW,WTSQuerySessionInformationW,StrCmpIW,GetProcessHeap,HeapAlloc,SafeArrayCreateVector,SafeArrayAccessData,SysAllocString,SafeArrayUnaccessData,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WTSFreeMemory,WTSFreeMemory,WTSFreeMemory,SafeArrayDestroy,SysFreeString,

26_2_00007FF74E1183E0

Source: yWteP7e12z.dll	Static PE information: real checksum: 0x7d786c40 should be: 0x208f5c
Source: ACTIVEDS.dll.5.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x20e14e
Source: WTSAPI32.dll.5.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x2040a8
Source: OLEACC.dll1.5.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x20e541
Source: VERSION.dll.5.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x2120a4
Source: XmlLite.dll1.5.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x2053cb
Source: XmlLite.dll0.5.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x20bbcb
Source: XmlLite.dll.5.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x209517
Source: OLEACC.dll0.5.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x20a1b8
Source: OLEACC.dll.5.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x2065b2
Source: WTSAPI32.dll0.5.dr	Static PE information: real checksum: 0x7d786c40 should be: 0x20419e

Source: raserver.exe.5.dr

Static PE information: 0xEBE25ACA [Sun May 29 04:02:18 2095 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.59477523886
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679
Source: initial sample	Static PE information: section name: .text entropy: 7.73364605679

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\yoY8Y\XmlLite.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\yoY8Y\ddodiag.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\eQL\raserver.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\S8mrk1\OLEACC.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\eQL\WTSAPI32.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\92ea6x\OLEACC.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\JFuMqIg\VERSION.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\7YI8zy\OLEACC.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\2Pnr0hm64\XmlLite.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\2Pnr0hm64\MusNotifyIcon.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\jYs4ma0u\ACTIVEDS.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Iz08tEz\XmlLite.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\7YI8zy\sethc.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\2lBRPi\WTSAPI32.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe

41_2_00007FF6E6D664A0

Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Code function: 19_2_00007FF73D04DE78 IsWindowVisible,ShowWindow,IsZoomed,ShowWindow,SendMessageW,SendMessageW,IsIconic,OpenIcon,IsWindowVisible,	19_2_00007FF73D04DE78
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Code function: 19_2_00007FF73D043078 IsWindowVisible,IsIconic,DwmGetWindowAttribute,	19_2_00007FF73D043078
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Code function: 19_2_00007FF73D04F79C DefWindowProcW,memset,TraceEvent,DefWindowProcW,SendMessageW,IsIconic,GetWindowRect,IsWindowVisible,IsIconic,OpenIcon,	19_2_00007FF73D04F79C
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Code function: 19_2_00007FF73D04F79C DefWindowProcW,memset,TraceEvent,DefWindowProcW,SendMessageW,IsIconic,GetWindowRect,IsWindowVisible,IsIconic,OpenIcon,	19_2_00007FF73D04F79C
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Code function: 19_2_00007FF73D047800 FindWindowW,FindWindowW,IsWindowVisible,FindWindowW,IsWindowVisible,FindWindowW,IsWindowVisible,IsIconic,OpenIcon,SetForegroundWindow,GetLastError,	19_2_00007FF73D047800
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B617020 GetWindow,IsWindowVisible,GetWindowThreadProcessId,GetDesktopWindow,GetWindow,GetWindowThreadProcessId,GetParent,GetWindow,GetClassNameW,CompareStringOrdinal,SetForegroundWindow,IsIconic,ShowWindow,	34_2_00007FF67B617020

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\explorer.exe TID: 5916

Thread sleep count: 40 > 30

Jump to behavior

Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe

Last function: Thread delayed

Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\2Pnr0hm64\MusNotifyIcon.exe			Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\7YI8zy\sethc.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe

Code function: 32_2_00007FF79146D314 rdtsc

32_2_00007FF79146D314

Source: C:\Windows\System32\loaddll64.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_000000014005C340 GetSystemInfo,

0_2_000000014005C340

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014005D290 FindFirstFileExW,		0_2_000000014005D290
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe	Code function: 37_2_00007FF6E892D4A0 GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,GetLastError,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose,		37_2_00007FF6E892D4A0

Source: explorer.exe, 00000005.00000000.321902451.000000000EEE0000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.342238983.000000000EE50000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}onsappsD
Source: explorer.exe, 00000005.00000000.317335575.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.317457618.0000000008778000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000005.00000000.342238983.000000000EE50000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oogle Chrome.l
Source: explorer.exe, 00000005.00000000.313685798.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.317335575.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000005.00000000.342238983.000000000EE50000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}microsoF
Source: explorer.exe, 00000005.00000000.313685798.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 00000005.00000000.313685798.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: _VMware_SATA
Source: explorer.exe, 00000005.00000000.317335575.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe

Code function: 19_2_00007FF73D06DF84 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

19_2_00007FF73D06DF84

Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe

Code function: 34_2_00007FF67B616008 OutputDebugStringA,ActivateActCtx,GetLastError,

34_2_00007FF67B616008

Source: C:\Users\user\AppData\Local\eQL\raserver.exe

26_2_00007FF74E1183E0

Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe

Code function: 19_2_00007FF73D05E274 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

19_2_00007FF73D05E274

Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe

Code function: 32_2_00007FF79146D314 rdtsc

32_2_00007FF79146D314

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_0000000140048AC0 LdrLoadDll,FindClose,

0_2_0000000140048AC0

Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Code function: 19_2_00007FF73D06DF84 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_00007FF73D06DF84
Source: C:\Users\user\AppData\Local\eQL\raserver.exe	Code function: 26_2_00007FF74E120B80 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	26_2_00007FF74E120B80
Source: C:\Users\user\AppData\Local\eQL\raserver.exe	Code function: 26_2_00007FF74E121170 SetUnhandledExceptionFilter,	26_2_00007FF74E121170
Source: C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe	Code function: 28_2_00007FF7409832A4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	28_2_00007FF7409832A4
Source: C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe	Code function: 28_2_00007FF740983010 SetUnhandledExceptionFilter,	28_2_00007FF740983010
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF79146DD00 SetUnhandledExceptionFilter,	32_2_00007FF79146DD00
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF79146DF84 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	32_2_00007FF79146DF84
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B6CACE0 SetUnhandledExceptionFilter,	34_2_00007FF67B6CACE0
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B6CA9E4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	34_2_00007FF67B6CA9E4
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe	Code function: 37_2_00007FF6E8933CC8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	37_2_00007FF6E8933CC8
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe	Code function: 41_2_00007FF6E6D67DA0 SetUnhandledExceptionFilter,	41_2_00007FF6E6D67DA0
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe	Code function: 41_2_00007FF6E6D67984 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	41_2_00007FF6E6D67984

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\explorer.exe

File created: OLEACC.dll.5.dr

Jump to dropped file

Changes memory attributes in foreign processes to executable or writable

Show sources

Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DD4EFE0 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8DD4E000 protect: page execute read	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC8BAD2A20 protect: page execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Windows\System32\rundll32.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Contains functionality to prevent local Windows debugging

Show sources

Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B6C9860 EnterCriticalSection,IsDebuggerPresent,DebugBreak,GetLastError,SetLastError,LeaveCriticalSection,		34_2_00007FF67B6C9860
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: 34_2_00007FF67B6C97F0 EnterCriticalSection,IsDebuggerPresent,DebugBreak,LeaveCriticalSection,		34_2_00007FF67B6C97F0

Uses Atom Bombing / ProGate to inject into other processes

Show sources

Source: C:\Windows\System32\rundll32.exe

Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\yWteP7e12z.dll',#1

Jump to behavior

Source: C:\Users\user\AppData\Local\eQL\raserver.exe

Code function: 26_2_00007FF74E11A9AC AllocateAndInitializeSid,GetLastError,AllocateAndInitializeSid,GetLastError,GetLengthSid,GetProcessHeap,HeapAlloc,InitializeAcl,GetLastError,AddAccessAllowedAce,GetLastError,AddAccessAllowedAce,GetLastError,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,AllocateAndInitializeSid,GetLastError,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,IsValidSecurityDescriptor,GetLastError,GetProcessHeap,HeapFree,FreeSid,FreeSid,FreeSid,

26_2_00007FF74E11A9AC

Source: C:\Users\user\AppData\Local\eQL\raserver.exe

26_2_00007FF74E11A9AC

Source: explorer.exe, 00000005.00000000.330726582.0000000000B68000.00000004.00000020.sdmp	Binary or memory string: Progman\Pr
Source: explorer.exe, 00000005.00000000.310248689.00000000011E0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.335309459.0000000005E10000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.310248689.00000000011E0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.310248689.00000000011E0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.317457618.0000000008778000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndh

Source: C:\Windows\System32\loaddll64.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\eQL\raserver.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\eQL\raserver.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe	Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe	Queries volume information: unknown VolumeInformation

Source: C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	Code function: DisableContainerHwnd,DestroyWindow,DeleteObject,GetModuleHandleW,GetClassInfoExW,memset,GetModuleHandleW,LoadCursorW,GetStockObject,DefWindowProcW,RegisterClassExW,GetModuleHandleW,CreateWindowExW,SetWindowLongPtrW,SetWindowLongPtrW,SendMessageW,GetWindowLongPtrW,GetWindowLongPtrW,SetWindowLongPtrW,GetThreadUILanguage,GetUserDefaultUILanguage,GetLocaleInfoW,GetWindowLongPtrW,SetWindowLongPtrW,CreateGadget,GetLastError,SetGadgetMessageFilter,SetGadgetStyle,GetDC,GetDeviceCaps,ReleaseDC,GetDC,CreateHalftonePalette,ReleaseDC,memset,SetGadgetRootInfo,TlsGetValue,	34_2_00007FF67B6499A0
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe	Code function: GetUserDefaultLCID,GetLocaleInfoW,GetModuleFileNameW,FreeLibrary,GetLocaleInfoA,LoadStringA,GetModuleFileNameA,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,sprintf_s,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,GetUserDefaultLCID,GetLocaleInfoA,sprintf_s,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,	37_2_00007FF6E8930EC4
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe	Code function: LoadLibraryExW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,_wcsncoll,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary,	37_2_00007FF6E893340C

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\eQL\raserver.exe

Code function: 26_2_00007FF74E121300 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

26_2_00007FF74E121300

Source: C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe

Code function: 19_2_00007FF73D055FF8 PostMessageW,DialogBoxParamW,memset,GetVersionExW,ShellAboutW,GetLastError,InvalidateRect,

19_2_00007FF73D055FF8

Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe

Code function: 37_2_00007FF6E8926CEC RegisterEventSourceW,GetUserNameW,LookupAccountNameW,LookupAccountNameW,ReportEventW,DeregisterEventSource,SysFreeString,RegCloseKey,RegCloseKey,

37_2_00007FF6E8926CEC

Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF79147B16C RpcStringFreeW,RpcBindingFree,CloseHandle,	32_2_00007FF79147B16C
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF79147AF10 memset,RpcStringBindingComposeW,RpcBindingFromStringBindingW,CreateEventW,GetLastError,RpcAsyncInitializeHandle,WaitForMultipleObjects,RpcAsyncCancelCall,WaitForSingleObject,RpcAsyncCompleteCall,memcpy,RpcStringFreeW,RpcBindingFree,CloseHandle,	32_2_00007FF79147AF10
Source: C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe	Code function: 32_2_00007FF79147B0A2 WaitForMultipleObjects,RpcAsyncCancelCall,WaitForSingleObject,RpcAsyncCompleteCall,RpcStringFreeW,RpcBindingFree,CloseHandle,	32_2_00007FF79147B0A2
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe	Code function: 37_2_00007FF6E89291AC GetUserDefaultLCID,CreateBindCtx,	37_2_00007FF6E89291AC
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe	Code function: 37_2_00007FF6E8924FE0 CreateBindCtx,SysAllocStringByteLen,SysFreeString,	37_2_00007FF6E8924FE0
Source: C:\Users\user\AppData\Local\JFuMqIg\wscript.exe	Code function: 37_2_00007FF6E892C370 CreateBindCtx,MkParseDisplayName,	37_2_00007FF6E892C370
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe	Code function: 41_2_00007FF6E6D672BC memset,RpcStringBindingComposeW,RpcBindingFromStringBindingW,AllocateAndInitializeSid,GetLastError,RpcBindingSetAuthInfoExW,RpcStringFreeW,FreeSid,RpcBindingFree,	41_2_00007FF6E6D672BC
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe	Code function: 41_2_00007FF6E6D674BE RpcBindingFree,	41_2_00007FF6E6D674BE
Source: C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe	Code function: 41_2_00007FF6E6D67450 NdrClientCall3,RpcBindingFree,	41_2_00007FF6E6D67450

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Windows Service1	Windows Service1	Deobfuscate/Decode Files or Information1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Exploitation for Client Execution1	Boot or Logon Initialization Scripts	Process Injection412	Obfuscated Files or Information3	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Screen Capture1	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter2	Logon Script (Windows)	Logon Script (Windows)	Software Packing2	Security Account Manager	File and Directory Discovery1	SMB/Windows Admin Shares	Clipboard Data1	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Service Execution2	Logon Script (Mac)	Logon Script (Mac)	Timestomp1	NTDS	System Information Discovery35	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Security Software Discovery41	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion1	Cached Domain Credentials	Virtualization/Sandbox Evasion1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection412	DCSync	Process Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Rundll321	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
yWteP7e12z.dll	64%	Virustotal		Browse
yWteP7e12z.dll	78%	ReversingLabs	Win64.Infostealer.Dridex
yWteP7e12z.dll	100%	Avira	TR/Crypt.ZPACK.Gen
yWteP7e12z.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\JFuMqIg\VERSION.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\2lBRPi\WTSAPI32.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\2Pnr0hm64\XmlLite.dll	100%	Avira	HEUR/AGEN.1114452
C:\Users\user\AppData\Local\2Pnr0hm64\XmlLite.dll	100%	Avira	HEUR/AGEN.1114452
C:\Users\user\AppData\Local\2lBRPi\WTSAPI32.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\2Pnr0hm64\XmlLite.dll	100%	Avira	HEUR/AGEN.1114452
C:\Users\user\AppData\Local\jYs4ma0u\ACTIVEDS.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\7YI8zy\OLEACC.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\7YI8zy\OLEACC.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\7YI8zy\OLEACC.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\JFuMqIg\VERSION.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\2lBRPi\WTSAPI32.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\2Pnr0hm64\XmlLite.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\2Pnr0hm64\XmlLite.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\2lBRPi\WTSAPI32.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\2Pnr0hm64\XmlLite.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\jYs4ma0u\ACTIVEDS.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\7YI8zy\OLEACC.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\7YI8zy\OLEACC.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\7YI8zy\OLEACC.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\2Pnr0hm64\MusNotifyIcon.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\2Pnr0hm64\MusNotifyIcon.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\7YI8zy\sethc.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\7YI8zy\sethc.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.2.rundll32.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
34.2.WMPDMC.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
32.2.SppExtComObj.Exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
28.2.ddodiag.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
19.2.SnippingTool.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.loaddll64.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
9.2.rundll32.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
26.2.raserver.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
41.2.BdeUISrv.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.rundll32.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.rundll32.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
37.2.wscript.exe.140000000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	492789
Start date:	29.09.2021
Start time:	01:30:21
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 16m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	yWteP7e12z (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@49/21@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 25.6% (good quality ratio 19.6%) Quality average: 55.9% Quality standard deviation: 39.2%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.54.113.53, 20.82.209.183, 20.54.110.249, 23.0.174.185, 23.0.174.200, 20.199.120.151, 20.199.120.182, 23.10.249.43, 23.10.249.26, 40.112.88.60, 20.82.210.154, 20.50.102.62, 204.79.197.200, 13.107.21.200 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, dual-a-0001.a-msedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing behavior and disassembly information. Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtEnumerateKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\2Pnr0hm64\MusNotifyIcon.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	348248
Entropy (8bit):	4.476463179941575
Encrypted:	false
SSDEEP:	3072:h+3PxWVjjy9Vya+bgdI/uQmyDbT/j0MQXOAfib98:h+5WVje+UdI/uQmyDbDWOAfH
MD5:	56EB45AF6E8DAC3DE13BFBDDD23471FD
SHA1:	B6CD69E22DF2AC6220DDE6BD5B96D0333C81664E
SHA-256:	96C7678DFB92B3666D5A41BB251EE21DF24D7C3F32E0115BB302438F364DFA7D
SHA-512:	4062829F81BF34C25ECDE96D46BC55A9CB40E3D0B78E73C07245DCCE42B7F60EE169A8545518F758E52215E9ABA3E62BEC02E7D4F5B5AE79DA690518920E974B
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........R...R...R...[.......=..Q...=..E...R.......=..C...=..E...=..]...=.r.S...=..S...RichR...........................PE..d...R............."......P.....................@....................................).....`.......... ..........................................H.......H....P..@...."..X....p......P...T............................d...............e..`............................text...<N.......P.................. ..`.rdata..T....`.......T..............@..@.data...(....@.......&..............@....pdata..@....P.......(..............@..@.didat.......p.......:..............@....rsrc...H............<..............@..@.reloc.......p....... ..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\2Pnr0hm64\XmlLite.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2109440
Entropy (8bit):	3.576077189317853
Encrypted:	false
SSDEEP:	12288:pVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:IfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	8D382555F4058C485E44A6F1746DF8AE
SHA1:	CA1DD960D00123E12458CE1E1C56B9DB7E06623E
SHA-256:	E266F25DE43726B4AEDFEF41B4561CA93156A5DB9FDE2EE68E2A9790DBF93A7F
SHA-512:	361C29520A7B22149F1F7D24831C06BA90514381F53918B4FB4F74FA8A8E456BAF216F6DE4F7538C7ECC21038A449C2419A4301B6551216AB593C1ED69F5C7AC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.)..DN^.........." ................p..........@.............................0 .....@lx}..b.......................................... ......c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	52736
Entropy (8bit):	5.7946530792580475
Encrypted:	false
SSDEEP:	768:NS51B2sZMD1mYu/Lr7p0dHkf9abpWnGjTopPjZdWC2bNrHuOKAh/4J99j4ktPUww:J/Yn/Lr7qwYb7/oRjeJh2991t8Yte
MD5:	25D86BC656025F38D6E626B606F1D39D
SHA1:	673F32CCA79DC890ADA1E5A2CF6ECA3EF863629D
SHA-256:	202BEC0F63167ED57FCB55DB48C9830A5323D72C662D9A58B691D16CE4DB8C1E
SHA-512:	D4B4BC411B122499E611E1F9A45FD40EC2ABA23354F261D4668BF0578D30AEC5419568489261FC773ABBB350CC77C1E00F8E7C0B135A1FD4A9B6500825FA6E06
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3..hw.;w.;w.;~.";u.;...:t.;...:`.;...:q.;...:d.;w.;..;...:..;..N;v.;...:v.;Richw.;................PE..d...X............."......v...\......0y.........@............................. ......Db....`.......... ......................................p...................................x......T............................................................................text...At.......v.................. ..`.rdata...3.......4...z..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..x...........................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\2lBRPi\WTSAPI32.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2109440
Entropy (8bit):	3.583353111174115
Encrypted:	false
SSDEEP:	12288:0VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:xfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	860C08B5CFEB671CA94A0CEC612CA670
SHA1:	584648309587E969A66C78F2DB9E995BA138DB1A
SHA-256:	C1C3B44B2E6EE00A256E4B6ECDFF26E4EE3C6F89C5B88026EA2C929D95CD0719
SHA-512:	AD81404B4AEE0F8C268D87ED57DC7A8093E87C9DF454CDC324DD3432DC9E6125FF9ED376ECA36C456AAF0B7FA81A077E9AB86BA0698CF8A396844619861650DD
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.)..DN^.........." ................p..........@.............................0 .....@lx}..b.......................................... ......c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\7YI8zy\OLEACC.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2109440
Entropy (8bit):	3.5783451393964993
Encrypted:	false
SSDEEP:	12288:NVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:UfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	B882DA1C973F306CE92DF7B397F79477
SHA1:	D3A451F40911018FD3FB3827CBC794A91D50C0BF
SHA-256:	BDC8B5C0E124749EFD29F926C5DEB99D4D6111E37C290354EB69BBD43891BE43
SHA-512:	59381D442B6D01629468C9DEE364976C73AF67162C03F112835E50FB3C5A3652E17325BF79FD5DA50D8E8231B8C6208010D1DD4398935884D78C67243F0C3D7D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.)..DN^.........." ................p..........@.............................0 .....@lx}..b.......................................... ......c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\7YI8zy\sethc.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	284160
Entropy (8bit):	6.85709982153028
Encrypted:	false
SSDEEP:	6144:z1dgUn5C1AlGr66uFz2LJGRg4kLNnei36cw:XiKFCdUc
MD5:	1C0BF0B710016600C9D9F23CC7103C0A
SHA1:	EFA944D43F76AEA0C72A5C7FB3240ADC55E7DAE8
SHA-256:	AEA110EE0865635EE764B1B40409DB3A3165E57EFFF4CAF942BCD8982F3063C5
SHA-512:	775F075A9D43A887B1AFB000E5E2CBC8EF514C4B1864C694977342307C61173DACC5BA8E5D47002870687B24914B3E6D2D0EB48BF99517822511A8BA2A122515
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r../6q.\|6q.\|6q.\|Y..}5q.\|Y..} q.\|Y..}1q.\|Y..}-q.\|6q.\|8p.\|Y..}$q.\|Y.[\|7q.\|Y..}7q.\|Rich6q.\|........................PE..d.... ............"............................@..........................................`.......... ......................................P........`..h'...P..................x.......T...........................0...............0................................text............................... ..`.rdata...j.......l..................@..@.data...8....0......................@....pdata.......P.......$..............@..@.rsrc...h'...`...(...,..............@..@.reloc..x............T..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\92ea6x\OLEACC.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2109440
Entropy (8bit):	3.578353842294324
Encrypted:	false
SSDEEP:	12288:hVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:QfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	562B44A22DF95EC9CAB4D5FE434F6B79
SHA1:	B8C66B70032983B0F6767CA39D5ED53BE1090E83
SHA-256:	157395ACD40DFE6078A29173CBEFF6E17E522607CB4D92C9AA9E64A1CFA4616F
SHA-512:	B76402269EB0CED9A0788BEFC131ABBAD97A2BC53DAA0FBACF51AA3D5A745DC56DEB3CD1AF871F4FC03F95781B22A1D6BC40AFAC938AE1327FF3D0EE9BC39F27
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.)..DN^.........." ................p..........@.............................0 .....@lx}..b.......................................... ......c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1517568
Entropy (8bit):	6.62150533612437
Encrypted:	false
SSDEEP:	24576:esSffc55l2PlDph6LYq3BRf6Te8+n3wAJF1/Mk+F6uwY6V0qRr8kmHVJZh/u:cct2PpphUlxRn3wAblMk+F6+6S2r8/Hu
MD5:	4085FDA375E50214142BD740559F5835
SHA1:	22D548F1E0F4832AAEE3D983A156FDABD3021DA4
SHA-256:	93F61516B7FD3CE8F1E97F25B760BDF62AE58CC7714B559FEFC2C75AD1130804
SHA-512:	7712F8E551D475A9D2FF3BED9992A2B3D53AB01F61DCB7313320181F9EB6B5B84558CCA45AE95150267128C8B228F806F869157B7F4961755076DD83F02E3BDF
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@..................-......*......+....../...../.A.....'.X...........,....Rich...................PE..d...D..9.........."................. ..........@..........................................`.......... ............................................... ..x.......l............0...S..`Y..T....................G..(....F..............8G...............................text.............................. ..`.rdata..Pg.......h..................@..@.data...p=...@.......,..............@....pdata..l............D..............@..@.didat..............................@....rsrc...x.... ......................@..@.reloc...S...0...T..................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Iz08tEz\XmlLite.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2109440
Entropy (8bit):	3.576061001877867
Encrypted:	false
SSDEEP:	12288:uVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:zfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	4DFE07B3BCAFD9CE65D8C33C35692412
SHA1:	72E62D60652D8B8E0FFAEABE38E85DF7474DE3F0
SHA-256:	601E95E3207C0693E50E0DF68F2D3F4563365D832C22A28F18659B9F30C37DF5
SHA-512:	020BA9DB617F445299631A8A9097AC67014B1FA640209B302A679474AF329CD25887295BCDBBCC1E4DD7DF66D818507232F3AF5879B3BB9DBDDDF6DE1F6B37FE
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.)..DN^.........." ................p..........@.............................0 .....@lx}..b.......................................... ......c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	37888
Entropy (8bit):	5.0324146638870335
Encrypted:	false
SSDEEP:	768:Ii5tlKBaheiGK/hc3aZkLmMgMaouZl6i9Kott/D:/C0heiGK/hc3aZkLmMgMaouZl6i9t/D
MD5:	3CE911D7C12A2EFA9108514013BD17FE
SHA1:	2F739BD7731932A0BF13A3B8526FC867EC41C63E
SHA-256:	FC55CB5FF243496B039D3DB181BD846BDD38D11C7D52E4BA20D882B65FBE1C3B
SHA-512:	33F4FD94916DB3F0BC4E138DD88125D9B45108F7EECFDE0A54BE1901F4BE3F1966BC0FE9278A919A3D94AEC53A8269ACA9451EBA7D53C82BF64CC215522AD78E
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.=...S...S...S.s.P...S.s.W...S.s.V...S.s.R...S...R.$.S.s.Z...S.s....S.s.Q...S.Rich..S.........PE..d...~3............"......&...p......p/.........@.....................................q....`.......... .......................................~..d.......p.......................(...`z..T........................... E.............. F...............................text...P%.......&.................. ..`.rdata.."D...@...F...*..............@..@.data................p..............@....pdata..............................@..@.rsrc...p...........................@..@.reloc..(...........................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\JFuMqIg\VERSION.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2109440
Entropy (8bit):	3.5769403032587643
Encrypted:	false
SSDEEP:	12288:BVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:wfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	D76C4636DA44EBABF1FC1E81811471E0
SHA1:	3191D457033E6D791CDBE097A3D1ADC3F7284491
SHA-256:	E06D76E1543A31F7BC71EA29D772368867B8A971C303B5CA10EE224F69D814AE
SHA-512:	8A57090E6156AD7D73CC637E6BDA63F74E896F8A6A53581A2A4D12996AFB49CBE9B27DD18AD2DB2FEE6E9CC1750F81CB1640394BC0C95C88085AFE1AA9CE18D5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.)..DN^.........." ................p..........@.............................0 .....@lx}..b.......................................... .+....c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\JFuMqIg\wscript.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	163840
Entropy (8bit):	5.729539450068024
Encrypted:	false
SSDEEP:	1536:8HSpBlnak9UH8bCAHZ1LQ434syPz7M5hh/kzhwS827HuYHwHugXEYJ6S7775MWUn:aC4HWCp/fM5hvNebgXEYJN73uWUZxtt
MD5:	9A68ADD12EB50DDE7586782C3EB9FF9C
SHA1:	2661E5F3562DD03C0ED21C33E2888E2FD1137D8C
SHA-256:	62A95C926C8513C9F3ACF65A5B33CBB88174555E2759C1B52DD6629F743A59ED
SHA-512:	156CAED6E1BF27B275E4BA0707FB550F1BF347A26361D6D3CAD12C612C327686950B47B6C5487110CF8B35A490FAADC812ADE3777FFF7ED76A528D970914A6E0
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................................................n.........Rich...................PE..d....U.E.........."......2...R......@*.........@....................................8w....`.............................................8...8...................................T.......T..........................................................................text..."1.......2.................. ..`.rdata..F....P.......6..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..T............t..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\S8mrk1\OLEACC.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2109440
Entropy (8bit):	3.578355139397792
Encrypted:	false
SSDEEP:	12288:qVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:3fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	D37540715730618EC4C8D8320D14BA1F
SHA1:	61DE879F216BFDFC426752CA83E326632F229203
SHA-256:	828D0A3C802DBDB43DB11772E7AB9432AC794124F5C1766D7B89802A35094B7B
SHA-512:	20ACED35734330011806C82F3523BF15B3E3CB5E2FCBDBA861A9FB4496F6249198AFCBCCA0271E65B3184B555041E122C76D67991E7903FD3F31FF6A3FE9B3A5
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.)..DN^.........." ................p..........@.............................0 .....@lx}..b.......................................... ......c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3292160
Entropy (8bit):	4.311007815185121
Encrypted:	false
SSDEEP:	24576:+oNva52v20/OB1b1v+YMTvlcZbbAbn3ItpG:VNtv20/OB1hXulc10L4tp
MD5:	9012F9C6AC7F3F99ECDD37E24C9AC3BB
SHA1:	7B8268C1B847301C0B5372C2A76CCE326C74991E
SHA-256:	4E30A8C88C755944145F2BC6C935EE5107C56832772F2561229E20CEAB1D10D2
SHA-512:	B76D2BE02A22990E224DBC5AED9E5B701EAC52C1376529DE3E90B084CD6860B88D746CD61093E93FC932E12FBAF45B4CA342CC0D9C9DAE4EAFE05921D83A7397
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........$...w...w...w...w...w...v...w...v...w...v...w...v...w...w'..w...v...w..mw...w..ow...w...v...wRich...w................PE..d.....i..........."..........v/.....0..........@..............................2.....I.2...`.......... ..............................................P..(;...0................2.\|...`...T.......................(....................................................text...9........................... ..`.rdata..............................@..@.data....0..........................@....pdata.......0......................@..@.rsrc...(;...P...<..................@..@.reloc..\|.....2......82.............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\eQL\WTSAPI32.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2109440
Entropy (8bit):	3.583321391509454
Encrypted:	false
SSDEEP:	12288:aVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:HfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	4FBEA39A2FFB22CDAEB407491596D80B
SHA1:	EB0102854221347A1F395685A8B10591F0A7A275
SHA-256:	ABF264AEB0738742100E969CAFC9328B84070A69D87CF920CE1A83628E13D47D
SHA-512:	E72BDBFE7B1CA46C9003AEACC1CB3B2BF766D1F8BD915DC5DEA965A44554F08299816E7E5ECA11D71BF10EBE4C6418126ED1CAD2934DC30279A3B74A75B39247
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.)..DN^.........." ................p..........@.............................0 .....@lx}..b.......................................... ......c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\eQL\raserver.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	128000
Entropy (8bit):	5.845576104002147
Encrypted:	false
SSDEEP:	3072:KPtuXlMcmw7mMH/5+fDxE/loYJZFr3kzH:plMcmzMH/5Sy/loYJZFSH
MD5:	DE2022F0B86E33875D8A40B65550CFEB
SHA1:	391DDE6C03A58D0FC0B4BF5AF46BD181584936C2
SHA-256:	95470F8DE7666C026DB37D2A754085BA3832358C422D6218126D293A67B2F60E
SHA-512:	903A9B137715B114D861BED86E4CAEB9772455DA6749E40C0DDA9758DEE5BDDF0DB3FB46B484556DD55162294C97A399105E3C3E8FDFC0D63F9A8967F99EDDAA
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................u.....................3...............Rich..................PE..d....Z............"................. ..........@.............................@.......u....`.......... ......................................p............6...................0..........T...........................0D..............0E..X......@....................text............................... ..`.rdata......0......................@..@.data... ...........................@....pdata..............................@..@.didat..............................@....rsrc....6.......8..................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\jYs4ma0u\ACTIVEDS.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2109440
Entropy (8bit):	3.5780991878185837
Encrypted:	false
SSDEEP:	12288:oVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:9fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	9E70F06EEB43B7684995C76AFF5E3B6F
SHA1:	3245C9D942678CAA6CC3B3FE91B84B8BBA961B0B
SHA-256:	8BADF14EA6C4EC41342CAB9CA944EA6D1CA4B76E3A65DFA11E94736B78E4E16F
SHA-512:	0FE463B9EDF9E3723E5E738F9D417D9CED2FE8D85BBC4CDA67CFA4FC02FE5835F9DC2CD0F126912343E5D314C2C3F6D4536D66EAD905A3AC827680373A6C4F39
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.)..DN^.........." ................p..........@.............................0 .....@lx}..b.......................................... .y....c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	577024
Entropy (8bit):	7.365924302927238
Encrypted:	false
SSDEEP:	12288:KEpKNOQ/1mgFgnHF+2ryqfut4iob3vBzx4PQpIQbwhsi:lpKbbFgl+2Oqfuqiob3JUFs
MD5:	809E11DECADAEBE2454EFEDD620C4769
SHA1:	A121B9FC2010247C65CE8975FE4D88F5E9AC953E
SHA-256:	8906D8D8BCD7C8302A3E56EA2EBD0357748ACC9D3FDA91925609C742384B9CC2
SHA-512:	F78F46437C011C102A9BCEC2A8565EDC75500C9448AC17457FF44D3C8DB1980F772C0D1546F1DEE0F8A6F2C7273A5A915860B768DE9BB24EBEFE2907CE18B0DF
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%.].a.3.a.3.a.3.h.u.3...6.`.3...7.t.3...2.n.3.a.2...3...=.r.3...0.e.3....`.3...1.`.3.Richa.3.........PE..d...b.............".................0..........@................CS P................3................ .......................................Y..h................J......................T............................S...............z..`............................text............................... ..`?g_Encry.-.......................... ..`.rdata..._.......`..................@..@.data........p.......V..............@....pdata...J.......L...d..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\yoY8Y\XmlLite.dll Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2109440
Entropy (8bit):	3.576064881611147
Encrypted:	false
SSDEEP:	12288:fVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:WfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
MD5:	960BA4F38C3F96CA6C088B732D12F98D
SHA1:	2282B2027E83696813DAE22FA050CBEE25641814
SHA-256:	60843D78DAAA68AB9F7A82D127138C6E67DD47F2CA7C1C47820CAD85FFA4879F
SHA-512:	E709B8EF755F827DC853BDD5DD69FE2863B1918FF9EED50815DC347D71236F8B1292ADFD176E4CE948192B34AECCD6F3BDF3B700ED241F7EDB79F37EE006F42B
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|..[.K./}...I.h}..u.Y.k\|.......\|..W"...\|..b.L.t\|...\|...}......N\|..2%...\|..Rich.\|..............................................................................................................PE..d.)..DN^.........." ................p..........@.............................0 .....@lx}..b.......................................... ......c..........h.......................$#................................................... ...............................text............................... ..`.rdata..,O... ...P... ..............@..@.data....x...p.......p..............@....pdata..,...........................A..@.rsrc...............................@..@.reloc..$#.......0..................@..B.qkm....J....@.......@..............@..@.cvjb...f...

C:\Users\user\AppData\Local\yoY8Y\ddodiag.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	37888
Entropy (8bit):	5.0324146638870335
Encrypted:	false
SSDEEP:	768:Ii5tlKBaheiGK/hc3aZkLmMgMaouZl6i9Kott/D:/C0heiGK/hc3aZkLmMgMaouZl6i9t/D
MD5:	3CE911D7C12A2EFA9108514013BD17FE
SHA1:	2F739BD7731932A0BF13A3B8526FC867EC41C63E
SHA-256:	FC55CB5FF243496B039D3DB181BD846BDD38D11C7D52E4BA20D882B65FBE1C3B
SHA-512:	33F4FD94916DB3F0BC4E138DD88125D9B45108F7EECFDE0A54BE1901F4BE3F1966BC0FE9278A919A3D94AEC53A8269ACA9451EBA7D53C82BF64CC215522AD78E
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.=...S...S...S.s.P...S.s.W...S.s.V...S.s.R...S...R.$.S.s.Z...S.s....S.s.Q...S.Rich..S.........PE..d...~3............"......&...p......p/.........@.....................................q....`.......... .......................................~..d.......p.......................(...`z..T........................... E.............. F...............................text...P%.......&.................. ..`.rdata.."D...@...F...*..............@..@.data................p..............@....pdata..............................@..@.rsrc...p...........................@..@.reloc..(...........................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a Download File
Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	4442
Entropy (8bit):	5.464429481363534
Encrypted:	false
SSDEEP:	48:F3sV8UzB4ghZgNEDJN5G/3sV8Uwfg5p+sDw/RsSUZQKrt:F3sV8a26iQm3sV8SWsDOJ0Z
MD5:	F8E3EE8D7E508146B4D4A69987A397E0
SHA1:	117280869E2C01839C86F013FED869887721D73B
SHA-256:	B1C8DC44B2B3A83A1B831665D934AABEA14BE2F52C02D859C9728A1ED3AB64FB
SHA-512:	4835D8A9F18EA4755A5BDCB3D04F315BB9E528F90394CEE9C274F7188A5B59922ACD6088EDE6DA7CCFF9D7611CBF3A4E14AF8FD85D0EFC3F3760866B879BCABB
Malicious:	false
Reputation:	unknown
Preview:	........................................user.........................................user.....................RSA1................1P...v.........@..\|V..3..>.}.&....E. ..G .pd?...l..w.....!.W.}.......c9>T4.:...@....'SI...x.7.e.J......8.p..\|....p]. .........................z..O......A\..1..F..:M...F....,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ....E#^.C.I...^0..rRQ2..................... ...`....#.$.......9. ........0.................X..........p.......X-.....Qx.s......{..@.........6w..N....>3Dp.Q...!.^....K.-q7.......`.....WOp..v$K.R..Y.1..U...cj.r`...^.1\|_. X..).:.U^.SF.O=.....P;....w.zz.FV...h.)...0.O.&....i...#..... 6.W~.I.N\q.+.C.....>...S.....Y..].g.t.8.x... }..H..o..gC...9.>T:R....Oa]........,"..M..R%..b.L.....#..!i...5jTIp).$t&+.Ip..Jj...3.B.F.F...gv.o...J...n:..t....E..@........kR.q6...T!.....v ?~..s7.....LW=I.?.Iu!....s..VH....T\|+/...t..F.......d.l.f..y.......$...\|*...X....l...@..O}....Gi....Y+Z....q.(.5...%...+c.+3f+..

Static File Info

General
File type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy (8bit):	3.58956560239292
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	yWteP7e12z.dll
File size:	2105344
MD5:	a75be08d11b5028b6e0fa8be59676599
SHA1:	c47a48e04dc10641df07dba7dbbb73602e6615aa
SHA256:	7500211dd9ce4e45664ae07e4eb58ca361c4551f1c2b52d00bb0da547e9cdc2a
SHA512:	444d9ddbdbfac48953e01df6ed9376a78de22f6ae5d8155e5325a8482c228f96c099985ac4b9fd2e5447090380e535bdad59f59b7ebfa20578cd2038262a53b8
SSDEEP:	12288:LVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:KfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|....K.#}...'...}......{}....X.#}....f..\|....g..}.....a\|.......}....N..}.....E}..[.I.E\|...'..U}....N.+}..[.K.P\|.

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x140041070
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x5E4E44CC [Thu Feb 20 08:35:24 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	6668be91e2c948b183827f040944057f

Entrypoint Preview

Instruction
dec eax
xor eax, eax
dec eax
add eax, 5Ah
dec eax
mov dword ptr [00073D82h], ecx
dec eax
lea ecx, dword ptr [FFFFECABh]
dec eax
mov dword ptr [00073D7Ch], edx
dec eax
add eax, ecx
dec esp
mov dword ptr [00073D92h], ecx
dec esp
mov dword ptr [00073DA3h], ebp
dec esp
mov dword ptr [00073D7Ch], eax
dec esp
mov dword ptr [00073D85h], edi
dec esp
mov dword ptr [00073D86h], esi
dec esp
mov dword ptr [00073D8Fh], esp
dec eax
mov ecx, eax
dec eax
sub ecx, 5Ah
dec eax
mov dword ptr [00073D89h], esi
dec eax
test eax, eax
je 00007FEB80B363DFh
dec eax
mov dword ptr [00073D45h], esp
dec eax
mov dword ptr [00073D36h], ebp
dec eax
mov dword ptr [00073D7Fh], ebx
dec eax
mov dword ptr [00073D70h], edi
dec eax
test eax, eax
je 00007FEB80B363BEh
jmp ecx
dec eax
add edi, ecx
dec eax
mov dword ptr [FFFFEC37h], ecx
dec eax
xor ecx, eax
jmp ecx
retn 0008h
ud2
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebx
dec eax
sub esp, 00000080h
mov eax, F957B016h
mov byte ptr [esp+7Fh], 00000037h
mov edx, dword ptr [esp+78h]
inc ecx
mov eax, edx
inc ecx
or eax, 5D262B0Ch
inc esp
mov dword ptr [esp+78h], eax
dec eax
mov dword ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[LNK] VS2012 UPD4 build 61030
[ASM] VS2013 UPD2 build 30501
[ C ] VS2012 UPD2 build 60315
[C++] VS2013 UPD4 build 31101
[RES] VS2012 UPD3 build 60610
[LNK] VS2017 v15.5.4 build 25834
[ C ] VS2017 v15.5.4 build 25834
[ASM] VS2010 build 30319
[EXP] VS2015 UPD1 build 23506
[IMP] VS2008 SP1 build 30729
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD2 build 60315
[C++] VS2015 UPD1 build 23506
[ C ] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x201010	0x9bd	.fcbpa
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa6390	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc0000	0x468	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc1000	0x2324	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x42000	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x40796	0x41000	False	0.776085486779	data	7.73364605679	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x42000	0x64f2c	0x65000	False	0.702390160891	data	7.86574512659	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa7000	0x178b8	0x18000	False	0.0694580078125	data	3.31515306295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0xbf000	0x12c	0x1000	False	0.06005859375	PEX Binary Archive	0.581723022719	IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc0000	0x880	0x1000	False	0.139892578125	data	1.23838501563	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc1000	0x2324	0x3000	False	0.0498046875	data	4.65321444248	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.qkm	0xc4000	0x74a	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.cvjb	0xc5000	0x1e66	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tlmkv	0xc7000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wucsxe	0xc8000	0x45174	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fltwtj	0x10e000	0x1267	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.sfplio	0x110000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rpg	0x111000	0x45174	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bewzc	0x157000	0x1124	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vksvaw	0x159000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wmhg	0x15a000	0x1278	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kswemc	0x15c000	0x36d	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kaxfk	0x15d000	0x197d	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wualk	0x15f000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qwqp	0x160000	0x389	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.txp	0x161000	0x8fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ezxpm	0x162000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kdkmc	0x163000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vwqjj	0x164000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ute	0x165000	0x9cd	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.hzotrb	0x166000	0x3ba	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.mkb	0x167000	0x1278	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.plbi	0x169000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.dmwl	0x16a000	0x2da	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qorltm	0x16b000	0x141	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ubg	0x16c000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.lhm	0x16d000	0x1f2a	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wojiyd	0x16f000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ekv	0x170000	0x389	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vmf	0x171000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rqv	0x172000	0x197d	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rseab	0x174000	0x543	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pxtlo	0x175000	0x45174	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.nri	0x1bb000	0x45174	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fcbpa	0x201000	0x9cd	0x1000	False	0.323974609375	data	4.02720598472	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xc00a0	0x370	data	English	United States
RT_MANIFEST	0xc0410	0x56	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
USER32.dll	LookupIconIdFromDirectoryEx, WaitForInputIdle, GetParent, GetFocus
SETUPAPI.dll	CM_Get_Resource_Conflict_DetailsW
KERNEL32.dll	DeleteCriticalSection, DeleteTimerQueue, TerminateJobObject, GetFileInformationByHandle, GetThreadLocale, GetNamedPipeServerProcessId, GetConsoleFontSize
GDI32.dll	CreateBitmapIndirect, GetPolyFillMode
CRYPT32.dll	CertGetCTLContextProperty
ADVAPI32.dll	AddAccessDeniedObjectAce
SHLWAPI.dll	ChrCmpIW

Exports

Name	Ordinal	Address
BeginBufferedAnimation	37	0x14000e1c4
BeginBufferedPaint	38	0x140034960
BeginPanningFeedback	5	0x14000dde8
BufferedPaintClear	39	0x14003e2a0
BufferedPaintInit	40	0x140011420
BufferedPaintRenderAnimation	41	0x140027838
BufferedPaintSetAlpha	42	0x14003c940
BufferedPaintStopAllAnimations	51	0x14000d880
BufferedPaintUnInit	52	0x14000c8e8
CloseThemeData	53	0x14002b608
DrawThemeBackground	54	0x1400333ec
DrawThemeBackgroundEx	47	0x1400377b0
DrawThemeEdge	55	0x14003fa10
DrawThemeIcon	56	0x1400182a8
DrawThemeParentBackground	57	0x14000278c
DrawThemeParentBackgroundEx	58	0x140013d80
DrawThemeText	59	0x140013a38
DrawThemeTextEx	70	0x140005e30
EnableThemeDialogTexture	71	0x14000d0a0
EnableTheming	87	0x14001596c
EndBufferedAnimation	88	0x140001da4
EndBufferedPaint	89	0x140022970
EndPanningFeedback	6	0x140007acc
GetBufferedPaintBits	90	0x140025dbc
GetBufferedPaintDC	91	0x140009a64
GetBufferedPaintTargetDC	92	0x1400116c8
GetBufferedPaintTargetRect	93	0x14000ac90
GetCurrentThemeName	94	0x14001e7dc
GetThemeAppProperties	95	0x14000e1e8
GetThemeBackgroundContentRect	96	0x14003c528
GetThemeBackgroundExtent	97	0x140016f60
GetThemeBackgroundRegion	98	0x1400325d0
GetThemeBitmap	99	0x14000efcc
GetThemeBool	100	0x1400253cc
GetThemeColor	101	0x14001af54
GetThemeDocumentationProperty	102	0x140007628
GetThemeEnumValue	103	0x140034af4
GetThemeFilename	104	0x14001d0a4
GetThemeFont	105	0x14000446c
GetThemeInt	106	0x1400243b4
GetThemeIntList	107	0x140012d4c
GetThemeMargins	108	0x14003ddf0
GetThemeMetric	109	0x140031c30
GetThemePartSize	110	0x14001aa3c
GetThemePosition	111	0x140027f54
GetThemePropertyOrigin	112	0x1400207b0
GetThemeRect	113	0x14000bb50
GetThemeStream	114	0x14001e4bc
GetThemeString	115	0x14003f730
GetThemeSysBool	116	0x140032c84
GetThemeSysColor	117	0x14001a024
GetThemeSysColorBrush	118	0x140009020
GetThemeSysFont	119	0x1400251f0
GetThemeSysInt	120	0x140011e80
GetThemeSysSize	121	0x140021080
GetThemeSysString	122	0x14002c904
GetThemeTextExtent	123	0x1400288cc
GetThemeTextMetrics	124	0x14000db14
GetThemeTransitionDuration	125	0x1400028b0
GetWindowTheme	126	0x14002f9c0
HitTestThemeBackground	127	0x1400338b8
IsAppThemed	128	0x14001ae64
IsCompositionActive	129	0x14002754c
IsThemeActive	130	0x14002da10
IsThemeBackgroundPartiallyTransparent	131	0x140014d68
IsThemeDialogTextureEnabled	132	0x140014cac
IsThemePartDefined	133	0x140001c1c
OpenThemeData	134	0x14001d6c0
OpenThemeDataEx	61	0x140021568
SetThemeAppProperties	135	0x1400140a4
SetWindowTheme	136	0x14001dd7c
SetWindowThemeAttribute	137	0x14002b344
ThemeInitApiHook	138	0x14001a594
UpdatePanningFeedback	12	0x140011150

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. All rights reserv
InternalName	bitsp
FileVersion	7.5.7600.16385 (win7_rtm.090713-
CompanyName	Microsoft Corporati
ProductName	Microsoft Windows Operating S
ProductVersion	6.1.7600
FileDescription	Background Intellig
OriginalFilename	kbdy
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 29, 2021 01:31:13.054862022 CEST	54154	53	192.168.2.3	8.8.8.8
Sep 29, 2021 01:31:13.074254036 CEST	53	54154	8.8.8.8	192.168.2.3
Sep 29, 2021 01:31:38.226092100 CEST	52806	53	192.168.2.3	8.8.8.8
Sep 29, 2021 01:31:38.263222933 CEST	53	52806	8.8.8.8	192.168.2.3
Sep 29, 2021 01:31:59.954021931 CEST	53910	53	192.168.2.3	8.8.8.8
Sep 29, 2021 01:32:00.020800114 CEST	53	53910	8.8.8.8	192.168.2.3
Sep 29, 2021 01:32:00.988364935 CEST	64021	53	192.168.2.3	8.8.8.8
Sep 29, 2021 01:32:01.072475910 CEST	53	64021	8.8.8.8	192.168.2.3
Sep 29, 2021 01:32:01.635704041 CEST	60784	53	192.168.2.3	8.8.8.8
Sep 29, 2021 01:32:01.723259926 CEST	53	60784	8.8.8.8	192.168.2.3
Sep 29, 2021 01:32:02.036216021 CEST	51143	53	192.168.2.3	8.8.8.8
Sep 29, 2021 01:32:02.052841902 CEST	53	51143	8.8.8.8	192.168.2.3
Sep 29, 2021 01:32:02.466451883 CEST	56009	53	192.168.2.3	8.8.8.8
Sep 29, 2021 01:32:02.479648113 CEST	53	56009	8.8.8.8	192.168.2.3
Sep 29, 2021 01:32:02.879232883 CEST	59026	53	192.168.2.3	8.8.8.8
Sep 29, 2021 01:32:02.892606974 CEST	53	59026	8.8.8.8	192.168.2.3
Sep 29, 2021 01:32:03.623147011 CEST	49572	53	192.168.2.3	8.8.8.8
Sep 29, 2021 01:32:03.706111908 CEST	53	49572	8.8.8.8	192.168.2.3
Sep 29, 2021 01:32:04.821763992 CEST	60823	53	192.168.2.3	8.8.8.8
Sep 29, 2021 01:32:04.835903883 CEST	53	60823	8.8.8.8	192.168.2.3
Sep 29, 2021 01:32:05.557941914 CEST	52130	53	192.168.2.3	8.8.8.8
Sep 29, 2021 01:32:05.580034971 CEST	53	52130	8.8.8.8	192.168.2.3
Sep 29, 2021 01:32:05.670160055 CEST	55102	53	192.168.2.3	8.8.8.8
Sep 29, 2021 01:32:05.684632063 CEST	53	55102	8.8.8.8	192.168.2.3
Sep 29, 2021 01:32:06.011302948 CEST	56236	53	192.168.2.3	8.8.8.8
Sep 29, 2021 01:32:06.027302027 CEST	53	56236	8.8.8.8	192.168.2.3
Sep 29, 2021 01:32:06.614862919 CEST	56527	53	192.168.2.3	8.8.8.8
Sep 29, 2021 01:32:06.628751993 CEST	53	56527	8.8.8.8	192.168.2.3
Sep 29, 2021 01:32:07.293760061 CEST	49559	53	192.168.2.3	8.8.8.8
Sep 29, 2021 01:32:07.321690083 CEST	53	49559	8.8.8.8	192.168.2.3
Sep 29, 2021 01:32:10.907967091 CEST	52650	53	192.168.2.3	8.8.8.8
Sep 29, 2021 01:32:10.935909033 CEST	53	52650	8.8.8.8	192.168.2.3
Sep 29, 2021 01:32:13.451327085 CEST	63297	53	192.168.2.3	8.8.8.8
Sep 29, 2021 01:32:13.471812010 CEST	53	63297	8.8.8.8	192.168.2.3
Sep 29, 2021 01:32:13.584922075 CEST	58361	53	192.168.2.3	8.8.8.8
Sep 29, 2021 01:32:13.615865946 CEST	53	58361	8.8.8.8	192.168.2.3
Sep 29, 2021 01:32:21.566078901 CEST	53615	53	192.168.2.3	8.8.8.8
Sep 29, 2021 01:32:21.581753016 CEST	53	53615	8.8.8.8	192.168.2.3
Sep 29, 2021 01:32:39.901835918 CEST	50728	53	192.168.2.3	8.8.8.8
Sep 29, 2021 01:32:39.931700945 CEST	53	50728	8.8.8.8	192.168.2.3
Sep 29, 2021 01:32:46.614447117 CEST	53777	53	192.168.2.3	8.8.8.8
Sep 29, 2021 01:32:46.643491030 CEST	53	53777	8.8.8.8	192.168.2.3
Sep 29, 2021 01:33:04.313590050 CEST	57106	53	192.168.2.3	8.8.8.8
Sep 29, 2021 01:33:04.331159115 CEST	53	57106	8.8.8.8	192.168.2.3
Sep 29, 2021 01:33:29.165997028 CEST	60352	53	192.168.2.3	8.8.8.8
Sep 29, 2021 01:33:29.179877043 CEST	53	60352	8.8.8.8	192.168.2.3
Sep 29, 2021 01:33:42.497419119 CEST	56773	53	192.168.2.3	8.8.8.8
Sep 29, 2021 01:33:42.511296034 CEST	53	56773	8.8.8.8	192.168.2.3
Sep 29, 2021 01:33:49.308461905 CEST	60982	53	192.168.2.3	8.8.8.8
Sep 29, 2021 01:33:49.324182987 CEST	53	60982	8.8.8.8	192.168.2.3
Sep 29, 2021 01:34:00.461139917 CEST	58058	53	192.168.2.3	8.8.8.8
Sep 29, 2021 01:34:00.476252079 CEST	53	58058	8.8.8.8	192.168.2.3
Sep 29, 2021 01:34:37.127656937 CEST	64367	53	192.168.2.3	8.8.8.8
Sep 29, 2021 01:34:37.140685081 CEST	53	64367	8.8.8.8	192.168.2.3

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll64.exe PID: 6928 Parent PID: 5496

General

Start time:	01:31:16
Start date:	29/09/2021
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe 'C:\Users\user\Desktop\yWteP7e12z.dll'
Imagebase:	0x7ff6440f0000
File size:	1136128 bytes
MD5 hash:	E0CC9D126C39A9D2FA1CAD5027EBBD18
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 4668 Parent PID: 6928

General

Start time:	01:31:17
Start date:	29/09/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\yWteP7e12z.dll',#1
Imagebase:	0x7ff786250000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4536 Parent PID: 6928

General

Start time:	01:31:17
Start date:	29/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\yWteP7e12z.dll,BeginBufferedAnimation
Imagebase:	0x7ff7e9410000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.384630779.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4528 Parent PID: 4668

General

Start time:	01:31:17
Start date:	29/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe 'C:\Users\user\Desktop\yWteP7e12z.dll',#1
Imagebase:	0x7ff7e9410000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.290585928.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 3352 Parent PID: 4536

General

Start time:	01:31:19
Start date:	29/09/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff720ea0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6568 Parent PID: 6928

General

Start time:	01:31:20
Start date:	29/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\yWteP7e12z.dll,BeginBufferedPaint
Imagebase:	0x7ff7e9410000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000008.00000002.299168621.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 3912 Parent PID: 6928

General

Start time:	01:31:24
Start date:	29/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\yWteP7e12z.dll,BeginPanningFeedback
Imagebase:	0x7ff7e9410000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000009.00000002.305431916.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: recdisc.exe PID: 6628 Parent PID: 3352

General

Start time:	01:32:04
Start date:	29/09/2021
Path:	C:\Windows\System32\recdisc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\recdisc.exe
Imagebase:	0x7ff7400a0000
File size:	192512 bytes
MD5 hash:	D2AEFB37C329E455DC2C17D3AA049666
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: SnippingTool.exe PID: 7044 Parent PID: 3352

General

Start time:	01:32:04
Start date:	29/09/2021
Path:	C:\Windows\System32\SnippingTool.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SnippingTool.exe
Imagebase:	0x7ff75dea0000
File size:	3292160 bytes
MD5 hash:	9012F9C6AC7F3F99ECDD37E24C9AC3BB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: SnippingTool.exe PID: 6200 Parent PID: 3352

General

Start time:	01:32:06
Start date:	29/09/2021
Path:	C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\S8mrk1\SnippingTool.exe
Imagebase:	0x7ff73d040000
File size:	3292160 bytes
MD5 hash:	9012F9C6AC7F3F99ECDD37E24C9AC3BB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000013.00000002.415702992.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: raserver.exe PID: 3604 Parent PID: 3352

General

Start time:	01:32:18
Start date:	29/09/2021
Path:	C:\Windows\System32\raserver.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\raserver.exe
Imagebase:	0x7ff7f7510000
File size:	128000 bytes
MD5 hash:	DE2022F0B86E33875D8A40B65550CFEB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: raserver.exe PID: 2992 Parent PID: 3352

General

Start time:	01:32:19
Start date:	29/09/2021
Path:	C:\Users\user\AppData\Local\eQL\raserver.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\eQL\raserver.exe
Imagebase:	0x7ff74e110000
File size:	128000 bytes
MD5 hash:	DE2022F0B86E33875D8A40B65550CFEB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001A.00000002.443389132.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: ddodiag.exe PID: 5808 Parent PID: 3352

General

Start time:	01:32:30
Start date:	29/09/2021
Path:	C:\Windows\System32\ddodiag.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\ddodiag.exe
Imagebase:	0x7ff7da9c0000
File size:	37888 bytes
MD5 hash:	3CE911D7C12A2EFA9108514013BD17FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: ddodiag.exe PID: 5828 Parent PID: 3352

General

Start time:	01:32:31
Start date:	29/09/2021
Path:	C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Iz08tEz\ddodiag.exe
Imagebase:	0x7ff740980000
File size:	37888 bytes
MD5 hash:	3CE911D7C12A2EFA9108514013BD17FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001C.00000002.469517159.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: dccw.exe PID: 2364 Parent PID: 3352

General

Start time:	01:32:44
Start date:	29/09/2021
Path:	C:\Windows\System32\dccw.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\dccw.exe
Imagebase:	0x7ff722dc0000
File size:	657920 bytes
MD5 hash:	341515B9556F37E623777D1C377BCFAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: SppExtComObj.Exe PID: 6280 Parent PID: 3352

General

Start time:	01:32:46
Start date:	29/09/2021
Path:	C:\Windows\System32\SppExtComObj.Exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SppExtComObj.Exe
Imagebase:	0x7ff6c3600000
File size:	577024 bytes
MD5 hash:	809E11DECADAEBE2454EFEDD620C4769
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: SppExtComObj.Exe PID: 5620 Parent PID: 3352

General

Start time:	01:32:47
Start date:	29/09/2021
Path:	C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\jYs4ma0u\SppExtComObj.Exe
Imagebase:	0x7ff791460000
File size:	577024 bytes
MD5 hash:	809E11DECADAEBE2454EFEDD620C4769
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000020.00000002.502508138.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: WMPDMC.exe PID: 6628 Parent PID: 3352

General

Start time:	01:32:58
Start date:	29/09/2021
Path:	C:\Windows\System32\WMPDMC.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WMPDMC.exe
Imagebase:	0x7ff74b5f0000
File size:	1517568 bytes
MD5 hash:	4085FDA375E50214142BD740559F5835
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WMPDMC.exe PID: 6480 Parent PID: 3352

General

Start time:	01:32:59
Start date:	29/09/2021
Path:	C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\92ea6x\WMPDMC.exe
Imagebase:	0x7ff67b5f0000
File size:	1517568 bytes
MD5 hash:	4085FDA375E50214142BD740559F5835
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000022.00000002.529404050.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Chronological Activities

Analysis Process: wscript.exe PID: 5532 Parent PID: 3352

General

Start time:	01:33:11
Start date:	29/09/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wscript.exe
Imagebase:	0x7ff70a400000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: wscript.exe PID: 5012 Parent PID: 3352

General

Start time:	01:33:12
Start date:	29/09/2021
Path:	C:\Users\user\AppData\Local\JFuMqIg\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\JFuMqIg\wscript.exe
Imagebase:	0x7ff6e8920000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000025.00000002.556857266.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: BdeUISrv.exe PID: 5368 Parent PID: 3352

General

Start time:	01:33:23
Start date:	29/09/2021
Path:	C:\Windows\System32\BdeUISrv.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\BdeUISrv.exe
Imagebase:	0x7ff609f50000
File size:	52736 bytes
MD5 hash:	25D86BC656025F38D6E626B606F1D39D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: BdeUISrv.exe PID: 6080 Parent PID: 3352

General

Start time:	01:33:24
Start date:	29/09/2021
Path:	C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\2lBRPi\BdeUISrv.exe
Imagebase:	0x7ff6e6d60000
File size:	52736 bytes
MD5 hash:	25D86BC656025F38D6E626B606F1D39D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000029.00000002.583509816.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll64.exe PID: 6928 Parent PID: 5496 loaddll64.exeCOMMON

Executed Functions

Function 00000001400495B0, Relevance: 8.7, APIs: 2, Strings: 2, Instructions: 1727COMMON

Download Yara Rule

Strings

}*, xrefs: 0000000140049BDD
}*, xrefs: 0000000140049620

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: }*$}*
API String ID: 0-2047341001
Opcode ID: b2d8981d994e193b974dd97b3248349f041180fa9e1ee75c24f96b4e32672199
Instruction ID: dfe71950bb4b00d773a2c1e4d7d9ca62016f185058a51a46645e99606ce0912a
Opcode Fuzzy Hash: b2d8981d994e193b974dd97b3248349f041180fa9e1ee75c24f96b4e32672199
Instruction Fuzzy Hash: CDF2E476601B8481EB269F17D5503EE77A1F78EBC8F9A4025EB0A077B5DB38C945C348

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140036F30, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222COMMON

Download Yara Rule

APIs

FreeConsole.KERNELBASE ref: 000000014003704B
EntryPoint.YWTEP7E12Z ref: 00000001400370EE

Strings

d, xrefs: 0000000140037032
)8GV, xrefs: 0000000140037008

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ConsoleEntryFreePoint
String ID: )8GV$d
API String ID: 3550414006-3589632123
Opcode ID: d05d8187567b24d43b5378db4c26f8457bb6311b4b9be5c519ef70a53fb6d972
Instruction ID: d510f836e5bc92855b025e221ee4853bd72dbb3d22a76ed0b2795177c136f2ac
Opcode Fuzzy Hash: d05d8187567b24d43b5378db4c26f8457bb6311b4b9be5c519ef70a53fb6d972
Instruction Fuzzy Hash: 2C91983230064096EB26EB66D0513EE23A5AB9C7D4F914526BB1E47BFBEE34CA05C350

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005C340, Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 886COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE ref: 000000014005D101

Strings

sy;, xrefs: 000000014005C420
sy;, xrefs: 000000014005C9ED

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InfoSystem
String ID: sy;$sy;
API String ID: 31276548-3660992706
Opcode ID: 4ba7a1a776c1b2a8194e3aee1005776fcb25fed3b21deabde970c8a1fedf5655
Instruction ID: 6e6b9d6b41ba510f9365bd6ae70f9dc3139515c8db1fe8c3f4a6c85962f57752
Opcode Fuzzy Hash: 4ba7a1a776c1b2a8194e3aee1005776fcb25fed3b21deabde970c8a1fedf5655
Instruction Fuzzy Hash: 2A82DB72215B848AEB26CF27D4507E977E1F789BC4F498426EB4A077B6DB39C941C380

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004BD40, Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 789COMMON

Download Yara Rule

Strings

}*, xrefs: 000000014004BDB0
}*, xrefs: 000000014004C37C

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: }*$}*
API String ID: 0-2047341001
Opcode ID: 7295418c03dacbe62c915b6dd4b980e4d41f822c5e8600d002afc3f8743a909a
Instruction ID: 589d9863290c94d963c78ae1aba4b537ce1e649f887b860e334c2c2edf70769e
Opcode Fuzzy Hash: 7295418c03dacbe62c915b6dd4b980e4d41f822c5e8600d002afc3f8743a909a
Instruction Fuzzy Hash: B872E172211B8081EBA68F23D4547ED77A1F78DBC4F8A5125EB4A477B6EB38C944C348

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005D290, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 000000014005D2ED

Strings

., xrefs: 000000014005D36A

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileFindFirst
String ID: .
API String ID: 1974802433-248832578
Opcode ID: 676bd74008c321f1f054d2561c231ee4757c1d63a5241c01311e4a1111e2dca9
Instruction ID: 4bac0f1caae8588fed560e2f4dd75fe3b4005a9d196e6938d52e54566134f4c2
Opcode Fuzzy Hash: 676bd74008c321f1f054d2561c231ee4757c1d63a5241c01311e4a1111e2dca9
Instruction Fuzzy Hash: C841A43260564085FB76DB26E1003AD73A1A748BF8F184713EF69177E9DB7AC982C742

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140026CC0, Relevance: 2.9, Strings: 2, Instructions: 362COMMON

Download Yara Rule

Strings

)8GV, xrefs: 0000000140027120
)8GV, xrefs: 000000014002703B

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: )8GV$)8GV
API String ID: 0-993736920
Opcode ID: 5886ea82fe4a1d5b647365e044932bffc6999eebc1d65fac80672f325e465605
Instruction ID: e7db99c2ed76c24e9271fdfca30502f9120cd4f12b6678b2f47d4e41cadbe873
Opcode Fuzzy Hash: 5886ea82fe4a1d5b647365e044932bffc6999eebc1d65fac80672f325e465605
Instruction Fuzzy Hash: 3BF18F7272064095EB52EB72D8913EE6365FB993C8F900426BB0E47AFADF34CA45C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006A4B0, Relevance: 1.7, APIs: 1, Instructions: 237nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000000014006A550

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: c571d8b9788f13bc1a6c9d6d9ec75b3e860dc3d379630f9026fe8c942d3d5bbc
Instruction ID: ba306794fc56961ae9be9e8108b60f4a03202e28571258f9feaa1cffdeadac3d
Opcode Fuzzy Hash: c571d8b9788f13bc1a6c9d6d9ec75b3e860dc3d379630f9026fe8c942d3d5bbc
Instruction Fuzzy Hash: 25B16E36601B409AE712EF26D9403EE33A6F7497C8F645825EB4E47BA6DF38D524CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140048AC0, Relevance: 1.7, APIs: 1, Instructions: 185libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL ref: 0000000140048CDE

Part of subcall function 000000014005D1F0: FindNextFileW.KERNELBASE(?,?,CD3BEB56,0000000140048BFE), ref: 000000014005D21B

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileFindLoadNext
String ID:
API String ID: 50669962-0
Opcode ID: aa0438968589772fc8f2a9ec3ebe64abc64651e75ec2b3921e4afd98a3b5e278
Instruction ID: 5bbbb247b64301f03cc62f5655f26b2922a91791dd430743fbd3ba68f8766a4f
Opcode Fuzzy Hash: aa0438968589772fc8f2a9ec3ebe64abc64651e75ec2b3921e4afd98a3b5e278
Instruction Fuzzy Hash: 07819D3261568092FB22EB26E4513EE6365FBD83D4F814521FB4A57AEBEF38C605C704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140035270, Relevance: 1.7, APIs: 1, Instructions: 181COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140046C90: NtClose.NTDLL ref: 0000000140046CBE

ExitProcess.KERNEL32 ref: 00000001400354E1

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseExitProcess
String ID:
API String ID: 3487036407-0
Opcode ID: 5c30d9f3bf3ad5247cfe131953472b6de56d2531a4e84ebcbfa6a909151eb5a4
Instruction ID: 3d479053040576d7404e3dfab4813d6254088c9544e20b556efee73ce8d776a8
Opcode Fuzzy Hash: 5c30d9f3bf3ad5247cfe131953472b6de56d2531a4e84ebcbfa6a909151eb5a4
Instruction Fuzzy Hash: 5771BF32710A5096FB16EB72D4513EE2365AB883D9F844522BF5E53AFADF35C906C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140046C90, Relevance: 1.5, APIs: 1, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL ref: 0000000140046CBE

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: daec19cacdd098f1244212ea8e14a5d3e1bd9439d57025bc9e494c2d8b520846
Instruction ID: acc9ee73913d888b71121e4cedfe861758cf19cabea33dd7822bbf7d3cf7603a
Opcode Fuzzy Hash: daec19cacdd098f1244212ea8e14a5d3e1bd9439d57025bc9e494c2d8b520846
Instruction Fuzzy Hash: 42E08CA1741A0041EF265276D0803A812809B4D7B4E194B209A7D0B3E0EA3888898716

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400524B0, Relevance: .8, Instructions: 815COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1fe821b06c1a4823bb9271ec043e796f757224c870123343ecb03a76390b80a
Instruction ID: bccbce3911ab829ef3288d496869760cb1404da12fac801df191153d1e38d36e
Opcode Fuzzy Hash: b1fe821b06c1a4823bb9271ec043e796f757224c870123343ecb03a76390b80a
Instruction Fuzzy Hash: 9172CD72601B9485FB26CF17D4503E967A1FB8EFC4F998426EB0A077A5EB39C945C380

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140065B80, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef59d8dad7016460516c65c54e0757d465c5ab080b3c9532efa0d5a42b826e15
Instruction ID: 84a8ec628d281786b49b5e6f6f6dec0d0376b1c45e732984354cafa0c8984479
Opcode Fuzzy Hash: ef59d8dad7016460516c65c54e0757d465c5ab080b3c9532efa0d5a42b826e15
Instruction Fuzzy Hash: D761947121164102FE76B72399047EE5292AFAD3E4F650B21BF6E47BF9EE38C9018740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140034870, Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9551ae3eb8102b5ebebf946a3998feeee295eeedab946ed72fd7e67ef554d99f
Instruction ID: 713527809b35fed6260ebd230ad48717dd4fa7a304d79e310e96a8de0daf9cee
Opcode Fuzzy Hash: 9551ae3eb8102b5ebebf946a3998feeee295eeedab946ed72fd7e67ef554d99f
Instruction Fuzzy Hash: 5A717D32B04B4095FB12EBB2E4913DF67A5FBC8388F954025BB4957AAADF38D445CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140061360, Relevance: 6.3, APIs: 4, Instructions: 290registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 0000000140061459
RegEnumKeyW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00000001400614B4
RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 0000000140061539
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002,?), ref: 0000000140061664

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close$EnumOpen
String ID:
API String ID: 138425441-0
Opcode ID: 672031fc434e6626b90ea1da62f3c38a687c8b9296ffac50e7f6928d6a85a361
Instruction ID: 4377045c35190c944746a6ea10b9b47c13ce871b5e3b3a15cce40fdff127085f
Opcode Fuzzy Hash: 672031fc434e6626b90ea1da62f3c38a687c8b9296ffac50e7f6928d6a85a361
Instruction Fuzzy Hash: 5BC1A43120568082FE629B16E8503EEA791E7C97E0F6C4A21FB6E47BE5DE78C941C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000027B54B42252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0000027B54B423B0
VirtualProtect.KERNELBASE ref: 0000027B54B42471
RtlAvlRemoveNode.NTDLL ref: 0000027B54B425B4
VirtualProtect.KERNELBASE ref: 0000027B54B42677

Memory Dump Source

Source File: 00000000.00000002.312219206.0000027B54B40000.00000040.00000001.sdmp, Offset: 0000027B54B40000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: 930c77498da91333b6c8a6b4c81c02e00d05f7929e93d5575d8c36730acd1f84
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: FAB14376618BC486DB70CB5AE44079EB7A1F7C9B80F508126EECDA7B58DB79C8418F40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005F9F0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 000000014005FA4B

Strings

4aX, xrefs: 000000014005FA09

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DescriptorSecurity$ConvertString
String ID: 4aX
API String ID: 3907675253-4042356595
Opcode ID: a1249fc2010d9d5d05952f0359ba200457e66aefbced3d07103a2c3463c61beb
Instruction ID: 5c7b4eddd96f597e19123db416744eb931adcf52cf9da5c093af566d74744993
Opcode Fuzzy Hash: a1249fc2010d9d5d05952f0359ba200457e66aefbced3d07103a2c3463c61beb
Instruction Fuzzy Hash: EC216D72214B4582EA12EF66E1403DEB3A0FB8C7C4F844525EB8D07B6AEF39D625C745

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DAE0, Relevance: 3.1, APIs: 2, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44297aa2126b14dcd4d9c9accf23e52108ed4399094c5e3af94dd8103b7f7b57
Instruction ID: c5574eec75406f68cf122a08b4571db932f63f1e1c7d3e43579234279b4bb767
Opcode Fuzzy Hash: 44297aa2126b14dcd4d9c9accf23e52108ed4399094c5e3af94dd8103b7f7b57
Instruction Fuzzy Hash: A151D03130464182FA72EA63A4507EA77A2BB8CBD4F154527BF5A077E2EF7AC801C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DD30, Relevance: 3.1, APIs: 2, Instructions: 122fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 000000014005DDD8
ReadFile.KERNELBASE ref: 000000014005DE49

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 00f6d0f3771a8cfa98223a140d65de6735ec101d3a44d5ddd75e2d9def7749f0
Instruction ID: 869152f87e2051f324d9e8f0f01270def7d2743b76a8e6c9a5e95a296a3a7e26
Opcode Fuzzy Hash: 00f6d0f3771a8cfa98223a140d65de6735ec101d3a44d5ddd75e2d9def7749f0
Instruction Fuzzy Hash: A541583161464087EA62DB3AA4447AAB3A1FBD87E0F144712BB6D4B7F5DF39C802DB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DBB9, Relevance: 3.1, APIs: 2, Instructions: 79filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CreateTime
String ID:
API String ID: 1043708186-0
Opcode ID: 8a0a731fb1e22280383dc4c244850d697ffee92b9dbadae0b2290ba2595e9be9
Instruction ID: 944ab0cbe82d54181631abf043b2a82f72de4fdca767e43f24bb2c72b9c0c91f
Opcode Fuzzy Hash: 8a0a731fb1e22280383dc4c244850d697ffee92b9dbadae0b2290ba2595e9be9
Instruction Fuzzy Hash: 8D21B431214A4581EA72DB66A0407EA3795F78CBE4F184617EFAE077E5DF7AC806C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DBD2, Relevance: 3.1, APIs: 2, Instructions: 77filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CreateTime
String ID:
API String ID: 1043708186-0
Opcode ID: d6d835041d1b41abb3b5fe648f8f275da576c4891ed88a603463ed8b7f508fb5
Instruction ID: bee1728ae0ee1a0caa625709e376bb4aadd3217f15d1bcce0d190476addee932
Opcode Fuzzy Hash: d6d835041d1b41abb3b5fe648f8f275da576c4891ed88a603463ed8b7f508fb5
Instruction Fuzzy Hash: BE21D332311A4581EA72DA66A0407EA3795B78CBE4F184527AF9D077E5DE7AC806C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DBE8, Relevance: 3.1, APIs: 2, Instructions: 76filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CreateTime
String ID:
API String ID: 1043708186-0
Opcode ID: 6bbc7cb38f56b555cae5d46dc9eb85d7f0e424b0d62445df59964c24eed4e9f3
Instruction ID: a00dbcca095f64b26cda9c271166364bdf2e86a9b80154192fb139b54d898421
Opcode Fuzzy Hash: 6bbc7cb38f56b555cae5d46dc9eb85d7f0e424b0d62445df59964c24eed4e9f3
Instruction Fuzzy Hash: 5521E532315A4581EA72DB62A0407EE3791F78CBE4F184517AFAD077E5DE7AC806C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140060D10, Relevance: 3.1, APIs: 2, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014004890D), ref: 0000000140060D85
RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014004890D), ref: 0000000140060DE8

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 0af55b123fcd85ad11f65efe4d0ac2719b06ecdcd8a99680970ae4064010c44f
Instruction ID: 09cc4365fb23fa9fe14c599ab373ea3e5ec1bde103bfdbf39ccb6e9a9538c2db
Opcode Fuzzy Hash: 0af55b123fcd85ad11f65efe4d0ac2719b06ecdcd8a99680970ae4064010c44f
Instruction Fuzzy Hash: F521A37671569046EF52CB56E8003AFA391EB897F4F184621BF9C07BE8EA38D582C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005DBF8, Relevance: 3.1, APIs: 2, Instructions: 73filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CreateTime
String ID:
API String ID: 1043708186-0
Opcode ID: eb6f16229e65501cd5258548e2b4ff06530ad065b40e2a3bf9e2a9b945b11f61
Instruction ID: 68fcab11a3bde380270331896f94efb0ab36e54eb9d04e7f46ecdc112822b6b1
Opcode Fuzzy Hash: eb6f16229e65501cd5258548e2b4ff06530ad065b40e2a3bf9e2a9b945b11f61
Instruction Fuzzy Hash: 6821C132315A4541EA72DB62A0407EA3795F78CBE4F184627EFAD077E5DE7AC806C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140046F60, Relevance: 1.7, APIs: 1, Instructions: 216COMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32 ref: 0000000140046FDE

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 6fbd370f509e15ded848fb55215db030cd5a070b2eb2f404213be6c4e10dd337
Instruction ID: 560481d37deeb2f3cc02cd101c0a384bc9ca8e36dca6fa428839860d024f360c
Opcode Fuzzy Hash: 6fbd370f509e15ded848fb55215db030cd5a070b2eb2f404213be6c4e10dd337
Instruction Fuzzy Hash: EDA15D3271064099EB12EFB6C4913EE2365A7987C8F915126BF0D67AFAEF34C609C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005FDA0, Relevance: 1.6, APIs: 1, Instructions: 144synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNELBASE ref: 000000014005FEFE

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 6be956e981540fc735b56164f72d0aea79e48331418f8fd9eaab398243b5d8cf
Instruction ID: 2cd33cf12082532a652157af79f02d7873b375395221c82c38bac87e111ef697
Opcode Fuzzy Hash: 6be956e981540fc735b56164f72d0aea79e48331418f8fd9eaab398243b5d8cf
Instruction Fuzzy Hash: 6E51B2326117408AEB66EB22A0013EE6291EB9DBC4F580535FF4E477E6DF39C802D790

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005D1F0, Relevance: 1.6, APIs: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,?,CD3BEB56,0000000140048BFE), ref: 000000014005D21B

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: ff4ac6c2ef48f38791092f6d6c449714fc18167456ec2ef2bc1084d7df7feef3
Instruction ID: fe48dd106ee2d63de4642147a978de6f9e341aec22c75ad1205c2678dbe1ece1
Opcode Fuzzy Hash: ff4ac6c2ef48f38791092f6d6c449714fc18167456ec2ef2bc1084d7df7feef3
Instruction Fuzzy Hash: 80115B7561034082FF76DA6691047E933E1EB697C8F051013EF59472E9EB36C8D2C751

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140060BA0, Relevance: 1.5, APIs: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegEnumValueA.ADVAPI32 ref: 0000000140060C16

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: a3c12b60ccc1d223e9782810bc36042d204e1f874336debb41352ff4bff3a234
Instruction ID: 650aff04d41c3b1619de3e88208a4500c6b85af191ab70c767efd2679610bbe3
Opcode Fuzzy Hash: a3c12b60ccc1d223e9782810bc36042d204e1f874336debb41352ff4bff3a234
Instruction Fuzzy Hash: 1C112E72204B8486D7219F12E84039EB7A5F788B90FA89529EB8D43B58DF39D991CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140046690, Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

RtlCreateHeap.NTDLL ref: 00000001400466DD

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 21b05e3ef22cad88cebd019d8e45e363c17e6ba0707ecabdd33f955b9f4b15ed
Instruction ID: 54976bf3431427af6da968cf6b263ec8d4a99ac7c2bea2f2fd5649cd882baac1
Opcode Fuzzy Hash: 21b05e3ef22cad88cebd019d8e45e363c17e6ba0707ecabdd33f955b9f4b15ed
Instruction Fuzzy Hash: B901D635706A8082EB528712FA4039A73A0F78C3C4F198524EF884B7A5EF38C8518B44

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140046730, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

RtlDeleteBoundaryDescriptor.NTDLL ref: 000000014004678C

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: BoundaryDeleteDescriptor
String ID:
API String ID: 3203483114-0
Opcode ID: 7b0e43f28c4f526d6edd5220e1ccf75e5ddb2081b4342278c18d43c75b4d1ee9
Instruction ID: 7e2fcedd46cf55f04110c2a11ced308778be976df41b62f125aabd7639a18320
Opcode Fuzzy Hash: 7b0e43f28c4f526d6edd5220e1ccf75e5ddb2081b4342278c18d43c75b4d1ee9
Instruction Fuzzy Hash: 70F0F878A4730141FE6A63B354543A511821FCC7C4F0E8834AF095B7A6EE38CD518699

Uniqueness

Uniqueness Score: -1.00%

Function 0000027B54B42057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000027B54B429A8), ref: 0000027B54B420A7

Memory Dump Source

Source File: 00000000.00000002.312219206.0000027B54B40000.00000040.00000001.sdmp, Offset: 0000027B54B40000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: f4c5f852e18d628f1d77cf147a7bc7e15859071f97af1588b488ef8cd7c2a529
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: 24315A72615B9086D780DF5AE45875A7BA1F389BC4F608026FF8D97B28DF3AC442CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000000014002B6E0, Relevance: 8.2, Strings: 6, Instructions: 741COMMON

Download Yara Rule

Strings

3050, xrefs: 000000014002BB42
3050, xrefs: 000000014002B992
0020, xrefs: 000000014002BB49
GNOP, xrefs: 000000014002B9CB
0020, xrefs: 000000014002B98B
4040, xrefs: 000000014002BB6A

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 0020$0020$3050$3050$4040$GNOP
API String ID: 0-829999343
Opcode ID: 537da1a0c1bbc7e636232495bc2fdab7c2537f76630bc9218dea00809d8f4601
Instruction ID: 282167bc52f218920562f67345f8403ae15435ff558287d674a5e0b6e797f698
Opcode Fuzzy Hash: 537da1a0c1bbc7e636232495bc2fdab7c2537f76630bc9218dea00809d8f4601
Instruction Fuzzy Hash: 4172507261068195EB22EF26D8913EE6365FB983C8F804016FB4E475FAEF34CA45C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140071DC0, Relevance: 5.7, Strings: 4, Instructions: 682COMMON

Download Yara Rule

Strings

VUUU, xrefs: 000000014007213B
VUUU, xrefs: 0000000140072194
ERCP, xrefs: 0000000140071EED
VUUU, xrefs: 000000014007211B

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU
API String ID: 0-2165971703
Opcode ID: 203c99bb3d64071a34d91be2023c6ff0f734778017a54347eb9ef20583df3fc0
Instruction ID: a95f611128f1d5d13a9bca75b656ea52fec65ffdb08565925219bb8e60db198b
Opcode Fuzzy Hash: 203c99bb3d64071a34d91be2023c6ff0f734778017a54347eb9ef20583df3fc0
Instruction Fuzzy Hash: 2252BE727046848AEB6A8F6AD5503ED7BA1F3087D8F144116FF569BAE8D73CC981C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400667D0, Relevance: 5.4, Strings: 4, Instructions: 448COMMON

Download Yara Rule

Strings

SW, xrefs: 0000000140066A69
SW, xrefs: 0000000140066CA6
SW, xrefs: 0000000140066A1A
SW, xrefs: 0000000140066C49

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: SW$SW$SW$SW
API String ID: 0-1120820918
Opcode ID: 517e9c748c7166ea23e42337479b6e8f1bff1248af9cf0015b4bedbae01fd632
Instruction ID: 5271b3b9b35d550c8de01999338ba1aa790ab169e66fccb1d44a6718ff6f2241
Opcode Fuzzy Hash: 517e9c748c7166ea23e42337479b6e8f1bff1248af9cf0015b4bedbae01fd632
Instruction Fuzzy Hash: 4C026D3170160146EB62EB73D8603EE2396AB9C3C8F554925BB4D87BEAEF35DA01C310

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140031DF0, Relevance: 5.3, Strings: 4, Instructions: 270COMMON

Download Yara Rule

Strings

GC,, xrefs: 00000001400321D7
GC,, xrefs: 000000014003216C
GC,, xrefs: 0000000140031FC2
GC,, xrefs: 0000000140032008

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: GC,$GC,$GC,$GC,
API String ID: 0-2774350030
Opcode ID: 98649618faad92dfac345ced2ac743c97f2c410892ae2dd8dadb9da2da6be478
Instruction ID: dd0ba4053c6bdb050c0e262549aa376da4335980b2dde8bb0cc8774c9fa84b1c
Opcode Fuzzy Hash: 98649618faad92dfac345ced2ac743c97f2c410892ae2dd8dadb9da2da6be478
Instruction Fuzzy Hash: 39B14A3232168096EA16EB22D4513EFA765FBDC7C4F854425FB4E57ABAEE38C605C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140057950, Relevance: 4.5, Strings: 2, Instructions: 1977COMMON

Download Yara Rule

Strings

}*, xrefs: 0000000140057F89
}*, xrefs: 00000001400579C0

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: }*$}*
API String ID: 0-2047341001
Opcode ID: a0a69438047e54f28e9ccb842af0afe3b69bef60083965763f3b059d71ba89a0
Instruction ID: 7c281f25cbc51a2c663274e483e0a5d4adc9f9b548fde4e06667abda5a9e2262
Opcode Fuzzy Hash: a0a69438047e54f28e9ccb842af0afe3b69bef60083965763f3b059d71ba89a0
Instruction Fuzzy Hash: 6E03CB72201B8482EB26CF23D4543ED67A1F78DBC4F994416EF4A177A6EB3AC945C380

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400263C0, Relevance: 4.3, Strings: 3, Instructions: 519COMMON

Download Yara Rule

Strings

@, xrefs: 0000000140026B3F
)8GV, xrefs: 00000001400267B0
)8GV, xrefs: 0000000140026A4D

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: )8GV$)8GV$@
API String ID: 0-2802744955
Opcode ID: a3e8ee5ab549556569e9006b525bd9d1ac3761a68850dd604f4cfbeaa6d7384c
Instruction ID: d4403fa2ef2757ed15b0d897a8d3d48ae9d82dee7601a7ae60b507309942f45e
Opcode Fuzzy Hash: a3e8ee5ab549556569e9006b525bd9d1ac3761a68850dd604f4cfbeaa6d7384c
Instruction Fuzzy Hash: 8F326E72610A8095FB22EB72D8513EE6365FB997C8F940026BB4E476FADF34CA05C750

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400067B0, Relevance: 4.2, Strings: 3, Instructions: 406COMMON

Download Yara Rule

Strings

GET, xrefs: 000000014000688D, 000000014000689B
POST, xrefs: 0000000140006CF6
*/*, xrefs: 0000000140006D02

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: */*$GET$POST
API String ID: 0-3233530491
Opcode ID: f5c0abb872f3f3a9c24645541f102443df8f6c01efe130de31add9333cb11604
Instruction ID: 6cf15a5ed41f927c804a0d4041fd2741414eb33ceb6b5d93e391305a3a4948eb
Opcode Fuzzy Hash: f5c0abb872f3f3a9c24645541f102443df8f6c01efe130de31add9333cb11604
Instruction Fuzzy Hash: 57125C72610A8196EB11EF72E8913DE6765F7883D8F904122FB4E57AAADF34C249C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140035520, Relevance: 3.9, Strings: 3, Instructions: 117COMMON

Download Yara Rule

Strings

GC,, xrefs: 0000000140035665
GC,, xrefs: 0000000140035622
{QN, xrefs: 00000001400355E1

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: GC,$GC,${QN
API String ID: 0-3150587038
Opcode ID: fd0f7604477b89c46016288274ae5da6e1d22dae5e6d5d6e9033f3dbe6d447d0
Instruction ID: 9244b60d004d0bd22f383007071d62e4da67c70af0efad37e4d475a9577969ab
Opcode Fuzzy Hash: fd0f7604477b89c46016288274ae5da6e1d22dae5e6d5d6e9033f3dbe6d447d0
Instruction Fuzzy Hash: D851B3726017408AEB26AF72A0517DF3392EB98398F559529FB4E0BBE9DF39C401C741

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140025DB0, Relevance: 2.9, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

GC,, xrefs: 0000000140025E65
0, xrefs: 0000000140025FF4

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 0$GC,
API String ID: 0-3557465234
Opcode ID: 666bbe70a71d3c2c69398fa3d4293e156315b44e2ec60054ed199f516d69305b
Instruction ID: 8e8f5bced65d739128878f1be46f709eb140c798bd495bd8ba2efbba04664ca7
Opcode Fuzzy Hash: 666bbe70a71d3c2c69398fa3d4293e156315b44e2ec60054ed199f516d69305b
Instruction Fuzzy Hash: 90F1C132705B8086EB56DB26A5503EE77A5F788BC8F544029FF8A47BA9DF38C845C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002FB20, Relevance: 2.7, Strings: 2, Instructions: 200COMMON

Download Yara Rule

Strings

cLpS, xrefs: 000000014002FB46
cLpS, xrefs: 000000014002FB76

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: cLpS$cLpS
API String ID: 0-581437482
Opcode ID: ee193233b973f877082caca428861b37c4d86ff6b56278014f21858ccd893e61
Instruction ID: d6b56411a1e340b191dd7f08d0c8a8920ca136b0ade9766ce73097337fe28e3c
Opcode Fuzzy Hash: ee193233b973f877082caca428861b37c4d86ff6b56278014f21858ccd893e61
Instruction Fuzzy Hash: F5916E32700A41A6FB12EB72D5513ED2366AB983D8F900126BF1D97AFADF34D919D340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140039140, Relevance: 2.1, Strings: 1, Instructions: 866COMMON

Download Yara Rule

Strings

D, xrefs: 0000000140039B2B

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 0452af0be93170f0712028ec6d1a4f1ed763d309de66f3c97f53239ecee0938c
Instruction ID: a2166a60d7ca2b4a0d1872d5e3506bb785f107662951e93f9f6f62b20c08bf0e
Opcode Fuzzy Hash: 0452af0be93170f0712028ec6d1a4f1ed763d309de66f3c97f53239ecee0938c
Instruction Fuzzy Hash: 32827E3222468186EB13EB26D4907EF6365FBD8794F904612FB5A47AFADF38C605C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000C5C0, Relevance: 2.1, Strings: 1, Instructions: 865COMMON

Download Yara Rule

Strings

GET, xrefs: 000000014000C5D5

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: GET
API String ID: 0-1805413626
Opcode ID: 10a9cab01500edb3aab632b5fd7f2a1bd3141a9130328a12816a57488f7d5cf8
Instruction ID: e67aa13565bd515be4758c424d677281e7e48e69fdea67d752e56d6b70eb8f16
Opcode Fuzzy Hash: 10a9cab01500edb3aab632b5fd7f2a1bd3141a9130328a12816a57488f7d5cf8
Instruction Fuzzy Hash: 7182CFB262568082FB52EB26E491BEE6761F7C97C8F851022FB4A576E7CF38C505C701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140015120, Relevance: 2.1, APIs: 1, Instructions: 555COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32 ref: 000000014001530B

Part of subcall function 0000000140046C90: NtClose.NTDLL ref: 0000000140046CBE

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseEnvironmentExpandStrings
String ID:
API String ID: 1839112984-0
Opcode ID: 0c8cab0b1b935b3a37cb31b96907ffd9b34d960d626d1d55b93d79ad55693549
Instruction ID: c0dbe0ee55e83fb6c0f3bef3624a57e5635b4c6ed11a4d6c977be8f15ec7e338
Opcode Fuzzy Hash: 0c8cab0b1b935b3a37cb31b96907ffd9b34d960d626d1d55b93d79ad55693549
Instruction Fuzzy Hash: CB427E32710A4096FB12EB72D4913EE6765EB983D8F814422BB4D4BAFAEF34C645C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140019D20, Relevance: 2.0, APIs: 1, Instructions: 546COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40e1936ce1466a1017e738ae0ac7aa847660dc2e6b258b6821bd1dcd72aa8059
Instruction ID: abc698a25be580435ac5d46bd6b01b3c7dd535f90f9c32282677b8a643a0cbd6
Opcode Fuzzy Hash: 40e1936ce1466a1017e738ae0ac7aa847660dc2e6b258b6821bd1dcd72aa8059
Instruction Fuzzy Hash: 3C427D3271068095FB22EB76D8513EE2361EB993C8F904121BB0E5BAFAEF79C545C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140019580, Relevance: 2.0, APIs: 1, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4738e3fe64d1d4a136827329fea48ffdfa8dbfaacc033bdcb5be0b89d5978d7
Instruction ID: 0bcce83d19b55e388762cc41cc2fbdfa61478623d1bee2f25155124e52c32027
Opcode Fuzzy Hash: e4738e3fe64d1d4a136827329fea48ffdfa8dbfaacc033bdcb5be0b89d5978d7
Instruction Fuzzy Hash: 8A128E3271468095FB22EB72D8913EE2355EB997C4F804026BB4E5BAFADF35C605C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140006EB0, Relevance: 1.9, Strings: 1, Instructions: 651COMMON

Download Yara Rule

Strings

cLpS, xrefs: 00000001400072A3

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: cLpS
API String ID: 0-2886372077
Opcode ID: 39b3e9410c272ead3331ad6fef3a5a390c12b147565654b66b7ca87bf70ff1a0
Instruction ID: 96b4c198141fe6e7034ab14ad9d5ea3cda72442e6a1109ae0a48173783152c86
Opcode Fuzzy Hash: 39b3e9410c272ead3331ad6fef3a5a390c12b147565654b66b7ca87bf70ff1a0
Instruction Fuzzy Hash: CF528D7272464092FA12EB62E8517EE63A5FB9C7C4F814022BB4E57BBADF38C505C750

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400139D0, Relevance: 1.8, Strings: 1, Instructions: 571COMMON

Download Yara Rule

Strings

m, xrefs: 000000014001422E

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateMutex
String ID: m
API String ID: 1964310414-3775001192
Opcode ID: 548cbf9660611174ae7dc0bac9e348dfce328ca606fda0702f7edea96afa79e3
Instruction ID: 0a9d90af75a6ede7406656d6adb6787827cf479cbe6b14872f7c626c13ea0b6d
Opcode Fuzzy Hash: 548cbf9660611174ae7dc0bac9e348dfce328ca606fda0702f7edea96afa79e3
Instruction Fuzzy Hash: 6A529B32710A80A6F74EEB32C5913EE7369F788384F904026AB2947AE6DF34D576C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001D100, Relevance: 1.7, Strings: 1, Instructions: 497COMMON

Download Yara Rule

Strings

s( j, xrefs: 000000014001D128

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: s( j
API String ID: 0-1450404818
Opcode ID: 19985d2dc72a707ec5f83c91129fc97538500d80b5f4466283615156a38f1139
Instruction ID: 6f5b3d0b06e06ce3defbe5b62ba999e8dce43b7996f1ec96da6707378b1ebcba
Opcode Fuzzy Hash: 19985d2dc72a707ec5f83c91129fc97538500d80b5f4466283615156a38f1139
Instruction Fuzzy Hash: 14325632715B9085EB16EF66D8513ED73A5FB88B88F454026EB4E5BBAADF38C505C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140029780, Relevance: 1.7, Strings: 1, Instructions: 491COMMON

Download Yara Rule

Strings

kw9b, xrefs: 000000014002989A

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseEnumValue
String ID: kw9b
API String ID: 858281747-837114885
Opcode ID: f81a6af6aa5bae8f58b09e8056114ac14450d6ddc5e73db6d9253ff8d3da1ddd
Instruction ID: a79da12e532d7eb86b4034213f2927d281404f76e1d3d8be4d202bd2a10f559e
Opcode Fuzzy Hash: f81a6af6aa5bae8f58b09e8056114ac14450d6ddc5e73db6d9253ff8d3da1ddd
Instruction Fuzzy Hash: D622A03270064056FB22EB62E4513EE6361EB8C7D8F814625BB4E57AFADF38CA05C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140033BB0, Relevance: 1.7, Strings: 1, Instructions: 454COMMON

Download Yara Rule

Strings

U, xrefs: 000000014003408F

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: ba7432df101b9cf3a5babe4648e08d44601ea8e877a2baced26de989607f507f
Instruction ID: 04dcf981b535b3d5a04f4e0f983876b723d65533687fb2a3abc72c4897885b35
Opcode Fuzzy Hash: ba7432df101b9cf3a5babe4648e08d44601ea8e877a2baced26de989607f507f
Instruction Fuzzy Hash: 7A22A032714A8095FB22EB76D4913EE2761EB993D4F900122BB4E5BAFADF38C545C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140023530, Relevance: 1.7, Strings: 1, Instructions: 430COMMON

Download Yara Rule

Strings

Content-Type, xrefs: 000000014002385F

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: Content-Type
API String ID: 0-2058190213
Opcode ID: cd802d8b45f15130d3c27f80ef655ed1c5064d239956586ea4d9a7fa25c30ca4
Instruction ID: 8ed0294b40edec3e111ebf6e63eddced9ff886ac8d86313f53d4d34ac86a637b
Opcode Fuzzy Hash: cd802d8b45f15130d3c27f80ef655ed1c5064d239956586ea4d9a7fa25c30ca4
Instruction Fuzzy Hash: D0128B7271064096EB26EB72D0953EE63A5EB9D7C8F804029FB4E576B6DF34C909C341

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400389A0, Relevance: 1.6, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

0, xrefs: 0000000140038A46

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close
String ID: 0
API String ID: 3535843008-4108050209
Opcode ID: 7016f170174e11ab425f8740a2873dc54fd790cf1ab3d78218ff6c8b86cc580b
Instruction ID: 021d52728ad99ff4b45c00a2ee63d530dbb35c35c3e7b67721d4418a9cae59c0
Opcode Fuzzy Hash: 7016f170174e11ab425f8740a2873dc54fd790cf1ab3d78218ff6c8b86cc580b
Instruction Fuzzy Hash: A4D1483271064185EB22EB66D8503EF6365FB987C8F944421FF4E57AAAEF34CA05C340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400205A0, Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

, xrefs: 000000014002069B

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d615a8395c91a4f270b16f16243a88213025be9c74bd528c78ddbcfbe443d7c5
Instruction ID: 091f4e73938a5afec608f70625f4eed5baac112ec883e15b973b01c59944fd94
Opcode Fuzzy Hash: d615a8395c91a4f270b16f16243a88213025be9c74bd528c78ddbcfbe443d7c5
Instruction Fuzzy Hash: 8FB1903271164156FB26EB72C0513EE2365A78C7C8F554429BF0E67BEAEE34D906C350

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002EED0, Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

, xrefs: 000000014002F04E

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 266006fd5134fcae821d54f81f057cdba6f5be873c6199ef93d4c42334c526d2
Instruction ID: 79bcb73a3e0a748e54816e3c2b9a8955141e4b7d1d3c260807ef7fd3e9233e09
Opcode Fuzzy Hash: 266006fd5134fcae821d54f81f057cdba6f5be873c6199ef93d4c42334c526d2
Instruction Fuzzy Hash: 4681AF3171528042FA66AB63A5513EE6382BBDC7C0F954839BF0E57BEADE38C9019750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140023140, Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

tI*k, xrefs: 0000000140023300

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: tI*k
API String ID: 0-257501792
Opcode ID: b15996fbae463eef0efc9f4e5c4cbf386dde064011b2806a6f0ecd12f6b98297
Instruction ID: 2b3e36108f388e75195695150bf3b7502d87346db4925aa772ee75e92517338c
Opcode Fuzzy Hash: b15996fbae463eef0efc9f4e5c4cbf386dde064011b2806a6f0ecd12f6b98297
Instruction Fuzzy Hash: C891B332710A41C6FB12EB73D4913ED2365AB987C8F815026BF0E67AABDE34C605C391

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140078570, Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

ERCP, xrefs: 00000001400785BF

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ERCP
API String ID: 0-1384759551
Opcode ID: 9a8959bd3d8286152fe3b07e5e9b9c99826fd1463cb640f02497020a3b8cf481
Instruction ID: 36d71a898891e4cfc692b0c24b63e4f8a605753b41eb4ec31f3d0d909baacb04
Opcode Fuzzy Hash: 9a8959bd3d8286152fe3b07e5e9b9c99826fd1463cb640f02497020a3b8cf481
Instruction Fuzzy Hash: 8541C2677244554AE3189F2598213BE2391F7E8781B008838BBC7C3B99E97CCE41C754

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004F940, Relevance: .9, Instructions: 873COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb12e34294cccc152743157d68ecf537d73dadfb1b78744b1cf0542ab0e03321
Instruction ID: fc2f62d5942ef41123ea32f2955be4f6aadf7052ab01c2248917173129c7cd0f
Opcode Fuzzy Hash: cb12e34294cccc152743157d68ecf537d73dadfb1b78744b1cf0542ab0e03321
Instruction Fuzzy Hash: 8A82BD72301B8486EB269F23D4503EE67A5F78DFC4F964022EB4A577A6DB38C945C384

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140053F20, Relevance: .8, Instructions: 808COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7250f98c0d712e4fed8a9177b7990c03dbf5da58cb0dd37bc7f0a46ed34db0c
Instruction ID: b1defcb4bfd3908c290bb80924a7f4486985742b072abc47c5e9bd5be53152ef
Opcode Fuzzy Hash: d7250f98c0d712e4fed8a9177b7990c03dbf5da58cb0dd37bc7f0a46ed34db0c
Instruction Fuzzy Hash: FF72CE32601BA482EB26CF17E4503ED77A5FB99BC8F9A4016EB49477B6DB36C941C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140054BA0, Relevance: .8, Instructions: 797COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6290f3f4936625c1500c9bb5ab49f73b0f0e92f6783c0cfd327242af27f29f
Instruction ID: 8249503d4e55669e8e7119aec1729776b7b2f3ca46fae70a891a003f6664f3d4
Opcode Fuzzy Hash: 0b6290f3f4936625c1500c9bb5ab49f73b0f0e92f6783c0cfd327242af27f29f
Instruction Fuzzy Hash: 3472DF32201B9486EB26DB17E4603ED77A5FB9DBC5F894012EB4A477B6DB3AC941C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140016E80, Relevance: .7, Instructions: 739COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: e3af66671b5b614331ec7cf6e36132d82806e65a593ee42bfcdbdbcf9a6cfdc7
Instruction ID: 4fdb0601fab6f7a848b28641239d596080eab1ec2c6ff824b21f12e2ef69b5a1
Opcode Fuzzy Hash: e3af66671b5b614331ec7cf6e36132d82806e65a593ee42bfcdbdbcf9a6cfdc7
Instruction Fuzzy Hash: 48722D32724A4095EB02EB76D4913EE6765EB983C4FC05012BB4E879BBEF38C649C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014004EB60, Relevance: .7, Instructions: 687COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbf02e0b346a645ce41284f4b25ae6de0e0561089bc0c4212f6de5587c4ccb21
Instruction ID: d53d10191d1a85c044aba7f3ec212ac92ce5176a248edb2932ce54add84afe44
Opcode Fuzzy Hash: bbf02e0b346a645ce41284f4b25ae6de0e0561089bc0c4212f6de5587c4ccb21
Instruction Fuzzy Hash: 9D52BE72601B8081EB269F23D4543EE77A1F78CBC4F8A5426EB4A577B6DB38D845C348

Uniqueness

Uniqueness Score: -1.00%

Function 000000014007BD50, Relevance: .7, Instructions: 677COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd1d6ac494662c45c571e96f77a6e8211c4f0b163f6c515dcb42af03e52a945a
Instruction ID: 9c06e88039ccf999e040ad7794a2e2d02b6699145a9792014979c24fd1337f6c
Opcode Fuzzy Hash: dd1d6ac494662c45c571e96f77a6e8211c4f0b163f6c515dcb42af03e52a945a
Instruction Fuzzy Hash: B4623CB76206548BD7668F26C080B6C37B1F35DFA8F25521ADF0A43799CB39D891CB90

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003B220, Relevance: .6, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c541702096c1ae675d9f8552b841f1df762d73269a6d039e8a3e529e919bb3f5
Instruction ID: acd1ff4a64a9c803ec812a22a8ce79600e1464d52fdb42fb628072365476121f
Opcode Fuzzy Hash: c541702096c1ae675d9f8552b841f1df762d73269a6d039e8a3e529e919bb3f5
Instruction Fuzzy Hash: 64429E31301A8141FA23EB6698513EF6391EB8C7E8F544616BF5A5BBEAEE38C505C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140024440, Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc2a6e3d2e1231b3fe707f0d0f35a30ce2f56e53bfff03d4db06bbddff5caabd
Instruction ID: 78f3400fd7e206f6a511ea736ed45412fb3e7259efd4ed926287f6c9bd4c6aa7
Opcode Fuzzy Hash: fc2a6e3d2e1231b3fe707f0d0f35a30ce2f56e53bfff03d4db06bbddff5caabd
Instruction Fuzzy Hash: E6427C32204A8096EB66EB32D0513EE67A4E79D3C8F914026F79A876F7DF38C945C741

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140018630, Relevance: .6, Instructions: 558COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5df13ac6ad6b177f0d6348ee0792d0267ce7592fd72d9a49b7ba42017b7971a
Instruction ID: 8108868c1ca7c4f1afbe8bd34af9d7f1e96dfbbf12b1edd0cffad3fdf1fa0b6f
Opcode Fuzzy Hash: e5df13ac6ad6b177f0d6348ee0792d0267ce7592fd72d9a49b7ba42017b7971a
Instruction Fuzzy Hash: 3F429E3231068095FB22EB72D8913EE6765EB983D8F844122BB0D97AFADF34C645C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140023BF0, Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 060d71c651ab3aed04444553114f4ea5a7531cc3ca58c37faf4133b09f387ec2
Instruction ID: 183f2e46b23aa86a2c091461a645f9a581571388db0d92becfc597eb429af356
Opcode Fuzzy Hash: 060d71c651ab3aed04444553114f4ea5a7531cc3ca58c37faf4133b09f387ec2
Instruction Fuzzy Hash: 0732AB3271064089EB16EB36D4513EE27A5EB8CBD8F555126FF0E877BADE38C4868340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400123C0, Relevance: .5, Instructions: 544COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30db4ded57f65ad5fd13648519ecc6db5536df19e5deb93067b0525fe46ee407
Instruction ID: 71edd40f2b1ab928f6f3b4ddf8d26af45cb7d1258c95c78617a62a1a74f3288a
Opcode Fuzzy Hash: 30db4ded57f65ad5fd13648519ecc6db5536df19e5deb93067b0525fe46ee407
Instruction Fuzzy Hash: BF32AC3261068195EB12EB26D4913EE2765FB983C8F814122FB4E57AFBEF38C645C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000B120, Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8328b10af82aab1ef65ff433d7820bced4cba86e0066b221c3c838f9fd1e431
Instruction ID: 3ba19fba285517c5acd5c21b3c9b7592edaf423ca2de06bba8230fcf7af2400b
Opcode Fuzzy Hash: e8328b10af82aab1ef65ff433d7820bced4cba86e0066b221c3c838f9fd1e431
Instruction Fuzzy Hash: 3C429B72624A8095FB12EB62D4957EE2365FB983C8F814022FB0D57ABBDF34C649C750

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400381A0, Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ee38f4c6dee734349d5b0dcc202e437ae908f573234f4aff5f510a5883c84b0
Instruction ID: eb795f204498a8d956ef0de19ff8bd43d97085c04d8ed5933d3115b51340510f
Opcode Fuzzy Hash: 7ee38f4c6dee734349d5b0dcc202e437ae908f573234f4aff5f510a5883c84b0
Instruction Fuzzy Hash: 7022793270064186EA23EB2AD4957EF63A5EB88BD4F554626FF0A477F6EE34C506C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003A2E0, Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e8d1907d2a62ce1ae108db488a351868ceb64fffc9dd42578434a0f34ae656a
Instruction ID: 697e8bd1027fccc09012cb901671f32632dfdae7722e2c733c5167ca59ce0a7a
Opcode Fuzzy Hash: 1e8d1907d2a62ce1ae108db488a351868ceb64fffc9dd42578434a0f34ae656a
Instruction Fuzzy Hash: AE227C3271064186EA23EB26D4513EF63A1FB89BD4F544625EB4A577F6EF38C50AC340

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B390, Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71b3dc1032e7b852d429d3288fc6d56ff3ef19d98c02d1d103b4f123b92fc1f1
Instruction ID: 5c003effdee5129b35cf12aebe167f862a01b0c8d0d2f43ab9f1123e32a30f31
Opcode Fuzzy Hash: 71b3dc1032e7b852d429d3288fc6d56ff3ef19d98c02d1d103b4f123b92fc1f1
Instruction Fuzzy Hash: 8C0203B21082A489F7768B26C9413FA7BE2E759788F254906FB8A435F5D738C9C1D720

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000DDF0, Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e375be9be99e9838cc7803ed6e7672458d2ec84ccfc9a0c18b017f9565b827c
Instruction ID: c2c66f55aa66479377f68c186b881699d763759fa92e2ffabb716b860ed1a50b
Opcode Fuzzy Hash: 2e375be9be99e9838cc7803ed6e7672458d2ec84ccfc9a0c18b017f9565b827c
Instruction Fuzzy Hash: CD224D72710A8091EB12EB72D4913EE6765FB987C8F904116FB4E876BAEF38C245C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140005C40, Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f513173c25ae17789a403cea68c9e18d94625c6d02a52581dcb230289bad16b3
Instruction ID: 217fabc6e38e1d640ccd999207fddb20e056db183073941d35cbdb4b11e649c3
Opcode Fuzzy Hash: f513173c25ae17789a403cea68c9e18d94625c6d02a52581dcb230289bad16b3
Instruction Fuzzy Hash: 10229B72620A8091EB12EB62E4957EE2365F79D7C4F814022FB4E576BBDF38C609C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140067A40, Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ed167cb2d41bf65051b1e1e6ca4fc372791feb4efe79826a7b7afb1d034e643
Instruction ID: 3448a1cfdf5732c1482eebf940cb1862e5db89764351cf67f11e8459266109f6
Opcode Fuzzy Hash: 6ed167cb2d41bf65051b1e1e6ca4fc372791feb4efe79826a7b7afb1d034e643
Instruction Fuzzy Hash: CD026C727006418AEB12DF26D4907EE73A6F788BC4F614525EB0E977AADF34D90AC740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014000BB40, Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8296aae514971c10519780c04e533f569930ad849b100b0340065f0f39cb86db
Instruction ID: a963730c34943060851cd64ea719675db259de8104656558a9074d2de6a51302
Opcode Fuzzy Hash: 8296aae514971c10519780c04e533f569930ad849b100b0340065f0f39cb86db
Instruction Fuzzy Hash: 41128F7222468096FB52EB22D4917EE6765FBD93C8F811022FB4E57AABDF38C505C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140069010, Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$ClosePointerRead
String ID:
API String ID: 2610616218-0
Opcode ID: 95963d20b21cf3e2b12cfe18c6fe82eaabeff9446a80277d54ce9a7fffb05132
Instruction ID: 5afa6d75f76fbbc9d7f53df6043056336d1db5d7591574d5123318d553f9c856
Opcode Fuzzy Hash: 95963d20b21cf3e2b12cfe18c6fe82eaabeff9446a80277d54ce9a7fffb05132
Instruction Fuzzy Hash: 19124E3272469096EB12EF72D8913DE6765FB987C8F815022BB0D57AABDF34C605C710

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001E170, Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 9b801c6cfe21829965e01690717934929f301b57ebd9e24914ab7e4ccc7a8bd8
Instruction ID: ac8bef764291a5126b18a53dad73757551fec454a5992e6944e07fe4b855ac86
Opcode Fuzzy Hash: 9b801c6cfe21829965e01690717934929f301b57ebd9e24914ab7e4ccc7a8bd8
Instruction Fuzzy Hash: 2A023B32724A80A2FB52EB72D4913EE6764FB983C4F815022BB4D57AEADF35C545C710

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002FEC0, Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4119716334bae8ce4a12a511c9ef3e68b40bfa4d08e13555b81686db08763198
Instruction ID: b67327a95b15ec145a913cc43aeca3e3a8a77925bd43874970612b3ea802a6ff
Opcode Fuzzy Hash: 4119716334bae8ce4a12a511c9ef3e68b40bfa4d08e13555b81686db08763198
Instruction Fuzzy Hash: A802707272064095EB02EB66D4913EE6765FB987C8F905022FB4D83ABBEF34C649C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140002980, Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 8eff327b3244b5e4bcb204ecf2616417784072c62e8997917ef3bb952dc9c563
Instruction ID: 5d574d698b33f004de0812fa71b34c36bbdae31478704d480fb686f148b39898
Opcode Fuzzy Hash: 8eff327b3244b5e4bcb204ecf2616417784072c62e8997917ef3bb952dc9c563
Instruction Fuzzy Hash: EB024C72324A8096FB12EB62D4913EE6765EB983D4FC15022BB4E57AEBDF34C605C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140018F80, Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4831c91d88212ea6bae896733b605764c098bda2cb8106883d018c424b82a2c3
Instruction ID: d38a929efe70148cd0bcafb05e8c0916e90d43f0c382b2c9e415ecaf47ade149
Opcode Fuzzy Hash: 4831c91d88212ea6bae896733b605764c098bda2cb8106883d018c424b82a2c3
Instruction Fuzzy Hash: C8F16D32610A8095FB12EB76D8513EE6365EB983D8F940521BB0E57AFBEF35C605C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140010880, Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d8f91d721c478637f80766b80e37fef242b82150883bd374cc6845ff3be0a72
Instruction ID: f0fb79f68922493fed5bc905321703954c20a875d362dace52344ff7232635a8
Opcode Fuzzy Hash: 8d8f91d721c478637f80766b80e37fef242b82150883bd374cc6845ff3be0a72
Instruction Fuzzy Hash: D7029272320AA19AEB42DF36C8917EE2724F748789F805016FF4B57AAAEF35C545C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014001D910, Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$ClosePointerRead
String ID:
API String ID: 2610616218-0
Opcode ID: 05ee41dc75372f3184bd1bd526553eb93c41a596f4ef0b14bf7d6c74ff3eb6f4
Instruction ID: 9c3e8f75c9e591130820bb2956cb3806339feb13e112d9af22726fcddd3bd126
Opcode Fuzzy Hash: 05ee41dc75372f3184bd1bd526553eb93c41a596f4ef0b14bf7d6c74ff3eb6f4
Instruction Fuzzy Hash: 12026C32314A8095FB52EB72D4917EE2765EB983C4F805022BB4E97AEBDF35C649C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140033540, Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc591bb1ef0223378186731e544c118eab0e5afa1f11a9305b54302f8137c9b
Instruction ID: d0d419901b6e3c3183ee3913f1137c5e588d0fadc92f77f7791849e6aeb29d3b
Opcode Fuzzy Hash: 4fc591bb1ef0223378186731e544c118eab0e5afa1f11a9305b54302f8137c9b
Instruction Fuzzy Hash: 8A029132614A8095EB22EF32D4913EE6765FB98388F904412FB4E57AFADF34C649C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140017B40, Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb9de39e3049ab5455ed32541b517d82ebf0524dcb0a324d3a012e30b74715a
Instruction ID: fccd9241a873054b7c24d42fb58abb6f012b2f7f19fe3a4c061a127f88627f2a
Opcode Fuzzy Hash: adb9de39e3049ab5455ed32541b517d82ebf0524dcb0a324d3a012e30b74715a
Instruction Fuzzy Hash: 41E18E3271068095FB12EB76D8917EE6765EB983C8F804021BB0D5BAEBEF35C645C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002CB80, Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c0f4076e790a67f6d98515807fb9bce675ae33bef5415c9236f66c5c68241f2
Instruction ID: 02ee9b89192d395c78975687d30e6fb06be8b995001c736011e159ca0d17724c
Opcode Fuzzy Hash: 8c0f4076e790a67f6d98515807fb9bce675ae33bef5415c9236f66c5c68241f2
Instruction Fuzzy Hash: E2E13D32714A4095EB02EB66D4913EE6765FB983D8F900012FB4D97AFAEF34CA49C750

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400018D0, Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b36c55cc0c64182b75bd054714d27820267f0f2f65f1b0bf4452dbf409dd159
Instruction ID: 95da75048f27146dafc5de9d612871b80806eb61125b8034b1f63b71f4cba504
Opcode Fuzzy Hash: 4b36c55cc0c64182b75bd054714d27820267f0f2f65f1b0bf4452dbf409dd159
Instruction Fuzzy Hash: 47F12C3262498096EB12EB62D8513ED6365FBD8388F814522BB4E479FBEF74CA05C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003AAC0, Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e7780c785dee08e0bb9155763342d8440fe36315939b45b58d1687e3de4f63a
Instruction ID: cf5fdc312f2229dc6ff813412d90ddbabd12b8e4de7574aebc9877f7d05b411a
Opcode Fuzzy Hash: 9e7780c785dee08e0bb9155763342d8440fe36315939b45b58d1687e3de4f63a
Instruction Fuzzy Hash: 28D19032711A4195EB12EB76D4903EE23A1EB993C4F844425BF4E57BEAEF38C605C350

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140064080, Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16253b5d55ff71ace7e49d720cc951c571e11621ee8e21fa8c6a30ce5dfdcbdc
Instruction ID: bf23390ce128f79092fde7b2b9043ef6653a4f1b38eae35900255c6e9c132ad5
Opcode Fuzzy Hash: 16253b5d55ff71ace7e49d720cc951c571e11621ee8e21fa8c6a30ce5dfdcbdc
Instruction Fuzzy Hash: ABC1D4231282D04BD7569B3764503FAAE91E79A3C8F280655FFC997AEBD63CC2149B10

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002D0D0, Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7584585ec3b4b53ec8fb5b27a8843822aad1f1e51d0aa4fbe30674dd8de1ab0d
Instruction ID: d0d512be425b72175eef7d799d9923e381f6a995b1e0446f0295c878f1c0c086
Opcode Fuzzy Hash: 7584585ec3b4b53ec8fb5b27a8843822aad1f1e51d0aa4fbe30674dd8de1ab0d
Instruction Fuzzy Hash: CED13972724A4091EB02EB76D4913EE6765F7983C8F904016BB4D97ABAEF38C605C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140030530, Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da2952e0823b3d5a59f73c7ab384f762a6d9a624e53a469d815e2d2c0d7a72ca
Instruction ID: 96955b53f7f5b4430e01eb0035ad3df088e7672fa3a311151148bede835f9000
Opcode Fuzzy Hash: da2952e0823b3d5a59f73c7ab384f762a6d9a624e53a469d815e2d2c0d7a72ca
Instruction Fuzzy Hash: E7C16136B0564089FB22EB76D0613EF27A1AB9C388F554425BF4E976FADE34C506C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002A110, Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 8317b6107b79d8746eb836802ab66d92c4c2213a6f1849c4bee5ec7b69d23b54
Instruction ID: 08807915bc927436db1a901aa043915a979950c5e23cf508b5f0d65b77d78aa9
Opcode Fuzzy Hash: 8317b6107b79d8746eb836802ab66d92c4c2213a6f1849c4bee5ec7b69d23b54
Instruction Fuzzy Hash: 0CD17032614A8096EB02EB26D4513EE6364FBD97C4F815122FB4D57AEBDF38CA05C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005F490, Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c98a7c03b056bf897b50c999e530441a062f43ea8ff7e63b9bd448889a0739
Instruction ID: f96005f1b71c62cd91ec633b0fa556b6f093996ab6e40a041e3cbd638a23d0d9
Opcode Fuzzy Hash: 29c98a7c03b056bf897b50c999e530441a062f43ea8ff7e63b9bd448889a0739
Instruction Fuzzy Hash: C1C1BD3270164096FB12EF76D4413ED23A4EB883A8F484622BF2D57AE6EF38D955D350

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140022D00, Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005ad93020e0817431c5e85dbe6d11178de2602f8c4bd9af456519582a9ff990
Instruction ID: 38de139323f3e079e5738bdd278af51575638bb101dd3218b17e6965c0953cb4
Opcode Fuzzy Hash: 005ad93020e0817431c5e85dbe6d11178de2602f8c4bd9af456519582a9ff990
Instruction Fuzzy Hash: 1DB16A3671062094FB46EBA2D8A17DE2365BB89BC8F825025FF0D67BA7DE38C505C354

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140031540, Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97dd306fff28f1ab02ecd5c90015a73acd09471cf75e7327e0331e3ccb750c21
Instruction ID: bfe4e87f351d28bd3d3693bc96d2151355ab9388d993d4a46e39ffd0a3f78ad6
Opcode Fuzzy Hash: 97dd306fff28f1ab02ecd5c90015a73acd09471cf75e7327e0331e3ccb750c21
Instruction Fuzzy Hash: E6C16332704A809AFB22EBB2D4513EE2365AB9C3D8F854521BF1E676EADF30C505C354

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140062B00, Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcfd4a30f1a27aef1054c36b1d99c0610af0cc08103e55e4b01f0e7caa7c836f
Instruction ID: f23c3879964f3f83b961310f1bad7f7be1ef7afa2b68ec7d59790f469601a501
Opcode Fuzzy Hash: bcfd4a30f1a27aef1054c36b1d99c0610af0cc08103e55e4b01f0e7caa7c836f
Instruction Fuzzy Hash: A9A10231211E8145EBA79A2798543EF27A6AB8C3D4F645825FF0E5B6E9EF34C901C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B41B, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16274a22d167cb7459d5025cfc47ed7afc639167fa2c9c1057ca1fd72c03709f
Instruction ID: c0d98bc7e162404dc537a7c1af49e5fbe25e03b535df8b2493956c53732576b9
Opcode Fuzzy Hash: 16274a22d167cb7459d5025cfc47ed7afc639167fa2c9c1057ca1fd72c03709f
Instruction Fuzzy Hash: B2A114F31182A486FB778A2685413FA7FE2E719789F254402FB8A435F6C63CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140066020, Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a77b3ded0776d671925a3aad9e7cc492f01908de9f9e7db45f2ad695b1e2ca
Instruction ID: d17e179c4ad3c1814a715198efb3da372d22ab0628f3c9d9f6a3a053a6971865
Opcode Fuzzy Hash: 39a77b3ded0776d671925a3aad9e7cc492f01908de9f9e7db45f2ad695b1e2ca
Instruction Fuzzy Hash: 79A1903271164045EB22EB7298507EE67E6AB9C3C8F550925BF4D47BEAEF34CA068310

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140007A60, Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb3ae0ca8b09634f6b3eb7f35d10a75bd1e51e3d218a5b4533eb8f41dc86bd2
Instruction ID: 7cb660c1bafc6db3c15f0a4866a94b05aa7759728bb06ab0739d07cd917ce7e2
Opcode Fuzzy Hash: 8bb3ae0ca8b09634f6b3eb7f35d10a75bd1e51e3d218a5b4533eb8f41dc86bd2
Instruction Fuzzy Hash: 33B18C7262464191EB12EB62E4913EE6365FB9C7C4F801022FB4E47ABBDF38C649C750

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B43D, Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc8327572ae460ec67bee7642bc1df1dfc8e00bf19c98c3d2f0bb37742338d2b
Instruction ID: ff1b56ecf022c2229069a5389c0477a62f006b84fd5f9f69eebb894724ab9066
Opcode Fuzzy Hash: dc8327572ae460ec67bee7642bc1df1dfc8e00bf19c98c3d2f0bb37742338d2b
Instruction Fuzzy Hash: 44A125F21182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B424, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92fc6e297697f72d3d55b197ac04fe50775a4f95a26f4c9e919e5e137ab98750
Instruction ID: f965aa676d2cc64f6a485257af634002c7fef1377d4791c8bed9b1b7e56d6411
Opcode Fuzzy Hash: 92fc6e297697f72d3d55b197ac04fe50775a4f95a26f4c9e919e5e137ab98750
Instruction Fuzzy Hash: 79A115F31182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B42D, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e075c1df208aa39fb877a834bfc4403f559291216783e55fb63477ae2eadfdc
Instruction ID: 86c182e730ead1fa639f737d8458d4edb1cdee6041daaa12aedc2aef895c7c0c
Opcode Fuzzy Hash: 1e075c1df208aa39fb877a834bfc4403f559291216783e55fb63477ae2eadfdc
Instruction Fuzzy Hash: 83A115F31182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B436, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b68406ce4345875cbc0110dbe212228596ffa7fd34d07f9d141f7f6a9cf54bfa
Instruction ID: 7a8579acbe1e06e5dcc528155c10978c06d1d02f61772b3afab02cdca005db6d
Opcode Fuzzy Hash: b68406ce4345875cbc0110dbe212228596ffa7fd34d07f9d141f7f6a9cf54bfa
Instruction Fuzzy Hash: 3EA115F31182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 000000014006B446, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a2fa5d4e375044cfc16d96b5b502da69406d12098659286745a9d4aecf6a6c
Instruction ID: 9b5f4d2890da7bc9148b0c777fb781a5a0913674a9f0c1f21bc34f13756e8484
Opcode Fuzzy Hash: 20a2fa5d4e375044cfc16d96b5b502da69406d12098659286745a9d4aecf6a6c
Instruction Fuzzy Hash: 37A114F31182A489FB778A2685413FA7FE2E719789F254402FB8A475F6C23CC985D720

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140069A50, Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 847c53cd22c21084d67cb822d3c8f80ec4024bd4884789ed31c06eb0f484aec6
Instruction ID: 9e8436de532ad8a8b9d83a7ce7f67d33a1e65f1b543d517c902b78be038a8119
Opcode Fuzzy Hash: 847c53cd22c21084d67cb822d3c8f80ec4024bd4884789ed31c06eb0f484aec6
Instruction Fuzzy Hash: 6FA19F3271464095EB22EB72D4913EE63A5A78C7C8F914426FF0D57AFAEE38C609C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140001010, Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b042d90c0f8c1feaf42d72467fc8ea1d5898c5b9afd74594c11dc23e78b13021
Instruction ID: 891caef274385c1d9a1a05b5f8e139ad0eea2bdcde326525a3acf11d5ee056db
Opcode Fuzzy Hash: b042d90c0f8c1feaf42d72467fc8ea1d5898c5b9afd74594c11dc23e78b13021
Instruction Fuzzy Hash: 79918D7270164095EB16EF66E4507EE23A5ABDC7C4F448425BF4E97BA6EE34C906C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002EA00, Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbe13e77ec2a6c39a7eeb857abf77be5bd43dd3bfff72b646a5cfb36ea006c22
Instruction ID: 09ec91f3f7d35e473cfa3e72b303784d96220d522314983c3d838af10b8059fe
Opcode Fuzzy Hash: dbe13e77ec2a6c39a7eeb857abf77be5bd43dd3bfff72b646a5cfb36ea006c22
Instruction Fuzzy Hash: C4A16E32314A8095FB22EB72D8513EE2365EB987D4F940426BB4D57AFADF34CA05C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140018300, Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce67bfafa3a41e60d72f08d4a165a2184096e63d57257d43e1b540ba17e5e704
Instruction ID: 9282ef7f3f2e177ec3162a27807bc3d77d508fe5c2bed51c5ff564ba7b898efa
Opcode Fuzzy Hash: ce67bfafa3a41e60d72f08d4a165a2184096e63d57257d43e1b540ba17e5e704
Instruction Fuzzy Hash: 99912232B15A4099FB12EBB2D4913ED23659B9C7C8F814525BF0DA76EBEE34C609C350

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002E1B0, Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: e13badc4eecd54d72134e33fa3c908df50463b4c7afbc823f6efb99f8860a50f
Instruction ID: a01e236db0e61280ae7bc249da652572acbbc64743681568c883ee8cb5c556df
Opcode Fuzzy Hash: e13badc4eecd54d72134e33fa3c908df50463b4c7afbc823f6efb99f8860a50f
Instruction Fuzzy Hash: D7916C3272468092FB12EB62D4957DE6365FB9C7C4F811022BB4D43AABDF78C544CB10

Uniqueness

Uniqueness Score: -1.00%

Function 000000014003EFB0, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bec047f33ee0572188590f4278c6d3b9bee721e36306d1774188d0e8c9170a8
Instruction ID: 2085d5fbde7ab3b46fd7c59f247d5158c6ccb74e37f4a5dfc0e2ff2c0c09d730
Opcode Fuzzy Hash: 9bec047f33ee0572188590f4278c6d3b9bee721e36306d1774188d0e8c9170a8
Instruction Fuzzy Hash: 87814F36204A85C6EB679B2BE9403AF6B61F38DBD0F594512EF9A477B5CE38C442D310

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400276C0, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edcdc2154c5838ab1c8625022021c2da12bae5cdd39a93ebf1f5cb6a04e32108
Instruction ID: bfac23c94d9038130fb0cc9f6c7292f6f1aa2b418e68c536fc9a693e481bc66c
Opcode Fuzzy Hash: edcdc2154c5838ab1c8625022021c2da12bae5cdd39a93ebf1f5cb6a04e32108
Instruction Fuzzy Hash: 1E91B13270164096FB22EB22D4517EE23A0EB9C3C8F855426BB4E57AFADF34C944C351

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140064E80, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bede4ae264e8185b0f9f24becd31f8195eff363a0612df846459a6d3a9af60c0
Instruction ID: 348a5c641c523964159132b8cb670365254cd557f13034448bd6fc243d7f1d42
Opcode Fuzzy Hash: bede4ae264e8185b0f9f24becd31f8195eff363a0612df846459a6d3a9af60c0
Instruction Fuzzy Hash: AB81503271064095FB12EB76D8913EE63A5AB9D7C8F944621BF0D4BAEAEF34C605C350

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140016100, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e54b42b1a183fcc3e26b712d0c98e0febe665e521d345cd27406ffce54824ba
Instruction ID: 4362bffb4ce140633d60009826b42a117c21897de7dbf4a94b418fc321f1d931
Opcode Fuzzy Hash: 0e54b42b1a183fcc3e26b712d0c98e0febe665e521d345cd27406ffce54824ba
Instruction Fuzzy Hash: 35812032714A809AFB12EB72D4513ED2365EB9C388F814425BB4E67AEBEF35C605C354

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140032650, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 1556071639309c0f3bf9c98b804d70b10111ac1c0d30ce30fda26827df1e6222
Instruction ID: a8b049447ef23dc7a2f3147d56ae0c312f8ac6a7955db6ed7517384e00930876
Opcode Fuzzy Hash: 1556071639309c0f3bf9c98b804d70b10111ac1c0d30ce30fda26827df1e6222
Instruction Fuzzy Hash: 0371893270264096FB66AB7294503EE6391EB9C7C8F054526BB1D47BEAEF39C905C360

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400663F0, Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d7b3c9e63ec17fbb3decf34851c1318d937a82485f1e960baa699eab580419
Instruction ID: 4c1290556f20f3e20b66d81894b0d385f6ea8bc2319cc982c81cb2944955426d
Opcode Fuzzy Hash: 53d7b3c9e63ec17fbb3decf34851c1318d937a82485f1e960baa699eab580419
Instruction Fuzzy Hash: 6E61B031301A4041EA66E737A9517EF97929F9D7D0FA44621BF5E877FAEE38C9028700

Uniqueness

Uniqueness Score: -1.00%

Function 000000014005D850, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ec1b3edf0780c5c25e1336ba948ef3e7aec6e0b63b2610df3acb1851feab05
Instruction ID: 50d9e92313d7fbe24902196c924c1612cff9653e99501bbf2772a847790ebefc
Opcode Fuzzy Hash: 17ec1b3edf0780c5c25e1336ba948ef3e7aec6e0b63b2610df3acb1851feab05
Instruction Fuzzy Hash: 7D618D3271464496FB22EB72C0913EE23A5ABDC7C8F854422BF4D57AEAEE35C501C791

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140001620, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e611ef6babe13b88f779e8dc5a7611e7c7a64f37548e21c7e35d19833addd5d9
Instruction ID: f8f81a1e6eeb4aa67bd22a5a7a70358e1ddf5b3241a247c9d5674b6b5ab46101
Opcode Fuzzy Hash: e611ef6babe13b88f779e8dc5a7611e7c7a64f37548e21c7e35d19833addd5d9
Instruction Fuzzy Hash: 9061C43262465091FB21EB26E0517EE6360FBCD7C4F815122BB5D47AEAEF79C541CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400319F0, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: ac7f08871eadb0e88aebf12c8c96c3d08f64978839d47a5fff32e650f5283656
Instruction ID: f33abad4c1c8ba015261be05896130ca5dc3e7c07ce7e813c180037223ea8262
Opcode Fuzzy Hash: ac7f08871eadb0e88aebf12c8c96c3d08f64978839d47a5fff32e650f5283656
Instruction Fuzzy Hash: 08718E32714A809AEB12EF76D4913EE7761F798388F844026FB4D47AAADF74C548CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400688A0, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$ClosePointerRead
String ID:
API String ID: 2610616218-0
Opcode ID: c6b0428fc7416c9690bb78137e55356240e86da8257680fa94455239788aca03
Instruction ID: 125c4d10a522e701d1fb6d0f1aef761f583aa31ccbb75f1db25899523a723602
Opcode Fuzzy Hash: c6b0428fc7416c9690bb78137e55356240e86da8257680fa94455239788aca03
Instruction Fuzzy Hash: 0151633271468052FB22EBB6E4513EE6761EBD83C4F951122BB4D47AEADE38C544CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140022730, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025899d978c00459a39b97666279dda4e96ed2cbcc4f77a24580eef4709ea6a8
Instruction ID: af2d80f9b144edbe9aa630ca6e788b257520dbedf888a3db325da96401233726
Opcode Fuzzy Hash: 025899d978c00459a39b97666279dda4e96ed2cbcc4f77a24580eef4709ea6a8
Instruction Fuzzy Hash: FA612832600B8085E755DF36A481BDD33A9F78DB88FA84138EF990B36ADF318055D768

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140031340, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f431bbfb257fb34b4f249f0b6c1a5781a1840d33aa954166e75b638a15f3be8f
Instruction ID: 50cb9f747c07e87171e39f534f7bbd71060f83f950b2ada1a46c15cbddfc577a
Opcode Fuzzy Hash: f431bbfb257fb34b4f249f0b6c1a5781a1840d33aa954166e75b638a15f3be8f
Instruction Fuzzy Hash: A0511B32700A4096FB12EB76D4917EE2365AB9C7C8F954421BF0DA7AEADF34C605C350

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002F840, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a38846fc5b12dd28166e38272f044d4b391af603d2f1471411a8db1635f5ab
Instruction ID: 9602d307e9de31d357e639a9611a18ab9b6f2b9e1d5f0c6a8a00986c6f50d329
Opcode Fuzzy Hash: e1a38846fc5b12dd28166e38272f044d4b391af603d2f1471411a8db1635f5ab
Instruction Fuzzy Hash: 7F51AD32200A40A2EA22EB22D9957FE63A5F7DC7D0F854626FB0D836B6DF34C556D710

Uniqueness

Uniqueness Score: -1.00%

Function 000000014002DDE0, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 92949d39d4540ea38b5c00f16dffcfa1214f5dbdd9c806517ba7762cbc11b342
Instruction ID: aca98edda921e0e11dbb2b437e66833b6d9475281c93859f86ded24665675a69
Opcode Fuzzy Hash: 92949d39d4540ea38b5c00f16dffcfa1214f5dbdd9c806517ba7762cbc11b342
Instruction Fuzzy Hash: E5516E3271465095FB52EB76E4913EE6761EBD8388F850026BB4E479EADF38C948CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140060FE0, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c1f30609a35c92b6828c9fb432082ebd1e5c5e84766b67bb61e5bcc9401a082
Instruction ID: 51a026cb75a50cc44213724d5bb8c382370875f63e51d6fdf42d7c4c4c07ed92
Opcode Fuzzy Hash: 1c1f30609a35c92b6828c9fb432082ebd1e5c5e84766b67bb61e5bcc9401a082
Instruction Fuzzy Hash: 5D415F32B1066095FB12E77798517EE23A2ABCD7C4FA94421BF0E57AEBDE34C5018354

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400611A0, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8619ee3f9ccd1f320a5fbfbf5c9367aa5b7df2049cee1b1ea35a7e4b7e812f95
Instruction ID: fec891e6c53086f7b9094a78f95b73510c7007b912bc3ef8a41aa8e11e9acb14
Opcode Fuzzy Hash: 8619ee3f9ccd1f320a5fbfbf5c9367aa5b7df2049cee1b1ea35a7e4b7e812f95
Instruction Fuzzy Hash: 01413D31B2066095FB12EB7798513EE13A6ABDC7C4F994421BF0E97AEADE38C5058314

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140022A00, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a10d479a193238a188e8adb5c0a2baa624421bbad2986b298b06f84ca2b66ec
Instruction ID: 4d6ce7f696a26fe9a74b6bb9734e6d6bbac3d85ccec2ef1c97bdec5ab73240ea
Opcode Fuzzy Hash: 9a10d479a193238a188e8adb5c0a2baa624421bbad2986b298b06f84ca2b66ec
Instruction Fuzzy Hash: FC51D732610B9085E785DF36E4813DD33A9F748F88F58413AAB8D4B7AADF348152C764

Uniqueness

Uniqueness Score: -1.00%

Function 00000001400286B0, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 0dd31b007056381f4657a5f1dbdce23ecbf955912ad383fd51e82bbfc18d9e36
Instruction ID: a9185cf0004c76bb3001b2cb896eaa84c5f9aff40342764b4326ba4d96cea24c
Opcode Fuzzy Hash: 0dd31b007056381f4657a5f1dbdce23ecbf955912ad383fd51e82bbfc18d9e36
Instruction Fuzzy Hash: 9F514632310B81A2E74EDB32E5813D9B369FB8C384F908415EB9813AA6DF35D676D704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140022340, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d0bc628afaa724f2a407568f7776cab89400c990b0d91b82c0bf42df1747497
Instruction ID: 1e1e8128ca37617077ad8d3bddb138d765a5f71e348f586f351b06e9a9582713
Opcode Fuzzy Hash: 8d0bc628afaa724f2a407568f7776cab89400c990b0d91b82c0bf42df1747497
Instruction Fuzzy Hash: 5C51C773611B9085E745DF36E8813DD37A8F748F88F58413AEB894B6AADF308156C760

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140063BD0, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a990b53e0665ad0886faa979631976ec8b00dc7985899795eb44eacb3e5b3434
Instruction ID: 5f416d68214368cc8d497caad67b5ad9eebcd67f96a0df70edf52f54e079c757
Opcode Fuzzy Hash: a990b53e0665ad0886faa979631976ec8b00dc7985899795eb44eacb3e5b3434
Instruction Fuzzy Hash: DE31F53221099842FBA6471B9C613F93292E79C3E4F649625FB8E537F4D67DC8038B80

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140005370, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bce42950a1e8a62078921d64ca997753bf7c09f413ca20ce6f360246a445e94
Instruction ID: 604a730c127844f2816d2636316060c5dd02da03d6f4240a24423d76594c64fe
Opcode Fuzzy Hash: 5bce42950a1e8a62078921d64ca997753bf7c09f413ca20ce6f360246a445e94
Instruction Fuzzy Hash: 55313F32610B9091E749DB36D9813DD73A9F78CB84FA58526A39847AA6DF35C177C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000140007EA0, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.311924847.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.311913248.0000000140000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312064708.0000000140080000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312085021.0000000140092000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312093144.0000000140094000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc6e0ee29a39c7d5a8b9bac5d98e7e3adc62a080d0eb157144b98198d9367420
Instruction ID: 1d8fa33d8030516f9812c7435f1c2f5fee2e6c5a40d503ba1f82db291cb841dc
Opcode Fuzzy Hash: cc6e0ee29a39c7d5a8b9bac5d98e7e3adc62a080d0eb157144b98198d9367420
Instruction Fuzzy Hash: 7131DC32600B4080E745DF3699813EDB3E9FBACB88FA9853697484A9B6DF35C157D310

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 4536 Parent PID: 6928 rundll32.exeCOMMON

Executed Functions

Function 0000029EBD7F2252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0000029EBD7F23B0
VirtualProtect.KERNELBASE ref: 0000029EBD7F2471
RtlAvlRemoveNode.NTDLL ref: 0000029EBD7F25B4
VirtualProtect.KERNELBASE ref: 0000029EBD7F2677

Memory Dump Source

Source File: 00000002.00000002.385174738.0000029EBD7F0000.00000040.00000001.sdmp, Offset: 0000029EBD7F0000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: ad1241f1d688f18ae4cc842da938043b0176287875b13a02b2c120ad5633768c
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: 63B144B7618BD486DB30CB1AE4507DEB7A1F789B84F118126EEC957B58CB79C8818F40

Uniqueness

Uniqueness Score: -1.00%

Function 0000029EBD7F2057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000029EBD7F29A8), ref: 0000029EBD7F20A7

Memory Dump Source

Source File: 00000002.00000002.385174738.0000029EBD7F0000.00000040.00000001.sdmp, Offset: 0000029EBD7F0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: e2e5e48f5548b9ec866e0d24049cbd69fcbb95b1d4c32bbc8453503788f3966a
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: 52315EB2615B9086D790DF1AE45479A7BA0F789BC4F214026EF8D87B18DF39C442CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 4528 Parent PID: 4668 rundll32.exeCOMMON

Executed Functions

Function 000001BAD6CE2252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 000001BAD6CE23B0
VirtualProtect.KERNELBASE ref: 000001BAD6CE2471
RtlAvlRemoveNode.NTDLL ref: 000001BAD6CE25B4
VirtualProtect.KERNELBASE ref: 000001BAD6CE2677

Memory Dump Source

Source File: 00000003.00000002.290809783.000001BAD6CE0000.00000040.00000001.sdmp, Offset: 000001BAD6CE0000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: 9323be1c6f82bb78cca6cd5374be2582ca82e8afe03383791e7aa845f77ad57d
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: DCB14176619BC486D730CB5AE440BDAB7A1F7C9B80F508026EE8957B59CB7DC8528F40

Uniqueness

Uniqueness Score: -1.00%

Function 000001BAD6CE2057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001BAD6CE29A8), ref: 000001BAD6CE20A7

Memory Dump Source

Source File: 00000003.00000002.290809783.000001BAD6CE0000.00000040.00000001.sdmp, Offset: 000001BAD6CE0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: 749a0fb05d40f8952817d811ed71c0a1ebf5612fe55d849e876425d8b1f1d2de
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: EB314876615B8086D790DF1AE45479A7BB0F789BC4F608026EF8D87B28DF3AC442CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 6568 Parent PID: 6928 rundll32.exeCOMMON

Executed Functions

Function 0000024309E62252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0000024309E623B0
VirtualProtect.KERNELBASE ref: 0000024309E62471
RtlAvlRemoveNode.NTDLL ref: 0000024309E625B4
VirtualProtect.KERNELBASE ref: 0000024309E62677

Memory Dump Source

Source File: 00000008.00000002.299820442.0000024309E60000.00000040.00000001.sdmp, Offset: 0000024309E60000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: de1890486111ba62c1631b1dc5f389a779b75216f27f791bd647a75cf466ee2f
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: AAB14276618BC486DB70CB1AE440B9EB7A1F7D9B80F108126EF8997B58DB79C941CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0000024309E62057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000024309E629A8), ref: 0000024309E620A7

Memory Dump Source

Source File: 00000008.00000002.299820442.0000024309E60000.00000040.00000001.sdmp, Offset: 0000024309E60000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: 998aef090ad05fed401bc962be9ab2535915ca10ca53c2471468e32bfea1a57d
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: FE315C72615B8086D780DF1AE45475A7BB0F789BC4F205126EF8D87B18DF3AC442CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 3912 Parent PID: 6928 rundll32.exeCOMMON

Executed Functions

Function 0000020D32892252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0000020D328923B0
VirtualProtect.KERNELBASE ref: 0000020D32892471
RtlAvlRemoveNode.NTDLL ref: 0000020D328925B4
VirtualProtect.KERNELBASE ref: 0000020D32892677

Memory Dump Source

Source File: 00000009.00000002.305975330.0000020D32890000.00000040.00000001.sdmp, Offset: 0000020D32890000, based on PE: true

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: d553b5ad0ffac3229e62f9ab01859286daa4da879ec49e0348d1d660782802ba
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: 71B15376A19BC486D770CB5AE4407AEBBA0F7C9B80F108026EEC957B59CB79C851CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0000020D32892057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000020D328929A8), ref: 0000020D328920A7

Memory Dump Source

Source File: 00000009.00000002.305975330.0000020D32890000.00000040.00000001.sdmp, Offset: 0000020D32890000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: f5be37a263f9c51a7aeeea6ab0121ab365f566b5e5853db89ebdf3eede926483
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: 3C314976719B8086D780DF1AE45475A7BA0F389BC4F208026EF8D87B28DF3AC442CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: SnippingTool.exe PID: 6200 Parent PID: 3352 SnippingTool.exeCOMMON

Executed Functions

Function 0000019CE76C2252, Relevance: 6.2, APIs: 4, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0000019CE76C23B0
VirtualProtect.KERNELBASE ref: 0000019CE76C2471
RtlAddFunctionTable.NTDLL ref: 0000019CE76C25B4
VirtualProtect.KERNELBASE ref: 0000019CE76C2677

Memory Dump Source

Source File: 00000013.00000002.416135211.0000019CE76C0000.00000040.00000001.sdmp, Offset: 0000019CE76C0000, based on PE: true

Similarity

API ID: ProtectVirtual$FunctionTable
String ID:
API String ID: 847647671-0
Opcode ID: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction ID: 48cf0f696bd3a25d1056df5414dc2ea9ef6724d9e129054d3dd8b855b896dcec
Opcode Fuzzy Hash: 75ec9f23c294f1b91f48f20b57dd5cc1f886561a981db544c7b3bcf3c6961842
Instruction Fuzzy Hash: 12B14476618BC48AD770CB1AE4407DEBBA5F7C9B84F108026EEC997B58DB79C8418F40

Uniqueness

Uniqueness Score: -1.00%

Function 0000019CE76C2057, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000019CE76C29A8), ref: 0000019CE76C20A7

Memory Dump Source

Source File: 00000013.00000002.416135211.0000019CE76C0000.00000040.00000001.sdmp, Offset: 0000019CE76C0000, based on PE: true

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction ID: d3f41bf23ed51fdfebab50e196bfc58b9f437d5a3d7f2b1670646801c9d15427
Opcode Fuzzy Hash: e198c79539a4ed8551c2286ff6a3e0dfce1ca71c07a98c6b4ee2f43e3e4de89f
Instruction Fuzzy Hash: 42314DB2615B8086D780DF1AE45479A7BB4F389BC4F204026EF8E87B18DF39C442CB40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF73D058A64, Relevance: 56.3, APIs: 30, Strings: 2, Instructions: 289windowthreadCOMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D058AD2
SetThreadDpiAwarenessContext.USER32 ref: 00007FF73D058AFB
PrintDlgExW.COMDLG32 ref: 00007FF73D058B08
SetThreadDpiAwarenessContext.USER32 ref: 00007FF73D058B13
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D058B3A
StartDocW.GDI32 ref: 00007FF73D058B55
GetLastError.KERNEL32 ref: 00007FF73D058B5F
EnterCriticalSection.KERNEL32 ref: 00007FF73D058BB6
LeaveCriticalSection.KERNEL32 ref: 00007FF73D058BC9
GetDC.USER32 ref: 00007FF73D058BD3
GetDeviceCaps.GDI32 ref: 00007FF73D058C06
GetDeviceCaps.GDI32 ref: 00007FF73D058C1D
GetDeviceCaps.GDI32 ref: 00007FF73D058C30
GetDeviceCaps.GDI32 ref: 00007FF73D058C51
GetDeviceCaps.GDI32 ref: 00007FF73D058C71
GetDeviceCaps.GDI32 ref: 00007FF73D058C9C
SetBrushOrgEx.GDI32 ref: 00007FF73D058CC9
SetStretchBltMode.GDI32 ref: 00007FF73D058CD6
StartPage.GDI32 ref: 00007FF73D058D5E
CreateCompatibleDC.GDI32 ref: 00007FF73D058DAE
SelectObject.GDI32 ref: 00007FF73D058DC3
StretchBlt.GDI32 ref: 00007FF73D058E12
SelectObject.GDI32 ref: 00007FF73D058E25
DeleteDC.GDI32 ref: 00007FF73D058E4B
EndPage.GDI32 ref: 00007FF73D058E5C
SetStretchBltMode.GDI32 ref: 00007FF73D058EA5
EndDoc.GDI32 ref: 00007FF73D058EAF
GlobalFree.KERNEL32 ref: 00007FF73D058EE4
GlobalFree.KERNEL32 ref: 00007FF73D058EF3
DeleteDC.GDI32 ref: 00007FF73D058EFD

Strings

, xrefs: 00007FF73D058DCD
Snipping Tool Print Job, xrefs: 00007FF73D058B43

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDevice$Stretch$AwarenessContextCriticalDeleteFreeGlobalModeObjectPageSectionSelectStartThreadmemset$BrushCompatibleCreateEnterErrorLastLeavePrint
String ID: $Snipping Tool Print Job
API String ID: 834904562-1111817778
Opcode ID: 48ed861a4218c5f09a5a49b7c70d6ed3c68fbb802bb8f16cf057ffa0bfe93843
Instruction ID: cd093e35b8c42f676a6951bffcf753952110f6ff58bdc3d94282f9c4b79faca1
Opcode Fuzzy Hash: 48ed861a4218c5f09a5a49b7c70d6ed3c68fbb802bb8f16cf057ffa0bfe93843
Instruction Fuzzy Hash: D0E1FE32A18B8999F701ABB6D8411BDB3B0FF89B88F444335DE4E67665EF38A451C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D048D50, Relevance: 35.2, APIs: 18, Strings: 2, Instructions: 218windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00007FF73D048DAF
SendMessageW.USER32 ref: 00007FF73D048DFF
GetSysColor.USER32 ref: 00007FF73D048E11

Part of subcall function 00007FF73D062150: CreateSolidBrush.GDI32 ref: 00007FF73D062178
Part of subcall function 00007FF73D062150: GetLastError.KERNEL32 ref: 00007FF73D062186

FillRect.USER32 ref: 00007FF73D048E34

Part of subcall function 00007FF73D0616E4: DeleteObject.GDI32 ref: 00007FF73D061711
Part of subcall function 00007FF73D0616E4: GetLastError.KERNEL32 ref: 00007FF73D06171D

GetSysColor.USER32 ref: 00007FF73D048E53
GetDpiForWindow.USER32 ref: 00007FF73D048EA7
MulDiv.KERNEL32 ref: 00007FF73D048EB8
InflateRect.USER32 ref: 00007FF73D048EC9
Rectangle.GDI32 ref: 00007FF73D048F41
SetRect.USER32 ref: 00007FF73D048FAA
GetDpiForWindow.USER32 ref: 00007FF73D048FB4
MulDiv.KERNEL32 ref: 00007FF73D048FC5
SetTextColor.GDI32 ref: 00007FF73D048FD7
SetBkMode.GDI32 ref: 00007FF73D048FE8
DrawTextW.USER32 ref: 00007FF73D049006
SetBkMode.GDI32 ref: 00007FF73D049012
SetTextColor.GDI32 ref: 00007FF73D04901E
DrawFocusRect.USER32 ref: 00007FF73D049038

Strings

$, xrefs: 00007FF73D048FF0
COptions::ComboboxDrawColorItem, xrefs: 00007FF73D048D8E

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: ColorRect$Text$DrawErrorLastMessageModeSendWindow$BrushCreateDeleteFillFocusInflateObjectRectangleSolid
String ID: $$COptions::ComboboxDrawColorItem
API String ID: 3641498829-614217680
Opcode ID: c1c5a636f5c1dd729686eb2b3a51d595435a68704ae6ec7d17910cfd2f60bd7c
Instruction ID: 4b4f23dce53041f1356f59598940a6581650d05388dceb44cd510cc74c18c863
Opcode Fuzzy Hash: c1c5a636f5c1dd729686eb2b3a51d595435a68704ae6ec7d17910cfd2f60bd7c
Instruction Fuzzy Hash: 06917F32B186059BE760EBB2D8145AEB3B1FB88B84F844135DE4E97B55EF3CE8019710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D045EBC, Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 289COMMON

Download Yara Rule

APIs

LoadAcceleratorsW.USER32 ref: 00007FF73D045F62
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF73D045F7C
LoadAcceleratorsW.USER32 ref: 00007FF73D045FC5
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF73D045FD3

Strings

CToolbar::StartQuickCapture, xrefs: 00007FF73D046047
CMain::Exit, xrefs: 00007FF73D046291
CMain::Run, xrefs: 00007FF73D045EF9

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: AcceleratorsErrorLastLoad
String ID: CMain::Exit$CMain::Run$CToolbar::StartQuickCapture
API String ID: 2233532191-3786192203
Opcode ID: 7b81f54af6d34a68129e93b5d6c4c919dacc1464b5c2f5ba9608bc6733fbe80a
Instruction ID: 96474219b13f674bc915daab45545ac064eaac5d058207513de0bdb055fe5434
Opcode Fuzzy Hash: 7b81f54af6d34a68129e93b5d6c4c919dacc1464b5c2f5ba9608bc6733fbe80a
Instruction Fuzzy Hash: 43D17D21B0CA5AA6E754FBA5D9546FDA770FB40F48FC40031DA0D47AA5EF38E416E720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D04DE78, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 91windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00007FF73D04DEB1
ShowWindow.USER32 ref: 00007FF73D04DECC
IsZoomed.USER32 ref: 00007FF73D04DEDE
ShowWindow.USER32 ref: 00007FF73D04DEEF
SendMessageW.USER32 ref: 00007FF73D04DF09
SendMessageW.USER32 ref: 00007FF73D04DF26
IsIconic.USER32 ref: 00007FF73D04DF34
OpenIcon.USER32 ref: 00007FF73D04DF42
IsWindowVisible.USER32 ref: 00007FF73D04DF50

Strings

CToolbar::SetVisible, xrefs: 00007FF73D04DE9A

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$MessageSendShowVisible$IconIconicOpenZoomed
String ID: CToolbar::SetVisible
API String ID: 2210635757-1235422291
Opcode ID: e0af8dd6f7ade6923e99ded2a9e94addd2ad8e76ac62ec0c92f0406b0a7855a7
Instruction ID: cdd4413f5e511b5b2637eb6d8b5b1cdcfa1b64d233ca4a8e72291c4bf93c44a3
Opcode Fuzzy Hash: e0af8dd6f7ade6923e99ded2a9e94addd2ad8e76ac62ec0c92f0406b0a7855a7
Instruction Fuzzy Hash: 61414F31A0C75AA2EB10AFA6D584579B770FF84F80F844135DA1D87A94EF3CE455DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D05E274, Relevance: 7.7, APIs: 6, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF73D05E2B2
HeapAlloc.KERNEL32 ref: 00007FF73D05E2C4
GetProcessHeap.KERNEL32 ref: 00007FF73D05E415
HeapAlloc.KERNEL32 ref: 00007FF73D05E426
GetProcessHeap.KERNEL32 ref: 00007FF73D05E434
HeapFree.KERNEL32 ref: 00007FF73D05E443

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$Alloc$Free
String ID:
API String ID: 1864747095-0
Opcode ID: 8472549cb7306442726d52183cac52018c27dd02721f30855830fbb48f1c995f
Instruction ID: 36891a1de223026c9391dac52d49390117abb626b9ae4a350e4b1b382143b02e
Opcode Fuzzy Hash: 8472549cb7306442726d52183cac52018c27dd02721f30855830fbb48f1c995f
Instruction Fuzzy Hash: D361AEB2A0D749A2EB54DFA5E500269B3A1FB08F84B844135DF8D47741EF3CE461D754

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D04AE80, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 277COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 00007FF73D04B0BC

Part of subcall function 00007FF73D06234C: LoadStringW.USER32 ref: 00007FF73D06238E
Part of subcall function 00007FF73D06234C: GetLastError.KERNEL32 ref: 00007FF73D06239A

SysStringLen.OLEAUT32 ref: 00007FF73D04B1F9

Strings

CSnip::GenerateHTMLBody, xrefs: 00007FF73D04AEB3
COptions::IsCaptureURLEnabled, xrefs: 00007FF73D04B090

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: String$ErrorLastLoad
String ID: COptions::IsCaptureURLEnabled$CSnip::GenerateHTMLBody
API String ID: 1753007181-2719301266
Opcode ID: 4b1fa235167b190c543153f8aeecec018da2b359f8ac8b4d7777746d078b3e80
Instruction ID: e4a70ad7c8afcf1dd4917099a7adcd4f72a2e51fbec1bb2a37297550c9781672
Opcode Fuzzy Hash: 4b1fa235167b190c543153f8aeecec018da2b359f8ac8b4d7777746d078b3e80
Instruction Fuzzy Hash: 87C1703271C76AAAE741FFA1C580AAC6360FB48F48B801135EE1D57B55EF38E115D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D057E20, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 268comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 00007FF73D057E7B

Strings

CEditorPanel::InitInkOverlay, xrefs: 00007FF73D057E49

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateInstance
String ID: CEditorPanel::InitInkOverlay
API String ID: 542301482-3935991377
Opcode ID: d3184da0fc006e8ec1488c01b4fb73f4e81aa78473164ed894b6c1887a874747
Instruction ID: c37aac0b64cb7d0a9899e56954ea87170bc1a42a12059760b236c58aec4afef2
Opcode Fuzzy Hash: d3184da0fc006e8ec1488c01b4fb73f4e81aa78473164ed894b6c1887a874747
Instruction Fuzzy Hash: 87D14E76B0CA0EA1EB10EBA6C894279A761FB44F88F945132CE1D477A4EF3DE445D360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D052A34, Relevance: 38.8, APIs: 21, Strings: 1, Instructions: 336memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73D06D950: SystemParametersInfoW.USER32 ref: 00007FF73D06D996
Part of subcall function 00007FF73D06D950: GetLastError.KERNEL32 ref: 00007FF73D06D9A0

GdipAlloc.GDIPLUS ref: 00007FF73D052AF6
GdipCreateFromHDC.GDIPLUS ref: 00007FF73D052B10

Strings

CToolbar::PaintInstructions, xrefs: 00007FF73D052A74

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: Gdip$AllocCreateErrorFromInfoLastParametersSystem
String ID: CToolbar::PaintInstructions
API String ID: 3768384540-150017951
Opcode ID: 428d130e34ac218fbb2c4ffb9e2086493543ac33b2f70e2a0ca6745ab5e76142
Instruction ID: a730dbdcc64d05ae83e6f788d44bb0238cefcf001d862f83dffa36a75a9db403
Opcode Fuzzy Hash: 428d130e34ac218fbb2c4ffb9e2086493543ac33b2f70e2a0ca6745ab5e76142
Instruction Fuzzy Hash: 08F18E72B0CA46AAE710EBB5D4402BDB3B1FB44B48F804235DE0D6AA98EF3CE555D750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D04B280, Relevance: 31.8, APIs: 17, Strings: 1, Instructions: 263fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF73D04B358
GetLastError.KERNEL32 ref: 00007FF73D04B366

Part of subcall function 00007FF73D06234C: LoadStringW.USER32 ref: 00007FF73D06238E
Part of subcall function 00007FF73D06234C: GetLastError.KERNEL32 ref: 00007FF73D06239A

UrlCreateFromPathW.SHLWAPI ref: 00007FF73D04B400
SysStringLen.OLEAUT32 ref: 00007FF73D04B469
VarBstrCat.OLEAUT32 ref: 00007FF73D04B48F
SysFreeString.OLEAUT32 ref: 00007FF73D04B49E
SysStringLen.OLEAUT32 ref: 00007FF73D04B4BD
WideCharToMultiByte.KERNEL32 ref: 00007FF73D04B4E5
SysStringLen.OLEAUT32 ref: 00007FF73D04B50D
WideCharToMultiByte.KERNEL32 ref: 00007FF73D04B536
WriteFile.KERNEL32 ref: 00007FF73D04B558
GetLastError.KERNEL32 ref: 00007FF73D04B56C
GetLastError.KERNEL32 ref: 00007FF73D04B5B4
GetLastError.KERNEL32 ref: 00007FF73D04B646
CloseHandle.KERNEL32 ref: 00007FF73D04B68A
SysFreeString.OLEAUT32 ref: 00007FF73D04B694
SysFreeString.OLEAUT32 ref: 00007FF73D04B69E

Strings

CSnip::GenerateHTML, xrefs: 00007FF73D04B320

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: String$ErrorLast$Free$ByteCharCreateFileMultiWide$BstrCloseFromHandleLoadPathWrite
String ID: CSnip::GenerateHTML
API String ID: 2562088656-1866566025
Opcode ID: 161b7adf8a3347582f371f2a825d954c49570f4975afe56d609fa70d67f3b388
Instruction ID: 87bb9772b266ea80172a5a1eba99e005e31f4335163d2196b40f1d159ef03e17
Opcode Fuzzy Hash: 161b7adf8a3347582f371f2a825d954c49570f4975afe56d609fa70d67f3b388
Instruction Fuzzy Hash: 90C19031A0C756A2EB10EB95E804AB9B7B0FB85B94F900135DA4D47AA4EF3DD505EB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D05C230, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 155windowCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00007FF73D05BB70), ref: 00007FF73D05C266
GdiplusStartup.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00007FF73D05BB70), ref: 00007FF73D05C298
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00007FF73D05BB70), ref: 00007FF73D05C2AE
GdipGetImageEncodersSize.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00007FF73D05BB70), ref: 00007FF73D05C2CA
_o_malloc.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00007FF73D05BB70), ref: 00007FF73D05C321
GdipGetImageEncoders.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00007FF73D05BB70), ref: 00007FF73D05C353
GdipCreateBitmapFromScan0.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00007FF73D05BB70), ref: 00007FF73D05C3E5
GdipCreateBitmapFromHBITMAP.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00007FF73D05BB70), ref: 00007FF73D05C401
GdipSaveImageToStream.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00007FF73D05BB70), ref: 00007FF73D05C418
GdipDisposeImage.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00007FF73D05BB70), ref: 00007FF73D05C425
GdipDisposeImage.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00007FF73D05BB70), ref: 00007FF73D05C432

Strings

&, xrefs: 00007FF73D05C3CE

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: Gdip$Image$BitmapCreateCriticalDisposeEncodersFromSection$EnterGdiplusLeaveSaveScan0SizeStartupStream_o_malloc
String ID: &
API String ID: 673744522-3042966939
Opcode ID: 8c251ef1d326d078fcc128a32be507db72e0245e106dac4ff11b7835bc7a2012
Instruction ID: efc84f4378afbcfd3e12bdbc8e9ed28eed7312d3a6dac1b66d5e9a8390c73175
Opcode Fuzzy Hash: 8c251ef1d326d078fcc128a32be507db72e0245e106dac4ff11b7835bc7a2012
Instruction Fuzzy Hash: 3F6198A1A0CB8AA6EB10EFA1D4405B8A3A1FF44F94FC45531ED0D4BB94EF3CE5499364

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D04A168, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 133COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF73D04A247
GetDlgItem.USER32 ref: 00007FF73D04A265
CheckDlgButton.USER32 ref: 00007FF73D04A2C4
CheckDlgButton.USER32 ref: 00007FF73D04A2DC
CheckDlgButton.USER32 ref: 00007FF73D04A2F4
CheckDlgButton.USER32 ref: 00007FF73D04A30C
CheckDlgButton.USER32 ref: 00007FF73D04A327
CheckDlgButton.USER32 ref: 00007FF73D04A33F

Strings

COptions::OptionsCmdProc, xrefs: 00007FF73D04A1F4
COptions::IsCaptureURLEnabled, xrefs: 00007FF73D04A295
COptions::OptionsDlgProc, xrefs: 00007FF73D04A197

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: ButtonCheck$DialogItem
String ID: COptions::IsCaptureURLEnabled$COptions::OptionsCmdProc$COptions::OptionsDlgProc
API String ID: 4294804678-382390881
Opcode ID: 113dcfcff2c56a7bd0ae87f1a72db9d7fee94dcae62e93d7794db94b620ce81f
Instruction ID: 62ccf4d5411c57aee739d11ee0ceabb2aeedba12a082bc01ff305e3b31b79140
Opcode Fuzzy Hash: 113dcfcff2c56a7bd0ae87f1a72db9d7fee94dcae62e93d7794db94b620ce81f
Instruction Fuzzy Hash: E9510422F0C61BA2E620BBA5D54467DA331FB40F80F844535DA0E1B695EF3DE915EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D04C6D8, Relevance: 18.1, APIs: 12, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 00007FF73D04C71F
SysAllocStringLen.OLEAUT32 ref: 00007FF73D04C740
SysStringLen.OLEAUT32 ref: 00007FF73D04C751
memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00007FF73D05BA89), ref: 00007FF73D04C784
memset.API-MS-WIN-CRT-STRING-L1-1-0(?,00007FF73D05BA89), ref: 00007FF73D04C7A9
_o__errno.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00007FF73D05BA89), ref: 00007FF73D04C7B5
memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00007FF73D05BA89), ref: 00007FF73D04C7CD
SysFreeString.OLEAUT32 ref: 00007FF73D04C7DD
_o__errno.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00007FF73D05BA89), ref: 00007FF73D04C7FD
_o__errno.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,00007FF73D05BA89), ref: 00007FF73D04C819
GdipDisposeImage.GDIPLUS ref: 00007FF73D04C85D
GdipFree.GDIPLUS ref: 00007FF73D04C872

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: String$_o__errno$FreeGdipmemmove$AllocDisposeImagememset
String ID:
API String ID: 1780219601-0
Opcode ID: c54273b162ce6145e8be470aeeeaec8d964705566c3cac622588ca4de7b6f80a
Instruction ID: e5a7a5872c709a6c3b42a111102c51b6aff929d7cc23d0a8a9aadf12051a6aa6
Opcode Fuzzy Hash: c54273b162ce6145e8be470aeeeaec8d964705566c3cac622588ca4de7b6f80a
Instruction Fuzzy Hash: 2141F635A0C61AA6EA10BBD1D818579A2B0BF44F94F94C134EE1D467D0FF3CD852AB24

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D058228, Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 330memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73D06D950: SystemParametersInfoW.USER32 ref: 00007FF73D06D996
Part of subcall function 00007FF73D06D950: GetLastError.KERNEL32 ref: 00007FF73D06D9A0

Part of subcall function 00007FF73D047598: GetSysColor.USER32 ref: 00007FF73D0475B7

VariantInit.OLEAUT32 ref: 00007FF73D058312
SysAllocString.OLEAUT32 ref: 00007FF73D058329
VariantInit.OLEAUT32 ref: 00007FF73D058384
SysAllocString.OLEAUT32 ref: 00007FF73D058396
VariantClear.OLEAUT32 ref: 00007FF73D058667
VariantClear.OLEAUT32 ref: 00007FF73D058672

Part of subcall function 00007FF73D041374: TraceMessage.ADVAPI32 ref: 00007FF73D04139D

Strings

{FFADD4B1-76C6-4044-9B4E-10AE6009EB82}, xrefs: 00007FF73D05838F
CEditorPanel::OnSysColorChange, xrefs: 00007FF73D058257
{CDCC3C6A-53FE-4cee-9F03-597C4E5A4892}, xrefs: 00007FF73D058322

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$AllocClearInitString$ColorErrorInfoLastMessageParametersSystemTrace
String ID: CEditorPanel::OnSysColorChange${CDCC3C6A-53FE-4cee-9F03-597C4E5A4892}${FFADD4B1-76C6-4044-9B4E-10AE6009EB82}
API String ID: 2442347882-1661900029
Opcode ID: d4cc3ea3f70d4c648ec383d1cd048f055bc74a993af42035a7fe5d6bea4085e0
Instruction ID: 75bfd8adc373b961471f7e00bfeed4978e6d2464e61bca70856098f6601ebbb6
Opcode Fuzzy Hash: d4cc3ea3f70d4c648ec383d1cd048f055bc74a993af42035a7fe5d6bea4085e0
Instruction Fuzzy Hash: D7F14B76A0CB8E96EB00EFA5D884179A761FB84F98F900136DE0E47768EF78E445D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D05EA40, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 246COMMON

Download Yara Rule

APIs

WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF73D05EA8D
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF73D05EACB
WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF73D05EB5B
WindowsCreateStringReference.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF73D05EC15
RoGetActivationFactory.API-MS-WIN-CORE-WINRT-L1-1-0 ref: 00007FF73D05EC53
WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF73D05EC75
WindowsGetStringRawBuffer.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF73D05ECB1

Part of subcall function 00007FF73D05EEBC: memmove.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,00000018,00007FF73D054082), ref: 00007FF73D05EF0A

WindowsDeleteString.API-MS-WIN-CORE-WINRT-STRING-L1-1-0 ref: 00007FF73D05ECC8

Strings

Windows.ApplicationModel.DataTransfer.SharedStorageAccessManager, xrefs: 00007FF73D05EC0E
Windows.Storage.StorageFile, xrefs: 00007FF73D05EA86

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: StringWindows$CreateReference$ActivationDeleteFactory$Buffermemmove
String ID: Windows.ApplicationModel.DataTransfer.SharedStorageAccessManager$Windows.Storage.StorageFile
API String ID: 182396921-3475081696
Opcode ID: fdeb86fce10057bf28de6d571ac000ba885209811436b7274ae2c4dd67f8034b
Instruction ID: 4444be0d33428bac0a8b522b163d4c1ce59cce515204639f0b8880e2b4f43eb4
Opcode Fuzzy Hash: fdeb86fce10057bf28de6d571ac000ba885209811436b7274ae2c4dd67f8034b
Instruction Fuzzy Hash: 8BB18072B0CB4992EB14AF65E48467AA361FB84F84F405131DE9E47BA4EF3CE045E714

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D055278, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

GetSystemMetricsForDpi.USER32 ref: 00007FF73D0552D4
GetSystemMetricsForDpi.USER32 ref: 00007FF73D0552E7

Part of subcall function 00007FF73D06326C: CopyRect.USER32 ref: 00007FF73D0632A3
Part of subcall function 00007FF73D06326C: GetLastError.KERNEL32 ref: 00007FF73D0632AF

InflateRect.USER32 ref: 00007FF73D05531F
GetWindowLongPtrW.USER32 ref: 00007FF73D05533F
AdjustWindowRectExForDpi.USER32 ref: 00007FF73D055372
GetLastError.KERNEL32 ref: 00007FF73D05537C
GetLastError.KERNEL32 ref: 00007FF73D0553B3
CopyRect.USER32 ref: 00007FF73D055409

Strings

CEditor::GetEditorRect, xrefs: 00007FF73D0552A9

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$ErrorLast$CopyMetricsSystemWindow$AdjustInflateLong
String ID: CEditor::GetEditorRect
API String ID: 1549110756-3618154988
Opcode ID: dd914c42bbceddc7a07318a16978499ca715d0fc2d6ef887900a3a84b7a8e6a5
Instruction ID: c3a105218a1452382667c13fe8372392fbdd5c48e8915c7d357bb46dd65c647b
Opcode Fuzzy Hash: dd914c42bbceddc7a07318a16978499ca715d0fc2d6ef887900a3a84b7a8e6a5
Instruction Fuzzy Hash: B8518962F0C60AAAF700EBF5D8446B9A3B0BB44B48F804535DE0D9B694EF7CE4459760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D050EB0, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 102windowCOMMON

Download Yara Rule

APIs

_o_free.API-MS-WIN-CRT-PRIVATE-L1-1-0 ref: 00007FF73D050F77
ImageList_Destroy.COMCTL32 ref: 00007FF73D050FAB
ImageList_Destroy.COMCTL32 ref: 00007FF73D050FBF
DestroyIcon.USER32 ref: 00007FF73D050FD3
SetWindowLongPtrW.USER32 ref: 00007FF73D050FF7
SetWindowLongPtrW.USER32 ref: 00007FF73D051011
UnregisterHotKey.USER32 ref: 00007FF73D05101D

Strings

CCaptureForm::~CCaptureForm, xrefs: 00007FF73D050F53
CToolbar::Cleanup, xrefs: 00007FF73D050ECF

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: Destroy$ImageList_LongWindow$IconUnregister_o_free
String ID: CCaptureForm::~CCaptureForm$CToolbar::Cleanup
API String ID: 350089133-3702220804
Opcode ID: c5311cbeb27b9dcd4682fab9523efdefcdf694abe3ee93ddc57911319e7c6497
Instruction ID: 48186a9b909f5f2800441de056ced94e46e68393b152f7292b2bd433df9470e5
Opcode Fuzzy Hash: c5311cbeb27b9dcd4682fab9523efdefcdf694abe3ee93ddc57911319e7c6497
Instruction Fuzzy Hash: FD417D7660DA09A2EB44EFA6C55037CA361FF84F98F844235CA1D0B6A8DF3CD854D350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D061AFC, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 159memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,?,?,?,00007FF73D061E0B), ref: 00007FF73D061B41
GetDeviceCaps.GDI32 ref: 00007FF73D061B59
GetDeviceCaps.GDI32 ref: 00007FF73D061B6B
HeapAlloc.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,?,?,?,00007FF73D061E0B), ref: 00007FF73D061BE4
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,?,?,?,00007FF73D061E0B), ref: 00007FF73D061BF2
HeapFree.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,?,?,?,00007FF73D061E0B), ref: 00007FF73D061CBC
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,?,?,?,00007FF73D061E0B), ref: 00007FF73D061CC4

Strings

Helpers::CreateCompatibleDIBSection, xrefs: 00007FF73D061B2A

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$CapsDeviceErrorLast$AllocFreeProcess
String ID: Helpers::CreateCompatibleDIBSection
API String ID: 412750379-3924154291
Opcode ID: 4f79404391110a2fc358460677299dd5f638985a4c7a505fcb039a762227c1b2
Instruction ID: 5b8b4679b9b78b5737bc953ca8485eb4b5210aa1c8ddb8c201cd9c7f1db7b8d6
Opcode Fuzzy Hash: 4f79404391110a2fc358460677299dd5f638985a4c7a505fcb039a762227c1b2
Instruction Fuzzy Hash: 4951D172A0C65AA6E754EF95E5002B9B7A0FB84F80F804135DA4D47B90FF3CE818DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D049EC4, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73D048C78: GetDlgItem.USER32 ref: 00007FF73D048CAA
Part of subcall function 00007FF73D048C78: SendMessageW.USER32(?,?,?,?,?,00007FF73D0487C3), ref: 00007FF73D048CC6
Part of subcall function 00007FF73D048C78: SendMessageW.USER32(?,?,?,?,?,00007FF73D0487C3), ref: 00007FF73D048CE2

IsDlgButtonChecked.USER32 ref: 00007FF73D049F73
IsDlgButtonChecked.USER32 ref: 00007FF73D049FCE
IsDlgButtonChecked.USER32 ref: 00007FF73D049FE6
IsDlgButtonChecked.USER32 ref: 00007FF73D04A001
IsDlgButtonChecked.USER32 ref: 00007FF73D04A01C
IsDlgButtonChecked.USER32 ref: 00007FF73D04A077

Part of subcall function 00007FF73D047C8C: TraceMessage.ADVAPI32 ref: 00007FF73D047CE9

Strings

COptions::OptionsDlgToOptions, xrefs: 00007FF73D049EE5

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: ButtonChecked$Message$Send$ItemTrace
String ID: COptions::OptionsDlgToOptions
API String ID: 3080089328-2598284891
Opcode ID: f70ec3fa45aa3b6ce30c4d957ebd0542fe2cee52762bcf6e55fc24374f3649d8
Instruction ID: e9d1ebd3523e3bbc317eba16ee38a553bcc6460bf7a618c2d4b69c1363458eb7
Opcode Fuzzy Hash: f70ec3fa45aa3b6ce30c4d957ebd0542fe2cee52762bcf6e55fc24374f3649d8
Instruction Fuzzy Hash: 3151FEB2A0C316A7D754AF51E18446CB7B0FB84F40F904639EA4947B80DF3CE9669B20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D056F04, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00007FF73D056FC8
SendMessageW.USER32 ref: 00007FF73D056FE4
SendMessageW.USER32 ref: 00007FF73D057000
GetLastError.KERNEL32 ref: 00007FF73D05700A
CheckMenuRadioItem.USER32 ref: 00007FF73D0570A0
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF73D0570B2

Strings

CEditor::SetButtonCheck, xrefs: 00007FF73D056F2C

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$ErrorLast$CheckItemMenuRadio
String ID: CEditor::SetButtonCheck
API String ID: 881549364-3091195016
Opcode ID: 7725922c2d4cba3f30fc93ff6bb6a5eb6e2fc886bf30a201d4bd26ad661f1b1b
Instruction ID: cf034949c4c1b4805f0d7d9c8dfb7d85490d6967bf225cf04f99a450d817a8ff
Opcode Fuzzy Hash: 7725922c2d4cba3f30fc93ff6bb6a5eb6e2fc886bf30a201d4bd26ad661f1b1b
Instruction Fuzzy Hash: 1651F471E0C74AA1FB20ABA2D8406B9A6E1FB84F94FC44135DD0D4BA95EF3CE541A760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D048640, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF73D048761
InvalidateRect.USER32 ref: 00007FF73D04876F

Part of subcall function 00007FF73D048C78: GetDlgItem.USER32 ref: 00007FF73D048CAA
Part of subcall function 00007FF73D048C78: SendMessageW.USER32(?,?,?,?,?,00007FF73D0487C3), ref: 00007FF73D048CC6
Part of subcall function 00007FF73D048C78: SendMessageW.USER32(?,?,?,?,?,00007FF73D0487C3), ref: 00007FF73D048CE2

GetDlgItem.USER32 ref: 00007FF73D0487E5
InvalidateRect.USER32 ref: 00007FF73D0487F3
GetDlgItem.USER32 ref: 00007FF73D048801
InvalidateRect.USER32 ref: 00007FF73D04880F

Strings

COptions::CustColCmdProc, xrefs: 00007FF73D048669

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: Item$InvalidateRect$MessageSend
String ID: COptions::CustColCmdProc
API String ID: 161732798-370793746
Opcode ID: 592b95fca214f866af905ff725debeb74e6c838573aeff77f2a0523f982dd683
Instruction ID: 3be999a4653218834fe99a9e71805eb9bd25aec2704b73ca4bec6b686a6ffa0a
Opcode Fuzzy Hash: 592b95fca214f866af905ff725debeb74e6c838573aeff77f2a0523f982dd683
Instruction Fuzzy Hash: E151D421E0C21A66FA64BB56D488579A671FB44F90F900639DA1D1BBE0FF3CD502AF10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D041D1C, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

LoadCursorW.USER32 ref: 00007FF73D041D62
GetLastError.KERNEL32 ref: 00007FF73D041D78

Part of subcall function 00007FF73D041374: TraceMessage.ADVAPI32 ref: 00007FF73D04139D

LoadCursorW.USER32 ref: 00007FF73D041DCD
GetLastError.KERNEL32 ref: 00007FF73D041DDC
LoadCursorW.USER32 ref: 00007FF73D041E2B
GetLastError.KERNEL32 ref: 00007FF73D041E3A

Strings

CCaptureForm::InitResources, xrefs: 00007FF73D041D3E

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: CursorErrorLastLoad$MessageTrace
String ID: CCaptureForm::InitResources
API String ID: 1589401705-1836353799
Opcode ID: f3eec62fcfde5e1747a68795d7d56a11f83d94c9a7cadc37c62b1f3f8acea2e8
Instruction ID: 4adeb89eba91d6a8189ac3990965cb475886c686e2dd2b9dc25e74a0d676b9b2
Opcode Fuzzy Hash: f3eec62fcfde5e1747a68795d7d56a11f83d94c9a7cadc37c62b1f3f8acea2e8
Instruction Fuzzy Hash: 0F41E335B0C746A6E700EBA6D4846B5B3B0FB40F84F900435DA0D47AA5EF3CE429D761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D0536C0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF73D0536FE
CallWindowProcW.USER32 ref: 00007FF73D053745
LoadCursorW.USER32 ref: 00007FF73D053757
SetCursor.USER32 ref: 00007FF73D053760
DefWindowProcW.USER32 ref: 00007FF73D05377D

Strings

CToolbar::HelpButtonWndProc, xrefs: 00007FF73D053717
CToolbar::HelpButtonWndProcDispatch, xrefs: 00007FF73D0536E0

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CursorProc$CallLoadLong
String ID: CToolbar::HelpButtonWndProc$CToolbar::HelpButtonWndProcDispatch
API String ID: 4251273321-490664659
Opcode ID: 8b3084ae9df8c84d27473eed97d15c8143ec5e45901213b727700f0d3f9f9b8c
Instruction ID: 312a6ea444750ed8c53551c5d3bb705e8550d590e64c49af59224f09207de195
Opcode Fuzzy Hash: 8b3084ae9df8c84d27473eed97d15c8143ec5e45901213b727700f0d3f9f9b8c
Instruction Fuzzy Hash: 22219565B1CB4AA2EA10ABA6E4444B9A361FF88FC0FC44131EE4E07755EF3CE546D310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D051A7C, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 182COMMON

Download Yara Rule

APIs

GetWindowRgnBox.USER32 ref: 00007FF73D051AF9
OffsetRect.USER32 ref: 00007FF73D051B0F
IntersectRect.USER32 ref: 00007FF73D051B21

Part of subcall function 00007FF73D041374: TraceMessage.ADVAPI32 ref: 00007FF73D04139D

WinSqmIsOptedIn.NTDLL ref: 00007FF73D051C03
WinSqmIncrementDWORD.NTDLL ref: 00007FF73D051C18

Strings

CToolbar::WindowSelectEvent, xrefs: 00007FF73D051ABE

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$IncrementIntersectMessageOffsetOptedTraceWindow
String ID: CToolbar::WindowSelectEvent
API String ID: 4003234921-162377675
Opcode ID: 72736bc5c29dad661c0fc09ecdbc5220eae6cdfca5905ce0ef4974b710125e4f
Instruction ID: 8f795a66592ec3c029fb36c2013eeb262c3e391d9ca2c29224f1e08331ec03cd
Opcode Fuzzy Hash: 72736bc5c29dad661c0fc09ecdbc5220eae6cdfca5905ce0ef4974b710125e4f
Instruction Fuzzy Hash: 02815E72F0CA49AAF710EBA1D4407ADB372EB44B58F900136DE0D5BA98EF38D50AD750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D0526E0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetSystemDefaultUILanguage.KERNEL32 ref: 00007FF73D052728
DrawIconEx.USER32 ref: 00007FF73D052770
GetLastError.KERNEL32 ref: 00007FF73D05277A

Part of subcall function 00007FF73D0633EC: SetLayout.GDI32 ref: 00007FF73D063417
Part of subcall function 00007FF73D0633EC: GetLastError.KERNEL32 ref: 00007FF73D063424

Part of subcall function 00007FF73D062088: CreatePen.GDI32 ref: 00007FF73D0620C6
Part of subcall function 00007FF73D062088: GetLastError.KERNEL32 ref: 00007FF73D0620D4

Part of subcall function 00007FF73D061628: SelectObject.GDI32 ref: 00007FF73D06165F
Part of subcall function 00007FF73D061628: GetLastError.KERNEL32 ref: 00007FF73D06166D

Part of subcall function 00007FF73D062B9C: GetStockObject.GDI32 ref: 00007FF73D062BCB
Part of subcall function 00007FF73D062B9C: GetLastError.KERNEL32 ref: 00007FF73D062BD9

Rectangle.GDI32 ref: 00007FF73D05285D
GetLastError.KERNEL32 ref: 00007FF73D052867

Part of subcall function 00007FF73D041374: TraceMessage.ADVAPI32 ref: 00007FF73D04139D

Strings

CToolbar::DrawIcon, xrefs: 00007FF73D052715

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$Object$CreateDefaultDrawIconLanguageLayoutMessageRectangleSelectStockSystemTrace
String ID: CToolbar::DrawIcon
API String ID: 2683400192-209355775
Opcode ID: e46512fec3e75c8d5ddb25966b9f1eba5258e38b54542158d062bd4fd768b081
Instruction ID: 78c8a42b91e96fa02898b2cd7209a5efd3e4d97bd4172ec97ebe388c37899a8b
Opcode Fuzzy Hash: e46512fec3e75c8d5ddb25966b9f1eba5258e38b54542158d062bd4fd768b081
Instruction Fuzzy Hash: 19519D62B0C65A66FB50EBF1E811BB9A7A1FF44B88F844035DE0D07A95EF3CD505A720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D043F0C, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32 ref: 00007FF73D043F72
PathYetAnotherMakeUniqueName.SHELL32 ref: 00007FF73D043F92
GetLastError.KERNEL32 ref: 00007FF73D043FD2

Part of subcall function 00007FF73D041374: TraceMessage.ADVAPI32 ref: 00007FF73D04139D

GetLastError.KERNEL32 ref: 00007FF73D043FEC

Strings

SnipImage().JPG, xrefs: 00007FF73D043F80
CEmailSupport::ComposeAsAttachment, xrefs: 00007FF73D043F56

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastPath$AnotherMakeMessageNameTempTraceUnique
String ID: CEmailSupport::ComposeAsAttachment$SnipImage().JPG
API String ID: 2468147465-1857612051
Opcode ID: 59765c2ddece35717d330cc374aaaf9274184a3bba5e8976ac8f040f798038a0
Instruction ID: d7f89ddf5a829072bb290c3ce34a33971feb1f7a5d952b64581895e627519a49
Opcode Fuzzy Hash: 59765c2ddece35717d330cc374aaaf9274184a3bba5e8976ac8f040f798038a0
Instruction Fuzzy Hash: 9741A331A0C78AA6E710EFA6D8446B9A770FB48F84FC04232DA5D476A4EF7CD505DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D061E24, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF73D061E59
SetLastError.KERNEL32 ref: 00007FF73D061E63
MapWindowPoints.USER32 ref: 00007FF73D061E74
GetLastError.KERNEL32 ref: 00007FF73D061E80

Part of subcall function 00007FF73D041374: TraceMessage.ADVAPI32 ref: 00007FF73D04139D

SetLastError.KERNEL32 ref: 00007FF73D061EDC

Strings

Helpers::MapWindowPoints, xrefs: 00007FF73D061E3C

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$MessagePointsTraceWindow
String ID: Helpers::MapWindowPoints
API String ID: 64208972-3763993354
Opcode ID: ff354ce3a340eac36c3e9993d26610486f40bef2f5b21144845347cd2fb0e233
Instruction ID: 153e1313705788d0b2ba46d9604d794a537bab546123278322de6386e9babed5
Opcode Fuzzy Hash: ff354ce3a340eac36c3e9993d26610486f40bef2f5b21144845347cd2fb0e233
Instruction Fuzzy Hash: 6621B121B1C75992EB10AB96E400678F760FF44F90F804035CA4D47B60EF3CE805DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D047A3C, Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73D047958: GetDC.USER32 ref: 00007FF73D0479C1
Part of subcall function 00007FF73D047958: GetDeviceCaps.GDI32 ref: 00007FF73D0479D5
Part of subcall function 00007FF73D047958: ReleaseDC.USER32 ref: 00007FF73D0479E2

Part of subcall function 00007FF73D06227C: LoadImageW.USER32 ref: 00007FF73D0622C3
Part of subcall function 00007FF73D06227C: GetLastError.KERNEL32 ref: 00007FF73D0622D1

GetObjectW.GDI32 ref: 00007FF73D047AB4

Part of subcall function 00007FF73D06DB04: GetProcessDefaultLayout.USER32(?,?,?,?,?,00007FF73D04E623), ref: 00007FF73D06DB2F
Part of subcall function 00007FF73D06DB04: GetLastError.KERNEL32(?,?,?,?,?,00007FF73D04E623), ref: 00007FF73D06DB39

ImageList_Destroy.COMCTL32 ref: 00007FF73D047AD1
ImageList_Create.COMCTL32 ref: 00007FF73D047AF1
ImageList_Add.COMCTL32 ref: 00007FF73D047B08
GetLastError.KERNEL32 ref: 00007FF73D047B13

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: Image$ErrorLastList_$CapsCreateDefaultDestroyDeviceLayoutLoadObjectProcessRelease
String ID:
API String ID: 1201471260-0
Opcode ID: 27207a9bd19791e97da1eb3a3f06e0c0596b852e1f99f980106dc82d3c00b89a
Instruction ID: 30d8fbf4bab2a363ee3950b6bf19aad9be7636806af16918ebbe77d103a69ff2
Opcode Fuzzy Hash: 27207a9bd19791e97da1eb3a3f06e0c0596b852e1f99f980106dc82d3c00b89a
Instruction Fuzzy Hash: 2841B361A0C75AA2EB50FBA5D448BB9A3B1FF84F40F904131DA5D47794EF3CD8019BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D04B6D8, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32 ref: 00007FF73D04B7E8
SysStringLen.OLEAUT32 ref: 00007FF73D04B80A
SysFreeString.OLEAUT32 ref: 00007FF73D04B8E5
SysFreeString.OLEAUT32 ref: 00007FF73D04B91B

Part of subcall function 00007FF73D041374: TraceMessage.ADVAPI32 ref: 00007FF73D04139D

Strings

CSnip::GenerateInlineHTML, xrefs: 00007FF73D04B703

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$CreateGlobalMessageStreamTrace
String ID: CSnip::GenerateInlineHTML
API String ID: 1171298351-3299380430
Opcode ID: 995e0ea94fdf2860cfa8e9916ee24b6bea96e7dc77772dac6def682b8f4ed080
Instruction ID: 8306a9a453d62b18d76766eece56062e76e90211f69adfd0f35d18e6608dbf22
Opcode Fuzzy Hash: 995e0ea94fdf2860cfa8e9916ee24b6bea96e7dc77772dac6def682b8f4ed080
Instruction Fuzzy Hash: D5714D72A0DB5AE9EB11EFA5C4847B867B0EB44F48F904135DE0D87AA4EF38E505D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D04A638, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 113windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73D061E24: GetLastError.KERNEL32 ref: 00007FF73D061E59
Part of subcall function 00007FF73D061E24: SetLastError.KERNEL32 ref: 00007FF73D061E63
Part of subcall function 00007FF73D061E24: MapWindowPoints.USER32 ref: 00007FF73D061E74
Part of subcall function 00007FF73D061E24: GetLastError.KERNEL32 ref: 00007FF73D061E80
Part of subcall function 00007FF73D061E24: SetLastError.KERNEL32 ref: 00007FF73D061EDC

GetWindow.USER32 ref: 00007FF73D04A6EC
IsWindowVisible.USER32 ref: 00007FF73D04A70A

Part of subcall function 00007FF73D061FD0: GetWindowRect.USER32 ref: 00007FF73D062007
Part of subcall function 00007FF73D061FD0: GetLastError.KERNEL32 ref: 00007FF73D062013

IntersectRect.USER32 ref: 00007FF73D04A737
DRMIsWindowProtected.MSDRM ref: 00007FF73D04A748

Strings

CScreenCapture::IsScreenShotAllowed, xrefs: 00007FF73D04A66F

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastWindow$Rect$IntersectPointsProtectedVisible
String ID: CScreenCapture::IsScreenShotAllowed
API String ID: 404671582-160682021
Opcode ID: b29bfade0effb73d999a6ebf661e7d50cf99c41195c6c22d58e71394a9f90630
Instruction ID: 19c45a1a692628f64f2d5e86da6804f293f943568c5e6901566626d82e0b4635
Opcode Fuzzy Hash: b29bfade0effb73d999a6ebf661e7d50cf99c41195c6c22d58e71394a9f90630
Instruction Fuzzy Hash: 68517376B08659AAF710EFA1D4455ADB3B0FB88B8CF844036DE0C67A44EF38E505D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D0442C4, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 00007FF73D04432B
GetLastError.KERNEL32 ref: 00007FF73D0443D6

Part of subcall function 00007FF73D0624E4: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF73D06252B

Part of subcall function 00007FF73D062594: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF73D0625C1

Strings

Software\Microsoft\Windows\TabletPC\Snipping Tool\LinkFingerprints, xrefs: 00007FF73D044348
IEFrame, xrefs: 00007FF73D044399
CLinkFingerprint::Load, xrefs: 00007FF73D04430B

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassCloseErrorLastNameOpen
String ID: CLinkFingerprint::Load$IEFrame$Software\Microsoft\Windows\TabletPC\Snipping Tool\LinkFingerprints
API String ID: 2833873311-545031376
Opcode ID: a7a20cb16c52db9707e32eaed2acec976ce4388888d9042b91b39a7d2be6f298
Instruction ID: 9bd14fbda279be4665da56e7e84fe7565ba70282a7ae0014a8347032f0aba701
Opcode Fuzzy Hash: a7a20cb16c52db9707e32eaed2acec976ce4388888d9042b91b39a7d2be6f298
Instruction Fuzzy Hash: EB41B632A1C74AA6E710EBA5E4806B9E370FB84B94F804131EA9E47699FF7CD505DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D047694, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86commemoryCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 00007FF73D0476ED
SysAllocString.OLEAUT32 ref: 00007FF73D047708
SysFreeString.OLEAUT32 ref: 00007FF73D047730

Strings

CMain::ShowHelp, xrefs: 00007FF73D0476BA
mshelp://Windows/?id=1337CDBA-52A2-4704-AD4D-2D7BACE605B4, xrefs: 00007FF73D047701

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocCreateFreeInstance
String ID: CMain::ShowHelp$mshelp://Windows/?id=1337CDBA-52A2-4704-AD4D-2D7BACE605B4
API String ID: 391255401-1203155038
Opcode ID: 02d01a2b5d45c6d7b0ff42ae4bc0b9bd20abcda5b35163bf7b0379f76306c57c
Instruction ID: 1016b1564c5f732856839616b4bd61e0a94aab1e9a5b16ed431b9d7c44ff214f
Opcode Fuzzy Hash: 02d01a2b5d45c6d7b0ff42ae4bc0b9bd20abcda5b35163bf7b0379f76306c57c
Instruction Fuzzy Hash: C9415D22A08B0AA6EB10EB61D8547B867B0FB84F88FD04131D90D476A4EF7CE545DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D04F6D0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF73D04F718
SetWindowLongPtrW.USER32 ref: 00007FF73D04F73B
GetDpiForWindow.USER32 ref: 00007FF73D04F744
DefWindowProcW.USER32 ref: 00007FF73D04F793

Strings

CToolbar::WndProcDispatch, xrefs: 00007FF73D04F6FF

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long$Proc
String ID: CToolbar::WndProcDispatch
API String ID: 3468714886-779148243
Opcode ID: 81ee72b20a71534ee6800b055a37c737cff34035c4ad12f406b4b77a02b9bae0
Instruction ID: f0af77996161026f43943790ad4b09afc6c59db6328741754f4d612e26c1e249
Opcode Fuzzy Hash: 81ee72b20a71534ee6800b055a37c737cff34035c4ad12f406b4b77a02b9bae0
Instruction Fuzzy Hash: 3E11D236A08B5592DA00AF96D9444BDB770EB84FE0B884231DE5D177A5EF3CE4029740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D054B10, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00007FF73D054B41
IsZoomed.USER32 ref: 00007FF73D054B5C
ShowWindow.USER32(?,?,?,?,00000000,00007FF73D046BCB), ref: 00007FF73D054B6E
ShowWindow.USER32(?,?,?,?,00000000,00007FF73D046BCB), ref: 00007FF73D054B7E

Part of subcall function 00007FF73D054A90: SendMessageW.USER32(?,?,?,?,00007FF73D054B57,?,?,?,?,00000000,00007FF73D046BCB), ref: 00007FF73D054AB5
Part of subcall function 00007FF73D054A90: GetLastError.KERNEL32(?,?,?,?,00007FF73D054B57,?,?,?,?,00000000,00007FF73D046BCB), ref: 00007FF73D054AD8

Strings

CEditor::SetVisible, xrefs: 00007FF73D054B29

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Show$ErrorLastMessageSendVisibleZoomed
String ID: CEditor::SetVisible
API String ID: 3161135578-1916840354
Opcode ID: 9dde70f6b25e570fb53d360c232086d0f5a992e75b9d51bc3eea68c9db7d4928
Instruction ID: bbeb046abffac10e07b9be25601b41e6588193349ea831c243ddc699488559f8
Opcode Fuzzy Hash: 9dde70f6b25e570fb53d360c232086d0f5a992e75b9d51bc3eea68c9db7d4928
Instruction Fuzzy Hash: E7117076B0C64592EB00ABA2D5801BCB321FB84F80B844531DA1D47755EF38D829D360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D041ADC, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73D0621E4: LoadIconW.USER32 ref: 00007FF73D062213
Part of subcall function 00007FF73D0621E4: GetLastError.KERNEL32 ref: 00007FF73D062221

LoadCursorW.USER32 ref: 00007FF73D041B31
RegisterClassW.USER32 ref: 00007FF73D041B6B

Strings

CCaptureForm::Register, xrefs: 00007FF73D041AEF
Microsoft-Windows-SnipperCaptureForm-WinShiftS, xrefs: 00007FF73D041B45
Microsoft-Windows-SnipperCaptureForm, xrefs: 00007FF73D041B51

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: Load$ClassCursorErrorIconLastRegister
String ID: CCaptureForm::Register$Microsoft-Windows-SnipperCaptureForm$Microsoft-Windows-SnipperCaptureForm-WinShiftS
API String ID: 1253014879-1700326
Opcode ID: f83d31de2cfb640514b123f39cfe0c04309d655737a3d6167eca1d4a5adcb668
Instruction ID: 478274f56f065566a72f1c4a47cb543df78dd6c731ae3bc1c3942c03200d2384
Opcode Fuzzy Hash: f83d31de2cfb640514b123f39cfe0c04309d655737a3d6167eca1d4a5adcb668
Instruction Fuzzy Hash: 9F112922E18B56A9FB00ABE1E8803BC7371FB44B59F844135DA8D5AA99EF38D059C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D056E5C, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73D0621E4: LoadIconW.USER32 ref: 00007FF73D062213
Part of subcall function 00007FF73D0621E4: GetLastError.KERNEL32 ref: 00007FF73D062221

LoadCursorW.USER32 ref: 00007FF73D056EB4
GetStockObject.GDI32 ref: 00007FF73D056EC0
RegisterClassW.USER32 ref: 00007FF73D056EDE

Strings

Microsoft-Windows-SnipperEditor, xrefs: 00007FF73D056ED3
CEditor::Register, xrefs: 00007FF73D056E6F

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: Load$ClassCursorErrorIconLastObjectRegisterStock
String ID: CEditor::Register$Microsoft-Windows-SnipperEditor
API String ID: 1352477044-4097437351
Opcode ID: d5aa498bbb8cd128faa12a2128f022b77e1da0a46d86144a5636434f9fc9f30e
Instruction ID: 0f655f6331227de40a2af680c56b83318cca5e70027aa9a5f54e1f5f5cbea6ec
Opcode Fuzzy Hash: d5aa498bbb8cd128faa12a2128f022b77e1da0a46d86144a5636434f9fc9f30e
Instruction Fuzzy Hash: 36110D32F08B1699FB00ABE0E8553BD73B4FB44719F800135DA4D5AA99EF38D169D750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D05223C, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 245COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73D04A638: GetWindow.USER32 ref: 00007FF73D04A6EC
Part of subcall function 00007FF73D04A638: IsWindowVisible.USER32 ref: 00007FF73D04A70A
Part of subcall function 00007FF73D04A638: IntersectRect.USER32 ref: 00007FF73D04A737
Part of subcall function 00007FF73D04A638: DRMIsWindowProtected.MSDRM ref: 00007FF73D04A748

Part of subcall function 00007FF73D061A50: CreateCompatibleDC.GDI32 ref: 00007FF73D061A7D
Part of subcall function 00007FF73D061A50: GetLastError.KERNEL32 ref: 00007FF73D061A8B

Part of subcall function 00007FF73D061D48: CreateCompatibleBitmap.GDI32 ref: 00007FF73D061D86
Part of subcall function 00007FF73D061D48: GetLastError.KERNEL32 ref: 00007FF73D061D94

Part of subcall function 00007FF73D061628: SelectObject.GDI32 ref: 00007FF73D06165F
Part of subcall function 00007FF73D061628: GetLastError.KERNEL32 ref: 00007FF73D06166D

WinSqmIsOptedIn.NTDLL ref: 00007FF73D052425
WinSqmIncrementDWORD.NTDLL ref: 00007FF73D05243A

Part of subcall function 00007FF73D04396C: TraceMessage.ADVAPI32 ref: 00007FF73D0439CE

Strings

, xrefs: 00007FF73D0523A8
CToolbar::StrokeToEditor, xrefs: 00007FF73D052279

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastWindow$CompatibleCreate$BitmapIncrementIntersectMessageObjectOptedProtectedRectSelectTraceVisible
String ID: $CToolbar::StrokeToEditor
API String ID: 3329928209-2523353361
Opcode ID: c09f517f37ff991b4577dcd65435023737ffe03bfd5fab2a73ff62d6c54712c3
Instruction ID: eb32236ab03457f9d950b84b6e97501a2344b81143d248362eefc705b46bfd48
Opcode Fuzzy Hash: c09f517f37ff991b4577dcd65435023737ffe03bfd5fab2a73ff62d6c54712c3
Instruction Fuzzy Hash: EEB1BE72B0D646AAEB10EFB5D4402ADB3A1FB44B88F904135EE4E17B98EF38D505D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D0542E0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73D055734: LoadMenuW.USER32 ref: 00007FF73D0558A8
Part of subcall function 00007FF73D055734: GetLastError.KERNEL32 ref: 00007FF73D0558BA

Part of subcall function 00007FF73D056E5C: LoadCursorW.USER32 ref: 00007FF73D056EB4
Part of subcall function 00007FF73D056E5C: GetStockObject.GDI32 ref: 00007FF73D056EC0
Part of subcall function 00007FF73D056E5C: RegisterClassW.USER32 ref: 00007FF73D056EDE

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF73D045F40), ref: 00007FF73D0543A5

Part of subcall function 00007FF73D062FC0: CreateWindowExW.USER32 ref: 00007FF73D063065
Part of subcall function 00007FF73D062FC0: GetLastError.KERNEL32 ref: 00007FF73D063073

ShowWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF73D045F40), ref: 00007FF73D05439D

Strings

Microsoft-Windows-SnipperEditor, xrefs: 00007FF73D054357
CEditor::Init, xrefs: 00007FF73D054301

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$LoadWindow$ClassCreateCursorMenuObjectRegisterShowStock
String ID: CEditor::Init$Microsoft-Windows-SnipperEditor
API String ID: 2558372479-1887321107
Opcode ID: b90906d9cbb1fcd7729643edf24c348c4b556f32feafaf851d9171b85a1df6b5
Instruction ID: 92340b045c6fa291adf0038a6e6bde30966bb6cc8c029479148d190480798727
Opcode Fuzzy Hash: b90906d9cbb1fcd7729643edf24c348c4b556f32feafaf851d9171b85a1df6b5
Instruction Fuzzy Hash: D8316D71A0CB8AA5DB14EFA6E4403A9B7A0FB44B80F804136DA8D47B55EF3CD455DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D041EA0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF73D041EE8
SetWindowLongPtrW.USER32 ref: 00007FF73D041F0B
DefWindowProcW.USER32 ref: 00007FF73D041F54

Strings

CCaptureForm::WndProcDispatch, xrefs: 00007FF73D041ECF

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long$Proc
String ID: CCaptureForm::WndProcDispatch
API String ID: 3468714886-1029861109
Opcode ID: a887c8033bb2d930564ef4b062759662da15b133a4b34a125774871708071cef
Instruction ID: 5ab3fd9b75c9ba4fe4e068f50949456e6cf01fc9ad50d37d696054299db24eb3
Opcode Fuzzy Hash: a887c8033bb2d930564ef4b062759662da15b133a4b34a125774871708071cef
Instruction Fuzzy Hash: 31119032B08B5592DA00AB97D9444A9B770EF84FE0B880231EE5D17BE9EF38E5169744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D059710, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF73D059758
SetWindowLongPtrW.USER32 ref: 00007FF73D05977B
DefWindowProcW.USER32 ref: 00007FF73D0597C4

Strings

CEditorPanel::WndProcDispatch, xrefs: 00007FF73D05973F

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long$Proc
String ID: CEditorPanel::WndProcDispatch
API String ID: 3468714886-481295940
Opcode ID: 53bf7e3b631159cf771efe0aa90796ead81bfac4bed11f79bff449df9c634344
Instruction ID: 9127c9e976f6a95234c5d9752bc2684f3cb092448fc9ff68329bed8e6bb7e496
Opcode Fuzzy Hash: 53bf7e3b631159cf771efe0aa90796ead81bfac4bed11f79bff449df9c634344
Instruction Fuzzy Hash: 4C11E676B0CB0992DA00AF96D9400ADB761EB85FE0F880235DE5D177A5EF3CD402D340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D0506EC, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

FindWindowW.USER32 ref: 00007FF73D050728
GetLastError.KERNEL32 ref: 00007FF73D050733

Part of subcall function 00007FF73D041374: TraceMessage.ADVAPI32 ref: 00007FF73D04139D

Strings

TabletPenServiceHelperClass, xrefs: 00007FF73D050721
CToolbar::ClearTouchUI, xrefs: 00007FF73D0506FF

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFindLastMessageTraceWindow
String ID: CToolbar::ClearTouchUI$TabletPenServiceHelperClass
API String ID: 1563800024-3658422759
Opcode ID: 776942223592dc7c63e6e3fb395460a80ebf51f28a9da344fe016756a74c7d4f
Instruction ID: b72b5212d73f379b85d12c83f09f29496ac83e638eedcc1486f58606e5b507d2
Opcode Fuzzy Hash: 776942223592dc7c63e6e3fb395460a80ebf51f28a9da344fe016756a74c7d4f
Instruction Fuzzy Hash: A0113061E1C68AA1FB50B7A0D9557B8A7A1FB80B44FC48035D90D476A0FF3CD51AD720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D05D290, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF73D05D2B7
GetProcAddress.KERNEL32 ref: 00007FF73D05D2CE

Strings

RtlDllShutdownInProgress, xrefs: 00007FF73D05D2C4
ntdll.dll, xrefs: 00007FF73D05D2B0

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: RtlDllShutdownInProgress$ntdll.dll
API String ID: 1646373207-582119455
Opcode ID: 502f774bfe8741a04755ed4f6d02f298a1c5767c119003654b5c8d10fb205171
Instruction ID: 382bcd401f2b7f06b7164c3f04e39613447687d374259a936ef26f7b6d0ffa4c
Opcode Fuzzy Hash: 502f774bfe8741a04755ed4f6d02f298a1c5767c119003654b5c8d10fb205171
Instruction Fuzzy Hash: 41F0B760E0EB0AA5FA05ABE5A945171A3A4AF68F44F841135C85D06760FF2CE469A730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D05F2E4, Relevance: 6.3, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF73D05F34C
CloseHandle.KERNEL32 ref: 00007FF73D05F35F
CloseHandle.KERNEL32 ref: 00007FF73D05F372

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 2c5118ede7ef3876de41cfc58ae818377a1785ff0b9d26e89dabaf02900563d7
Instruction ID: 91f9c43312d9fa542250e4e07828b428d12d07cc4767b6359510e79f2cb93ee1
Opcode Fuzzy Hash: 2c5118ede7ef3876de41cfc58ae818377a1785ff0b9d26e89dabaf02900563d7
Instruction Fuzzy Hash: A721B165B0DA0A95FB64EF92D410179A766EF84F80F984131DE8E47B58EF3CE452A320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D051D54, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

WinSqmIsOptedIn.NTDLL ref: 00007FF73D052047
WinSqmIncrementDWORD.NTDLL ref: 00007FF73D05205B

Part of subcall function 00007FF73D04396C: TraceMessage.ADVAPI32 ref: 00007FF73D0439CE

Part of subcall function 00007FF73D041374: TraceMessage.ADVAPI32 ref: 00007FF73D04139D

Strings

CToolbar::FullScreenSelectEvent, xrefs: 00007FF73D051D9B

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageTrace$IncrementOpted
String ID: CToolbar::FullScreenSelectEvent
API String ID: 3669814838-542482644
Opcode ID: f534e18091c2109e5ed0b79b1800d5789ba01c37c79ce029bbeda1e133000405
Instruction ID: e278b0119fbb58e6010447021bfbab7f603aface2a1df0fe3466e15b20e8c3c8
Opcode Fuzzy Hash: f534e18091c2109e5ed0b79b1800d5789ba01c37c79ce029bbeda1e133000405
Instruction Fuzzy Hash: 33C1ABB2B0CA459AEB10EFA5D4402ADB3A2FB44B88B844136DE0D577A4EF3CE405D750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D044D4C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 179COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF73D044DCD
VariantInit.OLEAUT32 ref: 00007FF73D044DE0

Strings

CLinkFingerprint::DoesParentMatch, xrefs: 00007FF73D044D8F

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: InitVariant
String ID: CLinkFingerprint::DoesParentMatch
API String ID: 1927566239-1327914226
Opcode ID: ab531eb9cca118562c0b04001d0fa3760983ad8d70b1ccdd229e0999bdbdf5ec
Instruction ID: 0abd5a1dc49275e12390d8ed744bf93eb1df19498525798b903dda9c88bf30b4
Opcode Fuzzy Hash: ab531eb9cca118562c0b04001d0fa3760983ad8d70b1ccdd229e0999bdbdf5ec
Instruction Fuzzy Hash: 6D81AA76A08A699AEB10DFB9C4049ADB3B4FB48F8CB454232DE0D13658EF38D855CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D055A18, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF73D055A7F
#345.COMCTL32 ref: 00007FF73D055AF7

Strings

CEditor::ShowSaveExitDlg, xrefs: 00007FF73D055A36

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: #345memset
String ID: CEditor::ShowSaveExitDlg
API String ID: 2653015145-2661841184
Opcode ID: 17d1ce49aa629410b013b850331180542f4ab4844a47f649d4aa7374684bac99
Instruction ID: a4b25f5e960b9146dec11a4fc9abf13f5896e904f3d5881a2d51ce54a6d4a417
Opcode Fuzzy Hash: 17d1ce49aa629410b013b850331180542f4ab4844a47f649d4aa7374684bac99
Instruction Fuzzy Hash: 623117B2A18B4ADEF7109FE4D5497EC73B1E70475DF800039DE0C5AA99EBB99018D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D05B544, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 00007FF73D05B5D2

Part of subcall function 00007FF73D041374: TraceMessage.ADVAPI32 ref: 00007FF73D04139D

Strings

CMimeFile::Release, xrefs: 00007FF73D05B57D
CMimeFile::InitNew, xrefs: 00007FF73D05B566

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateInstanceMessageTrace
String ID: CMimeFile::InitNew$CMimeFile::Release
API String ID: 365332588-405731026
Opcode ID: cae51e91cbde571ac93b1bcfd03436d7a209eae151784750fb0c1100e55bb318
Instruction ID: eceb164130cd95b0abf1318a3ef05b71d3e306d5542b2212a061c8f4c08458fa
Opcode Fuzzy Hash: cae51e91cbde571ac93b1bcfd03436d7a209eae151784750fb0c1100e55bb318
Instruction Fuzzy Hash: A5319E72B0CA0AA2EB00EFA9D4402B9B760FB84F84F804131DB5D476A5EF3CE55AD710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D062D40, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65windowCOMMON

Download Yara Rule

APIs

BitBlt.GDI32 ref: 00007FF73D062DBB
GetLastError.KERNEL32 ref: 00007FF73D062DC7

Part of subcall function 00007FF73D041374: TraceMessage.ADVAPI32 ref: 00007FF73D04139D

Strings

Helpers::BitBlt, xrefs: 00007FF73D062D64

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastMessageTrace
String ID: Helpers::BitBlt
API String ID: 1771602149-3070415838
Opcode ID: 7ede8c921f181fd21eabf82e520ca0d33b1dc223de2164498ea398ea535b4b11
Instruction ID: c10d2b618a6414dd9548b4fe4589a03a832e74c70c4f5ff4c0fc4440b001623b
Opcode Fuzzy Hash: 7ede8c921f181fd21eabf82e520ca0d33b1dc223de2164498ea398ea535b4b11
Instruction Fuzzy Hash: 5731C0367187859BDB60EF69E4406A9B7A0FB88F90F944131DA8C87B14EF3CD905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D061D48, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

CreateCompatibleBitmap.GDI32 ref: 00007FF73D061D86
GetLastError.KERNEL32 ref: 00007FF73D061D94

Part of subcall function 00007FF73D041374: TraceMessage.ADVAPI32 ref: 00007FF73D04139D

Strings

Helpers::CreateCompatibleBitmap, xrefs: 00007FF73D061D6B

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: BitmapCompatibleCreateErrorLastMessageTrace
String ID: Helpers::CreateCompatibleBitmap
API String ID: 2782753064-735526303
Opcode ID: 365e9ae90165587fe2231c9777e690f3404ff3c5bfa148ca7401e985a6ba226d
Instruction ID: 3758560a59c7cd875340bf6b0eb909f96bd62b5da3a51e09a61bd36d3778068a
Opcode Fuzzy Hash: 365e9ae90165587fe2231c9777e690f3404ff3c5bfa148ca7401e985a6ba226d
Instruction Fuzzy Hash: A021C422B1C75AA1EB10BB96E4005B4A7A0FB84F80F844031DE4C47765FF3CD509D750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D048AF8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73D06234C: LoadStringW.USER32 ref: 00007FF73D06238E
Part of subcall function 00007FF73D06234C: GetLastError.KERNEL32 ref: 00007FF73D06239A

SendMessageW.USER32 ref: 00007FF73D048B6F
SendMessageW.USER32 ref: 00007FF73D048B8B

Strings

COptions::ComboboxAddItemWithData, xrefs: 00007FF73D048B21

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$ErrorLastLoadString
String ID: COptions::ComboboxAddItemWithData
API String ID: 2847769298-3345801249
Opcode ID: 890617182274538aba58c96d71c485e8b936b0cddc305e26e108a65b055fc0fb
Instruction ID: 76fc7673cc23e95c339d8977db5a01a762ece81c686fd4cbbd19be8f7a92f643
Opcode Fuzzy Hash: 890617182274538aba58c96d71c485e8b936b0cddc305e26e108a65b055fc0fb
Instruction Fuzzy Hash: D011085270D69966FA40A792EC447B6A320EF84FE0F840231EE2D0BBD5EF3CD4069710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D06227C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 00007FF73D0622C3
GetLastError.KERNEL32 ref: 00007FF73D0622D1

Part of subcall function 00007FF73D041374: TraceMessage.ADVAPI32 ref: 00007FF73D04139D

Strings

Helpers::LoadImageW, xrefs: 00007FF73D06229A

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorImageLastLoadMessageTrace
String ID: Helpers::LoadImageW
API String ID: 1087851872-3821065122
Opcode ID: de8915bdc36f50e35fe69cc9fc657e7645abc9c1df894a4c0fba954434d0c88a
Instruction ID: 3fe5f9c30eccc0e5e1b91ab7261d76cd6a39eeda104946689d55244974fc0a44
Opcode Fuzzy Hash: de8915bdc36f50e35fe69cc9fc657e7645abc9c1df894a4c0fba954434d0c88a
Instruction Fuzzy Hash: F6118E72B1875992EB50EBA5E5047B8A760FB44F84FC44131DA4D4BBA1EF3CE505DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D061628, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SelectObject.GDI32 ref: 00007FF73D06165F
GetLastError.KERNEL32 ref: 00007FF73D06166D

Part of subcall function 00007FF73D041374: TraceMessage.ADVAPI32 ref: 00007FF73D04139D

Strings

Helpers::SelectObject, xrefs: 00007FF73D061649

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastMessageObjectSelectTrace
String ID: Helpers::SelectObject
API String ID: 4081516388-3038181788
Opcode ID: a7f11d40eb09543b5d57b2a45716a9dd965de26e5a97eafac662752d6aa56b53
Instruction ID: d9be347c6bd30ce323faf728bfe64c6287ca1d215679c8894ddc76c2655d7e16
Opcode Fuzzy Hash: a7f11d40eb09543b5d57b2a45716a9dd965de26e5a97eafac662752d6aa56b53
Instruction Fuzzy Hash: 1411B125B0C79AA2EB00AB95D5002B8B760FB44F84F884535DE4C4BB64EF3CD915DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D062E4C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

LoadMenuW.USER32 ref: 00007FF73D062E83
GetLastError.KERNEL32 ref: 00007FF73D062E91

Part of subcall function 00007FF73D041374: TraceMessage.ADVAPI32 ref: 00007FF73D04139D

Strings

Helpers::LoadMenuW, xrefs: 00007FF73D062E6D

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastLoadMenuMessageTrace
String ID: Helpers::LoadMenuW
API String ID: 1818229841-670640312
Opcode ID: 0c1ef83dfcda5f7ce778ff54a1da4ada95f270bda59b62c673854972accb7dec
Instruction ID: b66bddcf8cf6881e54d6cadc8eba48f9fbf6701c127e158beefb96d84516d8d4
Opcode Fuzzy Hash: 0c1ef83dfcda5f7ce778ff54a1da4ada95f270bda59b62c673854972accb7dec
Instruction Fuzzy Hash: 3011AF21B1C79AA1EA00EB95E8002B8A760FB44F84F844031CE4C0BB64EF3CE945DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D06326C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

CopyRect.USER32 ref: 00007FF73D0632A3
GetLastError.KERNEL32 ref: 00007FF73D0632AF

Part of subcall function 00007FF73D041374: TraceMessage.ADVAPI32 ref: 00007FF73D04139D

Strings

Helpers::CopyRect, xrefs: 00007FF73D06328D

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: CopyErrorLastMessageRectTrace
String ID: Helpers::CopyRect
API String ID: 930548525-3070950323
Opcode ID: 8d5cea2948f985c5b0d955d7c2eee02f59528a6a4450f6b8102a16477949878a
Instruction ID: 56eeae1d360edf871b1efcb5745e48fb4672f92c7d217d2421d5cf8855c6552f
Opcode Fuzzy Hash: 8d5cea2948f985c5b0d955d7c2eee02f59528a6a4450f6b8102a16477949878a
Instruction Fuzzy Hash: E5116D31B1C696A2EB00AFA5D5402B9B760FB44F84F844031DA4C47B65EF6CD955DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D062F08, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

GetSubMenu.USER32 ref: 00007FF73D062F3D
GetLastError.KERNEL32 ref: 00007FF73D062F4B

Part of subcall function 00007FF73D041374: TraceMessage.ADVAPI32 ref: 00007FF73D04139D

Strings

Helpers::GetSubMenu, xrefs: 00007FF73D062F28

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastMenuMessageTrace
String ID: Helpers::GetSubMenu
API String ID: 1948982149-4186770072
Opcode ID: 1adcc2eb55f8131d3606ae7418eb34ab49b948536e5dbf9c7de6cdeabaf5c6e0
Instruction ID: a860de4db12fcfaa62734ce52c634ee4eac4485ff9f513f6b098612a5f177634
Opcode Fuzzy Hash: 1adcc2eb55f8131d3606ae7418eb34ab49b948536e5dbf9c7de6cdeabaf5c6e0
Instruction Fuzzy Hash: 3611D631B1C75AA2EB00EBA5E4402B8B760FB84F84F844431DA4C07B64EF7CE906D750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D062A34, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF73D062A6B
GetLastError.KERNEL32 ref: 00007FF73D062A79

Part of subcall function 00007FF73D041374: TraceMessage.ADVAPI32 ref: 00007FF73D04139D

Strings

Helpers::CreateMutexW, xrefs: 00007FF73D062A47

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateErrorLastMessageMutexTrace
String ID: Helpers::CreateMutexW
API String ID: 3154876411-208822395
Opcode ID: bd509bba46f1a6deced16c0279543910b3f3a9dc6bd8ef42e50c0626868ce251
Instruction ID: bb30628f4f6ee28e3ebbf34412dfc4188e4386e75cb08f8d148d2b9ef4547ed9
Opcode Fuzzy Hash: bd509bba46f1a6deced16c0279543910b3f3a9dc6bd8ef42e50c0626868ce251
Instruction Fuzzy Hash: F311BE32B1C74AA2EB10ABA9D5002F8A760FB44F84F844431DA0C47BA5EF7DE604DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D06D950, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 00007FF73D06D996
GetLastError.KERNEL32 ref: 00007FF73D06D9A0

Part of subcall function 00007FF73D041374: TraceMessage.ADVAPI32 ref: 00007FF73D04139D

Strings

TabUtils::IsHighContrastModeOn, xrefs: 00007FF73D06D961

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorInfoLastMessageParametersSystemTrace
String ID: TabUtils::IsHighContrastModeOn
API String ID: 2359276039-1997263045
Opcode ID: 8ca8dcee2fa7c10afbf8b3291607036dda9ad52d1575d01ad5f80485d5e4cee7
Instruction ID: 1f7101d27025e0cf26d0ea55d0ea00a27455b5c52743da7b2304988dbb097b2c
Opcode Fuzzy Hash: 8ca8dcee2fa7c10afbf8b3291607036dda9ad52d1575d01ad5f80485d5e4cee7
Instruction Fuzzy Hash: E8117571A0C74A92E710EBA4E8406F5B7A0FB84B08F804136DA5D47658FF7CD949D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D062AEC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(?,?,?,?,00000000), ref: 00007FF73D062B21
GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00007FF73D062B2D

Part of subcall function 00007FF73D041374: TraceMessage.ADVAPI32 ref: 00007FF73D04139D

Strings

Helpers::ReleaseMutex, xrefs: 00007FF73D062B12

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastMessageMutexReleaseTrace
String ID: Helpers::ReleaseMutex
API String ID: 2315261655-115701670
Opcode ID: 094b33accbd4a7ddb25400e12e5a692c186726503e60a05e3f1400281349f726
Instruction ID: 4560b5a0b728e047bf6c94435272ee154defbe4e8b5d14c8c310f2eaa0697fa5
Opcode Fuzzy Hash: 094b33accbd4a7ddb25400e12e5a692c186726503e60a05e3f1400281349f726
Instruction Fuzzy Hash: 1C118E31B1C78AA6EB00AFA9E9402B8A7A0FB84F84F944031CA5D47664EF3CD515D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D061A50, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32 ref: 00007FF73D061A7D
GetLastError.KERNEL32 ref: 00007FF73D061A8B

Part of subcall function 00007FF73D041374: TraceMessage.ADVAPI32 ref: 00007FF73D04139D

Strings

Helpers::CreateCompatibleDC, xrefs: 00007FF73D061A6A

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: CompatibleCreateErrorLastMessageTrace
String ID: Helpers::CreateCompatibleDC
API String ID: 3001999966-205123639
Opcode ID: ad7bbc4d21d67ea343377f90c09bf45b077045e99c36c5b5517b81b182b4cdb5
Instruction ID: 53d0bc5239cc9373bb36705015d7bb7c40442142d1b69de2522d11d92d521d32
Opcode Fuzzy Hash: ad7bbc4d21d67ea343377f90c09bf45b077045e99c36c5b5517b81b182b4cdb5
Instruction Fuzzy Hash: D4116D72B1CA4AA2EB00AB95E5402B8A760FF44F84F944531DA4D47A61FF3CE519DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D0616E4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00007FF73D061711
GetLastError.KERNEL32 ref: 00007FF73D06171D

Part of subcall function 00007FF73D041374: TraceMessage.ADVAPI32 ref: 00007FF73D04139D

Strings

Helpers::DeleteObject, xrefs: 00007FF73D0616FE

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: DeleteErrorLastMessageObjectTrace
String ID: Helpers::DeleteObject
API String ID: 2866401289-2051101351
Opcode ID: a1a25561edc997f6a087098b75165d01626ceacfa6416dd0a3dbdbc2cefcb44f
Instruction ID: 27e120f89a74328294c9fe35b3f3769eb303b82009f03ce701ca5749a4ea1a25
Opcode Fuzzy Hash: a1a25561edc997f6a087098b75165d01626ceacfa6416dd0a3dbdbc2cefcb44f
Instruction Fuzzy Hash: 9011822571C74AA2EB00AB95E9406B8E770FF44F84F944431CA5D47661FF3CD519DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D052650, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF73D052693
DefWindowProcW.USER32 ref: 00007FF73D0526B3

Part of subcall function 00007FF73D052904: CallWindowProcW.USER32 ref: 00007FF73D05297D

Strings

CToolbar::InstructionsWndProcDispatch, xrefs: 00007FF73D05267A

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Proc$CallLong
String ID: CToolbar::InstructionsWndProcDispatch
API String ID: 2055830364-1362369973
Opcode ID: 79740966fd945411b3920112feb519cf105400f6fc0fb1a46797e878fecf21c2
Instruction ID: 3f34d36097347377ba2b3c69ed4725a869d52595006c85108af3bc5973472d15
Opcode Fuzzy Hash: 79740966fd945411b3920112feb519cf105400f6fc0fb1a46797e878fecf21c2
Instruction Fuzzy Hash: A701B521B0DB4992DA00AB96E440069A321EF85FE0B984235DE6D077E5EF38D5058350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D06DB04, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetProcessDefaultLayout.USER32(?,?,?,?,?,00007FF73D04E623), ref: 00007FF73D06DB2F
GetLastError.KERNEL32(?,?,?,?,?,00007FF73D04E623), ref: 00007FF73D06DB39

Part of subcall function 00007FF73D041374: TraceMessage.ADVAPI32 ref: 00007FF73D04139D

Strings

TabUtils::IsRTLProcess, xrefs: 00007FF73D06DB11

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: DefaultErrorLastLayoutMessageProcessTrace
String ID: TabUtils::IsRTLProcess
API String ID: 4036566328-24494515
Opcode ID: c0c5a03ccae446ec95ca47c59d11261959ffab1c9208bfa6cbaf367e621a964a
Instruction ID: eb20af2c9d9bbe5deb0000a6f85adb0872e6bbf2f9ed19025c694809fce55bae
Opcode Fuzzy Hash: c0c5a03ccae446ec95ca47c59d11261959ffab1c9208bfa6cbaf367e621a964a
Instruction Fuzzy Hash: 92018236A0C64AA2EB10BBE4E8805B9B770FB80B54F901436DA5D465A4FF3DD509EB30

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF73D062150, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32 ref: 00007FF73D062178
GetLastError.KERNEL32 ref: 00007FF73D062186

Part of subcall function 00007FF73D041374: TraceMessage.ADVAPI32 ref: 00007FF73D04139D

Strings

Helpers::CreateSolidBrush, xrefs: 00007FF73D062166

Memory Dump Source

Source File: 00000013.00000002.417739545.00007FF73D041000.00000020.00020000.sdmp, Offset: 00007FF73D040000, based on PE: true

Associated: 00000013.00000002.417717594.00007FF73D040000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417902910.00007FF73D070000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.417971716.00007FF73D07F000.00000004.00020000.sdmp Download File
Associated: 00000013.00000002.418013409.00007FF73D083000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418157385.00007FF73D0AB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418243184.00007FF73D0BB000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418303908.00007FF73D0DA000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418342671.00007FF73D109000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418380840.00007FF73D14C000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418445919.00007FF73D1BD000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418458965.00007FF73D1C9000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418471831.00007FF73D1D3000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418486105.00007FF73D1E6000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418507338.00007FF73D202000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418535999.00007FF73D22D000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418588753.00007FF73D271000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418610446.00007FF73D288000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418634075.00007FF73D29A000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418680514.00007FF73D2B7000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418717459.00007FF73D2E2000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418764836.00007FF73D327000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418795553.00007FF73D335000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.418877373.00007FF73D357000.00000002.00020000.sdmp Download File

Similarity

API ID: BrushCreateErrorLastMessageSolidTrace
String ID: Helpers::CreateSolidBrush
API String ID: 498938405-2701559361
Opcode ID: 0b2022a19d523b9eaa2cc64fcc1d9e0e3b9f5c3c764f34bba54d851c659800b0
Instruction ID: a7589558637b3f4bbfaeabc47baf5ecb279b0842e660fa630d029b4c99c7cf04
Opcode Fuzzy Hash: 0b2022a19d523b9eaa2cc64fcc1d9e0e3b9f5c3c764f34bba54d851c659800b0
Instruction Fuzzy Hash: 83016D65B0C74AA2EB14FBA4D8416B8A760FB84F44F800435DA5D4B6A1FF3CE609D770

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report yWteP7e12z

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre