
Windows Analysis Report 2epPHr8ygJ

Overview

General Information

Sample Name: 2epPHr8ygJ (renamed file extension from none to dll)
Analysis ID: 492879
MD5: 31058530a762dc9f9bb34d28203f5314
SHA1: 28c5d0fc080868ebb37050a565796f19a48eee87
SHA256: 2f8c8a12a31d244689c70b428031eb90f3b791323ab6dfa45e2a3d5921877991
Tags: Dridex, exe

Most interesting Screenshot:

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Accesses ntoskrnl, likely to find offsets for exploits
Uses Atom Bombing / ProGate to inject into other processes
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Contains functionality to launch a program with higher privileges
Binary contains a suspicious time stamp
PE file contains more sections than normal
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 6180 cmdline: loaddll64.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll' MD5: E0CC9D126C39A9D2FA1CAD5027EBBD18)
    • cmd.exe (PID: 6256 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 4364 cmdline: rundll32.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 4524 cmdline: rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReader MD5: 73C519F050C20580F8A62C849D49215A)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msdt.exe (PID: 5044 cmdline: C:\Windows\system32\msdt.exe MD5: 8BE43BAF1F37DA5AB31A53CA1C07EE0C)
        • msdt.exe (PID: 4768 cmdline: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe MD5: 8BE43BAF1F37DA5AB31A53CA1C07EE0C)
        • WMPDMC.exe (PID: 5144 cmdline: C:\Windows\system32\WMPDMC.exe MD5: 4085FDA375E50214142BD740559F5835)
        • WMPDMC.exe (PID: 4864 cmdline: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe MD5: 4085FDA375E50214142BD740559F5835)
        • FXSCOVER.exe (PID: 1752 cmdline: C:\Windows\system32\FXSCOVER.exe MD5: BEAB16FEFCB7F62BBC135FB87DF7FDF2)
        • FXSCOVER.exe (PID: 5664 cmdline: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe MD5: BEAB16FEFCB7F62BBC135FB87DF7FDF2)
        • CameraSettingsUIHost.exe (PID: 5424 cmdline: C:\Windows\system32\CameraSettingsUIHost.exe MD5: 34F32BC06CDC7AF56607D351B155140D)
        • CameraSettingsUIHost.exe (PID: 6136 cmdline: C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exe MD5: 34F32BC06CDC7AF56607D351B155140D)
        • MDMAppInstaller.exe (PID: 6636 cmdline: C:\Windows\system32\MDMAppInstaller.exe MD5: E2C777B6E3CE4C15C5657429A63787A3)
        • MDMAppInstaller.exe (PID: 5904 cmdline: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe MD5: E2C777B6E3CE4C15C5657429A63787A3)
        • eudcedit.exe (PID: 1132 cmdline: C:\Windows\system32\eudcedit.exe MD5: 0ED10F2F98B80FF9F95EED2B04CFA076)
        • CameraSettingsUIHost.exe (PID: 2984 cmdline: C:\Windows\system32\CameraSettingsUIHost.exe MD5: 34F32BC06CDC7AF56607D351B155140D)
        • CameraSettingsUIHost.exe (PID: 5528 cmdline: C:\Users\user\AppData\Local\3AoDbJo\CameraSettingsUIHost.exe MD5: 34F32BC06CDC7AF56607D351B155140D)
        • SnippingTool.exe (PID: 2408 cmdline: C:\Windows\system32\SnippingTool.exe MD5: 9012F9C6AC7F3F99ECDD37E24C9AC3BB)
    • rundll32.exe (PID: 2528 cmdline: rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReaderInputWithEncodingCodePage MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 1012 cmdline: rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReaderInputWithEncodingName MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000009.00000002.309477044.0000000140001000.00000020.00020000.sdmp, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security
Source: 00000021.00000002.555412391.0000000140001000.00000020.00020000.sdmp, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security
Source: 00000007.00000002.301872328.0000000140001000.00000020.00020000.sdmp, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security
Source: 00000012.00000002.423955889.0000000140001000.00000020.00020000.sdmp, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security
Source: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started, Author: juju4, Data: Command: C:\Windows\system32\msdt.exe, CommandLine: C:\Windows\system32\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\msdt.exe, NewProcessName: C:\Windows\System32\msdt.exe, OriginalFileName: C:\Windows\System32\msdt.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\system32\msdt.exe, ProcessId: 5044

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 2epPHr8ygJ.dll, Metadefender: Detection: 62%
Source: 2epPHr8ygJ.dll, ReversingLabs: Detection: 80%
Antivirus / Scanner detection for submitted sample
Source: 2epPHr8ygJ.dll, Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\EPV\WTSAPI32.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\lqtTrEDJ\UxTheme.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\3AoDbJo\DUI70.dll, Avira: detection malicious, Label: HEUR/AGEN.1114452
Source: C:\Users\user\AppData\Local\29qb\MFC42u.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Ga7Wl\OLEACC.dll, Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Machine Learning detection for sample
Source: 2epPHr8ygJ.dll, Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\EPV\WTSAPI32.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\lqtTrEDJ\UxTheme.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\3AoDbJo\DUI70.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\29qb\MFC42u.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Ga7Wl\OLEACC.dll, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe, Code function: 18_2_00007FF68F2BDF30 CertGetCertificateContextProperty,GetLastError,CryptHashCertificate,GetLastError,GetLastError,CertFreeCertificateContext,18_2_00007FF68F2BDF30
Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe, Code function: 33_2_00007FF72944E64C EnterCriticalSection,CryptAcquireContextW,CryptAcquireContextW,GetLastError,LeaveCriticalSection,CryptReleaseContext,memset,33_2_00007FF72944E64C
Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe, Code function: 33_2_00007FF72944E934 CreateFileW,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CloseHandle,CryptDestroyHash,??_V@YAXPEAX@Z,CryptReleaseContext,??3@YAXPEAX@Z,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetHashParam,GetLastError,33_2_00007FF72944E934

Exploits:

Accesses ntoskrnl, likely to find offsets for exploits
Source: C:\Windows\explorer.exe, File opened: C:\Windows\system32\ntkrnlmp.exe
Source: 2epPHr8ygJ.dll, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: FXSCOVER.pdb source: FXSCOVER.exe, 0000001B.00000002.491482868.00007FF74C9D2000.00000002.00020000.sdmp
Source: Binary string: mdmappinstaller.pdbGCTL source: MDMAppInstaller.exe, 00000021.00000002.558251742.00007FF729455000.00000002.00020000.sdmp
Source: Binary string: msdt.pdbGCTL source: msdt.exe, 00000012.00000000.401947777.00007FF68F2D8000.00000002.00020000.sdmp
Source: Binary string: FXSCOVER.pdbGCTL source: FXSCOVER.exe, 0000001B.00000002.491482868.00007FF74C9D2000.00000002.00020000.sdmp
Source: Binary string: WMPDMC.pdbGCTL source: WMPDMC.exe, 00000018.00000002.453541823.00007FF6A13DD000.00000002.00020000.sdmp
Source: Binary string: CameraSettingsUIHost.pdbGCTL source: CameraSettingsUIHost.exe, 0000001F.00000002.531397524.00007FF7EAC35000.00000002.00020000.sdmp
Source: Binary string: CameraSettingsUIHost.pdb source: CameraSettingsUIHost.exe, 0000001F.00000002.531397524.00007FF7EAC35000.00000002.00020000.sdmp
Source: Binary string: msdt.pdb source: msdt.exe, 00000012.00000000.401947777.00007FF68F2D8000.00000002.00020000.sdmp
Source: Binary string: WMPDMC.pdb source: WMPDMC.exe, 00000018.00000002.453541823.00007FF6A13DD000.00000002.00020000.sdmp
Source: Binary string: mdmappinstaller.pdb source: MDMAppInstaller.exe, 00000021.00000002.558251742.00007FF729455000.00000002.00020000.sdmp
Source: C:\Windows\System32\loaddll64.exe, Code function: 0_2_000000014005D290 FindFirstFileExW,0_2_000000014005D290
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe, Code function: 18_2_00007FF68F2B2770 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,18_2_00007FF68F2B2770
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe, Code function: 18_2_00007FF68F2B7784 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,CloseHandle,FindFirstFileW,_wcsicmp,_wcsicmp,GetFileAttributesW,SetFileAttributesW,GetLastError,GetFileAttributesW,SetFileAttributesW,GetLastError,DeleteFileW,CreateFileW,GetLastError,CloseHandle,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,18_2_00007FF68F2B7784
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe, Code function: 18_2_00007FF68F2CA65C memset,GetProcessHeap,HeapAlloc,FindFirstFileW,GetProcessHeap,HeapAlloc,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,18_2_00007FF68F2CA65C
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe, Code function: 18_2_00007FF68F2B6720 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,18_2_00007FF68F2B6720
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe, Code function: 18_2_00007FF68F2CBD48 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,CopyFileW,GetLastError,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,18_2_00007FF68F2CBD48
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe, Code function: 18_2_00007FF68F2B7C3C GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,GetProcessHeap,HeapFree,18_2_00007FF68F2B7C3C
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe, Code function: 18_2_00007FF68F2B6494 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,#13,GetLastError,GetProcessHeap,HeapFree,18_2_00007FF68F2B6494
Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe, Code function: 24_2_00007FF6A1322AE8 GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,GetObjectW,GdiplusStartup,GdipAlloc,GdipCreateBitmapFromHBITMAP,GdipGetImageWidth,GdipGetImageHeight,GdipCreateHBITMAPFromBitmap,GdiplusShutdown,DeleteObject,DeleteDC,ReleaseDC,24_2_00007FF6A1322AE8
Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe, Code function: 18_2_00007FF68F2B3120 GetProcessHeap,HeapAlloc,CreateStreamOnHGlobal,OpenClipboard,GetLastError,EmptyClipboard,GetHGlobalFromStream,SetClipboardData,CloseClipboard,GetProcessHeap,HeapFree,18_2_00007FF68F2B3120

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match, File source: 00000009.00000002.309477044.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000021.00000002.555412391.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.301872328.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.423955889.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000001B.00000002.489814069.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.394275962.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000018.00000002.451585055.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.294861665.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000001F.00000002.526607967.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000028.00000002.597575856.0000000140001000.00000020.00020000.sdmp, type: MEMORY
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A13906B024_2_00007FF6A13906B0
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A138C72C24_2_00007FF6A138C72C
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A134C6D024_2_00007FF6A134C6D0
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A137054424_2_00007FF6A1370544
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A138057024_2_00007FF6A1380570
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A135A88024_2_00007FF6A135A880
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A13A890024_2_00007FF6A13A8900
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A134478424_2_00007FF6A1344784
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A139481024_2_00007FF6A1394810
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A1312A8424_2_00007FF6A1312A84
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A1354A8C24_2_00007FF6A1354A8C
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A135694024_2_00007FF6A1356940
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A1348A0C24_2_00007FF6A1348A0C
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A13AA9D024_2_00007FF6A13AA9D0
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A138AC7024_2_00007FF6A138AC70
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A1374D1824_2_00007FF6A1374D18
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A131AB3C24_2_00007FF6A131AB3C
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A132AB4424_2_00007FF6A132AB44
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A136CBE824_2_00007FF6A136CBE8
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A139CE5424_2_00007FF6A139CE54
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A139AD7824_2_00007FF6A139AD78
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A138CD5024_2_00007FF6A138CD50
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A1330D5024_2_00007FF6A1330D50
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A13C0E0824_2_00007FF6A13C0E08
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A13A2E2824_2_00007FF6A13A2E28
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A136504C24_2_00007FF6A136504C
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A1334F8024_2_00007FF6A1334F80
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A13A8FA024_2_00007FF6A13A8FA0
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A1340F5424_2_00007FF6A1340F54
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A1374FFC24_2_00007FF6A1374FFC
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A139700024_2_00007FF6A1397000
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A132D03424_2_00007FF6A132D034
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A132D2F824_2_00007FF6A132D2F8
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A134731C24_2_00007FF6A134731C
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A134132024_2_00007FF6A1341320
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A13B52C024_2_00007FF6A13B52C0
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A13132CC24_2_00007FF6A13132CC
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A138F18C24_2_00007FF6A138F18C
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A13C11B424_2_00007FF6A13C11B4
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A138B14024_2_00007FF6A138B140
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9BCDB027_2_00007FF74C9BCDB0
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9BBF0027_2_00007FF74C9BBF00
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9B4E3C27_2_00007FF74C9B4E3C
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9C5E5027_2_00007FF74C9C5E50
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9B5E5427_2_00007FF74C9B5E54
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9C0FA027_2_00007FF74C9C0FA0
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9C47B027_2_00007FF74C9C47B0
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9BAF5427_2_00007FF74C9BAF54
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9CC8A027_2_00007FF74C9CC8A0
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9C8AC027_2_00007FF74C9C8AC0
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9C53BC27_2_00007FF74C9C53BC
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9B2BD027_2_00007FF74C9B2BD0
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9B240027_2_00007FF74C9B2400
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9C334827_2_00007FF74C9C3348
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9C832027_2_00007FF74C9C8320
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9B8B3027_2_00007FF74C9B8B30
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9BFB9027_2_00007FF74C9BFB90
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9CA35C27_2_00007FF74C9CA35C
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9C2CD827_2_00007FF74C9C2CD8
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exeCode function: 33_2_00007FF72944963033_2_00007FF729449630
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exeCode function: 33_2_00007FF72944464833_2_00007FF729444648
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exeCode function: 33_2_00007FF72944E93433_2_00007FF72944E934
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exeCode function: 33_2_00007FF7294549FF33_2_00007FF7294549FF
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exeCode function: 33_2_00007FF7294519D433_2_00007FF7294519D4
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exeCode function: 33_2_00007FF729446BDC33_2_00007FF729446BDC
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exeCode function: 33_2_00007FF729443FAC33_2_00007FF729443FAC
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe | Code function: String function: 00007FF729445F34 appears 75 times
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe | Code function: String function: 00007FF729446124 appears 108 times
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe | Code function: String function: 00007FF68F294474 appears 37 times
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe | Code function: String function: 00007FF68F2D410C appears 37 times
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe | Code function: String function: 00007FF68F29CF60 appears 903 times
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe | Code function: String function: 00007FF68F29419C appears 54 times
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe | Code function: 33_2_00007FF729449630 memset,memset,GetSystemDirectoryW,??3@YAXPEAX@Z,??3@YAXPEAX@Z,wcscat_s,GetTempFileNameW,GetLastError,#6,#177,RevertToSelf,CreateEnvironmentBlock,GetLastError,CreateProcessAsUserW,GetLastError,CreateProcessW,GetLastError,WaitForSingleObject,GetExitCodeProcess,GetLastError,DeleteFileW,GetLastError,GetLastError,RevertToSelf,DeleteFileW,GetLastError,DestroyEnvironmentBlock,EnterCriticalSection,LeaveCriticalSection,CloseHandle,CloseHandle,CloseHandle,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z,??3@YAXPEAX@Z
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140046C90 NtClose
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_000000014006A4B0 NtQuerySystemInformation
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe | Code function: 18_2_00007FF68F2C5580 NtOpenThreadToken,NtOpenProcessToken,NtQueryInformationToken,NtClose
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe | Code function: 18_2_00007FF68F2C54EC NtQueryInformationToken,NtQueryInformationToken
            Source: msdt.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: WMPDMC.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: FXSCOVER.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: SnippingTool.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: DUI70.dll0.5.dr | Static PE information: Number of sections : 51 > 10
            Source: 2epPHr8ygJ.dll | Static PE information: Number of sections : 50 > 10
            Source: DUI70.dll.5.dr | Static PE information: Number of sections : 51 > 10
            Source: WTSAPI32.dll.5.dr | Static PE information: Number of sections : 51 > 10
            Source: UxTheme.dll0.5.dr | Static PE information: Number of sections : 51 > 10
            Source: UxTheme.dll.5.dr | Static PE information: Number of sections : 51 > 10
            Source: MFC42u.dll.5.dr | Static PE information: Number of sections : 51 > 10
            Source: OLEACC.dll.5.dr | Static PE information: Number of sections : 51 > 10
            Source: WTSAPI32.dll0.5.dr | Static PE information: Number of sections : 51 > 10
            Source: 2epPHr8ygJ.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: UxTheme.dll.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: OLEACC.dll.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: MFC42u.dll.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: DUI70.dll.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: WTSAPI32.dll.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: DUI70.dll0.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: UxTheme.dll0.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: WTSAPI32.dll0.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: 2epPHr8ygJ.dll | Metadefender: Detection: 62%
            Source: 2epPHr8ygJ.dll | ReversingLabs: Detection: 80%
            Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll'
            Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll',#1
            Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReader
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll',#1
            Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReaderInputWithEncodingCodePage
            Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReaderInputWithEncodingName
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\msdt.exe C:\Windows\system32\msdt.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WMPDMC.exe C:\Windows\system32\WMPDMC.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\FXSCOVER.exe C:\Windows\system32\FXSCOVER.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe C:\Users\user\AppData\Local\29qb\FXSCOVER.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\SystemPropertiesAdvanced.exe C:\Windows\system32\SystemPropertiesAdvanced.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\CameraSettingsUIHost.exe C:\Windows\system32\CameraSettingsUIHost.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exe C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\MDMAppInstaller.exe C:\Windows\system32\MDMAppInstaller.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\SystemPropertiesComputerName.exe C:\Windows\system32\SystemPropertiesComputerName.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\eudcedit.exe C:\Windows\system32\eudcedit.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\CameraSettingsUIHost.exe C:\Windows\system32\CameraSettingsUIHost.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\3AoDbJo\CameraSettingsUIHost.exe C:\Users\user\AppData\Local\3AoDbJo\CameraSettingsUIHost.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\SnippingTool.exe C:\Windows\system32\SnippingTool.exe
            Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
            Source: classification engine | Classification label: mal100.troj.expl.evad.winDLL@47/17@0/0
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe | Code function: 18_2_00007FF68F29D838 VariantInit,CoCreateInstance,SysAllocString,VariantClear
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe | Code function: 27_2_00007FF74C9B96F0 LoadLibraryW,GetLastError,FormatMessageW,#1463,CreateWindowExW,GetLastError,FormatMessageW,LocalFree
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe | Mutant created: \Sessions\1\BaseNamedObjects\{6e96cc13-3796-2f23-5ab3-d2d937ee5666}
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe | Mutant created: \Sessions\1\BaseNamedObjects\{d2e34cc6-e6aa-6365-5632-f8c3222ca63e}
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe | Code function: 18_2_00007FF68F2C56C4 FindResourceW,GetLastError,LoadResource,GetLastError,LockResource,SizeofResource,GetLastError,GlobalAlloc,GetLastError,GlobalLock,GetLastError,memcpy,CreateStreamOnHGlobal,FreeResource,GlobalUnlock,GlobalFree
            Source: 2epPHr8ygJ.dll | Static PE information: Image base 0x140000000 > 0x60000000
            Source: 2epPHr8ygJ.dll | Static file information: File size 2347008 > 1048576
            Source: 2epPHr8ygJ.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
            Source: Binary string: FXSCOVER.pdb | source: FXSCOVER.exe, 0000001B.00000002.491482868.00007FF74C9D2000.00000002.00020000.sdmp
            Source: Binary string: mdmappinstaller.pdbGCTL | source: MDMAppInstaller.exe, 00000021.00000002.558251742.00007FF729455000.00000002.00020000.sdmp
            Source: Binary string: msdt.pdbGCTL | source: msdt.exe, 00000012.00000000.401947777.00007FF68F2D8000.00000002.00020000.sdmp
            Source: Binary string: FXSCOVER.pdbGCTL | source: FXSCOVER.exe, 0000001B.00000002.491482868.00007FF74C9D2000.00000002.00020000.sdmp
            Source: Binary string: WMPDMC.pdbGCTL | source: WMPDMC.exe, 00000018.00000002.453541823.00007FF6A13DD000.00000002.00020000.sdmp
            Source: Binary string: CameraSettingsUIHost.pdbGCTL | source: CameraSettingsUIHost.exe, 0000001F.00000002.531397524.00007FF7EAC35000.00000002.00020000.sdmp
            Source: Binary string: CameraSettingsUIHost.pdb | source: CameraSettingsUIHost.exe, 0000001F.00000002.531397524.00007FF7EAC35000.00000002.00020000.sdmp
            Source: Binary string: msdt.pdb | source: msdt.exe, 00000012.00000000.401947777.00007FF68F2D8000.00000002.00020000.sdmp
            Source: Binary string: WMPDMC.pdb | source: WMPDMC.exe, 00000018.00000002.453541823.00007FF6A13DD000.00000002.00020000.sdmp
            Source: Binary string: mdmappinstaller.pdb | source: MDMAppInstaller.exe, 00000021.00000002.558251742.00007FF729455000.00000002.00020000.sdmp
            Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_0000000140056A4D push rdi; ret
            Source: 2epPHr8ygJ.dll | Static PE information: section names: .qkm, .cvjb, .tlmkv, .wucsxe, .fltwtj, .sfplio, .rpg, .bewzc, .vksvaw, .wmhg, .kswemc, .kaxfk, .wualk, .qdxz, .rkyg, .psul, .pyjm, .eoadme, .fnz, .gwheg, .fcd, .dwk, .hgy, .nfm, .qmfqd, .buzyfh, .piwc, .nnrqzz, .hycwe, .unt, .hoj, .xufjr, .ukllwd, .dmpewo, .kerz, .skdwx, .diq, .cbuheu, .hwca, .mkabuo, .vstkx, .zpzkgm, .qkdzqp, .arp
            Source: WMPDMC.exe.5.dr | Static PE information: section name: .didat
            Source: CameraSettingsUIHost.exe.5.dr | Static PE information: section name: .imrsiv
            Source: MDMAppInstaller.exe.5.dr | Static PE information: section name: .didat
            Source: CameraSettingsUIHost.exe0.5.dr | Static PE information: section name: .imrsiv
            Source: MDMAppInstaller.exe0.5.dr | Static PE information: section name: .didat
            Source: UxTheme.dll.5.dr | Static PE information: section names: .qkm, .cvjb, .tlmkv, .wucsxe, .fltwtj, .sfplio, .rpg, .bewzc, .vksvaw, .wmhg, .kswemc, .kaxfk, .wualk, .qdxz, .rkyg, .psul, .pyjm, .eoadme, .fnz, .gwheg, .fcd, .dwk, .hgy, .nfm, .qmfqd, .buzyfh, .piwc, .nnrqzz, .hycwe, .unt, .hoj, .xufjr, .ukllwd, .dmpewo, .kerz, .skdwx, .diq, .cbuheu, .hwca, .mkabuo, .vstkx, .zpzkgm, .qkdzqp, .arp, .rlm
            Source: OLEACC.dll.5.dr | Static PE information: section names: .qkm, .cvjb, .tlmkv, .wucsxe, .fltwtj, .sfplio, .rpg, .bewzc, .vksvaw, .wmhg, .kswemc, .kaxfk, .wualk, .qdxz, .rkyg, .psul, .pyjm, .eoadme, .fnz, .gwheg, .fcd, .dwk, .hgy, .nfm, .qmfqd, .buzyfh, .piwc, .nnrqzz, .hycwe, .unt, .hoj, .xufjr, .ukllwd, .dmpewo, .kerz, .skdwx, .diq, .cbuheu, .hwca, .mkabuo, .vstkx, .zpzkgm, .qkdzqp, .arp, .cjy
            Source: MFC42u.dll.5.dr | Static PE information: section names: .qkm, .cvjb, .tlmkv, .wucsxe, .fltwtj, .sfplio, .rpg, .bewzc, .vksvaw, .wmhg, .kswemc, .kaxfk, .wualk, .qdxz, .rkyg, .psul, .pyjm, .eoadme, .fnz, .gwheg, .fcd, .dwk, .hgy, .nfm, .qmfqd, .buzyfh, .piwc, .nnrqzz, .hycwe, .unt, .hoj, .xufjr, .ukllwd, .dmpewo, .kerz, .skdwx, .diq, .cbuheu, .hwca, .mkabuo, .vstkx, .zpzkgm, .qkdzqp, .arp, .amu
            Source: DUI70.dll.5.dr | Static PE information: section names: .qkm, .cvjb, .tlmkv, .wucsxe, .fltwtj, .sfplio, .rpg, .bewzc, .vksvaw, .wmhg, .kswemc, .kaxfk, .wualk, .qdxz, .rkyg, .psul, .pyjm, .eoadme, .fnz, .gwheg, .fcd, .dwk, .hgy, .nfm, .qmfqd, .buzyfh, .piwc, .nnrqzz, .hycwe, .unt, .hoj, .xufjr, .ukllwd, .dmpewo, .kerz, .skdwx, .diq, .cbuheu, .hwca, .mkabuo, .vstkx, .zpzkgm, .qkdzqp, .arp, .burypb
            Source: WTSAPI32.dll.5.dr | Static PE information: section names: .qkm, .cvjb, .tlmkv, .wucsxe, .fltwtj, .sfplio, .rpg, .bewzc, .vksvaw, .wmhg, .kswemc, .kaxfk, .wualk, .qdxz, .rkyg, .psul, .pyjm, .eoadme, .fnz, .gwheg, .fcd, .dwk, .hgy, .nfm, .qmfqd, .buzyfh, .piwc, .nnrqzz, .hycwe, .unt, .hoj, .xufjr, .ukllwd, .dmpewo, .kerz, .skdwx, .diq, .cbuheu, .hwca, .mkabuo, .vstkx, .zpzkgm, .qkdzqp, .arp, .enn
            Source: DUI70.dll0.5.dr | Static PE information: section names: .qkm, .cvjb, .tlmkv, .wucsxe, .fltwtj, .sfplio, .rpg, .bewzc, .vksvaw, .wmhg, .kswemc, .kaxfk, .wualk, .qdxz, .rkyg, .psul, .pyjm, .eoadme, .fnz, .gwheg, .fcd, .dwk, .hgy, .nfm, .qmfqd, .buzyfh, .piwc, .nnrqzz, .hycwe, .unt, .hoj, .xufjr, .ukllwd, .dmpewo, .kerz, .skdwx, .diq, .cbuheu, .hwca, .mkabuo, .vstkx, .zpzkgm, .qkdzqp, .arp, .bzhioz
            Source: UxTheme.dll0.5.dr | Static PE information: section names: .qkm, .cvjb, .tlmkv, .wucsxe, .fltwtj, .sfplio, .rpg, .bewzc, .vksvaw, .wmhg, .kswemc, .kaxfk, .wualk, .qdxz, .rkyg, .psul, .pyjm, .eoadme, .fnz, .gwheg, .fcd, .dwk, .hgy, .nfm, .qmfqd, .buzyfh, .piwc, .nnrqzz, .hycwe, .unt, .hoj, .xufjr, .ukllwd, .dmpewo, .kerz, .skdwx, .diq, .cbuheu, .hwca, .mkabuo, .vstkx, .zpzkgm, .qkdzqp, .arp, .dtzmlx
            Source: WTSAPI32.dll0.5.dr | Static PE information: section names: .qkm, .cvjb, .tlmkv, .wucsxe, .fltwtj, .sfplio, .rpg, .bewzc, .vksvaw, .wmhg, .kswemc, .kaxfk, .wualk, .qdxz, .rkyg, .psul, .pyjm, .eoadme, .fnz, .gwheg, .fcd, .dwk, .hgy, .nfm, .qmfqd, .buzyfh, .piwc, .nnrqzz, .hycwe, .unt, .hoj, .xufjr, .ukllwd, .dmpewo, .kerz, .skdwx, .diq, .cbuheu, .hwca, .mkabuo, .vstkx, .zpzkgm, .qkdzqp, .arp, .fvbg
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe | Code function: 24_2_00007FF6A1398404 GetSystemDirectoryW, PathCchAppend, LoadLibraryW, GetProcAddress
            Source: DUI70.dll0.5.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x290845
            Source: 2epPHr8ygJ.dll | Static PE information: real checksum: 0x7d786c40 should be: 0x244206
            Source: DUI70.dll.5.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x28c253
            Source: WTSAPI32.dll.5.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x23e442
            Source: UxTheme.dll0.5.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x240d62
            Source: UxTheme.dll.5.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x244584
            Source: MFC42u.dll.5.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x250c17
            Source: OLEACC.dll.5.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x24602e
            Source: WTSAPI32.dll0.5.dr | Static PE information: real checksum: 0x7d786c40 should be: 0x23f518
            Source: msdt.exe.5.dr | Static PE information: 0xFF860234 [Fri Nov 6 17:41:08 2105 UTC]
            Source: initial sample | Static PE information: section name: .text entropy: 7.73364605679
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exe
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\3AoDbJo\CameraSettingsUIHost.exe
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\EPV\MDMAppInstaller.exe
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\3AoDbJo\DUI70.dll
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\29qb\MFC42u.dll
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\YVP8cq\DUI70.dll
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\n7Is\UxTheme.dll
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\29qb\FXSCOVER.exe
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\n7Is\SnippingTool.exe
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Ga7Wl\OLEACC.dll
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\p1G0zp\WTSAPI32.dll
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\EPV\WTSAPI32.dll
            Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\lqtTrEDJ\UxTheme.dll
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A1327020 GetWindow,IsWindowVisible,GetWindowThreadProcessId,GetDesktopWindow,GetWindow,GetWindowThreadProcessId,GetParent,GetWindow,GetClassNameW,CompareStringOrdinal,SetForegroundWindow,IsIconic,ShowWindow,24_2_00007FF6A1327020
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9CAD40 SetForegroundWindow,IsIconic,#6632,27_2_00007FF74C9CAD40
            Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe TID: 6108Thread sleep count: 34 > 30
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeLast function: Thread delayed
            Source: C:\Windows\System32\loaddll64.exeProcess information queried: ProcessInformation
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014005C340 GetSystemInfo,0_2_000000014005C340
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000000014005D290 FindFirstFileExW,0_2_000000014005D290
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeCode function: 18_2_00007FF68F2B2770 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,18_2_00007FF68F2B2770
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeCode function: 18_2_00007FF68F2B7784 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,CloseHandle,FindFirstFileW,_wcsicmp,_wcsicmp,GetFileAttributesW,SetFileAttributesW,GetLastError,GetFileAttributesW,SetFileAttributesW,GetLastError,DeleteFileW,CreateFileW,GetLastError,CloseHandle,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,18_2_00007FF68F2B7784
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeCode function: 18_2_00007FF68F2CA65C memset,GetProcessHeap,HeapAlloc,FindFirstFileW,GetProcessHeap,HeapAlloc,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,18_2_00007FF68F2CA65C
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeCode function: 18_2_00007FF68F2B6720 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,18_2_00007FF68F2B6720
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeCode function: 18_2_00007FF68F2CBD48 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,CopyFileW,GetLastError,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,18_2_00007FF68F2CBD48
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeCode function: 18_2_00007FF68F2B7C3C GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,GetProcessHeap,HeapFree,18_2_00007FF68F2B7C3C
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeCode function: 18_2_00007FF68F2B6494 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,#13,GetLastError,GetProcessHeap,HeapFree,18_2_00007FF68F2B6494
            Source: explorer.exe, 00000005.00000000.356856219.0000000000B7D000.00000004.00000020.sdmpBinary or memory string: War&Prod_VMware_SATA
            Source: explorer.exe, 00000005.00000000.347682374.00000000086C9000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000005.00000000.347826219.0000000008778000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
            Source: explorer.exe, 00000005.00000000.301297684.00000000067C2000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000005.00000000.347682374.00000000086C9000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
            Source: explorer.exe, 00000005.00000000.301297684.00000000067C2000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
            Source: explorer.exe, 00000005.00000000.347682374.00000000086C9000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exeCode function: 33_2_00007FF729442890 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW,33_2_00007FF729442890
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A1398404 GetSystemDirectoryW,PathCchAppend,LoadLibraryW,GetProcAddress,24_2_00007FF6A1398404
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeCode function: 18_2_00007FF68F2BC070 GetProcessHeap,HeapFree,18_2_00007FF68F2BC070
            Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_0000000140048AC0 LdrLoadDll,FindClose,0_2_0000000140048AC0
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeCode function: 18_2_00007FF68F2D5E58 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,18_2_00007FF68F2D5E58
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeCode function: 18_2_00007FF68F2D6140 SetUnhandledExceptionFilter,18_2_00007FF68F2D6140
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A13DA9E4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,24_2_00007FF6A13DA9E4
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9CF570 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,27_2_00007FF74C9CF570
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: 27_2_00007FF74C9CF960 SetUnhandledExceptionFilter,27_2_00007FF74C9CF960
            Source: C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exeCode function: 31_2_00007FF7EAC335B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,31_2_00007FF7EAC335B4
            Source: C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exeCode function: 31_2_00007FF7EAC33330 SetUnhandledExceptionFilter,31_2_00007FF7EAC33330
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exeCode function: 33_2_00007FF729453DF0 SetUnhandledExceptionFilter,33_2_00007FF729453DF0
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exeCode function: 33_2_00007FF729453BA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,33_2_00007FF729453BA4

            HIPS / PFW / Operating System Protection Evasion:

            Benign windows process drops PE files
            Source: C:\Windows\explorer.exeFile created: UxTheme.dll.5.dr
            Changes memory attributes in foreign processes to executable or writable
            Source: C:\Windows\System32\rundll32.exeMemory protected: C:\Windows\explorer.exe base: 7FFC8DD4EFE0 protect: page execute and read and write
            Source: C:\Windows\System32\rundll32.exeMemory protected: C:\Windows\explorer.exe base: 7FFC8DD4E000 protect: page execute read
            Source: C:\Windows\System32\rundll32.exeMemory protected: C:\Windows\explorer.exe base: 7FFC8BAD2A20 protect: page execute and read and write
            Queues an APC in another process (thread injection)
            Source: C:\Windows\System32\rundll32.exeThread APC queued: target process: C:\Windows\explorer.exe
            Uses Atom Bombing / ProGate to inject into other processes
            Source: C:\Windows\System32\rundll32.exeAtom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeCode function: 18_2_00007FF68F29FF54 memset,GetModuleFileNameW,GetLastError,memset,ShellExecuteExW,CreateThread,GetLastError,GetProcessHeap,HeapFree,GetLastError,18_2_00007FF68F29FF54
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll',#1
            Source: explorer.exe, 00000005.00000000.315672936.00000000011E0000.00000002.00020000.sdmpBinary or memory string: Program Manager
            Source: explorer.exe, 00000005.00000000.340115746.0000000000B68000.00000004.00000020.sdmpBinary or memory string: Progman\Pr
            Source: explorer.exe, 00000005.00000000.315672936.00000000011E0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000005.00000000.315672936.00000000011E0000.00000002.00020000.sdmpBinary or memory string: Progman
            Source: explorer.exe, 00000005.00000000.315672936.00000000011E0000.00000002.00020000.sdmpBinary or memory string: Progmanlock
            Source: explorer.exe, 00000005.00000000.347826219.0000000008778000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWndh
            Source: C:\Windows\System32\loaddll64.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\loaddll64.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Windows\System32\rundll32.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exeQueries volume information: unknown VolumeInformation
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: GetUserPreferredUILanguages,GetLastError,GetUserPreferredUILanguages,GetLocaleInfoEx,27_2_00007FF74C9CBB04
            Source: C:\Users\user\AppData\Local\29qb\FXSCOVER.exeCode function: GetLocaleInfoW,27_2_00007FF74C9B5218
            Source: C:\Windows\System32\loaddll64.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Windows\System32\loaddll64.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeCode function: 18_2_00007FF68F2BA0D0 GetProcessHeap,HeapAlloc,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateEventW,CreateNamedPipeW,ConnectNamedPipe,GetLastError,GetLastError,GetLastError,GetProcessHeap,HeapFree,LocalFree,18_2_00007FF68F2BA0D0
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeCode function: 18_2_00007FF68F2B9BE4 GetSystemTime,18_2_00007FF68F2B9BE4
            Source: C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exeCode function: 24_2_00007FF6A132C718 memset,GetVersionExW,24_2_00007FF6A132C718
            Source: C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exeCode function: 18_2_00007FF68F297970 GetProcessHeap,HeapAlloc,GetUserNameExW,GetLastError,SysFreeString,GetProcessHeap,HeapFree,18_2_00007FF68F297970

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts1 | Native API1 | Valid Accounts1 | Valid Accounts1 | Masquerading1 | OS Credential Dumping | System Time Discovery1 | Remote Services | Screen Capture1 | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Exploitation for Client Execution1 | Boot or Logon Initialization Scripts | Exploitation for Privilege Escalation11 | Valid Accounts1 | LSASS Memory | Security Software Discovery21 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Access Token Manipulation1 | Virtualization/Sandbox Evasion1 | Security Account Manager | Virtualization/Sandbox Evasion1 | SMB/Windows Admin Shares | Clipboard Data1 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Process Injection313 | Access Token Manipulation1 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection313 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information1 | Cached Domain Credentials | Account Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information3 | DCSync | System Owner/User Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Rundll321 | Proc Filesystem | File and Directory Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Software Packing2 | /etc/passwd and /etc/shadow | System Information Discovery35 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
            Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Timestomp1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

            Behavior Graph

            Behavior Graph ID: 492879 Sample: 2epPHr8ygJ Startdate: 29/09/2021 Architecture: WINDOWS Score: 100
            Sample-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures
            loaddll64.exe started
              - rundll32.exe started (signatures: Changes memory attributes in foreign processes to executable or writable; Uses Atom Bombing / ProGate to inject into other processes; Queues an APC in another process (thread injection)); injected into explorer.exe
              - cmd.exe started; started rundll32.exe
              - rundll32.exe started
              - rundll32.exe started
            explorer.exe (injected) dropped: C:\Users\user\AppData\Local\...\UxTheme.dll, PE32+; C:\Users\user\AppData\Local\...\OLEACC.dll, PE32+; C:\Users\user\AppData\Local\...\WTSAPI32.dll, PE32+; 13 other files (2 malicious)
            explorer.exe signatures: Benign windows process drops PE files; Accesses ntoskrnl, likely to find offsets for exploits
            explorer.exe started: CameraSettingsUIHost.exe; FXSCOVER.exe; WMPDMC.exe; 11 other processes


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            2epPHr8ygJ.dll | 63% | Metadefender |
            2epPHr8ygJ.dll | 80% | ReversingLabs | Win64.Infostealer.Dridex
            2epPHr8ygJ.dll | 100% | Avira | HEUR/AGEN.1114452
            2epPHr8ygJ.dll | 100% | Joe Sandbox ML |

            Dropped Files

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\EPV\WTSAPI32.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\lqtTrEDJ\UxTheme.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\lqtTrEDJ\UxTheme.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\3AoDbJo\DUI70.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\EPV\WTSAPI32.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\3AoDbJo\DUI70.dll | 100% | Avira | HEUR/AGEN.1114452
            C:\Users\user\AppData\Local\29qb\MFC42u.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\Ga7Wl\OLEACC.dll | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\EPV\WTSAPI32.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\lqtTrEDJ\UxTheme.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\lqtTrEDJ\UxTheme.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\3AoDbJo\DUI70.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\EPV\WTSAPI32.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\3AoDbJo\DUI70.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\29qb\MFC42u.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Ga7Wl\OLEACC.dll | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\29qb\FXSCOVER.exe | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\3AoDbJo\CameraSettingsUIHost.exe | 0% | Metadefender |
            C:\Users\user\AppData\Local\3AoDbJo\CameraSettingsUIHost.exe | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\EPV\MDMAppInstaller.exe | 0% | Metadefender |
            C:\Users\user\AppData\Local\EPV\MDMAppInstaller.exe | 0% | ReversingLabs |

            Unpacked PE Files

            Source | Detection | Scanner | Label
            18.2.msdt.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            3.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            7.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            24.2.WMPDMC.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            0.2.loaddll64.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            9.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            33.2.MDMAppInstaller.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            31.2.CameraSettingsUIHost.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            27.2.FXSCOVER.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            2.2.rundll32.exe.140000000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

            Domains

            No Antivirus matches

            URLs

            No Antivirus matches

            Domains and IPs

            Contacted Domains

            No contacted domains info

            Contacted IPs

            No contacted IP infos

            General Information

            Joe Sandbox Version:33.0.0 White Diamond
            Analysis ID:492879
            Start date:29.09.2021
            Start time:04:16:18
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 16m 31s
            Hypervisor based Inspection enabled:false
            Report type:full
            Sample file name:2epPHr8ygJ (renamed file extension from none to dll)
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of new started processes analysed:41
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.troj.expl.evad.winDLL@47/17@0/0
            EGA Information:Failed
            HDC Information:
            • Successful, ratio: 25.3% (good quality ratio 14.2%)
            • Quality average: 42%
            • Quality standard deviation: 42.5%
            HCA Information:Failed
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Override analysis time to 240s for rundll32
            Warnings:
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
            • Excluded IPs from analysis (whitelisted): 20.82.210.154, 23.211.5.146, 23.211.6.115, 20.54.110.249, 40.112.88.60, 173.222.108.226, 173.222.108.210, 80.67.82.235, 80.67.82.211, 20.50.102.62, 52.168.117.173, 204.79.197.200, 13.107.21.200
            • Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, onedsblobprdeus16.eastus.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, storeedgefd.xbetservices.akadns.net, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, storeedgefd.dsx.mp.microsoft.com, www.bing.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, dual-a-0001.a-msedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, storeedgefd.dsx.mp.microsoft.com.edgekey.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
            • Not all processes were analyzed; the report is missing behavior information
            • Report creation exceeded maximum time and may have missing behavior and disassembly information.
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size exceeded maximum capacity and may have missing disassembly code.
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtEnumerateKey calls found.
            • VT rate limit hit for: /opt/package/joesandbox/database/analysis/492879/sample/2epPHr8ygJ.dll

            Simulations

            Behavior and APIs

            No simulations

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASN

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Users\user\AppData\Local\29qb\FXSCOVER.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):232960
            Entropy (8bit):5.805361894084464
            Encrypted:false
            SSDEEP:6144:v4J/ihC4Tb5//JfI+QL+ooODUwq306Q/:v4khC4h/qiooT06Q/
            MD5:BEAB16FEFCB7F62BBC135FB87DF7FDF2
            SHA1:EAF18190494496329573CAA3F95CACA6EF0FB6F6
            SHA-256:E3C66F68737611DFD051F1D6EEB371FDE89B129925A85695B9F90CDE3E04BD96
            SHA-512:FF4E756B1D928C97523ADE2B30FAB56219659AA22E7F5D71CB3238A2C39E1C704C6A046C2DC14FA5207CE8E8C75CD7EF5416B36A1452D97D929A5686C75D2C83
            Malicious:false
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 0%
            Reputation:unknown
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........).I.H...H...H...,...H...,...H...,...H...,...H...H...K...,...H...,...H...,...H..Rich.H..................PE..d.....3..........."............................@.....................................0....`.......... ..................................................h1...`..........................T....................c..(....b...............d...............................text...~........................... ..`.rdata....... ......................@..@.data........@.......&..............@....pdata.......`.......6..............@..@.rsrc...h1.......2...N..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................
            C:\Users\user\AppData\Local\29qb\MFC42u.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2375680
            Entropy (8bit):3.307144052468244
            Encrypted:false
            SSDEEP:12288:cVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1B:pfP7fWsK5z9A+WGAW+V5SB6Ct4bnbB
            MD5:398142F4F319978D81B066C4B32612FD
            SHA1:5FCECC4283DA8E1E2EB206CEFECC9D13357A7D8F
            SHA-256:CDDB19126576C0D00777D57CA3344C2EBA8CECE763FC2452E809CF5A4364D63B
            SHA-512:D1DFB588830C8B22EC1331F800C106ED478C105B8ABD2AA566F73A6D703967B80F073187538E5D4877EB6E233750516807996F2F35D3663BDB8E7DE31129C63A
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Reputation:unknown
            Preview:
            C:\Users\user\AppData\Local\3AoDbJo\CameraSettingsUIHost.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):32104
            Entropy (8bit):6.224595599643794
            Encrypted:false
            SSDEEP:768:HYxSW1tZfZjtM2mpgc8WtCpZswKro1PDg:HhAhty8WteuwKrwPDg
            MD5:34F32BC06CDC7AF56607D351B155140D
            SHA1:88EF25BC91BCC908AF743ECA254D6251E5564283
            SHA-256:47238D9ED75D01FD125AC76B500FEEF7F8B27255570AD02D18A4F049B05DF3BD
            SHA-512:D855414779125F4E311ACF4D5EFC8ACA4452323CABD1694798CA90FD5BD76DC70B5D06790A2AE311E7DD19190DCCB134F6EF96AB1B7CF5B8A40AD642B72D5144
            Malicious:false
            Antivirus:
            • Antivirus: Metadefender, Detection: 0%
            • Antivirus: ReversingLabs, Detection: 0%
            Reputation:unknown
            Preview:
            C:\Users\user\AppData\Local\3AoDbJo\DUI70.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2633728
            Entropy (8bit):3.8005044128188974
            Encrypted:false
            SSDEEP:12288:9VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1CU:kfP7fWsK5z9A+WGAW+V5SB6Ct4bnbC
            MD5:A4D0716F7F499CCCF83BA8E0FB29D4E2
            SHA1:CA00387B979B614425C60DF845F9F87AD1EDDBB1
            SHA-256:20A3D3BB83BCE7336E9D31B92299C61E79DFC815B4A3C37DE32B7E1614C1EF0C
            SHA-512:6BF8425A1ED939CE9E5E219A90918941F56BF0F6413020099F936B4827B7AD9BBBDF579CEBB10597B8452142EA8023BC5140D4154E9A609926CD0C5171D3C7C1
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Reputation:unknown
            Preview:
            C:\Users\user\AppData\Local\EPV\MDMAppInstaller.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):145920
            Entropy (8bit):5.742854541048038
            Encrypted:false
            SSDEEP:3072:SfzsWjBQoVY9ZxvMlkD6F+UoOxsjlpfzX6:SfzsCBhy9dXUo+epfz
            MD5:E2C777B6E3CE4C15C5657429A63787A3
            SHA1:DFFC902982B618201D0DC46B91F1565DC7D04377
            SHA-256:7E02DBE7D9D4CE4DA15AD56123B0B9809F004F5C64917910BB55C8073DAA92B8
            SHA-512:2600F0CAE24C02DC64415E5A305AF7BB5B0CE97D9466F06D40430CFD03CE609A598BA10799E4D4A7EB7B1D95DD674F4E2522FA3767133786ED78FE5D7A2B3B05
            Malicious:false
            Antivirus:
            • Antivirus: Metadefender, Detection: 0%
            • Antivirus: ReversingLabs, Detection: 0%
            Reputation:unknown
            Preview:
            C:\Users\user\AppData\Local\EPV\WTSAPI32.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2351104
            Entropy (8bit):3.27294767517255
            Encrypted:false
            SSDEEP:12288:gVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:FfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            MD5:8DB032A6D9DDD2BAA3ED320CEF8C2A08
            SHA1:2A5CCB19D2ADA45A32D72AEFAA414AABB6CF5446
            SHA-256:CB603FEBEACCBAE1DD74906F57812816870BB6C1EE761896196BE34C1F7F6D3E
            SHA-512:6090358986F74FDFD82EC3446108355380877278D260126E5806873387C26D216CEE8EA2975FCD58468F4E10F1699B21129E7503BC90006468C00ACE15EB056B
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Reputation:unknown
            Preview:
            C:\Users\user\AppData\Local\Ga7Wl\OLEACC.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2351104
            Entropy (8bit):3.2683033173933906
            Encrypted:false
            SSDEEP:12288:DVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1Y:SfP7fWsK5z9A+WGAW+V5SB6Ct4bnbY
            MD5:982EC567CB31453D1E35B04D8409B52D
            SHA1:D69502DF46D30A78D23E04E137773E62371093A8
            SHA-256:C19021A9DBF344BDDACAE9829C9000721D2D628D18BD1B5026D9871BAACC01C1
            SHA-512:951AE537DF79D2619B34CB16F1D91E8D3B4C0531A24B1F780B9E04FA36A6573290FC599A04D5E3B4AEAECDC7DED6AC847DFBBF10C92A26B5AB9C286870B3B109
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Reputation:unknown
            Preview:
            C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):1517568
            Entropy (8bit):6.62150533612437
            Encrypted:false
            SSDEEP:24576:esSffc55l2PlDph6LYq3BRf6Te8+n3wAJF1/Mk+F6uwY6V0qRr8kmHVJZh/u:cct2PpphUlxRn3wAblMk+F6+6S2r8/Hu
            MD5:4085FDA375E50214142BD740559F5835
            SHA1:22D548F1E0F4832AAEE3D983A156FDABD3021DA4
            SHA-256:93F61516B7FD3CE8F1E97F25B760BDF62AE58CC7714B559FEFC2C75AD1130804
            SHA-512:7712F8E551D475A9D2FF3BED9992A2B3D53AB01F61DCB7313320181F9EB6B5B84558CCA45AE95150267128C8B228F806F869157B7F4961755076DD83F02E3BDF
            Malicious:false
            Reputation:unknown
            Preview:
            C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):32104
            Entropy (8bit):6.224595599643794
            Encrypted:false
            SSDEEP:768:HYxSW1tZfZjtM2mpgc8WtCpZswKro1PDg:HhAhty8WteuwKrwPDg
            MD5:34F32BC06CDC7AF56607D351B155140D
            SHA1:88EF25BC91BCC908AF743ECA254D6251E5564283
            SHA-256:47238D9ED75D01FD125AC76B500FEEF7F8B27255570AD02D18A4F049B05DF3BD
            SHA-512:D855414779125F4E311ACF4D5EFC8ACA4452323CABD1694798CA90FD5BD76DC70B5D06790A2AE311E7DD19190DCCB134F6EF96AB1B7CF5B8A40AD642B72D5144
            Malicious:false
            Reputation:unknown
            Preview:
            C:\Users\user\AppData\Local\YVP8cq\DUI70.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2633728
            Entropy (8bit):3.800299841930037
            Encrypted:false
            SSDEEP:12288:pVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1dxU:IfP7fWsK5z9A+WGAW+V5SB6Ct4bnbX
            MD5:17E828A46EC95B705ACB6C84AB94B185
            SHA1:72EC4302A7294E85E1D9056104EC79707B442D71
            SHA-256:486A5F4F055BDBD3F7BD24EAB732B3FD0442546D7B92465A5390C54B2BDBE5A1
            SHA-512:ABAEDD3967C43F6CD4C28D65781ED9B66F983DE2ECC82B78FA33F6D1F8AFAAB5F0C2E1D0063F90304F9BE59561757C8EA0CB838164CA3F7D9AA9FE90E158B447
            Malicious:false
            Reputation:unknown
            Preview:
            C:\Users\user\AppData\Local\lqtTrEDJ\UxTheme.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2351104
            Entropy (8bit):3.2750663836012137
            Encrypted:false
            SSDEEP:12288:MVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:5fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            MD5:736A10FD3C6CE99CFBF1C6ABBD831EC0
            SHA1:14DDC140087E71EA3D09E0D7BBA3D28CDD3A84C9
            SHA-256:C2B9B1D0F44BAB227E9A96EF8FB2C274EBE4952C1684F78E829E6569A591E8E0
            SHA-512:18B9C044A61CF7D52F503056B2EEF7F9EEB15C781319247C11E8E5049D5BAA8B5940AE3115B8220C32741CF3DA9018EC3343E12D0F1A4BB05822313DC3E05F2B
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Reputation:unknown
            Preview:
            C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):1560576
            Entropy (8bit):6.10038070749878
            Encrypted:false
            SSDEEP:24576:tnPfp054tZwxDl6XH4qvIReK1odddGdBnyE0k26kVZnBm:VC4tAqNK7utRB
            MD5:8BE43BAF1F37DA5AB31A53CA1C07EE0C
            SHA1:F2C9EB38775B91C4DE45AA25CDDDB86F5F056BF5
            SHA-256:BD59B4362F8590C5009B28830FF11B339B37FF142FB873204368905A9C843A08
            SHA-512:B30BDD7C3B71D58140F642196D5E44ED4C8B11A35DB65D37414C49F7FE64DD0C63DDEE4A0FDF5E75BB0BEB69FE0AA1D609C252F05D5661E7DCD4B6A4274151C7
            Malicious:false
            Reputation:unknown
            Preview:
            C:\Users\user\AppData\Local\n7Is\SnippingTool.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):3292160
            Entropy (8bit):4.311007815185121
            Encrypted:false
            SSDEEP:24576:+oNva52v20/OB1b1v+YMTvlcZbbAbn3ItpG:VNtv20/OB1hXulc10L4tp
            MD5:9012F9C6AC7F3F99ECDD37E24C9AC3BB
            SHA1:7B8268C1B847301C0B5372C2A76CCE326C74991E
            SHA-256:4E30A8C88C755944145F2BC6C935EE5107C56832772F2561229E20CEAB1D10D2
            SHA-512:B76D2BE02A22990E224DBC5AED9E5B701EAC52C1376529DE3E90B084CD6860B88D746CD61093E93FC932E12FBAF45B4CA342CC0D9C9DAE4EAFE05921D83A7397
            Malicious:false
            Reputation:unknown
            Preview:
            C:\Users\user\AppData\Local\n7Is\UxTheme.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2351104
            Entropy (8bit):3.2750673255668703
            Encrypted:false
            SSDEEP:12288:6VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:nfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            MD5:C401C2CF9605DA0077E39E9FD982AAB2
            SHA1:41591B2FECD88829322510FCBE2FF086DEAF2152
            SHA-256:ACF6D1FFB4192FB21AB2BB66F3A4B308D663C50A9DF0C6DD7E3AB85CB1D6AAC4
            SHA-512:58D1A313B0E465FA0E8AF80A52F5E889234DAC96CDE712AFEF2AD72EE66A88B9D682E6D59F86F05048ECB02C77DFF7E97A24A28C5692E823D14617992B3DA11A
            Malicious:false
            Reputation:unknown
            Preview:
            C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (GUI) x86-64, for MS Windows
            Category:dropped
            Size (bytes):145920
            Entropy (8bit):5.742854541048038
            Encrypted:false
            SSDEEP:3072:SfzsWjBQoVY9ZxvMlkD6F+UoOxsjlpfzX6:SfzsCBhy9dXUo+epfz
            MD5:E2C777B6E3CE4C15C5657429A63787A3
            SHA1:DFFC902982B618201D0DC46B91F1565DC7D04377
            SHA-256:7E02DBE7D9D4CE4DA15AD56123B0B9809F004F5C64917910BB55C8073DAA92B8
            SHA-512:2600F0CAE24C02DC64415E5A305AF7BB5B0CE97D9466F06D40430CFD03CE609A598BA10799E4D4A7EB7B1D95DD674F4E2522FA3767133786ED78FE5D7A2B3B05
            Malicious:false
            Reputation:unknown
            Preview:
            C:\Users\user\AppData\Local\p1G0zp\WTSAPI32.dll
            Process:C:\Windows\explorer.exe
            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Category:dropped
            Size (bytes):2351104
            Entropy (8bit):3.2729222229531643
            Encrypted:false
            SSDEEP:12288:+VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:jfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            MD5:1DCCF5FE0D84A190E5BF899F8A7B9756
            SHA1:57D56E0B17572DB5567A024D8CB98262274D1A78
            SHA-256:8FD2ECE82FD5D6F8C7A30750244B6D807EE6F9070041C9AACC23744F91CC4D82
            SHA-512:D2E4ED5961F911C1820D06627EEFDA63405B12778BBDBACB513701BDEEB65174C6C01B16D61545BA41DD77E1103DD3DF722F77527506211ECA4A05CD531403A5
            Malicious:false
            Reputation:unknown
            Preview:
            C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a
            Process:C:\Windows\explorer.exe
            File Type:data
            Category:dropped
            Size (bytes):4442
            Entropy (8bit):5.472108940713795
            Encrypted:false
            SSDEEP:48:FvsFUX4yDNOP9rabqEYMlyArpk4Bg+V0vsFUS7lpYic2GgRyH55/ih3JG:FvsFLyROVWbyoq4aq0vsF/YiVMZ5//
            MD5:D00E62BE1032486720C1432BA5ACB4A0
            SHA1:380D71B17E1B328A1A78D0A19611FD83FC828209
            SHA-256:DF84CB1D13B859AE2B0E609DB35D9323906348008DAB0EFB2189ED8EE092796F
            SHA-512:0CC14D07D7683706545CFCA3D5912B0AA8528EB26B227BD727A9F028F791EAF0E664C774F3A455D7D1D8283AD9788458AF18219DE7FF848907D1C4BC3B4658D1
            Malicious:false
            Reputation:unknown
            Preview:

            Static File Info

            General

            File type:PE32+ executable (DLL) (console) x86-64, for MS Windows
            Entropy (8bit):3.2709448630625264
            TrID:
            • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
            • Win64 Executable (generic) (12005/4) 10.17%
            • Generic Win/DOS Executable (2004/3) 1.70%
            • DOS Executable Generic (2002/1) 1.70%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
            File name:2epPHr8ygJ.dll
            File size:2347008
            MD5:31058530a762dc9f9bb34d28203f5314
            SHA1:28c5d0fc080868ebb37050a565796f19a48eee87
            SHA256:2f8c8a12a31d244689c70b428031eb90f3b791323ab6dfa45e2a3d5921877991
            SHA512:25d0a92ea515cd45e6a9dac030e39a30e72a64cf7eb6473daa35ad7cf5bc9db272c7511bd2675907091a8f06993d15511c9d13bf1d60edbf221629c235e57282
            SSDEEP:12288:xVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:AfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
            File Content Preview:

            File Icon

            Icon Hash:74f0e4ecccdce0e4

            Static PE Info

            General

            Entrypoint:0x140041070
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x140000000
            Subsystem:windows cui
            Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
            DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
            Time Stamp:0x5E4E44CC [Thu Feb 20 08:35:24 2020 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:0
            File Version Major:5
            File Version Minor:0
            Subsystem Version Major:5
            Subsystem Version Minor:0
            Import Hash:6668be91e2c948b183827f040944057f

            Entrypoint Preview

Instruction
(Reading note: this preview decodes the entry bytes as 32-bit x86 although the image is PE32+. In 64-bit mode the recurring dec eax, dec esp, inc ecx and inc esp lines are REX prefixes (0x48, 0x4C, 0x41, 0x44) that belong to the instruction that follows them, and the absolute [disp32] memory operands are RIP-relative. The opening dec eax / xor eax, eax is therefore xor rax, rax, and the dec eax / mov dword ptr [...], reg pairs are 64-bit register saves to RIP-relative globals.)
            dec eax
            xor eax, eax
            dec eax
            add eax, 5Ah
            dec eax
            mov dword ptr [00073D82h], ecx
            dec eax
            lea ecx, dword ptr [FFFFECABh]
            dec eax
            mov dword ptr [00073D7Ch], edx
            dec eax
            add eax, ecx
            dec esp
            mov dword ptr [00073D92h], ecx
            dec esp
            mov dword ptr [00073DA3h], ebp
            dec esp
            mov dword ptr [00073D7Ch], eax
            dec esp
            mov dword ptr [00073D85h], edi
            dec esp
            mov dword ptr [00073D86h], esi
            dec esp
            mov dword ptr [00073D8Fh], esp
            dec eax
            mov ecx, eax
            dec eax
            sub ecx, 5Ah
            dec eax
            mov dword ptr [00073D89h], esi
            dec eax
            test eax, eax
            je 00007F439494D61Fh
            dec eax
            mov dword ptr [00073D45h], esp
            dec eax
            mov dword ptr [00073D36h], ebp
            dec eax
            mov dword ptr [00073D7Fh], ebx
            dec eax
            mov dword ptr [00073D70h], edi
            dec eax
            test eax, eax
            je 00007F439494D5FEh
            jmp ecx
            dec eax
            add edi, ecx
            dec eax
            mov dword ptr [FFFFEC37h], ecx
            dec eax
            xor ecx, eax
            jmp ecx
            retn 0008h
            ud2
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            push ebx
            dec eax
            sub esp, 00000080h
            mov eax, F957B016h
            mov byte ptr [esp+7Fh], 00000037h
            mov edx, dword ptr [esp+78h]
            inc ecx
            mov eax, edx
            inc ecx
            or eax, 5D262B0Ch
            inc esp
            mov dword ptr [esp+78h], eax
            dec eax
            mov dword ptr [eax+eax+00h], 00000000h

            Rich Headers

            Programming Language:
            • [LNK] VS2012 UPD4 build 61030
            • [ASM] VS2013 UPD2 build 30501
            • [ C ] VS2012 UPD2 build 60315
            • [C++] VS2013 UPD4 build 31101
            • [RES] VS2012 UPD3 build 60610
            • [LNK] VS2017 v15.5.4 build 25834
            • [ C ] VS2017 v15.5.4 build 25834
            • [ASM] VS2010 build 30319
            • [EXP] VS2015 UPD1 build 23506
            • [IMP] VS2008 SP1 build 30729
            • [RES] VS2012 UPD4 build 61030
            • [LNK] VS2012 UPD2 build 60315
            • [C++] VS2015 UPD1 build 23506
            • [ C ] VS2013 UPD4 build 31101

            Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x23c010         0x12e         .arp
IMAGE_DIRECTORY_ENTRY_IMPORT          0xa6390          0xa0          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc0000          0x468         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc1000          0x2324        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x42000          0xc0          .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

            Sections

Name      Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type           Entropy         Characteristics
.text     0x1000           0x40796       0x41000   False     0.776085486779   data                7.73364605679   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata    0x42000          0x64fd0       0x65000   False     0.702390160891   data                7.86574512659   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data     0xa7000          0x178b8       0x18000   False     0.0694580078125  data                3.31515306295   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata    0xbf000          0x12c         0x1000    False     0.06005859375    PEX Binary Archive  0.581723022719  IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc     0xc0000          0x880         0x1000    False     0.139892578125   data                1.23838501563   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc    0xc1000          0x2324        0x3000    False     0.0498046875     data                4.65321444248   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.qkm      0xc4000          0x74a         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.cvjb     0xc5000          0x1e66        0x2000    False     0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tlmkv    0xc7000          0xbde         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wucsxe   0xc8000          0x45174       0x46000   False     0.0010498046875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fltwtj   0x10e000         0x1267        0x2000    False     0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.sfplio   0x110000         0x736         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rpg      0x111000         0x45174       0x46000   False     0.0010498046875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bewzc    0x157000         0x1124        0x2000    False     0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vksvaw   0x159000         0x736         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wmhg     0x15a000         0x1278        0x2000    False     0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kswemc   0x15c000         0x36d         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kaxfk    0x15d000         0x197d        0x2000    False     0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wualk    0x15f000         0xbde         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qdxz     0x160000         0xbde         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rkyg     0x161000         0x1af         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.psul     0x162000         0x1af         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pyjm     0x163000         0x1f7         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eoadme   0x164000         0x7fd         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fnz      0x165000         0x389         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gwheg    0x166000         0x45174       0x46000   False     0.0010498046875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fcd      0x1ac000         0x322         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.dwk      0x1ad000         0x9cd         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.hgy      0x1ae000         0xae7         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.nfm      0x1af000         0x46e         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qmfqd    0x1b0000         0xd57         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.buzyfh   0x1b1000         0xbde         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.piwc     0x1b2000         0x13e         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.nnrqzz   0x1b3000         0x33731       0x34000   False     0.0010751577524  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.hycwe    0x1e7000         0x389         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.unt      0x1e8000         0xf9          0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.hoj      0x1e9000         0x103         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xufjr    0x1ea000         0xbde         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ukllwd   0x1eb000         0x23b         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.dmpewo   0x1ec000         0x543         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kerz     0x1ed000         0x736         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.skdwx    0x1ee000         0x896         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.diq      0x1ef000         0x197d        0x2000    False     0.0037841796875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.cbuheu   0x1f1000         0x13e         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.hwca     0x1f2000         0x45174       0x46000   False     0.0010498046875  data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.mkabuo   0x238000         0x23b         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vstkx    0x239000         0x23b         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zpzkgm   0x23a000         0x13e         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qkdzqp   0x23b000         0x21b         0x1000    False     0.00634765625    data                0.0             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.arp      0x23c000         0x13e         0x1000    False     0.046142578125   data                0.648489048708  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Two things stand out in this table. The .text and .rdata sections sit at entropy 7.73 and 7.87, close to the 8.0 maximum, which is what packed or encrypted code and data look like. The 43 sections from .qkm to .qkdzqp have entropy 0.0, meaning every raw byte in each of them has the same value: they are pure padding with random-looking names, and their raw sizes add up to 0x178000 bytes (1,540,096), roughly two thirds of the 2,347,008-byte file. The .arp section, the last one, is where the export directory lives.
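Reproducing the checks that the section table above invites is straightforward without a PE library. The following is an added example, not code from this report or from Joe Sandbox: a pure-Python walker over the COFF section table that computes per-section entropy and flags the three patterns seen here (non-standard section names, high-entropy executable sections, and a large share of zero-entropy padding). The list of "standard" section names, the 7.0 and 0.1 entropy cut-offs and the 50% padding threshold are my own choices, and build_sample_image() constructs a tiny PE32+ skeleton for demonstration rather than using the analysed sample.

```python
import math
import struct
from typing import List

# Section names a Microsoft linker emits on its own; anything else deserves a look.
# This set is an assumption of the example, not a list taken from the report.
STANDARD_SECTION_NAMES = {
    ".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc", ".idata", ".edata",
    ".tls", ".bss", ".CRT", ".gfids", ".00cfg", ".didat", ".xdata",
}
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a single repeated value, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> List[dict]:
    """Walk the section table of a PE image (PE32 or PE32+) held in memory."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    number_of_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional_header = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_of_optional_header      # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(number_of_sections):
        off = table + i * 40                          # each header is 40 bytes
        raw_name, virtual_size, virtual_address, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, off)
        characteristics = struct.unpack_from("<I", image, off + 36)[0]
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": raw_name.rstrip(b"\0").decode("latin-1"),
            "virtual_address": virtual_address,
            "virtual_size": virtual_size,
            "raw_size": raw_size,
            "characteristics": characteristics,
            "entropy": shannon_entropy(raw),
        })
    return sections


def triage(sections: List[dict], padding_threshold: float = 0.5) -> List[str]:
    """Flag odd names, packed executable sections and padding-dominated files."""
    findings = []
    total_raw = sum(s["raw_size"] for s in sections)
    padding_raw = 0
    for s in sections:
        if s["name"] not in STANDARD_SECTION_NAMES:
            findings.append(f"non-standard section name {s['name']!r}")
        if s["raw_size"] and s["entropy"] < 0.1:
            padding_raw += s["raw_size"]
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["entropy"] > 7.0:
            findings.append(f"executable section {s['name']!r} has entropy "
                            f"{s['entropy']:.2f} (packed or encrypted code)")
    if total_raw and padding_raw / total_raw >= padding_threshold:
        findings.append(f"{padding_raw / total_raw:.0%} of raw file bytes are zero-entropy padding")
    return findings


def build_sample_image() -> bytes:
    """Constructed PE32+ skeleton for the demo (not the analysed sample).

    Three sections: a maximally random .text, an ordinary .data, and a zero-filled
    section with a random-looking name, in the spirit of the report's section table."""
    page = 0x1000
    payloads = [
        (b".text", bytes(range(256)) * 16, 0x60000020),  # CODE | EXECUTE | READ, entropy 8.0
        (b".data", b"ABCD" * 1024, 0xC0000040),           # INITIALIZED_DATA | READ | WRITE
        (b".qkm", b"\0" * (4 * page), 0x40000040),        # INITIALIZED_DATA | READ, entropy 0.0
    ]
    opt_header_size = 0xF0                                 # PE32+ optional header
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(payloads), 0, 0, 0, opt_header_size, 0x2022)
    opt = bytearray(opt_header_size)
    struct.pack_into("<H", opt, 0, 0x20B)                  # PE32+ magic
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    raw_ptr, body = 0x200, b""
    for i, (name, data, flags) in enumerate(payloads):
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data),
                               page * (i + 1), len(data), raw_ptr, 0, 0, 0, 0, flags)
        body += data
        raw_ptr += len(data)
    return headers.ljust(0x200, b"\0") + body


if __name__ == "__main__":
    for line in triage(parse_sections(build_sample_image())):
        print(line)
```

To run it against a real file, pass open(path, "rb").read() to parse_sections(). Entropy is computed over raw file bytes, so a section whose SizeOfRawData is zero contributes nothing, and the padding share is measured against raw size rather than virtual size, which is the figure that matters for how much of the file on disk is filler.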

            Resources

Name         RVA      Size   Type                                    Language  Country
RT_VERSION   0xc00a0  0x370  data                                    English   United States
RT_MANIFEST  0xc0410  0x56   ASCII text, with CRLF line terminators  English   United States

            Imports

DLL           Import
USER32.dll    LookupIconIdFromDirectoryEx, WaitForInputIdle, GetParent, GetFocus
SETUPAPI.dll  CM_Get_Resource_Conflict_DetailsW
KERNEL32.dll  DeleteCriticalSection, DeleteTimerQueue, TerminateJobObject, GetFileInformationByHandle, GetThreadLocale, GetNamedPipeServerProcessId, GetConsoleFontSize
GDI32.dll     CreateBitmapIndirect, GetPolyFillMode
CRYPT32.dll   CertGetCTLContextProperty
ADVAPI32.dll  AddAccessDeniedObjectAce
SHLWAPI.dll   ChrCmpIW

Only 17 functions across seven DLLs are imported statically, and none of them are the process, memory or network APIs the behaviour below requires; together with the near-maximal entropy of .text this is the profile of a packed binary that resolves the APIs it actually uses at run time.

            Exports

Name                                       Ordinal  Address
CreateXmlReader                            1        0x140008798
CreateXmlReaderInputWithEncodingCodePage   2        0x140020784
CreateXmlReaderInputWithEncodingName       3        0x14002bc1c
CreateXmlWriter                            4        0x140029708
CreateXmlWriterOutputWithEncodingCodePage  5        0x14001c9ec
CreateXmlWriterOutputWithEncodingName      6        0x14003a458

These six names are the export set of the Windows xmllite.dll, so the sample presents xmllite's interface to whatever loads it, while its version resource below describes a BITS component with OriginalFilename "kbdy"; the two do not agree with each other. All six addresses fall inside the high-entropy .text section.

            Version Infos

Description       Data
LegalCopyright    Microsoft Corporation. All rights reserv
InternalName      bitsp
FileVersion       7.5.7600.16385 (win7_rtm.090713-
CompanyName       Microsoft Corporati
ProductName       Microsoft Windows Operating S
ProductVersion    6.1.7600
FileDescription   Background Intellig
OriginalFilename  kbdy
Translation       0x0409 0x04b0

            Possible Origin

Language of compilation system  Country where language is spoken
English                         United States

            Network Behavior

Network Port Distribution

All 44 UDP packets recorded below are DNS traffic: 22 queries from 192.168.2.3 to 8.8.8.8 on port 53 and their 22 responses. No other port appears in this section, and the queried names are not listed here.

            UDP Packets

Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Sep 29, 2021 04:17:06.724128008 CEST  58604        53         192.168.2.3  8.8.8.8
Sep 29, 2021 04:17:06.754452944 CEST  53           58604      8.8.8.8      192.168.2.3
Sep 29, 2021 04:17:07.487791061 CEST  51668        53         192.168.2.3  8.8.8.8
Sep 29, 2021 04:17:07.518738031 CEST  53           51668      8.8.8.8      192.168.2.3
Sep 29, 2021 04:17:09.690196037 CEST  52206        53         192.168.2.3  8.8.8.8
Sep 29, 2021 04:17:09.717344046 CEST  53           52206      8.8.8.8      192.168.2.3
Sep 29, 2021 04:17:35.525028944 CEST  56844        53         192.168.2.3  8.8.8.8
Sep 29, 2021 04:17:35.545466900 CEST  53           56844      8.8.8.8      192.168.2.3
Sep 29, 2021 04:17:57.420173883 CEST  58045        53         192.168.2.3  8.8.8.8
Sep 29, 2021 04:17:57.453303099 CEST  53           58045      8.8.8.8      192.168.2.3
Sep 29, 2021 04:17:58.125361919 CEST  57459        53         192.168.2.3  8.8.8.8
Sep 29, 2021 04:17:58.144586086 CEST  53           57459      8.8.8.8      192.168.2.3
Sep 29, 2021 04:17:58.614105940 CEST  57875        53         192.168.2.3  8.8.8.8
Sep 29, 2021 04:17:58.655271053 CEST  53           57875      8.8.8.8      192.168.2.3
Sep 29, 2021 04:17:58.987204075 CEST  54154        53         192.168.2.3  8.8.8.8
Sep 29, 2021 04:17:59.023452044 CEST  53           54154      8.8.8.8      192.168.2.3
Sep 29, 2021 04:17:59.249288082 CEST  52806        53         192.168.2.3  8.8.8.8
Sep 29, 2021 04:17:59.268824100 CEST  53           52806      8.8.8.8      192.168.2.3
Sep 29, 2021 04:17:59.490173101 CEST  53910        53         192.168.2.3  8.8.8.8
Sep 29, 2021 04:17:59.507291079 CEST  53           53910      8.8.8.8      192.168.2.3
Sep 29, 2021 04:17:59.565119982 CEST  64021        53         192.168.2.3  8.8.8.8
Sep 29, 2021 04:17:59.587596893 CEST  53           64021      8.8.8.8      192.168.2.3
Sep 29, 2021 04:17:59.663503885 CEST  60784        53         192.168.2.3  8.8.8.8
Sep 29, 2021 04:17:59.689112902 CEST  53           60784      8.8.8.8      192.168.2.3
Sep 29, 2021 04:17:59.966314077 CEST  51143        53         192.168.2.3  8.8.8.8
Sep 29, 2021 04:17:59.985924959 CEST  53           51143      8.8.8.8      192.168.2.3
Sep 29, 2021 04:18:00.483161926 CEST  56009        53         192.168.2.3  8.8.8.8
Sep 29, 2021 04:18:00.525046110 CEST  53           56009      8.8.8.8      192.168.2.3
Sep 29, 2021 04:18:01.174349070 CEST  59026        53         192.168.2.3  8.8.8.8
Sep 29, 2021 04:18:01.195708036 CEST  53           59026      8.8.8.8      192.168.2.3
Sep 29, 2021 04:18:01.960509062 CEST  49572        53         192.168.2.3  8.8.8.8
Sep 29, 2021 04:18:01.984606028 CEST  53           49572      8.8.8.8      192.168.2.3
Sep 29, 2021 04:18:02.354680061 CEST  60823        53         192.168.2.3  8.8.8.8
Sep 29, 2021 04:18:02.374551058 CEST  53           60823      8.8.8.8      192.168.2.3
Sep 29, 2021 04:18:17.424494982 CEST  52130        53         192.168.2.3  8.8.8.8
Sep 29, 2021 04:18:17.447173119 CEST  53           52130      8.8.8.8      192.168.2.3
Sep 29, 2021 04:18:51.252121925 CEST  55102        53         192.168.2.3  8.8.8.8
Sep 29, 2021 04:18:51.285401106 CEST  53           55102      8.8.8.8      192.168.2.3
Sep 29, 2021 04:19:28.960732937 CEST  56236        53         192.168.2.3  8.8.8.8
Sep 29, 2021 04:19:28.988595963 CEST  53           56236      8.8.8.8      192.168.2.3
Sep 29, 2021 04:19:52.368725061 CEST  56527        53         192.168.2.3  8.8.8.8
Sep 29, 2021 04:19:52.388040066 CEST  53           56527      8.8.8.8      192.168.2.3
Sep 29, 2021 04:19:59.085726976 CEST  49559        53         192.168.2.3  8.8.8.8
Sep 29, 2021 04:19:59.120529890 CEST  53           49559      8.8.8.8      192.168.2.3

            Code Manipulations

            System Behavior

            General

            Start time:04:17:15
            Start date:29/09/2021
            Path:C:\Windows\System32\loaddll64.exe
            Wow64 process (32bit):false
            Commandline:loaddll64.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll'
            Imagebase:0x7ff7904b0000
            File size:1136128 bytes
            MD5 hash:E0CC9D126C39A9D2FA1CAD5027EBBD18
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
            Reputation:moderate

            General

            Start time:04:17:15
            Start date:29/09/2021
            Path:C:\Windows\System32\cmd.exe
            Wow64 process (32bit):false
            Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll',#1
            Imagebase:0x7ff6da2c0000
            File size:273920 bytes
            MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:04:17:16
            Start date:29/09/2021
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReader
            Imagebase:0x7ff755610000
            File size:69632 bytes
            MD5 hash:73C519F050C20580F8A62C849D49215A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.394275962.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
            Reputation:high

            General

            Start time:04:17:16
            Start date:29/09/2021
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:rundll32.exe 'C:\Users\user\Desktop\2epPHr8ygJ.dll',#1
            Imagebase:0x7ff755610000
            File size:69632 bytes
            MD5 hash:73C519F050C20580F8A62C849D49215A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.294861665.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
            Reputation:high

            General

            Start time:04:17:17
            Start date:29/09/2021
            Path:C:\Windows\explorer.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\Explorer.EXE
            Imagebase:0x7ff720ea0000
            File size:3933184 bytes
            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:04:17:19
            Start date:29/09/2021
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReaderInputWithEncodingCodePage
            Imagebase:0x7ff755610000
            File size:69632 bytes
            MD5 hash:73C519F050C20580F8A62C849D49215A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000007.00000002.301872328.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
            Reputation:high

            General

            Start time:04:17:23
            Start date:29/09/2021
            Path:C:\Windows\System32\rundll32.exe
            Wow64 process (32bit):false
            Commandline:rundll32.exe C:\Users\user\Desktop\2epPHr8ygJ.dll,CreateXmlReaderInputWithEncodingName
            Imagebase:0x7ff755610000
            File size:69632 bytes
            MD5 hash:73C519F050C20580F8A62C849D49215A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000009.00000002.309477044.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
            Reputation:high

            General

            Start time:04:18:05
            Start date:29/09/2021
            Path:C:\Windows\System32\msdt.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\msdt.exe
            Imagebase:0x7ff783610000
            File size:1560576 bytes
            MD5 hash:8BE43BAF1F37DA5AB31A53CA1C07EE0C
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:moderate

            General

            Start time:04:18:07
            Start date:29/09/2021
            Path:C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe
            Wow64 process (32bit):false
            Commandline:C:\Users\user\AppData\Local\lqtTrEDJ\msdt.exe
            Imagebase:0x7ff68f290000
            File size:1560576 bytes
            MD5 hash:8BE43BAF1F37DA5AB31A53CA1C07EE0C
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000012.00000002.423955889.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

            General

            Start time:04:18:18
            Start date:29/09/2021
            Path:C:\Windows\System32\WMPDMC.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\WMPDMC.exe
            Imagebase:0x7ff7ccb30000
            File size:1517568 bytes
            MD5 hash:4085FDA375E50214142BD740559F5835
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            General

            Start time:04:18:19
            Start date:29/09/2021
            Path:C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe
            Wow64 process (32bit):false
            Commandline:C:\Users\user\AppData\Local\Ga7Wl\WMPDMC.exe
            Imagebase:0x7ff6a1300000
            File size:1517568 bytes
            MD5 hash:4085FDA375E50214142BD740559F5835
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000018.00000002.451585055.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

            General

            Start time:04:18:31
            Start date:29/09/2021
            Path:C:\Windows\System32\FXSCOVER.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\FXSCOVER.exe
            Imagebase:0x7ff7d1710000
            File size:232960 bytes
            MD5 hash:BEAB16FEFCB7F62BBC135FB87DF7FDF2
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            General

            Start time:04:18:37
            Start date:29/09/2021
            Path:C:\Users\user\AppData\Local\29qb\FXSCOVER.exe
            Wow64 process (32bit):false
            Commandline:C:\Users\user\AppData\Local\29qb\FXSCOVER.exe
            Imagebase:0x7ff74c9b0000
            File size:232960 bytes
            MD5 hash:BEAB16FEFCB7F62BBC135FB87DF7FDF2
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001B.00000002.489814069.0000000140001000.00000020.00020000.sdmp, Author: Joe Security
            Antivirus matches:
            • Detection: 0%, ReversingLabs

            General

            Start time:04:18:49
            Start date:29/09/2021
            Path:C:\Windows\System32\SystemPropertiesAdvanced.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\SystemPropertiesAdvanced.exe
            Imagebase:0x7ff755020000
            File size:83968 bytes
            MD5 hash:82ED6250B9AA030DDC13DC075D2C16E3
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            General

            Start time:04:18:50
            Start date:29/09/2021
            Path:C:\Windows\System32\CameraSettingsUIHost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\CameraSettingsUIHost.exe
            Imagebase:0x7ff716360000
            File size:32104 bytes
            MD5 hash:34F32BC06CDC7AF56607D351B155140D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            General

            Start time:04:18:54
            Start date:29/09/2021
            Path:C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exe
            Wow64 process (32bit):false
            Commandline:C:\Users\user\AppData\Local\YVP8cq\CameraSettingsUIHost.exe
            Imagebase:0x7ff7eac30000
            File size:32104 bytes
            MD5 hash:34F32BC06CDC7AF56607D351B155140D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001F.00000002.526607967.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

            General

            Start time:04:19:07
            Start date:29/09/2021
            Path:C:\Windows\System32\MDMAppInstaller.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\MDMAppInstaller.exe
            Imagebase:0x7ff772c80000
            File size:145920 bytes
            MD5 hash:E2C777B6E3CE4C15C5657429A63787A3
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            General

            Start time:04:19:08
            Start date:29/09/2021
            Path:C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe
            Wow64 process (32bit):false
            Commandline:C:\Users\user\AppData\Local\p1G0zp\MDMAppInstaller.exe
            Imagebase:0x7ff729440000
            File size:145920 bytes
            MD5 hash:E2C777B6E3CE4C15C5657429A63787A3
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000021.00000002.555412391.0000000140001000.00000020.00020000.sdmp, Author: Joe Security

            General

            Start time:04:19:20
            Start date:29/09/2021
            Path:C:\Windows\System32\SystemPropertiesComputerName.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\SystemPropertiesComputerName.exe
            Imagebase:0x7ff6ea710000
            File size:83968 bytes
            MD5 hash:BEE134E1F23AFD3AE58191D265BB9070
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            General

            Start time:04:19:21
            Start date:29/09/2021
            Path:C:\Windows\System32\eudcedit.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\eudcedit.exe
            Imagebase:0x7ff77e6d0000
            File size:353280 bytes
            MD5 hash:0ED10F2F98B80FF9F95EED2B04CFA076
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            General

            Start time:04:19:21
            Start date:29/09/2021
            Path:C:\Windows\System32\CameraSettingsUIHost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\CameraSettingsUIHost.exe
            Imagebase:0x7ff716360000
            File size:32104 bytes
            MD5 hash:34F32BC06CDC7AF56607D351B155140D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
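The process list above shows the same sequence five times: a System32 binary starts (msdt.exe at 04:18:05, WMPDMC.exe at 04:18:18, FXSCOVER.exe at 04:18:31, CameraSettingsUIHost.exe at 04:18:50, MDMAppInstaller.exe at 04:19:07), and within seconds a byte-identical copy of it (same MD5) starts from a freshly named directory under C:\Users\user\AppData\Local\, with the Dridex Yara rule firing in the copy's memory rather than in the original's. A copy of a clean Windows binary in a user-writable directory is the artefact to hunt for on other hosts. The script below is an added example, not part of this report and not Joe Sandbox code: it hashes every .exe in a system directory, walks a search root for executables with a matching hash, and lists the DLLs sitting beside each hit, since that is where a dependency the copied binary loads from its own directory would be placed (the report does not enumerate the staging directories' other contents, so that part is general practice rather than something the page shows). It uses SHA-256 where the report shows MD5; the demo tree it builds, including the stand-in file contents, the directory name lqtTrEDJ reused from the report, and the hypothetical example.dll, is constructed data.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def index_system_binaries(system_dir: Path) -> Dict[str, str]:
    """Map SHA-256 -> file name for every .exe directly under the system directory."""
    return {sha256_of(p): p.name for p in system_dir.iterdir()
            if p.is_file() and p.suffix.lower() == ".exe"}


def find_relocated_system_binaries(system_dir: Path, search_root: Path) -> List[dict]:
    """Report executables under search_root that are byte-identical to a system binary.

    Each finding also lists the DLLs in the same directory: a copied host binary
    is only useful to an attacker if it loads something from where it was put.
    """
    known = index_system_binaries(system_dir)
    findings = []
    for root, _dirs, files in os.walk(search_root):
        for name in files:
            path = Path(root) / name
            if path.suffix.lower() != ".exe":
                continue
            digest = sha256_of(path)
            if digest not in known:
                continue
            neighbours = sorted(p.name for p in path.parent.iterdir()
                                if p.is_file() and p.suffix.lower() == ".dll")
            findings.append({
                "copy": str(path),
                "original": known[digest],
                "sha256": digest,
                "dlls_beside_it": neighbours,
            })
    return findings


def build_demo_tree(base: Path) -> Tuple[Path, Path]:
    """Constructed directory layout echoing the report's process list (demo data only)."""
    system32 = base / "Windows" / "System32"
    appdata = base / "Users" / "user" / "AppData" / "Local"
    system32.mkdir(parents=True)
    # Stand-ins for real binaries: arbitrary bytes, identical between original and copy.
    (system32 / "msdt.exe").write_bytes(b"MZ-msdt-stand-in" * 64)
    (system32 / "notepad.exe").write_bytes(b"MZ-notepad-stand-in" * 64)
    staged = appdata / "lqtTrEDJ"          # directory name taken from the report
    staged.mkdir(parents=True)
    (staged / "msdt.exe").write_bytes((system32 / "msdt.exe").read_bytes())
    (staged / "example.dll").write_bytes(b"not-a-real-dll")   # hypothetical companion DLL
    # A user's own program that matches nothing in System32 and must not be reported.
    other = appdata / "Programs"
    other.mkdir()
    (other / "updater.exe").write_bytes(b"MZ-unrelated" * 64)
    return system32, appdata


def run_demo() -> List[dict]:
    """Build the demo tree in a temporary directory and hunt through it."""
    with tempfile.TemporaryDirectory() as tmp:
        system32, appdata = build_demo_tree(Path(tmp))
        return find_relocated_system_binaries(system32, appdata)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['copy']} is a copy of {f['original']}; DLLs beside it: {f['dlls_beside_it']}")
```

On a live Windows host the call is find_relocated_system_binaries(Path(r"C:\Windows\System32"), Path.home() / "AppData" / "Local"); hashing every executable in System32 takes a minute or two, so cache the index when sweeping many users. Matching on the full hash rather than the file name avoids both false positives from unrelated programs that happen to share a name and misses from copies that were renamed.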

            Disassembly

            Code Analysis


              Executed Functions

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
• Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
• Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID: }*$}*
              • API String ID: 0-2047341001
              • Opcode ID: f218d88ecbe768a3c2e15b48e098ea3b44daa8c6dba81671f269a0c6fd7b68aa
              • Instruction ID: dfe71950bb4b00d773a2c1e4d7d9ca62016f185058a51a46645e99606ce0912a
              • Opcode Fuzzy Hash: f218d88ecbe768a3c2e15b48e098ea3b44daa8c6dba81671f269a0c6fd7b68aa
              • Instruction Fuzzy Hash: CDF2E476601B8481EB269F17D5503EE77A1F78EBC8F9A4025EB0A077B5DB38C945C348
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
• Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
• Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
• Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: ConsoleEntryFreePoint
              • String ID: )8GV$d
              • API String ID: 3550414006-3589632123
              • Opcode ID: d05d8187567b24d43b5378db4c26f8457bb6311b4b9be5c519ef70a53fb6d972
              • Instruction ID: d510f836e5bc92855b025e221ee4853bd72dbb3d22a76ed0b2795177c136f2ac
              • Opcode Fuzzy Hash: d05d8187567b24d43b5378db4c26f8457bb6311b4b9be5c519ef70a53fb6d972
              • Instruction Fuzzy Hash: 2C91983230064096EB26EB66D0513EE23A5AB9C7D4F914526BB1E47BFBEE34CA05C350
              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Similarity
              • API ID: InfoSystem
              • String ID: sy;$sy;
              • API String ID: 31276548-3660992706
              • Opcode ID: 4ba7a1a776c1b2a8194e3aee1005776fcb25fed3b21deabde970c8a1fedf5655
              • Instruction ID: 6e6b9d6b41ba510f9365bd6ae70f9dc3139515c8db1fe8c3f4a6c85962f57752
              • Opcode Fuzzy Hash: 4ba7a1a776c1b2a8194e3aee1005776fcb25fed3b21deabde970c8a1fedf5655
              • Instruction Fuzzy Hash: 2A82DB72215B848AEB26CF27D4507E977E1F789BC4F498426EB4A077B6DB39C941C380
              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID: }*$}*
              • API String ID: 0-2047341001
              • Opcode ID: 7295418c03dacbe62c915b6dd4b980e4d41f822c5e8600d002afc3f8743a909a
              • Instruction ID: 589d9863290c94d963c78ae1aba4b537ce1e649f887b860e334c2c2edf70769e
              • Opcode Fuzzy Hash: 7295418c03dacbe62c915b6dd4b980e4d41f822c5e8600d002afc3f8743a909a
              • Instruction Fuzzy Hash: B872E172211B8081EBA68F23D4547ED77A1F78DBC4F8A5125EB4A477B6EB38C944C348
              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Similarity
              • API ID: FileFindFirst
              • String ID: .
              • API String ID: 1974802433-248832578
              • Opcode ID: 676bd74008c321f1f054d2561c231ee4757c1d63a5241c01311e4a1111e2dca9
              • Instruction ID: 4bac0f1caae8588fed560e2f4dd75fe3b4005a9d196e6938d52e54566134f4c2
              • Opcode Fuzzy Hash: 676bd74008c321f1f054d2561c231ee4757c1d63a5241c01311e4a1111e2dca9
              • Instruction Fuzzy Hash: C841A43260564085FB76DB26E1003AD73A1A748BF8F184713EF69177E9DB7AC982C742
              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID: )8GV$)8GV
              • API String ID: 0-993736920
              • Opcode ID: a474c31cc31dbb2bad411d4c623e5f6703c0a81594d7db2d3b405b35e95b2219
              • Instruction ID: e7db99c2ed76c24e9271fdfca30502f9120cd4f12b6678b2f47d4e41cadbe873
              • Opcode Fuzzy Hash: a474c31cc31dbb2bad411d4c623e5f6703c0a81594d7db2d3b405b35e95b2219
              • Instruction Fuzzy Hash: 3BF18F7272064095EB52EB72D8913EE6365FB993C8F900426BB0E47AFADF34CA45C740
              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Similarity
              • API ID: InformationQuerySystem
              • String ID:
              • API String ID: 3562636166-0
              • Opcode ID: 9f41864b2900007f84f8b1ad90144004543c6c2abfbff0cc5a6841cbcca8c7da
              • Instruction ID: ba306794fc56961ae9be9e8108b60f4a03202e28571258f9feaa1cffdeadac3d
              • Opcode Fuzzy Hash: 9f41864b2900007f84f8b1ad90144004543c6c2abfbff0cc5a6841cbcca8c7da
              • Instruction Fuzzy Hash: 25B16E36601B409AE712EF26D9403EE33A6F7497C8F645825EB4E47BA6DF38D524CB00
              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Similarity
              • API ID: FileFindLoadNext
              • String ID:
              • API String ID: 50669962-0
              • Opcode ID: aa0438968589772fc8f2a9ec3ebe64abc64651e75ec2b3921e4afd98a3b5e278
              • Instruction ID: 5bbbb247b64301f03cc62f5655f26b2922a91791dd430743fbd3ba68f8766a4f
              • Opcode Fuzzy Hash: aa0438968589772fc8f2a9ec3ebe64abc64651e75ec2b3921e4afd98a3b5e278
              • Instruction Fuzzy Hash: 07819D3261568092FB22EB26E4513EE6365FBD83D4F814521FB4A57AEBEF38C605C704
              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Similarity
              • API ID: CloseExitProcess
              • String ID:
              • API String ID: 3487036407-0
              • Opcode ID: 6e17fe50e6f561acc205664f4a43b7bf662508175e8116978b7861a4b69f8d5b
              • Instruction ID: 3d479053040576d7404e3dfab4813d6254088c9544e20b556efee73ce8d776a8
              • Opcode Fuzzy Hash: 6e17fe50e6f561acc205664f4a43b7bf662508175e8116978b7861a4b69f8d5b
              • Instruction Fuzzy Hash: 5771BF32710A5096FB16EB72D4513EE2365AB883D9F844522BF5E53AFADF35C906C340
              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0
              • Opcode ID: daec19cacdd098f1244212ea8e14a5d3e1bd9439d57025bc9e494c2d8b520846
              • Instruction ID: acc9ee73913d888b71121e4cedfe861758cf19cabea33dd7822bbf7d3cf7603a
              • Opcode Fuzzy Hash: daec19cacdd098f1244212ea8e14a5d3e1bd9439d57025bc9e494c2d8b520846
              • Instruction Fuzzy Hash: 42E08CA1741A0041EF265276D0803A812809B4D7B4E194B209A7D0B3E0EA3888898716
              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b1fe821b06c1a4823bb9271ec043e796f757224c870123343ecb03a76390b80a
              • Instruction ID: bccbce3911ab829ef3288d496869760cb1404da12fac801df191153d1e38d36e
              • Opcode Fuzzy Hash: b1fe821b06c1a4823bb9271ec043e796f757224c870123343ecb03a76390b80a
              • Instruction Fuzzy Hash: 9172CD72601B9485FB26CF17D4503E967A1FB8EFC4F998426EB0A077A5EB39C945C380
              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ef59d8dad7016460516c65c54e0757d465c5ab080b3c9532efa0d5a42b826e15
              • Instruction ID: 84a8ec628d281786b49b5e6f6f6dec0d0376b1c45e732984354cafa0c8984479
              • Opcode Fuzzy Hash: ef59d8dad7016460516c65c54e0757d465c5ab080b3c9532efa0d5a42b826e15
              • Instruction Fuzzy Hash: D761947121164102FE76B72399047EE5292AFAD3E4F650B21BF6E47BF9EE38C9018740
              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ff70e36bafc14066583f36dccf9ed98aecf1f3ce13f55bc2722bc0c9a53d6bef
              • Instruction ID: 713527809b35fed6260ebd230ad48717dd4fa7a304d79e310e96a8de0daf9cee
              • Opcode Fuzzy Hash: ff70e36bafc14066583f36dccf9ed98aecf1f3ce13f55bc2722bc0c9a53d6bef
              • Instruction Fuzzy Hash: 5A717D32B04B4095FB12EBB2E4913DF67A5FBC8388F954025BB4957AAADF38D445CB04
              Uniqueness Score: -1.00%

              APIs
              • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 0000000140061459
              • RegEnumKeyW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00000001400614B4
              • RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 0000000140061539
              • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002,?), ref: 0000000140061664
              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Similarity
              • API ID: Close$EnumOpen
              • String ID:
              • API String ID: 138425441-0
              • Opcode ID: 672031fc434e6626b90ea1da62f3c38a687c8b9296ffac50e7f6928d6a85a361
              • Instruction ID: 4377045c35190c944746a6ea10b9b47c13ce871b5e3b3a15cce40fdff127085f
              • Opcode Fuzzy Hash: 672031fc434e6626b90ea1da62f3c38a687c8b9296ffac50e7f6928d6a85a361
              • Instruction Fuzzy Hash: 5BC1A43120568082FE629B16E8503EEA791E7C97E0F6C4A21FB6E47BE5DE78C941C740
              Uniqueness Score: -1.00%

              APIs
              • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 000000014005FA4B
              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Similarity
              • API ID: DescriptorSecurity$ConvertString
              • String ID: 4aX
              • API String ID: 3907675253-4042356595
              • Opcode ID: a1249fc2010d9d5d05952f0359ba200457e66aefbced3d07103a2c3463c61beb
              • Instruction ID: 5c7b4eddd96f597e19123db416744eb931adcf52cf9da5c093af566d74744993
              • Opcode Fuzzy Hash: a1249fc2010d9d5d05952f0359ba200457e66aefbced3d07103a2c3463c61beb
              • Instruction Fuzzy Hash: EC216D72214B4582EA12EF66E1403DEB3A0FB8C7C4F844525EB8D07B6AEF39D625C745
              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 44297aa2126b14dcd4d9c9accf23e52108ed4399094c5e3af94dd8103b7f7b57
              • Instruction ID: c5574eec75406f68cf122a08b4571db932f63f1e1c7d3e43579234279b4bb767
              • Opcode Fuzzy Hash: 44297aa2126b14dcd4d9c9accf23e52108ed4399094c5e3af94dd8103b7f7b57
              • Instruction Fuzzy Hash: A151D03130464182FA72EA63A4507EA77A2BB8CBD4F154527BF5A077E2EF7AC801C740
              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Similarity
              • API ID: File$PointerRead
              • String ID:
              • API String ID: 3154509469-0
              • Opcode ID: 00f6d0f3771a8cfa98223a140d65de6735ec101d3a44d5ddd75e2d9def7749f0
              • Instruction ID: 869152f87e2051f324d9e8f0f01270def7d2743b76a8e6c9a5e95a296a3a7e26
              • Opcode Fuzzy Hash: 00f6d0f3771a8cfa98223a140d65de6735ec101d3a44d5ddd75e2d9def7749f0
              • Instruction Fuzzy Hash: A541583161464087EA62DB3AA4447AAB3A1FBD87E0F144712BB6D4B7F5DF39C802DB40
              Uniqueness Score: -1.00%

              APIs
              • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
              • SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2
              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Similarity
              • API ID: File$CreateTime
              • String ID:
              • API String ID: 1043708186-0
              • Opcode ID: 8a0a731fb1e22280383dc4c244850d697ffee92b9dbadae0b2290ba2595e9be9
              • Instruction ID: 944ab0cbe82d54181631abf043b2a82f72de4fdca767e43f24bb2c72b9c0c91f
              • Opcode Fuzzy Hash: 8a0a731fb1e22280383dc4c244850d697ffee92b9dbadae0b2290ba2595e9be9
              • Instruction Fuzzy Hash: 8D21B431214A4581EA72DB66A0407EA3795F78CBE4F184617EFAE077E5DF7AC806C740
              Uniqueness Score: -1.00%

              APIs
              • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
              • SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2
              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Similarity
              • API ID: File$CreateTime
              • String ID:
              • API String ID: 1043708186-0
              • Opcode ID: d6d835041d1b41abb3b5fe648f8f275da576c4891ed88a603463ed8b7f508fb5
              • Instruction ID: bee1728ae0ee1a0caa625709e376bb4aadd3217f15d1bcce0d190476addee932
              • Opcode Fuzzy Hash: d6d835041d1b41abb3b5fe648f8f275da576c4891ed88a603463ed8b7f508fb5
              • Instruction Fuzzy Hash: BE21D332311A4581EA72DA66A0407EA3795B78CBE4F184527AF9D077E5DE7AC806C700
              Uniqueness Score: -1.00%

              APIs
              • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
              • SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2
              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Similarity
              • API ID: File$CreateTime
              • String ID:
              • API String ID: 1043708186-0
              • Opcode ID: 6bbc7cb38f56b555cae5d46dc9eb85d7f0e424b0d62445df59964c24eed4e9f3
              • Instruction ID: a00dbcca095f64b26cda9c271166364bdf2e86a9b80154192fb139b54d898421
              • Opcode Fuzzy Hash: 6bbc7cb38f56b555cae5d46dc9eb85d7f0e424b0d62445df59964c24eed4e9f3
              • Instruction Fuzzy Hash: 5521E532315A4581EA72DB62A0407EE3791F78CBE4F184517AFAD077E5DE7AC806C700
              Uniqueness Score: -1.00%

              APIs
              • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014004890D), ref: 0000000140060D85
              • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014004890D), ref: 0000000140060DE8
              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Similarity
              • API ID: QueryValue
              • String ID:
              • API String ID: 3660427363-0
              • Opcode ID: 0af55b123fcd85ad11f65efe4d0ac2719b06ecdcd8a99680970ae4064010c44f
              • Instruction ID: 09cc4365fb23fa9fe14c599ab373ea3e5ec1bde103bfdbf39ccb6e9a9538c2db
              • Opcode Fuzzy Hash: 0af55b123fcd85ad11f65efe4d0ac2719b06ecdcd8a99680970ae4064010c44f
              • Instruction Fuzzy Hash: F521A37671569046EF52CB56E8003AFA391EB897F4F184621BF9C07BE8EA38D582C750
              Uniqueness Score: -1.00%

              APIs
              • CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DC5C
              • SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,?,000000014005DF81), ref: 000000014005DCE2
              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Similarity
              • API ID: File$CreateTime
              • String ID:
              • API String ID: 1043708186-0
              • Opcode ID: eb6f16229e65501cd5258548e2b4ff06530ad065b40e2a3bf9e2a9b945b11f61
              • Instruction ID: 68fcab11a3bde380270331896f94efb0ab36e54eb9d04e7f46ecdc112822b6b1
              • Opcode Fuzzy Hash: eb6f16229e65501cd5258548e2b4ff06530ad065b40e2a3bf9e2a9b945b11f61
              • Instruction Fuzzy Hash: 6821C132315A4541EA72DB62A0407EA3795F78CBE4F184627EFAD077E5DE7AC806C740
              Uniqueness Score: -1.00%
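The "APIs" and "Similarity" blocks in the entries above are machine-readable once the bullet lines are parsed, which is how a practitioner would turn a report like this into call-site records for comparison against other Dridex samples. The following Python is an added example and not part of the Joe Sandbox report: it parses entries shaped like the RegOpenKeyExW/RegEnumKeyW/RegCloseKey and ConvertStringSecurityDescriptorToSecurityDescriptorW ones above, converts each call-site address to an RVA using the image base stated on the "Source File" line, and resolves the literal 80000002 argument to its predefined hive handle (HKEY_LOCAL_MACHINE, a Windows constant). The regexes, class names and the KEEP_FIELDS set are my own assumptions about the layout; SAMPLE is constructed from lines on this page.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Predefined registry hive handles (Windows constants). The 80000002 argument
# in the report's RegOpenKeyExW / RegEnumKeyW / RegCloseKey lines is HKLM.
HIVES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}

# Similarity fields kept per entry (assumed set, names as printed in the report).
KEEP_FIELDS = {"API ID", "String ID", "API String ID", "Opcode ID",
               "Instruction ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash"}

API_LINE = re.compile(
    r"^[•*-]?\s*(?P<name>\w+)\.(?P<module>\w+)"   # RegEnumKeyW.ADVAPI32
    r"(?:\((?P<args>[^)]*)\))?"                   # optional (?,?,...,80000002)
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")     # , ref: 00000001400614B4
FIELD_LINE = re.compile(r"^[•*-]?\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*?)\s*$")
BASE_RE = re.compile(r"Offset:\s*(?P<base>[0-9A-Fa-f]+)")

# Constructed sample: two entries copied from this page's report layout.
SAMPLE = """\
APIs
• RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 0000000140061459
• RegEnumKeyW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00000001400614B4
• RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 0000000140061539
• RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002,?), ref: 0000000140061664
Memory Dump Source
• Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
Similarity
• API ID: Close$EnumOpen
• String ID:
• API String ID: 138425441-0
• Opcode ID: 672031fc434e6626b90ea1da62f3c38a687c8b9296ffac50e7f6928d6a85a361
• Instruction Fuzzy Hash: 5BC1A43120568082FE629B16E8503EEA791E7C97E0F6C4A21FB6E47BE5DE78C941C740
Uniqueness Score: -1.00%
APIs
• ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 000000014005FA4B
Similarity
• API ID: DescriptorSecurity$ConvertString
• Opcode ID: a1249fc2010d9d5d05952f0359ba200457e66aefbced3d07103a2c3463c61beb
Uniqueness Score: -1.00%
"""


@dataclass
class ApiRef:
    name: str
    module: str
    args: list                 # raw argument tokens; "?" means unresolved
    ref: int                   # absolute address of the call site
    rva: Optional[int] = None  # ref minus image base, once the base is known

    def hives(self) -> set:
        """Registry hive handles passed as literal 8-hex-digit arguments."""
        return {HIVES[int(t, 16)] for t in self.args
                if re.fullmatch(r"[0-9A-Fa-f]{8}", t) and int(t, 16) in HIVES}


@dataclass
class Entry:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)
    base: Optional[int] = None

    def hives(self) -> set:
        return set().union(*(a.hives() for a in self.apis))


def parse_report(text: str) -> list:
    """Split report text into entries; a 'Uniqueness Score' line closes each."""
    entries, cur = [], Entry()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Uniqueness Score"):
            for a in cur.apis:  # resolve RVAs now that the base is known
                a.rva = a.ref - cur.base if cur.base is not None else None
            entries.append(cur)
            cur = Entry()
            continue
        m = API_LINE.match(line)
        if m:
            args = [t.strip() for t in m["args"].split(",")] if m["args"] is not None else []
            cur.apis.append(ApiRef(m["name"], m["module"], args, int(m["ref"], 16)))
            continue
        b = BASE_RE.search(line)
        if b:
            cur.base = int(b["base"], 16)
            continue
        f = FIELD_LINE.match(line)
        if f and f["key"].strip() in KEEP_FIELDS:
            cur.fields[f["key"].strip()] = f["value"]
    if cur.apis or cur.fields:  # trailing entry without a footer line
        entries.append(cur)
    return entries


if __name__ == "__main__":
    for e in parse_report(SAMPLE):
        print(e.fields.get("API ID", ""), e.fields.get("Opcode ID", "")[:16], sorted(e.hives()))
        for a in e.apis:
            print(f"  {a.name}.{a.module} ref={a.ref:#x} rva={a.rva}")
```

The second sample entry has no "Source File" line, so its RVA stays None rather than being guessed; entries are keyed by Opcode ID, which is the stable identifier the report uses for a function, while the Instruction Fuzzy Hash is what you would feed to a similarity comparison across samples.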

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Similarity
              • API ID: ComputerName
              • String ID:
              • API String ID: 3545744682-0
              • Opcode ID: 6fbd370f509e15ded848fb55215db030cd5a070b2eb2f404213be6c4e10dd337
              • Instruction ID: 560481d37deeb2f3cc02cd101c0a384bc9ca8e36dca6fa428839860d024f360c
              • Opcode Fuzzy Hash: 6fbd370f509e15ded848fb55215db030cd5a070b2eb2f404213be6c4e10dd337
              • Instruction Fuzzy Hash: EDA15D3271064099EB12EFB6C4913EE2365A7987C8F915126BF0D67AFAEF34C609C750
              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Similarity
              • API ID: CreateMutex
              • String ID:
              • API String ID: 1964310414-0
              • Opcode ID: 6be956e981540fc735b56164f72d0aea79e48331418f8fd9eaab398243b5d8cf
              • Instruction ID: 2cd33cf12082532a652157af79f02d7873b375395221c82c38bac87e111ef697
              • Opcode Fuzzy Hash: 6be956e981540fc735b56164f72d0aea79e48331418f8fd9eaab398243b5d8cf
              • Instruction Fuzzy Hash: 6E51B2326117408AEB66EB22A0013EE6291EB9DBC4F580535FF4E477E6DF39C802D790
              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Similarity
              • API ID: FileFindNext
              • String ID:
              • API String ID: 2029273394-0
              • Opcode ID: ff4ac6c2ef48f38791092f6d6c449714fc18167456ec2ef2bc1084d7df7feef3
              • Instruction ID: fe48dd106ee2d63de4642147a978de6f9e341aec22c75ad1205c2678dbe1ece1
              • Opcode Fuzzy Hash: ff4ac6c2ef48f38791092f6d6c449714fc18167456ec2ef2bc1084d7df7feef3
              • Instruction Fuzzy Hash: 80115B7561034082FF76DA6691047E933E1EB697C8F051013EF59472E9EB36C8D2C751
              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Similarity
              • API ID: EnumValue
              • String ID:
              • API String ID: 2814608202-0
              • Opcode ID: a3c12b60ccc1d223e9782810bc36042d204e1f874336debb41352ff4bff3a234
              • Instruction ID: 650aff04d41c3b1619de3e88208a4500c6b85af191ab70c767efd2679610bbe3
              • Opcode Fuzzy Hash: a3c12b60ccc1d223e9782810bc36042d204e1f874336debb41352ff4bff3a234
              • Instruction Fuzzy Hash: 1C112E72204B8486D7219F12E84039EB7A5F788B90FA89529EB8D43B58DF39D991CB44
              Uniqueness Score: -1.00%

              APIs
              Similarity
              • API ID: CreateHeap
              • String ID:
              • API String ID: 10892065-0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Similarity
              • API ID: BoundaryDeleteDescriptor
              • String ID:
              • API String ID: 3203483114-0
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Strings
              Similarity
              • API ID:
              • String ID: ERCP$VUUU$VUUU$VUUU
              • API String ID: 0-2165971703
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Similarity
              • API ID:
              • String ID: GC,$GC,$GC,$GC,
              • API String ID: 0-2774350030
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Similarity
              • API ID:
              • String ID: }*$}*
              • API String ID: 0-2047341001
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Similarity
              • API ID:
              • String ID: )8GV$)8GV$@
              • API String ID: 0-2802744955
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Similarity
              • API ID:
              • String ID: GC,$GC,${QN
              • API String ID: 0-3150587038
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Similarity
              • API ID:
              • String ID: 0$GC,
              • API String ID: 0-3557465234
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Similarity
              • API ID:
              • String ID: cLpS$cLpS
              • API String ID: 0-581437482
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Similarity
              • API ID:
              • String ID: D
              • API String ID: 0-2746444292
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Similarity
              • API ID:
              • String ID: GET
              • API String ID: 0-1805413626
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Similarity
              • API ID: CloseEnvironmentExpandStrings
              • String ID:
              • API String ID: 1839112984-0
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID:
              • String ID:
              • API String ID:
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID:
              • String ID:
              • API String ID:
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Similarity
              • API ID: CreateMutex
              • String ID: m
              • API String ID: 1964310414-3775001192
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Similarity
              • API ID:
              • String ID: s( j
              • API String ID: 0-1450404818
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Similarity
              • API ID:
              • String ID: U
              • API String ID: 0-3372436214
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Similarity
              • API ID:
              • String ID: Content-Type
              • API String ID: 0-2058190213
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Similarity
              • API ID: Close
              • String ID: 0
              • API String ID: 3535843008-4108050209
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Similarity
              • API ID:
              • String ID:
              • API String ID: 0-3916222277
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Similarity
              • API ID:
              • String ID: tI*k
              • API String ID: 0-257501792
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Similarity
              • API ID:
              • String ID: ERCP
              • API String ID: 0-1384759551
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID:
              • String ID:
              • API String ID:
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID:
              • String ID:
              • API String ID:
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID: File$PointerRead
              • String ID:
              • API String ID: 3154509469-0
              Uniqueness

              Uniqueness Score: -1.00%

              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bbf02e0b346a645ce41284f4b25ae6de0e0561089bc0c4212f6de5587c4ccb21
              • Instruction ID: d53d10191d1a85c044aba7f3ec212ac92ce5176a248edb2932ce54add84afe44
              • Opcode Fuzzy Hash: bbf02e0b346a645ce41284f4b25ae6de0e0561089bc0c4212f6de5587c4ccb21
              • Instruction Fuzzy Hash: 9D52BE72601B8081EB269F23D4543EE77A1F78CBC4F8A5426EB4A577B6DB38D845C348
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dd1d6ac494662c45c571e96f77a6e8211c4f0b163f6c515dcb42af03e52a945a
              • Instruction ID: 9c06e88039ccf999e040ad7794a2e2d02b6699145a9792014979c24fd1337f6c
              • Opcode Fuzzy Hash: dd1d6ac494662c45c571e96f77a6e8211c4f0b163f6c515dcb42af03e52a945a
              • Instruction Fuzzy Hash: B4623CB76206548BD7668F26C080B6C37B1F35DFA8F25521ADF0A43799CB39D891CB90
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c541702096c1ae675d9f8552b841f1df762d73269a6d039e8a3e529e919bb3f5
              • Instruction ID: acd1ff4a64a9c803ec812a22a8ce79600e1464d52fdb42fb628072365476121f
              • Opcode Fuzzy Hash: c541702096c1ae675d9f8552b841f1df762d73269a6d039e8a3e529e919bb3f5
              • Instruction Fuzzy Hash: 64429E31301A8141FA23EB6698513EF6391EB8C7E8F544616BF5A5BBEAEE38C505C340
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fc2a6e3d2e1231b3fe707f0d0f35a30ce2f56e53bfff03d4db06bbddff5caabd
              • Instruction ID: 78f3400fd7e206f6a511ea736ed45412fb3e7259efd4ed926287f6c9bd4c6aa7
              • Opcode Fuzzy Hash: fc2a6e3d2e1231b3fe707f0d0f35a30ce2f56e53bfff03d4db06bbddff5caabd
              • Instruction Fuzzy Hash: E6427C32204A8096EB66EB32D0513EE67A4E79D3C8F914026F79A876F7DF38C945C741
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4c67c5e806fb826b8d3ebdb94475328f9d826e39b56b942e69a134813b1c65f0
              • Instruction ID: 8108868c1ca7c4f1afbe8bd34af9d7f1e96dfbbf12b1edd0cffad3fdf1fa0b6f
              • Opcode Fuzzy Hash: 4c67c5e806fb826b8d3ebdb94475328f9d826e39b56b942e69a134813b1c65f0
              • Instruction Fuzzy Hash: 3F429E3231068095FB22EB72D8913EE6765EB983D8F844122BB0D97AFADF34C645C750
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 060d71c651ab3aed04444553114f4ea5a7531cc3ca58c37faf4133b09f387ec2
              • Instruction ID: 183f2e46b23aa86a2c091461a645f9a581571388db0d92becfc597eb429af356
              • Opcode Fuzzy Hash: 060d71c651ab3aed04444553114f4ea5a7531cc3ca58c37faf4133b09f387ec2
              • Instruction Fuzzy Hash: 0732AB3271064089EB16EB36D4513EE27A5EB8CBD8F555126FF0E877BADE38C4868340
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 582d75fe1c79095535a2e02f27075811b67c45d37963b68eab4503b49cd75f0f
              • Instruction ID: 71edd40f2b1ab928f6f3b4ddf8d26af45cb7d1258c95c78617a62a1a74f3288a
              • Opcode Fuzzy Hash: 582d75fe1c79095535a2e02f27075811b67c45d37963b68eab4503b49cd75f0f
              • Instruction Fuzzy Hash: BF32AC3261068195EB12EB26D4913EE2765FB983C8F814122FB4E57AFBEF38C645C750
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e8328b10af82aab1ef65ff433d7820bced4cba86e0066b221c3c838f9fd1e431
              • Instruction ID: 3ba19fba285517c5acd5c21b3c9b7592edaf423ca2de06bba8230fcf7af2400b
              • Opcode Fuzzy Hash: e8328b10af82aab1ef65ff433d7820bced4cba86e0066b221c3c838f9fd1e431
              • Instruction Fuzzy Hash: 3C429B72624A8095FB12EB62D4957EE2365FB983C8F814022FB0D57ABBDF34C649C750
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7ee38f4c6dee734349d5b0dcc202e437ae908f573234f4aff5f510a5883c84b0
              • Instruction ID: eb795f204498a8d956ef0de19ff8bd43d97085c04d8ed5933d3115b51340510f
              • Opcode Fuzzy Hash: 7ee38f4c6dee734349d5b0dcc202e437ae908f573234f4aff5f510a5883c84b0
              • Instruction Fuzzy Hash: 7022793270064186EA23EB2AD4957EF63A5EB88BD4F554626FF0A477F6EE34C506C340
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1e8d1907d2a62ce1ae108db488a351868ceb64fffc9dd42578434a0f34ae656a
              • Instruction ID: 697e8bd1027fccc09012cb901671f32632dfdae7722e2c733c5167ca59ce0a7a
              • Opcode Fuzzy Hash: 1e8d1907d2a62ce1ae108db488a351868ceb64fffc9dd42578434a0f34ae656a
              • Instruction Fuzzy Hash: AE227C3271064186EA23EB26D4513EF63A1FB89BD4F544625EB4A577F6EF38C50AC340
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 71b3dc1032e7b852d429d3288fc6d56ff3ef19d98c02d1d103b4f123b92fc1f1
              • Instruction ID: 5c003effdee5129b35cf12aebe167f862a01b0c8d0d2f43ab9f1123e32a30f31
              • Opcode Fuzzy Hash: 71b3dc1032e7b852d429d3288fc6d56ff3ef19d98c02d1d103b4f123b92fc1f1
              • Instruction Fuzzy Hash: 8C0203B21082A489F7768B26C9413FA7BE2E759788F254906FB8A435F5D738C9C1D720
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2e375be9be99e9838cc7803ed6e7672458d2ec84ccfc9a0c18b017f9565b827c
              • Instruction ID: c2c66f55aa66479377f68c186b881699d763759fa92e2ffabb716b860ed1a50b
              • Opcode Fuzzy Hash: 2e375be9be99e9838cc7803ed6e7672458d2ec84ccfc9a0c18b017f9565b827c
              • Instruction Fuzzy Hash: CD224D72710A8091EB12EB72D4913EE6765FB987C8F904116FB4E876BAEF38C245C710
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f513173c25ae17789a403cea68c9e18d94625c6d02a52581dcb230289bad16b3
              • Instruction ID: 217fabc6e38e1d640ccd999207fddb20e056db183073941d35cbdb4b11e649c3
              • Opcode Fuzzy Hash: f513173c25ae17789a403cea68c9e18d94625c6d02a52581dcb230289bad16b3
              • Instruction Fuzzy Hash: 10229B72620A8091EB12EB62E4957EE2365F79D7C4F814022FB4E576BBDF38C609C750
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6ed167cb2d41bf65051b1e1e6ca4fc372791feb4efe79826a7b7afb1d034e643
              • Instruction ID: 3448a1cfdf5732c1482eebf940cb1862e5db89764351cf67f11e8459266109f6
              • Opcode Fuzzy Hash: 6ed167cb2d41bf65051b1e1e6ca4fc372791feb4efe79826a7b7afb1d034e643
              • Instruction Fuzzy Hash: CD026C727006418AEB12DF26D4907EE73A6F788BC4F614525EB0E977AADF34D90AC740
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8296aae514971c10519780c04e533f569930ad849b100b0340065f0f39cb86db
              • Instruction ID: a963730c34943060851cd64ea719675db259de8104656558a9074d2de6a51302
              • Opcode Fuzzy Hash: 8296aae514971c10519780c04e533f569930ad849b100b0340065f0f39cb86db
              • Instruction Fuzzy Hash: 41128F7222468096FB52EB22D4917EE6765FBD93C8F811022FB4E57AABDF38C505C710
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: File$ClosePointerRead
              • String ID:
              • API String ID: 2610616218-0
              • Opcode ID: 7143a5c6610a1d6c64d90f9f482d46906b2fb304c1b882e3a2c027de9ff018e4
              • Instruction ID: 5afa6d75f76fbbc9d7f53df6043056336d1db5d7591574d5123318d553f9c856
              • Opcode Fuzzy Hash: 7143a5c6610a1d6c64d90f9f482d46906b2fb304c1b882e3a2c027de9ff018e4
              • Instruction Fuzzy Hash: 19124E3272469096EB12EF72D8913DE6765FB987C8F815022BB0D57AABDF34C605C710
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: File$PointerRead
              • String ID:
              • API String ID: 3154509469-0
              • Opcode ID: 6fe5d38ad1f8690ed4216c8729f4cdddbe586800c401b9c27fb863a53c2b00d8
              • Instruction ID: ac8bef764291a5126b18a53dad73757551fec454a5992e6944e07fe4b855ac86
              • Opcode Fuzzy Hash: 6fe5d38ad1f8690ed4216c8729f4cdddbe586800c401b9c27fb863a53c2b00d8
              • Instruction Fuzzy Hash: 2A023B32724A80A2FB52EB72D4913EE6764FB983C4F815022BB4D57AEADF35C545C710
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: File$PointerRead
              • String ID:
              • API String ID: 3154509469-0
              • Opcode ID: 4f031dda890f5b6590393d19acee77402144b9c4bbfec744419d7f2e8af65a5e
              • Instruction ID: 5d574d698b33f004de0812fa71b34c36bbdae31478704d480fb686f148b39898
              • Opcode Fuzzy Hash: 4f031dda890f5b6590393d19acee77402144b9c4bbfec744419d7f2e8af65a5e
              • Instruction Fuzzy Hash: EB024C72324A8096FB12EB62D4913EE6765EB983D4FC15022BB4E57AEBDF34C605C710
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8d8f91d721c478637f80766b80e37fef242b82150883bd374cc6845ff3be0a72
              • Instruction ID: f0fb79f68922493fed5bc905321703954c20a875d362dace52344ff7232635a8
              • Opcode Fuzzy Hash: 8d8f91d721c478637f80766b80e37fef242b82150883bd374cc6845ff3be0a72
              • Instruction Fuzzy Hash: D7029272320AA19AEB42DF36C8917EE2724F748789F805016FF4B57AAAEF35C545C740
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: File$ClosePointerRead
              • String ID:
              • API String ID: 2610616218-0
              • Opcode ID: 5ad00df89051eaa49967073b66a19c6f1da8073d71a21332a449de5316238ce7
              • Instruction ID: 9c3e8f75c9e591130820bb2956cb3806339feb13e112d9af22726fcddd3bd126
              • Opcode Fuzzy Hash: 5ad00df89051eaa49967073b66a19c6f1da8073d71a21332a449de5316238ce7
              • Instruction Fuzzy Hash: 12026C32314A8095FB52EB72D4917EE2765EB983C4F805022BB4E97AEBDF35C649C710
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cfb671b366bed9e4c2a3244232a6f4841e324ae8991314f0a71ea1274cc59bec
              • Instruction ID: d0d419901b6e3c3183ee3913f1137c5e588d0fadc92f77f7791849e6aeb29d3b
              • Opcode Fuzzy Hash: cfb671b366bed9e4c2a3244232a6f4841e324ae8991314f0a71ea1274cc59bec
              • Instruction Fuzzy Hash: 8A029132614A8095EB22EF32D4913EE6765FB98388F904412FB4E57AFADF34C649C750
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8628cbc9b8bcec906eb13e1749cf98f7733fb765f57ce8d6e25bc333673632f2
              • Instruction ID: fccd9241a873054b7c24d42fb58abb6f012b2f7f19fe3a4c061a127f88627f2a
              • Opcode Fuzzy Hash: 8628cbc9b8bcec906eb13e1749cf98f7733fb765f57ce8d6e25bc333673632f2
              • Instruction Fuzzy Hash: 41E18E3271068095FB12EB76D8917EE6765EB983C8F804021BB0D5BAEBEF35C645C740
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8c0f4076e790a67f6d98515807fb9bce675ae33bef5415c9236f66c5c68241f2
              • Instruction ID: 02ee9b89192d395c78975687d30e6fb06be8b995001c736011e159ca0d17724c
              • Opcode Fuzzy Hash: 8c0f4076e790a67f6d98515807fb9bce675ae33bef5415c9236f66c5c68241f2
              • Instruction Fuzzy Hash: E2E13D32714A4095EB02EB66D4913EE6765FB983D8F900012FB4D97AFAEF34CA49C750
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e31cd9d0c2abe67ba1f982af43b8ae355da1bd35b9ac6401d5f88127279679d0
              • Instruction ID: 95da75048f27146dafc5de9d612871b80806eb61125b8034b1f63b71f4cba504
              • Opcode Fuzzy Hash: e31cd9d0c2abe67ba1f982af43b8ae355da1bd35b9ac6401d5f88127279679d0
              • Instruction Fuzzy Hash: 47F12C3262498096EB12EB62D8513ED6365FBD8388F814522BB4E479FBEF74CA05C750
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 88ffde5285e374d450e796d5cd304a5fa7d017e996fe3ac39e62eede96bb0df1
              • Instruction ID: cf5fdc312f2229dc6ff813412d90ddbabd12b8e4de7574aebc9877f7d05b411a
              • Opcode Fuzzy Hash: 88ffde5285e374d450e796d5cd304a5fa7d017e996fe3ac39e62eede96bb0df1
              • Instruction Fuzzy Hash: 28D19032711A4195EB12EB76D4903EE23A1EB993C4F844425BF4E57BEAEF38C605C350
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 16253b5d55ff71ace7e49d720cc951c571e11621ee8e21fa8c6a30ce5dfdcbdc
              • Instruction ID: bf23390ce128f79092fde7b2b9043ef6653a4f1b38eae35900255c6e9c132ad5
              • Opcode Fuzzy Hash: 16253b5d55ff71ace7e49d720cc951c571e11621ee8e21fa8c6a30ce5dfdcbdc
              • Instruction Fuzzy Hash: ABC1D4231282D04BD7569B3764503FAAE91E79A3C8F280655FFC997AEBD63CC2149B10
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7584585ec3b4b53ec8fb5b27a8843822aad1f1e51d0aa4fbe30674dd8de1ab0d
              • Instruction ID: d0d512be425b72175eef7d799d9923e381f6a995b1e0446f0295c878f1c0c086
              • Opcode Fuzzy Hash: 7584585ec3b4b53ec8fb5b27a8843822aad1f1e51d0aa4fbe30674dd8de1ab0d
              • Instruction Fuzzy Hash: CED13972724A4091EB02EB76D4913EE6765F7983C8F904016BB4D97ABAEF38C605C750
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp Download File
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: da2952e0823b3d5a59f73c7ab384f762a6d9a624e53a469d815e2d2c0d7a72ca
              • Instruction ID: 96955b53f7f5b4430e01eb0035ad3df088e7672fa3a311151148bede835f9000
              • Opcode Fuzzy Hash: da2952e0823b3d5a59f73c7ab384f762a6d9a624e53a469d815e2d2c0d7a72ca
              • Instruction Fuzzy Hash: E7C16136B0564089FB22EB76D0613EF27A1AB9C388F554425BF4E976FADE34C506C740
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp Download File
              Yara matches
              Similarity
              • API ID: FileFindNext
              • String ID:
              • API String ID: 2029273394-0
              • Opcode ID: f2e071e7f6ab674ec47851a4750d1b7c0b6bf997477befec93a155f2d50e3c60
              • Instruction ID: 08807915bc927436db1a901aa043915a979950c5e23cf508b5f0d65b77d78aa9
              • Opcode Fuzzy Hash: f2e071e7f6ab674ec47851a4750d1b7c0b6bf997477befec93a155f2d50e3c60
              • Instruction Fuzzy Hash: 0CD17032614A8096EB02EB26D4513EE6364FBD97C4F815122FB4D57AEBDF38CA05C750
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp Download File
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 29c98a7c03b056bf897b50c999e530441a062f43ea8ff7e63b9bd448889a0739
              • Instruction ID: f96005f1b71c62cd91ec633b0fa556b6f093996ab6e40a041e3cbd638a23d0d9
              • Opcode Fuzzy Hash: 29c98a7c03b056bf897b50c999e530441a062f43ea8ff7e63b9bd448889a0739
              • Instruction Fuzzy Hash: C1C1BD3270164096FB12EF76D4413ED23A4EB883A8F484622BF2D57AE6EF38D955D350
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp Download File
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 005ad93020e0817431c5e85dbe6d11178de2602f8c4bd9af456519582a9ff990
              • Instruction ID: 38de139323f3e079e5738bdd278af51575638bb101dd3218b17e6965c0953cb4
              • Opcode Fuzzy Hash: 005ad93020e0817431c5e85dbe6d11178de2602f8c4bd9af456519582a9ff990
              • Instruction Fuzzy Hash: 1DB16A3671062094FB46EBA2D8A17DE2365BB89BC8F825025FF0D67BA7DE38C505C354
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp Download File
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f425d040841da7f8aca5576ff87e7ae9262ef18f39f843680b29a7b76c8902f7
              • Instruction ID: bfe4e87f351d28bd3d3693bc96d2151355ab9388d993d4a46e39ffd0a3f78ad6
              • Opcode Fuzzy Hash: f425d040841da7f8aca5576ff87e7ae9262ef18f39f843680b29a7b76c8902f7
              • Instruction Fuzzy Hash: E6C16332704A809AFB22EBB2D4513EE2365AB9C3D8F854521BF1E676EADF30C505C354
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp Download File
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bcfd4a30f1a27aef1054c36b1d99c0610af0cc08103e55e4b01f0e7caa7c836f
              • Instruction ID: f23c3879964f3f83b961310f1bad7f7be1ef7afa2b68ec7d59790f469601a501
              • Opcode Fuzzy Hash: bcfd4a30f1a27aef1054c36b1d99c0610af0cc08103e55e4b01f0e7caa7c836f
              • Instruction Fuzzy Hash: A9A10231211E8145EBA79A2798543EF27A6AB8C3D4F645825FF0E5B6E9EF34C901C700
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp Download File
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 16274a22d167cb7459d5025cfc47ed7afc639167fa2c9c1057ca1fd72c03709f
              • Instruction ID: c0d98bc7e162404dc537a7c1af49e5fbe25e03b535df8b2493956c53732576b9
              • Opcode Fuzzy Hash: 16274a22d167cb7459d5025cfc47ed7afc639167fa2c9c1057ca1fd72c03709f
              • Instruction Fuzzy Hash: B2A114F31182A486FB778A2685413FA7FE2E719789F254402FB8A435F6C63CC985D720
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp Download File
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 39a77b3ded0776d671925a3aad9e7cc492f01908de9f9e7db45f2ad695b1e2ca
              • Instruction ID: d17e179c4ad3c1814a715198efb3da372d22ab0628f3c9d9f6a3a053a6971865
              • Opcode Fuzzy Hash: 39a77b3ded0776d671925a3aad9e7cc492f01908de9f9e7db45f2ad695b1e2ca
              • Instruction Fuzzy Hash: 79A1903271164045EB22EB7298507EE67E6AB9C3C8F550925BF4D47BEAEF34CA068310
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp Download File
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8bb3ae0ca8b09634f6b3eb7f35d10a75bd1e51e3d218a5b4533eb8f41dc86bd2
              • Instruction ID: 7cb660c1bafc6db3c15f0a4866a94b05aa7759728bb06ab0739d07cd917ce7e2
              • Opcode Fuzzy Hash: 8bb3ae0ca8b09634f6b3eb7f35d10a75bd1e51e3d218a5b4533eb8f41dc86bd2
              • Instruction Fuzzy Hash: 33B18C7262464191EB12EB62E4913EE6365FB9C7C4F801022FB4E47ABBDF38C649C750
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp Download File
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dc8327572ae460ec67bee7642bc1df1dfc8e00bf19c98c3d2f0bb37742338d2b
              • Instruction ID: ff1b56ecf022c2229069a5389c0477a62f006b84fd5f9f69eebb894724ab9066
              • Opcode Fuzzy Hash: dc8327572ae460ec67bee7642bc1df1dfc8e00bf19c98c3d2f0bb37742338d2b
              • Instruction Fuzzy Hash: 44A125F21182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp Download File
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 92fc6e297697f72d3d55b197ac04fe50775a4f95a26f4c9e919e5e137ab98750
              • Instruction ID: f965aa676d2cc64f6a485257af634002c7fef1377d4791c8bed9b1b7e56d6411
              • Opcode Fuzzy Hash: 92fc6e297697f72d3d55b197ac04fe50775a4f95a26f4c9e919e5e137ab98750
              • Instruction Fuzzy Hash: 79A115F31182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp Download File
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1e075c1df208aa39fb877a834bfc4403f559291216783e55fb63477ae2eadfdc
              • Instruction ID: 86c182e730ead1fa639f737d8458d4edb1cdee6041daaa12aedc2aef895c7c0c
              • Opcode Fuzzy Hash: 1e075c1df208aa39fb877a834bfc4403f559291216783e55fb63477ae2eadfdc
              • Instruction Fuzzy Hash: 83A115F31182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp Download File
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b68406ce4345875cbc0110dbe212228596ffa7fd34d07f9d141f7f6a9cf54bfa
              • Instruction ID: 7a8579acbe1e06e5dcc528155c10978c06d1d02f61772b3afab02cdca005db6d
              • Opcode Fuzzy Hash: b68406ce4345875cbc0110dbe212228596ffa7fd34d07f9d141f7f6a9cf54bfa
              • Instruction Fuzzy Hash: 3EA115F31182A489FB778A2685413FA7FE2E719789F254402FB8A435F6C23CC985D720
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp Download File
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 20a2fa5d4e375044cfc16d96b5b502da69406d12098659286745a9d4aecf6a6c
              • Instruction ID: 9b5f4d2890da7bc9148b0c777fb781a5a0913674a9f0c1f21bc34f13756e8484
              • Opcode Fuzzy Hash: 20a2fa5d4e375044cfc16d96b5b502da69406d12098659286745a9d4aecf6a6c
              • Instruction Fuzzy Hash: 37A114F31182A489FB778A2685413FA7FE2E719789F254402FB8A475F6C23CC985D720
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp Download File
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f08ee0d756057847edd0d181a5b9af1eeafec0c3c2ab46f94514504cf2ba2413
              • Instruction ID: 9e8436de532ad8a8b9d83a7ce7f67d33a1e65f1b543d517c902b78be038a8119
              • Opcode Fuzzy Hash: f08ee0d756057847edd0d181a5b9af1eeafec0c3c2ab46f94514504cf2ba2413
              • Instruction Fuzzy Hash: 6FA19F3271464095EB22EB72D4913EE63A5A78C7C8F914426FF0D57AFAEE38C609C750
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp Download File
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b042d90c0f8c1feaf42d72467fc8ea1d5898c5b9afd74594c11dc23e78b13021
              • Instruction ID: 891caef274385c1d9a1a05b5f8e139ad0eea2bdcde326525a3acf11d5ee056db
              • Opcode Fuzzy Hash: b042d90c0f8c1feaf42d72467fc8ea1d5898c5b9afd74594c11dc23e78b13021
              • Instruction Fuzzy Hash: 79918D7270164095EB16EF66E4507EE23A5ABDC7C4F448425BF4E97BA6EE34C906C340
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp Download File
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ffbe6308135d328368ba6e9feb645de76e7bbd7f117e61bb4bfab8f265377797
              • Instruction ID: 09ec91f3f7d35e473cfa3e72b303784d96220d522314983c3d838af10b8059fe
              • Opcode Fuzzy Hash: ffbe6308135d328368ba6e9feb645de76e7bbd7f117e61bb4bfab8f265377797
              • Instruction Fuzzy Hash: C4A16E32314A8095FB22EB72D8513EE2365EB987D4F940426BB4D57AFADF34CA05C710
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp Download File
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ce67bfafa3a41e60d72f08d4a165a2184096e63d57257d43e1b540ba17e5e704
              • Instruction ID: 9282ef7f3f2e177ec3162a27807bc3d77d508fe5c2bed51c5ff564ba7b898efa
              • Opcode Fuzzy Hash: ce67bfafa3a41e60d72f08d4a165a2184096e63d57257d43e1b540ba17e5e704
              • Instruction Fuzzy Hash: 99912232B15A4099FB12EBB2D4913ED23659B9C7C8F814525BF0DA76EBEE34C609C350
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp Download File
              Yara matches
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0
              • Opcode ID: 32bffcc2ddfcb3d691dc0d2c9b892c77d94147a7b8145dc7682b20892f7e7318
              • Instruction ID: a01e236db0e61280ae7bc249da652572acbbc64743681568c883ee8cb5c556df
              • Opcode Fuzzy Hash: 32bffcc2ddfcb3d691dc0d2c9b892c77d94147a7b8145dc7682b20892f7e7318
              • Instruction Fuzzy Hash: D7916C3272468092FB12EB62D4957DE6365FB9C7C4F811022BB4D43AABDF78C544CB10
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp Download File
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bede4ae264e8185b0f9f24becd31f8195eff363a0612df846459a6d3a9af60c0
              • Instruction ID: 348a5c641c523964159132b8cb670365254cd557f13034448bd6fc243d7f1d42
              • Opcode Fuzzy Hash: bede4ae264e8185b0f9f24becd31f8195eff363a0612df846459a6d3a9af60c0
              • Instruction Fuzzy Hash: AB81503271064095FB12EB76D8913EE63A5AB9D7C8F944621BF0D4BAEAEF34C605C350
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp Download File
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c5a72caf03c22970d4fef77dedbe1bee6898f8b085468b7394fac77d0cc2e7ab
              • Instruction ID: 4362bffb4ce140633d60009826b42a117c21897de7dbf4a94b418fc321f1d931
              • Opcode Fuzzy Hash: c5a72caf03c22970d4fef77dedbe1bee6898f8b085468b7394fac77d0cc2e7ab
              • Instruction Fuzzy Hash: 35812032714A809AFB12EB72D4513ED2365EB9C388F814425BB4E67AEBEF35C605C354
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp Download File
              Yara matches
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0
              • Opcode ID: 2ea0aee7501054cc679b21b17b3ec8bdf9c6d9fd89a4ddb5a7d9a4c31d441e67
              • Instruction ID: a8b049447ef23dc7a2f3147d56ae0c312f8ac6a7955db6ed7517384e00930876
              • Opcode Fuzzy Hash: 2ea0aee7501054cc679b21b17b3ec8bdf9c6d9fd89a4ddb5a7d9a4c31d441e67
              • Instruction Fuzzy Hash: 0371893270264096FB66AB7294503EE6391EB9C7C8F054526BB1D47BEAEF39C905C360
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp Download File
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 53d7b3c9e63ec17fbb3decf34851c1318d937a82485f1e960baa699eab580419
              • Instruction ID: 4c1290556f20f3e20b66d81894b0d385f6ea8bc2319cc982c81cb2944955426d
              • Opcode Fuzzy Hash: 53d7b3c9e63ec17fbb3decf34851c1318d937a82485f1e960baa699eab580419
              • Instruction Fuzzy Hash: 6E61B031301A4041EA66E737A9517EF97929F9D7D0FA44621BF5E877FAEE38C9028700
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp Download File
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 17ec1b3edf0780c5c25e1336ba948ef3e7aec6e0b63b2610df3acb1851feab05
              • Instruction ID: 50d9e92313d7fbe24902196c924c1612cff9653e99501bbf2772a847790ebefc
              • Opcode Fuzzy Hash: 17ec1b3edf0780c5c25e1336ba948ef3e7aec6e0b63b2610df3acb1851feab05
              • Instruction Fuzzy Hash: 7D618D3271464496FB22EB72C0913EE23A5ABDC7C8F854422BF4D57AEAEE35C501C791
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp Download File
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e611ef6babe13b88f779e8dc5a7611e7c7a64f37548e21c7e35d19833addd5d9
              • Instruction ID: f8f81a1e6eeb4aa67bd22a5a7a70358e1ddf5b3241a247c9d5674b6b5ab46101
              • Opcode Fuzzy Hash: e611ef6babe13b88f779e8dc5a7611e7c7a64f37548e21c7e35d19833addd5d9
              • Instruction Fuzzy Hash: 9061C43262465091FB21EB26E0517EE6360FBCD7C4F815122BB5D47AEAEF79C541CB10
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp Download File
              Yara matches
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0
              • Opcode ID: 2d057d9775497d8ce77184132c21eb618076589cfab5adda7cc754a5fd0d3834
              • Instruction ID: f33abad4c1c8ba015261be05896130ca5dc3e7c07ce7e813c180037223ea8262
              • Opcode Fuzzy Hash: 2d057d9775497d8ce77184132c21eb618076589cfab5adda7cc754a5fd0d3834
              • Instruction Fuzzy Hash: 08718E32714A809AEB12EF76D4913EE7761F798388F844026FB4D47AAADF74C548CB10
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: File$ClosePointerRead
              • String ID:
              • API String ID: 2610616218-0

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID: File$PointerRead
              • String ID:
              • API String ID: 3154509469-0

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:

              Memory Dump Source
              • Source File: 00000000.00000002.315620644.0000000140001000.00000020.00020000.sdmp, Offset: 0000000140000000, based on PE: true
              • Associated: 00000000.00000002.315579663.0000000140000000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315814640.0000000140080000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.315865629.0000000140092000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.315876509.0000000140094000.00000002.00020000.sdmp
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:

              Executed Functions

              APIs
              Memory Dump Source
              • Source File: 00000002.00000002.394726211.0000024EC1AF0000.00000040.00000001.sdmp, Offset: 0000024EC1AF0000, based on PE: true
              Similarity
              • API ID: ProtectVirtual$NodeRemove
              • String ID:
              • API String ID: 3879549435-0

              APIs
              • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000024EC1AF29A8), ref: 0000024EC1AF20A7
              Memory Dump Source
              • Source File: 00000002.00000002.394726211.0000024EC1AF0000.00000040.00000001.sdmp, Offset: 0000024EC1AF0000, based on PE: true
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0

              Non-executed Functions

              Executed Functions

              APIs
              Memory Dump Source
              • Source File: 00000003.00000002.295128758.0000013EDF8B0000.00000040.00000001.sdmp, Offset: 0000013EDF8B0000, based on PE: true
              Similarity
              • API ID: ProtectVirtual$NodeRemove
              • String ID:
              • API String ID: 3879549435-0

              APIs
              • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000013EDF8B29A8), ref: 0000013EDF8B20A7
              Memory Dump Source
              • Source File: 00000003.00000002.295128758.0000013EDF8B0000.00000040.00000001.sdmp, Offset: 0000013EDF8B0000, based on PE: true
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0

              Non-executed Functions

              Executed Functions

              APIs
              Memory Dump Source
              • Source File: 00000007.00000002.302821541.000001970B0F0000.00000040.00000001.sdmp, Offset: 000001970B0F0000, based on PE: true
              Similarity
              • API ID: ProtectVirtual$NodeRemove
              • String ID:
              • API String ID: 3879549435-0

              APIs
              • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001970B0F29A8), ref: 000001970B0F20A7
              Memory Dump Source
              • Source File: 00000007.00000002.302821541.000001970B0F0000.00000040.00000001.sdmp, Offset: 000001970B0F0000, based on PE: true
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0

              Non-executed Functions

              Executed Functions

              APIs
              Memory Dump Source
              • Source File: 00000009.00000002.309689799.000001746F720000.00000040.00000001.sdmp, Offset: 000001746F720000, based on PE: true
              Similarity
              • API ID: ProtectVirtual$NodeRemove
              • String ID:
              • API String ID: 3879549435-0

              APIs
              • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000001746F7229A8), ref: 000001746F7220A7
              Memory Dump Source
              • Source File: 00000009.00000002.309689799.000001746F720000.00000040.00000001.sdmp, Offset: 000001746F720000, based on PE: true
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0

              Non-executed Functions

              Executed Functions

              APIs
              Memory Dump Source
              • Source File: 00000012.00000002.424212007.0000023517610000.00000040.00000001.sdmp, Offset: 0000023517610000, based on PE: true
              Similarity
              • API ID: ProtectVirtual$NodeRemove
              • String ID:
              • API String ID: 3879549435-0

              APIs
              • VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,00000235176129A8), ref: 00000235176120A7
              Memory Dump Source
              • Source File: 00000012.00000002.424212007.0000023517610000.00000040.00000001.sdmp, Offset: 0000023517610000, based on PE: true
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0

              Non-executed Functions

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$Process$Free$AllocCloseHandle$memset
              • String ID: %s%s$%s*$%s\%s$CleanupFiles$Dwz ERROR: %s:%d - hr = 0x%08X$Dwz IGNORED: %s:%d - hr = 0x%08X$Dwz WARNING: %s:%d - hr = 0x%08X$inuse
              • API String ID: 949893886-1400879981

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$Process$Alloc$Free$CloseHandlePrintReport_vsnprintfmemset
              • String ID: %systemroot%\system32\msdt.exe$Dwz ERROR: %s:%d - hr = 0x%08X$DwzSubmitWERReport$ScriptedDiagFailure$WorkerThread
              • API String ID: 1967476393-1460565312

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$FreeProcess$AllocCurrentDirectoryStringVariant$ClearErrorInitLast
              • String ID: Met ERROR: %s:%d - hr = 0x%08X$PackageCollection::LoadConfigFile$cfg:PackageConfiguration/cfg:Execution/cfg:Package[@Path]
              • API String ID: 208484768-1728884388

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$Process$AllocFreePrint_vsnprintf
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$UploadFilePage::OnWizNext$lstView
              • API String ID: 1684767720-1100023230

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$DescriptorFreeProcessSecurity$AllocConvertErrorLastLocalPrintString_vsnprintf
              • String ID: D:(A;;GA;;;BA)(A;;GA;;;SY)$Dwz ERROR: %s:%d - hr = 0x%08X$ServerElevationPipe::Initialize$\\.\pipe\%s
              • API String ID: 3662569577-2018940365

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: DirectInitializeMessage@MultipleObjectsPage@PropSendSheet_TaskUninitializeWait
              • String ID: DownloadFile$Dwz ERROR: %s:%d - hr = 0x%08X$Dwz IGNORED: %s:%d - hr = 0x%08X$KillUI$Packages_DifferentRCs$Packages_ReleaseEngine$ReloadPackages$WorkerTaskComplete$WorkerThread
              • API String ID: 2512504573-3478808443

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$Process$AllocFreePrint_vsnprintfmemset
              • String ID: %s%s$%s\*$Dwz ERROR: %s:%d - hr = 0x%08X$UploadFilePage::AddPath
              • API String ID: 734778969-2039928992

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: ErrorHeapLastmemset$FileFreeModuleNamePrintProcess_vsnprintf
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$Mode::Elevate$runas
              • API String ID: 350542464-1412466692

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: ClipboardHeap$GlobalProcessStream$AllocCloseCreateDataEmptyErrorFreeFromLastOpen
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$UploadFilePage::Copy
              • API String ID: 3475565003-1169734580

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$FreeProcess$AllocPrintString_vsnprintf
              • String ID: <Answers />$Answers::LoadSupportAnswers$Dwz ERROR: %s:%d - hr = 0x%08X$Interaction$Value
              • API String ID: 3645034916-4109931451
              • Opcode ID: cf9bc0298f04c21c71eb111bdac6a5ab6332367b680763bcc07550faa5b64d3b
              • Instruction ID: 723cd211ca658f6abf6d0cda273f4d334afaca319e8d1bc624f0995d45f9ccf9
              • Opcode Fuzzy Hash: cf9bc0298f04c21c71eb111bdac6a5ab6332367b680763bcc07550faa5b64d3b
              • Instruction Fuzzy Hash: 8EC18136B48B46C6EB15ABA5EA606E927A1FF48B98F40013ACE4DD7798DF3CD405C340
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Variant$AllocClearCreateInitInstanceString
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$DwzXmlLoad
              • API String ID: 3126708813-134523199
              • Opcode ID: c4fba298d34dc62bcc4a7c513ee7c5c7ba6a37ee867deb5808897c88eb7715de
              • Instruction ID: b433174c708fce7fd69da61a96250e473695a9aecded7df8140c89e36294c396
              • Opcode Fuzzy Hash: c4fba298d34dc62bcc4a7c513ee7c5c7ba6a37ee867deb5808897c88eb7715de
              • Instruction Fuzzy Hash: 69419F35B48A8AC6EB119FA5E9649E82360FF58B88F50423ADE8DD7765DF3CD542C300
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetProcessHeap.KERNEL32 ref: 00007FF68F2BC30A
              • HeapFree.KERNEL32 ref: 00007FF68F2BC318
                • Part of subcall function 00007FF68F2BC5A0: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,00007FF68F2BC3B0), ref: 00007FF68F2BC63B
                • Part of subcall function 00007FF68F2BC5A0: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,00007FF68F2BC3B0), ref: 00007FF68F2BC64C
                • Part of subcall function 00007FF68F2BC5A0: SysFreeString.OLEAUT32 ref: 00007FF68F2BC7A3
                • Part of subcall function 00007FF68F2BC5A0: SysFreeString.OLEAUT32 ref: 00007FF68F2BC7B7
                • Part of subcall function 00007FF68F2BC5A0: SysFreeString.OLEAUT32 ref: 00007FF68F2BC7CB
                • Part of subcall function 00007FF68F2BC5A0: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,00007FF68F2BC3B0), ref: 00007FF68F2BC7DB
                • Part of subcall function 00007FF68F2BC5A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,00007FF68F2BC3B0), ref: 00007FF68F2BC7E9
                • Part of subcall function 00007FF68F29CF60: _vsnprintf.MSVCRT ref: 00007FF68F29CF9F
                • Part of subcall function 00007FF68F29CF60: DbgPrintEx.NTDLL ref: 00007FF68F29CFD8
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$Free$ProcessString$AllocPrint_vsnprintf
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$DwzSqmCustomTelemetry
              • API String ID: 2372522076-2889146382
              • Opcode ID: bb8824388bcfb81662fc20f27e3fd4b583010680fcea4fb07d22ff65223d62c7
              • Instruction ID: f1496b5e3ebd7e2d7bf84c489979184e72620643ac4dad3687092cd6e569c9df
              • Opcode Fuzzy Hash: bb8824388bcfb81662fc20f27e3fd4b583010680fcea4fb07d22ff65223d62c7
              • Instruction Fuzzy Hash: 24817772B48B06C6EB24ABA5DA606E833A5BF44B84F50093ADE1DD7799DF3CE505C340
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: HeapHttp$ErrorLast$CloseHandle$FileFreeProcess$AllocGlobalmemset$CreateDataHeadersQueryReadReceiveResponseSizeWrite
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$PUT$h$msde/10.0
              • API String ID: 1329048128-1230979049
              • Opcode ID: 5db53b70e00f5b61f8059cbc45d1ed4dbc176924dbc01fd5d0a774b531c5c70a
              • Instruction ID: 6884f39fcfe62fda6419d8c2794c4bad0a7069942772498fd5a0ff9f7aabca99
              • Opcode Fuzzy Hash: 5db53b70e00f5b61f8059cbc45d1ed4dbc176924dbc01fd5d0a774b531c5c70a
              • Instruction Fuzzy Hash: 51815D31B08B56C9F710ABE69AA47B923A4BF44B94F10423DEE5983A94DF3DD445C310
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$FreeProcess$AllocString$Create$Eventmemset$ErrorLastThreadwcscmp
              • String ID: DefaultMode::Run$Dwz ERROR: %s:%d - hr = 0x%08X$Microsoft Corporation
              • API String ID: 1980556756-1853833513
              • Opcode ID: 666b36764250319b450659fff2bd7c97335796081de6ea6ad17cd2cc731b5963
              • Instruction ID: d036caf75e59900980f8266ff2b2624807809351a66f49955c624e3788df6257
              • Opcode Fuzzy Hash: 666b36764250319b450659fff2bd7c97335796081de6ea6ad17cd2cc731b5963
              • Instruction Fuzzy Hash: 55D13731B09647C6FA64ABE69A706B927D1BF44BA4F10453DC90EEB7A5EE3CE441C340
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$Process$Free$Alloc$Stringtowlower$memset
              • String ID: %s%s.debugreport.xml$%s%udebugreport.xml$Met ERROR: %s:%d - hr = 0x%08X$PackageCollection::DumpReport$debugreport.xml$resultreport.xml
              • API String ID: 2561523108-1109220371
              • Opcode ID: 8032bdc70fd7a54d23034ed4c01ab21ecfe7a7c246eabdc4bdbde1297c52ba27
              • Instruction ID: 141af807eae398d6aaf858ced39558b7f448e9477fef37eb2bc96c84aa7656c4
              • Opcode Fuzzy Hash: 8032bdc70fd7a54d23034ed4c01ab21ecfe7a7c246eabdc4bdbde1297c52ba27
              • Instruction Fuzzy Hash: 72B14C71B08A46C2FB15ABA6DA705F927A1BF54B88F10413ACE4ED7794EE7CE502C700
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$Process$ErrorLastToken$CurrentFreeOpenThread$AllocCloseConvertHandleInformationString
              • String ID: 2$D:(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)$Dwz ERROR: %s:%d - hr = 0x%08X$GetCurrentUserSid
              • API String ID: 2414413640-4022598621
              • Opcode ID: 8acdbc2a174283f9bdc159d6f33c651a3ec99160904e6c41abfaf54c690d4580
              • Instruction ID: 34fb8006eb7d30fcde4c842cce10656c900af3a487269fbfb7020b41415b87e5
              • Opcode Fuzzy Hash: 8acdbc2a174283f9bdc159d6f33c651a3ec99160904e6c41abfaf54c690d4580
              • Instruction Fuzzy Hash: 4E514A30F08B4BC6F710ABE6AA746BA6390BF84B94F40453DDD49D6694DF6CE845C710
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: FreeHeapString$AllocProcess
              • String ID: %s%c%s$+$Configuration::LoadKeywordsFromFile$Dwz ERROR: %s:%d - hr = 0x%08X
              • API String ID: 3351553325-1006213432
              • Opcode ID: dd31a2ad60831b7173fad545eb3a67f58b2df66b44e9967d818a3644d3e0b646
              • Instruction ID: d44bc8da4a3e825e886888e1a3fd23f89ee2c3a0f4cf5bc0df28f80089996a22
              • Opcode Fuzzy Hash: dd31a2ad60831b7173fad545eb3a67f58b2df66b44e9967d818a3644d3e0b646
              • Instruction Fuzzy Hash: 24C1E935B09E46C5EB15ABE6EA742BD27A1BF44B88F04443ACE0EA7764DE3CD446D300
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$FreeProcess$AllocDescendent@DirectElement@FindStringV12@
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$FinalLinksPage::SetupRootCauseResult$checkicon$failicon$rcpic$txtResult$warningicon
              • API String ID: 3080287452-3118468517
              • Opcode ID: 25450a2b412c6d72c57cd831d82a9e03b6855d05c52f35c8060cde0854ba460a
              • Instruction ID: 7807130b6c82e0794a24e208d018d61ab14b6f59a36fcb5dba9599a620118938
              • Opcode Fuzzy Hash: 25450a2b412c6d72c57cd831d82a9e03b6855d05c52f35c8060cde0854ba460a
              • Instruction Fuzzy Hash: 3D714831B18B47C2FA21AB96AA74BB92790BF58B84F404139DD4ECB794DF2DE541DB00
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: DirectElement@$Heap$Descendent@FindFreeProcessV12@Visible@$Add@All@AllocCreateElement@2@1Parser@RemoveStringV12@@V32@@
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$FinalElevationPage::SetupRootCauseResult$rcpic$shieldicon$txtResult
              • API String ID: 194711208-1564018982
              • Opcode ID: abdef38ce9570efa7dcb3ccf7af531c393f608c976f6c65715179a561e37becd
              • Instruction ID: bc57b3686c5d72d799492ea9f839775af9cb61fd643aea56f6c0cac777814915
              • Opcode Fuzzy Hash: abdef38ce9570efa7dcb3ccf7af531c393f608c976f6c65715179a561e37becd
              • Instruction Fuzzy Hash: 2C812B31B08B16C2FB15ABA69A74BB923A1BF58B88F004539CD4DDB754EF2CE506C740
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: FreeString$Print_vsnprintf
              • String ID: ./ID$./Status$/Rootcauses/Rootcause$Detected$Fixed$Met ERROR: %s:%d - hr = 0x%08X$Not Fixed$Package::UpdateRootCausesWithVerifyXml
              • API String ID: 1465492589-3160399566
              • Opcode ID: 0d21c24f7856bd373f8e9bea4467a36be92157ff7e177b0d4e8470b56639ba2b
              • Instruction ID: ebf0f7da66950c5a48d1cd22eae20ac6ee6814da7a44df118947e981d36c88a7
              • Opcode Fuzzy Hash: 0d21c24f7856bd373f8e9bea4467a36be92157ff7e177b0d4e8470b56639ba2b
              • Instruction Fuzzy Hash: 5BC14736B08A46C6EB249BE5DA602F92760FF44B88F50023ADE1D97B98DF7CE445C740
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$Defer@DirectElement@Process$AllocFreePrintStart_vsnprintf
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$InteractivityPage::OnSetActive$http://$https://$linkContainer$mshelp://$rtf$txtDescription
              • API String ID: 1540969374-1596492424
              • Opcode ID: dc27a5d2d320fcf958ec7a4a20ec144664260e4df7a24989202ba1996ddd9eb0
              • Instruction ID: 497171436b7db0d6d4dc4fac3e147d5ff3db926a88b2b8dc6504e4716c3363de
              • Opcode Fuzzy Hash: dc27a5d2d320fcf958ec7a4a20ec144664260e4df7a24989202ba1996ddd9eb0
              • Instruction Fuzzy Hash: 79A14A31B08646C1FA15ABA29B607F92790BF44BD8F40423ACE1DD7B95DF2DE925C341
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Free$String$Heap$Process$AllocPrint_vsnprintf
              • String ID: Category$Dwz ERROR: %s:%d - hr = 0x%08X$Icon$Keyword$LoadHistoryXml$Name$Publisher$SupportKey$SupportProvider
              • API String ID: 701262114-3704760214
              • Opcode ID: a73b9080561afe5fe909a286b226fddd868e909cf047707f557b28fdd6c42c2f
              • Instruction ID: a856d5f8aefd0852c695e6594f64bbee62cc1722e6c53b7ec75ee97ea034c838
              • Opcode Fuzzy Hash: a73b9080561afe5fe909a286b226fddd868e909cf047707f557b28fdd6c42c2f
              • Instruction Fuzzy Hash: 7C915930B0DA4BC1EA11ABE6AA706F93390BF45B84F50453EDD0EDB696EE6CE505C340
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$Process$AllocDefer@DirectElement@Free$PrintStart_vsnprintf
              • String ID: %s%s$CommandLinkPage::OnSetActive$Dwz ERROR: %s:%d - hr = 0x%08X$Dwz IGNORED: %s:%d - hr = 0x%08X$cl1$cl2$cl3
              • API String ID: 4115621960-205329970
              • Opcode ID: f3a20b910a55502691a1d53d4553ca184c49cc47c9cb15c48e2fde7c3128eb23
              • Instruction ID: fc3e21fef79bbc3136346dc6367d89bd167fa13fe1e9020df662e6f656383d3a
              • Opcode Fuzzy Hash: f3a20b910a55502691a1d53d4553ca184c49cc47c9cb15c48e2fde7c3128eb23
              • Instruction Fuzzy Hash: 19A13C31B08A46C5F710ABA6E6617EA27A1BF44B88F40453ACD4DEBB99DF3CE505C344
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Free$String$Heap$Process_wcsnicmp$malloc
              • String ID: Configuration::LoadFromProvider$Dwz ERROR: %s:%d - hr = 0x%08X$http://$https://
              • API String ID: 865431186-3253336862
              • Opcode ID: 8c00c8d7d1eb20b0323f8d104a1e7a9fd7fe2714dc8a08c89cf15b8af2fb101c
              • Instruction ID: 66b0d2e8a2ae1e9f27041a724be37aff6f6efcf149ec9b91c5726a97178d848e
              • Opcode Fuzzy Hash: 8c00c8d7d1eb20b0323f8d104a1e7a9fd7fe2714dc8a08c89cf15b8af2fb101c
              • Instruction Fuzzy Hash: 7961FA75B09A56C5FB55AFA2DA602EC23A4FF48B88F044139DA4D97A48DF3CE556C300
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$Process$AllocFree$Print_vsnprintf
              • String ID: /DiagnosticResults/Name$DetailsMode::Run$Dwz ERROR: %s:%d - hr = 0x%08X$resultreport.xml$results.xml
              • API String ID: 1676906759-954303890
              • Opcode ID: 75e8b72256b7fb967f028772a023df68ac0d8fa3f1c5fef56c22147ee89ea762
              • Instruction ID: ab32c46980d96f64398349c1bec1ca4e339d254e4de6d2671bccc279b99412db
              • Opcode Fuzzy Hash: 75e8b72256b7fb967f028772a023df68ac0d8fa3f1c5fef56c22147ee89ea762
              • Instruction Fuzzy Hash: F1A14971B08A46C2FB11EBE2EA606FA6391BF44B94F40413AD94DEBB95DE7CE505C700
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Defer@DirectElement@FreeHeapString$AllocProcessStart
              • String ID: ConsentPage::OnSetActive$Dwz ERROR: %s:%d - hr = 0x%08X$http://$https://$linkContainer$linkInteraction$mshelp://$txtConsDescription
              • API String ID: 2719159082-3886039679
              • Opcode ID: dce354cb6e5937553796a2145d6285af0ea3846c9ab0d5687ebff35c1008af7a
              • Instruction ID: 8f7e681e7bd2d15135b2af85880be44a89b5528dea8043747d715e10e74d10f7
              • Opcode Fuzzy Hash: dce354cb6e5937553796a2145d6285af0ea3846c9ab0d5687ebff35c1008af7a
              • Instruction Fuzzy Hash: DF911E31B08656C5FB209BA5DA60AF927A0FF44B98F504239DD4DC7794EF2DE542C740
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$Free$Process$DescriptorErrorLastSecurityString$AllocConvertCreateKnownLocalPrintWell_vsnprintf
              • String ID: D:(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)$D:(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)(A;OICI;GA;;;%s)$Met ERROR: %s:%d - hr = 0x%08X$MetCreateSddl$MetCreateSecurityDescriptor$MetIsAdminToken
              • API String ID: 1454803486-2440399710
              • Opcode ID: 1bc8b24ca0565906fa6a78e6d98740be311e17c659376cd52f29c94b9f42fb43
              • Instruction ID: 55b8e0af36044de24461fc2c714bed7ad3e4184117903f4c3ee8c16042c0bd3b
              • Opcode Fuzzy Hash: 1bc8b24ca0565906fa6a78e6d98740be311e17c659376cd52f29c94b9f42fb43
              • Instruction Fuzzy Hash: FA516C76B0874AC2F710ABA5AA606FA6791BF84784F50003EDD4EC7655EF3CE609C740
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Free$HeapStringVariant$ClearEnvironmentExpandInitLibraryLoadProcessStrings
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$Provider::GetMetadata
              • API String ID: 3486057824-2990193657
              • Opcode ID: 3a8cea353f938bb07838961e5f76a3f6a388280bbdb1b295cacd987878217258
              • Instruction ID: 5eb441f5e9aeee7aa0ab73298fa53d316f2ba7c0671781f08bf4d942169fb47c
              • Opcode Fuzzy Hash: 3a8cea353f938bb07838961e5f76a3f6a388280bbdb1b295cacd987878217258
              • Instruction Fuzzy Hash: 41E11936B08A4AC6EB16DBE6D5A06ED23A1BF48B98F404539DE0DE7794DE2CE505C340
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: String$Free$AllocArraySafe$Destroy$CreateElementPrint_vsnprintfmemset
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$EngineCallback::Interact$EngineCallback::LoadSecurityBoundarySafe$EngineCallback::LoadSupportKey
              • API String ID: 84429861-1579081319
              • Opcode ID: d16cd9927cf4312b7a51ccf5fd711dcc41d383910682b5934f0c976dbf11aaaa
              • Instruction ID: 55b3ff0bd356fb6060c7914d994651a2625cafca0a18e24a14b47751cbe9ea9a
              • Opcode Fuzzy Hash: d16cd9927cf4312b7a51ccf5fd711dcc41d383910682b5934f0c976dbf11aaaa
              • Instruction Fuzzy Hash: AFB16F36B08A56C6FB20ABE1EA20AE927A1BF44B88F00013ADE4DD7755DF3CE555C350
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Class$Direct$Base@$Info$Info@2@$Heap$Lock@$CritE__@@ProcessPropertyRegister@$AllocElement@Exist@FactoryFreeInitialize@N@@@U32@
              • String ID: CCRichEdit
              • API String ID: 2849904843-1599404506
              • Opcode ID: a262d8a8cb98e2fe7ad6c631b534efe2f3585264fbba35b2cf5102cbf3d44e8e
              • Instruction ID: 0b09d50ac4980c599d3fea096bc63c0df30b1501fdad103809351b9e22fb7375
              • Opcode Fuzzy Hash: a262d8a8cb98e2fe7ad6c631b534efe2f3585264fbba35b2cf5102cbf3d44e8e
              • Instruction Fuzzy Hash: 4D411F35B09B4AC2E714ABA5EAB46A97361FF88B95F04413DCA4E837A4DF3CE505C700
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Class$Direct$Info$Info@2@$Element@$Base@Heap$Lock@Ptr@$CritE__@@ProcessPropertyRegister@$AllocExist@FactoryFreeInitialize@N@@@U32@
              • String ID: MsdtListView
              • API String ID: 1731092042-1508462088
              • Opcode ID: afa950dc268197d14c23dc42620c494d7494ff5aea0c924da0c41bfdabc5291c
              • Instruction ID: a734fecc32df47ae409d08eeb9c83beef12512823bccc939755856592eb9a61e
              • Opcode Fuzzy Hash: afa950dc268197d14c23dc42620c494d7494ff5aea0c924da0c41bfdabc5291c
              • Instruction Fuzzy Hash: 67413035B09A4AC2E710ABA2EA746E92361BF49B95F40413DCA4E877A4DF3CE509C700
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$Process$_wcsicmp$Alloc$Free
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$ValidateSupportKey$WorkerThread$s:ExpiredTokenException$s:InvalidLocaleException$s:InvalidTokenException$s:NoDiagnosticException
              • API String ID: 1921090231-2739067165
              • Opcode ID: 8a41b473dce673f46b44c91cd2907cd479d91a51e457b8a85d486a6545b87412
              • Instruction ID: 758480e93d201f67d12218d0f8a09b4ffcdda8cdb62f020f1dd0a33649202307
              • Opcode Fuzzy Hash: 8a41b473dce673f46b44c91cd2907cd479d91a51e457b8a85d486a6545b87412
              • Instruction Fuzzy Hash: 89515731B09B46C2F760ABAAAA612B927A0BF44B84F40443DCE0D8B799DF3CE545C740
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Free$String$Heap$Process
              • String ID: ./Name$./Parameter$./Value$Met ERROR: %s:%d - hr = 0x%08X$MetSubstituteXmlParameters
              • API String ID: 1137075025-3451192413
              • Opcode ID: cbf8b1c2c97c424ee8ca069dfe88793e547a585993960519b3158098dbe16a96
              • Instruction ID: d0ee36c03ca469aa779f39c1f1d2b7681946c3b37b45f59da3785db88533bf08
              • Opcode Fuzzy Hash: cbf8b1c2c97c424ee8ca069dfe88793e547a585993960519b3158098dbe16a96
              • Instruction Fuzzy Hash: 31C11936B19A5AC6EB15EBA5D9647ED2760BF48B98F00413ACE4E9B768DF7CD404C300
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Direct$AllocErrorHeapHost@Last$CurrentDestroy@Element@Element@2@FreeHookInitialize@PrintProcessThreadValueWindows_vsnprintf
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$WebBrowser::Create
              • API String ID: 2209618965-1243644046
              • Opcode ID: b9a6f8ed0200f7371e918287441cc920306e3616c774ebc04c90dfcde9a0f3b1
              • Instruction ID: 901a31aa8bc997a9bce20c7f18546ff0b8c3b2b09f905d46d3a00f4cf9bd7205
              • Opcode Fuzzy Hash: b9a6f8ed0200f7371e918287441cc920306e3616c774ebc04c90dfcde9a0f3b1
              • Instruction Fuzzy Hash: 36415D35B08B4AC6E720ABA5EA207E96395BF84B94F04023DC95DC77A4DF3CE914C350
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$FreeProcess$AllocPrintString_vsnprintfmemset
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$InteractivityPage::LoadRTF
              • API String ID: 20843794-916780754
              • Opcode ID: 4a721d38b8d6c4ed1ea390e933713b72233d0eb73648276f78d823b4109a5e9a
              • Instruction ID: 3bb2b32ed0f838025b6a12a15aa26fc1094f033ca669f5d0672e4b0d84fffa85
              • Opcode Fuzzy Hash: 4a721d38b8d6c4ed1ea390e933713b72233d0eb73648276f78d823b4109a5e9a
              • Instruction Fuzzy Hash: 2861A176F08A47C5EB14ABA2A9206F927A0BF44B98F144139DE0DEB794DF3DD905C344
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: String$Alloc$FreeVariant$Clear$Init
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$DwzXmlCreateElement
              • API String ID: 2512696500-2138915912
              • Opcode ID: ac0c3c29e0d6bbdf4b8c5e62a012988d49afdca5f38e993b0b2e37b2b00d0675
              • Instruction ID: 33be2526ba3c859a33a5a8344652a901d908db2466a68e0675aa5e9f9055f217
              • Opcode Fuzzy Hash: ac0c3c29e0d6bbdf4b8c5e62a012988d49afdca5f38e993b0b2e37b2b00d0675
              • Instruction Fuzzy Hash: E6513635B08F4AC5EB15ABA2DA64AF82360BF58BC8F14013ACE0D97B58DF29D445C340
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$AllocFreeProcessString$CloseOpen
              • String ID: DisplayName$Icon$Microsoft$PrivacyLink$Software\Microsoft\MSDE\Support\%s\$URL
              • API String ID: 3553575344-1793076966
              • Opcode ID: f3523e9828c340da1b9715ac9960a87dd796ca5df112e65ec9e657958c4a28d1
              • Instruction ID: f077c9aab86c9945e89200f2b1a18f40320041ab7fb5382cff03231854de8670
              • Opcode Fuzzy Hash: f3523e9828c340da1b9715ac9960a87dd796ca5df112e65ec9e657958c4a28d1
              • Instruction Fuzzy Hash: E0414271B08B46D2E7109BE6AA706EA6B90FF84B94F400039DE4DD7B56EEBCE505C340
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Free$ErrorLastLibraryLoadMetricsStringSystem$Image_wtol
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$DwzLoadSmallIcon
              • API String ID: 1288365690-3182917273
              • Opcode ID: 4e1c00d5485fbea7ebaa19b9856d6f56aae0421ca27d4f35b1aa39137ab4494d
              • Instruction ID: 83d7edb124a4396f2f74b27ce2844c6873eabeed968730085a54967ff0cd3487
              • Opcode Fuzzy Hash: 4e1c00d5485fbea7ebaa19b9856d6f56aae0421ca27d4f35b1aa39137ab4494d
              • Instruction Fuzzy Hash: A141AD36A0864AC2E710AB91E9243F967A0FF84BA4F540639DE5DC76D4CF7CE945C740
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000001,?,00000000,00007FF68F2AEF90), ref: 00007FF68F2AB13D
              • HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,Dwz ERROR: %s:%d - hr = 0x%08X,00000001), ref: 00007FF68F2AB14E
              • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,Dwz ERROR: %s:%d - hr = 0x%08X,00000001), ref: 00007FF68F2AB356
              • HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,Dwz ERROR: %s:%d - hr = 0x%08X,00000001), ref: 00007FF68F2AB364
              • SysFreeString.OLEAUT32 ref: 00007FF68F2AB372
                • Part of subcall function 00007FF68F29CF60: _vsnprintf.MSVCRT ref: 00007FF68F29CF9F
                • Part of subcall function 00007FF68F29CF60: DbgPrintEx.NTDLL ref: 00007FF68F29CFD8
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$FreeProcess$AllocPrintString_vsnprintf
              • String ID: /Packages/Interaction[@ID='%s']$Answers::AddCatchAllAnswer$Dwz ERROR: %s:%d - hr = 0x%08X$Packages$Value
              • API String ID: 3645034916-714125347
              • Opcode ID: 154ac189f3ed065b317c945407c0dca7739b1f6a1093bd60688cfff9272c3df7
              • Instruction ID: 1682bc5a0c68be4d70a703d223c15434a7579581d8cadaad810b42e4522fe121
              • Opcode Fuzzy Hash: 154ac189f3ed065b317c945407c0dca7739b1f6a1093bd60688cfff9272c3df7
              • Instruction Fuzzy Hash: 42716D31B08A46C5EB15ABE6EA606FA2791BF48BC8F44413ADE4DE7794DE3CE541C340
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Direct$Element@$Defer@FreeMessageSendString$Button@Click@Descendent@ExecuteFindPrintShellStartV12@_vsnprintfmemset
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$PackageContentsPage::OnListenedEvent$btnPrivacy$lstView
              • API String ID: 655088897-4236795132
              • Opcode ID: f5634f34459210dc89b7d9ca281fcd13a07a2d093729ce740b1e37d5f7e12cbc
              • Instruction ID: 67d6cbfb313a0ad5d7c26af10cbd6dfc5dc23c4409154a0f4739af323a0bfa4e
              • Opcode Fuzzy Hash: f5634f34459210dc89b7d9ca281fcd13a07a2d093729ce740b1e37d5f7e12cbc
              • Instruction Fuzzy Hash: 55414B32B04A4ACAFB10AFA5DA60BE827A1BF45758F404239DA1DD76D9EF7CE505C340
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Free$ErrorLastLibraryLoadString$Image_wtol
              • String ID: @$Dwz ERROR: %s:%d - hr = 0x%08X$DwzLoadIcon
              • API String ID: 835965209-3183829312
              • Opcode ID: 18998da981f9cf377ea9a916c4b732f4d1ba5757abe7850abc2664786356a908
              • Instruction ID: f437c15f1ec698422895151ee4af57a4717a077af30f8488c3455689cf0cfb4f
              • Opcode Fuzzy Hash: 18998da981f9cf377ea9a916c4b732f4d1ba5757abe7850abc2664786356a908
              • Instruction Fuzzy Hash: B0419D32A08A86C2E720AB91E9643F877A0FF84BA5F500639DA9DC76D4CF7CD945C740
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Free$String$Heap$DestroyImageList_Process
              • String ID:
              • API String ID: 2605455605-0
              • Opcode ID: a691cb800941535bfa4d61fb511a504fdc14bcec2580e8fd23f7271f1d0f3b13
              • Instruction ID: 87208f8c90dd31ee919d90ddf9da25e24677a65e9063a6fa9fb4b03306ee00fa
              • Opcode Fuzzy Hash: a691cb800941535bfa4d61fb511a504fdc14bcec2580e8fd23f7271f1d0f3b13
              • Instruction Fuzzy Hash: 93515D35605B45C6EB04AFA1DAA06B833A4FF45F91F044239CE5DA3BA8CF38D455D314
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$Process$Free$AllocPrint_vsnprintf
              • String ID: Met ERROR: %s:%d - hr = 0x%08X$MetExtractCab$PackageCollection::AddPackageCab
              • API String ID: 1593095059-112362098
              • Opcode ID: a208802f2bb6f870410322db790ed110215e220bd5cc39b2d8c279ebd6351cf7
              • Instruction ID: 710f64f58b75f551957a8d124cf51a80c31bf15044639f81e065841c519c1171
              • Opcode Fuzzy Hash: a208802f2bb6f870410322db790ed110215e220bd5cc39b2d8c279ebd6351cf7
              • Instruction Fuzzy Hash: 4D716B71B08A56C1F7109BA2AA606F92BA1BF44BC4F60803ADD0DDBB95DF7DE541C340
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$FreeProcess$AllocPrintString_vsnprintf
              • String ID: ./CommandLine$./ExtensionPoint/ButtonText$Dwz ERROR: %s:%d - hr = 0x%08X$InteractivityUIPage::Initialize
              • API String ID: 3645034916-2990690655
              • Opcode ID: f9f5e0354f46cdb98b0f38ee60c670293afa42d1721898cd09901702d37574cb
              • Instruction ID: 5279a8f3516118d3daeacc0d3ba87d6e5ad0fc3881b9370133120e5dd8ea8335
              • Opcode Fuzzy Hash: f9f5e0354f46cdb98b0f38ee60c670293afa42d1721898cd09901702d37574cb
              • Instruction Fuzzy Hash: D8713C71B08A4BD5EB159BA6DA607F927A0BF44BC8F10403ADE0DDBB95EE2DE501C344
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetProcessHeap.KERNEL32(?,?,00000000,?,00000001,00007FF68F29E8D2), ref: 00007FF68F29F8F3
              • HeapAlloc.KERNEL32(?,?,00000000,?,00000001,00007FF68F29E8D2), ref: 00007FF68F29F904
              • GetProcessHeap.KERNEL32(?,?,00000000,?,00000001,00007FF68F29E8D2), ref: 00007FF68F29FA8D
              • HeapFree.KERNEL32(?,?,00000000,?,00000001,00007FF68F29E8D2), ref: 00007FF68F29FA9B
                • Part of subcall function 00007FF68F29CF60: _vsnprintf.MSVCRT ref: 00007FF68F29CF9F
                • Part of subcall function 00007FF68F29CF60: DbgPrintEx.NTDLL ref: 00007FF68F29CFD8
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$Process$AllocFreePrint_vsnprintf
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$EngineCallback::LoadPackageLocations
              • API String ID: 1684767720-3434742549
              • Opcode ID: e2dbe648acfc686d76009324669ebcc4644337987c91e171cd8d1bb26c21e51a
              • Instruction ID: c929f555c53485a91195939bb67b7cda5c71095e96a7e9ed5177520044eea6f5
              • Opcode Fuzzy Hash: e2dbe648acfc686d76009324669ebcc4644337987c91e171cd8d1bb26c21e51a
              • Instruction Fuzzy Hash: 2C516975B08A57C2EA54AB92AA20AF977517F48BC4F40003DDD4DDBB99EE3CE501C344
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: String$AllocVariant$ClearFree$Init
              • String ID: Met ERROR: %s:%d - hr = 0x%08X$MetXmlSetAttribute
              • API String ID: 3732423892-31679065
              • Opcode ID: f64330a0e4e8c455a05744e7e2c4572dba07cd07954fe43ad993f7b77884796d
              • Instruction ID: 37d3b667211ec12a77250a968a2d57fdf8d2dc1b0e0eb397862ecf6bafe89b1d
              • Opcode Fuzzy Hash: f64330a0e4e8c455a05744e7e2c4572dba07cd07954fe43ad993f7b77884796d
              • Instruction Fuzzy Hash: CD418C35B08B4AD1EB15EBE2AA646F823A0BF58B94F200039CD0D97769DF3DE901C340
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$Process$Free$Alloc
              • String ID: %s\%s
              • API String ID: 3689955550-4073750446
              • Opcode ID: ada9ac99bb95525eb6e9b9b0e176c9675fc79fc8ea885e3a9a2ba1e67f2a732b
              • Instruction ID: 52b7ea45f94d700e14d78c1bd09e47fb58dcd0c5f4617edf26171950a1755f25
              • Opcode Fuzzy Hash: ada9ac99bb95525eb6e9b9b0e176c9675fc79fc8ea885e3a9a2ba1e67f2a732b
              • Instruction Fuzzy Hash: 3F315735B08B4AC6F714AB96EA643AA67A0BF89BC0F444039DA4D87B65DF3DE444C740
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Free$String$Heap$Process
              • String ID: Met DEBUG: %s:%d - %s$RootCause::~RootCause$m_Extension not null on object destructor
              • API String ID: 1137075025-1270205383
              • Opcode ID: 755f75b40a35005d7510871fd327e930df9f257ef337134161028ad4e4a06616
              • Instruction ID: 8dcc782185ea52fd9ec3983ab30509cdfce693772bbc3cf6d5152d4d587f54c6
              • Opcode Fuzzy Hash: 755f75b40a35005d7510871fd327e930df9f257ef337134161028ad4e4a06616
              • Instruction Fuzzy Hash: 0B41FA36A09A49C2FB55EFA5E6643A96360FF48F88F140139CA4D87669CF3CD454C344
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetProcessHeap.KERNEL32(?,?,?,?,00000000,00007FF68F2B6BE8), ref: 00007FF68F2B6F93
              • HeapAlloc.KERNEL32(?,?,?,?,00000000,00007FF68F2B6BE8), ref: 00007FF68F2B6FA1
              • CreateWellKnownSid.ADVAPI32(?,?,?,?,00000000,00007FF68F2B6BE8), ref: 00007FF68F2B6FE6
              • GetLastError.KERNEL32(?,?,?,?,00000000,00007FF68F2B6BE8), ref: 00007FF68F2B6FF0
              • GetProcessHeap.KERNEL32(?,?,?,?,00000000,00007FF68F2B6BE8), ref: 00007FF68F2B705E
              • HeapFree.KERNEL32(?,?,?,?,00000000,00007FF68F2B6BE8), ref: 00007FF68F2B706C
                • Part of subcall function 00007FF68F29CF60: _vsnprintf.MSVCRT ref: 00007FF68F29CF9F
                • Part of subcall function 00007FF68F29CF60: DbgPrintEx.NTDLL ref: 00007FF68F29CFD8
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$Process$AllocCreateErrorFreeKnownLastPrintWell_vsnprintf
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$IsAdminToken
              • API String ID: 2867770909-1472459344
              • Opcode ID: 9944982d7b4d331b9607d0e6eb600066513b1693ae5f26e03b7f1c9fc3c607df
              • Instruction ID: 925c1875beb9cc77776539dddcc1030f38c630c2508a7788ef3860051160a552
              • Opcode Fuzzy Hash: 9944982d7b4d331b9607d0e6eb600066513b1693ae5f26e03b7f1c9fc3c607df
              • Instruction Fuzzy Hash: A1217C71B0874AC6E710AFE6AAA02E667A0BF44B80F60493ECE4AC6655DE3CE544C300
              Uniqueness

              Uniqueness Score: -1.00%
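
The function entries in this listing follow one fixed layout: observed API calls with their call-site addresses (indented lines for calls made inside a sub-function), a '$'-separated API ID and String ID, an API String ID made of two numbers, and per-function Opcode and Instruction IDs. Two things the listing itself shows are worth checking rather than assuming: entries with the same API ID carry the same first number in their API String ID (3645034916 for both Answers::AddCatchAllAnswer and InteractivityUIPage::Initialize above), and the one entry with an empty String ID carries 0 as the second number. The parser below is an added example and is not part of the Joe Sandbox report or its tooling; it turns entries into records, verifies those two invariants, and groups functions by API profile so an analyst can pivot on Opcode IDs or find functions that share a profile. SAMPLE is constructed from abbreviated copies of four entries above (dump-source and fuzzy-hash lines dropped), and the names parse_entries, name_hint, check_id_consistency and group_by_api_profile are my own.

```python
import re
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field

# Constructed sample: four entries abbreviated from the listing above (dump-source and fuzzy-hash lines dropped).
SAMPLE = """\
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000001,?,00000000,00007FF68F2AEF90), ref: 00007FF68F2AB13D
• SysFreeString.OLEAUT32 ref: 00007FF68F2AB372
  • Part of subcall function 00007FF68F29CF60: DbgPrintEx.NTDLL ref: 00007FF68F29CFD8
Similarity
• API ID: Heap$FreeProcess$AllocPrintString_vsnprintf
• String ID: /Packages/Interaction[@ID='%s']$Answers::AddCatchAllAnswer$Dwz ERROR: %s:%d - hr = 0x%08X$Packages$Value
• API String ID: 3645034916-714125347
• Opcode ID: 154ac189f3ed065b317c945407c0dca7739b1f6a1093bd60688cfff9272c3df7
APIs
Similarity
• API ID: Heap$FreeProcess$AllocPrintString_vsnprintf
• String ID: ./CommandLine$./ExtensionPoint/ButtonText$Dwz ERROR: %s:%d - hr = 0x%08X$InteractivityUIPage::Initialize
• API String ID: 3645034916-2990690655
APIs
Similarity
• API ID: Heap$FreeProcess$AllocPrintString_vsnprintfmemset
• String ID: Dwz ERROR: %s:%d - hr = 0x%08X$InteractivityPage::LoadRTF
• API String ID: 20843794-916780754
APIs
Similarity
• API ID: Free$String$Heap$DestroyImageList_Process
• String ID:
• API String ID: 2605455605-0
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Similarity", "Uniqueness"}
# The name group also accepts the mangled C++ exports in the listing (e.g. ?Click@Button@DirectUI@@SA?AVUID@@XZ.DUI70).
API_RE = re.compile(r"^• (?:Part of subcall function ([0-9A-F]+): )?"
                    r"(\S+?)\.(\w+)(?:\(.*\),)? ref: ([0-9A-F]+)$")
# imported API name and module, call-site address, callee address for "Part of subcall" lines
ApiCall = namedtuple("ApiCall", "name module ref subcall_of")

@dataclass
class Entry:
    apis: list = field(default_factory=list)
    api_id: str = ""
    strings: list = field(default_factory=list)
    api_hash: int = -1          # first half of "API String ID"
    string_hash: int = -1       # second half of "API String ID"
    ids: dict = field(default_factory=dict)   # Opcode ID, Instruction ID, fuzzy hashes

def parse_entries(text):
    """Split the listing into entries; each one starts at an 'APIs' header line."""
    entries, section = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if line == "APIs":
            entries.append(Entry())
        if not line or line in SECTIONS:
            section = line or section
            continue
        if not entries:
            continue            # stray text before the first entry
        cur = entries[-1]
        if section == "APIs" and (m := API_RE.match(line)):
            sub = int(m.group(1), 16) if m.group(1) else None
            cur.apis.append(ApiCall(m.group(2), m.group(3), int(m.group(4), 16), sub))
        elif section == "Similarity":
            key, _, value = line.lstrip("• ").partition(":")
            value = value.strip()
            if key == "API ID":
                cur.api_id = value
            elif key == "String ID":
                cur.strings = value.split("$") if value else []  # '$' separates strings
            elif key == "API String ID":
                cur.api_hash, cur.string_hash = (int(x) for x in value.split("-"))
            else:
                cur.ids[key] = value
    return entries

def name_hint(entry):
    """Best-effort function name from the string list: prefer C++ qualified names."""
    qualified = [s for s in entry.strings if "::" in s]
    plain = [s for s in entry.strings if re.fullmatch(r"[A-Za-z_][\w~]*", s)]
    return (qualified or plain or [""])[0]

def check_id_consistency(entries):
    """Same API ID must give the same api_hash; an empty String ID must hash to 0."""
    problems, seen = [], {}
    for e in entries:
        if seen.setdefault(e.api_id, e.api_hash) != e.api_hash:
            problems.append(f"{e.api_id!r}: {seen[e.api_id]} != {e.api_hash}")
        if not e.strings and e.string_hash != 0:
            problems.append(f"empty String ID hashed to {e.string_hash}")
    return problems

def group_by_api_profile(entries):
    """Map api_hash -> names of the functions that share exactly that API profile."""
    groups = defaultdict(list)
    for e in entries:
        groups[e.api_hash].append(name_hint(e))
    return dict(groups)
```

Run it against a full copy of the listing to get every Opcode ID alongside a readable function name; the grouping step is where functions with an identical API profile but different strings (such as the two entries hashing to 3645034916 here) become visible.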

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Direct$Button@Click@Descendent@Element@ErrorExecuteFindLastShellV12@memset
              • String ID: /name Microsoft.Troubleshooting /page historyPage$Dwz ERROR: %s:%d - hr = 0x%08X$UploadCompletePage::OnListenedEvent$control.exe$linkHistory$open
              • API String ID: 319910338-2884894803
              • Opcode ID: d813ca70a07d2ec97b8619daa3d98ffcd358ea33773491dd585a8171f77c6010
              • Instruction ID: 672a78f754266f2e74b524aae951ecb4df5425104428c68c114d9852dab3175c
              • Opcode Fuzzy Hash: d813ca70a07d2ec97b8619daa3d98ffcd358ea33773491dd585a8171f77c6010
              • Instruction Fuzzy Hash: 79312772B08B46D9E7109BA1D6607E923A4FF58788F90853ADA4DC26A8EF3CD548C350
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: FreeHeapString$AllocPrintProcess_vsnprintf
              • String ID: ./cfg:RequiredContext/cfg:Parameter$Met ERROR: %s:%d - hr = 0x%08X$Package::set_Prereqs
              • API String ID: 2709600863-466739713
              • Opcode ID: 0be44f01c25e20b9f3da52e52b479e09b57935bedc95ff545bbc223e6ee7f5ec
              • Instruction ID: 8a8ecb9e122503bfaddb8399726236b1e2f2a8e373de632ac508ec9ced86a900
              • Opcode Fuzzy Hash: 0be44f01c25e20b9f3da52e52b479e09b57935bedc95ff545bbc223e6ee7f5ec
              • Instruction Fuzzy Hash: 41713776B08A56C6EB149FA6DA247F92BA1BF44B84F14413ADE0D97758DF3CE801C740
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • PostMessageW.USER32 ref: 00007FF68F2C08AA
              • WaitForMultipleObjects.KERNEL32(?,?,00000000,WorkerThread,00000000,00000000,00000000,?,?,00007FF68F2C019F), ref: 00007FF68F2C08C5
              • SetEvent.KERNEL32(?,?,00000000,WorkerThread,00000000,00000000,00000000,?,?,00007FF68F2C019F), ref: 00007FF68F2C08F7
              • GetLastError.KERNEL32(?,?,00000000,WorkerThread,00000000,00000000,00000000,?,?,00007FF68F2C019F), ref: 00007FF68F2C0901
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: ErrorEventLastMessageMultipleObjectsPostWait
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$PageManager::Pause$Resolution_GetScriptless$TryPauseResolution$W
              • API String ID: 2689860443-1371766782
              • Opcode ID: 5465ab98749e23d30729fea53edb5b9178b15e0bb3f851db833e0e030c7375c4
              • Instruction ID: 0e7f51bfedcb97a1da8355bd452eee805b7e285b2f9c2e90bd3691bb5115d2cc
              • Opcode Fuzzy Hash: 5465ab98749e23d30729fea53edb5b9178b15e0bb3f851db833e0e030c7375c4
              • Instruction Fuzzy Hash: 60516A71B08746C6F720EFA6AAA0AA96790BF44BA4F50413EDE4DC7695DF3CE504CB40
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ?Click@Button@DirectUI@@SA?AVUID@@XZ.DUI70 ref: 00007FF68F2B1818
              • ?PropSheet_SendMessage@TaskPage@DirectUI@@IEAA_JI_K_J@Z.DUI70 ref: 00007FF68F2B1864
                • Part of subcall function 00007FF68F29419C: StrToID.DUI70 ref: 00007FF68F2941B7
                • Part of subcall function 00007FF68F29419C: ?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70 ref: 00007FF68F2941C3
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Direct$Button@Click@Descendent@Element@FindMessage@Page@PropSendSheet_TaskV12@
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$UploadConsentPage::OnListenedEvent$W$linkFixed$linkPrivacy$linkReview$linkUpload
              • API String ID: 2282446303-2575714792
              • Opcode ID: d3786281e2046711f9f0fbb7575ae99d17b1bc7450765212a6eb91756ee43c3b
              • Instruction ID: 0ae662c353481ceb93b9d638e576c0119c76e5cc6e048e0b4656d0cc9ad4bbb7
              • Opcode Fuzzy Hash: d3786281e2046711f9f0fbb7575ae99d17b1bc7450765212a6eb91756ee43c3b
              • Instruction Fuzzy Hash: 87410831A08A86C2F710DBE6E6206F96390FF54788F50453ADE4CC7A9AEF6CE555C700
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Direct$Element@$Defer@$Button@Click@Descendent@FindLayoutPos@StartV12@Visible@
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$ErrorPage::OnListenedEvent$errordetails$linkError
              • API String ID: 2145222042-723601927
              • Opcode ID: d94bb87f2efd919c504ebd7de95d798326021d644864443479e9e0cb4bab208d
              • Instruction ID: 31dd872816b682fc69378f120e84ef14f6a7ae807430ad6efb5a53d1c574f26f
              • Opcode Fuzzy Hash: d94bb87f2efd919c504ebd7de95d798326021d644864443479e9e0cb4bab208d
              • Instruction Fuzzy Hash: 2E316B31B08A46C2FB00AB91E664BF92761FF91B98F508139DA9DC7694DF2DE446C380
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$Process$AllocFreePrint_vsnprintf
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$WizardPage::CloseButton
              • API String ID: 1684767720-2539655254
              • Opcode ID: cb1cd0a03ccf1c559b3f0298527f18d4b574339a7842c171bc726903b7365fd1
              • Instruction ID: 0ecd7d330f89964becf28a979124dcda571a18623ed988fc32f0c6754916cb3b
              • Opcode Fuzzy Hash: cb1cd0a03ccf1c559b3f0298527f18d4b574339a7842c171bc726903b7365fd1
              • Instruction Fuzzy Hash: CB215170B08A5AC2F714AB92EA34AE92750BF85BC4F40853DC94987B59DF3CD505C780
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: String$Free$AllocHeap$CreateInitInstanceProcessVariant
              • String ID: //QueryQueueResult$//detail$//faultcode$//faultstring$WorkerThread
              • API String ID: 4185271-2418404203
              • Opcode ID: 785b8a6a8d224f7245c48af70cc72981c2d6aca796acbcdd21d95d4d17546004
              • Instruction ID: 377da4df46c4bbca8244de6ec57bd22b39804b7933d6f42489945d0516d14e3e
              • Opcode Fuzzy Hash: 785b8a6a8d224f7245c48af70cc72981c2d6aca796acbcdd21d95d4d17546004
              • Instruction Fuzzy Hash: B8512A36B04B56C6EB059BA6DAA43F92BA0FF44B88F10443ADE0D8BB55DF38E455C340
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: String$Free$AllocArrayElementSafe
              • String ID: Answers::SetValuesInXML$Dwz ERROR: %s:%d - hr = 0x%08X$Value
              • API String ID: 2068732172-3905522104
              • Opcode ID: 10b6a2cf154dc553beb62ad3d98d18b57f013fbe75d7e1fddf812d33c0046f83
              • Instruction ID: 05ee1a6d98c51ebed83c58c5d50e73a2e6f15b70f57b5bac657e749e9d27e434
              • Opcode Fuzzy Hash: 10b6a2cf154dc553beb62ad3d98d18b57f013fbe75d7e1fddf812d33c0046f83
              • Instruction Fuzzy Hash: FD515D36B08B46C6EB14AFA5D9A42B927A0FF48B88F10453ACE0D97B59DF3DD445C700
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: FreeString
              • String ID: Met ERROR: %s:%d - hr = 0x%08X$PackageCollection::Verify
              • API String ID: 3341692771-3786943113
              • Opcode ID: 3f143fe7258b69150b09126d7efcf6263453affbb11ec3c707cc963f16660793
              • Instruction ID: d02037c75fc4a64dd99733b6f781fff58280df16df106b5da136dcafc0f1ef90
              • Opcode Fuzzy Hash: 3f143fe7258b69150b09126d7efcf6263453affbb11ec3c707cc963f16660793
              • Instruction Fuzzy Hash: B3516D31B08B4AC6EB119BA6DAA47F927A0BF54B89F10413ADA4EC7794DF3CE444C305
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: DirectElement@$Defer@$Descendent@FindMessagePostStartV12@
              • String ID: DetailsPage::OnSetActive$Dwz ERROR: %s:%d - hr = 0x%08X$backward$details$forward
              • API String ID: 2697460164-1518310049
              • Opcode ID: 646aaae4dd4c62deae0e6118011c2445f2fbd1ded0a9a099b447df0b5da8dfdf
              • Instruction ID: 8eab69448405c0ddf13ebeaa68cfbbc92ef461a8ff9fd0ece4b7bdd614774f52
              • Opcode Fuzzy Hash: 646aaae4dd4c62deae0e6118011c2445f2fbd1ded0a9a099b447df0b5da8dfdf
              • Instruction Fuzzy Hash: 44313731B08B46C9FB109BA5E960BE93360FF55BA8F500639DA6D87699DF3DE045C340
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$ErrorLastProcess$AllocByteCharFreeMultiWide
              • String ID:
              • API String ID: 2263581960-0
              • Opcode ID: 1872c952b04ef767dc20283f82709cd6cf8503239f2b07eee0b3ca54cb9b07ba
              • Instruction ID: 1d97930047f2c3cd65d790e58a38d4de8e572f53404493dbf1f202b4c5fc4f41
              • Opcode Fuzzy Hash: 1872c952b04ef767dc20283f82709cd6cf8503239f2b07eee0b3ca54cb9b07ba
              • Instruction Fuzzy Hash: 99317F31B09B4AC6E354ABE69A643B967A4BF88BD1F14423DDA5987B94DF3CD414C300
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$Process$AllocByteCharErrorFreeLastMultiWide_errno_wremove
              • String ID:
              • API String ID: 1837395576-0
              • Opcode ID: f8a92f16998a33e163a232937612a2a83dda18187ba285b0505185c23d219067
              • Instruction ID: b985a92643999084ec6c327ce7088a74bc23483ec05a5dcd763e87406e905146
              • Opcode Fuzzy Hash: f8a92f16998a33e163a232937612a2a83dda18187ba285b0505185c23d219067
              • Instruction Fuzzy Hash: D4115E35A08B46C6F714BBA2E9641A977A0BF88BE0F58453CDA9E877A4DF3CD444C700
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: FreeString
              • String ID: WorkerThread
              • API String ID: 3341692771-3089291781
              • Opcode ID: d35f52b086066b58c1738b6acd829e62ddd6665000c7bf9e1ffa0bdcb66ca51f
              • Instruction ID: feb0a1ef78174ea6faf09fd5b3f283b7cc07537e42d160af99b70435656f2db4
              • Opcode Fuzzy Hash: d35f52b086066b58c1738b6acd829e62ddd6665000c7bf9e1ffa0bdcb66ca51f
              • Instruction Fuzzy Hash: 2D312D31B09B67D5EE59ABD257252B96790BF84F81F08843CDD8E83799EE3DE841C200
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Variant$ClearInit
              • String ID: AddMetaHeaderAndDumpReport$Met ERROR: %s:%d - hr = 0x%08X
              • API String ID: 2610073882-2807655612
              • Opcode ID: e95a948aeadc8d00cdbb1a1ea7242e59b3a3a020d1c3e86a81584f37acf5fb3a
              • Instruction ID: 187317fc763788d30be95fae4b7241e6e4283f22772238166e4eeb41bb012b1f
              • Opcode Fuzzy Hash: e95a948aeadc8d00cdbb1a1ea7242e59b3a3a020d1c3e86a81584f37acf5fb3a
              • Instruction Fuzzy Hash: F031AA31B08A5AC6F711EBE6EA602F92364BF54B88F504139DE0D97B95DF39D946C300
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ?StartDefer@Element@DirectUI@@QEAAXPEAK@Z.DUI70 ref: 00007FF68F2987A2
                • Part of subcall function 00007FF68F293B90: ?StartDefer@Element@DirectUI@@QEAAXPEAK@Z.DUI70 ref: 00007FF68F293BBB
                • Part of subcall function 00007FF68F293B90: ?PropSheet_SendMessage@TaskPage@DirectUI@@IEAA_JI_K_J@Z.DUI70 ref: 00007FF68F293C79
                • Part of subcall function 00007FF68F293B90: ?PropSheet_SendMessage@TaskPage@DirectUI@@IEAA_JI_K_J@Z.DUI70 ref: 00007FF68F293C8E
                • Part of subcall function 00007FF68F293B90: ?PropSheet_SendMessage@TaskPage@DirectUI@@IEAA_JI_K_J@Z.DUI70 ref: 00007FF68F293CB8
                • Part of subcall function 00007FF68F293B90: ?PropSheet_SendMessage@TaskPage@DirectUI@@IEAA_JI_K_J@Z.DUI70 ref: 00007FF68F293CE8
                • Part of subcall function 00007FF68F293B90: GetProcessHeap.KERNEL32 ref: 00007FF68F293CF3
                • Part of subcall function 00007FF68F293B90: HeapFree.KERNEL32 ref: 00007FF68F293D01
                • Part of subcall function 00007FF68F293B90: GetTickCount64.KERNEL32 ref: 00007FF68F293DEE
                • Part of subcall function 00007FF68F293B90: ?EndDefer@Element@DirectUI@@QEAAXK@Z.DUI70 ref: 00007FF68F293E05
              • ?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ.DUI70 ref: 00007FF68F29884F
              • ?EndDefer@Element@DirectUI@@QEAAXK@Z.DUI70 ref: 00007FF68F298865
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Direct$Defer@Element@Message@Page@PropSendSheet_Task$HeapStart$Count64Destroy@FreeParser@ProcessTick
              • String ID: 7$CustomizePage::OnSetActive$Dwz ERROR: %s:%d - hr = 0x%08X
              • API String ID: 2400597636-1287420483
              • Opcode ID: e6327d58fcc9d6954d8ad17cb8c7ecabb303d7bfa8f16ff2b72f6983a2380040
              • Instruction ID: 85c14e98f1917886ee737e8d84a4c8821b4f2e7ad153f40a51a261c3dca32cc9
              • Opcode Fuzzy Hash: e6327d58fcc9d6954d8ad17cb8c7ecabb303d7bfa8f16ff2b72f6983a2380040
              • Instruction Fuzzy Hash: 7A316C32B08606C5FB00AFA5D961BF82761BF44B98F680A39CA1DCB699CF7CD001C380
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: ArrayElementFreeSafeString_wcsicmp
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$EngineCallback::Disconnected$Remote
              • API String ID: 3202088984-893721283
              • Opcode ID: f58940c93dff684e840911ba707fe738041381e1d794cb238176ee0f39ee16d4
              • Instruction ID: 8094ad313a8dd25f64e475796e1faad94e541768b58f2c5a0dc7f5bba0541e67
              • Opcode Fuzzy Hash: f58940c93dff684e840911ba707fe738041381e1d794cb238176ee0f39ee16d4
              • Instruction Fuzzy Hash: A6116D75B08B46C2EB90AF95E6A08F873A4FF44B84B940139CA1CC3654DF6CE945C700
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Direct$Base@Heap$AllocDestroy@Element@Element@2@Initialize@Process
              • String ID: RICHEDIT50W
              • API String ID: 573562081-2936175183
              • Opcode ID: ff7dfbf6831b7f35a04f8b5a9ece5916188025db8f142389a3ddb5b3842566f9
              • Instruction ID: ebef8d73f546723c21e6bd03c7117232a02683512c122ba8e228b52b22b1b842
              • Opcode Fuzzy Hash: ff7dfbf6831b7f35a04f8b5a9ece5916188025db8f142389a3ddb5b3842566f9
              • Instruction Fuzzy Hash: D5116D35B49B46C1E704AB56A9203A9B3A4BF89BE0F284238CA5D9B7A4DF3CD451C340
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$DwzStrTruncate
              • API String ID: 0-3290953684
              • Opcode ID: 53bb3d4eb03367246fc558b0ddd67a840e12bb1ed4ebdf64021bf74f4904bafc
              • Instruction ID: 5fb1b3db66d2b2ecd8635812022828d006e3a58c5d7de232ff80363fbb1bf90f
              • Opcode Fuzzy Hash: 53bb3d4eb03367246fc558b0ddd67a840e12bb1ed4ebdf64021bf74f4904bafc
              • Instruction Fuzzy Hash: 5331D371B08747C2F710AB92AA60AE96760BF44B90F80463DDE8CCB796DE3CE141D340
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Direct$HeapListView@$AllocBase@Destroy@Element@Element@2@Initialize@ProcessStyle@
              • String ID:
              • API String ID: 606962050-0
              • Opcode ID: 7ea2a10e58e3ab66e5ab3554113733f55b3971687eacb6b53e04e0e614be1150
              • Instruction ID: 846b4c90078abae10f26cfe7e65f8f4f07bb328e01f2a4fecc8b3491e9f7caff
              • Opcode Fuzzy Hash: 7ea2a10e58e3ab66e5ab3554113733f55b3971687eacb6b53e04e0e614be1150
              • Instruction Fuzzy Hash: 61115435708B46C5E6146F95B9203A5B350BF98BE4F544238DD9D87BA4DF7CD446C700
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00007FF68F2C19B8: GetProcessHeap.KERNEL32 ref: 00007FF68F2C1D0C
                • Part of subcall function 00007FF68F2C19B8: HeapFree.KERNEL32 ref: 00007FF68F2C1D1A
                • Part of subcall function 00007FF68F2C19B8: GetProcessHeap.KERNEL32 ref: 00007FF68F2C1D20
                • Part of subcall function 00007FF68F2C19B8: HeapAlloc.KERNEL32 ref: 00007FF68F2C1D31
                • Part of subcall function 00007FF68F2C19B8: GetProcessHeap.KERNEL32 ref: 00007FF68F2C1D91
                • Part of subcall function 00007FF68F2C19B8: HeapFree.KERNEL32 ref: 00007FF68F2C1D9F
                • Part of subcall function 00007FF68F2C19B8: GetProcessHeap.KERNEL32(?,?,?,?,00000000,00000068,00000000,00007FF68F2A09A0), ref: 00007FF68F2C1DD6
                • Part of subcall function 00007FF68F2C19B8: HeapFree.KERNEL32(?,?,?,?,00000000,00000068,00000000,00007FF68F2A09A0), ref: 00007FF68F2C1DE4
                • Part of subcall function 00007FF68F2C19B8: SysFreeString.OLEAUT32 ref: 00007FF68F2C1DF3
              • SetEvent.KERNEL32(?,?,?,?,00000001,00007FF68F2B3DD9), ref: 00007FF68F2B5967
                • Part of subcall function 00007FF68F29CF60: _vsnprintf.MSVCRT ref: 00007FF68F29CF9F
                • Part of subcall function 00007FF68F29CF60: DbgPrintEx.NTDLL ref: 00007FF68F29CFD8
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$FreeProcess$AllocEventPrintString_vsnprintf
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$PageManager::Intro$SkipIntro
              • API String ID: 1756159536-3630606640
              • Opcode ID: 839b35def466edb2750a2620d787cdb7c39d3d8929ad0b5a996ea3e82a5c39e4
              • Instruction ID: 8fc6983bec75306f72baa3de234601b713adeec9b50612840b4b6f46d3766801
              • Opcode Fuzzy Hash: 839b35def466edb2750a2620d787cdb7c39d3d8929ad0b5a996ea3e82a5c39e4
              • Instruction Fuzzy Hash: 56314731B08A47C6F7216BEA96B12F82390BF84B94F54053ECA4DCA299DF2DE545C340
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: ErrorFileLastNameTemp
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$GetTemporaryFileName$Pkg
              • API String ID: 110269551-1835466015
              • Opcode ID: ad61d857f14ca2c03dc08d82086399a4f7e6665ba9a1f5651e77678f9331f452
              • Instruction ID: 82a9a3e93a44e89c96f13b412cafd39f94388ca78c55c9a559bd2762f9b0f5e1
              • Opcode Fuzzy Hash: ad61d857f14ca2c03dc08d82086399a4f7e6665ba9a1f5651e77678f9331f452
              • Instruction Fuzzy Hash: 69118231B08A86C6E760ABA5FAB47EA2390FF88784F80053ADA4DC7655EF3CD544C700
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • WaitForSingleObject.KERNEL32(?,?,?,?,00000000,00007FF68F2B9F07), ref: 00007FF68F2BA05D
              • ResetEvent.KERNEL32(?,?,?,?,00000000,00007FF68F2B9F07), ref: 00007FF68F2BA078
                • Part of subcall function 00007FF68F29CF60: _vsnprintf.MSVCRT ref: 00007FF68F29CF9F
                • Part of subcall function 00007FF68F29CF60: DbgPrintEx.NTDLL ref: 00007FF68F29CFD8
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: EventObjectPrintResetSingleWait_vsnprintf
              • String ID: ClientElevationPipe::WaitOnIO$Dwz ERROR: %s:%d - hr = 0x%08X
              • API String ID: 3932786043-1649900042
              • Opcode ID: 628a881b96e47b2cee5d58ca8a2675d87f4d490be1bb5d0bc1af3c3df1c10b4d
              • Instruction ID: f1469f107e0ca3352be35b9b98c9c0e7cbca74333b2552acfe0742c3da19e065
              • Opcode Fuzzy Hash: 628a881b96e47b2cee5d58ca8a2675d87f4d490be1bb5d0bc1af3c3df1c10b4d
              • Instruction Fuzzy Hash: 84F01930B0864BC6F7106BE5DAA03F52350BF44B84F50093DCE09CB290EE2DE549C710
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • GetProcessHeap.KERNEL32(?,?,00000000,00007FF68F29AED8,?,?,?,00007FF68F29AC31), ref: 00007FF68F29AFFC
              • HeapAlloc.KERNEL32(?,?,00000000,00007FF68F29AED8,?,?,?,00007FF68F29AC31), ref: 00007FF68F29B00A
              • memcpy.MSVCRT ref: 00007FF68F29B03E
              • GetProcessHeap.KERNEL32(?,?,00000000,00007FF68F29AED8,?,?,?,00007FF68F29AC31), ref: 00007FF68F29B0A5
              • HeapReAlloc.KERNEL32(?,?,00000000,00007FF68F29AED8,?,?,?,00007FF68F29AC31), ref: 00007FF68F29B0BB
              • HeapAlloc.KERNEL32(?,?,00000000,00007FF68F29AED8,?,?,?,00007FF68F29AC31), ref: 00007FF68F29B0D6
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Heap$Alloc$Process$memcpy
              • String ID:
              • API String ID: 3525955220-0
              • Opcode ID: 351013153e6137833f2c9d16367383fdfb3cbfa66d0e58e474c20255a06f206d
              • Instruction ID: a6f1297c74c3e9f6e143d710c6c23827f8e29f33e5d47f5b6e051af3e6c18baa
              • Opcode Fuzzy Hash: 351013153e6137833f2c9d16367383fdfb3cbfa66d0e58e474c20255a06f206d
              • Instruction Fuzzy Hash: 0F41F635B05B4AC6EB28AFA6926067963D0FF88B80B14853DCA3D97780DF7DE951C300
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: ErrorLastwcschr$CreateDirectory
              • String ID:
              • API String ID: 4150684019-0
              • Opcode ID: 2bca136dfa02ac2cb7d224067af1f674b4bc708f642d4760b5c1f4f46372f0e7
              • Instruction ID: c3d81be15ee9c1917032a81785dcdf474057245af5e181bfa085ed4e4a693f4b
              • Opcode Fuzzy Hash: 2bca136dfa02ac2cb7d224067af1f674b4bc708f642d4760b5c1f4f46372f0e7
              • Instruction Fuzzy Hash: 7E115131A19746C2FB55AB9699602B973E4BF88B88F14413DDA4EC7354EF3CD815C344
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: String$AllocFree
              • String ID: Met ERROR: %s:%d - hr = 0x%08X$MetXmlGetNodeText
              • API String ID: 344208780-4128850798
              • Opcode ID: fb26ad803ff21c48d029fd30d86dd50c1bd79c3e23b34ba3aec6e6f59c15322a
              • Instruction ID: 21df0e259a5675d0d107bfbfc7cfef4ffca0a6d4056d7732a1f30da3d84a3f61
              • Opcode Fuzzy Hash: fb26ad803ff21c48d029fd30d86dd50c1bd79c3e23b34ba3aec6e6f59c15322a
              • Instruction Fuzzy Hash: 9D416D36B09756C2FA209B95E6607B967A0FF54F84F14423ACA0DD7798DF2DE801D310
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: String$AllocFree
              • String ID: Met ERROR: %s:%d - hr = 0x%08X$MetXmlGetNodes
              • API String ID: 344208780-2658473382
              • Opcode ID: c1923674d82f0e25f514b7c6c5ff1bed4a28a29a6561cf5f41a379a59e9131da
              • Instruction ID: 4a7e301922cc4f7114d33c89ccc57df1f4397de6ca750ba08a54b4432fea395a
              • Opcode Fuzzy Hash: c1923674d82f0e25f514b7c6c5ff1bed4a28a29a6561cf5f41a379a59e9131da
              • Instruction Fuzzy Hash: F9311935B08B9AD1EE259B96E6606F9A760BF58F84F14413ACE4D87768DF3DE801C340
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: FreeString_wcsicmp
              • String ID: Node Parsing mismatch: was %ws, expected %ws$SdpXmlCheckNode
              • API String ID: 2098340043-1254778330
              • Opcode ID: 3eb7d983148798d037ecf1ad3ac15a8495b835a92bbc9dbfa3d059012f4a267e
              • Instruction ID: c7e66b98a85e7e4da4003f5e796387c856da90dc5c68ee6db99565d058e5a4aa
              • Opcode Fuzzy Hash: 3eb7d983148798d037ecf1ad3ac15a8495b835a92bbc9dbfa3d059012f4a267e
              • Instruction Fuzzy Hash: FB116035B28A4AC2FA90AB96EA60BB55350FF45BC8F105039ED0ECBB85DE1CD510C700
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID: Met ERROR: %s:%d - hr = 0x%08X$PackageInfo::set_ID
              • API String ID: 0-3774600460
              • Opcode ID: 1d508036eb4cda9baee937de9ebf749bbda09d2dd8cc4ae0340bc98ef0fbb053
              • Instruction ID: 715c3bfda28a649028a15eff35545fa0c410714e526220285ce759884dae799d
              • Opcode Fuzzy Hash: 1d508036eb4cda9baee937de9ebf749bbda09d2dd8cc4ae0340bc98ef0fbb053
              • Instruction Fuzzy Hash: 5911AC35B08B92C2EB149B95EA603B92360FF04B84F504539DA4C8BB99EF3DE912C740
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID: Met ERROR: %s:%d - hr = 0x%08X$PackageInfo::set_Name
              • API String ID: 0-1427089372
              • Opcode ID: 15bc7745339ff87a3085c98cca31159b53b62e31fcf7ee00396adb322428120b
              • Instruction ID: 6ff55849dfc47c781428530fcc5ec65adb42e84c67c54300bed12682de156ca6
              • Opcode Fuzzy Hash: 15bc7745339ff87a3085c98cca31159b53b62e31fcf7ee00396adb322428120b
              • Instruction Fuzzy Hash: 94117C35B08A52C2EB149B95EA607F92760FF58B84F604139DA0C8BB95DF6CE552C740
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00007FF68F2941EC: StrToID.DUI70 ref: 00007FF68F294207
                • Part of subcall function 00007FF68F2941EC: ?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70 ref: 00007FF68F294213
              • SendMessageW.USER32 ref: 00007FF68F295134
                • Part of subcall function 00007FF68F29CF60: _vsnprintf.MSVCRT ref: 00007FF68F29CF9F
                • Part of subcall function 00007FF68F29CF60: DbgPrintEx.NTDLL ref: 00007FF68F29CFD8
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Descendent@DirectElement@FindMessagePrintSendV12@_vsnprintf
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$IntroPage::OnWizNext$cbAuto
              • API String ID: 54982245-4048064425
              • Opcode ID: c426c2a2d3a500963fa01cdc030a9551ee4354016f0bad482ce5622874d61a07
              • Instruction ID: 2e7041d0a3dfb0dbab55bbd955b8c6ec75db6b4b49a75ccd1a49af7f82306b5a
              • Opcode Fuzzy Hash: c426c2a2d3a500963fa01cdc030a9551ee4354016f0bad482ce5622874d61a07
              • Instruction Fuzzy Hash: C701C831B08686C2E7109B95EA505D97760FF44BE0F90423ACA2C837E5DF3CE501C740
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: String$AllocFree
              • String ID: Met ERROR: %s:%d - hr = 0x%08X$Package::set_PackageLocation
              • API String ID: 344208780-2223905976
              • Opcode ID: fea3c19ba327a8dd06c7c1d9e61142a6db8c3186a14388fa7906e2bc22f55ba0
              • Instruction ID: bb91fa0d341c9a10bb02ba49a3cfcb4ef03c17355fccf17dc754051fe05765a1
              • Opcode Fuzzy Hash: fea3c19ba327a8dd06c7c1d9e61142a6db8c3186a14388fa7906e2bc22f55ba0
              • Instruction Fuzzy Hash: 9D017139B08B82C2EB149B95A6201A46360FF48B84F604639DE8CC7B54DF3CD425C700
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ?StartDefer@Element@DirectUI@@QEAAXPEAK@Z.DUI70 ref: 00007FF68F295FF3
                • Part of subcall function 00007FF68F293B90: ?StartDefer@Element@DirectUI@@QEAAXPEAK@Z.DUI70 ref: 00007FF68F293BBB
                • Part of subcall function 00007FF68F293B90: ?PropSheet_SendMessage@TaskPage@DirectUI@@IEAA_JI_K_J@Z.DUI70 ref: 00007FF68F293C79
                • Part of subcall function 00007FF68F293B90: ?PropSheet_SendMessage@TaskPage@DirectUI@@IEAA_JI_K_J@Z.DUI70 ref: 00007FF68F293C8E
                • Part of subcall function 00007FF68F293B90: ?PropSheet_SendMessage@TaskPage@DirectUI@@IEAA_JI_K_J@Z.DUI70 ref: 00007FF68F293CB8
                • Part of subcall function 00007FF68F293B90: ?PropSheet_SendMessage@TaskPage@DirectUI@@IEAA_JI_K_J@Z.DUI70 ref: 00007FF68F293CE8
                • Part of subcall function 00007FF68F293B90: GetProcessHeap.KERNEL32 ref: 00007FF68F293CF3
                • Part of subcall function 00007FF68F293B90: HeapFree.KERNEL32 ref: 00007FF68F293D01
                • Part of subcall function 00007FF68F293B90: GetTickCount64.KERNEL32 ref: 00007FF68F293DEE
                • Part of subcall function 00007FF68F293B90: ?EndDefer@Element@DirectUI@@QEAAXK@Z.DUI70 ref: 00007FF68F293E05
                • Part of subcall function 00007FF68F295678: memset.MSVCRT ref: 00007FF68F2956C7
                • Part of subcall function 00007FF68F295678: memset.MSVCRT ref: 00007FF68F2956D6
                • Part of subcall function 00007FF68F295678: GetProcessHeap.KERNEL32 ref: 00007FF68F2956F9
                • Part of subcall function 00007FF68F295678: HeapAlloc.KERNEL32 ref: 00007FF68F29570A
              • ?EndDefer@Element@DirectUI@@QEAAXK@Z.DUI70 ref: 00007FF68F29603E
                • Part of subcall function 00007FF68F29CF60: _vsnprintf.MSVCRT ref: 00007FF68F29CF9F
                • Part of subcall function 00007FF68F29CF60: DbgPrintEx.NTDLL ref: 00007FF68F29CFD8
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Direct$Defer@Element@HeapMessage@Page@PropSendSheet_Task$ProcessStartmemset$AllocCount64FreePrintTick_vsnprintf
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$PackageContentsPage::OnSetActive
              • API String ID: 2542996858-696832293
              • Opcode ID: d23ba4267bd12663895183d0dc19e8e07611390098132bf6265521ce2881185c
              • Instruction ID: 8befdba781b5048e3aebda7841aaed7b65d82a4c9e728773d9991fdc54cbc8f4
              • Opcode Fuzzy Hash: d23ba4267bd12663895183d0dc19e8e07611390098132bf6265521ce2881185c
              • Instruction Fuzzy Hash: 9601A731B45606C2E710AB95D9246F93760BF85B60F140338DA6DC72D4DF3CD845C380
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: String$AllocFree
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$Packages_SetPrivacyLink
              • API String ID: 344208780-793645142
              • Opcode ID: 9e5a05ebb20b38e4315cd0cf078dab004df095717c6226aac106ef3f96280693
              • Instruction ID: eb9a93ebdafacb670bb792c098441c2679564ca548f8889cbc872d4692e4ac8d
              • Opcode Fuzzy Hash: 9e5a05ebb20b38e4315cd0cf078dab004df095717c6226aac106ef3f96280693
              • Instruction Fuzzy Hash: C3017835B0CA86C2EB24EB90E6203B96760FF84B98F100139DE4CC7A98DF2ED485C740
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: String$AllocFree
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$Packages_SetPublisher
              • API String ID: 344208780-2766634805
              • Opcode ID: 37004a1f7839b3be07bf489de25962773b661981e75543875a32216e55d979df
              • Instruction ID: e1bcc5c7d9a44a9270ecc2221923446daf8fb9544f20ff207aa321a2fa086587
              • Opcode Fuzzy Hash: 37004a1f7839b3be07bf489de25962773b661981e75543875a32216e55d979df
              • Instruction Fuzzy Hash: 5A018B35B08A86C1EB10EBA0E6703B96360FF84BC8F604139DE4D86A98DF2ED485C740
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
                • Part of subcall function 00007FF68F29419C: StrToID.DUI70 ref: 00007FF68F2941B7
                • Part of subcall function 00007FF68F29419C: ?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z.DUI70 ref: 00007FF68F2941C3
              • ?SetEnabled@Element@DirectUI@@QEAAJ_N@Z.DUI70 ref: 00007FF68F295F8C
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: DirectElement@$Descendent@Enabled@FindV12@
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$IntroPage::EnablePrivacyButton$btnPrivacy
              • API String ID: 4067655880-1010810150
              • Opcode ID: dc0d5b84dec560f5ea5c5a6a20f4cc1546e37e5075f38b370573475e7112751c
              • Instruction ID: 2067ffc569d184b66d37fabcac62b5ea6d46784c4551802ef7959d43dc263e1d
              • Opcode Fuzzy Hash: dc0d5b84dec560f5ea5c5a6a20f4cc1546e37e5075f38b370573475e7112751c
              • Instruction Fuzzy Hash: F2F08176B08B46C2E7016799E5607E96350FF84754F904139EA4CC7655DFACD544C740
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • ?PropSheet_SendMessage@TaskPage@DirectUI@@IEAA_JI_K_J@Z.DUI70(?,?,?,?,00000000,00007FF68F298E8F,?,?,?,?,00000000,00007FF68F298FBC), ref: 00007FF68F298AA7
                • Part of subcall function 00007FF68F29CF60: _vsnprintf.MSVCRT ref: 00007FF68F29CF9F
                • Part of subcall function 00007FF68F29CF60: DbgPrintEx.NTDLL ref: 00007FF68F29CFD8
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: DirectMessage@Page@PrintPropSendSheet_Task_vsnprintf
              • String ID: CustomizePage::ResolutionsChecked$Dwz ERROR: %s:%d - hr = 0x%08X
              • API String ID: 1129277966-3714242847
              • Opcode ID: 7ac077c99aa7683e6c45cd3019606f2a68d86ee9f5c1c4fa7ba3a96a6e7cf133
              • Instruction ID: 2ca985f8b1fbe07e0a94d01869b503e9ba6193cd5586fddadebabf79456546de
              • Opcode Fuzzy Hash: 7ac077c99aa7683e6c45cd3019606f2a68d86ee9f5c1c4fa7ba3a96a6e7cf133
              • Instruction Fuzzy Hash: 74519E32B08A46C6F714AF95DA60AF96791BF84B80FA84539CA4DCB395DF3CE441C740
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: FreeString
              • String ID: SdpXmlGetAttribute
              • API String ID: 3341692771-740192764
              • Opcode ID: 2f34531b84c09ac0790225a2dd1ca62caf26cfd636cfe55fbce16e2c26a62afc
              • Instruction ID: ce7f066b7581677755ac4d1ea247658dced2b75de189c4427c3192c1cb6f0ba6
              • Opcode Fuzzy Hash: 2f34531b84c09ac0790225a2dd1ca62caf26cfd636cfe55fbce16e2c26a62afc
              • Instruction Fuzzy Hash: FE414F31B18B4AC2EB95AB96DA647B86760BF95FC4F104139CA4DCBB64DF2ED910C700
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Streammemset
              • String ID: (null)
              • API String ID: 1493320709-3941151225
              • Opcode ID: a519e9575c6bdb5bd15fc02c0742a2dd31579b770d27169e3c49a2530ffc1f78
              • Instruction ID: aac926e330d1c0c2ae7f363b7963c48c5b1ddd09384478f50666bd5d47308e90
              • Opcode Fuzzy Hash: a519e9575c6bdb5bd15fc02c0742a2dd31579b770d27169e3c49a2530ffc1f78
              • Instruction Fuzzy Hash: 87413272A05A06CAEB10DFA4E5A03ED33B1FB08358F51453ADA0D97BA8DF78D559C740
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: Descendent@DirectElement@FindV12@
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$WizardPage::SetNamedValues
              • API String ID: 894778106-2087978502
              • Opcode ID: a7567c830e7c8b92d41901f1190814e0f38ac10023a3e23260975f9daa1065fb
              • Instruction ID: 831ac11585ea42a63af49c24a92fadac8a295557578b9e7261f50f5c7b05c26f
              • Opcode Fuzzy Hash: a7567c830e7c8b92d41901f1190814e0f38ac10023a3e23260975f9daa1065fb
              • Instruction Fuzzy Hash: 2F119D75B18B4AC2E7209B92E660BE96750FF89F84F408239DA4CCB785DF2CE611C701
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: MessageSend
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$UpdateUIProgressValue
              • API String ID: 3850602802-1543068197
              • Opcode ID: a687c99e08c653c6b5e0753e2bf3f39854a9c4999685b9e818e908b5a819207e
              • Instruction ID: 79a22e3c47fcf66c8d653820a08078a3dc3f1209b1181ba6ea73ae9a24a2cd9c
              • Opcode Fuzzy Hash: a687c99e08c653c6b5e0753e2bf3f39854a9c4999685b9e818e908b5a819207e
              • Instruction Fuzzy Hash: 37115E31B08B86C2E6109F96EAA01A96361FF48BC0F54443ADE5D83B69DF6CE561C340
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: MessageSend
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$UpdateUIProgressColor
              • API String ID: 3850602802-551045880
              • Opcode ID: e3b932f9a7d6321821be932a296183fe220f3bfa31fdd760b7a81b81032fc349
              • Instruction ID: 24a3066789f14995002bcd1031b034c623e79bf0a976233c68f7fa8b0ff80f33
              • Opcode Fuzzy Hash: e3b932f9a7d6321821be932a296183fe220f3bfa31fdd760b7a81b81032fc349
              • Instruction Fuzzy Hash: 90015E71B08A86C2FB109BD6E6A06A96761FF44BD4F54443ADE4DC3B65CF2CE951C300
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: AllocString
              • String ID: Dwz ERROR: %s:%d - hr = 0x%08X$Packages_ID
              • API String ID: 2525500382-1606748242
              • Opcode ID: 887d9547f25ad355a14de9212127cbb6f8f60e695e937aa67604374dc1d65fb1
              • Instruction ID: f151ab66306321be7bb129138c54e0d2bf883f2578f6bc58048deb9270132ba3
              • Opcode Fuzzy Hash: 887d9547f25ad355a14de9212127cbb6f8f60e695e937aa67604374dc1d65fb1
              • Instruction Fuzzy Hash: 8F014630B48A46C2FE20EBD19A322F86360BF89B80F50053DCD4DC6795EEADE141C711
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: AllocString
              • String ID: Met ERROR: %s:%d - hr = 0x%08X$PackageInfo::get_Version
              • API String ID: 2525500382-1125107410
              • Opcode ID: be16f49250237faa9e4da517c139ba336d23c190e779d4c8104c5ecc16113eea
              • Instruction ID: ced413b6535965a2e850a820921ac9cc3b3bed4284af916652347029a0f5db32
              • Opcode Fuzzy Hash: be16f49250237faa9e4da517c139ba336d23c190e779d4c8104c5ecc16113eea
              • Instruction Fuzzy Hash: B2F06275B09A46C2FB245B95A6606F857A0FF44784F60403DEE4CCB755DE3DE954C700
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: AllocString
              • String ID: Met ERROR: %s:%d - hr = 0x%08X$Resolution::get_ID
              • API String ID: 2525500382-3785958729
              • Opcode ID: 4805eaf9652a747d53131fe390cf695ec33f95672ccf40c25c066617bf50fab9
              • Instruction ID: 7d131b2f56f40dbd20c7f5ab9b842f71cf7d603ecc6f6b268c7a6a02296b0131
              • Opcode Fuzzy Hash: 4805eaf9652a747d53131fe390cf695ec33f95672ccf40c25c066617bf50fab9
              • Instruction Fuzzy Hash: 3CF06271B0864AC2EB106B94A6546B46361BF48784F60403DDA4CC7395DF2ED864C714
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: AllocString
              • String ID: Met ERROR: %s:%d - hr = 0x%08X$Resolution::get_Name
              • API String ID: 2525500382-1706880978
              • Opcode ID: 9e62fc252b5452c8760a4e5a51e9cfa06f9ac34214cb1766dd98f3e95bce3272
              • Instruction ID: 7a3ee6be3374ead84667eb186e99b262b87629f8e30b8d57da938e2617decd6f
              • Opcode Fuzzy Hash: 9e62fc252b5452c8760a4e5a51e9cfa06f9ac34214cb1766dd98f3e95bce3272
              • Instruction Fuzzy Hash: B5F0F071B0864AC1EB106BA4E6A06F463A0BF54788F30413ECA4CCB399DE3ED854C700
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: AllocString
              • String ID: Met ERROR: %s:%d - hr = 0x%08X$Resolution::get_Description
              • API String ID: 2525500382-2418961911
              • Opcode ID: 47ec653252e48ff9d390fbd7d75357068ad44569e1f5b134e73f09e4e613c625
              • Instruction ID: 62984b2f830522f9c6840221226446eddff3747725f8fb756331934148c9d66d
              • Opcode Fuzzy Hash: 47ec653252e48ff9d390fbd7d75357068ad44569e1f5b134e73f09e4e613c625
              • Instruction Fuzzy Hash: F7F0F071B08646C2EB106B94E2A0BF46361BF44B88F708039DA8CCB3A9DE3DD815C300
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.426079974.00007FF68F291000.00000020.00020000.sdmp, Offset: 00007FF68F290000, based on PE: true
              • Associated: 00000012.00000002.426058478.00007FF68F290000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426183937.00007FF68F2D8000.00000002.00020000.sdmp
              • Associated: 00000012.00000002.426210414.00007FF68F2EE000.00000004.00020000.sdmp
              • Associated: 00000012.00000002.426223827.00007FF68F2EF000.00000002.00020000.sdmp
              Similarity
              • API ID: AllocString
              • String ID: Met ERROR: %s:%d - hr = 0x%08X$RootCause::get_ID
              • API String ID: 2525500382-778912759
              • Opcode ID: ffb55b2e8b4d1c758feccfaaab75cbd2768f831b30f18a3d0708accb3d505182
              • Instruction ID: 7f5071eef16ecfe7950a7b01af927945677cfeffa7e5acbdbb2293ec0f4fd391
              • Opcode Fuzzy Hash: ffb55b2e8b4d1c758feccfaaab75cbd2768f831b30f18a3d0708accb3d505182
              • Instruction Fuzzy Hash: 61F06275B08646C2FB10ABA4F6606F863A0BF54B8CF604139DA4CCB765DE2DE954C704
              Uniqueness

              Uniqueness Score: -1.00%