Play interactive tour

Edit tour

Windows Analysis Report cyr8VsVRxv.exe

Overview

General Information

Sample Name:	cyr8VsVRxv.exe
Analysis ID:	502334
MD5:	e60399a0e9761e7653376e878875ef3a
SHA1:	a2d96bbe0837fcb7a1057e69c8b77960a81ae2b9
SHA256:	881003326302ab243f71138e2e39517677c9117fd73e50f8989ee9b39e86407b
Tags:	BitRATexeRAT
Infos:
Most interesting Screenshot:

Detection

BitRAT

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected BitRAT

Hides threads from debuggers

Machine Learning detection for sample

Injects a PE file into a foreign processes

Contains functionality to inject code into remote processes

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Sleep loop found (likely to delay execution)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Installs a global mouse hook

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

cyr8VsVRxv.exe (PID: 6912 cmdline: 'C:\Users\user\Desktop\cyr8VsVRxv.exe' MD5: E60399A0E9761E7653376E878875EF3A)

cyr8VsVRxv.exe (PID: 6952 cmdline: 'C:\Users\user\Desktop\cyr8VsVRxv.exe' MD5: E60399A0E9761E7653376E878875EF3A)

cleanup

Malware Configuration

Threatname: BitRat

{"Host": "185.250.148.54", "Port": "4898", "Tor Port": "0", "Install Dir": "0", "Install File": "0", "Communication Password": "5e868314c93c46157fbd5b1adce630ff", "Tor Process Name": "tor"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000001.00000000.935850278.0000000000400000.00000040.00000001.sdmp	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
00000001.00000000.940036093.0000000000400000.00000040.00000001.sdmp	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
Process Memory Space: cyr8VsVRxv.exe PID: 6952	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security

Unpacked PEs

Source	Rule	Description	Author
1.0.cyr8VsVRxv.exe.400000.1.raw.unpack	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
1.0.cyr8VsVRxv.exe.400000.2.raw.unpack	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
1.2.cyr8VsVRxv.exe.400000.0.raw.unpack	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security
1.2.cyr8VsVRxv.exe.400000.0.unpack	JoeSecurity_BitRAT	Yara detected BitRAT	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000001.00000000.935850278.0000000000400000.00000040.00000001.sdmp

Malware Configuration Extractor: BitRat {"Host": "185.250.148.54", "Port": "4898", "Tor Port": "0", "Install Dir": "0", "Install File": "0", "Communication Password": "5e868314c93c46157fbd5b1adce630ff", "Tor Process Name": "tor"}

Machine Learning detection for sample

Show sources

Source: cyr8VsVRxv.exe

Joe Sandbox ML: detected

Source: cyr8VsVRxv.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: cyr8VsVRxv.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source:	Binary string: C:\dezovegoj\xezanapabala96\hexixobuvukuhe\juhubag4\rodoy\h.pdb source: cyr8VsVRxv.exe
Source:	Binary string: `C:\dezovegoj\xezanapabala96\hexixobuvukuhe\juhubag4\rodoy\h.pdb source: cyr8VsVRxv.exe

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

IPs: 185.250.148.54

Source: Joe Sandbox View

ASN Name: FIRSTDC-ASRU FIRSTDC-ASRU

Source: global traffic

TCP traffic: 192.168.2.4:49754 -> 185.250.148.54:4898

Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.250.148.54

Source: cyr8VsVRxv.exe, cyr8VsVRxv.exe, 00000001.00000000.935850278.0000000000400000.00000040.00000001.sdmp

String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe

Code function: 1_2_00415782 WSARecv,

1_2_00415782

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe

Windows user hook set: 0 mouse low level NULL

Jump to behavior

Source: cyr8VsVRxv.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 1_2_004113B9	1_2_004113B9
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 1_2_0068C54E	1_2_0068C54E
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 1_2_0040EA72	1_2_0040EA72
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 1_2_0068DCD0	1_2_0068DCD0
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 1_1_00693097	1_1_00693097
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 1_1_006B126E	1_1_006B126E
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 1_1_0068D297	1_1_0068D297
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 1_1_006AE329	1_1_006AE329

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: String function: 00411DDD appears 171 times
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: String function: 0068A19C appears 129 times
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: String function: 0068B440 appears 34 times
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: String function: 006B9C3C appears 413 times
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: String function: 006909D0 appears 86 times

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe

Code function: 0_2_037C0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,

0_2_037C0110

Source: cyr8VsVRxv.exe, 00000001.00000003.747429579.0000000003316000.00000004.00000001.sdmp

Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs cyr8VsVRxv.exe

Source: cyr8VsVRxv.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: cyr8VsVRxv.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\cyr8VsVRxv.exe 'C:\Users\user\Desktop\cyr8VsVRxv.exe'
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Process created: C:\Users\user\Desktop\cyr8VsVRxv.exe 'C:\Users\user\Desktop\cyr8VsVRxv.exe'
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Process created: C:\Users\user\Desktop\cyr8VsVRxv.exe 'C:\Users\user\Desktop\cyr8VsVRxv.exe'	Jump to behavior

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E436EBB3-524F-11CE-9F53-0020AF0BA770}\InprocServer32

Jump to behavior

Source: classification engine

Classification label: mal76.troj.evad.winEXE@3/0@0/1

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe

Mutant created: \Sessions\1\BaseNamedObjects\afb3e877cc714e505f82dd992f785161

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe

Code function: 1_2_00422D5E __CxxThrowException@8,GetLastError,LoadResource,LockResource,SizeofResource,

1_2_00422D5E

Source: cyr8VsVRxv.exe	String found in binary or memory: id-cmc-addExtensions
Source: cyr8VsVRxv.exe	String found in binary or memory: set-addPolicy

Source: cyr8VsVRxv.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: cyr8VsVRxv.exe

Static file information: File size 1776128 > 1048576

Source: cyr8VsVRxv.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x19ce00

Source: cyr8VsVRxv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: cyr8VsVRxv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: cyr8VsVRxv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: cyr8VsVRxv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: cyr8VsVRxv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: cyr8VsVRxv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: cyr8VsVRxv.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\dezovegoj\xezanapabala96\hexixobuvukuhe\juhubag4\rodoy\h.pdb source: cyr8VsVRxv.exe
Source:	Binary string: `C:\dezovegoj\xezanapabala96\hexixobuvukuhe\juhubag4\rodoy\h.pdb source: cyr8VsVRxv.exe

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 0_2_03649666 push ebp; iretd	0_2_0364966D
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 0_2_0364A461 push cs; ret	0_2_0364A463
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 0_2_0364B56E push C042A0DCh; iretd	0_2_0364B573
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 0_2_0364F177 push ss; retf	0_2_0364F17A
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 0_2_0364B9E7 push ebp; ret	0_2_0364B9E8
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 0_2_036498C4 push esi; iretd	0_2_036498C5
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 0_2_0364B5A7 push ebx; ret	0_2_0364B5AF
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 0_2_0364B1BA push esp; ret	0_2_0364B1C6
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 0_2_0365048F push ss; retf	0_2_036504AE
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 1_2_0068A4A9 push ecx; ret	1_2_0068A4BC
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 1_2_0068B486 push ecx; ret	1_2_0068B499
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 1_2_006B9C3C push eax; ret	1_2_006B9C5A
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 1_2_006B9CDC push ecx; ret	1_2_006B9CEC
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 1_1_0069909D pushad ; retf 0071h	1_1_006990A0

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe

Code function: 0_2_00584E90 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00584E90

Source: initial sample

Static PE information: section name: .text entropy: 7.95314540909

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7112	Thread sleep count: 4452 > 30	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7112	Thread sleep time: -44520s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7124	Thread sleep time: -35000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7128	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7088	Thread sleep count: 446 > 30	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7088	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7112	Thread sleep time: -10322220s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 5460	Thread sleep time: -10163890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 6616	Thread sleep time: -20288198s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 6008	Thread sleep time: -10144098s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7116	Thread sleep time: -10332116s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7112	Thread sleep time: -61408101s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe TID: 7116	Thread sleep time: -61398210s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe

Thread sleep count: Count: 4452 delay: -10

Jump to behavior

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread delayed: delay time: 10322220	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread delayed: delay time: 10163890	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread delayed: delay time: 10144099	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread delayed: delay time: 10144098	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread delayed: delay time: 10332116	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread delayed: delay time: 61408101	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread delayed: delay time: 61398210	Jump to behavior

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Window / User API: threadDelayed 4452			Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Window / User API: threadDelayed 446			Jump to behavior

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe

Code function: 1_2_004090D7 new,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

1_2_004090D7

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread delayed: delay time: 10322220	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread delayed: delay time: 10163890	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread delayed: delay time: 10144099	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread delayed: delay time: 10144098	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread delayed: delay time: 10332116	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread delayed: delay time: 61408101	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread delayed: delay time: 61398210	Jump to behavior

Source: cyr8VsVRxv.exe, 00000001.00000000.940880200.0000000000AEA000.00000004.00000020.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe

Code function: 0_2_0057F2F0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0057F2F0

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe

0_2_00584E90

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe

Code function: 1_2_0040F6F5 __EH_prolog,GetProcessHeap,

1_2_0040F6F5

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 0_2_036470A3 push dword ptr fs:[00000030h]	0_2_036470A3
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 0_2_037C0042 push dword ptr fs:[00000030h]	0_2_037C0042
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 1_2_006A482C mov eax, dword ptr fs:[00000030h]	1_2_006A482C

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 0_2_0057F2F0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0057F2F0
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 0_2_00581390 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00581390
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 1_2_0068A7EA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0068A7EA
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 1_2_00694A7C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00694A7C
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: 1_1_0068B743 SetUnhandledExceptionFilter,	1_1_0068B743

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe

Memory written: C:\Users\user\Desktop\cyr8VsVRxv.exe base: 400000 value starts with: 4D5A

Jump to behavior

Contains functionality to inject code into remote processes

Show sources

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe

0_2_037C0110

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe

Process created: C:\Users\user\Desktop\cyr8VsVRxv.exe 'C:\Users\user\Desktop\cyr8VsVRxv.exe'

Jump to behavior

Source: cyr8VsVRxv.exe, 00000001.00000000.936422512.0000000000AEA000.00000004.00000020.sdmp	Binary or memory string: Program Managerc
Source: cyr8VsVRxv.exe, 00000001.00000002.944500030.0000000001070000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: cyr8VsVRxv.exe, 00000001.00000002.944500030.0000000001070000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: cyr8VsVRxv.exe, 00000001.00000002.944500030.0000000001070000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: cyr8VsVRxv.exe, 00000001.00000003.916727219.00000000033C9000.00000004.00000001.sdmp	Binary or memory string: Program Managerrr
Source: cyr8VsVRxv.exe, 00000001.00000000.942578555.00000000033C9000.00000004.00000001.sdmp	Binary or memory string: Program ManagerVtr
Source: cyr8VsVRxv.exe, 00000001.00000000.936422512.0000000000AEA000.00000004.00000020.sdmp	Binary or memory string: Program Managerw
Source: cyr8VsVRxv.exe, 00000001.00000002.944500030.0000000001070000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: cyr8VsVRxv.exe, 00000001.00000000.942578555.00000000033C9000.00000004.00000001.sdmp	Binary or memory string: Program Manager8u`

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: EnumSystemLocalesW,	1_1_006AB108
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: EnumSystemLocalesW,	1_1_006B4238
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: EnumSystemLocalesW,	1_1_006B4283
Source: C:\Users\user\Desktop\cyr8VsVRxv.exe	Code function: EnumSystemLocalesW,	1_1_006B431E

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe

Code function: 1_2_0040EA72 cpuid

1_2_0040EA72

Source: C:\Users\user\Desktop\cyr8VsVRxv.exe

Code function: 0_2_00585D60 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00585D60

Stealing of Sensitive Information:

Yara detected BitRAT

Show sources

Source: Yara match	File source: 1.0.cyr8VsVRxv.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.cyr8VsVRxv.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.cyr8VsVRxv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.cyr8VsVRxv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.935850278.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.940036093.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cyr8VsVRxv.exe PID: 6952, type: MEMORYSTR

Remote Access Functionality:

Yara detected BitRAT

Show sources

Source: Yara match	File source: 1.0.cyr8VsVRxv.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.cyr8VsVRxv.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.cyr8VsVRxv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.cyr8VsVRxv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.935850278.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.940036093.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cyr8VsVRxv.exe PID: 6952, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Path Interception	Process Injection212	Virtualization/Sandbox Evasion131	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection212	LSASS Memory	Query Registry1	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Security Software Discovery121	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information3	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing2	LSA Secrets	Virtualization/Sandbox Evasion131	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery23	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
cyr8VsVRxv.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.0.cyr8VsVRxv.exe.400000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.1.cyr8VsVRxv.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.cyr8VsVRxv.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.cyr8VsVRxv.exe.37c15a0.1.unpack	100%	Avira	HEUR/AGEN.1127349	Download File
1.0.cyr8VsVRxv.exe.400000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.haxx.se/docs/http-cookies.html	cyr8VsVRxv.exe, cyr8VsVRxv.exe, 00000001.00000000.935850278.0000000000400000.00000040.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.250.148.54	unknown	Russian Federation		48430	FIRSTDC-ASRU	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	502334
Start date:	13.10.2021
Start time:	20:06:22
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	cyr8VsVRxv.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@3/0@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 32.1% (good quality ratio 28.8%) Quality average: 74.3% Quality standard deviation: 34.5%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.50.102.62, 95.100.218.79, 20.82.210.154, 2.20.178.56, 2.20.178.10, 2.20.178.24, 2.20.178.33, 20.54.110.249, 40.112.88.60, 20.189.173.22 Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, onedsblobprdwus17.westus.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:07:30	API Interceptor	1066x Sleep call for process: cyr8VsVRxv.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
FIRSTDC-ASRU	F75rJPKdGb.exe	Get hash	malicious	Browse	37.221.67.54
	Compensation-54975366-09272021.xls	Get hash	malicious	Browse	185.250.148.213
	Compensation-54975366-09272021.xls	Get hash	malicious	Browse	185.250.148.213
	xls.xls	Get hash	malicious	Browse	185.250.148.213
	Compensation-1214892625-09272021.xls	Get hash	malicious	Browse	185.250.148.213
	Compensation-2100058996-09272021.xls	Get hash	malicious	Browse	185.250.148.213
	Compensation-1657705079-09272021.xls	Get hash	malicious	Browse	185.250.148.213
	Compensation-1214892625-09272021.xls	Get hash	malicious	Browse	185.250.148.213
	#Qbot downloader.xls	Get hash	malicious	Browse	185.250.148.213
	Compensation-2308017-09272021.xls	Get hash	malicious	Browse	185.250.148.213
	Compensation-1730406737-09272021.xls	Get hash	malicious	Browse	185.250.148.213
	8AcNX5GzVY.exe	Get hash	malicious	Browse	37.221.67.56
	zfpLjnr5P9.exe	Get hash	malicious	Browse	37.221.66.251
	fK5LTFDKXC.exe	Get hash	malicious	Browse	37.221.67.53
	lHCBcjZBib.exe	Get hash	malicious	Browse	37.221.66.254
	Cx1HKT0xhO.exe	Get hash	malicious	Browse	37.221.66.245
	4i2nattkLT.exe	Get hash	malicious	Browse	37.221.66.245
	Z9GkJvygEk.exe	Get hash	malicious	Browse	37.221.66.253
	F1MwWrwBR7.exe	Get hash	malicious	Browse	37.221.66.253
	vq0sPlNJDK	Get hash	malicious	Browse	37.221.67.190

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.8289147667830745
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	cyr8VsVRxv.exe
File size:	1776128
MD5:	e60399a0e9761e7653376e878875ef3a
SHA1:	a2d96bbe0837fcb7a1057e69c8b77960a81ae2b9
SHA256:	881003326302ab243f71138e2e39517677c9117fd73e50f8989ee9b39e86407b
SHA512:	5226acef95bcc436f5a7d75bb9888fa6cc1bb2cc7638ebde597fd3e75c155eae029dae6dfb4223cddbcc5a31e4d402e8d88e97eaed83e9adc73ee4265b306264
SSDEEP:	24576:aGAASJ+e1ne+6Iyc0mauZEpTZIc1h9A+1TcVDka13/n/nMFaWaiEpwqnyGpXS28X:xAALe8+68auZuZ6SMJPIaoE2qne28X
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................U.......`.......a.......X...............d.......Q.......V.....Rich............PE..L....yd_...................

File Icon


Icon Hash:	aadaae9ee6a68aa4

Static PE Info

General
Entrypoint:	0x57fba0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x5F6479E1 [Fri Sep 18 09:12:01 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	e9d1f1739ab48fbfe7c7128688524302

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
call 00007FF858CE2DCBh
call 00007FF858CDCC26h
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push FFFFFFFEh
push 0059C7A0h
push 005839F0h
mov eax, dword ptr fs:[00000000h]
push eax
add esp, FFFFFF98h
push ebx
push esi
push edi
mov eax, dword ptr [0059E094h]
xor dword ptr [ebp-08h], eax
xor eax, ebp
push eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
mov dword ptr [ebp-18h], esp
mov dword ptr [ebp-70h], 00000000h
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00401060h]
cmp dword ptr [0180FE4Ch], 00000000h
jne 00007FF858CDCC20h
push 00000000h
push 00000000h
push 00000001h
push 00000000h
call dword ptr [00401118h]
call 00007FF858CDCDA3h
mov dword ptr [ebp-6Ch], eax
call 00007FF858CE42DBh
test eax, eax
jne 00007FF858CDCC1Ch
push 0000001Ch
call 00007FF858CDCD60h
add esp, 04h
call 00007FF858CE3C38h
test eax, eax
jne 00007FF858CDCC1Ch
push 00000010h
call 00007FF858CDCD4Dh
add esp, 04h
push 00000001h
call 00007FF858CE0983h
add esp, 04h
call 00007FF858CE3B4Bh
mov dword ptr [ebp-04h], 00000000h
call 00007FF858CE372Fh
test eax, eax

Rich Headers

Programming Language:

[LNK] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[C++] VS2010 build 30319
[RES] VS2010 build 30319
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x19d2f4	0x3c	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1411000	0x2f00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1414000	0x1b74	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1220	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x17bc38	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1d4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x19cde8	0x19ce00	False	0.94209927528	data	7.95314540909	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x19e000	0x1272e50	0x1c00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x1411000	0x2f00	0x3000	False	0.710693359375	data	6.15087485918	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1414000	0xfa9a	0xfc00	False	0.0944475446429	data	1.19488524626	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x14111b0	0x25a8	dBase III DBT, version number 0, next free block index 40
RT_STRING	0x1413908	0x53a	data	Divehi; Dhivehi; Maldivian	Maldives
RT_STRING	0x1413e48	0xb8	data	Divehi; Dhivehi; Maldivian	Maldives
RT_ACCELERATOR	0x1413770	0x68	data	Divehi; Dhivehi; Maldivian	Maldives
RT_GROUP_ICON	0x1413758	0x14	data
RT_VERSION	0x14137d8	0x130	data	Divehi; Dhivehi; Maldivian	Maldives

Imports

DLL

Import

KERNEL32.dll

GetEnvironmentVariableW, FileTimeToDosDateTime, CreateTimerQueue, SearchPathW, GetDriveTypeW, InterlockedDecrement, GetSystemWindowsDirectoryW, AddConsoleAliasW, FlushViewOfFile, FreeEnvironmentStringsA, OutputDebugStringW, GetModuleHandleW, CreateActCtxW, GlobalAlloc, LoadLibraryW, GetCalendarInfoA, GetSystemWow64DirectoryW, SetSystemTimeAdjustment, GetVersionExW, VerifyVersionInfoA, GetModuleFileNameW, CompareStringW, lstrlenW, SetThreadPriority, GetStartupInfoW, OpenMutexW, IsDBCSLeadByteEx, GetCurrentDirectoryW, GetLongPathNameW, SetLastError, GetProcAddress, SetVolumeLabelW, WriteProfileSectionA, GetConsoleDisplayMode, SearchPathA, GetPrivateProfileStringA, _hwrite, RegisterWaitForSingleObject, AddAtomW, SetCurrentDirectoryW, SetFileApisToANSI, AddAtomA, HeapWalk, GetModuleFileNameA, WTSGetActiveConsoleSessionId, CreateIoCompletionPort, QueryMemoryResourceNotification, FreeEnvironmentStringsW, RequestWakeupLatency, FillConsoleOutputAttribute, VirtualProtect, GetCPInfoExA, SetProcessShutdownParameters, GetVersionExA, DeleteFileW, CloseHandle, CreateFileW, InterlockedIncrement, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, DecodePointer, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EncodePointer, GetCommandLineW, HeapSetInformation, RaiseException, ExitProcess, GetLastError, WriteFile, GetStdHandle, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, HeapValidate, IsBadReadPtr, OutputDebugStringA, WriteConsoleW, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, SetHandleCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, HeapCreate, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, HeapAlloc, HeapReAlloc, HeapSize, HeapQueryInformation, HeapFree, RtlUnwind, MultiByteToWideChar, WideCharToMultiByte, LCMapStringW, GetStringTypeW, SetFilePointer, GetConsoleCP, GetConsoleMode, SetStdHandle, FlushFileBuffers

USER32.dll

GetMessageTime

Version Infos

Description	Data
Translation	0x0151 0x0013

Possible Origin

Language of compilation system	Country where language is spoken	Map
Divehi; Dhivehi; Maldivian	Maldives

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2021 20:07:30.711514950 CEST	49754	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:30.758821964 CEST	4898	49754	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:30.758970022 CEST	49754	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:30.759442091 CEST	49754	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:30.827857971 CEST	4898	49754	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:30.827891111 CEST	4898	49754	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:30.828079939 CEST	49754	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:30.838993073 CEST	49754	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:30.889060020 CEST	4898	49754	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:30.889386892 CEST	49754	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:30.938378096 CEST	4898	49754	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:30.987140894 CEST	49754	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:31.034024000 CEST	4898	49754	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:31.080993891 CEST	49754	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:31.805027962 CEST	49754	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:31.867099047 CEST	4898	49754	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:32.819533110 CEST	49754	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:32.899820089 CEST	4898	49754	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:33.784775972 CEST	49754	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:33.851253986 CEST	4898	49754	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:33.851547003 CEST	49754	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:33.929734945 CEST	4898	49754	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:37.084112883 CEST	49754	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:37.131033897 CEST	4898	49754	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:37.273688078 CEST	49755	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:37.321962118 CEST	4898	49755	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:37.323036909 CEST	49755	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:37.325232983 CEST	49755	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:37.398427963 CEST	4898	49755	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:37.401083946 CEST	4898	49755	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:37.401117086 CEST	4898	49755	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:37.401238918 CEST	49755	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:37.425049067 CEST	49755	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:37.474675894 CEST	4898	49755	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:37.475023985 CEST	49755	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:37.525681019 CEST	4898	49755	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:37.581367016 CEST	49755	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:37.628494978 CEST	4898	49755	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:37.675175905 CEST	49755	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:38.353804111 CEST	49755	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:38.447212934 CEST	4898	49755	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:39.210942984 CEST	4898	49754	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:39.210982084 CEST	4898	49755	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:39.211061954 CEST	49754	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:39.269007921 CEST	49755	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:39.370589018 CEST	49755	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:39.452477932 CEST	4898	49755	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:40.692504883 CEST	49755	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:40.777170897 CEST	4898	49755	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:40.777388096 CEST	49755	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:40.851496935 CEST	4898	49755	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:41.544320107 CEST	49755	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:41.591337919 CEST	4898	49755	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:41.693121910 CEST	49756	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:41.744394064 CEST	4898	49756	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:41.744584084 CEST	49756	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:41.745227098 CEST	49756	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:41.808670998 CEST	4898	49756	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:41.813227892 CEST	4898	49756	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:41.813250065 CEST	4898	49756	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:41.813385010 CEST	49756	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:41.822876930 CEST	49756	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:41.874445915 CEST	4898	49756	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:41.875013113 CEST	49756	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:41.924489975 CEST	4898	49756	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:41.972357988 CEST	49756	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:42.019402027 CEST	4898	49756	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:42.066124916 CEST	49756	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:42.776170969 CEST	49756	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:42.835926056 CEST	4898	49756	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:43.790879965 CEST	49756	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:43.867511034 CEST	4898	49756	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:44.770369053 CEST	49756	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:44.836095095 CEST	4898	49756	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:44.836246967 CEST	49756	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:44.898262024 CEST	4898	49756	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:45.663104057 CEST	49756	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:45.710114002 CEST	4898	49756	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:45.800564051 CEST	49757	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:45.848062992 CEST	4898	49757	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:45.848191023 CEST	49757	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:45.849114895 CEST	49757	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:45.916897058 CEST	4898	49757	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:45.924381971 CEST	4898	49757	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:45.924412966 CEST	4898	49757	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:45.924501896 CEST	49757	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:45.940974951 CEST	49757	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:45.990441084 CEST	4898	49757	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:45.990950108 CEST	49757	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:46.046947956 CEST	4898	49757	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:46.097796917 CEST	49757	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:46.147550106 CEST	4898	49757	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:46.191638947 CEST	49757	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:46.884495974 CEST	49757	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:46.960819006 CEST	4898	49757	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:47.900516033 CEST	49757	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:47.976464033 CEST	4898	49757	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:48.880309105 CEST	49757	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:48.962372065 CEST	4898	49757	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:48.963999987 CEST	49757	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:49.039004087 CEST	4898	49757	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:49.230907917 CEST	4898	49755	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:49.231035948 CEST	4898	49757	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:49.231061935 CEST	4898	49756	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:49.231261969 CEST	49756	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:49.236109972 CEST	49755	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:49.270855904 CEST	49757	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:49.351511002 CEST	4898	49757	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:49.931850910 CEST	49757	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:50.023288965 CEST	4898	49757	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:50.320164919 CEST	49757	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:50.372019053 CEST	4898	49757	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:50.452198982 CEST	49760	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:50.499346972 CEST	4898	49760	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:50.499463081 CEST	49760	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:50.500046015 CEST	49760	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:50.570398092 CEST	4898	49760	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:50.576942921 CEST	4898	49760	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:50.576982021 CEST	4898	49760	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:50.577157021 CEST	49760	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:50.593074083 CEST	49760	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:50.644330025 CEST	4898	49760	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:50.644733906 CEST	49760	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:50.711395979 CEST	4898	49760	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:50.819004059 CEST	4898	49760	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:50.863782883 CEST	49760	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:50.911150932 CEST	4898	49760	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:50.946973085 CEST	49760	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:51.010371923 CEST	4898	49760	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:51.525070906 CEST	49760	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:51.586189032 CEST	4898	49760	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:51.963718891 CEST	49760	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:52.038917065 CEST	4898	49760	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:52.540118933 CEST	49760	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:52.616955996 CEST	4898	49760	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:52.979408026 CEST	49760	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:53.054461956 CEST	4898	49760	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:53.521456957 CEST	49760	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:53.585911989 CEST	4898	49760	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:53.586065054 CEST	49760	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:53.648832083 CEST	4898	49760	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:54.030692101 CEST	49760	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:54.101459980 CEST	4898	49760	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:54.417406082 CEST	49760	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:54.464649916 CEST	4898	49760	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:54.506009102 CEST	49761	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:54.554610014 CEST	4898	49761	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:54.554800034 CEST	49761	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:54.555474997 CEST	49761	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:54.617084980 CEST	4898	49761	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:54.668771029 CEST	4898	49761	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:54.668823957 CEST	4898	49761	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:54.669895887 CEST	49761	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:54.688357115 CEST	49761	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:54.834487915 CEST	4898	49761	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:54.835649014 CEST	49761	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:54.913759947 CEST	4898	49761	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:54.918831110 CEST	4898	49761	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:54.959270954 CEST	49761	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:55.006160975 CEST	4898	49761	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:55.040028095 CEST	49761	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:55.132996082 CEST	4898	49761	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:55.589087009 CEST	49761	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:55.679656982 CEST	4898	49761	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:56.082468033 CEST	49761	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:56.174093962 CEST	4898	49761	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:56.605405092 CEST	49761	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:56.695110083 CEST	4898	49761	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:57.075979948 CEST	49761	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:57.163846016 CEST	4898	49761	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:57.584415913 CEST	49761	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:57.665843010 CEST	4898	49761	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:57.666043043 CEST	49761	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:57.742933989 CEST	4898	49761	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:58.088634968 CEST	49761	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:58.381197929 CEST	4898	49761	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:58.493654966 CEST	49761	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:58.540507078 CEST	4898	49761	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:58.615174055 CEST	49762	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:58.662113905 CEST	4898	49762	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:58.662246943 CEST	49762	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:58.663631916 CEST	49762	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:58.726162910 CEST	4898	49762	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:58.726244926 CEST	4898	49762	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:58.726262093 CEST	4898	49762	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:58.726314068 CEST	49762	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:58.740643978 CEST	49762	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:58.790091991 CEST	4898	49762	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:58.791727066 CEST	49762	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:58.840262890 CEST	4898	49762	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:58.880091906 CEST	49762	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:58.926919937 CEST	4898	49762	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:58.974289894 CEST	49762	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:59.131131887 CEST	49762	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:59.211016893 CEST	4898	49762	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:59.243288040 CEST	4898	49760	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:59.243365049 CEST	49760	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:59.243386984 CEST	4898	49762	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:59.243407011 CEST	4898	49761	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:59.243468046 CEST	49761	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:59.243760109 CEST	4898	49757	185.250.148.54	192.168.2.4
Oct 13, 2021 20:07:59.243906975 CEST	49757	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:59.286495924 CEST	49762	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:59.698065996 CEST	49762	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:07:59.773197889 CEST	4898	49762	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:00.123177052 CEST	49762	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:00.210697889 CEST	4898	49762	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:00.730019093 CEST	49762	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:00.820219994 CEST	4898	49762	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:01.138652086 CEST	49762	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:01.226326942 CEST	4898	49762	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:01.693855047 CEST	49762	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:01.773142099 CEST	4898	49762	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:01.773294926 CEST	49762	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:01.868041992 CEST	4898	49762	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:02.150593996 CEST	49762	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:02.241815090 CEST	4898	49762	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:02.566091061 CEST	49762	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:02.613225937 CEST	4898	49762	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:02.653531075 CEST	49763	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:02.701273918 CEST	4898	49763	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:02.701564074 CEST	49763	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:02.702729940 CEST	49763	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:02.773436069 CEST	4898	49763	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:02.775757074 CEST	4898	49763	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:02.775779009 CEST	4898	49763	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:02.775919914 CEST	49763	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:02.791155100 CEST	49763	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:02.841831923 CEST	4898	49763	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:02.842396975 CEST	49763	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:02.896749973 CEST	4898	49763	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:02.897125006 CEST	49763	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:02.946295023 CEST	4898	49763	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:02.990401030 CEST	49763	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:03.169260025 CEST	49763	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:03.257659912 CEST	4898	49763	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:03.760886908 CEST	49763	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:03.835948944 CEST	4898	49763	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:03.836015940 CEST	49763	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:03.898432016 CEST	4898	49763	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:04.183206081 CEST	49763	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:04.257683992 CEST	4898	49763	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:04.760968924 CEST	49763	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:04.836328030 CEST	4898	49763	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:04.836451054 CEST	49763	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:04.898381948 CEST	4898	49763	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:05.197686911 CEST	49763	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:05.273231983 CEST	4898	49763	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:05.725004911 CEST	49763	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:05.789274931 CEST	4898	49763	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:05.789386034 CEST	49763	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:05.874901056 CEST	4898	49763	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:05.875123978 CEST	49763	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:05.950517893 CEST	4898	49763	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:06.217577934 CEST	49763	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:06.288902044 CEST	4898	49763	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:06.522550106 CEST	49763	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:06.570365906 CEST	4898	49763	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:06.741333008 CEST	49764	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:06.788558960 CEST	4898	49764	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:06.788743973 CEST	49764	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:06.789552927 CEST	49764	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:06.861979961 CEST	4898	49764	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:06.862015009 CEST	4898	49764	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:06.862179995 CEST	49764	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:06.878046989 CEST	49764	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:06.927133083 CEST	4898	49764	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:06.927819014 CEST	49764	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:06.977509975 CEST	4898	49764	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:06.977886915 CEST	49764	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:07.025029898 CEST	4898	49764	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:07.068397999 CEST	49764	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:07.230258942 CEST	49764	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:07.304452896 CEST	4898	49764	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:07.826010942 CEST	49764	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:07.898411989 CEST	4898	49764	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:07.898566008 CEST	49764	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:07.960839987 CEST	4898	49764	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:08.247107029 CEST	49764	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:08.322917938 CEST	4898	49764	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:08.841434956 CEST	49764	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:08.914043903 CEST	4898	49764	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:08.914181948 CEST	49764	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:08.976444960 CEST	4898	49764	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:09.258012056 CEST	4898	49763	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:09.258160114 CEST	49763	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:09.258658886 CEST	4898	49762	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:09.258758068 CEST	49762	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:09.259912014 CEST	4898	49764	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:09.260390043 CEST	49764	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:09.335764885 CEST	4898	49764	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:09.819727898 CEST	49764	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:09.899379969 CEST	4898	49764	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:09.899480104 CEST	49764	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:09.977196932 CEST	4898	49764	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:10.280991077 CEST	49764	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:10.352032900 CEST	4898	49764	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:10.696610928 CEST	49764	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:10.745263100 CEST	4898	49764	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:10.805670023 CEST	49766	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:10.852574110 CEST	4898	49766	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:10.852974892 CEST	49766	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:10.853656054 CEST	49766	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:10.929492950 CEST	4898	49766	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:10.934210062 CEST	4898	49766	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:10.934264898 CEST	4898	49766	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:10.934402943 CEST	49766	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:10.951806068 CEST	49766	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:11.005510092 CEST	4898	49766	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:11.006563902 CEST	49766	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:11.057668924 CEST	4898	49766	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:11.058065891 CEST	49766	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:11.105005026 CEST	4898	49766	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:11.148086071 CEST	49766	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:11.299762011 CEST	49766	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:11.367094994 CEST	4898	49766	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:11.891521931 CEST	49766	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:11.961097956 CEST	4898	49766	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:11.961178064 CEST	49766	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:12.038985014 CEST	4898	49766	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:12.311145067 CEST	49766	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:12.382900953 CEST	4898	49766	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:12.929043055 CEST	49766	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:13.008063078 CEST	4898	49766	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:13.016170025 CEST	49766	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:13.086505890 CEST	4898	49766	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:13.326292992 CEST	49766	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:13.398341894 CEST	4898	49766	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:13.975559950 CEST	49766	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:14.054949999 CEST	4898	49766	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:14.055145025 CEST	49766	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:14.117151976 CEST	4898	49766	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:14.340845108 CEST	49766	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:14.415254116 CEST	4898	49766	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:14.805403948 CEST	49766	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:14.852411032 CEST	4898	49766	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:14.916471004 CEST	49767	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:14.963682890 CEST	4898	49767	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:14.963896990 CEST	49767	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:14.964581966 CEST	49767	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:15.030870914 CEST	4898	49767	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:15.030896902 CEST	4898	49767	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:15.031007051 CEST	49767	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:15.045748949 CEST	49767	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:15.095923901 CEST	4898	49767	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:15.096415997 CEST	49767	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:15.145415068 CEST	4898	49767	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:15.145771980 CEST	49767	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:15.193166971 CEST	4898	49767	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:15.193629980 CEST	49767	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:15.258220911 CEST	4898	49767	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:15.358078003 CEST	49767	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:15.429807901 CEST	4898	49767	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:15.999382973 CEST	49767	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:16.070190907 CEST	4898	49767	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:16.070415020 CEST	49767	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:16.148396015 CEST	4898	49767	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:16.372834921 CEST	49767	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:16.445530891 CEST	4898	49767	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:17.012249947 CEST	49767	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:17.085932970 CEST	4898	49767	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:17.086093903 CEST	49767	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:17.148724079 CEST	4898	49767	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:17.385446072 CEST	49767	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:17.460922956 CEST	4898	49767	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:18.109101057 CEST	49767	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:18.185614109 CEST	4898	49767	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:18.185795069 CEST	49767	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:18.233853102 CEST	4898	49767	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:18.932955980 CEST	49768	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:18.979851961 CEST	4898	49768	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:18.979950905 CEST	49768	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:18.980722904 CEST	49768	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:19.057935953 CEST	4898	49768	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:19.058126926 CEST	4898	49768	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:19.058140993 CEST	4898	49768	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:19.058259010 CEST	49768	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:19.068516970 CEST	49768	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:19.117779016 CEST	4898	49768	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:19.118269920 CEST	49768	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:19.169455051 CEST	4898	49768	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:19.169759989 CEST	49768	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:19.216725111 CEST	4898	49768	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:19.257028103 CEST	49768	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:19.276165009 CEST	4898	49766	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:19.276428938 CEST	4898	49764	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:19.276436090 CEST	49766	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:19.276541948 CEST	49764	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:19.304024935 CEST	4898	49768	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:19.350759983 CEST	49768	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:19.419617891 CEST	49768	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:19.492491007 CEST	4898	49768	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:20.011013985 CEST	49768	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:20.085972071 CEST	4898	49768	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:20.139651060 CEST	49768	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:20.210952997 CEST	4898	49768	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:20.211066961 CEST	49768	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:20.289485931 CEST	4898	49768	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:20.434565067 CEST	49768	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:20.507759094 CEST	4898	49768	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:21.030231953 CEST	49768	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:21.101773024 CEST	4898	49768	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:21.153584003 CEST	49768	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:21.226520061 CEST	4898	49768	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:21.226986885 CEST	49768	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:21.304523945 CEST	4898	49768	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:21.448292017 CEST	49768	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:21.507719994 CEST	4898	49768	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:22.007850885 CEST	49768	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:22.070394039 CEST	4898	49768	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:22.070547104 CEST	49768	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:22.149914980 CEST	4898	49768	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:22.171530008 CEST	49768	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:22.243037939 CEST	4898	49768	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:22.244625092 CEST	49768	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:22.301043987 CEST	4898	49768	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:22.890690088 CEST	49769	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:22.938035011 CEST	4898	49769	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:22.938200951 CEST	49769	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:22.938769102 CEST	49769	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:23.008364916 CEST	4898	49769	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:23.010238886 CEST	4898	49769	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:23.010262012 CEST	4898	49769	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:23.010365963 CEST	49769	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:23.024652958 CEST	49769	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:23.079200029 CEST	4898	49769	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:23.083801031 CEST	49769	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:23.133419037 CEST	4898	49769	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:23.133785963 CEST	49769	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:23.181837082 CEST	4898	49769	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:23.185731888 CEST	49769	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:23.258080959 CEST	4898	49769	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:23.258164883 CEST	49769	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:23.325953007 CEST	4898	49769	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:23.480218887 CEST	49769	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:23.555763006 CEST	4898	49769	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:23.966372967 CEST	49769	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:24.038909912 CEST	4898	49769	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:24.073745966 CEST	49769	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:24.148574114 CEST	4898	49769	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:24.202977896 CEST	49769	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:24.262932062 CEST	4898	49769	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:24.265331984 CEST	49769	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:24.316684008 CEST	4898	49769	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:27.133747101 CEST	49772	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:27.182658911 CEST	4898	49772	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:27.182797909 CEST	49772	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:27.183440924 CEST	49772	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:27.260113955 CEST	4898	49772	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:27.260149956 CEST	4898	49772	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:27.260252953 CEST	49772	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:27.272130966 CEST	49772	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:27.325503111 CEST	4898	49772	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:27.325947046 CEST	49772	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:27.375520945 CEST	4898	49772	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:27.375816107 CEST	49772	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:27.422957897 CEST	4898	49772	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:27.423235893 CEST	49772	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:27.498390913 CEST	4898	49772	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:27.543435097 CEST	49772	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:27.617069006 CEST	4898	49772	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:28.215189934 CEST	49772	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:28.291256905 CEST	4898	49772	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:28.291404963 CEST	49772	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:28.367173910 CEST	4898	49772	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:28.559410095 CEST	49772	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:28.632788897 CEST	4898	49772	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:29.231509924 CEST	49772	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:29.289108038 CEST	4898	49772	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:29.289271116 CEST	49772	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:29.367245913 CEST	4898	49772	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:29.367335081 CEST	49772	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:29.429565907 CEST	4898	49772	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:29.574475050 CEST	49772	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:29.652646065 CEST	4898	49772	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:30.248832941 CEST	49772	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:30.320992947 CEST	4898	49772	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:30.321111917 CEST	49772	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:30.398798943 CEST	4898	49772	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:30.590423107 CEST	49772	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:30.663783073 CEST	4898	49772	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:31.218095064 CEST	49772	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:31.274553061 CEST	4898	49772	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:31.305908918 CEST	49774	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:31.355021954 CEST	4898	49774	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:31.355479956 CEST	49774	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:31.356245041 CEST	49774	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:31.428203106 CEST	4898	49774	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:31.428231955 CEST	4898	49774	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:31.428323984 CEST	49774	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:31.437581062 CEST	49774	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:31.486799002 CEST	4898	49774	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:31.488065958 CEST	49774	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:31.537292957 CEST	4898	49774	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:31.586070061 CEST	49774	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:31.606408119 CEST	49774	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:31.633404970 CEST	4898	49774	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:31.679570913 CEST	4898	49774	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:31.679862022 CEST	49774	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:32.387792110 CEST	49774	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:32.461190939 CEST	4898	49774	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:32.621861935 CEST	49774	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:32.697473049 CEST	4898	49774	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:33.404194117 CEST	49774	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:33.476489067 CEST	4898	49774	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:33.637191057 CEST	49774	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:33.711267948 CEST	4898	49774	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:34.383644104 CEST	49774	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:34.460916042 CEST	4898	49774	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:34.460988998 CEST	49774	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:34.540529966 CEST	4898	49774	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:34.652967930 CEST	49774	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:34.730112076 CEST	4898	49774	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:35.167187929 CEST	49774	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:35.214384079 CEST	4898	49774	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:35.327135086 CEST	49780	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:35.378678083 CEST	4898	49780	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:35.379304886 CEST	49780	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:35.379895926 CEST	49780	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:35.445652008 CEST	4898	49780	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:35.445682049 CEST	4898	49780	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:35.445873976 CEST	49780	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:35.462591887 CEST	49780	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:35.511600018 CEST	4898	49780	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:35.512003899 CEST	49780	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:35.562908888 CEST	4898	49780	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:35.563348055 CEST	49780	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:35.610130072 CEST	4898	49780	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:35.664664984 CEST	49780	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:35.668164968 CEST	49780	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:35.726556063 CEST	4898	49780	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:36.402720928 CEST	49780	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:36.476767063 CEST	4898	49780	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:36.476947069 CEST	49780	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:36.538983107 CEST	4898	49780	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:36.687179089 CEST	49780	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:36.757639885 CEST	4898	49780	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:37.419717073 CEST	49780	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:37.491995096 CEST	4898	49780	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:37.492120981 CEST	49780	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:37.571245909 CEST	4898	49780	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:37.702764988 CEST	49780	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:37.773824930 CEST	4898	49780	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:38.399641991 CEST	49780	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:38.476857901 CEST	4898	49780	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:38.476953983 CEST	49780	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:38.539212942 CEST	4898	49780	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:38.539431095 CEST	49780	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:38.617110968 CEST	4898	49780	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:38.716543913 CEST	49780	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:38.788997889 CEST	4898	49780	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:39.212960005 CEST	49780	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:39.259687901 CEST	4898	49780	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:39.305071115 CEST	4898	49772	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:39.305270910 CEST	49772	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:39.306119919 CEST	4898	49774	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:39.306214094 CEST	49774	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:39.306909084 CEST	4898	49780	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:39.306987047 CEST	49780	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:39.317186117 CEST	49782	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:39.363944054 CEST	4898	49782	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:39.364077091 CEST	49782	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:39.364757061 CEST	49782	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:39.429599047 CEST	4898	49782	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:39.436372995 CEST	4898	49782	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:39.436405897 CEST	4898	49782	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:39.436567068 CEST	49782	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:39.453187943 CEST	49782	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:39.502186060 CEST	4898	49782	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:39.502614021 CEST	49782	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:39.570214033 CEST	4898	49782	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:39.633209944 CEST	4898	49782	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:39.633439064 CEST	49782	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:39.681360960 CEST	4898	49782	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:39.681729078 CEST	49782	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:39.757724047 CEST	4898	49782	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:39.757824898 CEST	49782	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:39.820245028 CEST	4898	49782	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:40.388262033 CEST	49782	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:40.461203098 CEST	4898	49782	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:40.462058067 CEST	49782	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:40.538997889 CEST	4898	49782	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:40.541610956 CEST	49782	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:40.624418974 CEST	4898	49782	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:40.748574972 CEST	49782	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:40.820322037 CEST	4898	49782	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:41.403875113 CEST	49782	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:41.476557016 CEST	4898	49782	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:41.476727962 CEST	49782	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:41.539180040 CEST	4898	49782	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:41.539273977 CEST	49782	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:41.617388964 CEST	4898	49782	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:41.763763905 CEST	49782	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:41.835895061 CEST	4898	49782	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:42.421078920 CEST	49782	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:42.492247105 CEST	4898	49782	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:42.495398998 CEST	49782	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:42.570547104 CEST	4898	49782	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:42.571965933 CEST	49782	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:42.650582075 CEST	4898	49782	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:42.778354883 CEST	49782	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:42.836139917 CEST	4898	49782	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:43.150223017 CEST	49782	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:43.197072029 CEST	4898	49782	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:43.280658960 CEST	49783	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:43.328558922 CEST	4898	49783	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:43.329385996 CEST	49783	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:43.330218077 CEST	49783	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:43.413695097 CEST	4898	49783	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:43.413743019 CEST	4898	49783	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:43.422127008 CEST	49783	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:43.427531958 CEST	49783	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:43.482934952 CEST	4898	49783	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:43.486634016 CEST	49783	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:43.549118996 CEST	4898	49783	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:43.555852890 CEST	49783	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:43.603092909 CEST	4898	49783	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:43.603888035 CEST	49783	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:43.680212975 CEST	4898	49783	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:43.795778036 CEST	49783	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:43.867655039 CEST	4898	49783	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:44.382509947 CEST	49783	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:44.461880922 CEST	4898	49783	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:44.467221975 CEST	49783	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:44.556184053 CEST	4898	49783	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:44.556987047 CEST	49783	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:44.625116110 CEST	4898	49783	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:44.625595093 CEST	49783	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:44.697618008 CEST	4898	49783	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:44.819968939 CEST	49783	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:44.900017977 CEST	4898	49783	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:45.388700008 CEST	49783	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:45.461343050 CEST	4898	49783	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:45.466449022 CEST	49783	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:45.545531034 CEST	4898	49783	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:45.551561117 CEST	49783	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:45.617389917 CEST	4898	49783	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:45.617626905 CEST	49783	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:45.682385921 CEST	4898	49783	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:45.829262018 CEST	49783	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:45.914275885 CEST	4898	49783	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:46.369178057 CEST	49783	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:46.445744038 CEST	4898	49783	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:46.453669071 CEST	49783	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:46.539310932 CEST	4898	49783	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:46.543710947 CEST	49783	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:46.617249966 CEST	4898	49783	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:46.627265930 CEST	49783	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:46.711302042 CEST	4898	49783	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:46.842880011 CEST	49783	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:46.914519072 CEST	4898	49783	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:47.150882959 CEST	49783	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:47.200126886 CEST	4898	49783	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:47.273732901 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:47.322721004 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:47.323072910 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:47.324265957 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:47.399111032 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:47.404203892 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:47.405570984 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:47.421035051 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:47.472352982 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:47.472989082 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:47.522675037 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:47.522948980 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:47.570578098 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:47.570951939 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:47.648461103 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:47.648705006 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:47.726449966 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:47.858164072 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:47.929809093 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:48.356818914 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:48.429882050 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:48.451841116 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:48.523401976 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:48.527329922 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:48.601569891 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:48.601790905 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:48.679672003 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:48.679864883 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:48.758045912 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:48.876136065 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:49.027308941 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:49.321363926 CEST	4898	49783	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:49.321439028 CEST	49783	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:49.321537971 CEST	4898	49782	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:49.321597099 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:49.321643114 CEST	49782	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:49.369899988 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:49.374923944 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:49.445246935 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:49.467957973 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:49.539279938 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:49.539376974 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:49.617111921 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:49.619472980 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:49.696064949 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:49.696588993 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:49.757978916 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:49.894303083 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:49.964102030 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:50.354089975 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:50.429629087 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:50.430059910 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:50.508900881 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:50.509175062 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:50.586654902 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:50.586751938 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:50.648308039 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:50.650441885 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:50.726723909 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:50.727350950 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:50.804569960 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:50.905750036 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:50.976672888 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:51.151211977 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:51.199377060 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:51.607861996 CEST	49785	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:51.656450987 CEST	4898	49785	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:51.656636000 CEST	49785	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:51.657135963 CEST	49785	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:51.723299026 CEST	4898	49785	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:51.723331928 CEST	4898	49785	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:51.723453045 CEST	49785	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:51.741566896 CEST	49785	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:51.791090965 CEST	4898	49785	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:51.795023918 CEST	49785	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:51.867130041 CEST	4898	49785	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:51.919836044 CEST	49785	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:51.993798018 CEST	4898	49785	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:52.024759054 CEST	4898	49785	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:52.025226116 CEST	49785	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:52.072228909 CEST	4898	49785	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:52.119359970 CEST	49785	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:52.711891890 CEST	49785	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:52.789218903 CEST	4898	49785	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:52.789340019 CEST	49785	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:52.867397070 CEST	4898	49785	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:52.936347008 CEST	49785	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:53.007811069 CEST	4898	49785	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:53.702438116 CEST	49785	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:53.773716927 CEST	4898	49785	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:53.773833036 CEST	49785	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:53.836288929 CEST	4898	49785	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:53.952680111 CEST	49785	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:54.023463011 CEST	4898	49785	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:54.682477951 CEST	49785	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:54.757816076 CEST	4898	49785	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:54.758884907 CEST	49785	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:54.820384979 CEST	4898	49785	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:54.969408035 CEST	49785	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:55.039036036 CEST	4898	49785	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:55.511157990 CEST	49785	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:55.557986021 CEST	4898	49785	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:55.598469019 CEST	49786	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:55.645629883 CEST	4898	49786	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:55.645869017 CEST	49786	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:55.646631956 CEST	49786	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:55.710813999 CEST	4898	49786	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:55.714082956 CEST	4898	49786	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:55.714112997 CEST	4898	49786	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:55.714194059 CEST	49786	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:55.730669022 CEST	49786	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:55.780096054 CEST	4898	49786	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:55.780641079 CEST	49786	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:55.831269979 CEST	4898	49786	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:55.831747055 CEST	49786	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:55.882312059 CEST	4898	49786	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:55.882791996 CEST	49786	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:55.983473063 CEST	4898	49786	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:55.983721018 CEST	49786	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:56.054647923 CEST	4898	49786	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:56.669759035 CEST	49786	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:56.742185116 CEST	4898	49786	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:56.748925924 CEST	49786	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:56.820245981 CEST	4898	49786	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:56.820430994 CEST	49786	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:56.898432016 CEST	4898	49786	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:57.002583981 CEST	49786	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:57.070255041 CEST	4898	49786	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:57.686600924 CEST	49786	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:57.757858038 CEST	4898	49786	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:57.790724039 CEST	49786	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:57.878658056 CEST	4898	49786	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:57.881200075 CEST	49786	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:57.961042881 CEST	4898	49786	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:58.017177105 CEST	49786	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:58.101541996 CEST	4898	49786	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:58.706646919 CEST	49786	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:58.774027109 CEST	4898	49786	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:58.780165911 CEST	49786	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:58.852262974 CEST	4898	49786	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:58.852335930 CEST	49786	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:58.929871082 CEST	4898	49786	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:59.035525084 CEST	49786	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:59.103005886 CEST	4898	49786	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:59.337059021 CEST	4898	49785	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:59.337148905 CEST	49785	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:59.345318079 CEST	4898	49784	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:59.345403910 CEST	49784	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:08:59.345455885 CEST	4898	49786	185.250.148.54	192.168.2.4
Oct 13, 2021 20:08:59.463512897 CEST	49786	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:00.474771023 CEST	49786	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:00.566329002 CEST	49788	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:00.613679886 CEST	4898	49788	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:00.613864899 CEST	49788	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:00.614583015 CEST	49788	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:00.683779001 CEST	4898	49788	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:00.690733910 CEST	4898	49788	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:00.690763950 CEST	4898	49788	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:00.693361044 CEST	49788	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:00.706310987 CEST	49788	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:00.757574081 CEST	4898	49788	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:00.758007050 CEST	49788	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:00.810173988 CEST	4898	49788	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:01.026170015 CEST	49788	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:01.073466063 CEST	4898	49788	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:01.233990908 CEST	49788	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:01.640608072 CEST	49788	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:01.742682934 CEST	4898	49788	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:02.655301094 CEST	49788	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:02.743442059 CEST	4898	49788	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:03.638160944 CEST	49788	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:03.726671934 CEST	4898	49788	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:03.726803064 CEST	49788	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:03.820441008 CEST	4898	49788	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:04.465420961 CEST	49788	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:04.513576984 CEST	4898	49788	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:04.563616037 CEST	49806	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:04.610827923 CEST	4898	49806	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:04.611351013 CEST	49806	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:04.611613035 CEST	49806	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:04.680424929 CEST	4898	49806	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:04.682518005 CEST	4898	49806	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:04.682647943 CEST	4898	49806	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:04.682749033 CEST	49806	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:04.692763090 CEST	49806	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:04.744467974 CEST	4898	49806	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:04.744901896 CEST	49806	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:04.794431925 CEST	4898	49806	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:04.838973999 CEST	49806	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:04.886253119 CEST	4898	49806	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:04.932754993 CEST	49806	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:05.642564058 CEST	49806	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:05.711406946 CEST	4898	49806	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:05.711509943 CEST	49806	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:05.789227009 CEST	4898	49806	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:06.654452085 CEST	49806	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:06.726638079 CEST	4898	49806	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:06.726840019 CEST	49806	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:06.804815054 CEST	4898	49806	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:07.636653900 CEST	49806	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:07.710997105 CEST	4898	49806	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:07.711076975 CEST	49806	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:07.789784908 CEST	4898	49806	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:07.789861917 CEST	49806	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:07.867513895 CEST	4898	49806	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:08.464802980 CEST	49806	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:08.512063980 CEST	4898	49806	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:08.581108093 CEST	49820	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:08.628385067 CEST	4898	49820	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:08.628607035 CEST	49820	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:08.629277945 CEST	49820	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:08.697746992 CEST	4898	49820	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:08.697782993 CEST	4898	49820	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:08.697866917 CEST	49820	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:08.713766098 CEST	49820	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:08.763572931 CEST	4898	49820	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:08.764045954 CEST	49820	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:08.817898989 CEST	4898	49820	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:08.818270922 CEST	49820	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:08.865998983 CEST	4898	49820	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:08.866530895 CEST	49820	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:08.929867983 CEST	4898	49820	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:09.528038979 CEST	4898	49788	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:09.528110981 CEST	4898	49806	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:09.528139114 CEST	4898	49820	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:09.528250933 CEST	49788	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:09.528441906 CEST	49806	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:09.609503031 CEST	49820	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:09.655162096 CEST	49820	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:09.742533922 CEST	4898	49820	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:09.742636919 CEST	49820	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:09.836338043 CEST	4898	49820	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:09.836484909 CEST	49820	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:09.914462090 CEST	4898	49820	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:10.672677994 CEST	49820	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:10.762527943 CEST	4898	49820	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:10.762600899 CEST	49820	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:10.856008053 CEST	4898	49820	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:10.856096029 CEST	49820	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:10.964699030 CEST	4898	49820	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:11.652650118 CEST	49820	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:11.742620945 CEST	4898	49820	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:11.742918968 CEST	49820	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:11.836096048 CEST	4898	49820	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:11.837532043 CEST	49820	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:11.914532900 CEST	4898	49820	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:12.496259928 CEST	49820	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:12.543284893 CEST	4898	49820	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:12.549674034 CEST	49822	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:12.597259998 CEST	4898	49822	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:12.597470045 CEST	49822	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:12.597795963 CEST	49822	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:12.664673090 CEST	4898	49822	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:12.669531107 CEST	4898	49822	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:12.669560909 CEST	4898	49822	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:12.669737101 CEST	49822	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:12.678155899 CEST	49822	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:12.728399038 CEST	4898	49822	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:12.730830908 CEST	49822	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:12.780229092 CEST	4898	49822	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:12.780311108 CEST	49822	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:12.827533007 CEST	4898	49822	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:12.827733040 CEST	49822	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:12.898497105 CEST	4898	49822	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:13.624845028 CEST	49822	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:13.695596933 CEST	4898	49822	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:13.719180107 CEST	49822	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:13.789014101 CEST	4898	49822	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:13.789098978 CEST	49822	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:13.867209911 CEST	4898	49822	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:13.867296934 CEST	49822	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:13.929805040 CEST	4898	49822	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:14.640991926 CEST	49822	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:14.712112904 CEST	4898	49822	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:14.784468889 CEST	49822	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:14.851761103 CEST	4898	49822	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:14.855792046 CEST	49822	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:14.929666996 CEST	4898	49822	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:14.947707891 CEST	49822	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:15.008301973 CEST	4898	49822	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:16.074745893 CEST	49822	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:16.148701906 CEST	4898	49822	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:16.148821115 CEST	49822	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:16.226852894 CEST	4898	49822	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:17.250510931 CEST	49822	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:17.320311069 CEST	4898	49822	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:17.320384026 CEST	49822	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:17.373294115 CEST	49822	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:17.398611069 CEST	4898	49822	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:17.420649052 CEST	4898	49822	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:17.783205986 CEST	49823	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:17.829999924 CEST	4898	49823	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:17.830136061 CEST	49823	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:17.830612898 CEST	49823	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:17.898941994 CEST	4898	49823	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:17.899400949 CEST	4898	49823	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:17.899445057 CEST	4898	49823	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:17.899516106 CEST	49823	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:17.912823915 CEST	49823	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:17.964066029 CEST	4898	49823	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:17.964991093 CEST	49823	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:18.013756990 CEST	4898	49823	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:18.058881998 CEST	49823	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:18.105587006 CEST	4898	49823	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:18.152690887 CEST	49823	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:18.252125025 CEST	49823	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:18.320530891 CEST	4898	49823	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:18.320621014 CEST	49823	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:18.398890972 CEST	4898	49823	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:18.859486103 CEST	49823	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:18.945576906 CEST	4898	49823	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:19.268359900 CEST	49823	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:19.336237907 CEST	4898	49823	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:19.336523056 CEST	49823	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:19.368102074 CEST	4898	49822	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:19.368259907 CEST	49822	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:19.369273901 CEST	4898	49823	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:19.369554996 CEST	4898	49820	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:19.369652033 CEST	49820	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:19.383419991 CEST	4898	49823	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:19.418467045 CEST	49823	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:19.878689051 CEST	49823	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:19.961385012 CEST	4898	49823	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:20.286170959 CEST	49823	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:20.367383003 CEST	4898	49823	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:20.367681980 CEST	49823	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:20.445628881 CEST	4898	49823	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:20.856810093 CEST	49823	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:20.945420980 CEST	4898	49823	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:20.945523977 CEST	49823	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:21.024350882 CEST	4898	49823	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:21.299325943 CEST	49823	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:21.383380890 CEST	4898	49823	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:21.383476973 CEST	49823	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:21.461436987 CEST	4898	49823	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:21.653676033 CEST	49823	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:21.705461979 CEST	4898	49823	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:21.749385118 CEST	49827	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:21.796700954 CEST	4898	49827	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:21.796905994 CEST	49827	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:21.798101902 CEST	49827	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:21.865488052 CEST	4898	49827	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:21.865514994 CEST	4898	49827	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:21.865624905 CEST	49827	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:21.885950089 CEST	49827	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:21.935499907 CEST	4898	49827	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:21.935944080 CEST	49827	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:22.008223057 CEST	4898	49827	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:22.092515945 CEST	4898	49827	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:22.092952013 CEST	49827	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:22.140372992 CEST	4898	49827	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:22.184305906 CEST	49827	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:22.317648888 CEST	49827	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:22.386217117 CEST	4898	49827	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:22.386471987 CEST	49827	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:22.461173058 CEST	4898	49827	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:22.829871893 CEST	49827	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:22.898616076 CEST	4898	49827	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:22.923885107 CEST	49827	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:23.008099079 CEST	4898	49827	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:23.332568884 CEST	49827	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:23.398456097 CEST	4898	49827	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:24.353507996 CEST	49827	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:24.405395031 CEST	4898	49827	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:24.407814980 CEST	49827	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:29.385637045 CEST	4898	49823	185.250.148.54	192.168.2.4
Oct 13, 2021 20:09:29.385864019 CEST	49823	4898	192.168.2.4	185.250.148.54
Oct 13, 2021 20:09:34.224539995 CEST	49827	4898	192.168.2.4	185.250.148.54

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: cyr8VsVRxv.exe PID: 6912 Parent PID: 5596

General

Start time:	20:07:23
Start date:	13/10/2021
Path:	C:\Users\user\Desktop\cyr8VsVRxv.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\cyr8VsVRxv.exe'
Imagebase:	0x400000
File size:	1776128 bytes
MD5 hash:	E60399A0E9761E7653376E878875EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cyr8VsVRxv.exe PID: 6952 Parent PID: 6912

General

Start time:	20:07:26
Start date:	13/10/2021
Path:	C:\Users\user\Desktop\cyr8VsVRxv.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\cyr8VsVRxv.exe'
Imagebase:	0x400000
File size:	1776128 bytes
MD5 hash:	E60399A0E9761E7653376E878875EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BitRAT, Description: Yara detected BitRAT, Source: 00000001.00000000.935850278.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BitRAT, Description: Yara detected BitRAT, Source: 00000001.00000000.940036093.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BitRAT, Description: Yara detected BitRAT, Source: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: cyr8VsVRxv.exe PID: 6912 Parent PID: 5596 cyr8VsVRxv.exeCOMMON

Executed Functions

Function 037C0110, Relevance: 22.7, APIs: 15, Instructions: 248memorynativethreadCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 037C0156
GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 037C016C
CreateProcessA.KERNELBASE(?,00000000), ref: 037C0255
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 037C0270
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 037C0283
GetThreadContext.KERNELBASE(00000000,?), ref: 037C029F
ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 037C02C8
NtUnmapViewOfSection.NTDLL(00000000,?), ref: 037C02E3
VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 037C0304
NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 037C032A
NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 037C0399
WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 037C03BF
SetThreadContext.KERNELBASE(00000000,?), ref: 037C03E1
ResumeThread.KERNELBASE(00000000), ref: 037C03ED
ExitProcess.KERNEL32(00000000), ref: 037C0412

Memory Dump Source

Source File: 00000000.00000002.682304239.00000000037C0000.00000040.00000001.sdmp, Offset: 037C0000, based on PE: false

Similarity

API ID: Virtual$MemoryProcess$AllocThreadWrite$Context$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
String ID:
API String ID: 2875986403-0
Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction ID: 08022fc2c52410ccf10e102956c3cb33591bc0a6d66c70efa8d13f76ffd38d27
Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction Fuzzy Hash: 1EB1B574A00208EFDB44CF98C895F9EBBB5BF88314F248158E909AB391D771AE41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 037C0420, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 037C0533

Strings

d, xrefs: 037C0584
0, xrefs: 037C0492
saodkfnosa9uin, xrefs: 037C04DA
mfoaskdfnoa, xrefs: 037C0520, 037C0523

Memory Dump Source

Source File: 00000000.00000002.682304239.00000000037C0000.00000040.00000001.sdmp, Offset: 037C0000, based on PE: false

Similarity

API ID: CreateWindow
String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
API String ID: 716092398-2341455598
Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction ID: 1bb839c6ee43764948b6d4d85439266cca7f5cba4b850a9ed770c2c0d47250be
Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction Fuzzy Hash: A6510870D083C8DBEB11CB98D849BEDBFB66F11708F14409CD5446F286C3BA9659CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 037C05B0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(apfHQ), ref: 037C05EC

Strings

apfHQ, xrefs: 037C05E2, 037C05E5
o, xrefs: 037C0600

Memory Dump Source

Source File: 00000000.00000002.682304239.00000000037C0000.00000040.00000001.sdmp, Offset: 037C0000, based on PE: false

Similarity

API ID: AttributesFile
String ID: apfHQ$o
API String ID: 3188754299-2999369273
Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction ID: 1e970bbb119985ee805d316eb059e13fc5800e2602b290397a8da90b9d72e667
Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction Fuzzy Hash: A4011E70C0428CEADB10DFA8C5187AEBFB5AF41308F18809DC4192B242D7769B58CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 036477C6, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Module32First.KERNEL32(00000000,00000224), ref: 0364780E

Memory Dump Source

Source File: 00000000.00000002.682124399.0000000003647000.00000040.00000001.sdmp, Offset: 03647000, based on PE: false

Similarity

API ID: FirstModule32
String ID:
API String ID: 3757679902-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 7bc5fe514e0c7d3f393026b9eed13b04b301d12d9fbff40dfb359b810714fed6
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: F5F0F635A003146FD7207BF8AD8CFAFB6ECEF49625F140538E662A11C0DB70E8458660

Uniqueness

Uniqueness Score: -1.00%

Function 00586BF0, Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,?,0058060B,?,?,00586D60), ref: 00586BF7

Memory Dump Source

Source File: 00000000.00000002.681456904.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.681451549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.681862805.000000000059E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.681972580.0000000001811000.00000002.00020000.sdmp Download File

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: da0a947f49fd1a991ddf29e8fd88592b6f9035889d3c3b3a3d299e7cf9a48551
Instruction ID: c10cd7bfd8b795218fc63ed26db8fa49c190e0d415890ae5be79bdd0fb43e7af
Opcode Fuzzy Hash: da0a947f49fd1a991ddf29e8fd88592b6f9035889d3c3b3a3d299e7cf9a48551
Instruction Fuzzy Hash: 94A0123104420863C2001282680AB017A0CD3C8761F040010F21C05051096154004055

Uniqueness

Uniqueness Score: -1.00%

Function 0057FBA0, Relevance: 1.5, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_() {
				void* _t3;

				E00585D60(); // executed
				return L0057FBC0(_t3);
			}

0x0057fba5
0x0057fbb0

APIs

___security_init_cookie.LIBCMTD ref: 0057FBA5

Memory Dump Source

Source File: 00000000.00000002.681456904.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.681451549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.681862805.000000000059E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.681972580.0000000001811000.00000002.00020000.sdmp Download File

Similarity

API ID: ___security_init_cookie
String ID:
API String ID: 3657697845-0
Opcode ID: 8c3d19325268ee85e998b233214f8b109a8eb9b03c9c684d72697f6574214dc4
Instruction ID: 2d1aa3ff557af9e27bd1a8647477aee8e7c92614a0d5666023ceca55f3c9535b
Opcode Fuzzy Hash: 8c3d19325268ee85e998b233214f8b109a8eb9b03c9c684d72697f6574214dc4
Instruction Fuzzy Hash: BAA00211405A4E16816173A6542F90B7E8D68C07547D940217D1C521032C54A90692E6

Uniqueness

Uniqueness Score: -1.00%

Function 03647485, Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 036474D6

Memory Dump Source

Source File: 00000000.00000002.682124399.0000000003647000.00000040.00000001.sdmp, Offset: 03647000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 47efb8a1156b74398fc3993adcf3e2a6d477d6a27c992b63a1043a79be34d731
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: F8112B79A00208EFDB01DF98CA85E99BBF5AF08351F058094F9589F361D775EA90DF84

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00581390, Relevance: 7.6, APIs: 5, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00581390(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				long _t15;
				intOrPtr _t19;
				intOrPtr _t20;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr* _t29;
				void* _t34;

				_t25 = __esi;
				_t24 = __edi;
				_t22 = __edx;
				_t20 = __ecx;
				_t19 = __ebx;
				_t6 = __eax;
				_t34 = _t20 -  *0x59e094; // 0xa71e38d1
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x5a0540 = _t6;
				 *0x5a053c = _t20;
				 *0x5a0538 = _t22;
				 *0x5a0534 = _t19;
				 *0x5a0530 = _t25;
				 *0x5a052c = _t24;
				 *0x5a0558 = ss;
				 *0x5a054c = cs;
				 *0x5a0528 = ds;
				 *0x5a0524 = es;
				 *0x5a0520 = fs;
				 *0x5a051c = gs;
				asm("pushfd");
				_pop( *0x5a0550);
				 *0x5a0544 =  *_t29;
				 *0x5a0548 = _v0;
				 *0x5a0554 =  &_a4;
				 *0x5a0490 = 0x10001;
				_t11 =  *0x5a0548; // 0x0
				 *0x5a0444 = _t11;
				 *0x5a0438 = 0xc0000409;
				 *0x5a043c = 1;
				_t21 =  *0x59e094; // 0xa71e38d1
				_v812 = _t21;
				_t23 =  *0x59e098; // 0x58e1c72e
				_v808 = _t23;
				 *0x5a0488 = IsDebuggerPresent();
				_push(1);
				E00581370(_t12);
				SetUnhandledExceptionFilter(0);
				_t15 = UnhandledExceptionFilter(0x404c4c);
				if( *0x5a0488 == 0) {
					_push(1);
					E00581370(_t15);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00581390
0x00581390
0x00581390
0x00581390
0x00581390
0x00581390
0x00581390
0x00581396
0x00581398
0x00581398
0x0058900b
0x00589010
0x00589016
0x0058901c
0x00589022
0x00589028
0x0058902e
0x00589035
0x0058903c
0x00589043
0x0058904a
0x00589051
0x00589058
0x00589059
0x00589062
0x0058906a
0x00589072
0x0058907d
0x00589087
0x0058908c
0x00589091
0x0058909b
0x005890a5
0x005890ab
0x005890b1
0x005890b7
0x005890c3
0x005890c8
0x005890ca
0x005890d4
0x005890df
0x005890ec
0x005890ee
0x005890f0
0x005890f5
0x0058910d

APIs

IsDebuggerPresent.KERNEL32 ref: 005890BD
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 005890D4
UnhandledExceptionFilter.KERNEL32(00404C4C), ref: 005890DF
GetCurrentProcess.KERNEL32(C0000409), ref: 005890FD
TerminateProcess.KERNEL32(00000000), ref: 00589104

Memory Dump Source

Source File: 00000000.00000002.681456904.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.681451549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.681862805.000000000059E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.681972580.0000000001811000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8e69eaa074b1a33f2524762d9831728c8c8e594d8dc93a1cbb008df0ce3bfd55
Instruction ID: 4b7441d8c79d15cc8013d13e06238bdd58a67b250805f762de3be23ed99da68c
Opcode Fuzzy Hash: 8e69eaa074b1a33f2524762d9831728c8c8e594d8dc93a1cbb008df0ce3bfd55
Instruction Fuzzy Hash: A42123B8C21204DFD744DF24FD896543BA4BB6E315F10242AEA09973B0E7B11588EF4A

Uniqueness

Uniqueness Score: -1.00%

Function 036470A3, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.682124399.0000000003647000.00000040.00000001.sdmp, Offset: 03647000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 31ecc6757917f723829709ff37d2ca033acb82b887c65302cc0e17f62b33a968
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: E611A1B2740200AFD754DF55DCC0FA677EAEB89620B1980A9ED18CB312D776EC42C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 037C0042, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.682304239.00000000037C0000.00000040.00000001.sdmp, Offset: 037C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: ecdb93134105ad974988914969a9201f29cd4808d3021f0dad146e6da2c75cba
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 38117C72350204EFEB54DE65DC94EA673EAFB88320B1A816DE908CB311D676E841C7A0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cyr8VsVRxv.exe PID: 6952 Parent PID: 6912 cyr8VsVRxv.exeCOMMON

Executed Functions

Function 004090D7, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 174libraryloaderCOMMON

Download Yara Rule

APIs

new.LIBCMT ref: 004D0330
GetModuleHandleA.KERNEL32(?), ref: 004D039F
GetProcAddress.KERNEL32(00000000,?), ref: 004D0426
GetModuleHandleA.KERNEL32(?,00000000,00000024), ref: 004D04D5
GetProcAddress.KERNEL32(00000000), ref: 004D04DC
GetNativeSystemInfo.KERNELBASE(?), ref: 004D04EE
GetSystemInfo.KERNEL32(?), ref: 004D04FA

Strings

e, xrefs: 004D0364
P5z, xrefs: 004D0525
M, xrefs: 004D03C8

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AddressHandleInfoModuleProcSystem$Native
String ID: M$P5z$e
API String ID: 4128499644-1312674376
Opcode ID: 6059c55413afe13201a9d1f51a227954356b2c27813fec0b7ce903919615dda1
Instruction ID: 7f076f262e4bb91a6750fffe37d8c54c711c44c40eb3a28a00d27e8eef38a7fb
Opcode Fuzzy Hash: 6059c55413afe13201a9d1f51a227954356b2c27813fec0b7ce903919615dda1
Instruction Fuzzy Hash: 7C512A319083819AE314DF3CD9857AAF7E4FFA9304F105A1FFAC4D60A2EB74A5858716

Uniqueness

Uniqueness Score: -1.00%

Function 00415782, Relevance: 1.6, APIs: 1, Instructions: 58networkCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,?,?,?,?,00000000,00000000), ref: 004157A1

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Recv
String ID:
API String ID: 4192927123-0
Opcode ID: c62c7c3c7b8fe5f77f2d802cc1d1c4721b2ce0b15eb23c3f888527f01b87accb
Instruction ID: 5bea4bdaf11f897f62dfeb54fd0e94af83be17af8b353cdab7f5e046acebae1d
Opcode Fuzzy Hash: c62c7c3c7b8fe5f77f2d802cc1d1c4721b2ce0b15eb23c3f888527f01b87accb
Instruction Fuzzy Hash: 1211E5B1A0070AEFDB208F95C8824FBF768EB80764F20416BF82553380D7785D908795

Uniqueness

Uniqueness Score: -1.00%

Function 0068B743, Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE(0068B74F,0068A313), ref: 0068B748

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9e571a7bfe55dc44121ef552ecc30a39e0c65cc364c38c9e4d4dd934ef22e33c
Instruction ID: 7c3c688dd84fc5c79c8d0d8d4f09160fe98b9c6a4f8d69937d1295496e1a9fcd
Opcode Fuzzy Hash: 9e571a7bfe55dc44121ef552ecc30a39e0c65cc364c38c9e4d4dd934ef22e33c
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00571F0B, Relevance: 61.4, APIs: 3, Strings: 32, Instructions: 171COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00571F10
new.LIBCMT ref: 00571F37

Part of subcall function 005717F8: __EH_prolog.LIBCMT ref: 005717FD
Part of subcall function 005717F8: new.LIBCMT ref: 0057182A
Part of subcall function 005717F8: RtlInitializeCriticalSection.NTDLL(0000001C), ref: 0057184D
Part of subcall function 005717F8: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,00571F4A,?,?,?,0040F09B), ref: 00571864

_wprintf.LEGACY_STDIO_DEFINITIONS ref: 00571F78

Strings

IYUV, xrefs: 00571FE7
Y411, xrefs: 0057201F
YUY2, xrefs: 00571FBD
IYUV, xrefs: 00571FE2
Y211, xrefs: 00572036
MJPG, xrefs: 00572061
Y411, xrefs: 0057201A
I420, xrefs: 00572099
AYUV, xrefs: 00572058
YV12, xrefs: 00571FFE
Dz, xrefs: 00571FAF
`Dz, xrefs: 00571F27
UYVY, xrefs: 00571FF0
YVYU, xrefs: 00571FC6
YUYV, xrefs: 00571FD4
YUY2, xrefs: 00571FB8
Y41P, xrefs: 0057202D
YVU9, xrefs: 00572011
Y41P, xrefs: 00572028
PDz, xrefs: 0057208B
0Dz, xrefs: 0057206F
YVYU, xrefs: 00571FCB
YUYV, xrefs: 00571FD9
@Dz, xrefs: 0057207D
YVU9, xrefs: 0057200C
UYVY, xrefs: 00571FF5
AYUV, xrefs: 00572053
***** VIDEOINPUT LIBRARY - %2.04f - TFW07 *****, xrefs: 00571F73
Y211, xrefs: 0057203B
YV12, xrefs: 00572003
I420, xrefs: 0057209E
MJPG, xrefs: 00572066

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$CreateCriticalEventInitializeSection_wprintf
String ID: ***** VIDEOINPUT LIBRARY - %2.04f - TFW07 *****$0Dz$@Dz$AYUV$AYUV$I420$I420$IYUV$IYUV$MJPG$MJPG$PDz$UYVY$UYVY$Y211$Y211$Y411$Y411$Y41P$Y41P$YUY2$YUY2$YUYV$YUYV$YV12$YV12$YVU9$YVU9$YVYU$YVYU$`Dz$Dz
API String ID: 550282347-4100050760
Opcode ID: 14738bc5c8039185295264d065c2f7682aa518b2c46b38245d9382e2969ddd98
Instruction ID: f9716c8469a36a553641a67d4dd0ff90e87979c69e3c6f18fd75f9a9b42338b5
Opcode Fuzzy Hash: 14738bc5c8039185295264d065c2f7682aa518b2c46b38245d9382e2969ddd98
Instruction Fuzzy Hash: B941F762D00D9487D713CF48A8063436AA3AFD7B24B1A8275BD182F250E7FF8D9296C4

Uniqueness

Uniqueness Score: -1.00%

Function 00414734, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 121synchronizationCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,00414B24,00000000,00000000,?,?,00000000,00000000), ref: 00414749
GetLastError.KERNEL32(?,?,00414B24,00000000,00000000,?,?,00000000,00000000), ref: 0041475B

Part of subcall function 0041037A: __EH_prolog.LIBCMT ref: 0041037F

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00414B24,00000000,00000000,?,?,00000000,00000000), ref: 0041479E
GetLastError.KERNEL32(?,?,00414B24,00000000,00000000,?,?,00000000,00000000), ref: 004147B0
GetLastError.KERNEL32(?,?,?,?,?,?,?,00414B24,00000000), ref: 00414816
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00414B24,00000000), ref: 0041482C
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00414B24,00000000), ref: 0041483A
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?,00414B24,00000000), ref: 0041486C
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,00414B24,00000000), ref: 00414873

Strings

thread.entry_event, xrefs: 0041477E
thread.exit_event, xrefs: 004147D3
thread, xrefs: 00414852

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseErrorLast$CreateEventHandle$ChangeFindH_prologNotificationObjectSingleWait
String ID: thread$thread.entry_event$thread.exit_event
API String ID: 915737812-3017686385
Opcode ID: 0b96f98799cca959d87e872a5c5f4159a8fb997fda2d4c03f0d5b9555a85e16c
Instruction ID: 0b79e7f0c15327e9da17b43a34241b3698589d770cc40297c089d4d07e25d328
Opcode Fuzzy Hash: 0b96f98799cca959d87e872a5c5f4159a8fb997fda2d4c03f0d5b9555a85e16c
Instruction Fuzzy Hash: CE41A974A00214AFDB10EFA5C8457AFBBB5EF84354F10807AF805A7391DBB49D46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 004152CD, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004152D2
RtlEnterCriticalSection.NTDLL(?), ref: 004152E6
CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 00415309
GetLastError.KERNEL32 ref: 00415316

Part of subcall function 0041037A: __EH_prolog.LIBCMT ref: 0041037F

SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 00415363
new.LIBCMT ref: 00415371
new.LIBCMT ref: 0041538A
RtlLeaveCriticalSection.NTDLL(?), ref: 004153CE

Strings

timer, xrefs: 00415331

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CriticalH_prologSectionTimerWaitable$CreateEnterErrorLastLeave
String ID: timer
API String ID: 80991882-1792073242
Opcode ID: cdb135c908b685f4243a48fc5eced90cd833a3d47e2270d03613246561c0a4f8
Instruction ID: 81198b5b4e12bd1187ba2ab20eed8b98814ca33eefdc30da37c94bbb21581d96
Opcode Fuzzy Hash: cdb135c908b685f4243a48fc5eced90cd833a3d47e2270d03613246561c0a4f8
Instruction Fuzzy Hash: 253173B1904344EFDB00DF69C8857EEBBB9EF48314F10816EE845AB242D7B48A85CB65

Uniqueness

Uniqueness Score: -1.00%

Function 006A6A70, Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 187COMMON

Download Yara Rule

APIs

Part of subcall function 006A108E: RtlAllocateHeap.NTDLL(00000000,00000003,00000003), ref: 006A10C0

_free.LIBCMT ref: 006A6B7B
_free.LIBCMT ref: 006A6B92
_free.LIBCMT ref: 006A6BB1
_free.LIBCMT ref: 006A6BCC
_free.LIBCMT ref: 006A6BE3

Strings

q, xrefs: 006A6AC3
Dq, xrefs: 006A6B55
?bj, xrefs: 006A6AA0, 006A6C22

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: _free$AllocateHeap
String ID: ?bj$Dq$q
API String ID: 3033488037-3547961992
Opcode ID: 5251d4837e6f79bcf17ab473c28d3ef4f7df9047631bea94ae626e0855dd0cfa
Instruction ID: 7a1734845ed0d2fd7cab5b6e1943e8e73dea9ce3dd0b3db60d63e8c5fff4bd08
Opcode Fuzzy Hash: 5251d4837e6f79bcf17ab473c28d3ef4f7df9047631bea94ae626e0855dd0cfa
Instruction Fuzzy Hash: DE51D371A00604AFDB20EF29CC41AAA77F6EF56720B18456DF909D72A0E731ED518F94

Uniqueness

Uniqueness Score: -1.00%

Function 006A1145, Relevance: 9.2, APIs: 6, Instructions: 200COMMON

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 006A1171
__cftoe.LIBCMT ref: 006A11A3

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 46abc8fd5b1475584886ca636aa4ac3fff205b6cb58d539d5738d323b5435c41
Instruction ID: 6c4d8a21c2b0057faf7a83bc6a2778fe9a345346067d6ae0cb15526d35af0ab0
Opcode Fuzzy Hash: 46abc8fd5b1475584886ca636aa4ac3fff205b6cb58d539d5738d323b5435c41
Instruction Fuzzy Hash: 5051C672900205ABDF64BB598C41FAE77EBAF4B320F24421DF914DA292DB31DD418E68

Uniqueness

Uniqueness Score: -1.00%

Function 004B02E0, Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004B02E5
std::_Lockit::_Lockit.LIBCPMT ref: 004B02F4

Part of subcall function 004211A8: __EH_prolog.LIBCMT ref: 004211AD
Part of subcall function 004211A8: std::_Lockit::_Lockit.LIBCPMT ref: 004211C1
Part of subcall function 004211A8: std::_Lockit::~_Lockit.LIBCPMT ref: 004211E1

std::locale::_Getfacet.LIBCPMT ref: 004B0314
__CxxThrowException@8.LIBVCRUNTIME ref: 004B034B
std::_Facet_Register.LIBCPMT ref: 004B0361
std::_Lockit::~_Lockit.LIBCPMT ref: 004B036E

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$H_prologLockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 1252875284-0
Opcode ID: c0e17db30a694421d04265faf59378f693b64b9600864ea3d7819ed5d6e79e0d
Instruction ID: 78f492c9bfe4b46bd4934e7f848da8e9cd49b79d55c67d64c25b280fc1e3c0ca
Opcode Fuzzy Hash: c0e17db30a694421d04265faf59378f693b64b9600864ea3d7819ed5d6e79e0d
Instruction Fuzzy Hash: 8B11A772E005299BCB14FBA4D805AEE7775FF44721F50421EF81567291DB389A01C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 006A9EDF, Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00694D4A,00787350,00000010), ref: 006A9EE3
_free.LIBCMT ref: 006A9F16
_free.LIBCMT ref: 006A9F3E
SetLastError.KERNEL32(00000000), ref: 006A9F4B
SetLastError.KERNEL32(00000000), ref: 006A9F57
_abort.LIBCMT ref: 006A9F5D

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 2e1125a4d395500076837f07b62313655053a4d322a9ef81fbd2da14ccf06a3c
Instruction ID: 03aad5339883804ce446e218d1ca7b61a586081420759cef5190cc053f6b339b
Opcode Fuzzy Hash: 2e1125a4d395500076837f07b62313655053a4d322a9ef81fbd2da14ccf06a3c
Instruction Fuzzy Hash: 2AF0CD365486016AFF5137356C45B5A22179FC3771B340129F614D62E2EF75CC424D78

Uniqueness

Uniqueness Score: -1.00%

Function 006A9EDF, Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00694D4A,00787350,00000010), ref: 006A9EE3
_free.LIBCMT ref: 006A9F16
_free.LIBCMT ref: 006A9F3E
SetLastError.KERNEL32(00000000), ref: 006A9F4B
SetLastError.KERNEL32(00000000), ref: 006A9F57
_abort.LIBCMT ref: 006A9F5D

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 2e1125a4d395500076837f07b62313655053a4d322a9ef81fbd2da14ccf06a3c
Instruction ID: 03aad5339883804ce446e218d1ca7b61a586081420759cef5190cc053f6b339b
Opcode Fuzzy Hash: 2e1125a4d395500076837f07b62313655053a4d322a9ef81fbd2da14ccf06a3c
Instruction Fuzzy Hash: 2AF0CD365486016AFF5137356C45B5A22179FC3771B340129F614D62E2EF75CC424D78

Uniqueness

Uniqueness Score: -1.00%

Function 00415C9C, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 124networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000), ref: 00415CB4
_strlen.LIBCMT ref: 00415CE1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,00000001), ref: 00415D02
WSAStringToAddressW.WS2_32(?,?,00000000,?,00000080), ref: 00415D17

Strings

255.255.255.255, xrefs: 00415D4C

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AddressByteCharErrorLastMultiStringWide_strlen
String ID: 255.255.255.255
API String ID: 211062275-2422070025
Opcode ID: a34b3e0147113994be48e77c40f6aeb01e510548854bc99b354f8fbc08dd0987
Instruction ID: 90f16403a3ccad3dd7e36331342522bdd81ba9cbe8a4690d11ee0a9552b0ec44
Opcode Fuzzy Hash: a34b3e0147113994be48e77c40f6aeb01e510548854bc99b354f8fbc08dd0987
Instruction Fuzzy Hash: C7411731A00614EBDB206B64DC46BEEB769EF81334F20831BF9299B2D1D778598187C5

Uniqueness

Uniqueness Score: -1.00%

Function 00414B9F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

RtlDeleteCriticalSection.NTDLL(?), ref: 00414C08
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,006BAFEF,000000FF,?,00414B54), ref: 00414C21
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,006BAFEF,000000FF,?,00414B54), ref: 00414C3C

Part of subcall function 00414F2A: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000), ref: 00414F51
Part of subcall function 00414F2A: GetLastError.KERNEL32 ref: 00414F5B

Part of subcall function 004146D0: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 004146EE
Part of subcall function 004146D0: CloseHandle.KERNEL32(?), ref: 004146F7
Part of subcall function 004146D0: TerminateThread.KERNEL32(?,00000000), ref: 00414711

Part of subcall function 0041B25A: CloseHandle.KERNEL32(?,?,00000000,?,00414B30,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0041B26A

Strings

IKA, xrefs: 00414BBF
yFA, xrefs: 00414C45

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle$CompletionCriticalDeleteErrorLastMultipleObjectsPostQueuedSectionStatusTerminateThreadWait
String ID: IKA$yFA
API String ID: 1875059124-2675676849
Opcode ID: c9c403bba2a3b1cfd1f17263a9afe307d88bdf25b9f6a4988cd36673c4186596
Instruction ID: 87ecea2992fb7e7ac7017cbf84a817d9d6a6f21c01299ea272fee8c8fe13b94b
Opcode Fuzzy Hash: c9c403bba2a3b1cfd1f17263a9afe307d88bdf25b9f6a4988cd36673c4186596
Instruction Fuzzy Hash: CD21C031400784EBD721EF65CA057DEBBF5EF40714F14455EE08257A91CBB82A88CB96

Uniqueness

Uniqueness Score: -1.00%

Function 007E2730, Relevance: 7.7, APIs: 5, Instructions: 212librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 007E287A
GetProcAddress.KERNEL32(?,007CDFF9), ref: 007E288F
ExitProcess.KERNEL32(?,007CDFF9), ref: 007E28A0
VirtualProtect.KERNELBASE(00400000,00001000,00000004,?,00000000), ref: 007E28EE
VirtualProtect.KERNELBASE(00400000,00001000), ref: 007E2903

Memory Dump Source

Source File: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: ac061ebf76bf3026c94eebb1a8fce0bdaf7623fe25c8d2942cd87ad875987468
Instruction ID: 14096f60a3daa40f2c0e4d355d03d0e3fddd8428fe91065abeb18193f247b64d
Opcode Fuzzy Hash: ac061ebf76bf3026c94eebb1a8fce0bdaf7623fe25c8d2942cd87ad875987468
Instruction Fuzzy Hash: D8610872A563D25BD7258E79CCC0661B7A8FB593207280738DAE5C73C7EBA85807C760

Uniqueness

Uniqueness Score: -1.00%

Function 006A5B5C, Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006A5BCE
_free.LIBCMT ref: 006A5BEE

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: be8943407bce04aae76bd1d451bf57b1cb50652c9b20bd453014df5c09148e43
Instruction ID: 39285974b7beede999f61587a776756efcc8bd5e2c2af604e75fe132b50d0e39
Opcode Fuzzy Hash: be8943407bce04aae76bd1d451bf57b1cb50652c9b20bd453014df5c09148e43
Instruction Fuzzy Hash: 6B41D472A007049FDB20EF78C880A59B7B2EF85324B2545ADE916EB341DB30ED01CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0041369B, Relevance: 7.6, APIs: 5, Instructions: 128timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004136A0

Part of subcall function 004138F8: __EH_prolog.LIBCMT ref: 004138FD
Part of subcall function 004138F8: GetTickCount64.KERNEL32 ref: 0041391A

GetSystemTimes.KERNELBASE(?,?,?), ref: 0041370A
GetCurrentProcess.KERNEL32(?,?,?,?), ref: 00413724
GetProcessTimes.KERNELBASE(00000000), ref: 0041372B
GetTickCount64.KERNEL32 ref: 00413823

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Count64H_prologProcessTickTimes$CurrentSystem
String ID:
API String ID: 2284428309-0
Opcode ID: 236d7e2644c345143adb0c189a4fec71ec096c75c1f097dc3eab28c4d6001a43
Instruction ID: a254041eaa7e4b0b50e61da91e07f6796d4f1d516a85174cce91633ffafc66c9
Opcode Fuzzy Hash: 236d7e2644c345143adb0c189a4fec71ec096c75c1f097dc3eab28c4d6001a43
Instruction Fuzzy Hash: 08510AF5D002589FCB14DFE9D8819DEBBB9FB89701F00852AE505E7312E7385986CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00414441, Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414446
RtlEnterCriticalSection.NTDLL ref: 00414456
RtlLeaveCriticalSection.NTDLL ref: 00414484
RtlEnterCriticalSection.NTDLL ref: 004144AD
RtlLeaveCriticalSection.NTDLL ref: 004144F7

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$H_prolog
String ID:
API String ID: 1633115879-0
Opcode ID: 48a8dd1e56f148ea3e8c9edaf9ab52552c3326993aacd736f61a3b6608c45d46
Instruction ID: e37c270583d34f6fdcbed936fd6dc41b70da8ade8f22dd1501a04d0a02904186
Opcode Fuzzy Hash: 48a8dd1e56f148ea3e8c9edaf9ab52552c3326993aacd736f61a3b6608c45d46
Instruction Fuzzy Hash: D231AC759042559FDB10CF68C98479ABBB5FF88710F20864EE85597301C7B9ED81CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004146D0, Relevance: 7.5, APIs: 5, Instructions: 36synchronizationthreadinjectionCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 004146EE
CloseHandle.KERNEL32(?), ref: 004146F7
TerminateThread.KERNEL32(?,00000000), ref: 00414711
QueueUserAPC.KERNELBASE(004146A3,?,00000000), ref: 0041471E
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00414729

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Wait$CloseHandleMultipleObjectObjectsQueueSingleTerminateThreadUser
String ID:
API String ID: 3892215915-0
Opcode ID: 3ec5ae4b6e7c796421652c2a7545122f5017f0dce0ab16dcd00dd9a7be1801ad
Instruction ID: 1e819aa565a8910f63e950dfc57558bee440c737e81045b7b22afa792695e07a
Opcode Fuzzy Hash: 3ec5ae4b6e7c796421652c2a7545122f5017f0dce0ab16dcd00dd9a7be1801ad
Instruction Fuzzy Hash: DDF09630504704EFE7509F64DC49FA67BF9EB49721F104269F52ED66E0DBB1AC808B60

Uniqueness

Uniqueness Score: -1.00%

Function 00694F05, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,?,Function_00294D25,00000000,?,00000000), ref: 00694F4E
GetLastError.KERNEL32(?,?,?,00414806,00000000,00000000,0041487E), ref: 00694F5A
__dosmaperr.LIBCMT ref: 00694F61

Strings

~HA, xrefs: 00694F28

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID: ~HA
API String ID: 2744730728-2555717699
Opcode ID: 012f35cf20328ae3c923eebbffb2d189a03c25afb4f31a3854c950dbbcf6196d
Instruction ID: a28228cb249d192a0490e985ea7e308233fdceaf7abf6463b4ce0b4950d670d3
Opcode Fuzzy Hash: 012f35cf20328ae3c923eebbffb2d189a03c25afb4f31a3854c950dbbcf6196d
Instruction Fuzzy Hash: F501693650521AABDF259FA1DC05E9F3B6FEFC4360F010028F80486A10DF318812C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 006AB96D, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

LCMapStringEx.KERNELBASE ref: 006AB9C0
LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,5EFC4D8B,00000100,?,5EFC4D8B,00000000), ref: 006AB9DE

Strings

0A, xrefs: 006AB9BA
LCMapStringEx, xrefs: 006AB988

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: String
String ID: 0A$LCMapStringEx
API String ID: 2568140703-1841893537
Opcode ID: ea4460510015f5977b781a5df97bf006a9c03b4116b64c3ed7a6936ed41caf73
Instruction ID: 78663075d4456955a6bdf8df67ea3bbf43c27e8d08bc1616b7ad118f32a7fa07
Opcode Fuzzy Hash: ea4460510015f5977b781a5df97bf006a9c03b4116b64c3ed7a6936ed41caf73
Instruction Fuzzy Hash: 15012532640209BBDF026F90DD06DEE3FA3EF0A760F004118FE0866261CB768971AF85

Uniqueness

Uniqueness Score: -1.00%

Function 0041487E, Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414883
SetEvent.KERNEL32(00000000), ref: 00414897
SetEvent.KERNEL32(?), ref: 004148B4
SleepEx.KERNELBASE(000000FF,00000001), ref: 004148BE

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Event$H_prologSleep
String ID:
API String ID: 1765829285-0
Opcode ID: 2a203f42bc5b33d3a13a3af4d886ce5b736f630bb6aebf30fe298175220b8e56
Instruction ID: 485320c20e7a0a70c1a616592e1f4c203106a78677124a96d5512a3dd4e7ad03
Opcode Fuzzy Hash: 2a203f42bc5b33d3a13a3af4d886ce5b736f630bb6aebf30fe298175220b8e56
Instruction Fuzzy Hash: 12F04F71600214EFDB10DF98D8C9B98BBB1FF09321F108258F5199B292C7749A80CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00694D25, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00787350,00000010), ref: 00694D38
RtlExitUserThread.NTDLL(00000000), ref: 00694D3F

Strings

0A, xrefs: 00694D74

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorExitLastThreadUser
String ID: 0A
API String ID: 1750398979-187954893
Opcode ID: aa497236cf176ef17a3b454ef00a04b474a789f811a1e7152174b5b94ede9673
Instruction ID: 2efdd878437aebd3bf93266263e471f643659c3a6f6777dfb9798e7ab1f8543b
Opcode Fuzzy Hash: aa497236cf176ef17a3b454ef00a04b474a789f811a1e7152174b5b94ede9673
Instruction Fuzzy Hash: 8CF08C74500205AFDB44BB70C84AAAD3B6AFF45700F10014CF5026B692CB75AD41DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0068FF18, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 0068FF2D
FlsAlloc.KERNELBASE(00000000), ref: 0068FF45

Strings

FlsAlloc, xrefs: 0068FF26

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: Alloctry_get_function
String ID: FlsAlloc
API String ID: 591514613-671089009
Opcode ID: c75b79da33dff981c52511f85961eddfbb7a3d3d2c8f6d7456505168a018d1dd
Instruction ID: d7de959523191e80f7d9c821fc02f7df97250b6a143e331cfe953e884debabc1
Opcode Fuzzy Hash: c75b79da33dff981c52511f85961eddfbb7a3d3d2c8f6d7456505168a018d1dd
Instruction Fuzzy Hash: 62D02B71BC133973D71133C91C02EE8768ACB10BB2F000171FF0836282D9E5144053C9

Uniqueness

Uniqueness Score: -1.00%

Function 006AC888, Relevance: 4.7, APIs: 3, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,006B23C9,00000000,?,?,?,006ACAD9,?,?,00000100), ref: 006AC8E2
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,006ACAD9,?,?,00000100,5EFC4D8B,?,?), ref: 006AC968
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 006ACA62

Part of subcall function 006A108E: RtlAllocateHeap.NTDLL(00000000,00000003,00000003), ref: 006A10C0

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$AllocateHeap
String ID:
API String ID: 2584219951-0
Opcode ID: 72298755ae8e85920eadb3a2ff0cd674ba881fd99c10826d076de7dbc2809b50
Instruction ID: 86292834f738c96dbc1cf993336d3d24c26be9c074e51f227bd2506d47692d73
Opcode Fuzzy Hash: 72298755ae8e85920eadb3a2ff0cd674ba881fd99c10826d076de7dbc2809b50
Instruction Fuzzy Hash: B151F67260021AABEB25AF64CC41EFF77ABEF42760F144229FE04D6254EB34DC40DA90

Uniqueness

Uniqueness Score: -1.00%

Function 00414C58, Relevance: 4.6, APIs: 3, Instructions: 116timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414C5D
SetWaitableTimer.KERNELBASE(00000001,?,00000001,00000000,00000000,00000000), ref: 00414C8C
GetQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 00414D4C

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CompletionH_prologQueuedStatusTimerWaitable
String ID:
API String ID: 2995059299-0
Opcode ID: a5d252669b9f60b85a81388a257bfec91c7b689e5e5c4f13bc946e12480acd58
Instruction ID: 7d45d137beb1f6b2b34f5553cb745bb15eb055e86ce864ac407ad0ee56832f04
Opcode Fuzzy Hash: a5d252669b9f60b85a81388a257bfec91c7b689e5e5c4f13bc946e12480acd58
Instruction Fuzzy Hash: 11416972A0060A9FDB15DF90D880BEFB3BAFF84315F00052ED412A6640DB78A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 004155BD, Relevance: 4.6, APIs: 3, Instructions: 80COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 00415614
ioctlsocket.WS2_32(?,8004667E,00000000), ref: 00415675
closesocket.WS2_32 ref: 0041567F

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: closesocket$ioctlsocket
String ID:
API String ID: 1937125420-0
Opcode ID: f970fa329fb201515a75755932be49706c74111033a6c082b1986b8d9337fbe5
Instruction ID: 0867f8573ec13ec267d5fb650704c9035aa2dc82b8724a08c876cf7a7597308c
Opcode Fuzzy Hash: f970fa329fb201515a75755932be49706c74111033a6c082b1986b8d9337fbe5
Instruction Fuzzy Hash: 8B213B31900619ABCB10EB64CCC1AFE7775AF80318F04816AEC15AB2C1EB785D85C798

Uniqueness

Uniqueness Score: -1.00%

Function 00694F05, Relevance: 4.6, APIs: 3, Instructions: 54threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(?,?,Function_00294D25,00000000,?,?), ref: 00694F4E
GetLastError.KERNEL32 ref: 00694F5A
__dosmaperr.LIBCMT ref: 00694F61

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: b8fd8f3789dc8bd2e385652533ec21c1c6a3ffa27c53ae8b00089fa9dcce7491
Instruction ID: a28228cb249d192a0490e985ea7e308233fdceaf7abf6463b4ce0b4950d670d3
Opcode Fuzzy Hash: b8fd8f3789dc8bd2e385652533ec21c1c6a3ffa27c53ae8b00089fa9dcce7491
Instruction Fuzzy Hash: F501693650521AABDF259FA1DC05E9F3B6FEFC4360F010028F80486A10DF318812C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 004160FF, Relevance: 4.5, APIs: 3, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00416104
RtlEnterCriticalSection.NTDLL(?), ref: 00416121
RtlLeaveCriticalSection.NTDLL(?), ref: 00416160

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CriticalSection$EnterH_prologLeave
String ID:
API String ID: 367238759-0
Opcode ID: d0c113fbeb00a019116e248b927bd9237ee2790a523a3c3fc403efa86fd83a73
Instruction ID: de7e618a69ece48fe05348024f7aad34e8c204bac18a713b4793032de90bd1dd
Opcode Fuzzy Hash: d0c113fbeb00a019116e248b927bd9237ee2790a523a3c3fc403efa86fd83a73
Instruction Fuzzy Hash: F20180B1901704EFC724DF29D980A9BBBF5FF48710B10462EE84693B02D774E985CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00694DD9, Relevance: 4.5, APIs: 3, Instructions: 31threadCOMMON

Download Yara Rule

APIs

Part of subcall function 006A9F63: GetLastError.KERNEL32(?,?,?,0069C0D2,006A0714,?,006A9F0D,00000001,00000364,?,00694D4A,00787350,00000010), ref: 006A9F68
Part of subcall function 006A9F63: _free.LIBCMT ref: 006A9F9D
Part of subcall function 006A9F63: SetLastError.KERNEL32(00000000), ref: 006A9FD1

RtlExitUserThread.NTDLL(?,?,?,00694F97,?,?,00694D82,00000000), ref: 00694DEB
CloseHandle.KERNEL32(?,?,?,00694F97,?,?,00694D82,00000000), ref: 00694E13
FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,00694F97,?,?,00694D82,00000000), ref: 00694E29

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibraryUser_free
String ID:
API String ID: 1765993807-0
Opcode ID: 0b684379a3635da3496ba8be5a775a66397e6181a37d77da4e3ed34cfb2c9944
Instruction ID: 1797eb193d2ac906eade3a6409676f5f76e6e4c1304b61f1546358f000c6dd65
Opcode Fuzzy Hash: 0b684379a3635da3496ba8be5a775a66397e6181a37d77da4e3ed34cfb2c9944
Instruction Fuzzy Hash: C4F05E384007416BDF216B75D888EAB7A9FAF05364F194714F824C7AA1DF70DD96CA90

Uniqueness

Uniqueness Score: -1.00%

Function 006B1E97, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,00000000,00000000), ref: 006B1EBC

Strings

, xrefs: 006B1F01

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 9a354b30f942c5c146e91af63f080870ef58fe06ff53fd1a3d000cefed33f9b4
Instruction ID: 127a3761c65d230116edd3e04dbc93aa2196663a2f028c5c1a58481174b760d6
Opcode Fuzzy Hash: 9a354b30f942c5c146e91af63f080870ef58fe06ff53fd1a3d000cefed33f9b4
Instruction Fuzzy Hash: 4E412DF050434DAADF218E548C94AF6BBEFDB46304F5404EDE59A8B142D3359E85DF60

Uniqueness

Uniqueness Score: -1.00%

Function 004051D5, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004051DC

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 004051D6, 004051DB, 004051E3

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: da4809e68cd2a0465343711a6865424bd576fcfbab4ebac054e9145fb4f27f39
Instruction ID: a72b6a1d3d66b53a737fe09d3f5f2c3c5e8c4145830486a641d466840165291e
Opcode Fuzzy Hash: da4809e68cd2a0465343711a6865424bd576fcfbab4ebac054e9145fb4f27f39
Instruction Fuzzy Hash: 44C04C129D56312E394532953807DEE024E9E56720B16006FF544655D35C891D8181FE

Uniqueness

Uniqueness Score: -1.00%

Function 0040A24C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040A253

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 0040A24D, 0040A25A

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: 0f90911267e85b02a8f1117a6a0848b9658601ab6909a3cfcf81942666d886ce
Instruction ID: 0057e7b996f07cbecae86091c4394cb40fbf005e9b2a5c44e7be6a6a3eddf1eb
Opcode Fuzzy Hash: 0f90911267e85b02a8f1117a6a0848b9658601ab6909a3cfcf81942666d886ce
Instruction Fuzzy Hash: 47C04C529956302D394533693C07DEE068E8D56720B16016FF540A55D35D891C8185FF

Uniqueness

Uniqueness Score: -1.00%

Function 00402213, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040221A

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 00402214, 00402219, 00402221

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: ae8cc7881e232a0f652d18f76399ed3235f94e58f7283621dd95d04a155cd665
Instruction ID: c393f2c3f4ed60259a07d8ef2066c57b9609af5342ce6087124609bbc4b4f2a9
Opcode Fuzzy Hash: ae8cc7881e232a0f652d18f76399ed3235f94e58f7283621dd95d04a155cd665
Instruction Fuzzy Hash: 34C04C625996313D394533A57C17DEA024E8D5A720B16007FF540655D25C891C8182FF

Uniqueness

Uniqueness Score: -1.00%

Function 00402239, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00402240

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

4D5A6B65726E656C33320000504500004C01030000000000000000000000000078000F030B01000000000000000000000000000014310000000000000C00000000004000001000000002000004000000010000000400000000000000A631000014010000000000000300000000001000001000000000000000000000000000000200, xrefs: 0040223A, 0040223F, 00402247

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: 4D5A6B65726E656C33320000504500004C01030000000000000000000000000078000F030B01000000000000000000000000000014310000000000000C00000000004000001000000002000004000000010000000400000000000000A631000014010000000000000300000000001000001000000000000000000000000000000200
API String ID: 4000879885-1544901093
Opcode ID: 7c23013c29d5340e316868287d73bc5f74196c70cc18484d68debd35bbe8a54e
Instruction ID: b331fccb048b4c8ee2da9397841e484c74ccb636dbe33c2963b62e9c23243bac
Opcode Fuzzy Hash: 7c23013c29d5340e316868287d73bc5f74196c70cc18484d68debd35bbe8a54e
Instruction Fuzzy Hash: 07C04C226959216D395D32553C07DEE064E8D56321B16017FFA406A5D25C892DD142FE

Uniqueness

Uniqueness Score: -1.00%

Function 0040D34F, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040D356

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 0040D350, 0040D35D

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: 7588a9227e2ba7f396f5d8b58619ef0ead7ad0bf2a51ad7e71421bbc3ee97a7b
Instruction ID: 788e81043146d34a204da95c6aaf527042f0c320375d9e9c5808827149d451a4
Opcode Fuzzy Hash: 7588a9227e2ba7f396f5d8b58619ef0ead7ad0bf2a51ad7e71421bbc3ee97a7b
Instruction Fuzzy Hash: 08C04C125956302D394533A53C07DEA128E8D56724B16107FB945655D25C981D8181FE

Uniqueness

Uniqueness Score: -1.00%

Function 0040B3E2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040B3E9

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 0040B3E3, 0040B3F0

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: bf4ba7625c184d5fbeae433e11246c62e775676d2754eba7717d128837ffd617
Instruction ID: 9ea7e63911cbe7384143c5be40584d122255df295a60662729e35affd5050ccb
Opcode Fuzzy Hash: bf4ba7625c184d5fbeae433e11246c62e775676d2754eba7717d128837ffd617
Instruction Fuzzy Hash: 99C04C525956302D398533553807DEA125E8D96720B16006FF544656D65D891C8185FE

Uniqueness

Uniqueness Score: -1.00%

Function 00403451, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00403458

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 00403452, 00403457, 0040345F

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: 2cbdd131894ffef946dab4a8e4d23c9a3bb33341cc3026922f2b053176ea4dc7
Instruction ID: e4219eabbc0be6cdcb4523690851dbfc945d72fc796d06143663a067f437321e
Opcode Fuzzy Hash: 2cbdd131894ffef946dab4a8e4d23c9a3bb33341cc3026922f2b053176ea4dc7
Instruction Fuzzy Hash: 6FC04C1659663029395532593C17DEE024E8D56720B56007FF540A65D35E891C8182FE

Uniqueness

Uniqueness Score: -1.00%

Function 004086E7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004086EE

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

47dc917e44dfc7bfdd18b6637f270b92f1da6c3c2af30c972753dba7f7215571a11c965de69a8ef895fc7389a9e034b96f2e3691bad96c6aeda479aabc9f766df831f771d205ef47976274e78fa01170f29f6faa36a02d6ee8997fe3722ee492, xrefs: 004086E8, 004086ED, 004086F5

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: 47dc917e44dfc7bfdd18b6637f270b92f1da6c3c2af30c972753dba7f7215571a11c965de69a8ef895fc7389a9e034b96f2e3691bad96c6aeda479aabc9f766df831f771d205ef47976274e78fa01170f29f6faa36a02d6ee8997fe3722ee492
API String ID: 4000879885-3785019384
Opcode ID: 8ae7c0d2361245e4be810130cb3b56ea7b620d6a9c22e1820614216836a0449b
Instruction ID: 74496edd26b83049336a924a703b8acea00f5dc567d2fb9a3aafc87a4f3f1b70
Opcode Fuzzy Hash: 8ae7c0d2361245e4be810130cb3b56ea7b620d6a9c22e1820614216836a0449b
Instruction Fuzzy Hash: 59C04C225965312D3D4933993807EEE129E9D46320B15006FF540A65D25C892C8142FE

Uniqueness

Uniqueness Score: -1.00%

Function 0040869B, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004086A2

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 0040869C, 004086A1, 004086A9

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: 40a983e4a4280baa7655bafb6d2d2a8d832577045c9cb0c7f885f607d078e079
Instruction ID: 0288b0a33f127923fdc175bcc9e4f226d07a171e5f468928065520b70e5e6145
Opcode Fuzzy Hash: 40a983e4a4280baa7655bafb6d2d2a8d832577045c9cb0c7f885f607d078e079
Instruction Fuzzy Hash: 2EC04C165956312D3D853355380BDEF024E9D9A720B16017FB940656D26D892C8181FE

Uniqueness

Uniqueness Score: -1.00%

Function 0040180D, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00401814

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 0040180E, 00401813, 0040181B

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: a68020ad38012fbfa2bda710afa97ee6495d10b25889b467a365ce2f715f64d7
Instruction ID: fd182bead98460bf8a69c0a98c1d47d876b4f272ad37733376e36c40a964e083
Opcode Fuzzy Hash: a68020ad38012fbfa2bda710afa97ee6495d10b25889b467a365ce2f715f64d7
Instruction Fuzzy Hash: C3C04C525996302D3D4533657817DEA029E9D5A720B16007FF545A65D25C881C8192FE

Uniqueness

Uniqueness Score: -1.00%

Function 004048E3, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004048EA

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 004048E4, 004048E9, 004048F1

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: e4c33713f7c0d8eb196035b3be2a4e5c3f132ee8d4d7487d223c4f1dee873545
Instruction ID: 12941ef5300d5d3ca1d48400a836db727a3aa57d222af7125f71995f6a6bb9da
Opcode Fuzzy Hash: e4c33713f7c0d8eb196035b3be2a4e5c3f132ee8d4d7487d223c4f1dee873545
Instruction Fuzzy Hash: 31C04C125966302D3D8532653817EEE025E8D56721F1A006FF544695D25C891C8192FE

Uniqueness

Uniqueness Score: -1.00%

Function 00409981, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00409988

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 00409982, 0040998F

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: beba80fd58e5b587f47a4ed5c464be3a99ebb83612b74d4eba3df3a46a6d3be0
Instruction ID: 1b29e55c750c172269f35e3fd5b5890a0a68579d4ef95ad94b1982a3a30d14aa
Opcode Fuzzy Hash: beba80fd58e5b587f47a4ed5c464be3a99ebb83612b74d4eba3df3a46a6d3be0
Instruction Fuzzy Hash: 3FC04C12599A702D395532553817DEE024E8D57B20B56007FF650A55D25C891C8181FE

Uniqueness

Uniqueness Score: -1.00%

Function 00402ADE, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00402AE5

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 00402ADF, 00402AE4, 00402AEC

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: bcc13b8172af80887791968cf30f8d96d6ccb4203f99a6cbf392a5a3cf026126
Instruction ID: 663f77395931ad928d018b832c8a80838be7224243435c2140bfc78c987bc14c
Opcode Fuzzy Hash: bcc13b8172af80887791968cf30f8d96d6ccb4203f99a6cbf392a5a3cf026126
Instruction Fuzzy Hash: 11C04C125D56302D39853255380BDEE025E8D56720B16007FFA40655D65C891D8186FF

Uniqueness

Uniqueness Score: -1.00%

Function 0040CA84, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040CA8B

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 0040CA85, 0040CA92

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: 287b84d13889efde8cca7907352a77c164b2a5b67db57b134d014ece428b0e41
Instruction ID: 4ffc46775f5eb4f1bce176144216cd53af0bd79fecfd64caa3f21755272c7365
Opcode Fuzzy Hash: 287b84d13889efde8cca7907352a77c164b2a5b67db57b134d014ece428b0e41
Instruction Fuzzy Hash: 9BC04C225957312D3D8573A57C07DEA124E8D56720B16017FB685655D25C882C8185FE

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB17, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040AB1E

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 0040AB18, 0040AB1D, 0040AB25

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: e8605e5bf7c78a59952ee91db430a7e58e852ccba2f8ff0a9681d160eefbe788
Instruction ID: ad4ebcbc0a8346865d7247a4bd0e6c99cbf8780e4a0df1b70d48cffb608485de
Opcode Fuzzy Hash: e8605e5bf7c78a59952ee91db430a7e58e852ccba2f8ff0a9681d160eefbe788
Instruction Fuzzy Hash: E1C04C525957302D394533953907DEA024E8D5A721B1600BFF540655D25C892C8185FE

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF4F, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040BF56

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 0040BF50, 0040BF5D

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: 6f489991e63d02db7c030a730181241519817afeb63eaf2d51041a352a699ae4
Instruction ID: 3436170ea041aa1e5de0fee85609c1d8a8328f22e981a0665eda8f3eee515125
Opcode Fuzzy Hash: 6f489991e63d02db7c030a730181241519817afeb63eaf2d51041a352a699ae4
Instruction Fuzzy Hash: 74C04C22999A302D3D4533A97C07DEA028E8D56730B16017FB541656D65D882C8185FE

Uniqueness

Uniqueness Score: -1.00%

Function 00403F53, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00403F5A

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 00403F54, 00403F59, 00403F61

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: 1f8d07de3b8293c2db2f74311815593bd55e8264e9872c5660290aa532d92aa2
Instruction ID: c9f98c8cbfcdd9fab2be9cf57d1fce3192d82ac0d695ce3633eb1dbab1b9471e
Opcode Fuzzy Hash: 1f8d07de3b8293c2db2f74311815593bd55e8264e9872c5660290aa532d92aa2
Instruction Fuzzy Hash: D2C04C125956302D399532993C07DEE024E9D56720B56016FF544655D25C891C81C1FE

Uniqueness

Uniqueness Score: -1.00%

Function 00408F66, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00408F6D

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

/coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg, xrefs: 00408F67, 00408F74

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: /coFG/G7r2k4nLa9Dxqg8fU0knZm7yrvNwiVIi0fOHHHRYpsrlEn9pLmdUmi2V2ax5We/KjwIgUdBApyuqLiLzHQuSpGKKsvvmbXJY6BXU0DZ0hv3PoXXuLC+MQamS4I0UTPeHe+JWoyXXnADjlKlMEVFYr54w29k2l4idOBZWc37KX7Wg7qO6URKfvUjC9J3v3dkWFhmQgYHhipetPMnYHvFXsttKMs670QxpyOXwAWaGwLsGyC9ySXBFDOqTC0UoRg
API String ID: 4000879885-2292685684
Opcode ID: d0df9ad225740ea60e40c3e86f9fba31da7a46985dd40a631572549cfeab507e
Instruction ID: 25b6a108980f8320795cb07f9d76a86d19351f6e50c10c6e81196ad634ecde63
Opcode Fuzzy Hash: d0df9ad225740ea60e40c3e86f9fba31da7a46985dd40a631572549cfeab507e
Instruction Fuzzy Hash: BDC04C125A56302E398532A53D07DEA025E8D56720B16016FF545696D25C892C8181FE

Uniqueness

Uniqueness Score: -1.00%

Function 006B21EC, Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 006B1DBF: GetOEMCP.KERNEL32(00000000,?,?,006B2048,?), ref: 006B1DEA

IsValidCodePage.KERNEL32(-00000030,00000000,?,00000001,?,?,006B208D,?,00000000,00000000,00000000,00000001), ref: 006B2260
GetCPInfo.KERNEL32(00000000,006B208D,?,?,006B208D,?,00000000,00000000,00000000,00000001), ref: 006B2273

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 0bd20bbff2b34b71c8b9416204152a215615d764a0787a6332574048888e2d71
Instruction ID: fb087fcb42d24d1158d57fd9c824aeaec27df0fa1b83d64e4782d6a8756a940f
Opcode Fuzzy Hash: 0bd20bbff2b34b71c8b9416204152a215615d764a0787a6332574048888e2d71
Instruction Fuzzy Hash: FE5136F09003479EDB218F75C8A46FBBBE6EF41310F14456ED496CB251D6399AC68B90

Uniqueness

Uniqueness Score: -1.00%

Function 006B202B, Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 006A9EDF: GetLastError.KERNEL32(?,?,00694D4A,00787350,00000010), ref: 006A9EE3
Part of subcall function 006A9EDF: _free.LIBCMT ref: 006A9F16
Part of subcall function 006A9EDF: SetLastError.KERNEL32(00000000), ref: 006A9F57
Part of subcall function 006A9EDF: _abort.LIBCMT ref: 006A9F5D

Part of subcall function 006B214A: _abort.LIBCMT ref: 006B217C
Part of subcall function 006B214A: _free.LIBCMT ref: 006B21B0

Part of subcall function 006B1DBF: GetOEMCP.KERNEL32(00000000,?,?,006B2048,?), ref: 006B1DEA

_free.LIBCMT ref: 006B20A3
_free.LIBCMT ref: 006B20D9

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 5cded6ff8f800b6ac6c580bb2159d0b8c3175153d460269ac32fbc8fc2689d71
Instruction ID: 4d00f6da9702504c5a9917946fb21b39046e43499657e0ddc5f07e926363d174
Opcode Fuzzy Hash: 5cded6ff8f800b6ac6c580bb2159d0b8c3175153d460269ac32fbc8fc2689d71
Instruction Fuzzy Hash: A331E271904209AFDB10FB69D850BEDB7F6EF42320F2540ADE9049B2A1DB369D81CF14

Uniqueness

Uniqueness Score: -1.00%

Function 004219C9, Relevance: 3.0, APIs: 2, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004219CE
new.LIBCMT ref: 004219EB

Part of subcall function 00421976: __EH_prolog.LIBCMT ref: 0042197B
Part of subcall function 00421976: __Getctype.LIBCPMT ref: 004219A1

Part of subcall function 00421059: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00421081
Part of subcall function 00421059: std::_Lockit::~_Lockit.LIBCPMT ref: 0042110D

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prologstd::_$GetctypeLocinfo::_Locinfo_dtorLockitLockit::~_
String ID:
API String ID: 4122330132-0
Opcode ID: b1b090d675cc00cb21eca32efbf5c1ae8e7c5696a35b0b42d348e107ef4bd08d
Instruction ID: fbde2bd1481ce7c7b2cb5b6156cb7aef1863e66f145bda6bb614e2272a6a618c
Opcode Fuzzy Hash: b1b090d675cc00cb21eca32efbf5c1ae8e7c5696a35b0b42d348e107ef4bd08d
Instruction Fuzzy Hash: 3201C4B1A00229ABCB10EFA9E8817DEFB75FF64320F60422FE419A7291D7740A00C794

Uniqueness

Uniqueness Score: -1.00%

Function 00414D9D, Relevance: 3.0, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

CreateIoCompletionPort.KERNELBASE(?,?,00000000,00000000), ref: 00414DB0
GetLastError.KERNEL32 ref: 00414DBA

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CompletionCreateErrorLastPort
String ID:
API String ID: 826170474-0
Opcode ID: 0395236f40c99d132699d23732010481dfda0b7b115359d0289d3860ae94fd5e
Instruction ID: 3ef129dfe6b8358e7d9be018ffa25797f26216bf5c787367d69216dd716af2eb
Opcode Fuzzy Hash: 0395236f40c99d132699d23732010481dfda0b7b115359d0289d3860ae94fd5e
Instruction Fuzzy Hash: B8016771A0060CAF8B11DFA9988059FBBA6EE45394714807AFC05E7211D6758E068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 006A10DC, Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006A10FD

Part of subcall function 006A108E: RtlAllocateHeap.NTDLL(00000000,00000003,00000003), ref: 006A10C0

RtlReAllocateHeap.NTDLL(00000000,?,?,00000004), ref: 006A1139

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: AllocateHeap$_free
String ID:
API String ID: 1482568997-0
Opcode ID: 82856c9a945a5109aee5276d69ee04f10a8b6d03164f0c80b4fa7489bd98f00a
Instruction ID: c5cbd700ae049f8d96cd2395215c452c62e4477a8341e6aedb05efd4ec93b030
Opcode Fuzzy Hash: 82856c9a945a5109aee5276d69ee04f10a8b6d03164f0c80b4fa7489bd98f00a
Instruction Fuzzy Hash: F9F0F632A0021566DB717A21AC41BAB776B9FD3772F14411DFA289F291DE30DC418DB5

Uniqueness

Uniqueness Score: -1.00%

Function 00415A23, Relevance: 3.0, APIs: 2, Instructions: 38networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,00000000,00000000,00000001), ref: 00415A36
setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 00415A69

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Socketsetsockopt
String ID:
API String ID: 4073417641-0
Opcode ID: 3b90072e8cb81b3ca05c6826c9d39db1d776a69f4c37158aedfab5e15434e4a0
Instruction ID: 663e49da4d4856ef2d3da6e005abff95531b9732195f4b7834f121d04bb2196b
Opcode Fuzzy Hash: 3b90072e8cb81b3ca05c6826c9d39db1d776a69f4c37158aedfab5e15434e4a0
Instruction Fuzzy Hash: 57F0B43A690218BBE63056188C8AFEE7659CB89B70F104316FE21A62C096F45D414195

Uniqueness

Uniqueness Score: -1.00%

Function 0040F48D, Relevance: 3.0, APIs: 2, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f9d6a7a2a6c329b8c658a31af58da615f691074d5fde15becd13cb46ea05feb
Instruction ID: 3225706cb2ef8621140827d6974cb5288cc4a64a16b81056c02bd44edeb2d36d
Opcode Fuzzy Hash: 5f9d6a7a2a6c329b8c658a31af58da615f691074d5fde15becd13cb46ea05feb
Instruction Fuzzy Hash: 1BF0E2712142055ACB2CDB78985567B3B469F64324B208B3FFD2ADA9C0D739DD88830C

Uniqueness

Uniqueness Score: -1.00%

Function 006A56BB, Relevance: 3.0, APIs: 2, Instructions: 35COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006A5709

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b9742bbe7b9556604d46a3243ed97c985161ed97882457251a5875c9d3f87ad7
Instruction ID: 9d87ef3127ffdf576d9d7f13a8106a8b15ddc1ccf6949d9cf51d36c13b1f1551
Opcode Fuzzy Hash: b9742bbe7b9556604d46a3243ed97c985161ed97882457251a5875c9d3f87ad7
Instruction Fuzzy Hash: B1E0E522601D1591D6A1B2396C527AF02C76BC3371B61433EF922D61E1CF749C434EB9

Uniqueness

Uniqueness Score: -1.00%

Function 00413F49, Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

__Thrd_start.LIBCPMT ref: 00413F58

Part of subcall function 00582E5D: std::_Throw_Cpp_error.LIBCPMT ref: 00582E84

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Cpp_errorThrd_startThrow_std::_
String ID:
API String ID: 1816819587-0
Opcode ID: 482491daaff7d305f77c0e5da6f056b282fd6e02cfe2d2002e2a29a61db142d5
Instruction ID: 001f3e7be6932ec7b589c578a32a9158c350cf8eb1f041a732ff9f2af810380e
Opcode Fuzzy Hash: 482491daaff7d305f77c0e5da6f056b282fd6e02cfe2d2002e2a29a61db142d5
Instruction Fuzzy Hash: E5E0D8319582117AEF1D2A259C07DE77E989F00B21B10847FF84A50461E95AEED24648

Uniqueness

Uniqueness Score: -1.00%

Function 0069018E, Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 0068FF18: try_get_function.LIBVCRUNTIME ref: 0068FF2D
Part of subcall function 0068FF18: FlsAlloc.KERNELBASE(00000000), ref: 0068FF45

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006901AC
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 006901B7

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: AllocValue___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 2703957606-0
Opcode ID: f5314db63b4823537c7ac08097087e9ce7a53253570d2759e5becbc8da32da43
Instruction ID: 330209987fdeb9edc37eb07acaacb252a5683f641a712071c5c970b247beff8d
Opcode Fuzzy Hash: f5314db63b4823537c7ac08097087e9ce7a53253570d2759e5becbc8da32da43
Instruction Fuzzy Hash: 7CD0C9A594C3216D7D9437F43812A9A238F5953BB07B1076FF220D6AC2EB549045A229

Uniqueness

Uniqueness Score: -1.00%

Function 00416319, Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041631E

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: a7c11de10b17c89fc47b0469581b3710ff41b2bdb42303edd2173ccc73ffcf01
Instruction ID: bc131b28d82ea61ad7cf9e497848dc32f686f21abaa468e28f58667315e49527
Opcode Fuzzy Hash: a7c11de10b17c89fc47b0469581b3710ff41b2bdb42303edd2173ccc73ffcf01
Instruction Fuzzy Hash: D9319C3290450D9BCF10DF68C4416EEBBB1AF45324F11820EFC796B291C779AA96DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004121EC, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004121F1

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 01bc7834e8b5f3e57b7f0d53bb6f91b8a71fb1b6a96fe8f70097f0bbe7feafd5
Instruction ID: 106f691d2cd4d388acc72c086b2a8801f6c7c68005dff5bca8a06f5e902c6d40
Opcode Fuzzy Hash: 01bc7834e8b5f3e57b7f0d53bb6f91b8a71fb1b6a96fe8f70097f0bbe7feafd5
Instruction Fuzzy Hash: DE213771E042049BDB24CFA8DA407EEB7B1EF44720F10066EE821A73C0C3B46995C799

Uniqueness

Uniqueness Score: -1.00%

Function 00415A77, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,?,?,00000004), ref: 00415B03

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 229b2676438b68199630548ea13f135a547bc85ac154036ae7c02f03ae255c6f
Instruction ID: ee03ee346e80de96060b2f7dc48de22909011d28722b388b5a7a22666c16ff3a
Opcode Fuzzy Hash: 229b2676438b68199630548ea13f135a547bc85ac154036ae7c02f03ae255c6f
Instruction Fuzzy Hash: B011EF31644A17DBCF218E54C8806EB7B60AF853A1F108327F9689B2C0C778ECD187CA

Uniqueness

Uniqueness Score: -1.00%

Function 004145F9, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlDeleteCriticalSection.NTDLL(?), ref: 00414659

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CriticalDeleteSection
String ID:
API String ID: 166494926-0
Opcode ID: bf155099e04156ad86a8d380fd1935318f383b76e2125f10cad28c543f011656
Instruction ID: c205b92e4670c4d4a9239502f0aa17f7a91c955e2e12e1d5caf8899e845fa433
Opcode Fuzzy Hash: bf155099e04156ad86a8d380fd1935318f383b76e2125f10cad28c543f011656
Instruction Fuzzy Hash: E511CE32600B10DFC724CF08D844B9AB7A4EF4AB20F15025EE91597780CB38AC418B88

Uniqueness

Uniqueness Score: -1.00%

Function 006AD212, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 006A06C2: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 006A0703

_free.LIBCMT ref: 006AD27E

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 0b4b008072a0e56ba964d3cb1c982bf154756b4c010919c59faccb9bc52cd31d
Instruction ID: de701bcb4e7da6ad01a614126fa720557e4334c76fb898aacb5b1f89e02d314f
Opcode Fuzzy Hash: 0b4b008072a0e56ba964d3cb1c982bf154756b4c010919c59faccb9bc52cd31d
Instruction Fuzzy Hash: CC01BE722003056BE731DF65D845A59FBDEFB86370F25051DE695536C0EA30AD05CB74

Uniqueness

Uniqueness Score: -1.00%

Function 004158E1, Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 004158F9

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Send
String ID:
API String ID: 121738739-0
Opcode ID: 844c422e5eb378a7e0d29b4a214563c5546f25862673e465dbfc040dc78f2f9b
Instruction ID: 9da11206683b960042a778e75a57ea9168890d1a14d1c1e5e2c37e50e1839dcd
Opcode Fuzzy Hash: 844c422e5eb378a7e0d29b4a214563c5546f25862673e465dbfc040dc78f2f9b
Instruction Fuzzy Hash: 69012FF0A00208FFDB209F61C8808EAB76CEB84374B10022BF80593380C738AD508796

Uniqueness

Uniqueness Score: -1.00%

Function 004AC8DD, Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004AC8E2

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f42449693ef1a47b6df4a5e2534d95c0e25e22352c546430f63f561eba1047ef
Instruction ID: c14727fb24beb689e6f6779a32a4015c6038887e017dff5ea0652d04006fa9ed
Opcode Fuzzy Hash: f42449693ef1a47b6df4a5e2534d95c0e25e22352c546430f63f561eba1047ef
Instruction Fuzzy Hash: F8115771A01249CFCB61DF58C904B9ABBF5FF08314F1085AEE8988B351D3B19A40CB80

Uniqueness

Uniqueness Score: -1.00%

Function 006A61EB, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 006A06C2: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 006A0703

_free.LIBCMT ref: 006A620B

Part of subcall function 006A071F: RtlFreeHeap.NTDLL(00000000,00000000,?,006B30B9,?,00000000,?,00000000,?,006B335D,?,00000007,?,?,006B3746,?), ref: 006A0735
Part of subcall function 006A071F: GetLastError.KERNEL32(?,?,006B30B9,?,00000000,?,00000000,?,006B335D,?,00000007,?,?,006B3746,?,?), ref: 006A0747

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: 6b1f8bd94c4273aadb7b854072cbc8c97564ee9b6a700488982b58c6107e65c2
Instruction ID: bb89b7d528f2712ec30a3681f1e6c367861aa7c75418f4437e72bf37ab3f4555
Opcode Fuzzy Hash: 6b1f8bd94c4273aadb7b854072cbc8c97564ee9b6a700488982b58c6107e65c2
Instruction Fuzzy Hash: 9DF01971A01209AFD750EB68C442B9ABBF4EB49710F10416AED18A7341EB71AE108BD5

Uniqueness

Uniqueness Score: -1.00%

Function 006A06C2, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 006A0703

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3c23660a21ad2e462de00a57121c1483a83682750325c3113940d13b4d1180a9
Instruction ID: 7e934bd5066ccc049f0f0c22338a0c4756a715c0b7e1c58434b19cc306e23a6d
Opcode Fuzzy Hash: 3c23660a21ad2e462de00a57121c1483a83682750325c3113940d13b4d1180a9
Instruction Fuzzy Hash: BDF0E931248624A7FF21BE619C05B9B375FAF837B0F145111F8099A690CA31EC118EE5

Uniqueness

Uniqueness Score: -1.00%

Function 006A06C2, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 006A0703

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3c23660a21ad2e462de00a57121c1483a83682750325c3113940d13b4d1180a9
Instruction ID: 7e934bd5066ccc049f0f0c22338a0c4756a715c0b7e1c58434b19cc306e23a6d
Opcode Fuzzy Hash: 3c23660a21ad2e462de00a57121c1483a83682750325c3113940d13b4d1180a9
Instruction Fuzzy Hash: BDF0E931248624A7FF21BE619C05B9B375FAF837B0F145111F8099A690CA31EC118EE5

Uniqueness

Uniqueness Score: -1.00%

Function 006A108E, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000003,00000003), ref: 006A10C0

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6b22095144da70cbec31f193c9388207d853bd3e62e9af16367f76d79eb0748f
Instruction ID: 057aafb766249f32bd5b599ce166dd7925d9ac491e62c583bfb90a4e987c2369
Opcode Fuzzy Hash: 6b22095144da70cbec31f193c9388207d853bd3e62e9af16367f76d79eb0748f
Instruction Fuzzy Hash: 31E030251452A196EA7136659D04B9B3A9B9F433F0F150110A8459F292DE64AC818EB6

Uniqueness

Uniqueness Score: -1.00%

Function 006A108E, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000003,00000003), ref: 006A10C0

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6b22095144da70cbec31f193c9388207d853bd3e62e9af16367f76d79eb0748f
Instruction ID: 057aafb766249f32bd5b599ce166dd7925d9ac491e62c583bfb90a4e987c2369
Opcode Fuzzy Hash: 6b22095144da70cbec31f193c9388207d853bd3e62e9af16367f76d79eb0748f
Instruction Fuzzy Hash: 31E030251452A196EA7136659D04B9B3A9B9F433F0F150110A8459F292DE64AC818EB6

Uniqueness

Uniqueness Score: -1.00%

Function 004AF07A, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

Part of subcall function 004227D5: new.LIBCMT ref: 0042280B
Part of subcall function 004227D5: std::locale::_Init.LIBCPMT ref: 00422815

Part of subcall function 004AFD21: __EH_prolog.LIBCMT ref: 004AFD26

std::ios_base::_Addstd.LIBCPMT ref: 004AF0B9

Part of subcall function 004226AE: __EH_prolog.LIBCMT ref: 004226B3
Part of subcall function 004226AE: __CxxThrowException@8.LIBVCRUNTIME ref: 004226D9

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$AddstdException@8InitThrowstd::ios_base::_std::locale::_
String ID:
API String ID: 2564750599-0
Opcode ID: 3d901c01a1426a53dd42f28859e6fb9d9d7944a74d665e030c051e79394bef60
Instruction ID: 7018a0c775b5a882920073ae86af83c4afe5ed78168e96d6e9dcefd3a99bd23a
Opcode Fuzzy Hash: 3d901c01a1426a53dd42f28859e6fb9d9d7944a74d665e030c051e79394bef60
Instruction Fuzzy Hash: B2F0EC326043146BE734A6B59449B5B7BD4AF11334F00441FF48257A82DAF9F4448B95

Uniqueness

Uniqueness Score: -1.00%

Function 004AFD21, Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004AFD26

Part of subcall function 00422763: __EH_prolog.LIBCMT ref: 00422768

Part of subcall function 004B02E0: __EH_prolog.LIBCMT ref: 004B02E5
Part of subcall function 004B02E0: std::_Lockit::_Lockit.LIBCPMT ref: 004B02F4
Part of subcall function 004B02E0: std::locale::_Getfacet.LIBCPMT ref: 004B0314
Part of subcall function 004B02E0: std::_Lockit::~_Lockit.LIBCPMT ref: 004B036E

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$Lockitstd::_$GetfacetLockit::_Lockit::~_std::locale::_
String ID:
API String ID: 3055501177-0
Opcode ID: c1d3582962254c774d239df827e698910983ea97e75e998fbf88abde84892987
Instruction ID: ca78f803e55544c0ed65db2b3ac897056a71d1f714b11054642c2cd8e851af7c
Opcode Fuzzy Hash: c1d3582962254c774d239df827e698910983ea97e75e998fbf88abde84892987
Instruction Fuzzy Hash: 1FE06CB1900118EBCB18EFA4D94AAEEB779EF54311F10425EF415A3192D7345E01C6B8

Uniqueness

Uniqueness Score: -1.00%

Function 0041569D, Relevance: 1.5, APIs: 1, Instructions: 24networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(?,?,?), ref: 004156BD

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: connect
String ID:
API String ID: 1959786783-0
Opcode ID: f08251cb2a754f7f2434fc7b6e2151aa4a8a2ff67c4da2180d2909c61758b2f6
Instruction ID: 94b5bfe2314bff8fdf9ce2e0ce22ba35234059b5c56646d24ec5b8d3069aba9e
Opcode Fuzzy Hash: f08251cb2a754f7f2434fc7b6e2151aa4a8a2ff67c4da2180d2909c61758b2f6
Instruction Fuzzy Hash: 89E08631601914678A1066B86C518E9775A8F80B79B04C716BE3D4B7D0CA35DC9096D4

Uniqueness

Uniqueness Score: -1.00%

Function 004107B6, Relevance: 1.5, APIs: 1, Instructions: 19networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000002,00000002), ref: 004107D9

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: f12ed0640048525d821b22233eadc94aaa0895087cee4c8538a79ba317e0a674
Instruction ID: e110cca691539e17059a820ccb334c71c76e8421bb90a4e7a02472f114fcb635
Opcode Fuzzy Hash: f12ed0640048525d821b22233eadc94aaa0895087cee4c8538a79ba317e0a674
Instruction Fuzzy Hash: 02D02B309252144FC710E6385C06575739EE707331F200335DC76C11C0F90858114AC5

Uniqueness

Uniqueness Score: -1.00%

Function 00411B0E, Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

std::_Deallocate.LIBCONCRT ref: 00411B20

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Deallocatestd::_
String ID:
API String ID: 1323251999-0
Opcode ID: 4240533d9f262ce9e2afb649e3049b21eef5bca52de13571118af7fd312099d0
Instruction ID: a5bb6f8230b63ef1b743cc28815be57c126bffb7c95fa9de15f62f736ad40a87
Opcode Fuzzy Hash: 4240533d9f262ce9e2afb649e3049b21eef5bca52de13571118af7fd312099d0
Instruction Fuzzy Hash: 67D017715102118FD370DF28D940B92B7E4EF04300F10483EA4C8D2660E275A8C0CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0068A19C, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

__onexit.LIBCMT ref: 0068A1A2

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: __onexit
String ID:
API String ID: 1448380652-0
Opcode ID: d78d9142898b9c98952a14e3dedbcd9244443e9bdde8ff525791cf48f29bf47b
Instruction ID: ae06a61387d797c22e828c1b7c25c3e299913563c78fa6e94896c5c9041a8ba6
Opcode Fuzzy Hash: d78d9142898b9c98952a14e3dedbcd9244443e9bdde8ff525791cf48f29bf47b
Instruction Fuzzy Hash: 71B0123119810E2A7E0479F5EC0A8357B4DD611660B400727FD0DC51E1DD12A4500285

Uniqueness

Uniqueness Score: -1.00%

Function 0068A19C, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

__onexit.LIBCMT ref: 0068A1A2

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit
String ID:
API String ID: 1448380652-0
Opcode ID: d78d9142898b9c98952a14e3dedbcd9244443e9bdde8ff525791cf48f29bf47b
Instruction ID: ae06a61387d797c22e828c1b7c25c3e299913563c78fa6e94896c5c9041a8ba6
Opcode Fuzzy Hash: d78d9142898b9c98952a14e3dedbcd9244443e9bdde8ff525791cf48f29bf47b
Instruction Fuzzy Hash: 71B0123119810E2A7E0479F5EC0A8357B4DD611660B400727FD0DC51E1DD12A4500285

Uniqueness

Uniqueness Score: -1.00%

Function 00413FBC, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00413FC6

Part of subcall function 00583288: __Thrd_current.LIBCPMT ref: 0058329A
Part of subcall function 00583288: __Mtx_unlock.LIBCPMT ref: 005832E6
Part of subcall function 00583288: __Cnd_broadcast.LIBCPMT ref: 005832F1

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Cnd_broadcastCnd_do_broadcast_at_thread_exitMtx_unlockThrd_current
String ID:
API String ID: 3770271663-0
Opcode ID: 3f8eb422f8433fb0099226f869301b37e91ae3a0cf73d807ab6ed0381c822d4a
Instruction ID: ff022d793bb8bf46b6e52066ac2f291b08853f54aaa20664c344421b08025672
Opcode Fuzzy Hash: 3f8eb422f8433fb0099226f869301b37e91ae3a0cf73d807ab6ed0381c822d4a
Instruction Fuzzy Hash: 2EC092352142089F8340FBB8D44A81A7BE8AF95B107504079BD068BA21DE31BE14CA96

Uniqueness

Uniqueness Score: -1.00%

Function 0041B285, Relevance: 1.3, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000005,?,?,006BA30D,000000FF,?,00414BF4,?,?,?,?,006BAFEF,000000FF,?,00414B54), ref: 0041B2A7

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b7d7e147e4eae3918f640396de8204c9d911bfb4a66fe297ee34e58f35680f6d
Instruction ID: ffddd8125d501941515929ca90b6babe7630cea014909ab7aa5d8c99fba818a0
Opcode Fuzzy Hash: b7d7e147e4eae3918f640396de8204c9d911bfb4a66fe297ee34e58f35680f6d
Instruction Fuzzy Hash: E4E0DF32949B50EBD6219B48ED02F56B7E8EB09F20F10035EFC15A3B90CB79280087C9

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00422D5E, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00422D70

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

GetLastError.KERNEL32(?,0078835C,?,004AB6F7,80004005,007A29C4,?,004F4CC6,00000000,?,4s,?,?,004F508D), ref: 00422D76

Part of subcall function 00422D5E: LoadResource.KERNEL32(?,?,4s,?,?,8007000E,?,?,?,004AB6F7,80004005,007A29C4,?,004F4CC6,00000000), ref: 00422DD7
Part of subcall function 00422D5E: LockResource.KERNEL32(00000000,007A29C4,?,?,4s,?,?,8007000E,?,?,?,004AB6F7,80004005,007A29C4,?,004F4CC6), ref: 00422DE3
Part of subcall function 00422D5E: SizeofResource.KERNEL32(?,?,?,?,4s,?,?,8007000E,?,?,?,004AB6F7,80004005,007A29C4,?,004F4CC6), ref: 00422DF1

Strings

4s, xrefs: 00422DD0

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Resource$ErrorExceptionException@8LastLoadLockRaiseSizeofThrow
String ID: 4s
API String ID: 294969344-1257959787
Opcode ID: 14b93b8610f04b95de01a3b08f1d8995d8b73e4958a1c2cc6fbb48db3d2eb4bc
Instruction ID: e2ff399347e63724e1a48493567a94bfb53cd13b7b159f511e72fd9b16053eda
Opcode Fuzzy Hash: 14b93b8610f04b95de01a3b08f1d8995d8b73e4958a1c2cc6fbb48db3d2eb4bc
Instruction Fuzzy Hash: 3E218731300334BB9B346A69BE88ABB779CDE40340790492BFD06E7210D9F8DC8091E9

Uniqueness

Uniqueness Score: -1.00%

Function 0040F6F5, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040F6FA
GetProcessHeap.KERNEL32(007A29C4,?,004F4CBE,?,4s,?,?,004F508D,?,?,00403520), ref: 0040F717

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

Tz, xrefs: 0040F746

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prologHeapProcess__onexit
String ID: Tz
API String ID: 3671622277-2318832878
Opcode ID: 931f211b5acad43e0fe7fa319d87153985568281d381914c03da8773852ad73b
Instruction ID: 839f150a8a5d501b72f51f15b3c6a476b49f3470d528c605fd5a46d2b99ea3e3
Opcode Fuzzy Hash: 931f211b5acad43e0fe7fa319d87153985568281d381914c03da8773852ad73b
Instruction Fuzzy Hash: FC114F71D06B44DEC750DF68A9456497BA3F78A711B50822EE418CB2A2D77C49548B08

Uniqueness

Uniqueness Score: -1.00%

Function 006B4283, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 006A9EDF: GetLastError.KERNEL32(?,?,00694D4A,00787350,00000010), ref: 006A9EE3
Part of subcall function 006A9EDF: _free.LIBCMT ref: 006A9F16
Part of subcall function 006A9EDF: SetLastError.KERNEL32(00000000), ref: 006A9F57
Part of subcall function 006A9EDF: _abort.LIBCMT ref: 006A9F5D

EnumSystemLocalesW.KERNEL32(006B43AB,00000001,00000000,?,gj,?,006B49D8,00000000,?,?,?), ref: 006B42F5

Strings

gj, xrefs: 006B4288

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID: gj
API String ID: 1084509184-1676337594
Opcode ID: a935f39fd08785f3ac0f6caa8418c1fc9e87a0ca5ed90fccc634c658b005e534
Instruction ID: 0b6bafda0a16ef11edc29af3d053539e70b99a4224493b7781d747a30fe14851
Opcode Fuzzy Hash: a935f39fd08785f3ac0f6caa8418c1fc9e87a0ca5ed90fccc634c658b005e534
Instruction Fuzzy Hash: 1511297A2107059FDB18AF39C8916FAB7D3FF80318B18442DE98687741D7716982D740

Uniqueness

Uniqueness Score: -1.00%

Function 006B431E, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 006A9EDF: GetLastError.KERNEL32(?,?,00694D4A,00787350,00000010), ref: 006A9EE3
Part of subcall function 006A9EDF: _free.LIBCMT ref: 006A9F16
Part of subcall function 006A9EDF: SetLastError.KERNEL32(00000000), ref: 006A9F57
Part of subcall function 006A9EDF: _abort.LIBCMT ref: 006A9F5D

EnumSystemLocalesW.KERNEL32(006B45FB,00000001,?,?,gj,?,006B499C,gj,?,?,?,?,?,006A67E1,?,?), ref: 006B436A

Strings

gj, xrefs: 006B4323

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID: gj
API String ID: 1084509184-1676337594
Opcode ID: 7ebffd56639f2defa4b2ead8d12a4b1d820cbd09f4290a87aeb3c15b68d0575b
Instruction ID: 4c083e5e6d0408cbd57e3f690cacf17773c027bf15068017588ee9cefd35f46e
Opcode Fuzzy Hash: 7ebffd56639f2defa4b2ead8d12a4b1d820cbd09f4290a87aeb3c15b68d0575b
Instruction Fuzzy Hash: FAF022763047055FDB24AF3A9881BAA7BD2FF80368B09842DF9458B651DBB1AC828700

Uniqueness

Uniqueness Score: -1.00%

Function 004113B9, Relevance: 3.2, APIs: 2, Instructions: 217COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004113BD

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 004113C8

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ExceptionException@8H_prologRaiseThrow
String ID:
API String ID: 1681477883-0
Opcode ID: d73a396e38651f6354d36f35ef898224866296dd0cfb3a318e0202f52072f2a9
Instruction ID: e2e607e14e58e7e41733aa102ccf732a804b3ee68eabd10fbec28d3070090437
Opcode Fuzzy Hash: d73a396e38651f6354d36f35ef898224866296dd0cfb3a318e0202f52072f2a9
Instruction Fuzzy Hash: 5A81BCB1D052689FDB08CFA9D4806EDFFF1AF59300F14416EE546AB312C3749982CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 006AB108, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 006A0DBB: RtlEnterCriticalSection.NTDLL(?), ref: 006A0DCA

EnumSystemLocalesW.KERNEL32(006AB0C2,00000001,007878A0,0000000C), ref: 006AB140

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 7e0eaf0777491e23d1b4b257fc8ad12449b7175e3f23d24e463f3d2539339caf
Instruction ID: ddfdd50f4df3eab810e3373bff4247805515509e0037ea3ada06d79e30261cdb
Opcode Fuzzy Hash: 7e0eaf0777491e23d1b4b257fc8ad12449b7175e3f23d24e463f3d2539339caf
Instruction Fuzzy Hash: A5F06272A503049FE740FF68D84AB5D77E2AB05720F10912AF414DB2E2CB789D50CF49

Uniqueness

Uniqueness Score: -1.00%

Function 006B4238, Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 006A9EDF: GetLastError.KERNEL32(?,?,00694D4A,00787350,00000010), ref: 006A9EE3
Part of subcall function 006A9EDF: _free.LIBCMT ref: 006A9F16
Part of subcall function 006A9EDF: SetLastError.KERNEL32(00000000), ref: 006A9F57
Part of subcall function 006A9EDF: _abort.LIBCMT ref: 006A9F5D

EnumSystemLocalesW.KERNEL32(006B418F,00000001,?,?,?,006B49FA,gj,?,?,?,?,?,006A67E1,?,?,?), ref: 006B426F

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: d79cceaddea3650cb212f7887d45d7ce42db4c1b0a41ba0b70deaf60f1c5be44
Instruction ID: a18c80a9de2099ed1876594a4e358e30649c6dfecbc53c22f2d857991daeecbe
Opcode Fuzzy Hash: d79cceaddea3650cb212f7887d45d7ce42db4c1b0a41ba0b70deaf60f1c5be44
Instruction Fuzzy Hash: D6F0E53A70020567DB04EF39DC456BABF96EFC1754B074059FE098B252CA719D82D790

Uniqueness

Uniqueness Score: -1.00%

Function 006AE329, Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc3cc8353ef8f1f5534cb11bbcdfc1ea91611f8f5f96f528f5c2c42ca6c9430
Instruction ID: d6709bee3ebf09830fb42cd458cf18533495af581d7071c8fd351e6c460da2e9
Opcode Fuzzy Hash: efc3cc8353ef8f1f5534cb11bbcdfc1ea91611f8f5f96f528f5c2c42ca6c9430
Instruction Fuzzy Hash: C2322622D29F414DD723A638C822375A289EFB73D4F55D737E81AB5AE5EB2DC8834500

Uniqueness

Uniqueness Score: -1.00%

Function 0068D297, Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 92199de5172b3a5f8dcf52eacf9614f1c2d9b11861722f5666c94265d543df00
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 1AC1B5322051534ADF2D563AC4740BEFBA29EA27B231A476DD4B7CB2C4EE20D565D730

Uniqueness

Uniqueness Score: -1.00%

Function 006B126E, Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 166b73c8d5597a5829625895e3f999a526be9071ca78160c954ba25d2dab37fb
Instruction ID: dc3ed2224ba13425ef41b167af18743155ae36e4e8f581ebf8b021903f9f41c4
Opcode Fuzzy Hash: 166b73c8d5597a5829625895e3f999a526be9071ca78160c954ba25d2dab37fb
Instruction Fuzzy Hash: 8CB12420E2AF404DC3239A399835336B75CAFBB2D5F91D72BFC5A74D62EB2585834240

Uniqueness

Uniqueness Score: -1.00%

Function 00693097, Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be3e1614cdfc3947abe39d5e0442bac034afd8b796972b6abc36f2e3f709b81
Instruction ID: 58e62c9208ce8801216a1b373bd6580a63ac6f293040d4590f6a179f0fa3b793
Opcode Fuzzy Hash: 2be3e1614cdfc3947abe39d5e0442bac034afd8b796972b6abc36f2e3f709b81
Instruction Fuzzy Hash: 3561687120033956DE385A684856BFE739FEB41704F24051EE843DBFA1D612DF42D319

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA72, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c3f7e1f18e3c7d79d3b64c130862757a094c5a6eed26b047f490793c0227657
Instruction ID: a81d5ed95a12d33e288bf159931503bdfebec61ba3c2220e1b971e36f664e6c7
Opcode Fuzzy Hash: 8c3f7e1f18e3c7d79d3b64c130862757a094c5a6eed26b047f490793c0227657
Instruction Fuzzy Hash: 42312477A14285CFC308CF6D5C823A9BF60FBE2200B04866AE845E72C2D2755515C75C

Uniqueness

Uniqueness Score: -1.00%

Function 0068DCD0, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: d06656e20026d60f37c570f50b5db1d9077cfb13f2486579efa34f5771838e14
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 49117DB724004243D614A63DE4B46FBE797EFCA324B3D43BAD1424B7D8D222E9419760

Uniqueness

Uniqueness Score: -1.00%

Function 00526AF6, Relevance: 64.9, APIs: 1, Strings: 36, Instructions: 111COMMON

Download Yara Rule

APIs

__swprintf.LEGACY_STDIO_DEFINITIONS ref: 00526C17

Strings

Input COI is not supported, xrefs: 00526BD6
One of arguments' values is out of range, xrefs: 00526B3F
Input image depth is not supported by function, xrefs: 00526BD0
Insufficient memory, xrefs: 00526C3B
Incorrect size of input array, xrefs: 00526B1B
Bad number of channels, xrefs: 00526BCA
Unsupported format or combination of formats, xrefs: 00526B45
Autotrace call, xrefs: 00526BBE
Image step is wrong, xrefs: 00526BC4
Bad flag (parameter or structure field), xrefs: 00526B4B
Backtrace, xrefs: 00526C29
Unspecified error, xrefs: 00526C2F
Requested object was not found, xrefs: 00526B2D
OpenGL API call, xrefs: 00526B87
Bad argument, xrefs: 00526BDC
Unknown %s code %d, xrefs: 00526C11
Sizes of input arguments do not match, xrefs: 00526B39
The function/feature is not implemented, xrefs: 00526B63
Gpu API call, xrefs: 00526B7B
Bad type of mask argument, xrefs: 00526B57
Inplace operation is not supported, xrefs: 00526B27
Formats of input arguments do not match, xrefs: 00526B33
No GPU support, xrefs: 00526B75
Assertion failed, xrefs: 00526B6F
Memory block has been corrupted, xrefs: 00526B69
Iterations do not converge, xrefs: 00526BB8
Null pointer, xrefs: 00526B8D
No OpenGL support, xrefs: 00526B81
Bad parameter of type CvPoint, xrefs: 00526B51
Parsing error, xrefs: 00526B5D
hZz, xrefs: 00526C08
status, xrefs: 00526C03, 00526C10
Internal error, xrefs: 00526C35
error, xrefs: 00526BFD
No Error, xrefs: 00526C23
Division by zero occured, xrefs: 00526B21

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __swprintf
String ID: Assertion failed$Autotrace call$Backtrace$Bad argument$Bad flag (parameter or structure field)$Bad number of channels$Bad parameter of type CvPoint$Bad type of mask argument$Division by zero occured$Formats of input arguments do not match$Gpu API call$Image step is wrong$Incorrect size of input array$Inplace operation is not supported$Input COI is not supported$Input image depth is not supported by function$Insufficient memory$Internal error$Iterations do not converge$Memory block has been corrupted$No Error$No GPU support$No OpenGL support$Null pointer$One of arguments' values is out of range$OpenGL API call$Parsing error$Requested object was not found$Sizes of input arguments do not match$The function/feature is not implemented$Unknown %s code %d$Unspecified error$Unsupported format or combination of formats$error$hZz$status
API String ID: 1857805200-3617848470
Opcode ID: f3631eacad4194858451593ae7bd8c722872eccafc81514b0dc3c4b03d3a3f41
Instruction ID: 53b4af2ab741bcb213036afcfe5f3fbf30b126f3875418c0a415ac75eb0e4bf0
Opcode Fuzzy Hash: f3631eacad4194858451593ae7bd8c722872eccafc81514b0dc3c4b03d3a3f41
Instruction Fuzzy Hash: DC21C62DA0086587BF2CD23C696453D2480FED63A4FEC47B6F569D3EE3C25D8D412146

Uniqueness

Uniqueness Score: -1.00%

Function 0040946C, Relevance: 29.9, APIs: 7, Strings: 10, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409471
_strlen.LIBCMT ref: 00409499

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 004094E3
_strlen.LIBCMT ref: 0040952A
_strlen.LIBCMT ref: 00409571
_strlen.LIBCMT ref: 004095BB
_strlen.LIBCMT ref: 0040961A

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

C6EF372FE94F82BE, xrefs: 00409515, 00409520, 00409531
B67AE8584CAA73B2, xrefs: 004094CE, 004094D9, 004094EA
(6z, xrefs: 00409541
54FF53A5F1D36F1C, xrefs: 0040955C, 00409567, 00409578
p6z, xrefs: 00409636
X6z, xrefs: 004095D8
B05688C2B3E6C1FD, xrefs: 004095F6, 00409607, 00409621
A09E667F3BCC908B, xrefs: 00409481, 0040948F, 004094A0
10E527FADE682D1D, xrefs: 004095A3, 004095AE, 004095C2
@6z, xrefs: 00409588

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: (6z$10E527FADE682D1D$54FF53A5F1D36F1C$@6z$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE$X6z$p6z
API String ID: 1696903463-1706306428
Opcode ID: 95a60c4083a07c6cc9d6182e440e4d026990cc8caa21d6153466da05e5911a11
Instruction ID: 4d2ba738191a77f09488d5e29782d35add50baeb1bf84f2c720dbd8f47036253
Opcode Fuzzy Hash: 95a60c4083a07c6cc9d6182e440e4d026990cc8caa21d6153466da05e5911a11
Instruction Fuzzy Hash: 60517571C05298AEEF50EBA9D841BEDBBF4AF55310F1040AEE518F7282DA741F44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004025C9, Relevance: 29.9, APIs: 7, Strings: 10, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004025CE
_strlen.LIBCMT ref: 004025F6

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 00402640
_strlen.LIBCMT ref: 00402687
_strlen.LIBCMT ref: 004026CE
_strlen.LIBCMT ref: 00402718
_strlen.LIBCMT ref: 00402777

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

(z, xrefs: 0040260D
C6EF372FE94F82BE, xrefs: 00402672, 0040267D, 0040268E
B67AE8584CAA73B2, xrefs: 0040262B, 00402636, 00402647
54FF53A5F1D36F1C, xrefs: 004026B9, 004026C4, 004026D5
B05688C2B3E6C1FD, xrefs: 00402753, 00402764, 0040277E
A09E667F3BCC908B, xrefs: 004025DE, 004025EC, 004025FD
P(z, xrefs: 0040269E
h(z, xrefs: 004026E5
8(z, xrefs: 00402657
10E527FADE682D1D, xrefs: 00402700, 0040270B, 0040271F

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: (z$10E527FADE682D1D$54FF53A5F1D36F1C$8(z$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE$P(z$h(z
API String ID: 1696903463-591745840
Opcode ID: 3feda909450b4b9ab8d189fe7f5619ffa5ce6370bd3db9a94cd67501869d619e
Instruction ID: a8c62cec194af75547a06af4c4d031433f53898ae6789a29735227d731b8ce65
Opcode Fuzzy Hash: 3feda909450b4b9ab8d189fe7f5619ffa5ce6370bd3db9a94cd67501869d619e
Instruction Fuzzy Hash: A4517571C05298AEEF50EBA9D8417EDBBF4EF55300F1040AEE519F7282DA781E44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040A602, Relevance: 29.9, APIs: 7, Strings: 10, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040A607
_strlen.LIBCMT ref: 0040A62F

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 0040A679
_strlen.LIBCMT ref: 0040A6C0
_strlen.LIBCMT ref: 0040A707
_strlen.LIBCMT ref: 0040A751
_strlen.LIBCMT ref: 0040A7B0

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

h9z, xrefs: 0040A76E
C6EF372FE94F82BE, xrefs: 0040A6AB, 0040A6B6, 0040A6C7
B67AE8584CAA73B2, xrefs: 0040A664, 0040A66F, 0040A680
54FF53A5F1D36F1C, xrefs: 0040A6F2, 0040A6FD, 0040A70E
89z, xrefs: 0040A6D7
B05688C2B3E6C1FD, xrefs: 0040A78C, 0040A79D, 0040A7B7
A09E667F3BCC908B, xrefs: 0040A617, 0040A625, 0040A636
10E527FADE682D1D, xrefs: 0040A739, 0040A744, 0040A758
9z, xrefs: 0040A690
P9z, xrefs: 0040A71E

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 9z$10E527FADE682D1D$54FF53A5F1D36F1C$89z$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE$P9z$h9z
API String ID: 1696903463-2271471946
Opcode ID: 9746221f712d3e1eaa5899f2a646c379e26f4b0f7777e4763b8007b9e7cd3909
Instruction ID: f0ce4762724f2496d363b9ff8ce18a79b1f23062014612d5764ce21e7d78337e
Opcode Fuzzy Hash: 9746221f712d3e1eaa5899f2a646c379e26f4b0f7777e4763b8007b9e7cd3909
Instruction Fuzzy Hash: 73518470C05298AEEF50EBA9D841BEDBBF4AF55304F1040AEE518F7282DA781F44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00408A51, Relevance: 29.9, APIs: 7, Strings: 10, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408A56
_strlen.LIBCMT ref: 00408A7E

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 00408AC8
_strlen.LIBCMT ref: 00408B0F
_strlen.LIBCMT ref: 00408B56
_strlen.LIBCMT ref: 00408BA0
_strlen.LIBCMT ref: 00408BFF

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

p4z, xrefs: 00408B6D
C6EF372FE94F82BE, xrefs: 00408AFA, 00408B05, 00408B16
B67AE8584CAA73B2, xrefs: 00408AB3, 00408ABE, 00408ACF
X4z, xrefs: 00408B26
54FF53A5F1D36F1C, xrefs: 00408B41, 00408B4C, 00408B5D
B05688C2B3E6C1FD, xrefs: 00408BDB, 00408BEC, 00408C06
@4z, xrefs: 00408ADF
A09E667F3BCC908B, xrefs: 00408A66, 00408A74, 00408A85
(4z, xrefs: 00408A95
10E527FADE682D1D, xrefs: 00408B88, 00408B93, 00408BA7

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: (4z$10E527FADE682D1D$54FF53A5F1D36F1C$@4z$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE$X4z$p4z
API String ID: 1696903463-961351470
Opcode ID: 3b828ac162d4d801fe9ca9003b39c8fd378de2a200aac9dc0416fc12b3e4df80
Instruction ID: 82927464066e5d64ad563dfa16edb15fe9c21c111162d48adc6cf5b025f25bcb
Opcode Fuzzy Hash: 3b828ac162d4d801fe9ca9003b39c8fd378de2a200aac9dc0416fc12b3e4df80
Instruction Fuzzy Hash: 40518570C05298AEEF51EBA9D841BEDBBF4AF55300F1040AEE518F7282DA741F44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040BA3A, Relevance: 29.9, APIs: 7, Strings: 10, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040BA3F
_strlen.LIBCMT ref: 0040BA67

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 0040BAB1
_strlen.LIBCMT ref: 0040BAF8
_strlen.LIBCMT ref: 0040BB3F
_strlen.LIBCMT ref: 0040BB89
_strlen.LIBCMT ref: 0040BBE8

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

C6EF372FE94F82BE, xrefs: 0040BAE3, 0040BAEE, 0040BAFF
B67AE8584CAA73B2, xrefs: 0040BA9C, 0040BAA7, 0040BAB8
54FF53A5F1D36F1C, xrefs: 0040BB2A, 0040BB35, 0040BB46
B05688C2B3E6C1FD, xrefs: 0040BBC4, 0040BBD5, 0040BBEF
A09E667F3BCC908B, xrefs: 0040BA4F, 0040BA5D, 0040BA6E
p=z, xrefs: 0040BC04
X=z, xrefs: 0040BBA6
@=z, xrefs: 0040BB56
(=z, xrefs: 0040BB0F
10E527FADE682D1D, xrefs: 0040BB71, 0040BB7C, 0040BB90

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: (=z$10E527FADE682D1D$54FF53A5F1D36F1C$@=z$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE$X=z$p=z
API String ID: 1696903463-3215198734
Opcode ID: ece90caf9d2156672c675aeb9fe84a7ee171d553391dffd18224cc01dd581836
Instruction ID: 3e08494f35b8cde1c610577c4d327f5c83fe12eb6bdad06052aed652266d80c4
Opcode Fuzzy Hash: ece90caf9d2156672c675aeb9fe84a7ee171d553391dffd18224cc01dd581836
Instruction Fuzzy Hash: 94517371C05298EEEB50EBA9D841BEDBBF4AF55300F2040AEE519F7282DA741F44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00403A3E, Relevance: 29.9, APIs: 7, Strings: 10, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00403A43
_strlen.LIBCMT ref: 00403A6B

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 00403AB5
_strlen.LIBCMT ref: 00403AFC
_strlen.LIBCMT ref: 00403B43
_strlen.LIBCMT ref: 00403B8D
_strlen.LIBCMT ref: 00403BEC

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

C6EF372FE94F82BE, xrefs: 00403AE7, 00403AF2, 00403B03
B67AE8584CAA73B2, xrefs: 00403AA0, 00403AAB, 00403ABC
54FF53A5F1D36F1C, xrefs: 00403B2E, 00403B39, 00403B4A
(-z, xrefs: 00403B5A
B05688C2B3E6C1FD, xrefs: 00403BC8, 00403BD9, 00403BF3
A09E667F3BCC908B, xrefs: 00403A53, 00403A61, 00403A72
X-z, xrefs: 00403C08
,z, xrefs: 00403A82
@-z, xrefs: 00403BAA
10E527FADE682D1D, xrefs: 00403B75, 00403B80, 00403B94

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: (-z$10E527FADE682D1D$54FF53A5F1D36F1C$@-z$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE$X-z$,z
API String ID: 1696903463-3266490203
Opcode ID: cc2957080fea7f1e5fb55394890987b2b87fed19a7eed7031bf9f53bf35e530d
Instruction ID: 6faacacecdca159b47fe45b6687c44c1110e8f8eb63eb4d1c5e500ac5924087c
Opcode Fuzzy Hash: cc2957080fea7f1e5fb55394890987b2b87fed19a7eed7031bf9f53bf35e530d
Instruction Fuzzy Hash: B1518571C05298AEEF50EBA9D841BEDBBF4AF55310F1040AEE518F7282DA741E44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00404CC0, Relevance: 29.9, APIs: 7, Strings: 10, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00404CC5
_strlen.LIBCMT ref: 00404CED

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 00404D37
_strlen.LIBCMT ref: 00404D7E
_strlen.LIBCMT ref: 00404DC5
_strlen.LIBCMT ref: 00404E0F
_strlen.LIBCMT ref: 00404E6E

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

C6EF372FE94F82BE, xrefs: 00404D69, 00404D74, 00404D85
B67AE8584CAA73B2, xrefs: 00404D22, 00404D2D, 00404D3E
0z, xrefs: 00404D04
01z, xrefs: 00404DDC
H1z, xrefs: 00404E2C
54FF53A5F1D36F1C, xrefs: 00404DB0, 00404DBB, 00404DCC
B05688C2B3E6C1FD, xrefs: 00404E4A, 00404E5B, 00404E75
A09E667F3BCC908B, xrefs: 00404CD5, 00404CE3, 00404CF4
`1z, xrefs: 00404E8A
10E527FADE682D1D, xrefs: 00404DF7, 00404E02, 00404E16

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 01z$10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE$H1z$`1z$0z
API String ID: 1696903463-1650584012
Opcode ID: 290cafacbd53c204e441b0478ff1d337334aae9510839c9fb5161cf68c7f52d0
Instruction ID: eaae416ebb35603555c3f789ceabeecb30c4b6f400c3e9e5542155036aaf6c01
Opcode Fuzzy Hash: 290cafacbd53c204e441b0478ff1d337334aae9510839c9fb5161cf68c7f52d0
Instruction Fuzzy Hash: 83518570C05298AEEB50EBA9D8417EDBBF4AF55300F1040AEE515F7282DA741F44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00402F3C, Relevance: 29.9, APIs: 7, Strings: 10, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402F41
_strlen.LIBCMT ref: 00402F69

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 00402FB3
_strlen.LIBCMT ref: 00402FFA
_strlen.LIBCMT ref: 00403041
_strlen.LIBCMT ref: 0040308B
_strlen.LIBCMT ref: 004030EA

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

C6EF372FE94F82BE, xrefs: 00402FE5, 00402FF0, 00403001
B67AE8584CAA73B2, xrefs: 00402F9E, 00402FA9, 00402FBA
`*z, xrefs: 00403058
54FF53A5F1D36F1C, xrefs: 0040302C, 00403037, 00403048
B05688C2B3E6C1FD, xrefs: 004030C6, 004030D7, 004030F1
x*z, xrefs: 004030A8
0*z, xrefs: 00402FCA
A09E667F3BCC908B, xrefs: 00402F51, 00402F5F, 00402F70
10E527FADE682D1D, xrefs: 00403073, 0040307E, 00403092
H*z, xrefs: 00403011

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 0*z$10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE$H*z$`*z$x*z
API String ID: 1696903463-2813043560
Opcode ID: 3d29f2705bfb22b2fd2482d8278430ab10a569d027284c0e9e6f5c58689800ad
Instruction ID: 4fba442bb1a59a595b84180c4880f6809e2015f66193d20c28dad2148c4affbd
Opcode Fuzzy Hash: 3d29f2705bfb22b2fd2482d8278430ab10a569d027284c0e9e6f5c58689800ad
Instruction Fuzzy Hash: 04518570C05298AEEF50EBA9D8417EDBBF4AF55310F1080AEE519F7282DB741E44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040CE3A, Relevance: 28.2, APIs: 7, Strings: 9, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040CE3F
_strlen.LIBCMT ref: 0040CE67

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 0040CEB1
_strlen.LIBCMT ref: 0040CEF8
_strlen.LIBCMT ref: 0040CF3F
_strlen.LIBCMT ref: 0040CF89
_strlen.LIBCMT ref: 0040CFE8

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

C6EF372FE94F82BE, xrefs: 0040CEE3, 0040CEEE, 0040CEFF
B67AE8584CAA73B2, xrefs: 0040CE9C, 0040CEA7, 0040CEB8
p@z, xrefs: 0040CF0F
X@z, xrefs: 0040CEC8
54FF53A5F1D36F1C, xrefs: 0040CF2A, 0040CF35, 0040CF46
B05688C2B3E6C1FD, xrefs: 0040CFC4, 0040CFD5, 0040CFEF
A09E667F3BCC908B, xrefs: 0040CE4F, 0040CE5D, 0040CE6E
@@z, xrefs: 0040CE7E
10E527FADE682D1D, xrefs: 0040CF71, 0040CF7C, 0040CF90

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$@@z$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE$X@z$p@z
API String ID: 1696903463-3942732538
Opcode ID: 0c8ac397413d8da9525258a0ed7f8eaa3fc334b03395a30a92dad4bb7cf9fb5b
Instruction ID: 541d9324fba16dbb128df455bd45aacc064f521391c7b7f941088558b1f4484e
Opcode Fuzzy Hash: 0c8ac397413d8da9525258a0ed7f8eaa3fc334b03395a30a92dad4bb7cf9fb5b
Instruction Fuzzy Hash: 3E519571C05298AEEF50EBA9D841BEDBBF4AF95300F1040AEE518F7282DB741E44DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00408186, Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040818B
_strlen.LIBCMT ref: 004081B3

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 004081FD
_strlen.LIBCMT ref: 00408244
_strlen.LIBCMT ref: 0040828B
_strlen.LIBCMT ref: 004082D5
_strlen.LIBCMT ref: 00408334

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

C6EF372FE94F82BE, xrefs: 0040822F, 0040823A, 0040824B
B67AE8584CAA73B2, xrefs: 004081E8, 004081F3, 00408204
2z, xrefs: 00408350
p2z, xrefs: 004081CA
54FF53A5F1D36F1C, xrefs: 00408276, 00408281, 00408292
B05688C2B3E6C1FD, xrefs: 00408310, 00408321, 0040833B
A09E667F3BCC908B, xrefs: 0040819B, 004081A9, 004081BA
10E527FADE682D1D, xrefs: 004082BD, 004082C8, 004082DC

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE$p2z$2z
API String ID: 1696903463-3877225866
Opcode ID: 995eb74369adb7bbf03cc4ed1e01772886de029ce3036e54ea3235f385977d09
Instruction ID: 15fbb3c951a0cf78df6a900232873ff12f33c2b58c4e3dc235cfb68bbab15b2e
Opcode Fuzzy Hash: 995eb74369adb7bbf03cc4ed1e01772886de029ce3036e54ea3235f385977d09
Instruction Fuzzy Hash: 56518371C05298EEEB50EBA9D841BEDBBF4AF55300F2041AEE518F7282DA741F44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004043CE, Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004043D3
_strlen.LIBCMT ref: 004043FB

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 00404445
_strlen.LIBCMT ref: 0040448C
_strlen.LIBCMT ref: 004044D3
_strlen.LIBCMT ref: 0040451D
_strlen.LIBCMT ref: 0040457C

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

C6EF372FE94F82BE, xrefs: 00404477, 00404482, 00404493
B67AE8584CAA73B2, xrefs: 00404430, 0040443B, 0040444C
`/z, xrefs: 00404412
54FF53A5F1D36F1C, xrefs: 004044BE, 004044C9, 004044DA
B05688C2B3E6C1FD, xrefs: 00404558, 00404569, 00404583
x/z, xrefs: 0040445C
A09E667F3BCC908B, xrefs: 004043E3, 004043F1, 00404402
10E527FADE682D1D, xrefs: 00404505, 00404510, 00404524

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE$`/z$x/z
API String ID: 1696903463-141989387
Opcode ID: a76f732e67a0fa0e75b19c7f622461b09b07d39da60e4ef5b578fc29960b9fa8
Instruction ID: 4e1a102844bff2765a4901dda53e7d72d31fbbcdeb7d9b590e8ec79db0352fad
Opcode Fuzzy Hash: a76f732e67a0fa0e75b19c7f622461b09b07d39da60e4ef5b578fc29960b9fa8
Instruction Fuzzy Hash: 2C517571C05298AEEF50EBA9D841BEDBBF4AF55300F2040AEE518F7282DA741E44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040B4BA, Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040B4BF
_strlen.LIBCMT ref: 0040B4E7

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 0040B531
_strlen.LIBCMT ref: 0040B578
_strlen.LIBCMT ref: 0040B5BF
_strlen.LIBCMT ref: 0040B609
_strlen.LIBCMT ref: 0040B668

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

C6EF372FE94F82BE, xrefs: 0040B563, 0040B56E, 0040B57F
B67AE8584CAA73B2, xrefs: 0040B51C, 0040B527, 0040B538
;z, xrefs: 0040B58F
54FF53A5F1D36F1C, xrefs: 0040B5AA, 0040B5B5, 0040B5C6
(<z, xrefs: 0040B684
B05688C2B3E6C1FD, xrefs: 0040B644, 0040B655, 0040B66F
A09E667F3BCC908B, xrefs: 0040B4CF, 0040B4DD, 0040B4EE
10E527FADE682D1D, xrefs: 0040B5F1, 0040B5FC, 0040B610

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: (<z$10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE$;z
API String ID: 1696903463-3392207317
Opcode ID: da92171128c37d69877074191c8fac31340c3036f7f8d6c1cc3f16fd6f649cee
Instruction ID: 0b10c994a98373b41a76bcbfd873894fa1b253c0060d470191d0c7fac13e59e7
Opcode Fuzzy Hash: da92171128c37d69877074191c8fac31340c3036f7f8d6c1cc3f16fd6f649cee
Instruction Fuzzy Hash: DD518571C05298AEEF50EBA9D841BEDBBF4AF55310F1040AEE518F7282DA781F44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040C56F, Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040C574
_strlen.LIBCMT ref: 0040C59C

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 0040C5E6
_strlen.LIBCMT ref: 0040C62D
_strlen.LIBCMT ref: 0040C674
_strlen.LIBCMT ref: 0040C6BE
_strlen.LIBCMT ref: 0040C71D

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

C6EF372FE94F82BE, xrefs: 0040C618, 0040C623, 0040C634
B67AE8584CAA73B2, xrefs: 0040C5D1, 0040C5DC, 0040C5ED
54FF53A5F1D36F1C, xrefs: 0040C65F, 0040C66A, 0040C67B
B05688C2B3E6C1FD, xrefs: 0040C6F9, 0040C70A, 0040C724
A09E667F3BCC908B, xrefs: 0040C584, 0040C592, 0040C5A3
10E527FADE682D1D, xrefs: 0040C6A6, 0040C6B1, 0040C6C5
(?z, xrefs: 0040C739
>z, xrefs: 0040C644

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: (?z$10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE$>z
API String ID: 1696903463-3049155343
Opcode ID: 6c026317bebbf7b7c405ab0befe261287171c72385a719fb5cd12f882a5119bc
Instruction ID: 820a24787a4c911dc0989f6c5ac4e6f79867204f4eee875757e2da9dc1641ecf
Opcode Fuzzy Hash: 6c026317bebbf7b7c405ab0befe261287171c72385a719fb5cd12f882a5119bc
Instruction Fuzzy Hash: A0517371C05298AEEB50EBA9D841BEDBBF4AF55300F1040AEE519F7282DA741F44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00401CFE, Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401D03
_strlen.LIBCMT ref: 00401D2B

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 00401D75
_strlen.LIBCMT ref: 00401DBC
_strlen.LIBCMT ref: 00401E03
_strlen.LIBCMT ref: 00401E4D
_strlen.LIBCMT ref: 00401EAC

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

C6EF372FE94F82BE, xrefs: 00401DA7, 00401DB2, 00401DC3
B67AE8584CAA73B2, xrefs: 00401D60, 00401D6B, 00401D7C
54FF53A5F1D36F1C, xrefs: 00401DEE, 00401DF9, 00401E0A
B05688C2B3E6C1FD, xrefs: 00401E88, 00401E99, 00401EB3
A09E667F3BCC908B, xrefs: 00401D13, 00401D21, 00401D32
10E527FADE682D1D, xrefs: 00401E35, 00401E40, 00401E54
&z, xrefs: 00401E1A

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE$&z
API String ID: 1696903463-156134297
Opcode ID: 3bedb631c0a4b06801061e8491d7fa453f15b9102ed5a69f4b59a813cae07cd0
Instruction ID: 388b3798e02ed03193ac068aceda45cce49af5378e7c8aeec3d21fccb1fb2aa5
Opcode Fuzzy Hash: 3bedb631c0a4b06801061e8491d7fa453f15b9102ed5a69f4b59a813cae07cd0
Instruction Fuzzy Hash: AB518471C05298EEEF50EBA9D841BEDBBF4AF55300F2040AEE519F7282DA741E44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00409D37, Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409D3C
_strlen.LIBCMT ref: 00409D64

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 00409DAE
_strlen.LIBCMT ref: 00409DF5
_strlen.LIBCMT ref: 00409E3C
_strlen.LIBCMT ref: 00409E86
_strlen.LIBCMT ref: 00409EE5

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

C6EF372FE94F82BE, xrefs: 00409DE0, 00409DEB, 00409DFC
B67AE8584CAA73B2, xrefs: 00409D99, 00409DA4, 00409DB5
7z, xrefs: 00409EA3
54FF53A5F1D36F1C, xrefs: 00409E27, 00409E32, 00409E43
B05688C2B3E6C1FD, xrefs: 00409EC1, 00409ED2, 00409EEC
A09E667F3BCC908B, xrefs: 00409D4C, 00409D5A, 00409D6B
10E527FADE682D1D, xrefs: 00409E6E, 00409E79, 00409E8D

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE$7z
API String ID: 1696903463-1519863945
Opcode ID: 84e130cd6483e89973cbae7b342aa4a4504ab2b7b1d03f7abe03f646f7a68cd9
Instruction ID: 35ebbac7bb1781522342f4c7d3fa7f4cef39866379cb8abfbf86703b1897f498
Opcode Fuzzy Hash: 84e130cd6483e89973cbae7b342aa4a4504ab2b7b1d03f7abe03f646f7a68cd9
Instruction Fuzzy Hash: 46519370C01298AEEF50EBA9D841BEDBBF4AF55300F2040AEE519F7282DA741F44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00401346, Relevance: 24.6, APIs: 5, Strings: 9, Instructions: 134COMMON

Download Yara Rule

APIs

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 0040136F
_strlen.LIBCMT ref: 004013B6
_strlen.LIBCMT ref: 004013FD
_strlen.LIBCMT ref: 00401447
_strlen.LIBCMT ref: 004014A6

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

B67AE8584CAA73B2, xrefs: 0040135A, 00401365, 00401376
C6EF372FE94F82BE, xrefs: 004013A1, 004013AC, 004013BD
p%z, xrefs: 00401464
@%z, xrefs: 004013CD
X%z, xrefs: 00401414
54FF53A5F1D36F1C, xrefs: 004013E8, 004013F3, 00401404
(%z, xrefs: 00401386
B05688C2B3E6C1FD, xrefs: 00401482, 00401493, 004014AD
10E527FADE682D1D, xrefs: 0040142F, 0040143A, 0040144E

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _strlen$Deallocate__onexitstd::_
String ID: (%z$10E527FADE682D1D$54FF53A5F1D36F1C$@%z$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE$X%z$p%z
API String ID: 2266438879-1159415767
Opcode ID: 03f33ff7b304adb48864389e25ab5661045592062fd0ec4a3c77c5ddd9337a85
Instruction ID: e3f6e4ed26c1171030c5f62641186f8f80774c7b3595355818da57d0c299be82
Opcode Fuzzy Hash: 03f33ff7b304adb48864389e25ab5661045592062fd0ec4a3c77c5ddd9337a85
Instruction Fuzzy Hash: 77518870C05298DEDF54DBA9D8417EDBBF4AF55300F2080AEE519F7282DA781E44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 006B35AE, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 006B35F2

Part of subcall function 006B294C: _free.LIBCMT ref: 006B2969
Part of subcall function 006B294C: _free.LIBCMT ref: 006B297B
Part of subcall function 006B294C: _free.LIBCMT ref: 006B298D
Part of subcall function 006B294C: _free.LIBCMT ref: 006B299F
Part of subcall function 006B294C: _free.LIBCMT ref: 006B29B1
Part of subcall function 006B294C: _free.LIBCMT ref: 006B29C3
Part of subcall function 006B294C: _free.LIBCMT ref: 006B29D5
Part of subcall function 006B294C: _free.LIBCMT ref: 006B29E7
Part of subcall function 006B294C: _free.LIBCMT ref: 006B29F9
Part of subcall function 006B294C: _free.LIBCMT ref: 006B2A0B
Part of subcall function 006B294C: _free.LIBCMT ref: 006B2A1D
Part of subcall function 006B294C: _free.LIBCMT ref: 006B2A2F
Part of subcall function 006B294C: _free.LIBCMT ref: 006B2A41

_free.LIBCMT ref: 006B35E7

Part of subcall function 006A071F: RtlFreeHeap.NTDLL(00000000,00000000,?,006B30B9,?,00000000,?,00000000,?,006B335D,?,00000007,?,?,006B3746,?), ref: 006A0735
Part of subcall function 006A071F: GetLastError.KERNEL32(?,?,006B30B9,?,00000000,?,00000000,?,006B335D,?,00000007,?,?,006B3746,?,?), ref: 006A0747

_free.LIBCMT ref: 006B3609
_free.LIBCMT ref: 006B361E
_free.LIBCMT ref: 006B3629
_free.LIBCMT ref: 006B364B
_free.LIBCMT ref: 006B365E
_free.LIBCMT ref: 006B366C
_free.LIBCMT ref: 006B3677
_free.LIBCMT ref: 006B36AF
_free.LIBCMT ref: 006B36B6
_free.LIBCMT ref: 006B36D3
_free.LIBCMT ref: 006B36EB

Strings

@x, xrefs: 006B369A

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: @x
API String ID: 161543041-3514461932
Opcode ID: 22e0ebc2dc0bc577573503d58250b994c71ce553ff67965e23d9e30414200400
Instruction ID: 30f4044870023e86c0627b08cd35f893ab27d886ae8d4ed0a4237555938979c7
Opcode Fuzzy Hash: 22e0ebc2dc0bc577573503d58250b994c71ce553ff67965e23d9e30414200400
Instruction Fuzzy Hash: CD314CB1600615AFEB60AA39D855BD673EAAF01310F20442DE559DB3A1EF30EE948F24

Uniqueness

Uniqueness Score: -1.00%

Function 0040AECD, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040AED2
_strlen.LIBCMT ref: 0040AEFA

Part of subcall function 00411BC8: std::_Deallocate.LIBCONCRT ref: 00411BF8

_strlen.LIBCMT ref: 0040AF44
_strlen.LIBCMT ref: 0040AF8B
_strlen.LIBCMT ref: 0040AFD2
_strlen.LIBCMT ref: 0040B01C
_strlen.LIBCMT ref: 0040B07B

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

B67AE8584CAA73B2, xrefs: 0040AF2F, 0040AF3A, 0040AF4B
C6EF372FE94F82BE, xrefs: 0040AF76, 0040AF81, 0040AF92
54FF53A5F1D36F1C, xrefs: 0040AFBD, 0040AFC8, 0040AFD9
B05688C2B3E6C1FD, xrefs: 0040B057, 0040B068, 0040B082
A09E667F3BCC908B, xrefs: 0040AEE2, 0040AEF0, 0040AF01
10E527FADE682D1D, xrefs: 0040B004, 0040B00F, 0040B023

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _strlen$DeallocateH_prolog__onexitstd::_
String ID: 10E527FADE682D1D$54FF53A5F1D36F1C$A09E667F3BCC908B$B05688C2B3E6C1FD$B67AE8584CAA73B2$C6EF372FE94F82BE
API String ID: 1696903463-4081904993
Opcode ID: fa22a63bf2ee99deaecce6ae1364edf1627cc3f1699dc499476059d2733b4512
Instruction ID: cedfa38532cc3c87211090a3ce261768bfbfd649fecbc882319574a78002f880
Opcode Fuzzy Hash: fa22a63bf2ee99deaecce6ae1364edf1627cc3f1699dc499476059d2733b4512
Instruction Fuzzy Hash: 93517671C05298AEEB50EBA5D8417EDBBF4AF55300F1080AEE519F7282DA741F44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00574E11, Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 208COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00574E16
new.LIBCMT ref: 00574E5C

Part of subcall function 00575AFF: __EH_prolog.LIBCMT ref: 00575B04
Part of subcall function 00575AFF: _strlen.LIBCMT ref: 00575B3B

new.LIBCMT ref: 00574EA6
new.LIBCMT ref: 00574EFA
new.LIBCMT ref: 00574F44
new.LIBCMT ref: 00574F93
new.LIBCMT ref: 00574FDD

Part of subcall function 00689E2F: Concurrency::cancel_current_task.LIBCPMT ref: 00689E47

Part of subcall function 005788C9: __EH_prolog.LIBCMT ref: 005788CE
Part of subcall function 005788C9: _strlen.LIBCMT ref: 005788F0

new.LIBCMT ref: 00575029

Strings

8Fz, xrefs: 00574E22
8Fz, xrefs: 00575077
DFz, xrefs: 00574EDD

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$_strlen$Concurrency::cancel_current_task
String ID: 8Fz$8Fz$DFz
API String ID: 194979272-3454328395
Opcode ID: d348dd2e255e7a04975d9478a94b6ef38bd829f02040cb2e86af2ca7f9850373
Instruction ID: ec79fdd97f30282d325d4aa532c5880f809d8fb84260d4748b0d03db5f89a7f5
Opcode Fuzzy Hash: d348dd2e255e7a04975d9478a94b6ef38bd829f02040cb2e86af2ca7f9850373
Instruction Fuzzy Hash: 84816270D0578ADECF01EFB895556EEBFB4BF55300F14846EE104AB281DBB48A04EB65

Uniqueness

Uniqueness Score: -1.00%

Function 004149A2, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 131COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004149A7
VerSetConditionMask.NTDLL(00000000,00000000,00000002,00000003), ref: 00414A2A
VerifyVersionInfoW.KERNEL32(?,00000002,00000000), ref: 00414A3B
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,?,00000000,00000000), ref: 00414A91
GetLastError.KERNEL32(?,?,00000000,00000000), ref: 00414A9E

Part of subcall function 0041037A: __EH_prolog.LIBCMT ref: 0041037F

new.LIBCMT ref: 00414ADD
new.LIBCMT ref: 00414AF6

Strings

IKA, xrefs: 004149E1
iocp, xrefs: 00414AB9
yFA, xrefs: 004149BE

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$CompletionConditionCreateErrorInfoLastMaskPortVerifyVersion
String ID: IKA$iocp$yFA
API String ID: 1196141489-2608038400
Opcode ID: 4986c1491a2db2f7b8d9f1aa5ba03b7600fcac1162b12af0b918ebf57e0b935a
Instruction ID: 1be28db19f12501b6fb4aff77f28c7ab733547099b558ec7f059dc77d5376b3d
Opcode Fuzzy Hash: 4986c1491a2db2f7b8d9f1aa5ba03b7600fcac1162b12af0b918ebf57e0b935a
Instruction Fuzzy Hash: EA51BCB1804384DFDB14CF69C88579EBFF4AF55310F1081AEE8489B392C3B88A44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00415033, Relevance: 15.2, APIs: 10, Instructions: 236COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00415038
RtlEnterCriticalSection.NTDLL(?), ref: 00415061
RtlLeaveCriticalSection.NTDLL(?), ref: 004150C3
SetLastError.KERNEL32(00000000,73B765A0,?,00000000), ref: 004150D5
GetQueuedCompletionStatus.KERNEL32(?,?,?,?,?,?,00000000), ref: 004150ED
GetLastError.KERNEL32(?,00000000), ref: 004150F6
__ExceptionPtrCopy.LIBCPMT ref: 004151B2
__ExceptionPtrCopy.LIBCPMT ref: 004151C3
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 00415241
GetLastError.KERNEL32(?,00000000), ref: 0041524B

Part of subcall function 00414F2A: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000), ref: 00414F51
Part of subcall function 00414F2A: GetLastError.KERNEL32 ref: 00414F5B

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$CompletionQueuedStatus$CopyCriticalExceptionPostSection$EnterH_prologLeave
String ID:
API String ID: 4011970719-0
Opcode ID: 55e090ddf1c9b92d45048a01d25a9e272ec8599fe88ab40c7b02e9ae99173a20
Instruction ID: 34897399caa75640775a5bbacf9fec6c5dd6c2ccf09fc9a0a4bf3d95f6a717ac
Opcode Fuzzy Hash: 55e090ddf1c9b92d45048a01d25a9e272ec8599fe88ab40c7b02e9ae99173a20
Instruction Fuzzy Hash: 59917971D00619DFCF15DFA4C840AEEBBB5FF88310B14846AE816EB241D7789A46CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0054D4B0, Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 183COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0054D4B5
_strlen.LIBCMT ref: 0054D572

Part of subcall function 00526747: __EH_prolog.LIBCMT ref: 0052674C

Strings

(, xrefs: 0054D4CD
cvRegisterType, xrefs: 0054D529, 0054D600, 0054D67A, 0054D6D4
Some of required function pointers (is_instance, release, read or write) are NULL, xrefs: 0054D68B
Type name should contain only letters, digits, - and _, xrefs: 0054D611
Invalid type info, xrefs: 0054D6E5
Type name should start with a letter or _, xrefs: 0054D53A

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$_strlen
String ID: ($Invalid type info$Some of required function pointers (is_instance, release, read or write) are NULL$Type name should contain only letters, digits, - and _$Type name should start with a letter or _$cvRegisterType
API String ID: 1490583215-3333454738
Opcode ID: 04df3a7afce0991216eb495b987f1af19d2ece20d4bb6b7dc744d4d72a3e485a
Instruction ID: 95645daa29c1e11541bb8f57286c8cbbb84a8f79c9b96ede5d7eeefff689ba99
Opcode Fuzzy Hash: 04df3a7afce0991216eb495b987f1af19d2ece20d4bb6b7dc744d4d72a3e485a
Instruction Fuzzy Hash: 62610371D01348EECB10EF94D981BEEBFB4BF54308F64415AE205A7182EB785B4ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 004161F3, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004161F8
GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 0041622E
GetProcAddress.KERNEL32(00000000), ref: 00416235
GetLastError.KERNEL32 ref: 0041624A
RtlEnterCriticalSection.NTDLL(00000018), ref: 004162C7
RtlLeaveCriticalSection.NTDLL(00000018), ref: 004162F5

Strings

CancelIoEx, xrefs: 00416224
KERNEL32, xrefs: 00416229

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CriticalSection$AddressEnterErrorH_prologHandleLastLeaveModuleProc
String ID: CancelIoEx$KERNEL32
API String ID: 3905279128-434325024
Opcode ID: 369d6c3a43dcee6edc7e1e7c4f54f33cb79032d60b7f67d996bbbdc7e2ba924e
Instruction ID: a7006d18d8acdee5e0b967cd4137457068317b79715a05f2329568f27a806d5a
Opcode Fuzzy Hash: 369d6c3a43dcee6edc7e1e7c4f54f33cb79032d60b7f67d996bbbdc7e2ba924e
Instruction Fuzzy Hash: 9D31C271A002499FDF11EFA4C8816EEB7B5FF48324F15406EE855A7241CBB899428BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004226AE, Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 52COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004226B3
__CxxThrowException@8.LIBVCRUNTIME ref: 004226D9

Strings

ios_base::badbit set, xrefs: 004226E8
%(B, xrefs: 004226FC
ios_base::eofbit set, xrefs: 0042273A
ios_base::failbit set, xrefs: 0042271C
-J, xrefs: 00422742, 00422724, 004226F0
-J, xrefs: 00422707

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Exception@8H_prologThrow
String ID: %(B$-J$-J$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3222999186-1624389419
Opcode ID: 321b7316f0767ef0116021abc2423ed97814d3a0d76f17a2fbc1baf0e6f94302
Instruction ID: aa09175c34796eb147eb1c34b455be395ae94e8227792fea42777a0b9671923f
Opcode Fuzzy Hash: 321b7316f0767ef0116021abc2423ed97814d3a0d76f17a2fbc1baf0e6f94302
Instruction Fuzzy Hash: 0311CEB1A40218BBDF00EB94DA56BEE7774AB40704F80415EE901BA1E2DBFD0940DB29

Uniqueness

Uniqueness Score: -1.00%

Function 00414512, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414517
std::exception::exception.LIBCONCRT ref: 00414537

Part of subcall function 0040F2EC: ___std_exception_copy.LIBVCRUNTIME ref: 0040F313

Part of subcall function 0041CAA1: __EH_prolog.LIBCMT ref: 0041CAA6
Part of subcall function 0041CAA1: __CxxThrowException@8.LIBVCRUNTIME ref: 0041CAF4

RtlEnterCriticalSection.NTDLL ref: 00414568
RtlLeaveCriticalSection.NTDLL ref: 004145B0
std::exception::exception.LIBCONCRT ref: 004145D1

Strings

Service already exists., xrefs: 004145C9
Invalid service owner., xrefs: 0041452F

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CriticalH_prologSectionstd::exception::exception$EnterException@8LeaveThrow___std_exception_copy
String ID: Invalid service owner.$Service already exists.
API String ID: 479834926-4115445021
Opcode ID: c426ae453c5316bb45af9c006bb095a1d0b55481944eb36e95d83558caf1e521
Instruction ID: 5e1c88f37677eba64b8ed75703ef542653ff074ccc6753e62f2279e524c2587a
Opcode Fuzzy Hash: c426ae453c5316bb45af9c006bb095a1d0b55481944eb36e95d83558caf1e521
Instruction Fuzzy Hash: 81219E70801208EFDB10DF94C5856DEBBF1FF14318F2085ADE445AB282C775AE49CB94

Uniqueness

Uniqueness Score: -1.00%

Function 006A8527, Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,?,?,?,?,?,?,?,?,006A8C9C,00000003,?,00000000,?,00000003,0000000C), ref: 006A8569
__fassign.LIBCMT ref: 006A85E4
__fassign.LIBCMT ref: 006A85FF
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00000000,00000005,00000000,00000000), ref: 006A8625
WriteFile.KERNEL32(?,00000000,00000000,006A8C9C,00000000,?,?,?,?,?,?,?,?,?,006A8C9C,00000003), ref: 006A8644
WriteFile.KERNEL32(?,00000003,00000001,006A8C9C,00000000,?,?,?,?,?,?,?,?,?,006A8C9C,00000003), ref: 006A867D

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: a4fb15a280a3df87c7f1162d6d12aa4791068cc59d807f6e0048688618483a99
Instruction ID: 4af2083b363394f3ca84eaff485e078f5c9dece442a29705e769d0c756245d66
Opcode Fuzzy Hash: a4fb15a280a3df87c7f1162d6d12aa4791068cc59d807f6e0048688618483a99
Instruction Fuzzy Hash: 1051B4B09002499FDF10DFA8D885AEEBBFAEF0A300F14415AE955E7291DB70AD41CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0041CCAF, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 89COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041CCB4

Part of subcall function 004103BF: __EH_prolog.LIBCMT ref: 004103C4

__CxxThrowException@8.LIBVCRUNTIME ref: 0041CD02

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 0041CD0D
__CxxThrowException@8.LIBVCRUNTIME ref: 0041CD5B
__EH_prolog.LIBCMT ref: 0041CD66

Part of subcall function 0040F475: _strlen.LIBCMT ref: 0040F485

Strings

3A, xrefs: 0041CD39

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$Exception@8Throw$ExceptionRaise_strlen
String ID: 3A
API String ID: 758559670-806190331
Opcode ID: 42fd87ea4819fe2b05e15145a030c26ff6d14b0b13b4373018a6c0d805e2198b
Instruction ID: cec53c1234c2a68bedd9df6ae565de06b4952f5a9b79dd2467cc18505cd15cb9
Opcode Fuzzy Hash: 42fd87ea4819fe2b05e15145a030c26ff6d14b0b13b4373018a6c0d805e2198b
Instruction Fuzzy Hash: 78316DB1D04208AFDF04EFA9DC4AADDBBB5FF14314F10426EE451A7292D7B84A48CB65

Uniqueness

Uniqueness Score: -1.00%

Function 006AD14B, Relevance: 10.6, APIs: 7, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b900bbcb01477f4e141551503b896da17f5ea667a10895f775943265d655cca
Instruction ID: babc3e73ec232d7096968ca4467dc329eabdec266ccb64ca4dba459d984b8e4d
Opcode Fuzzy Hash: 2b900bbcb01477f4e141551503b896da17f5ea667a10895f775943265d655cca
Instruction Fuzzy Hash: 7711B172604259BFEB207F759C45E6B3AAFEF86770B100619F926C7680DA71CD41CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 006B3344, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 006B308B: _free.LIBCMT ref: 006B30B4

_free.LIBCMT ref: 006B3392

Part of subcall function 006A071F: RtlFreeHeap.NTDLL(00000000,00000000,?,006B30B9,?,00000000,?,00000000,?,006B335D,?,00000007,?,?,006B3746,?), ref: 006A0735
Part of subcall function 006A071F: GetLastError.KERNEL32(?,?,006B30B9,?,00000000,?,00000000,?,006B335D,?,00000007,?,?,006B3746,?,?), ref: 006A0747

_free.LIBCMT ref: 006B339D
_free.LIBCMT ref: 006B33A8
_free.LIBCMT ref: 006B33FC
_free.LIBCMT ref: 006B3407
_free.LIBCMT ref: 006B3412
_free.LIBCMT ref: 006B341D

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ac6e9f41725dbc442b8bf6185ea0e6681560b3f7bb414a306dcc5ae4d5976125
Instruction ID: f8fa9848ae50d5837f6260adba8007ed8adb660ecc6370a83eee419dea8051ce
Opcode Fuzzy Hash: ac6e9f41725dbc442b8bf6185ea0e6681560b3f7bb414a306dcc5ae4d5976125
Instruction Fuzzy Hash: 361172B1640718E6D5A0B770CC47FCB779E5F05700F40081CB299662E3DB34BA544B55

Uniqueness

Uniqueness Score: -1.00%

Function 006900FC, Relevance: 10.6, APIs: 7, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,006900F3,0068F564,0068586A), ref: 0069010A
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00690118
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00690131
SetLastError.KERNEL32(00000000,?,006900F3,0068F564,0068586A), ref: 00690183

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 5340f9a24e142925b2301bf7bca368ba6d16f6fa562447b18330113c868601b4
Instruction ID: d11d2948e26b249223f5eba63a445aae939a2f14cc7691c44b8471b0f6637430
Opcode Fuzzy Hash: 5340f9a24e142925b2301bf7bca368ba6d16f6fa562447b18330113c868601b4
Instruction Fuzzy Hash: 8401F13220D3216EBB6027B4AC86566265BDB07374730472FF610856F2EF215C015258

Uniqueness

Uniqueness Score: -1.00%

Function 004106A7, Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 41COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004106AC

Strings

End of file, xrefs: 004106D7
The descriptor does not fit into the select call's fd_set, xrefs: 004106EF
Already open, xrefs: 004106C6
asio.misc error, xrefs: 004106F6
Element not found, xrefs: 004106E3

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID: Already open$Element not found$End of file$The descriptor does not fit into the select call's fd_set$asio.misc error
API String ID: 3519838083-1489422305
Opcode ID: 0e974919303888db856ae624f66fddceb7bc6d713ec0c067eb07c25d7527eddb
Instruction ID: d67ba4f39ddab518590b04328f340580a13f1bfa5124be1068f38476ce4b5b78
Opcode Fuzzy Hash: 0e974919303888db856ae624f66fddceb7bc6d713ec0c067eb07c25d7527eddb
Instruction Fuzzy Hash: 3DF0A471A44128A78B20DF55A8518EFBB65FBD5760F10440BF945D2240C6F849E1878B

Uniqueness

Uniqueness Score: -1.00%

Function 006A486D, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,006A4862,00000003,?,006A4802,00000003,00787658,0000000C,006A4915,00000003,00000002), ref: 006A488D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006A48A0
FreeLibrary.KERNEL32(00000000,?,?,?,006A4862,00000003,?,006A4802,00000003,00787658,0000000C,006A4915,00000003,00000002,00000000), ref: 006A48C3

Strings

0A, xrefs: 006A48B1
mscoree.dll, xrefs: 006A4886
CorExitProcess, xrefs: 006A4898

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: 0A$CorExitProcess$mscoree.dll
API String ID: 4061214504-242658392
Opcode ID: 9df3df2a0e177dc7cd2e605b1649d3258fc5b3d1bd9aa78d63051723fbfae371
Instruction ID: 50e48b579043fcda82c136a0126160869b8aca19eaf4220f6d071175e2de8cb7
Opcode Fuzzy Hash: 9df3df2a0e177dc7cd2e605b1649d3258fc5b3d1bd9aa78d63051723fbfae371
Instruction Fuzzy Hash: DAF03170A00259ABEB11AB94DC49BDDBFB6EB44751F004168E805A6290DFB89E80CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040FDE5, Relevance: 9.2, APIs: 6, Instructions: 154windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040FDEA
FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000), ref: 0040FE11
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0040FE51
LocalFree.KERNEL32(?,00000001,00000000), ref: 0040FEDF

Part of subcall function 0040FD96: __EH_prolog.LIBCMT ref: 0040FD9B

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$ByteCharFormatFreeLocalMessageMultiWide
String ID:
API String ID: 2190881784-0
Opcode ID: 7447653f63256e29e746bcbfbdcb52320ffe7cff5478916db63b9fb25bd4cf1a
Instruction ID: cf0ca7360bed704e01f4f90639002dea4767b1b19a570e1babbfe4c1e91deba9
Opcode Fuzzy Hash: 7447653f63256e29e746bcbfbdcb52320ffe7cff5478916db63b9fb25bd4cf1a
Instruction Fuzzy Hash: 9E516E70915249AEEF14DF99DC84EAEBBB8FF05304F10403EF415A6691D7789E488B64

Uniqueness

Uniqueness Score: -1.00%

Function 00412CE4, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 136COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412CE9

Part of subcall function 0040F39B: __EH_prolog.LIBCMT ref: 0040F3A0

Part of subcall function 0041308A: __EH_prolog.LIBCMT ref: 0041308F

Part of subcall function 0041046F: __EH_prolog.LIBCMT ref: 00410474

new.LIBCMT ref: 00412DCD

Part of subcall function 00412F5C: __EH_prolog.LIBCMT ref: 00412F61

Strings

5A, xrefs: 00412D76
class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 00412DA3
a0A, xrefs: 00412D65

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID: a0A$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)$5A
API String ID: 3519838083-280365165
Opcode ID: 1f1b671c34ff57fd70009a9013ecf0c592aee9d0963705604a3299a6ef5eb55e
Instruction ID: 87e0541cf2904c335b22cf6d6275a1c02b6df84ccc2e5eca1df84b1b5e94cea1
Opcode Fuzzy Hash: 1f1b671c34ff57fd70009a9013ecf0c592aee9d0963705604a3299a6ef5eb55e
Instruction Fuzzy Hash: 4E5175B0D04288DFDB00DF98D9846EDBFB6AF55308F14806EE404EB241D7B89A49CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00695013, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

tdA, xrefs: 00695015

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: tdA
API String ID: 0-2901657147
Opcode ID: c6e9f190fb23edd07fa84333adef7a853451afe721767e536ff5a6b36f26999d
Instruction ID: 5eac8436f541adff5e16d85cf94dd1f9aa58db9647923bcfe447eda4d50430eb
Opcode Fuzzy Hash: c6e9f190fb23edd07fa84333adef7a853451afe721767e536ff5a6b36f26999d
Instruction Fuzzy Hash: 54410E71A00704BFDB259F78CC41B9ABBFEEB48710F10452EF152DBA81D675994187D4

Uniqueness

Uniqueness Score: -1.00%

Function 00526C8E, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00526C93
_strlen.LIBCMT ref: 00526CBC
_strlen.LIBCMT ref: 00526CC9

Strings

cvRegisterModule, xrefs: 00526D65
module != 0 && module->name != 0 && module->version != 0, xrefs: 00526D76

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _strlen$H_prolog
String ID: cvRegisterModule$module != 0 && module->name != 0 && module->version != 0
API String ID: 1011152186-743800567
Opcode ID: 98610e52668e412a932fd91fc7827e780124b1c5506717b150534b5dbda01d70
Instruction ID: 1c216b274c29c07072239776dbc70d41aa8b3040de0a75e9c3b73208a9111316
Opcode Fuzzy Hash: 98610e52668e412a932fd91fc7827e780124b1c5506717b150534b5dbda01d70
Instruction Fuzzy Hash: BD31E0B2A002189BEB19DBA4DC51BEEBBB5EF45304F10852AF502D66A2DB749948CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00526972, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

__swprintf.LEGACY_STDIO_DEFINITIONS ref: 00526A0F
__CxxThrowException@8.LIBVCRUNTIME ref: 00526A67

Strings

unknown function, xrefs: 005269E1, 00526A00
%s, xrefs: 00526A1E
OpenCV Error: %s (%s) in %s, file %s, line %d, xrefs: 00526A09

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Exception@8Throw__swprintf
String ID: %s$OpenCV Error: %s (%s) in %s, file %s, line %d$unknown function
API String ID: 2877379683-3808662302
Opcode ID: f0bf1f0858aa9d57627bb78dcaa79b95fe79175b50f9a71919c5454ad5ba66d1
Instruction ID: 3b8d40520611cb171773fca5a058683afeea0e28cbdaed5988659c37b117de5a
Opcode Fuzzy Hash: f0bf1f0858aa9d57627bb78dcaa79b95fe79175b50f9a71919c5454ad5ba66d1
Instruction Fuzzy Hash: 3431AF70500611DFEB18DB64E909E667BAAFF86300F50096CE142875E2DBB1F9C0CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414F8F, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00414FA1

Strings

)@A, xrefs: 0041415C

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Value
String ID: )@A
API String ID: 3702945584-964663934
Opcode ID: f31d188394a58046fcd61eff6e3b51ac5bb85199b8a6c03775566fc7413cb432
Instruction ID: 3f9ac80ab9e63e5c189cd3529ccbf7650f272e568715f3399f6b8bfdb81578f8
Opcode Fuzzy Hash: f31d188394a58046fcd61eff6e3b51ac5bb85199b8a6c03775566fc7413cb432
Instruction Fuzzy Hash: 8731B4B2D01209DFDB14EFA8C9499DEBFF8FF41310F10826AE815A7291D3349E458B95

Uniqueness

Uniqueness Score: -1.00%

Function 004130E6, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00412F5C: __EH_prolog.LIBCMT ref: 00412F61

__CxxThrowException@8.LIBVCRUNTIME ref: 00413103

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 0041310E
new.LIBCMT ref: 0041311F

Part of subcall function 0041308A: __EH_prolog.LIBCMT ref: 0041308F

Part of subcall function 0041046F: __EH_prolog.LIBCMT ref: 00410474

Strings

5A, xrefs: 0041316E
a0A, xrefs: 0041315C

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrow
String ID: a0A$5A
API String ID: 1193697898-3613670376
Opcode ID: 0453ab6e11982f829910caa79824c4668a638d97d96eae85b71ff3758c7a650f
Instruction ID: 5228e2c018721e28874958e8575dc73d0ed4b1a8756d38538d9b1c8856c80e62
Opcode Fuzzy Hash: 0453ab6e11982f829910caa79824c4668a638d97d96eae85b71ff3758c7a650f
Instruction Fuzzy Hash: 9421F3B1A00209EFC704DFA8C449A9DBBF9FF48318F10425EE5149B682D7B5E945CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00410A77, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00410A7C

Strings

unspecified system error, xrefs: 00410AB0
stream truncated, xrefs: 00410AB7
asio.ssl.stream error, xrefs: 00410A9D
unexpected result, xrefs: 00410AA9

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID: asio.ssl.stream error$stream truncated$unexpected result$unspecified system error
API String ID: 3519838083-2829376187
Opcode ID: dbb5516d7c3d89220cb4e4ca4bcf79310b10f97cd92497cff856f96e53a8ec9a
Instruction ID: 65e10c3dc9cb61e760b7f4d5ad23a2a917327bd022f706b357d93f4a6e5b9524
Opcode Fuzzy Hash: dbb5516d7c3d89220cb4e4ca4bcf79310b10f97cd92497cff856f96e53a8ec9a
Instruction Fuzzy Hash: F0F030B1A84325EB8714DF9CE5459E97BA4BF55780F00420BB84992681C6FE89C0879A

Uniqueness

Uniqueness Score: -1.00%

Function 0069CD82, Relevance: 7.7, APIs: 5, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8a423657d6bb5382cc7bc649591f87164532835b2354604c8317a08be089027
Instruction ID: 24ba474dbbdd3b28a4a5c7296d2cea6c369e8b687720244efb5db8b9d57c0838
Opcode Fuzzy Hash: a8a423657d6bb5382cc7bc649591f87164532835b2354604c8317a08be089027
Instruction Fuzzy Hash: FA71AF319002569BDF218F59C884AFFBB7FEF55370F24422AE811A7A81DB718D46C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0041D6A1, Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041D6A6

Part of subcall function 004103BF: __EH_prolog.LIBCMT ref: 004103C4

__CxxThrowException@8.LIBVCRUNTIME ref: 0041D6F4

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 0041D6FF
RtlEnterCriticalSection.NTDLL(?), ref: 0041D724
RtlLeaveCriticalSection.NTDLL(?), ref: 0041D752

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$CriticalSection$EnterExceptionException@8LeaveRaiseThrow
String ID:
API String ID: 537737055-0
Opcode ID: 1c2c8261b984f744e3a78c220d5e8aedbd37beea5302cea5b2fd59e408a19213
Instruction ID: 3248e6935b0eb2cd45827ad17518be7122569734d78bedb4deb8f612837ccfd3
Opcode Fuzzy Hash: 1c2c8261b984f744e3a78c220d5e8aedbd37beea5302cea5b2fd59e408a19213
Instruction Fuzzy Hash: AF2191B1D04248EFDB00EFA9C845BEEBFF5AF14314F20416DE411A7252D7B84A48CB65

Uniqueness

Uniqueness Score: -1.00%

Function 006A9F63, Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0069C0D2,006A0714,?,006A9F0D,00000001,00000364,?,00694D4A,00787350,00000010), ref: 006A9F68
_free.LIBCMT ref: 006A9F9D
_free.LIBCMT ref: 006A9FC4
SetLastError.KERNEL32(00000000), ref: 006A9FD1
SetLastError.KERNEL32(00000000), ref: 006A9FDA

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 8328903fcff850ccbd23dead1f757586a81dbf0e02a8ac5e4d39728d1e046843
Instruction ID: fa21aa506f4c0d5e5c2bd84afaa4edc4ec0e982bd3b30746a003c66e938accaf
Opcode Fuzzy Hash: 8328903fcff850ccbd23dead1f757586a81dbf0e02a8ac5e4d39728d1e046843
Instruction Fuzzy Hash: B20144362486002FBB1236306C85EAA226BDBD33307380128F905D63A2EFB4CC424D38

Uniqueness

Uniqueness Score: -1.00%

Function 006B2E06, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006B2E1E

Part of subcall function 006A071F: RtlFreeHeap.NTDLL(00000000,00000000,?,006B30B9,?,00000000,?,00000000,?,006B335D,?,00000007,?,?,006B3746,?), ref: 006A0735
Part of subcall function 006A071F: GetLastError.KERNEL32(?,?,006B30B9,?,00000000,?,00000000,?,006B335D,?,00000007,?,?,006B3746,?,?), ref: 006A0747

_free.LIBCMT ref: 006B2E30
_free.LIBCMT ref: 006B2E42
_free.LIBCMT ref: 006B2E54
_free.LIBCMT ref: 006B2E66

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5aa368f264e038e900a824d98831a4a2008d9a9b755e4e2f4df0ff6330c95aee
Instruction ID: a9bd2fc81ccc56ffc52ee5ada315827af27516196d19c29db94d0d854f5d902a
Opcode Fuzzy Hash: 5aa368f264e038e900a824d98831a4a2008d9a9b755e4e2f4df0ff6330c95aee
Instruction Fuzzy Hash: 08F090B2500205AB9660FB69E8E6C8B73EBBA057107645C09F105D7A60CB34FCC18F7C

Uniqueness

Uniqueness Score: -1.00%

Function 00412B0E, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 136COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412B13

Part of subcall function 0040F438: __EH_prolog.LIBCMT ref: 0040F43D

Part of subcall function 00413005: __EH_prolog.LIBCMT ref: 0041300A

Part of subcall function 0041046F: __EH_prolog.LIBCMT ref: 00410474

new.LIBCMT ref: 00412BF7

Part of subcall function 00412ECB: __EH_prolog.LIBCMT ref: 00412ED0

Strings

5A, xrefs: 00412BA0
class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 00412BCD

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID: class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)$5A
API String ID: 3519838083-1110745283
Opcode ID: d322324abf91fe9c18dfd66f5177100459ffbe902949565ec11c28fa7b5e422f
Instruction ID: 74f255da9f5d830f86434fac7068c22bc75ddf711811b1d044a069a6a3fb180b
Opcode Fuzzy Hash: d322324abf91fe9c18dfd66f5177100459ffbe902949565ec11c28fa7b5e422f
Instruction Fuzzy Hash: CE5165B1D05248DFDB00DF98D9846EEBFF5AF15308F14806EE504AB341E7B89A88CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004140F9, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004140FE
__ExceptionPtrCopy.LIBCPMT ref: 0041412F

Part of subcall function 00582D26: _Reset.LIBCPMT ref: 00582D3A

__ExceptionPtrCopy.LIBCPMT ref: 00414167

Part of subcall function 00582DB3: shared_ptr.LIBCPMT ref: 00582DBB

Part of subcall function 00582D16: shared_ptr.LIBCPMT ref: 00582D1F

Strings

)@A, xrefs: 0041415C

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CopyExceptionshared_ptr$H_prologReset
String ID: )@A
API String ID: 3356224348-964663934
Opcode ID: 25f800c6cad72c364c18cfbcf649618c335befb1227d7aeb18aff7734a65c357
Instruction ID: f99f7249fa56ae8e0a70bdf426ee4549c90b71bd115ae9360ca48c8d4fa7b845
Opcode Fuzzy Hash: 25f800c6cad72c364c18cfbcf649618c335befb1227d7aeb18aff7734a65c357
Instruction Fuzzy Hash: 572150B2C01209AFDB10EFA8C94A9DEBFF8FF45310F10865AE415A3291E7759B058B54

Uniqueness

Uniqueness Score: -1.00%

Function 00413208, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00412ECB: __EH_prolog.LIBCMT ref: 00412ED0

__CxxThrowException@8.LIBVCRUNTIME ref: 00413225

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

__EH_prolog.LIBCMT ref: 00413230
new.LIBCMT ref: 00413241

Part of subcall function 00413005: __EH_prolog.LIBCMT ref: 0041300A

Part of subcall function 0041046F: __EH_prolog.LIBCMT ref: 00410474

Strings

5A, xrefs: 00413290

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrow
String ID: 5A
API String ID: 1193697898-1205544748
Opcode ID: 384d465795c22ab1ba6152e2b118ee0d2ee54f20568b894faee348875323fcc2
Instruction ID: 2959379232cb9b729b7ea92543b75de708907a1a88a4badf2d514b17641bbd42
Opcode Fuzzy Hash: 384d465795c22ab1ba6152e2b118ee0d2ee54f20568b894faee348875323fcc2
Instruction Fuzzy Hash: D521F3B1A00209EBC704DFA8C849B9DBBF9FF48328F10425DE0149B682E7B5E944CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00576A2C, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00576A31

Part of subcall function 00579730: __EH_prolog.LIBCMT ref: 00579735

_strlen.LIBCMT ref: 00576A53

Strings

}jW, xrefs: 00576A4D
Windows bitmap (*.bmp;*.dib), xrefs: 00576A47, 00576A4C, 00576A5A

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$_strlen
String ID: Windows bitmap (*.bmp;*.dib)$}jW
API String ID: 1490583215-1740260866
Opcode ID: 54271a53ae72cbb626b6c16fbf17fe7f9379f2c224ebd6f00fc21604c6392371
Instruction ID: 030bba940c4e6c41b1e2b76196a51ab20cdfe42042398e5736aee373c93e6e37
Opcode Fuzzy Hash: 54271a53ae72cbb626b6c16fbf17fe7f9379f2c224ebd6f00fc21604c6392371
Instruction Fuzzy Hash: 77F0A0B1910644AFDB24AF5CD9067AEFBF8EF91721F10466FF41593692C7B81D0086A4

Uniqueness

Uniqueness Score: -1.00%

Function 00577908, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0057790D

Part of subcall function 00579730: __EH_prolog.LIBCMT ref: 00579735

_strlen.LIBCMT ref: 0057792F

Strings

Sun raster files (*.sr;*.ras), xrefs: 00577923, 00577928, 00577936
UyW, xrefs: 00577929

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$_strlen
String ID: Sun raster files (*.sr;*.ras)$UyW
API String ID: 1490583215-848707096
Opcode ID: ddead4b9a87fd835eccbb75d35e2e3dba18cf440126460d579d3d90bfd3e2ccc
Instruction ID: 29e51aecd8a14f9d31a8023f2f254d11cadb7f92f184b1635359828d0c3eb00c
Opcode Fuzzy Hash: ddead4b9a87fd835eccbb75d35e2e3dba18cf440126460d579d3d90bfd3e2ccc
Instruction Fuzzy Hash: 18E0E5729101149FDB14AF58D8027AEBBBCEF91721F10026FF41493282C7B41D0096A5

Uniqueness

Uniqueness Score: -1.00%

Function 0041645F, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00416464
std::exception::exception.LIBCONCRT ref: 00416481

Part of subcall function 0040F2EC: ___std_exception_copy.LIBVCRUNTIME ref: 0040F313

Part of subcall function 0041CC56: __EH_prolog.LIBCMT ref: 0041CC5B
Part of subcall function 0041CC56: __CxxThrowException@8.LIBVCRUNTIME ref: 0041CCA9

Strings

\$n, xrefs: 00416498
could not convert calendar time to UTC time, xrefs: 00416479

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$Exception@8Throw___std_exception_copystd::exception::exception
String ID: \$n$could not convert calendar time to UTC time
API String ID: 4220666059-2154543917
Opcode ID: d7fddeb6a064ba2be686af1137db9a1ef2c884885b7df00f073050f86353281e
Instruction ID: 8a9a92933aec560c30ce54c15b6476c3cd712f5fe7399fc520bae466908f9048
Opcode Fuzzy Hash: d7fddeb6a064ba2be686af1137db9a1ef2c884885b7df00f073050f86353281e
Instruction Fuzzy Hash: 11E0927094410AABDF00FF90D4127EDBF75EB10308F00406DE80966682DB354A89C7C9

Uniqueness

Uniqueness Score: -1.00%

Function 00694DA2, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,00694E72,00000000), ref: 00694DB8
FreeLibrary.KERNEL32(00000000,00000000,?,00694E72,00000000), ref: 00694DC7
_free.LIBCMT ref: 00694DCE

Strings

rNi, xrefs: 00694DA8, 00694DCD

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseFreeHandleLibrary_free
String ID: rNi
API String ID: 621396759-4070628955
Opcode ID: 34b808362cbe94b35fb9f7d9d15df1adc94c0a75e731caff01fbd810c097c0fa
Instruction ID: cc26c4fcb4a770e691d764eabadab309c4522081c77c2f79e02484117e592f6e
Opcode Fuzzy Hash: 34b808362cbe94b35fb9f7d9d15df1adc94c0a75e731caff01fbd810c097c0fa
Instruction Fuzzy Hash: 3EE04632400724ABDB212B45E848F96BBAAEF40321F14802AE55916960CB75AC99CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040F250, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0040F255
GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 0040F261

Strings

CreateSymbolicLinkW, xrefs: 0040F25B
kernel32.dll, xrefs: 0040F250

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: CreateSymbolicLinkW$kernel32.dll
API String ID: 1646373207-1962376091
Opcode ID: bd1c4cbd6ce50e022914dd3e2c166698ba0eed112ea3e3cb77a4a08f240cc9c4
Instruction ID: 590e85ebbecf18d2bf37684d831ec6b356c8ba3942a5e88775856824f88f2486
Opcode Fuzzy Hash: bd1c4cbd6ce50e022914dd3e2c166698ba0eed112ea3e3cb77a4a08f240cc9c4
Instruction Fuzzy Hash: 19B092B05823D0ABDB005BE1ACCD91C3B2ABA14702701A451F842CE664DFB442828E14

Uniqueness

Uniqueness Score: -1.00%

Function 0040F230, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0040F235
GetProcAddress.KERNEL32(00000000,CreateHardLinkW), ref: 0040F241

Strings

CreateHardLinkW, xrefs: 0040F23B
kernel32.dll, xrefs: 0040F230

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: CreateHardLinkW$kernel32.dll
API String ID: 1646373207-294928789
Opcode ID: e8356c8db0eb464db37513e9733c3783437a20d9dd90c0bb0afac3dc72d696ec
Instruction ID: 14882fced2e313a79112ea7472962911ea01498a907f2e19416e74a3366ec373
Opcode Fuzzy Hash: e8356c8db0eb464db37513e9733c3783437a20d9dd90c0bb0afac3dc72d696ec
Instruction Fuzzy Hash: 5EB092B15813C49BDB005BF2AC4D91C3AAAFA0A782B019021F141AE660DBB852828F14

Uniqueness

Uniqueness Score: -1.00%

Function 006B50BE, Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006B51ED

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d15ac559203b72c196b27b72f6e21bc6a17af2adb0e8fb0789b8ad363a07fa4c
Instruction ID: 0dfcad7caee3b2497596fc1d964b1c9f8261fca2fb2356e2399031e2505374ac
Opcode Fuzzy Hash: d15ac559203b72c196b27b72f6e21bc6a17af2adb0e8fb0789b8ad363a07fa4c
Instruction Fuzzy Hash: A34138B1A00A00ABEF617A7C8C42BEE36ABEF42370F140619F526C6291DB758D814B75

Uniqueness

Uniqueness Score: -1.00%

Function 00695013, Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6e9f190fb23edd07fa84333adef7a853451afe721767e536ff5a6b36f26999d
Instruction ID: 5eac8436f541adff5e16d85cf94dd1f9aa58db9647923bcfe447eda4d50430eb
Opcode Fuzzy Hash: c6e9f190fb23edd07fa84333adef7a853451afe721767e536ff5a6b36f26999d
Instruction Fuzzy Hash: 54410E71A00704BFDB259F78CC41B9ABBFEEB48710F10452EF152DBA81D675994187D4

Uniqueness

Uniqueness Score: -1.00%

Function 006B042E, Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00000107,00000000,00000000,?,?,?,?,00000001,00000107,?,00000001,?,00000000), ref: 006B047B
MultiByteToWideChar.KERNEL32(?,00000001,?,00000107,00000000,?,?,?,?,00000001,00000107,?,00000001,?,00000000,?), ref: 006B0504
GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000107,?,00000001,?,00000000,?,00000107,?), ref: 006B0516
__freea.LIBCMT ref: 006B051F

Part of subcall function 006A108E: RtlAllocateHeap.NTDLL(00000000,00000003,00000003), ref: 006A10C0

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 97f42e6e783000c67b4c068e863534cc4fc4ab11a9e61b10c8c2f8b25a44b242
Instruction ID: cc9d3210c437c6616901ac33e6ac38521ebe38c45e241f758d63c01827b6ee30
Opcode Fuzzy Hash: 97f42e6e783000c67b4c068e863534cc4fc4ab11a9e61b10c8c2f8b25a44b242
Instruction Fuzzy Hash: DB31AEB2A0021AABEF259F64CC45DEF7BA6EB40310F144169FC05DA290EB35CD90CB90

Uniqueness

Uniqueness Score: -1.00%

Function 005717F8, Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 005717FD
new.LIBCMT ref: 0057182A
RtlInitializeCriticalSection.NTDLL(0000001C), ref: 0057184D
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,00571F4A,?,?,?,0040F09B), ref: 00571864

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateCriticalEventH_prologInitializeSection
String ID:
API String ID: 3158263371-0
Opcode ID: 94b41bb9ff59bbe4f5ad02acec730859a2dbfae20486d502a5a7aa5c2f1e2c00
Instruction ID: 876213ab9cbc130f362b3ed82c620c3093d4f37ea1a0ae280deac4a34f932a9a
Opcode Fuzzy Hash: 94b41bb9ff59bbe4f5ad02acec730859a2dbfae20486d502a5a7aa5c2f1e2c00
Instruction Fuzzy Hash: BC3132B08053009FDBA4DF68D8847967BE4FF09310F1046AEEC19CF28AE3B18944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00414E09, Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414E0E
TlsGetValue.KERNEL32 ref: 00414E88
TlsSetValue.KERNEL32(?), ref: 00414EA1
TlsSetValue.KERNEL32(?,?,?,?,?,?,?), ref: 00414ED4

Part of subcall function 00414F2A: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000), ref: 00414F51
Part of subcall function 00414F2A: GetLastError.KERNEL32 ref: 00414F5B

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Value$CompletionErrorH_prologLastPostQueuedStatus
String ID:
API String ID: 158160221-0
Opcode ID: 586e919ffb6655bfbbf2e445b8256441f2e0ea899b9af754ab72a0c52bca22dc
Instruction ID: d71777ad571c8ca19c34f38a4bac23b68ce0d84137122360d3092e72d4341679
Opcode Fuzzy Hash: 586e919ffb6655bfbbf2e445b8256441f2e0ea899b9af754ab72a0c52bca22dc
Instruction Fuzzy Hash: DC31C071D00608EFDB05DFA9D8819EEBBB5FF88300F10813EE415A7260DB395A098B94

Uniqueness

Uniqueness Score: -1.00%

Function 00410817, Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041081C
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000), ref: 00410856
RtlEnterCriticalSection.NTDLL ref: 00410867
RtlLeaveCriticalSection.NTDLL ref: 00410897

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CriticalSection$CompletionEnterH_prologLeavePostQueuedStatus
String ID:
API String ID: 3890610498-0
Opcode ID: 9f8ffbdbcf60fbe60262c8921c14737b7b0069439acc42f7ec21859bc28d27a0
Instruction ID: 595c1b188952251bd2dacb951881a4d652b48873ec76a9dc35cae2145f26181e
Opcode Fuzzy Hash: 9f8ffbdbcf60fbe60262c8921c14737b7b0069439acc42f7ec21859bc28d27a0
Instruction Fuzzy Hash: FC11EF71905215DBDB15EF64C885BAFBBB8FF45729F10006EE801AB341C7B89981CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00413E53, Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00413E58
__Cnd_init.LIBCPMT ref: 00413E6F
__Mtx_init.LIBCPMT ref: 00413E94
std::_Cnd_initX.LIBCPMT ref: 00413EB8

Part of subcall function 00582E5D: std::_Throw_Cpp_error.LIBCPMT ref: 00582E84

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Cnd_initstd::_$Cpp_errorH_prologMtx_initThrow_
String ID:
API String ID: 3198263272-0
Opcode ID: fe5f18b6a7b7e998c36a799b37ad03f86760fab93763aa9cdcdedf13cffe35c5
Instruction ID: 8ec1a045a9a24e33f5b2c8459339143f0a3fdbf57a09db9abca812865670e0ac
Opcode Fuzzy Hash: fe5f18b6a7b7e998c36a799b37ad03f86760fab93763aa9cdcdedf13cffe35c5
Instruction Fuzzy Hash: FB110832905346DACB10EFAC94456EEBFF4AF45320F10455EF458B3282C7796B44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 006AB2BD, Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,006AB264,?,00000000,00000000,00000000,?,006AB590,00000006,FlsSetValue), ref: 006AB2EF
GetLastError.KERNEL32(?,006AB264,?,00000000,00000000,00000000,?,006AB590,00000006,FlsSetValue,0071F508,0071F510,00000000,00000364,?,006A9FB1), ref: 006AB2FB
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,006AB264,?,00000000,00000000,00000000,?,006AB590,00000006,FlsSetValue,0071F508,0071F510,00000000), ref: 006AB309

Memory Dump Source

Source File: 00000001.00000001.681219648.0000000000672000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.681198215.0000000000400000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681570191.000000000078C000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681588045.00000000007A2000.00000040.00020000.sdmp Download File
Associated: 00000001.00000001.681598595.00000000007CE000.00000040.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 4376a6cb57514a3e2f998794821d34c283dc87282710ac62b7bad34459de6416
Instruction ID: 4bdbfffff69f1da8354d80988fd09d6fcd354b261645325d4f3cf7198916ad7f
Opcode Fuzzy Hash: 4376a6cb57514a3e2f998794821d34c283dc87282710ac62b7bad34459de6416
Instruction Fuzzy Hash: F401FC32605223ABDF215B68AC44AA777DAEF06760B115124F905D7242D760DD018EE0

Uniqueness

Uniqueness Score: -1.00%

Function 00414FC5, Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414FCA
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,?), ref: 00414FE6
RtlEnterCriticalSection.NTDLL(?), ref: 00414FF8
RtlLeaveCriticalSection.NTDLL(?), ref: 0041501A

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CriticalSection$CompletionEnterH_prologLeavePostQueuedStatus
String ID:
API String ID: 3890610498-0
Opcode ID: 795c4aaf7302f1d8da56c00ef435025cb7637fe8cdecffaf110e4b1caab2fa0b
Instruction ID: e4ccac70859e7255c06649105df93775297bbe88067fbb39c88871d14b751ec6
Opcode Fuzzy Hash: 795c4aaf7302f1d8da56c00ef435025cb7637fe8cdecffaf110e4b1caab2fa0b
Instruction Fuzzy Hash: B8018B72500609EFDB04DFA4DD84BEABBB9FF48325F00012AF60596590C7B09E55CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004165B5, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004165BA

Strings

d, xrefs: 004165D0
Day of month is not valid for year, xrefs: 00416694

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID: Day of month is not valid for year$d
API String ID: 3519838083-3980292007
Opcode ID: f0d9c1bc68be35919035e67856b0244b9289362c3dc5eae8e337aafa6987f361
Instruction ID: aa6edb0c93ecd5314a4e0f99c3c8531e0ddc2fcbff495adc8c709a8d16015b63
Opcode Fuzzy Hash: f0d9c1bc68be35919035e67856b0244b9289362c3dc5eae8e337aafa6987f361
Instruction Fuzzy Hash: 8E310872B402159AEB14CF79CD0A7FEB7A69B54314F06812BE504E72C4EA78CD44C2A4

Uniqueness

Uniqueness Score: -1.00%

Function 00526860, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00526865

Strings

%s:%d: error: (%d) %s in function %s, xrefs: 005268A3
%s:%d: error: (%d) %s, xrefs: 005268D8

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID: %s:%d: error: (%d) %s$%s:%d: error: (%d) %s in function %s
API String ID: 3519838083-3777411579
Opcode ID: fefbe61fdca9b4d97fe0ed6ba593f287757ab4f2b15c0176700458856e3a7404
Instruction ID: 4ccea0192ace5affc3e80e56c8df7a7576fd484cde543b620d4a3d333096873b
Opcode Fuzzy Hash: fefbe61fdca9b4d97fe0ed6ba593f287757ab4f2b15c0176700458856e3a7404
Instruction Fuzzy Hash: FD219F71800719EFEB18DF94D845AAABBF5FF06304F50095DE016575E2E7B2EA84CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00532D66, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00532D6B

Part of subcall function 00526915: __EH_prolog.LIBCMT ref: 0052691A

Part of subcall function 00526747: __EH_prolog.LIBCMT ref: 0052674C

Part of subcall function 00526972: __CxxThrowException@8.LIBVCRUNTIME ref: 00526A67

Strings

cv::OutOfMemoryError, xrefs: 00532D8D
Failed to allocate %lu bytes, xrefs: 00532D9F

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$Exception@8Throw
String ID: Failed to allocate %lu bytes$cv::OutOfMemoryError
API String ID: 1007369359-255125719
Opcode ID: 06a199d06ec91613aa1f69611cc07f16b3b59c01b79db57447051bd22eb1c95a
Instruction ID: ab5bdab6b197a06c747e07827ce1222954709d7041fbdea029814ad387865ae6
Opcode Fuzzy Hash: 06a199d06ec91613aa1f69611cc07f16b3b59c01b79db57447051bd22eb1c95a
Instruction Fuzzy Hash: BD01F972D12128AADB15E7E8DC0AFDD7BB8AF55310F14419EE210571C2EBB45B48C761

Uniqueness

Uniqueness Score: -1.00%

Function 00526A6D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00526A72
std::exception::exception.LIBCMT ref: 00526A83

Part of subcall function 0040F323: ___std_exception_copy.LIBVCRUNTIME ref: 0040F341

Strings

%gR, xrefs: 00526A93

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog___std_exception_copystd::exception::exception
String ID: %gR
API String ID: 238416039-1847496865
Opcode ID: e7ec8c1aeff8aea54c0622960873d249bf79ad0e652b139f01fc3f524725f57b
Instruction ID: 6cc51797dc93b3519a544e1ec05f9a053a762e6795f56af9aefd895cec0c021b
Opcode Fuzzy Hash: e7ec8c1aeff8aea54c0622960873d249bf79ad0e652b139f01fc3f524725f57b
Instruction Fuzzy Hash: 93117C71801A48EBC711DBA9C444ADEFBF8FF18314F00426FE55293A91DBB4BA44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00576D95, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00576D9A

Part of subcall function 005795C0: __EH_prolog.LIBCMT ref: 005795C5

Part of subcall function 00575BCD: __EH_prolog.LIBCMT ref: 00575BD2

_strlen.LIBCMT ref: 00576DEA

Strings

8nW, xrefs: 00576DCA

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$_strlen
String ID: 8nW
API String ID: 1490583215-3678990148
Opcode ID: ffd4a3557ac63b3e5b3d12016631cb2498e3b012ed64ddd7264892b3a9d8037d
Instruction ID: 587648060941c9228cce58899d5a74ac498c95b054a415b06a8918cc77285a0e
Opcode Fuzzy Hash: ffd4a3557ac63b3e5b3d12016631cb2498e3b012ed64ddd7264892b3a9d8037d
Instruction Fuzzy Hash: D50124B19006459EDB24DB69A8057AEFFE8EF82320F00876FE46593292D7B81E00D751

Uniqueness

Uniqueness Score: -1.00%

Function 00414F2A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000), ref: 00414F51
GetLastError.KERNEL32 ref: 00414F5B

Part of subcall function 0041037A: __EH_prolog.LIBCMT ref: 0041037F

Strings

pqcs, xrefs: 00414F76

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CompletionErrorH_prologLastPostQueuedStatus
String ID: pqcs
API String ID: 1288862127-2559862021
Opcode ID: 62289c2a887ff509f8b4b6feebd40a0b0ec8652ac821b74d8e0d5ea0993a9edb
Instruction ID: 9a0a4618d32c31c4ca22fcb0b4eafbf0e41916f42df2d488f0aae1e67509a8b1
Opcode Fuzzy Hash: 62289c2a887ff509f8b4b6feebd40a0b0ec8652ac821b74d8e0d5ea0993a9edb
Instruction Fuzzy Hash: D8F08171A00128AF9B219B6588009ABBBADEE8075875080AAEC049B211DA74CD4787E5

Uniqueness

Uniqueness Score: -1.00%

Function 00412603, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412608

Part of subcall function 0041267E: __EH_prolog.LIBCMT ref: 00412683

Part of subcall function 00410E24: __EH_prolog.LIBCMT ref: 00410E29

Strings

6A, xrefs: 0041265A
06A, xrefs: 00412653

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID: 6A$06A
API String ID: 3519838083-223357171
Opcode ID: f4c3e68e4bc28e1f1f5753c539ab613bd7e891ffd08312e5e4756ce1d1509342
Instruction ID: f4364291f978b96d95e8ab4b4c58549ffb775d8411f43ab9772b0b80358d3521
Opcode Fuzzy Hash: f4c3e68e4bc28e1f1f5753c539ab613bd7e891ffd08312e5e4756ce1d1509342
Instruction Fuzzy Hash: 2A01D4B6501608EAC714DF5CDA006EABFFAFB86B50F10865EE4558B641DBB46A08CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0041ED61, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041ED66
new.LIBCMT ref: 0041ED7C

Strings

0A, xrefs: 0041ED9D

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID: 0A
API String ID: 3519838083-187954893
Opcode ID: 081576209a9c57e4d9c2b992600b254f77e2010209fbc48a5611ec0d19550154
Instruction ID: 1205f1b611dd8bb5a84b9eeda5d22fa35e1725b24406dc39a0c12df70a1429ab
Opcode Fuzzy Hash: 081576209a9c57e4d9c2b992600b254f77e2010209fbc48a5611ec0d19550154
Instruction Fuzzy Hash: B1017CB290234AEEC764DFA9854169AFFF5FF15310F10867EE09993641D3B05A00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00412A6E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412A73
new.LIBCMT ref: 00412A86

Strings

63A, xrefs: 00412AA7

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID: 63A
API String ID: 3519838083-706171910
Opcode ID: cf93a89df8cc1614a4b55885b72047a4b4a4e31fe59863db90c130c1885feb11
Instruction ID: 4d3f0011076075110644a449004c8b57a75cd4cfa51f76ef3dbae39df9de59a1
Opcode Fuzzy Hash: cf93a89df8cc1614a4b55885b72047a4b4a4e31fe59863db90c130c1885feb11
Instruction Fuzzy Hash: 3E019AB1901348EEC720DF99C50579AFFE6FB81321F20826EE484A7281C3B41A00DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004F4C91, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004F4C96

Part of subcall function 0040F6F5: __EH_prolog.LIBCMT ref: 0040F6FA
Part of subcall function 0040F6F5: GetProcessHeap.KERNEL32(007A29C4,?,004F4CBE,?,4s,?,?,004F508D,?,?,00403520), ref: 0040F717

Strings

4s, xrefs: 004F4C9D, 004F4C9F
MO, xrefs: 004F4CA4

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$HeapProcess
String ID: MO$4s
API String ID: 2845616704-1959134711
Opcode ID: e77d5ff1307ee3a604e189cca595570f67578b3cbff8e24ed796561535490fbd
Instruction ID: dbdc0edb21ee75685d1cf78b0f74f817e5f646d255c02b152c54bcf46313bc55
Opcode Fuzzy Hash: e77d5ff1307ee3a604e189cca595570f67578b3cbff8e24ed796561535490fbd
Instruction Fuzzy Hash: 2601B1B29222158AC354CF5DA80195BB7A4FFD6B10F00C22EE014B3272D77829028B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00412F5C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412F61

Strings

5A, xrefs: 00412FB1
a0A, xrefs: 00412FA1

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID: a0A$5A
API String ID: 3519838083-3613670376
Opcode ID: e8c153ac05fb0abf176b655d90569e05d8d2991294badc8d9fe4da1b69cf7429
Instruction ID: 74fbbeb34ab73e4fc6f72e5c78d6e4a9b63b2581873420e1e30d010f3b3e697a
Opcode Fuzzy Hash: e8c153ac05fb0abf176b655d90569e05d8d2991294badc8d9fe4da1b69cf7429
Instruction Fuzzy Hash: 2F014CB1900708DFD724CF98C5487AABBF1FB08359F10865DE49A9B641C3B4DA44CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00582EF6, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00582EFD
Concurrency::critical_section::critical_section.LIBCONCRT ref: 00582F32

Strings

~/X, xrefs: 00582F29

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Concurrency::critical_section::critical_sectionH_prolog3
String ID: ~/X
API String ID: 221928310-3598876131
Opcode ID: 01dc7ca36c9af132488cd6549aaafe1517b30a06729ffdfcfab98c78d5166254
Instruction ID: 4a58cd136fa69847c5614ee1920342e576b9da8fa92b96101e1748f9aea83a6d
Opcode Fuzzy Hash: 01dc7ca36c9af132488cd6549aaafe1517b30a06729ffdfcfab98c78d5166254
Instruction Fuzzy Hash: E5F03C702121019BEB18FF51C89BA393FB2BF40309F58441DEE06EA641DB74D841DB05

Uniqueness

Uniqueness Score: -1.00%

Function 00575AFF, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00575B04

Part of subcall function 005795C0: __EH_prolog.LIBCMT ref: 005795C5

Part of subcall function 00575BCD: __EH_prolog.LIBCMT ref: 00575BD2

_strlen.LIBCMT ref: 00575B3B

Strings

n[W, xrefs: 00575B1E

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$_strlen
String ID: n[W
API String ID: 1490583215-289964016
Opcode ID: 2b98277521df22681b7ba6bd46524f9a12fb829eeaca7df9408db371412e3afc
Instruction ID: 116ed5f195a8f9595ed03f01da3e54f7049565018eaee3be61271c96f31a9a8b
Opcode Fuzzy Hash: 2b98277521df22681b7ba6bd46524f9a12fb829eeaca7df9408db371412e3afc
Instruction Fuzzy Hash: 52F0F971904A449ED725DB2CA8056AEBFF5EB85320F10835FF46643292D7B41A419355

Uniqueness

Uniqueness Score: -1.00%

Function 00582572, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00582579
__ExceptionPtr::__ExceptionPtr.LIBCMT ref: 005825C1

Part of subcall function 005826A0: RtlEncodePointer.NTDLL(?), ref: 00582750

Strings

m+X, xrefs: 00582598

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Exception$EncodeH_prolog3PointerPtr::__
String ID: m+X
API String ID: 4003105897-2895029710
Opcode ID: 9392fe750c38a4d8bfbc62396106ad4d130a47cbc6f6cb885b36cf1f9f01c99e
Instruction ID: f12b37a3ac4dd88ebc41c038999ec7c113d9cd0f1659cfeced54df5a5d6e3699
Opcode Fuzzy Hash: 9392fe750c38a4d8bfbc62396106ad4d130a47cbc6f6cb885b36cf1f9f01c99e
Instruction Fuzzy Hash: 9EF09071A407459FDB10EF998841B9EFFF5BF84714F10442EF554AB291CBB09A048BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00410769, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00410770
GetLastError.KERNEL32 ref: 0041077F

Part of subcall function 0041037A: __EH_prolog.LIBCMT ref: 0041037F

Strings

tss, xrefs: 0041079A

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: AllocErrorH_prologLast
String ID: tss
API String ID: 249634027-1638339373
Opcode ID: 37c532ff2c1216f657573317fc955fae18d32346f171784d35b4c882b7803e8d
Instruction ID: 7767345e25553655080e048a62f20e34ffe8b35e099c56ff0bf57211427a5901
Opcode Fuzzy Hash: 37c532ff2c1216f657573317fc955fae18d32346f171784d35b4c882b7803e8d
Instruction Fuzzy Hash: 92E02B30F00218ABC71077B968C409EBBE9DAC8234710427BE81597392DAB8498B4B95

Uniqueness

Uniqueness Score: -1.00%

Function 0041280A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041280F

Part of subcall function 0041267E: __EH_prolog.LIBCMT ref: 00412683

Part of subcall function 004103BF: __EH_prolog.LIBCMT ref: 004103C4

Strings

6A, xrefs: 0041284E
06A, xrefs: 00412847

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID: 6A$06A
API String ID: 3519838083-223357171
Opcode ID: 7b6c715e5130c8721710a9e487e975662c75c4ea1790463ee8de8202fc14d362
Instruction ID: eca12a43316dbb3a31cd2df608725b8f5681017cfb1e8438f01c40cfb5baac28
Opcode Fuzzy Hash: 7b6c715e5130c8721710a9e487e975662c75c4ea1790463ee8de8202fc14d362
Instruction Fuzzy Hash: 1AF06DB1401209EBC704EF99D6056EDFFB6FF52354F10425EE1149B691CBB55A24CB90

Uniqueness

Uniqueness Score: -1.00%

Function 005788C9, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 005788CE

Part of subcall function 00579730: __EH_prolog.LIBCMT ref: 00579735

_strlen.LIBCMT ref: 005788F0

Strings

Portable image format (*.pbm;*.pgm;*.ppm;*.pxm;*.pnm), xrefs: 005788E4, 005788E9, 005788F7

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$_strlen
String ID: Portable image format (*.pbm;*.pgm;*.ppm;*.pxm;*.pnm)
API String ID: 1490583215-1029613475
Opcode ID: fb69ea1aa904fa1b80504c525c44d4d7249f0eb676a8fdfece690de429d9b3fe
Instruction ID: 80bb32cce355ac01261c6b69d11c3c2255739fbf66f3e5c7b8534e45542ca4f9
Opcode Fuzzy Hash: fb69ea1aa904fa1b80504c525c44d4d7249f0eb676a8fdfece690de429d9b3fe
Instruction Fuzzy Hash: 6BF0A0729106449ADB24AF58D9067AEBBFCEF91721F10066FF42593692CBB42D0096A0

Uniqueness

Uniqueness Score: -1.00%

Function 00578E52, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00578E57

Part of subcall function 00579730: __EH_prolog.LIBCMT ref: 00579735

_strlen.LIBCMT ref: 00578E79

Strings

TIFF Files (*.tiff;*.tif), xrefs: 00578E6D, 00578E72, 00578E80

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$_strlen
String ID: TIFF Files (*.tiff;*.tif)
API String ID: 1490583215-969518115
Opcode ID: 094ba78a1fe63a674c422feaf51403e5da3140e967ef29c034c1d59aa25ade87
Instruction ID: a0667cf50f8be4ec036636b3a3dd9cc6271612a5837f91897a9604bb1794b09c
Opcode Fuzzy Hash: 094ba78a1fe63a674c422feaf51403e5da3140e967ef29c034c1d59aa25ade87
Instruction Fuzzy Hash: 83F020729205449AD724AF5CD8067AEFBBCEF91720F10026FF011A3682C7B42D0092A0

Uniqueness

Uniqueness Score: -1.00%

Function 00582526, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0058252D
__ExceptionPtr::__ExceptionPtr.LIBCMT ref: 00582563

Part of subcall function 005826A0: RtlEncodePointer.NTDLL(?), ref: 00582750

Strings

m+X, xrefs: 00582547

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: Exception$EncodeH_prolog3PointerPtr::__
String ID: m+X
API String ID: 4003105897-2895029710
Opcode ID: 913da3cebc69cc95631334cc77f5ad99483d006c37bc7e4efa03e1888d330ccb
Instruction ID: 8df42ccd2d3fdfc9fd85804b76f056dd488c732d34ba028371c2f0bb644040cc
Opcode Fuzzy Hash: 913da3cebc69cc95631334cc77f5ad99483d006c37bc7e4efa03e1888d330ccb
Instruction Fuzzy Hash: BCF08570A112169FCB50EFA8C0006AEBFF1BF09300F10846EB899EB201DB709A04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00410C7D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00410C82
CreateEventA.KERNEL32(00000000,?,?,00000000), ref: 00410C94

Part of subcall function 00410B2A: __EH_prolog.LIBCMT ref: 00410B2F

Part of subcall function 004123F5: __CxxThrowException@8.LIBVCRUNTIME ref: 0041240F

Strings

boost::thread_resource_error, xrefs: 00410C9E

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$CreateEventException@8Throw
String ID: boost::thread_resource_error
API String ID: 198059956-52533987
Opcode ID: 1a164ffb7d7992499a21f89b34fc0440501e870148e75efce5f3466bc3cc7b47
Instruction ID: 49e4c0660a23dcb75cd5f3498cc31a18c8345470ec49bbbe7571606633aa47d7
Opcode Fuzzy Hash: 1a164ffb7d7992499a21f89b34fc0440501e870148e75efce5f3466bc3cc7b47
Instruction Fuzzy Hash: BFF0A0B198420CEBDB10EFE0DD05BDE7B71FB14705F004159F904AA280DBB94A84DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00596BC4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0040F608: InitializeCriticalSectionEx.KERNEL32(0079E760,00000000,00000000,0079E74C,00596BF3,?,?,?,0040F21C), ref: 0040F60E
Part of subcall function 0040F608: GetLastError.KERNEL32(?,?,?,0040F21C), ref: 0040F618

IsDebuggerPresent.KERNEL32(?,?,?,0040F21C), ref: 00596BF7
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0040F21C), ref: 00596C06

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00596C01

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: 88da9bc2f899907a1d6627ffafd0da83b39259829df6f6793debda9842619c1e
Instruction ID: d4c036fcae37f4084c567cba2579976e98d4a324b05579e4f57c4f6623958f28
Opcode Fuzzy Hash: 88da9bc2f899907a1d6627ffafd0da83b39259829df6f6793debda9842619c1e
Instruction Fuzzy Hash: 16E06D702017818FDB709F25E5087827FE5AB14349F01892DF885D7651EBB5D988CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0041236F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412374

Part of subcall function 00412559: __EH_prolog.LIBCMT ref: 0041255E

Part of subcall function 004103BF: __EH_prolog.LIBCMT ref: 004103C4

__CxxThrowException@8.LIBVCRUNTIME ref: 004123C2

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

Strings

86A, xrefs: 004123AE

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrow
String ID: 86A
API String ID: 1193697898-1576963401
Opcode ID: f6fefb93a8016f4d5820b687e0725b4b40c18e82d00a83300a8d939c596b7758
Instruction ID: 0b62c954ae02e6c1c718dab4881d14592e3510e7da179f93061bc6e4a504c101
Opcode Fuzzy Hash: f6fefb93a8016f4d5820b687e0725b4b40c18e82d00a83300a8d939c596b7758
Instruction Fuzzy Hash: 91F01CB180528CEADB04EBE5C64E6CCBFB5AB10318F204168D0517B186C7B90B88C75A

Uniqueness

Uniqueness Score: -1.00%

Function 0041D648, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041D64D

Part of subcall function 004103BF: __EH_prolog.LIBCMT ref: 004103C4

__CxxThrowException@8.LIBVCRUNTIME ref: 0041D69B

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

Strings

RA, xrefs: 0041D679

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrow
String ID: RA
API String ID: 1193697898-2489262598
Opcode ID: ed25e96609f27017d1fbef0252baa919f2359df7f3a56548066db5bc896ddfdd
Instruction ID: f7f83b3d672e2e3ea372a55306b04b1c76932bacc795154e1acbce626890db18
Opcode Fuzzy Hash: ed25e96609f27017d1fbef0252baa919f2359df7f3a56548066db5bc896ddfdd
Instruction Fuzzy Hash: 31F01CB1C1425CEBDF04FFA5C94AADCBEB4AB24318F14426CE4517B192C7B90A48CB29

Uniqueness

Uniqueness Score: -1.00%

Function 0041CA48, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041CA4D

Part of subcall function 0041D8B4: std::exception::exception.LIBCMT ref: 0041D8D6

Part of subcall function 004103BF: __EH_prolog.LIBCMT ref: 004103C4

__CxxThrowException@8.LIBVCRUNTIME ref: 0041CA9B

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

Strings

bA, xrefs: 0041CA79

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrowstd::exception::exception
String ID: bA
API String ID: 1371192639-897489536
Opcode ID: 2716bbbf81c842bf1b27c6300b8ecd3f3c6e2e1163b5b2925c245b324a45f4df
Instruction ID: 1702613bc4d7873dff79c591d96cd102a775604c8e5d15698f88d781f926d443
Opcode Fuzzy Hash: 2716bbbf81c842bf1b27c6300b8ecd3f3c6e2e1163b5b2925c245b324a45f4df
Instruction Fuzzy Hash: 00F01CB1C1425CEADF04FBA9D94AADCBBB4AF14318F14426CE06176192C7B91648CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041CAFA, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041CAFF

Part of subcall function 004103BF: __EH_prolog.LIBCMT ref: 004103C4

__CxxThrowException@8.LIBVCRUNTIME ref: 0041CB4D

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

Strings

JA, xrefs: 0041CB2B

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrow
String ID: JA
API String ID: 1193697898-3301965381
Opcode ID: 8bd85736b7c2cea6e92f45583433b4f34073cc927cf1b11944b1a8d4cd02a7cb
Instruction ID: 5228f20f21dc8152200ef69f30287661c6e84751c9a023f01c5366d53ad0930e
Opcode Fuzzy Hash: 8bd85736b7c2cea6e92f45583433b4f34073cc927cf1b11944b1a8d4cd02a7cb
Instruction Fuzzy Hash: 5EF0F8B2C1825CEBDF04EBA5C94A6DDBFB5AB14308F108268E05176182CBB90648CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041CC56, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041CC5B

Part of subcall function 0040F569: std::exception::exception.LIBCMT ref: 0040F58B

Part of subcall function 004103BF: __EH_prolog.LIBCMT ref: 004103C4

__CxxThrowException@8.LIBVCRUNTIME ref: 0041CCA9

Part of subcall function 0068E3DE: RaiseException.KERNEL32(?,00582150,P!X,?,?,0078FB6C,?,?,?,?,?,00582150,?,00783398,?), ref: 0068E43D

Strings

KA, xrefs: 0041CC87

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$ExceptionException@8RaiseThrowstd::exception::exception
String ID: KA
API String ID: 1371192639-4189050869
Opcode ID: 4c1ea2af7b9039861cb6726c3c3c17fcbc05b0211f7b0f8da518d32bef9fb658
Instruction ID: 48157b314adcb158eb4ecfb938529cea034f0d970046aa0e08d466c5143675d8
Opcode Fuzzy Hash: 4c1ea2af7b9039861cb6726c3c3c17fcbc05b0211f7b0f8da518d32bef9fb658
Instruction Fuzzy Hash: 0FF0F8B1C1425CEADF14EFA5D94AACCBAB0AB14308F14426DE06176193C7B94648CB29

Uniqueness

Uniqueness Score: -1.00%

Function 00410ADF, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00410AE4

Strings

qA, xrefs: 00410B09
`Uz, xrefs: 00410B1A

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID: `Uz$qA
API String ID: 3519838083-2024558899
Opcode ID: 6b33433e007b65559b7cafbdfe7bff9aa3f0982848ef6cb80251720f99cb93bb
Instruction ID: 3ad52aaa06ea09f0f7196b81621c333171edef379798820baad56bcef2dd4997
Opcode Fuzzy Hash: 6b33433e007b65559b7cafbdfe7bff9aa3f0982848ef6cb80251720f99cb93bb
Instruction Fuzzy Hash: 27E09A70E50A88CBC720CFA4E601398BBB3F786718F14836AE80097660D77C5A908B4A

Uniqueness

Uniqueness Score: -1.00%

Function 0040526D, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00405274

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 0040526E, 00405273, 0040527B
1.38, xrefs: 0040527C

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: 11bf2bc1005ffb2344021703183b3157be3893686496db78ae5409396bbd7434
Instruction ID: e266af1bf60833dd135b2964f202bcab8b80facd9f0f7c2e15cfabd8b8876539
Opcode Fuzzy Hash: 11bf2bc1005ffb2344021703183b3157be3893686496db78ae5409396bbd7434
Instruction Fuzzy Hash: C2C04C12D9A5202D394933A9380BDEA024E9D57360B16106FF540A55D25C892D8142FE

Uniqueness

Uniqueness Score: -1.00%

Function 0040A2E4, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040A2EB

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 0040A2E5, 0040A2F2
1.38, xrefs: 0040A2F3

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: d958756c7256d3fcf64aa329ed57a0a29324a30b041b1f3b3ee1870b61b4dfc0
Instruction ID: ddb6bf3122922fbe502811115ade512f7d7a5d7aa7b7724a637a58d77962b036
Opcode Fuzzy Hash: d958756c7256d3fcf64aa329ed57a0a29324a30b041b1f3b3ee1870b61b4dfc0
Instruction Fuzzy Hash: 0AC04C5299A5202D39493255380BDEE424F8D96320F16117FF540656D25D892D8155FE

Uniqueness

Uniqueness Score: -1.00%

Function 004022AB, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004022B2

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 004022AC, 004022B1, 004022B9
1.38, xrefs: 004022BA

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: a1174dc1a00085616ef2ba1bc0671f78d28000fcd45517a343cec4728d2715fc
Instruction ID: 5077432d5b53f128c306b847c1f12a9bec3d7b103ef96dfda9e75c436612fc35
Opcode Fuzzy Hash: a1174dc1a00085616ef2ba1bc0671f78d28000fcd45517a343cec4728d2715fc
Instruction Fuzzy Hash: 7FC04C22A9A62029394972653C07DEA025E8D56720B16147FF940E55D25C992D8142FE

Uniqueness

Uniqueness Score: -1.00%

Function 0040D3E7, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040D3EE

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 0040D3E8, 0040D3ED, 0040D3F5
1.38, xrefs: 0040D3F6

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: 2a813249673244ee0fee1c5d2432c7ba412ffafd5776d6bbf080f4aaff927167
Instruction ID: 8d93459c49d6af7b25c8a4b4c202fd9f8707758037e8c628de551d446fba8bf7
Opcode Fuzzy Hash: 2a813249673244ee0fee1c5d2432c7ba412ffafd5776d6bbf080f4aaff927167
Instruction Fuzzy Hash: 59C04C125AA5212D3D4933A53807DEA024E8D97320B26107FB641A59D25C882D8141FF

Uniqueness

Uniqueness Score: -1.00%

Function 0040B47A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040B481

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 0040B47B, 0040B488
1.38, xrefs: 0040B489

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: 444236848f96ecb7e6e56a9a0ee6419da61691b9dfb13f6720e9baa2c7228214
Instruction ID: 5b22846f854b49fb38c1f477b0dd8c63ec913540427ac75266d689f0d58e517d
Opcode Fuzzy Hash: 444236848f96ecb7e6e56a9a0ee6419da61691b9dfb13f6720e9baa2c7228214
Instruction Fuzzy Hash: 1CC04C1299A5206D395933653817DEE024E8D96320B16107FF541A69D35D992C8141FE

Uniqueness

Uniqueness Score: -1.00%

Function 004034E9, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004034F0

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 004034EA, 004034EF, 004034F7
1.38, xrefs: 004034F8

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: b3a2a359b2ef589216629a33769251a8df8ba84c9f5f19386adae22a4316d369
Instruction ID: b1944bd9225a8aa413123696bc0613764c06176728732efb393501e9ef0666f4
Opcode Fuzzy Hash: b3a2a359b2ef589216629a33769251a8df8ba84c9f5f19386adae22a4316d369
Instruction Fuzzy Hash: 7CC04C1259A5206D394932553807DEA024E8D97320B16107FF6406A5D25C892C9142FE

Uniqueness

Uniqueness Score: -1.00%

Function 00408733, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040873A

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 00408734, 00408739, 00408741
1.38, xrefs: 00408742

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: 988417579d30e404e7177d0b444c2cee079fc6bc7bbf151f41cc03f59a8a273c
Instruction ID: 077a2de6e530767f8f8a5263a5e530a8d9f8b299f56ac8d3a85c5ecfd48a5b9a
Opcode Fuzzy Hash: 988417579d30e404e7177d0b444c2cee079fc6bc7bbf151f41cc03f59a8a273c
Instruction Fuzzy Hash: 67C04C2259A6306D3D4933A5794BDEA024E8D57324B16107FF541A55D25C893C8151FE

Uniqueness

Uniqueness Score: -1.00%

Function 004018A5, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 004018AC

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 004018A6, 004018AB, 004018B3
1.38, xrefs: 004018B4

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: 11e84a957d33b55c9dfede8c28236c55395bb6ab96e9670dab8194ee1fc9a583
Instruction ID: dd26f7408a621207772bc125f8f53bc7781b5565fce5ce3598a79d70814a804d
Opcode Fuzzy Hash: 11e84a957d33b55c9dfede8c28236c55395bb6ab96e9670dab8194ee1fc9a583
Instruction Fuzzy Hash: 9FC08C5298A1202C384837643817DEE028E8C52320B02003FF500A15C21C882C8142FF

Uniqueness

Uniqueness Score: -1.00%

Function 0040497B, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00404982

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 0040497C, 00404981, 00404989
1.38, xrefs: 0040498A

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: a4be57f78aa625e08334b1114d9a90a57a78a2e83df7568f09402af674db06b6
Instruction ID: ce8c6b9130df83ab8c0afd1af596a027e8b0888e437793a1298583a6eb38ad6b
Opcode Fuzzy Hash: a4be57f78aa625e08334b1114d9a90a57a78a2e83df7568f09402af674db06b6
Instruction Fuzzy Hash: BCC04C1259A5202D398932953C17DEF024E8D57320B16206FBA40695D25C892D8141FF

Uniqueness

Uniqueness Score: -1.00%

Function 00409A19, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00409A20

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 00409A1A, 00409A1F, 00409A27
1.38, xrefs: 00409A28

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: 3dd63a3bf900a545803efa0e339d436ba3480874ba30ccdc8b707adcf33f859f
Instruction ID: b225cc8389eede286499cdf83a1b8471753445de4cac1218ef575fddac2c498f
Opcode Fuzzy Hash: 3dd63a3bf900a545803efa0e339d436ba3480874ba30ccdc8b707adcf33f859f
Instruction Fuzzy Hash: 13C04C1299A5212D395936557807DEE034E8D97320B56106FB644655D35D893C8141FE

Uniqueness

Uniqueness Score: -1.00%

Function 00402B76, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00402B7D

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 00402B77, 00402B7C, 00402B84
1.38, xrefs: 00402B85

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: 032cb3ed4896f6953f209fd74065b221ca5a5c54e37c2eeda837943d7977bdb6
Instruction ID: 4f5c75626164dbfafd80348b99963ab7a9d84dd1f5d8ec61549205f2f7f59819
Opcode Fuzzy Hash: 032cb3ed4896f6953f209fd74065b221ca5a5c54e37c2eeda837943d7977bdb6
Instruction Fuzzy Hash: 11C04C5299E5202D394932657817DEE124E8D57320B16117FFA40655D35C892D8182FE

Uniqueness

Uniqueness Score: -1.00%

Function 0040CB1C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040CB23

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 0040CB1D, 0040CB22, 0040CB2A
1.38, xrefs: 0040CB2B

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: cfd8427584e99c30d4ad69b824dcbfccfb2ef5504156480edc4e452b1e842b73
Instruction ID: 531aef82cc003a45f3d6309ecc600574b307fd2a97c03e21a80bdfbb73218b3a
Opcode Fuzzy Hash: cfd8427584e99c30d4ad69b824dcbfccfb2ef5504156480edc4e452b1e842b73
Instruction Fuzzy Hash: 10C04C6259E5202D3D4933953907DEA028E8D57330B16107FF641655D25D883D8141FE

Uniqueness

Uniqueness Score: -1.00%

Function 0040ABAF, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040ABB6

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 0040ABB0, 0040ABB5, 0040ABBD
1.38, xrefs: 0040ABBE

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: 74238967f7875711565623e95ed8a652a2ce544fb00d7e6939fcece1ebf411ac
Instruction ID: fd8eaf1fce6ce899814d2ce77275db4dd5cac19f9901057d6998bcb7c5abf39e
Opcode Fuzzy Hash: 74238967f7875711565623e95ed8a652a2ce544fb00d7e6939fcece1ebf411ac
Instruction Fuzzy Hash: 59C04C529DA5202D394933A53807DEE025E8D96320B16106FB540655D25D992C8181FE

Uniqueness

Uniqueness Score: -1.00%

Function 0040BFE7, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040BFEE

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 0040BFE8, 0040BFED, 0040BFF5
1.38, xrefs: 0040BFF6

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: b9b8bbd2a0b16ead823c408ee37204dcfdeb919558ebfaab324eca31a0d80543
Instruction ID: 07e3ef0655ae120fdb825b051de23d3fb4e269e6c9c3a0bd06e4c5c8a0b38d33
Opcode Fuzzy Hash: b9b8bbd2a0b16ead823c408ee37204dcfdeb919558ebfaab324eca31a0d80543
Instruction Fuzzy Hash: 6BC08C2289A5206C3C4833947C07CEA024E8C52320F12003FF541615C20C883C8141FF

Uniqueness

Uniqueness Score: -1.00%

Function 00403FEB, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00403FF2

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 00403FFA
1.38, xrefs: 00403FEC, 00403FF1, 00403FF9

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: 7d7056d2c737650ac44a68defaba5afdb81995daaf35dc8912e4668e8f508269
Instruction ID: 946720b3df80c76aa4a2be5918f5c609d4831dd0e29be592aa96ecbff9660df6
Opcode Fuzzy Hash: 7d7056d2c737650ac44a68defaba5afdb81995daaf35dc8912e4668e8f508269
Instruction Fuzzy Hash: 6CC04C1299A5306D398933593807DEA024E8D96320B16117FB640669D25C893C8181FE

Uniqueness

Uniqueness Score: -1.00%

Function 00408FFE, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00409005

Part of subcall function 0068A19C: __onexit.LIBCMT ref: 0068A1A2

Strings

1.38, xrefs: 00408FFF, 00409004, 0040900C
1.38, xrefs: 0040900D

Memory Dump Source

Source File: 00000001.00000002.943732410.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.944201292.000000000078C000.00000040.00000001.sdmp Download File
Associated: 00000001.00000002.944222961.00000000007CE000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID: __onexit_strlen
String ID: 1.38$1.38
API String ID: 4000879885-3497077264
Opcode ID: 020001e252d8e1853f4bb6802d1969decffad4c23503c88e34a071c2c8f841d2
Instruction ID: fff324d0faf7d8b0d14dcd6155d2c71b54e2705f0ba7604b252d380fc4553fc4
Opcode Fuzzy Hash: 020001e252d8e1853f4bb6802d1969decffad4c23503c88e34a071c2c8f841d2
Instruction Fuzzy Hash: F8C04C125AE5206D394932653D07DEA024E8D56720B16106FF545655D65C893C8141FE

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report cyr8VsVRxv.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: BitRat

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Function 0057FBA0, Relevance: 1.5, APIs: 1, Instructions: 5
COMMON

Function 00581390, Relevance: 7.6, APIs: 5, Instructions: 59
COMMON