Play interactive tour

Edit tour

Windows Analysis Report duLT5gkRjy.exe

Overview

General Information

Sample Name:	duLT5gkRjy.exe
Analysis ID:	528744
MD5:	d42456f7afc812628a9ff67d8c9340eb
SHA1:	30f49d0f3d46cc9ccf8733247a0709555ad2099f
SHA256:	a5b981c10065983578a2bca4399f901bd5a4e87b4ebe2d05c1f9971fb9fb36ac
Tags:	exeSocelars
Infos:
Most interesting Screenshot:

Detection

Socelars

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Socelars

Multi AV Scanner detection for domain / URL

May check the online IP address of the machine

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Enables debug privileges

AV process strings found (often used to terminate AV products)

Enables driver privileges

PE file contains strange resources

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Enables security privileges

Classification

Process Tree

System is w10x64

duLT5gkRjy.exe (PID: 3892 cmdline: "C:\Users\user\Desktop\duLT5gkRjy.exe" MD5: D42456F7AFC812628A9FF67D8C9340EB)

WerFault.exe (PID: 4760 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 1116 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Socelars

{"C2 url": "http://ngdatas.pw/"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
duLT5gkRjy.exe	JoeSecurity_Socelars	Yara detected Socelars	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.305417578.000000000105A000.00000002.00020000.sdmp	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
00000000.00000000.306515847.000000000105A000.00000002.00020000.sdmp	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
00000000.00000000.298952440.000000000105A000.00000002.00020000.sdmp	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
Process Memory Space: duLT5gkRjy.exe PID: 3892	JoeSecurity_Socelars	Yara detected Socelars	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.0.duLT5gkRjy.exe.f40000.0.unpack	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
0.0.duLT5gkRjy.exe.f40000.1.unpack	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
0.2.duLT5gkRjy.exe.f40000.0.unpack	JoeSecurity_Socelars	Yara detected Socelars	Joe Security
0.0.duLT5gkRjy.exe.f40000.2.unpack	JoeSecurity_Socelars	Yara detected Socelars	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: duLT5gkRjy.exe

Malware Configuration Extractor: Socelars {"C2 url": "http://ngdatas.pw/"}

Multi AV Scanner detection for submitted file

Show sources

Source: duLT5gkRjy.exe	Virustotal: Detection: 62%			Perma Link
Source: duLT5gkRjy.exe	ReversingLabs: Detection: 62%

Multi AV Scanner detection for domain / URL

Show sources

Source: www.listincode.com

Virustotal: Detection: 9%

Perma Link

Source: duLT5gkRjy.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown	HTTPS traffic detected: 149.28.253.196:443 -> 192.168.2.3:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.9.162.45:443 -> 192.168.2.3:49743 version: TLS 1.2

Source: duLT5gkRjy.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wininet.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: rsaenh.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdbN source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.310917911.0000000005027000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.311494456.0000000003466000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.317276292.00000000053F1000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.311005034.0000000003466000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.317235651.00000000053C1000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317309674.00000000053C5000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317353963.00000000053C5000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdbj source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: mskeyprotect.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdbX source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.317276292.00000000053F1000.00000004.00000001.sdmp
Source:	Binary string: ncrypt.pdb5 source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000004.00000002.327372019.0000000000A12000.00000004.00000001.sdmp
Source:	Binary string: dpapi.pdbg source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.317276292.00000000053F1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.310988169.0000000003460000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.311684113.0000000003460000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.317276292.00000000053F1000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000004.00000003.317235651.00000000053C1000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317309674.00000000053C5000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317353963.00000000053C5000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.317347843.00000000053C0000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.317276292.00000000053F1000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.317276292.00000000053F1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000004.00000003.317235651.00000000053C1000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317309674.00000000053C5000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317353963.00000000053C5000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdbV source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: schannel.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdb3 source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.311380961.000000000346C000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.311026320.000000000346C000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.317276292.00000000053F1000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000004.00000003.317347843.00000000053C0000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdbB source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdbD source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdbU source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: ntasn1.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: OnDemandConnRouteHelper.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: gpapi.pdb? source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: netbios.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000004.00000003.317235651.00000000053C1000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317309674.00000000053C5000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317353963.00000000053C5000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000004.00000003.310988169.0000000003460000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.311684113.0000000003460000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000004.00000003.317235651.00000000053C1000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317309674.00000000053C5000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317353963.00000000053C5000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.317276292.00000000053F1000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdbr source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000004.00000003.317235651.00000000053C1000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317309674.00000000053C5000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317353963.00000000053C5000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000004.00000003.317235651.00000000053C1000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317309674.00000000053C5000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317353963.00000000053C5000.00000004.00000040.sdmp
Source:	Binary string: rsaenh.pdb- source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: ncryptsslp.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: gpapi.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb` source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb~ source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.317347843.00000000053C0000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdbl source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: netapi32.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.317276292.00000000053F1000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb{ source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000004.00000003.311380961.000000000346C000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.311026320.000000000346C000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.317235651.00000000053C1000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317309674.00000000053C5000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317353963.00000000053C5000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.317276292.00000000053F1000.00000004.00000001.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.317347843.00000000053C0000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.317347843.00000000053C0000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000004.00000003.311494456.0000000003466000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.311005034.0000000003466000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: CLBCatQ.pdbt source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: ncrypt.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: dpapi.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.317276292.00000000053F1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp

Networking:

May check the online IP address of the machine

Show sources

Source: C:\Users\user\Desktop\duLT5gkRjy.exe

DNS query: name: iplogger.org

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://ngdatas.pw/

Source: Joe Sandbox View

ASN Name: AS-CHOOPAUS AS-CHOOPAUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Joe Sandbox View	IP Address: 149.28.253.196 149.28.253.196
Source: Joe Sandbox View	IP Address: 5.9.162.45 5.9.162.45
Source: Joe Sandbox View	IP Address: 5.9.162.45 5.9.162.45

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Host: www.listincode.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1GWfv7 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Host: iplogger.orgCache-Control: no-cache

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443

Source: duLT5gkRjy.exe

String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)

Source: duLT5gkRjy.exe, 00000000.00000003.302571040.00000000015BC000.00000004.00000001.sdmp, duLT5gkRjy.exe, 00000000.00000003.302543791.00000000015BC000.00000004.00000001.sdmp, duLT5gkRjy.exe, 00000000.00000000.305608344.00000000015B7000.00000004.00000020.sdmp, WerFault.exe, 00000004.00000002.328072230.0000000004FF0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: duLT5gkRjy.exe	String found in binary or memory: http://ngdatas.pw/
Source: duLT5gkRjy.exe	String found in binary or memory: http://ngdatas.pw/https://www.listincode.com/0.0.0.0%d.%d.%d.%dhttp-1ZIP
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: duLT5gkRjy.exe	String found in binary or memory: http://www.channelinfo.pw/index.php/Home/Index/getExe
Source: duLT5gkRjy.exe	String found in binary or memory: http://www.channelinfo.pw/index.php/Home/Index/getExeidnameexe_urlexe_namerun_valuecountry_codeaband
Source: duLT5gkRjy.exe	String found in binary or memory: http://www.ecgbg.com
Source: duLT5gkRjy.exe	String found in binary or memory: http://www.ecgbg.com/Home/Index/getdata
Source: duLT5gkRjy.exe, 00000000.00000000.305608344.00000000015B7000.00000004.00000020.sdmp	String found in binary or memory: https://iplogger.org/
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/143up7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/14Jup7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/14Qju7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/14ePy7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/169Bx7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/16ajh7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/16xjh7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1746b7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1756b7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/19iM77
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1BBCf7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1CDGu7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1CUGu7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1Cr3a7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1DE477
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1G7Sc7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1GWfv7
Source: duLT5gkRjy.exe, 00000000.00000000.305608344.00000000015B7000.00000004.00000020.sdmp	String found in binary or memory: https://iplogger.org/1GWfv7=
Source: duLT5gkRjy.exe, 00000000.00000000.305608344.00000000015B7000.00000004.00000020.sdmp	String found in binary or memory: https://iplogger.org/1GWfv7eZr
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1GaLz7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1Gbzj7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1Gczj7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1Ghzj7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1GiLz7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1Gjzj7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1H3Fa7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1KyTy7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1O2BH
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1OXFG
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1OZVH
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1OhAG
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1Pdet7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1RWXp7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1SWks7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1Smzs7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1Sxzs7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1T79i7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1T89i7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1TBch7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1TCch7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1TW3i7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1TXch7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1Tkij7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1UKG97
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1UpU57
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1Uts87
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1X8M97
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1XJq97
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1XKq97
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1XSq97
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1Z7qd7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1aaVp7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1b4887
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1bV787
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1fHtp7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1lcZz
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1mxKf7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1pdxr7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1q6Jt7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1rDMq7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1rDMq785https://iplogger.org/1rd8N686https://iplogger.org/1spuy788https://iplog
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1rd8N6
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1rqRg7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1s4qp7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1s5qp7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1spuy7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1uS4i7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1uW6i7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1wnqn7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1x5bg7
Source: duLT5gkRjy.exe	String found in binary or memory: https://iplogger.org/1yXwr7
Source: duLT5gkRjy.exe, 00000000.00000000.305608344.00000000015B7000.00000004.00000020.sdmp	String found in binary or memory: https://iplogger.org/:U
Source: duLT5gkRjy.exe	String found in binary or memory: https://prntscr.com/upload.php
Source: duLT5gkRjy.exe	String found in binary or memory: https://prntscr.com/upload.phphttps://prntscr.com/upload.php
Source: duLT5gkRjy.exe	String found in binary or memory: https://sm.ms/api/v2/upload?inajax=1
Source: duLT5gkRjy.exe	String found in binary or memory: https://www.amazon.com/
Source: duLT5gkRjy.exe	String found in binary or memory: https://www.aol.com
Source: duLT5gkRjy.exe	String found in binary or memory: https://www.google.com
Source: duLT5gkRjy.exe	String found in binary or memory: https://www.google.com/search?q=admob&oq=admob
Source: duLT5gkRjy.exe	String found in binary or memory: https://www.listincode.com/

Source: unknown

DNS traffic detected: queries for: www.listincode.com

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Host: www.listincode.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /1GWfv7 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Host: iplogger.orgCache-Control: no-cache

Source: unknown	HTTPS traffic detected: 149.28.253.196:443 -> 192.168.2.3:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.9.162.45:443 -> 192.168.2.3:49743 version: TLS 1.2

Source: duLT5gkRjy.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\duLT5gkRjy.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 1116

Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F7B0E0	0_2_00F7B0E0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F550B0	0_2_00F550B0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_0103095E	0_2_0103095E
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00FB1090	0_2_00FB1090
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F61060	0_2_00F61060
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F659F0	0_2_00F659F0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F889E0	0_2_00F889E0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F9F9C0	0_2_00F9F9C0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00FA1170	0_2_00FA1170
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_010328C0	0_2_010328C0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F84130	0_2_00F84130
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F83AF0	0_2_00F83AF0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F58AA0	0_2_00F58AA0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F7AAA0	0_2_00F7AAA0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F61A80	0_2_00F61A80
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F7E260	0_2_00F7E260
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F47A30	0_2_00F47A30
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F4B3F0	0_2_00F4B3F0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F63BE0	0_2_00F63BE0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F5A3C0	0_2_00F5A3C0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F523A0	0_2_00F523A0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F753A0	0_2_00F753A0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F42380	0_2_00F42380
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00FC1B70	0_2_00FC1B70
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F4CB60	0_2_00F4CB60
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F7FB60	0_2_00F7FB60
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00FA0B60	0_2_00FA0B60
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F51B40	0_2_00F51B40
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F69CA0	0_2_00F69CA0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F9DC90	0_2_00F9DC90
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F4A460	0_2_00F4A460
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F565C0	0_2_00F565C0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F8F570	0_2_00F8F570
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F6DD20	0_2_00F6DD20
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F626C0	0_2_00F626C0
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F48E60	0_2_00F48E60
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F67E40	0_2_00F67E40
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F93630	0_2_00F93630
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F79790	0_2_00F79790
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F96F60	0_2_00F96F60
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00FC6F60	0_2_00FC6F60
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F5EF40	0_2_00F5EF40
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F84740	0_2_00F84740
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00FC0F10	0_2_00FC0F10
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_00F62F00	0_2_00F62F00

Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: String function: 00F47720 appears 121 times
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: String function: 00F481E0 appears 138 times
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: String function: 00F62220 appears 34 times
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: String function: 00F47470 appears 47 times

Source: duLT5gkRjy.exe

Static PE information: Resource name: ZIP type: Zip archive data, at least v1.0 to extract

Source: C:\Users\user\Desktop\duLT5gkRjy.exe

Process token adjusted: Load Driver

Jump to behavior

Source: duLT5gkRjy.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: duLT5gkRjy.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: duLT5gkRjy.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\duLT5gkRjy.exe

Process token adjusted: Security

Jump to behavior

Source: duLT5gkRjy.exe	Virustotal: Detection: 62%
Source: duLT5gkRjy.exe	ReversingLabs: Detection: 62%

Source: C:\Users\user\Desktop\duLT5gkRjy.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\duLT5gkRjy.exe "C:\Users\user\Desktop\duLT5gkRjy.exe"
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 1116

Source: C:\Users\user\Desktop\duLT5gkRjy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC887.tmp

Jump to behavior

Source: classification engine

Classification label: mal80.troj.winEXE@2/6@2/2

Source: duLT5gkRjy.exe, duLT5gkRjy.exe, 00000000.00000000.305417578.000000000105A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000000.00000000.298952440.000000000105A000.00000002.00020000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: duLT5gkRjy.exe, 00000000.00000000.305417578.000000000105A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000000.00000000.298952440.000000000105A000.00000002.00020000.sdmp	Binary or memory string: SELECT host,name,value,expiry FROM moz_cookies where host='.facebook.com';
Source: duLT5gkRjy.exe, duLT5gkRjy.exe, 00000000.00000000.305417578.000000000105A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000000.00000000.298952440.000000000105A000.00000002.00020000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: duLT5gkRjy.exe, duLT5gkRjy.exe, 00000000.00000000.305417578.000000000105A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000000.00000000.298952440.000000000105A000.00000002.00020000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: duLT5gkRjy.exe, 00000000.00000000.305417578.000000000105A000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000000.00000000.298952440.000000000105A000.00000002.00020000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3892
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Mutant created: \Sessions\1\BaseNamedObjects\patatoes

Source: C:\Users\user\Desktop\duLT5gkRjy.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: duLT5gkRjy.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: duLT5gkRjy.exe

Static file information: File size 1552896 > 1048576

Source: duLT5gkRjy.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x112400

Source: duLT5gkRjy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: duLT5gkRjy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: duLT5gkRjy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: duLT5gkRjy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: duLT5gkRjy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: duLT5gkRjy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: duLT5gkRjy.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: duLT5gkRjy.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wininet.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: rsaenh.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdbN source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.310917911.0000000005027000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.311494456.0000000003466000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.317276292.00000000053F1000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.311005034.0000000003466000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.317235651.00000000053C1000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317309674.00000000053C5000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317353963.00000000053C5000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdbj source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: mskeyprotect.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdbX source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.317276292.00000000053F1000.00000004.00000001.sdmp
Source:	Binary string: ncrypt.pdb5 source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000004.00000002.327372019.0000000000A12000.00000004.00000001.sdmp
Source:	Binary string: dpapi.pdbg source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.317276292.00000000053F1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.310988169.0000000003460000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.311684113.0000000003460000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.317276292.00000000053F1000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000004.00000003.317235651.00000000053C1000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317309674.00000000053C5000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317353963.00000000053C5000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.317347843.00000000053C0000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.317276292.00000000053F1000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.317276292.00000000053F1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000004.00000003.317235651.00000000053C1000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317309674.00000000053C5000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317353963.00000000053C5000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdbV source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: schannel.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdb3 source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.311380961.000000000346C000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.311026320.000000000346C000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.317276292.00000000053F1000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000004.00000003.317347843.00000000053C0000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdbB source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdbD source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdbU source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: ntasn1.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: OnDemandConnRouteHelper.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: gpapi.pdb? source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: netbios.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000004.00000003.317235651.00000000053C1000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317309674.00000000053C5000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317353963.00000000053C5000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000004.00000003.310988169.0000000003460000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.311684113.0000000003460000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000004.00000003.317235651.00000000053C1000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317309674.00000000053C5000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317353963.00000000053C5000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.317276292.00000000053F1000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdbr source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000004.00000003.317235651.00000000053C1000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317309674.00000000053C5000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317353963.00000000053C5000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000004.00000003.317235651.00000000053C1000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317309674.00000000053C5000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317353963.00000000053C5000.00000004.00000040.sdmp
Source:	Binary string: rsaenh.pdb- source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: ncryptsslp.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: gpapi.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb` source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb~ source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.317347843.00000000053C0000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdbl source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: netapi32.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.317276292.00000000053F1000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb{ source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000004.00000003.311380961.000000000346C000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.311026320.000000000346C000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.317235651.00000000053C1000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317309674.00000000053C5000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317353963.00000000053C5000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.317276292.00000000053F1000.00000004.00000001.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.317347843.00000000053C0000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.317347843.00000000053C0000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000004.00000003.311494456.0000000003466000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.311005034.0000000003466000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: CLBCatQ.pdbt source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: ncrypt.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: dpapi.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.317276292.00000000053F1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000004.00000003.317360502.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317318320.00000000053C8000.00000004.00000040.sdmp, WerFault.exe, 00000004.00000003.317245129.00000000053C8000.00000004.00000040.sdmp

Source: duLT5gkRjy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: duLT5gkRjy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: duLT5gkRjy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: duLT5gkRjy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: duLT5gkRjy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: duLT5gkRjy.exe	Static PE information: section name: .ogtrfyj
Source: duLT5gkRjy.exe	Static PE information: section name: .ogtrfyj

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000004.00000002.328060193.0000000004FDA000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000002.328024784.0000000004F1E000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Users\user\Desktop\duLT5gkRjy.exe

Code function: 0_2_0102B8A6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0102B8A6

Source: C:\Users\user\Desktop\duLT5gkRjy.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_010383D7 mov eax, dword ptr fs:[00000030h]		0_2_010383D7
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_010424F8 mov eax, dword ptr fs:[00000030h]		0_2_010424F8

Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_0102B8A6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0102B8A6
Source: C:\Users\user\Desktop\duLT5gkRjy.exe	Code function: 0_2_01024F72 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_01024F72

Source: duLT5gkRjy.exe, 00000000.00000000.307006199.0000000001D30000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000000.00000000.305763813.0000000001D30000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: duLT5gkRjy.exe, 00000000.00000000.307006199.0000000001D30000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000000.00000000.305763813.0000000001D30000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: duLT5gkRjy.exe, 00000000.00000000.307006199.0000000001D30000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000000.00000000.305763813.0000000001D30000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: duLT5gkRjy.exe, 00000000.00000000.307006199.0000000001D30000.00000002.00020000.sdmp, duLT5gkRjy.exe, 00000000.00000000.305763813.0000000001D30000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\duLT5gkRjy.exe

Code function: 0_2_01026304 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_01026304

Source: C:\Users\user\Desktop\duLT5gkRjy.exe

Code function: 0_2_010429E0 _free,_free,_free,GetTimeZoneInformation,_free,

0_2_010429E0

Source: Amcache.hve.4.dr, Amcache.hve.LOG1.4.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr, Amcache.hve.LOG1.4.dr	Binary or memory string: procexp.exe

Stealing of Sensitive Information:

Yara detected Socelars

Show sources

Source: Yara match	File source: duLT5gkRjy.exe, type: SAMPLE
Source: Yara match	File source: 0.0.duLT5gkRjy.exe.f40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.duLT5gkRjy.exe.f40000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.duLT5gkRjy.exe.f40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.duLT5gkRjy.exe.f40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.305417578.000000000105A000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.306515847.000000000105A000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.298952440.000000000105A000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: duLT5gkRjy.exe PID: 3892, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	LSASS Driver1	Process Injection2	Virtualization/Sandbox Evasion1	OS Credential Dumping	System Time Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	LSASS Driver1	Process Injection2	LSASS Memory	Security Software Discovery31	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol113	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Network Configuration Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
duLT5gkRjy.exe	62%	Virustotal		Browse
duLT5gkRjy.exe	62%	ReversingLabs	Win32.Adware.ExtInstaller

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
www.listincode.com	10%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.channelinfo.pw/index.php/Home/Index/getExe	0%	URL Reputation	safe
http://ngdatas.pw/https://www.listincode.com/0.0.0.0%d.%d.%d.%dhttp-1ZIP	0%	URL Reputation	safe
http://www.ecgbg.com	0%	Virustotal		Browse
http://www.ecgbg.com	0%	Avira URL Cloud	safe
https://www.listincode.com/	0%	URL Reputation	safe
http://www.ecgbg.com/Home/Index/getdata	0%	Avira URL Cloud	safe
http://www.channelinfo.pw/index.php/Home/Index/getExeidnameexe_urlexe_namerun_valuecountry_codeaband	0%	URL Reputation	safe
http://ngdatas.pw/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
iplogger.org	5.9.162.45	true	false		high
www.listincode.com	149.28.253.196	true	true	10%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://iplogger.org/1GWfv7	false		high
https://www.listincode.com/	true	URL Reputation: safe	unknown
http://ngdatas.pw/	true	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://iplogger.org/1KyTy7	duLT5gkRjy.exe	false		high
https://iplogger.org/14Qju7	duLT5gkRjy.exe	false		high
https://iplogger.org/1Gjzj7	duLT5gkRjy.exe	false		high
https://iplogger.org/1756b7	duLT5gkRjy.exe	false		high
https://iplogger.org/1Gbzj7	duLT5gkRjy.exe	false		high
https://iplogger.org/1TBch7	duLT5gkRjy.exe	false		high
https://iplogger.org/1Cr3a7	duLT5gkRjy.exe	false		high
https://iplogger.org/1spuy7	duLT5gkRjy.exe	false		high
https://iplogger.org/1UKG97	duLT5gkRjy.exe	false		high
http://www.channelinfo.pw/index.php/Home/Index/getExe	duLT5gkRjy.exe	false	URL Reputation: safe	unknown
https://iplogger.org/	duLT5gkRjy.exe, 00000000.00000000.305608344.00000000015B7000.00000004.00000020.sdmp	false		high
https://iplogger.org/1fHtp7	duLT5gkRjy.exe	false		high
https://iplogger.org/1XJq97	duLT5gkRjy.exe	false		high
https://iplogger.org/1BBCf7	duLT5gkRjy.exe	false		high
http://ngdatas.pw/https://www.listincode.com/0.0.0.0%d.%d.%d.%dhttp-1ZIP	duLT5gkRjy.exe	true	URL Reputation: safe	unknown
https://iplogger.org/143up7	duLT5gkRjy.exe	false		high
https://iplogger.org/1DE477	duLT5gkRjy.exe	false		high
https://iplogger.org/1Tkij7	duLT5gkRjy.exe	false		high
https://iplogger.org/1T79i7	duLT5gkRjy.exe	false		high
https://www.google.com	duLT5gkRjy.exe	false		high
http://www.ecgbg.com	duLT5gkRjy.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://iplogger.org/1s5qp7	duLT5gkRjy.exe	false		high
https://iplogger.org/1Uts87	duLT5gkRjy.exe	false		high
https://iplogger.org/1TCch7	duLT5gkRjy.exe	false		high
https://iplogger.org/1G7Sc7	duLT5gkRjy.exe	false		high
https://iplogger.org/1GWfv7eZr	duLT5gkRjy.exe, 00000000.00000000.305608344.00000000015B7000.00000004.00000020.sdmp	false		high
https://iplogger.org/1OhAG	duLT5gkRjy.exe	false		high
https://iplogger.org/1b4887	duLT5gkRjy.exe	false		high
https://iplogger.org/1pdxr7	duLT5gkRjy.exe	false		high
https://iplogger.org/1rqRg7	duLT5gkRjy.exe	false		high
https://iplogger.org/1aaVp7	duLT5gkRjy.exe	false		high
http://www.ecgbg.com/Home/Index/getdata	duLT5gkRjy.exe	false	Avira URL Cloud: safe	unknown
https://iplogger.org/1H3Fa7	duLT5gkRjy.exe	false		high
https://iplogger.org/1OZVH	duLT5gkRjy.exe	false		high
https://iplogger.org/1UpU57	duLT5gkRjy.exe	false		high
https://iplogger.org/1rd8N6	duLT5gkRjy.exe	false		high
https://iplogger.org/1O2BH	duLT5gkRjy.exe	false		high
https://iplogger.org/1Pdet7	duLT5gkRjy.exe	false		high
http://www.channelinfo.pw/index.php/Home/Index/getExeidnameexe_urlexe_namerun_valuecountry_codeaband	duLT5gkRjy.exe	false	URL Reputation: safe	unknown
https://iplogger.org/1x5bg7	duLT5gkRjy.exe	false		high
https://iplogger.org/1XKq97	duLT5gkRjy.exe	false		high
https://iplogger.org/1XSq97	duLT5gkRjy.exe	false		high
https://iplogger.org/1746b7	duLT5gkRjy.exe	false		high
https://iplogger.org/19iM77	duLT5gkRjy.exe	false		high
https://iplogger.org/169Bx7	duLT5gkRjy.exe	false		high
https://iplogger.org/1T89i7	duLT5gkRjy.exe	false		high
https://iplogger.org/1rDMq785https://iplogger.org/1rd8N686https://iplogger.org/1spuy788https://iplog	duLT5gkRjy.exe	false		high
https://iplogger.org/1s4qp7	duLT5gkRjy.exe	false		high
https://iplogger.org/1uS4i7	duLT5gkRjy.exe	false		high
https://iplogger.org/1uW6i7	duLT5gkRjy.exe	false		high
https://iplogger.org/16ajh7	duLT5gkRjy.exe	false		high
https://iplogger.org/14ePy7	duLT5gkRjy.exe	false		high
https://iplogger.org/16xjh7	duLT5gkRjy.exe	false		high
https://iplogger.org/1wnqn7	duLT5gkRjy.exe	false		high
https://iplogger.org/1X8M97	duLT5gkRjy.exe	false		high
https://www.amazon.com/	duLT5gkRjy.exe	false		high
https://iplogger.org/1Ghzj7	duLT5gkRjy.exe	false		high
https://iplogger.org/1rDMq7	duLT5gkRjy.exe	false		high
http://upx.sf.net	Amcache.hve.4.dr	false		high
https://iplogger.org/1lcZz	duLT5gkRjy.exe	false		high
https://iplogger.org/1TW3i7	duLT5gkRjy.exe	false		high
https://iplogger.org/1Z7qd7	duLT5gkRjy.exe	false		high
https://iplogger.org/1q6Jt7	duLT5gkRjy.exe	false		high
https://iplogger.org/1mxKf7	duLT5gkRjy.exe	false		high
https://iplogger.org/1CUGu7	duLT5gkRjy.exe	false		high
https://iplogger.org/1OXFG	duLT5gkRjy.exe	false		high
https://iplogger.org/:U	duLT5gkRjy.exe, 00000000.00000000.305608344.00000000015B7000.00000004.00000020.sdmp	false		high
https://iplogger.org/1bV787	duLT5gkRjy.exe	false		high
https://prntscr.com/upload.php	duLT5gkRjy.exe	false		high
https://sm.ms/api/v2/upload?inajax=1	duLT5gkRjy.exe	false		high
https://www.google.com/search?q=admob&oq=admob	duLT5gkRjy.exe	false		high
https://iplogger.org/14Jup7	duLT5gkRjy.exe	false		high
https://iplogger.org/1GWfv7=	duLT5gkRjy.exe, 00000000.00000000.305608344.00000000015B7000.00000004.00000020.sdmp	false		high
https://iplogger.org/1SWks7	duLT5gkRjy.exe	false		high
https://iplogger.org/1TXch7	duLT5gkRjy.exe	false		high
https://iplogger.org/1Gczj7	duLT5gkRjy.exe	false		high
https://iplogger.org/1Sxzs7	duLT5gkRjy.exe	false		high
https://iplogger.org/1GiLz7	duLT5gkRjy.exe	false		high
https://prntscr.com/upload.phphttps://prntscr.com/upload.php	duLT5gkRjy.exe	false		high
https://iplogger.org/1GaLz7	duLT5gkRjy.exe	false		high
https://iplogger.org/1Smzs7	duLT5gkRjy.exe	false		high
https://www.aol.com	duLT5gkRjy.exe	false		high
https://iplogger.org/1CDGu7	duLT5gkRjy.exe	false		high
https://iplogger.org/1yXwr7	duLT5gkRjy.exe	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.28.253.196	www.listincode.com	United States		20473	AS-CHOOPAUS	true
5.9.162.45	iplogger.org	Germany		24940	HETZNER-ASDE	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	528744
Start date:	25.11.2021
Start time:	18:30:10
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	duLT5gkRjy.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.winEXE@2/6@2/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.89.179.12 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, arc.msn.com Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
149.28.253.196	duLT5gkRjy.exe	Get hash	malicious	Browse
	EaCmG75WxF.exe	Get hash	malicious	Browse
	EaCmG75WxF.exe	Get hash	malicious	Browse
	OPKyR75fJn.exe	Get hash	malicious	Browse
	LZxr7xI4nc.exe	Get hash	malicious	Browse
	3E8869030B9C89B8C43E9F8A6730A516E3945AB1272E3.exe	Get hash	malicious	Browse
	5A15ECE1649A5EF54B70B95D9D413BAD068B8C1C932E2.exe	Get hash	malicious	Browse
	23062BA932165210EBB3FFCD15474E79F19E6AD74869F.exe	Get hash	malicious	Browse
	6D2FF3CC83EA214E33E4105CCB1051CD85B82E052F615.exe	Get hash	malicious	Browse
	FhP4JYCU7J.exe	Get hash	malicious	Browse
	FhP4JYCU7J.exe	Get hash	malicious	Browse
	44E401AAF0B52528AA033257C1A1B8A09A2B10EDF26ED.exe	Get hash	malicious	Browse
	77012C024869BA2639B54B959FAB1E10EBAAF8EBB9BFC.exe	Get hash	malicious	Browse
	WQRrng5aiw.exe	Get hash	malicious	Browse
	WQRrng5aiw.exe	Get hash	malicious	Browse
	22BA4262D93379DE524029DAFC7528E431E56A22CB293.exe	Get hash	malicious	Browse
	kq5Of3SOMZ.exe	Get hash	malicious	Browse
	QABYgAqa5Z.exe	Get hash	malicious	Browse
	aBGNeDS7yM.exe	Get hash	malicious	Browse
	aBGNeDS7yM.exe	Get hash	malicious	Browse
5.9.162.45	VDnn1698j5.exe	Get hash	malicious	Browse	iplogger.org/1YLyj7
	TEiwRyJ2v1.exe	Get hash	malicious	Browse	iplogger.org/1YLyj7
	sBz6zVtsB1.exe	Get hash	malicious	Browse	iplogger.org/1YLyj7
	qTtykpVyaY.exe	Get hash	malicious	Browse	iplogger.org/1YLyj7
	mXLL1BHUQh.exe	Get hash	malicious	Browse	iplogger.org/1YLyj7
	EVhIUVrKx8.exe	Get hash	malicious	Browse	iplogger.org/2A2xh6
	pQscpg84Lh.exe	Get hash	malicious	Browse	iplogger.org/1PZN77
	pl8c1emoOu.exe	Get hash	malicious	Browse	iplogger.org/1juiu7
	RmzVjXQ0a6.exe	Get hash	malicious	Browse	iplogger.org/1juiu7
	fMo9q56dnX.exe	Get hash	malicious	Browse	iplogger.org/1juiu7
	Screenshot00112021.scr.exe	Get hash	malicious	Browse	iplogger.org/1BwFn7.gz
	SAlxtNmHFR.exe	Get hash	malicious	Browse	iplogger.org/1BTpm7

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
iplogger.org	VYeSXonMT1.exe	Get hash	malicious	Browse	5.9.162.45
	duLT5gkRjy.exe	Get hash	malicious	Browse	5.9.162.45
	EaCmG75WxF.exe	Get hash	malicious	Browse	5.9.162.45
	EaCmG75WxF.exe	Get hash	malicious	Browse	5.9.162.45
	5A15ECE1649A5EF54B70B95D9D413BAD068B8C1C932E2.exe	Get hash	malicious	Browse	5.9.162.45
	6D2FF3CC83EA214E33E4105CCB1051CD85B82E052F615.exe	Get hash	malicious	Browse	5.9.162.45
	j0UcwcqjvM.exe	Get hash	malicious	Browse	5.9.162.45
	0K31jgS20G.exe	Get hash	malicious	Browse	5.9.162.45
	vAsfZhw32P.exe	Get hash	malicious	Browse	5.9.162.45
	FhP4JYCU7J.exe	Get hash	malicious	Browse	5.9.162.45
	FhP4JYCU7J.exe	Get hash	malicious	Browse	5.9.162.45
	WQRrng5aiw.exe	Get hash	malicious	Browse	5.9.162.45
	WQRrng5aiw.exe	Get hash	malicious	Browse	5.9.162.45
	e8rimWGicH.exe	Get hash	malicious	Browse	5.9.162.45
	kq5Of3SOMZ.exe	Get hash	malicious	Browse	5.9.162.45
	RtpLhZOyaf.exe	Get hash	malicious	Browse	5.9.162.45
	vWNrGi9qLx.exe	Get hash	malicious	Browse	5.9.162.45
	VDnn1698j5.exe	Get hash	malicious	Browse	5.9.162.45
	TEiwRyJ2v1.exe	Get hash	malicious	Browse	5.9.162.45
	iIrI72Motw.exe	Get hash	malicious	Browse	5.9.162.45
www.listincode.com	duLT5gkRjy.exe	Get hash	malicious	Browse	149.28.253.196
	EaCmG75WxF.exe	Get hash	malicious	Browse	149.28.253.196
	EaCmG75WxF.exe	Get hash	malicious	Browse	149.28.253.196
	5A15ECE1649A5EF54B70B95D9D413BAD068B8C1C932E2.exe	Get hash	malicious	Browse	149.28.253.196
	6D2FF3CC83EA214E33E4105CCB1051CD85B82E052F615.exe	Get hash	malicious	Browse	149.28.253.196
	FhP4JYCU7J.exe	Get hash	malicious	Browse	149.28.253.196
	FhP4JYCU7J.exe	Get hash	malicious	Browse	149.28.253.196
	WQRrng5aiw.exe	Get hash	malicious	Browse	149.28.253.196
	WQRrng5aiw.exe	Get hash	malicious	Browse	149.28.253.196
	kq5Of3SOMZ.exe	Get hash	malicious	Browse	149.28.253.196
	aBGNeDS7yM.exe	Get hash	malicious	Browse	149.28.253.196
	aBGNeDS7yM.exe	Get hash	malicious	Browse	149.28.253.196
	f4gxrcTDkV.exe	Get hash	malicious	Browse	149.28.253.196
	SOO6hKZ7M0.exe	Get hash	malicious	Browse	149.28.253.196
	SOO6hKZ7M0.exe	Get hash	malicious	Browse	149.28.253.196
	f4gxrcTDkV.exe	Get hash	malicious	Browse	149.28.253.196
	I6erIt5Uil.exe	Get hash	malicious	Browse	149.28.253.196
	I6erIt5Uil.exe	Get hash	malicious	Browse	149.28.253.196
	B4A1AFA93C65EBA3AB6EFEB4624DCC8D65DBDEFEFE682.exe	Get hash	malicious	Browse	149.28.253.196
	fXlJhe5OGb.exe	Get hash	malicious	Browse	149.28.253.196

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-CHOOPAUS	duLT5gkRjy.exe	Get hash	malicious	Browse	149.28.253.196
	EaCmG75WxF.exe	Get hash	malicious	Browse	149.28.253.196
	EaCmG75WxF.exe	Get hash	malicious	Browse	149.28.253.196
	EzCOXP6oxy.dll	Get hash	malicious	Browse	66.42.57.149
	IkroV40UrZ.dll	Get hash	malicious	Browse	66.42.57.149
	C1Q17Dg4RT.dll	Get hash	malicious	Browse	66.42.57.149
	MakbLShaqA.dll	Get hash	malicious	Browse	66.42.57.149
	MakbLShaqA.dll	Get hash	malicious	Browse	66.42.57.149
	OPKyR75fJn.exe	Get hash	malicious	Browse	149.28.253.196
	Ljm7n1QDZe	Get hash	malicious	Browse	68.232.173.117
	Jx35I5pwgd	Get hash	malicious	Browse	66.42.54.65
	tUJXpPwU27.dll	Get hash	malicious	Browse	66.42.57.149
	LZxr7xI4nc.exe	Get hash	malicious	Browse	149.28.253.196
	3E8869030B9C89B8C43E9F8A6730A516E3945AB1272E3.exe	Get hash	malicious	Browse	149.28.253.196
	5A15ECE1649A5EF54B70B95D9D413BAD068B8C1C932E2.exe	Get hash	malicious	Browse	149.28.253.196
	asbestos_safety_and_eradication_agency_enterprise_agreement 41573 .js	Get hash	malicious	Browse	45.76.154.237
	23062BA932165210EBB3FFCD15474E79F19E6AD74869F.exe	Get hash	malicious	Browse	149.28.253.196
	DA8063D9EB60622915D492542A6A8AE318BC87B4C5F89.exe	Get hash	malicious	Browse	155.138.201.103
	asbestos_safety_and_eradication_agency_enterprise_agreement 64081 .js	Get hash	malicious	Browse	45.76.154.237
	pYebrdRKvR.dll	Get hash	malicious	Browse	66.42.57.149
HETZNER-ASDE	VYeSXonMT1.exe	Get hash	malicious	Browse	5.9.162.45
	duLT5gkRjy.exe	Get hash	malicious	Browse	5.9.162.45
	EaCmG75WxF.exe	Get hash	malicious	Browse	5.9.162.45
	8p2NlqFgew.exe	Get hash	malicious	Browse	49.12.42.56
	EaCmG75WxF.exe	Get hash	malicious	Browse	5.9.162.45
	EzCOXP6oxy.dll	Get hash	malicious	Browse	78.47.204.80
	IkroV40UrZ.dll	Get hash	malicious	Browse	78.47.204.80
	C1Q17Dg4RT.dll	Get hash	malicious	Browse	78.47.204.80
	ff0231.exe	Get hash	malicious	Browse	5.9.96.94
	MakbLShaqA.dll	Get hash	malicious	Browse	78.47.204.80
	MakbLShaqA.dll	Get hash	malicious	Browse	78.47.204.80
	Zr26f1rL6r.exe	Get hash	malicious	Browse	88.99.22.5
	OPKyR75fJn.exe	Get hash	malicious	Browse	5.9.162.45
	meerkat.arm7	Get hash	malicious	Browse	148.251.220.118
	oQANZnrt9d	Get hash	malicious	Browse	135.181.142.151
	tUJXpPwU27.dll	Get hash	malicious	Browse	78.47.204.80
	LZxr7xI4nc.exe	Get hash	malicious	Browse	5.9.162.45
	3E8869030B9C89B8C43E9F8A6730A516E3945AB1272E3.exe	Get hash	malicious	Browse	5.9.162.45
	5A15ECE1649A5EF54B70B95D9D413BAD068B8C1C932E2.exe	Get hash	malicious	Browse	5.9.162.45
	23062BA932165210EBB3FFCD15474E79F19E6AD74869F.exe	Get hash	malicious	Browse	5.9.162.45

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	duLT5gkRjy.exe	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	EaCmG75WxF.exe	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	fpvN6iDp5r.msi	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	EaCmG75WxF.exe	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	Se adjunta el pedido, proforma.exe	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	Statement.html	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	Michal November 23, 2021.html	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	survey-1384723731.xls	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	Wfedtqxbgeorkwcgiehsnsjbdjghrpjtlr.exe	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	survey-1378794827.xls	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	Zr26f1rL6r.exe	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	mN2NobuuDv.exe	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	cs.exe	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	ORDINE + DDT A.M.F SpA.exe	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	mal1.html	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	5A15ECE1649A5EF54B70B95D9D413BAD068B8C1C932E2.exe	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	DOC5629.htm	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	Racun je u prilogu.exe	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	exe.exe	Get hash	malicious	Browse	149.28.253.196 5.9.162.45
	INF-BRdocsx.NDVDELDKRS.msi	Get hash	malicious	Browse	149.28.253.196 5.9.162.45

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_duLT5gkRjy.exe_1716a7dbaca25d22b8ce403b85cf2c886155787b_b69a8483_13b5e2e5\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0233191102109929
Encrypted:	false
SSDEEP:	192:Anc8oB6HBUZMXYjmH6v8/u7sOS274Itc1:dBSBUZMXYj18/u7sOX4Itc
MD5:	64532E6982B75B13DCB8E8AFE3E5D9E0
SHA1:	4F58B6E10EBA0E84C59F55D67F5D450350A44670
SHA-256:	1BF3C2BBF16B5EED060FD344A1E2879505549B8417BA80CC436F9689C0ABD050
SHA-512:	67B5736CB2CA94A37AF63A7B3C26DA5E3EA27800A15799EB5019E6E6029993485AFD14C4C2C06DB4B727A71937E2AE0851784CD9386580198F4FA7D2FBAE4D5B
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.3.6.7.4.7.7.6.4.2.1.6.2.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.2.3.6.7.4.8.2.9.8.5.8.9.8.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.a.4.8.f.e.a.e.-.a.2.2.7.-.4.3.8.1.-.a.0.6.0.-.2.7.1.d.9.9.2.9.a.b.6.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.5.6.e.1.0.5.5.-.7.8.7.5.-.4.e.0.f.-.a.5.2.b.-.e.f.d.a.6.6.5.8.5.9.3.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.d.u.L.T.5.g.k.R.j.y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.3.4.-.0.0.0.1.-.0.0.1.c.-.5.5.7.b.-.e.7.a.c.6.d.e.2.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.c.8.5.b.f.e.1.d.6.f.e.f.d.b.d.a.c.0.f.9.1.5.3.d.0.2.f.9.b.5.5.0.0.0.0.0.9.0.4.!.0.0.0.0.3.0.f.4.9.d.0.f.3.d.4.6.c.c.9.c.c.f.8.7.3.3.2.4.7.a.0.7.0.9.5.5.5.a.d.2.0.9.9.f.!.d.u.L.T.5.g.k.R.j.y...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC887.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Nov 26 02:31:19 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	133586
Entropy (8bit):	1.9575006011588891
Encrypted:	false
SSDEEP:	768:a6GOGq543us47/2TTV50q1LWT67lBm8k:nGqqZ4LKVdLial08k
MD5:	7FA23BBCFBD011A38BF36DD254ACF6B0
SHA1:	8410BD2F5824B1AB8989369B9A3C628837D348A3
SHA-256:	82EA97751C7F3D31CD2F84A0E68B9B1DB72EAF45EB3C134ECD34380AF75A4B13
SHA-512:	66C5ED495472BB3B42958DBE84FC4AFAE843C19DD63B4CE0340C0948885406627107C9E120FCA7ACC933223A433E64AF51235EC1A6BA61AF9E8141EB4DA80F90
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........F.a............D...........,...L............Q..........T.......8...........T............J.............x#..........d%...................................................................U...........B.......%......GenuineIntelW...........T.......4....F.a.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD308.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8306
Entropy (8bit):	3.700997041446704
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNioa6I6YFMSUUmagmffSFCpr2f89bF7sfSXm:RrlsNiF6I6YuSUUmagmffScFAf7
MD5:	33CB3256453AE76BE6D89398FA592F7E
SHA1:	8654B77403BFA841A21276F51A95605ABCCD816C
SHA-256:	D9596FBC7F7EFDDB3A2DF46D3F688C8E12253C9DF81DDEE5C0EC5D5BB4F2FCBC
SHA-512:	6CAEF9E616B5ACF2A02E23A09A154260AB0B0F478D92D6E4856FCB2D484A881ADF00E786C2F58D911D5EE1EA39DF6D5054EF959232206B660E317A5BAB379766
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.8.9.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD693.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4563
Entropy (8bit):	4.475383153915464
Encrypted:	false
SSDEEP:	48:cvIwSD8zssJgtWI9CUWSC8BeZ8fm8M4JnCfBifsFw+q8OxuDOj5tdF0q0Fd:uITfqFNSNQeJnC81XQStdF0q0Fd
MD5:	D76B493DDC621380DC76E582217ED256
SHA1:	143AAB5BDD3F857150EA509D20A43E5E361563A6
SHA-256:	896B01034D3EBB0E57C1E297E7109C2E2CEAE8E0469E193D3DACBB65A8DD8D1C
SHA-512:	D471889DE7BE37B3D8EB3085CBF3A68A7999273AE4F34000E9D697A3E7BFFCB268D9A691196B90D82744F347EB56CC7D377B7C2A6791BEC85C5CEBF003EDF09E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1270781" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.2725546722942855
Encrypted:	false
SSDEEP:	12288:0DA07ZfdOy5nfGhGoOf0kxdQFkRT5dZc/sv8p/OxOHoVoIi2p0L3O:MA07ZfdOy5nfGhiK
MD5:	A6693480A81EF21D7876A7896A7A3749
SHA1:	C7B276BF35B42C64272A88CD7BB06921597B5F76
SHA-256:	7F61CC853388EEF9D9D3486AF095472F0D7FFB818D0DBACB6AD27054DC568A30
SHA-512:	EA29C0F9B5BDCC37873F7AE73073CD8CFF84764685C6888A264D35D654AD5A6B24993F8B0B88CB43CEDD59ABF87591AC0F915D829F5949AF721061382ED01421
Malicious:	false
Reputation:	low
Preview:	regfZ...Z...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm..,.m................................................................................................................................................................................................................................................................................................................................................(.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	4.208443372093175
Encrypted:	false
SSDEEP:	768:/zhdCYMwqh/r3CmC5ftx1PJ4X8FFtr7pBqXieq5QMVyi6a74LXRuzmHjW:kf/yzfoCReI
MD5:	580DA4A16D4EEEE9725C6DEBF8FB021F
SHA1:	D121FB158E66331237922491C237BFD209EC7A2F
SHA-256:	4FA6C26141496B0660848CE64070C9A1835DB5BAF9F1BEDB030879966E180513
SHA-512:	F7D3A3AF3E30CB8DF4BC7BC777B3E12AE0A0315E1B479F6B284146DAA0027BA45028C6ABC937AD86A79E482315C9A7F7092147B3D6FC10A019DD4EC508667DDB
Malicious:	false
Reputation:	low
Preview:	regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm..,.m................................................................................................................................................................................................................................................................................................................................................(.HvLE........Y............84.\w....0".I{7......... ....... .......P.......0................... ..hbin................p.\..,..........nk,...,.m................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ...,.m....... ........................... .......Z.......................Root........lf......Root....nk ...,.m....................}.............. ...............*...............DeviceCensus.......................vk..................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.685246086092563
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	duLT5gkRjy.exe
File size:	1552896
MD5:	d42456f7afc812628a9ff67d8c9340eb
SHA1:	30f49d0f3d46cc9ccf8733247a0709555ad2099f
SHA256:	a5b981c10065983578a2bca4399f901bd5a4e87b4ebe2d05c1f9971fb9fb36ac
SHA512:	02de7cd71c5155ac5d08f7e432f5f3a138a6800d74479c4696cf877bbcf8fc99bbbf972a50991ca978b5416b89d76b6ab652a9d7315bc61b1baf23aacfdbd755
SSDEEP:	24576:+CjpXA4U35ozW03XRp/hESVE5uU2xbVN6pZVnoYLRZgUQs8n:rpTJxPNlcPVnoYLRZvz8n
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........@...............-.......+.w.....+..............-.......&..............(......./......./.7.....*.......+....................

File Icon


Icon Hash:	c8d8d8b6f0f83c58

Static PE Info

General
Entrypoint:	0x4e5eb3
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x619F64CF [Thu Nov 25 10:26:23 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d69e4c13e25f0ad622344ac56118c0df

Entrypoint Preview

Instruction
call 00007F77545C60EEh
jmp 00007F77545C5AC9h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00528BCCh
mov dword ptr [ecx], 0051A510h
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F77545C5C2Fh
push 00543C5Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F77545C7AD3h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F7754575B75h
push 0053FF54h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F77545C7AB6h
int3
int3
push 004E9EA0h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+10h], ebp
lea ebp, dword ptr [esp+10h]
sub esp, eax
push ebx
push esi
push edi
mov eax, dword ptr [00546944h]
xor dword ptr [ebp-04h], eax
xor eax, ebp
push eax
mov dword ptr [ebp-18h], esp
push dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFEh
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
ret
push ebp
mov ebp, esp
and dword ptr [0054C488h], 00000000h
sub esp, 24h
or dword ptr [00546960h], 01h
push 0000000Ah
call dword ptr [0051A1D4h]
test eax, eax
je 00007F77545C5DFFh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1445f4	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14f000	0x2c550	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x17c000	0x8098	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x13d910	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x13da40	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x13d948	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11a000	0x30c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1122a1	0x112400	False	0.505059964676	data	6.55728577412	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.ogtrfyj	0x114000	0x580a	0x5a00	False	0.466579861111	data	5.981573238	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x11a000	0x2b7b2	0x2b800	False	0.447607983118	data	5.81232244285	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x146000	0x77a4	0x2e00	False	0.252802309783	data	3.89020136245	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ogtrfyj	0x14e000	0x50	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x14f000	0x2c550	0x2c600	False	0.68740096831	data	6.50827273455	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x17c000	0x8098	0x8200	False	0.705498798077	data	6.64096530369	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
ZIP	0x16f100	0xc2ce	Zip archive data, at least v1.0 to extract	Chinese	China
RT_ICON	0x14f360	0x668	data	Chinese	China
RT_ICON	0x14f9c8	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2541320505, next used block 1153431	Chinese	China
RT_ICON	0x14fcb0	0x128	GLS_BINARY_LSB_FIRST	Chinese	China
RT_ICON	0x14fdd8	0xea8	data	Chinese	China
RT_ICON	0x150c80	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 15757402, next used block 15166820	Chinese	China
RT_ICON	0x151528	0x568	GLS_BINARY_LSB_FIRST	Chinese	China
RT_ICON	0x151a90	0x9160	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Chinese	China
RT_ICON	0x15abf0	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0	Chinese	China
RT_ICON	0x16b418	0x25a8	data	Chinese	China
RT_ICON	0x16d9c0	0x10a8	data	Chinese	China
RT_ICON	0x16ea68	0x468	GLS_BINARY_LSB_FIRST	Chinese	China
RT_GROUP_ICON	0x16eed0	0xa0	data	Chinese	China
RT_VERSION	0x16ef70	0x18c	PGP symmetric key encrypted data - Plaintext or unencrypted data	Chinese	China
RT_MANIFEST	0x17b3d0	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	GetComputerNameW, GetModuleFileNameA, GetCurrentProcessId, OpenProcess, GetModuleFileNameW, SetLastError, WaitForSingleObject, CreateEventW, FreeLibrary, WinExec, GetPrivateProfileStringW, CopyFileW, SetStdHandle, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, LocalFree, LocalAlloc, LoadResource, FindResourceW, SizeofResource, LockResource, GetTickCount, GetCurrentThread, Sleep, GetProcessHeap, HeapAlloc, GetLastError, GetTempPathA, SetCurrentDirectoryW, GetShortPathNameA, LoadLibraryW, GetProcAddress, WideCharToMultiByte, MultiByteToWideChar, SystemTimeToFileTime, DosDateTimeToFileTime, GetCurrentProcess, DuplicateHandle, CloseHandle, WriteFile, SetFileTime, SetFilePointer, ReadFile, GetFileType, CreateFileW, CreateDirectoryW, TerminateProcess, GetCurrentDirectoryW, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, GetTimeZoneInformation, GetFileSizeEx, GetConsoleOutputCP, SetFilePointerEx, ReadConsoleW, GetConsoleMode, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetCommandLineW, GetCommandLineA, GetStdHandle, ExitProcess, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, CreateThread, LoadLibraryExW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, RtlUnwind, RaiseException, GetStringTypeW, WriteConsoleW, GetCPInfo, CompareStringEx, LCMapStringEx, DecodePointer, EncodePointer, InitializeCriticalSectionEx, InitializeSListHead, GetStartupInfoW, IsDebuggerPresent, GetModuleHandleW, ResetEvent, SetEvent, InitializeCriticalSectionAndSpinCount, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, FlushFileBuffers, QueryPerformanceCounter, MapViewOfFile, CreateFileMappingW, AreFileApisANSI, TryEnterCriticalSection, HeapCreate, HeapFree, EnterCriticalSection, GetFullPathNameW, GetDiskFreeSpaceW, OutputDebugStringA, LockFile, LeaveCriticalSection, InitializeCriticalSection, GetFullPathNameA, SetEndOfFile, UnlockFileEx, GetTempPathW, CreateMutexW, GetFileAttributesW, GetCurrentThreadId, UnmapViewOfFile, HeapValidate, HeapSize, FormatMessageW, GetDiskFreeSpaceA, GetFileAttributesA, GetFileAttributesExW, OutputDebugStringW, FlushViewOfFile, CreateFileA, LoadLibraryA, WaitForSingleObjectEx, DeleteFileA, DeleteFileW, HeapReAlloc, GetSystemInfo, HeapCompact, HeapDestroy, UnlockFile, LockFileEx, GetFileSize, DeleteCriticalSection, GetSystemTimeAsFileTime, GetSystemTime, FormatMessageA
ADVAPI32.dll	LookupPrivilegeValueW, AdjustTokenPrivileges, LookupAccountNameW, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, SetSecurityDescriptorDacl, IsValidSecurityDescriptor, InitializeSecurityDescriptor, InitializeAcl, GetTokenInformation, GetLengthSid, FreeSid, EqualSid, DuplicateToken, AllocateAndInitializeSid, AddAccessAllowedAce, AccessCheck, OpenThreadToken, OpenProcessToken
SHELL32.dll	ShellExecuteExA
ole32.dll	CoInitializeEx, CoGetObject, CoUninitialize
WININET.dll	InternetGetCookieExA
NETAPI32.dll	Netbios
ntdll.dll	RtlInitUnicodeString, NtFreeVirtualMemory, LdrEnumerateLoadedModules, RtlEqualUnicodeString, RtlAcquirePebLock, NtAllocateVirtualMemory, RtlReleasePebLock, RtlNtStatusToDosError, RtlCreateHeap, RtlDestroyHeap, RtlAllocateHeap, RtlFreeHeap, NtClose, NtOpenKey, NtEnumerateValueKey, NtQueryValueKey

Version Infos

Description	Data
LegalCopyright	Copyright (C) 2019
FileVersion	1.0.0.1
ProductVersion	1.0.0.1
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2021 18:31:12.532079935 CET	49742	443	192.168.2.3	149.28.253.196
Nov 25, 2021 18:31:12.532138109 CET	443	49742	149.28.253.196	192.168.2.3
Nov 25, 2021 18:31:12.532258034 CET	49742	443	192.168.2.3	149.28.253.196
Nov 25, 2021 18:31:12.551681042 CET	49742	443	192.168.2.3	149.28.253.196
Nov 25, 2021 18:31:12.551717043 CET	443	49742	149.28.253.196	192.168.2.3
Nov 25, 2021 18:31:12.967639923 CET	443	49742	149.28.253.196	192.168.2.3
Nov 25, 2021 18:31:12.967834949 CET	49742	443	192.168.2.3	149.28.253.196
Nov 25, 2021 18:31:13.236102104 CET	49742	443	192.168.2.3	149.28.253.196
Nov 25, 2021 18:31:13.236160040 CET	443	49742	149.28.253.196	192.168.2.3
Nov 25, 2021 18:31:13.236682892 CET	443	49742	149.28.253.196	192.168.2.3
Nov 25, 2021 18:31:13.236828089 CET	49742	443	192.168.2.3	149.28.253.196
Nov 25, 2021 18:31:13.240427971 CET	49742	443	192.168.2.3	149.28.253.196
Nov 25, 2021 18:31:13.280915976 CET	443	49742	149.28.253.196	192.168.2.3
Nov 25, 2021 18:31:13.744211912 CET	443	49742	149.28.253.196	192.168.2.3
Nov 25, 2021 18:31:13.744285107 CET	443	49742	149.28.253.196	192.168.2.3
Nov 25, 2021 18:31:13.744432926 CET	49742	443	192.168.2.3	149.28.253.196
Nov 25, 2021 18:31:13.744487047 CET	49742	443	192.168.2.3	149.28.253.196
Nov 25, 2021 18:31:13.745064020 CET	49742	443	192.168.2.3	149.28.253.196
Nov 25, 2021 18:31:13.745085955 CET	443	49742	149.28.253.196	192.168.2.3
Nov 25, 2021 18:31:13.831502914 CET	49743	443	192.168.2.3	5.9.162.45
Nov 25, 2021 18:31:13.831552982 CET	443	49743	5.9.162.45	192.168.2.3
Nov 25, 2021 18:31:13.831710100 CET	49743	443	192.168.2.3	5.9.162.45
Nov 25, 2021 18:31:13.833194017 CET	49743	443	192.168.2.3	5.9.162.45
Nov 25, 2021 18:31:13.833240032 CET	443	49743	5.9.162.45	192.168.2.3
Nov 25, 2021 18:31:13.926969051 CET	443	49743	5.9.162.45	192.168.2.3
Nov 25, 2021 18:31:13.927119970 CET	49743	443	192.168.2.3	5.9.162.45
Nov 25, 2021 18:31:13.935358047 CET	49743	443	192.168.2.3	5.9.162.45
Nov 25, 2021 18:31:13.935394049 CET	443	49743	5.9.162.45	192.168.2.3
Nov 25, 2021 18:31:13.935803890 CET	443	49743	5.9.162.45	192.168.2.3
Nov 25, 2021 18:31:13.935878992 CET	49743	443	192.168.2.3	5.9.162.45
Nov 25, 2021 18:31:13.936772108 CET	49743	443	192.168.2.3	5.9.162.45
Nov 25, 2021 18:31:13.971000910 CET	443	49743	5.9.162.45	192.168.2.3
Nov 25, 2021 18:31:13.971102953 CET	443	49743	5.9.162.45	192.168.2.3
Nov 25, 2021 18:31:13.971105099 CET	49743	443	192.168.2.3	5.9.162.45
Nov 25, 2021 18:31:13.971182108 CET	49743	443	192.168.2.3	5.9.162.45
Nov 25, 2021 18:31:13.995783091 CET	49743	443	192.168.2.3	5.9.162.45
Nov 25, 2021 18:31:13.995820045 CET	443	49743	5.9.162.45	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2021 18:31:12.471581936 CET	58045	53	192.168.2.3	8.8.8.8
Nov 25, 2021 18:31:12.510402918 CET	53	58045	8.8.8.8	192.168.2.3
Nov 25, 2021 18:31:13.787858963 CET	57459	53	192.168.2.3	8.8.8.8
Nov 25, 2021 18:31:13.825834036 CET	53	57459	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 25, 2021 18:31:12.471581936 CET	192.168.2.3	8.8.8.8	0x9a8b	Standard query (0)	www.listincode.com	A (IP address)	IN (0x0001)
Nov 25, 2021 18:31:13.787858963 CET	192.168.2.3	8.8.8.8	0x7bcf	Standard query (0)	iplogger.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 25, 2021 18:31:12.510402918 CET	8.8.8.8	192.168.2.3	0x9a8b	No error (0)	www.listincode.com		149.28.253.196	A (IP address)	IN (0x0001)
Nov 25, 2021 18:31:13.825834036 CET	8.8.8.8	192.168.2.3	0x7bcf	No error (0)	iplogger.org		5.9.162.45	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.listincode.com

iplogger.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49742	149.28.253.196	443	C:\Users\user\Desktop\duLT5gkRjy.exe

Timestamp	Direction	Data
2021-11-25 17:31:13 UTC	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Host: www.listincode.com Cache-Control: no-cache
2021-11-25 17:31:13 UTC	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Nov 2021 17:31:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2 Connection: close X-Powered-By: PHP/5.6.40 Access-Control-Allow-Origin: *
2021-11-25 17:31:13 UTC	IN	Data Raw: 47 42 Data Ascii: GB

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49743	5.9.162.45	443	C:\Users\user\Desktop\duLT5gkRjy.exe

Timestamp	kBytes transferred	Direction	Data
2021-11-25 17:31:13 UTC	0	OUT	GET /1GWfv7 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Host: iplogger.org Cache-Control: no-cache
2021-11-25 17:31:13 UTC	0	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Nov 2021 17:31:13 GMT Content-Type: image/png Transfer-Encoding: chunked Connection: close Set-Cookie: clhf03028ja=84.17.52.63; expires=Wed, 18-Jul-2029 05:49:51 GMT; Max-Age=241186718; path=/ Set-Cookie: timezone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/ Cache-Control: no-store, no-cache, must-revalidate Expires: Thu, 25 Nov 2021 17:31:13 +0000 Answers: whoami: dd7a5982e8b1de9b0cc7da7fe0ec7879c44089276a00308f59743c09424407f5 Strict-Transport-Security: max-age=31536000; preload X-Frame-Options: DENY
2021-11-25 17:31:13 UTC	1	IN	Data Raw: 37 34 0d 0a 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 01 00 00 00 01 01 03 00 00 00 25 db 56 ca 00 00 00 03 50 4c 54 45 00 00 00 a7 7a 3d da 00 00 00 01 74 52 4e 53 00 40 e6 d8 66 00 00 00 09 70 48 59 73 00 00 0e c4 00 00 0e c4 01 95 2b 0e 1b 00 00 00 0a 49 44 41 54 08 99 63 60 00 00 00 02 00 01 f4 71 64 a6 00 00 00 00 49 45 4e 44 ae 42 60 82 0d 0a 30 0d 0a 0d 0a Data Ascii: 74PNGIHDR%VPLTEz=tRNS@fpHYs+IDATc`qdIENDB`0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: duLT5gkRjy.exe PID: 3892 Parent PID: 3676

General

Start time:	18:31:11
Start date:	25/11/2021
Path:	C:\Users\user\Desktop\duLT5gkRjy.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\duLT5gkRjy.exe"
Imagebase:	0xf40000
File size:	1552896 bytes
MD5 hash:	D42456F7AFC812628A9FF67D8C9340EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Socelars, Description: Yara detected Socelars, Source: 00000000.00000000.305417578.000000000105A000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Socelars, Description: Yara detected Socelars, Source: 00000000.00000000.306515847.000000000105A000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Socelars, Description: Yara detected Socelars, Source: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Socelars, Description: Yara detected Socelars, Source: 00000000.00000000.298952440.000000000105A000.00000002.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: WerFault.exe PID: 4760 Parent PID: 3892

General

Start time:	18:31:15
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 1116
Imagebase:	0xbf0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: duLT5gkRjy.exe PID: 3892 Parent PID: 3676 duLT5gkRjy.exeCOMMON

Executed Functions

Function 01027D6F, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,01025F0E,?,?,?,01025F0E,00FED863,0107FF54,00FED863), ref: 01027DCF

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c4c3885e29a11b281839e1ffeed2cb4b7295ca650d8af13e0ffcc6856073253c
Instruction ID: 0e4a5482392703a5f3021b8a85a9a25de99a7635ef356ded83a6ee297afd4fe5
Opcode Fuzzy Hash: c4c3885e29a11b281839e1ffeed2cb4b7295ca650d8af13e0ffcc6856073253c
Instruction Fuzzy Hash: 46018F36A00218ABD701AF5CD984BAEBFF9FF55614F154199EA84AB391D770A900CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01025172, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

stdext::threads::lock_error::lock_error.LIBCPMTD ref: 01025EFB

Part of subcall function 01027D6F: KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,01025F0E,?,?,?,01025F0E,00FED863,0107FF54,00FED863), ref: 01027DCF

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DispatcherExceptionUserstdext::threads::lock_error::lock_error
String ID:
API String ID: 3035003668-0
Opcode ID: 744bedf6f1ad0e99c099baad8c627db0ec6e52c81421d051072a1b5bb838be27
Instruction ID: b6a5c7cb336560b91cc3827d604db3a38aa12b1f366018fca0482a65b317dcc0
Opcode Fuzzy Hash: 744bedf6f1ad0e99c099baad8c627db0ec6e52c81421d051072a1b5bb838be27
Instruction Fuzzy Hash: BCF0E93480471E76CF18B6B9EC159EE777C6E10710F608171E9E49A4D0EF70E61985C4

Uniqueness

Uniqueness Score: -1.00%

Function 0103D77C, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00FED863,00000000,?,0103D3A3,00000001,00000364,00000006,000000FF,?,00000000,?,0102F02E,0103D4F0), ref: 0103D7BD

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e7bb09e3acc5bf9d4deb92c38abf75c0105c7e89af11187d6c3fed381d9555be
Instruction ID: d57cae6c077e9f99aaa827ff6b6816ce290346e7b76de647a018b17d32f9b3f3
Opcode Fuzzy Hash: e7bb09e3acc5bf9d4deb92c38abf75c0105c7e89af11187d6c3fed381d9555be
Instruction Fuzzy Hash: 61F0E0316041755AB7A31AB69844A9E3B9CBFC06B0B444151EDC4D7184EB30D40047F0

Uniqueness

Uniqueness Score: -1.00%

Function 0103D4AD, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,?,?,0102518C,00000000,00000000,00FE41D7,00000008), ref: 0103D4DF

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 488a94680b62249e8c6490a0b2f059da05e3a8a58517a1da5c2007a4828ca8f2
Instruction ID: c33d27d74e764b229059ca69923657110e4e05e87050e3ad963652295c07b53f
Opcode Fuzzy Hash: 488a94680b62249e8c6490a0b2f059da05e3a8a58517a1da5c2007a4828ca8f2
Instruction Fuzzy Hash: 6BE03031605225A7E67266A99914BDF3A9DABC22A0F450151EDD596190CE55A80083F1

Uniqueness

Uniqueness Score: -1.00%

Function 01003950, Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

Concurrency::details::SweeperContext::SweeperContext.LIBCMTD ref: 0100397D

Part of subcall function 01008A90: allocator.LIBCONCRTD ref: 01008AA8

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Sweeper$Concurrency::details::ContextContext::allocator
String ID:
API String ID: 1818788282-0
Opcode ID: 3984ac3b85756b9455ef929abe313970a59e66325267b19afb490f20f7e134b3
Instruction ID: f2ce028e52657bfa7f268c9b8c0eb7c4e903f499d19a36e865b36293652cbd81
Opcode Fuzzy Hash: 3984ac3b85756b9455ef929abe313970a59e66325267b19afb490f20f7e134b3
Instruction Fuzzy Hash: 6DF0DAB2A08649EBCB15DF88DD40BAEB7B8FB49720F10466AF865977C0DB356900CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01008A90, Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

allocator.LIBCONCRTD ref: 01008AA8

Part of subcall function 0100DE50: _Allocate.LIBCONCRTD ref: 0100DE64

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Allocateallocator
String ID:
API String ID: 40054573-0
Opcode ID: a96456a152ed901be9ef967162b874377f0fd57863a1e0a734a6904219b92e4b
Instruction ID: 730977f7f84263ad3dfa04c7c53cd0f83126579b4e854240224c4ee660bb2ad8
Opcode Fuzzy Hash: a96456a152ed901be9ef967162b874377f0fd57863a1e0a734a6904219b92e4b
Instruction Fuzzy Hash: BCD06774A05208EBD704DF94D641B99FBF5EB49704F2082D9E8085B391D672AE00DB95

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00F8F570, Relevance: 28.9, Strings: 22, Instructions: 1395COMMON

Download Yara Rule

Strings

views may not be indexed, xrefs: 00F8F91B
sqlite_autoindex_%s_%d, xrefs: 00F8FACD
name='%q' AND type='index', xrefs: 00F90571
expressions prohibited in PRIMARY KEY and UNIQUE constraints, xrefs: 00F8FFA7
sqlite_temp_master, xrefs: 00F8FAFF
corrupt database, xrefs: 00F8F632
sqlite_, xrefs: 00F8F839
altertab_, xrefs: 00F8F897
sqlite_master, xrefs: 00F8FB09, 00F8FB19, 00F90483
CREATE%s INDEX %.*s, xrefs: 00F90456
cannot create a TEMP index on non-TEMP table "%s", xrefs: 00F8F783
index, xrefs: 00F8F6E0, 00F8FC4B
there is already a table named %s, xrefs: 00F8F9DB
conflicting ON CONFLICT clauses specified, xrefs: 00F90213
virtual tables may not be indexed, xrefs: 00F8F93D
too many columns in %s, xrefs: 00F8FC50
table %s may not be indexed, xrefs: 00F8F8DF
UNIQUE, xrefs: 00F90448
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);, xrefs: 00F9048E
BINARY, xrefs: 00F8FF09, 00F8FF30, 00F8FF4D, 00F900EA
index %s already exists, xrefs: 00F8FA14
unknown database %T, xrefs: 00F8F661

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: UNIQUE$BINARY$CREATE%s INDEX %.*s$INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);$altertab_$cannot create a TEMP index on non-TEMP table "%s"$conflicting ON CONFLICT clauses specified$corrupt database$expressions prohibited in PRIMARY KEY and UNIQUE constraints$index$index %s already exists$name='%q' AND type='index'$sqlite_$sqlite_autoindex_%s_%d$sqlite_master$sqlite_temp_master$table %s may not be indexed$there is already a table named %s$too many columns in %s$unknown database %T$views may not be indexed$virtual tables may not be indexed
API String ID: 0-4131144391
Opcode ID: 48b700f2bca696aa9a53593e9bc0d135c90b099f2604e5c88dc1c8d33706afd1
Instruction ID: 02084bf6378e34e3e3eba325c51bd26f89c01728db54ce35d6439278883c1ad4
Opcode Fuzzy Hash: 48b700f2bca696aa9a53593e9bc0d135c90b099f2604e5c88dc1c8d33706afd1
Instruction Fuzzy Hash: 6AC2F471A043018FDB14DF28C490B6ABBE1FF88324F19856DE8999B352DB35EC45DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F626C0, Relevance: 15.7, Strings: 12, Instructions: 686COMMON

Download Yara Rule

Strings

Failed to read ptrmap key=%d, xrefs: 00F6294E, 00F62B23, 00F62BBF
Extends off end of page, xrefs: 00F62A41
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d), xrefs: 00F6297D, 00F62B52, 00F62BEE
Fragmentation of %d bytes reported as %d on page %d, xrefs: 00F62EA5
Multiple uses for byte %u of page %d, xrefs: 00F62E55
Child page depth differs, xrefs: 00F62C22
unable to get the page. error code=%d, xrefs: 00F627D4
2nd reference to page %d, xrefs: 00F6277B, 00F62781
Offset %d out of range %d..%d, xrefs: 00F62C72
Rowid %lld out of order, xrefs: 00F62A89
invalid page number %d, xrefs: 00F62734, 00F62739
btreeInitPage() returns error code %d, xrefs: 00F62830

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 2nd reference to page %d$Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)$Child page depth differs$Extends off end of page$Failed to read ptrmap key=%d$Fragmentation of %d bytes reported as %d on page %d$Multiple uses for byte %u of page %d$Offset %d out of range %d..%d$Rowid %lld out of order$btreeInitPage() returns error code %d$invalid page number %d$unable to get the page. error code=%d
API String ID: 0-1545182708
Opcode ID: cd1cf84b944675cb249e3d2a871fb0e1b857177508f36c7494aa9bb2797ff779
Instruction ID: e1cccbafbb35d31d8d7555e71759ef7334b60e488dfbd6595a35cf593d56b3d6
Opcode Fuzzy Hash: cd1cf84b944675cb249e3d2a871fb0e1b857177508f36c7494aa9bb2797ff779
Instruction Fuzzy Hash: 6C42ABB0A087419FD764CF18C880A6ABBE6FBD8310F18495DF889CB342D735E945DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F79790, Relevance: 13.3, Strings: 10, Instructions: 829COMMON

Download Yara Rule

Strings

%s: %s.%s.%s, xrefs: 00F79F83
row value misused, xrefs: 00F79FFB
new, xrefs: 00F79BF6
%s: %s, xrefs: 00F7A07B
ambiguous column name, xrefs: 00F79F67
%s: %s.%s, xrefs: 00F7A06A
ROWID, xrefs: 00F7A1EC, 00F7A1F6
misuse of aliased aggregate %s, xrefs: 00F79FBA
old, xrefs: 00F79C45
no such column, xrefs: 00F79F6C, 00F79F82, 00F7A069, 00F7A07A

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: %s: %s$%s: %s.%s$%s: %s.%s.%s$ROWID$ambiguous column name$misuse of aliased aggregate %s$new$no such column$old$row value misused
API String ID: 0-690255045
Opcode ID: 4e63b0c2411c96a546393e116e1f3ecb9c9619fc6d0bca85285e4b1fbef862c6
Instruction ID: df8953643d1e1386a34a796869067d4b9f5fb8f6a328bb2da4e2d3c2597daa18
Opcode Fuzzy Hash: 4e63b0c2411c96a546393e116e1f3ecb9c9619fc6d0bca85285e4b1fbef862c6
Instruction Fuzzy Hash: DB729E31A083918FC715CF29C490A6ABBF1BF89324F19859EE9D98B352C775EC01DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F6DD20, Relevance: 12.9, Strings: 10, Instructions: 412COMMON

Download Yara Rule

Strings

%lld, xrefs: 00F6E040
'%.*q', xrefs: 00F6E0FC
-- , xrefs: 00F6DDC0, 00F6DDD7
`$, xrefs: 00F6E115
%!.15g, xrefs: 00F6E068
NULL, xrefs: 00F6E00B
NULL, xrefs: 00F6E025
zeroblob(%d), xrefs: 00F6E146
%02x, xrefs: 00F6E1AC
d, xrefs: 00F6DD6A

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: %!.15g$%02x$%lld$'%.*q'$-- $NULL$NULL$`$$d$zeroblob(%d)
API String ID: 0-425311666
Opcode ID: 425f5e70a6acd1299562ec354a21fdf78e7a4fe8487c7863ebe024995a785b89
Instruction ID: 39578fdb1a954a04cb37ea8174f9d85e9174dcdd2c8e9942f9ea71ed731d8d1f
Opcode Fuzzy Hash: 425f5e70a6acd1299562ec354a21fdf78e7a4fe8487c7863ebe024995a785b89
Instruction Fuzzy Hash: 14F1E176E083408FE724DF24C8517AABBE1AFD5314F24482DF8D687261E776D845DB82

Uniqueness

Uniqueness Score: -1.00%

Function 00F7B0E0, Relevance: 12.9, Strings: 10, Instructions: 356COMMON

Download Yara Rule

Strings

ORDER, xrefs: 00F7B419
UNION, xrefs: 00F7B51D
UNION ALL, xrefs: 00F7B532, 00F7B537
SELECTs to the left and right of %s do not have the same number of result columns, xrefs: 00F7B538
aggregate functions are not allowed in the GROUP BY clause, xrefs: 00F7B4E4
all VALUES must have the same number of terms, xrefs: 00F7B4F4
INTERSECT, xrefs: 00F7B524
a GROUP BY clause is required before HAVING, xrefs: 00F7B4BD
GROUP, xrefs: 00F7B449
EXCEPT, xrefs: 00F7B52B

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: EXCEPT$GROUP$INTERSECT$ORDER$SELECTs to the left and right of %s do not have the same number of result columns$UNION$UNION ALL$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause$all VALUES must have the same number of terms
API String ID: 0-2775031899
Opcode ID: a37d26e9ffbc70ea54480a8496f0706e6821a44fe5598c10c171a5bc5c265a73
Instruction ID: 75a82f83806226dcb1fcc2955fd3a5bfc617fd3d53cb2f08bc0f65486402a222
Opcode Fuzzy Hash: a37d26e9ffbc70ea54480a8496f0706e6821a44fe5598c10c171a5bc5c265a73
Instruction Fuzzy Hash: 49E19071A043028FC714CF18C884B6AB7E1FF8A714F548A5EE8899B751E775EC51DB82

Uniqueness

Uniqueness Score: -1.00%

Function 00FB1090, Relevance: 12.1, Strings: 9, Instructions: 816COMMON

Download Yara Rule

Strings

%s.%s.%s, xrefs: 00FB18DB
subquery_%p, xrefs: 00FB1201
no tables specified, xrefs: 00FB19BC
too many references to "%s": max 65535, xrefs: 00FB1364
too many columns in result set, xrefs: 00FB1A05
Expression tree is too large (maximum depth %d), xrefs: 00FB173F
'%s' is not a function, xrefs: 00FB1348
no such table: %s, xrefs: 00FB19A9
%s.%s, xrefs: 00FB17B9

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: %s.%s$%s.%s.%s$'%s' is not a function$Expression tree is too large (maximum depth %d)$no such table: %s$no tables specified$subquery_%p$too many columns in result set$too many references to "%s": max 65535
API String ID: 0-1692665679
Opcode ID: 9449c398e78c47ec7286e14826325d9e9eb2718d0456cd867ebe27f07006694e
Instruction ID: 4a7fb52a5b3f0dae21610a29effbb00fd2c0792e4c27c7a8e7b3721560a2c38b
Opcode Fuzzy Hash: 9449c398e78c47ec7286e14826325d9e9eb2718d0456cd867ebe27f07006694e
Instruction Fuzzy Hash: 7862D471A043018FCB14CF2AC8A0AAAB7E1FF89724F58456DE8899B351D735EC45DF92

Uniqueness

Uniqueness Score: -1.00%

Function 00FA1170, Relevance: 11.8, Strings: 9, Instructions: 525COMMON

Download Yara Rule

Strings

lib, xrefs: 00FA13BC
unable to open shared library [%s], xrefs: 00FA12E7
_init, xrefs: 00FA145C
te3_, xrefs: 00FA138F
sqlite3_extension_init, xrefs: 00FA1220
no entry point [%s] in shared library [%s], xrefs: 00FA1637
not authorized, xrefs: 00FA11F6
%s.%s, xrefs: 00FA124C
error during initialization: %s, xrefs: 00FA1517

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: %s.%s$_init$error during initialization: %s$lib$no entry point [%s] in shared library [%s]$not authorized$sqlite3_extension_init$te3_$unable to open shared library [%s]
API String ID: 0-842236153
Opcode ID: 775e0325955016fbb635f3bb770f81954e23882437a1cd815296debd4dcec7ac
Instruction ID: cd0e9db7a97e59bb5f55864087a32c662bf7dc9bd4e63082f23366e0edb63d67
Opcode Fuzzy Hash: 775e0325955016fbb635f3bb770f81954e23882437a1cd815296debd4dcec7ac
Instruction Fuzzy Hash: A102D7B1A043018FC714DF68D84476AB7E8BF8A324F090669FC99C7341EB39D915DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FC1B70, Relevance: 11.2, Strings: 8, Instructions: 1235COMMON

Download Yara Rule

Strings

,, xrefs: 00FC2A95
NOCASE, xrefs: 00FC248B
E, xrefs: 00FC27F3
ON clause references tables to its right, xrefs: 00FC1D78
F, xrefs: 00FC2802
BINARY, xrefs: 00FC2234, 00FC2486
Expression tree is too large (maximum depth %d), xrefs: 00FC28C6
-, xrefs: 00FC215E

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ,$-$BINARY$E$Expression tree is too large (maximum depth %d)$F$NOCASE$ON clause references tables to its right
API String ID: 0-653960482
Opcode ID: f0ac8332f64257ea9c167b596acec9065274c75af0252da7cde60f2254bb8804
Instruction ID: 7cb2ab3dd4584dcc97f289d0745af6a59e50839730e02ea326c761e40ed270d5
Opcode Fuzzy Hash: f0ac8332f64257ea9c167b596acec9065274c75af0252da7cde60f2254bb8804
Instruction Fuzzy Hash: 34B2B074A083428FD764CF28C581B2ABBE1FF89314F14895DE8998B352D735EC46DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F753A0, Relevance: 9.3, Strings: 7, Instructions: 565COMMON

Download Yara Rule

Strings

no such column: "%s", xrefs: 00F758E4
cannot open table without rowid: %s, xrefs: 00F758F4
cannot open virtual table: %s, xrefs: 00F758FC
cannot open view: %s, xrefs: 00F758EC
indexed, xrefs: 00F75642
foreign key, xrefs: 00F755F5
cannot open %s column for writing, xrefs: 00F758B0

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"
API String ID: 0-594550510
Opcode ID: 6a89c2dfb50bcbc41ad32bede18aafee11fc282a735f2c7e23072771dfe05cc0
Instruction ID: 4dc3297fb660bc23aae1ddaed397fe7123ee0eeb386787befad618f71239fea6
Opcode Fuzzy Hash: 6a89c2dfb50bcbc41ad32bede18aafee11fc282a735f2c7e23072771dfe05cc0
Instruction Fuzzy Hash: B032C470A04741CFDB14DF28C490B6AB7E2BF88B14F14856EE8898B346D7B5DC45DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F889E0, Relevance: 8.0, Strings: 6, Instructions: 527COMMON

Download Yara Rule

Strings

database is already attached, xrefs: 00F88CDA
out of memory, xrefs: 00F88FB9
database %s is already in use, xrefs: 00F88B82
attached databases must use the same text encoding as main database, xrefs: 00F88D2F
unable to open database: %s, xrefs: 00F88F38
too many attached databases - max %d, xrefs: 00F88ABA

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: attached databases must use the same text encoding as main database$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
API String ID: 0-2224017942
Opcode ID: 64d6090f953a69abe0b92dc07ed7c4b632d2bfd278f6df8091d4e75ec4462b67
Instruction ID: b208e5a685ee3296affcc3f36750bfb6ef6ae27e3316b9e3a0d73d8e4633e566
Opcode Fuzzy Hash: 64d6090f953a69abe0b92dc07ed7c4b632d2bfd278f6df8091d4e75ec4462b67
Instruction Fuzzy Hash: 51124970A083419FCB24EF24C4807BABBE1BF85354F58465DE8958B382DB75EC46EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F51B40, Relevance: 8.0, Strings: 6, Instructions: 491COMMON

Download Yara Rule

Strings

1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827, xrefs: 00F51ECB
-wal, xrefs: 00F51D0D
nolock, xrefs: 00F51DB6
%s at line %d of [%.10s], xrefs: 00F51EDA
immutable, xrefs: 00F51F1F
cannot open file, xrefs: 00F51ED5

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: %s at line %d of [%.10s]$-wal$1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827$cannot open file$immutable$nolock
API String ID: 0-3103482366
Opcode ID: 9e7c074498f96bf32aeadc6e0c358a09916a58e1ac632d4a6eb0d1e6b1f5689d
Instruction ID: 1a1435cee998e6e9b937fc4c773f5644c4d79b382b14f681eb1da46e4f4a9ceb
Opcode Fuzzy Hash: 9e7c074498f96bf32aeadc6e0c358a09916a58e1ac632d4a6eb0d1e6b1f5689d
Instruction Fuzzy Hash: 470211B1E007059FDB14CF68C8517EEBBF1AF45314F14826DD99A9B382D736A90ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 010429E0, Relevance: 7.8, APIs: 5, Instructions: 330timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01042A9D
_free.LIBCMT ref: 01042C69
_free.LIBCMT ref: 01042CE1
GetTimeZoneInformation.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,?,?,?,01042EA2,?,?,00000000), ref: 01042CF3

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID:
API String ID: 597776487-0
Opcode ID: a7af232f64b4f3ffeb6d7e679e4d4f2dd86937b06cb474435b84b29ae18e9a68
Instruction ID: f560f411a2ad3b864643f22ba9a14add2b91e4ba6a681274d5416247c8dcc6f5
Opcode Fuzzy Hash: a7af232f64b4f3ffeb6d7e679e4d4f2dd86937b06cb474435b84b29ae18e9a68
Instruction Fuzzy Hash: D8A1F8B1A00216ABDB24BF68EDC1AEE7BB9EF54750F144079F9C1D7154E7319A40C790

Uniqueness

Uniqueness Score: -1.00%

Function 00F523A0, Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 389COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F527C9

Part of subcall function 00F52140: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F52225

Strings

1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827, xrefs: 00F524F4
%s at line %d of [%.10s], xrefs: 00F52503
cannot open file, xrefs: 00F524FE

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: %s at line %d of [%.10s]$1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827$cannot open file
API String ID: 885266447-3209268730
Opcode ID: eb4702de6f2c4aa6958cfee7e7f5a9cc28bb1c8b295875760c8da0b782390976
Instruction ID: 35c964a711418ae3c3c6eb06567832e3fec8893127755e36d9efd1068e74ca19
Opcode Fuzzy Hash: eb4702de6f2c4aa6958cfee7e7f5a9cc28bb1c8b295875760c8da0b782390976
Instruction Fuzzy Hash: D6E1F571A04742AFD754CF28C840B6AB7E0BF86325F08475DEA588B281E774EC48DBD2

Uniqueness

Uniqueness Score: -1.00%

Function 00F62F00, Relevance: 6.6, Strings: 5, Instructions: 392COMMON

Download Yara Rule

Strings

Page %d is never used, xrefs: 00F63226
Failed to read ptrmap key=%d, xrefs: 00F6310A
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d), xrefs: 00F6313F
Pointer map page %d is referenced, xrefs: 00F6328F
d, xrefs: 00F62FA1

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)$Failed to read ptrmap key=%d$Page %d is never used$Pointer map page %d is referenced$d
API String ID: 0-1091876281
Opcode ID: 84f9d2f23f79d6b73f7f419f7c2bb196b62b53059cae311430acf16770e6d6be
Instruction ID: e41312e8bfd2f362274f1d9cefe61b04375e761ce8db335eba22ee8cd28da71d
Opcode Fuzzy Hash: 84f9d2f23f79d6b73f7f419f7c2bb196b62b53059cae311430acf16770e6d6be
Instruction Fuzzy Hash: 62F1B371E002248BDF24CF28CC55BAEB7B5BF45314F1482D9D849AB282DB359E85DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00F67E40, Relevance: 5.6, Strings: 4, Instructions: 627COMMON

Download Yara Rule

Strings

MJ collide: %s, xrefs: 00F680A6
%s-mjXXXXXX9XXz, xrefs: 00F68054
-mj%06X9%02X, xrefs: 00F680DC
MJ delete: %s, xrefs: 00F68118

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: %s-mjXXXXXX9XXz$-mj%06X9%02X$MJ collide: %s$MJ delete: %s
API String ID: 0-4034981963
Opcode ID: 5aa5f0bbc1676ad44df5b0dd5298f24769760018727a2317e79999099d24c450
Instruction ID: 5648040f1320647cb080adf2bf3393631a636de5775610f75b25943ce83789f4
Opcode Fuzzy Hash: 5aa5f0bbc1676ad44df5b0dd5298f24769760018727a2317e79999099d24c450
Instruction Fuzzy Hash: F8229174A047018FD714DF28D891B6BB7E1EF88364F144A6DE8998B341DB35EC06DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FA0B60, Relevance: 5.5, Strings: 4, Instructions: 460COMMON

Download Yara Rule

Strings

1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827, xrefs: 00FA0BA7
%s at line %d of [%.10s], xrefs: 00FA0BB6
misuse, xrefs: 00FA0BB1
d, xrefs: 00FA0DC7

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: %s at line %d of [%.10s]$1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827$d$misuse
API String ID: 0-14470748
Opcode ID: 089c3da4e996e1fa15b24322688ff4107c9129d34a614c9a05632a52a9a880de
Instruction ID: 4e3bee840ce0695071522a0ee389c7bd2c696d9b8e0ea5d19350f4ae17720787
Opcode Fuzzy Hash: 089c3da4e996e1fa15b24322688ff4107c9129d34a614c9a05632a52a9a880de
Instruction Fuzzy Hash: 7D02BFB1A083409FC724CF28D484B6BB7E5BF85724F15492DF8859B242DB75EC45EB82

Uniqueness

Uniqueness Score: -1.00%

Function 00F7AAA0, Relevance: 5.3, Strings: 4, Instructions: 327COMMON

Download Yara Rule

Strings

ORDER, xrefs: 00F7AE38
%r ORDER BY term does not match any column in the result set, xrefs: 00F7AE68
%r %s BY term out of range - should be between 1 and %d, xrefs: 00F7AE3E
too many terms in ORDER BY clause, xrefs: 00F7AAE2

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: %r %s BY term out of range - should be between 1 and %d$%r ORDER BY term does not match any column in the result set$ORDER$too many terms in ORDER BY clause
API String ID: 0-3892209816
Opcode ID: b09ba8afb2ba4eeb92586916e258ff07aabbb4485f134a9e5d724b5c38b56956
Instruction ID: 74ebe0814f8604cceea665cd4a26fc99e951f7d5c8decf9f834c331d159e4f96
Opcode Fuzzy Hash: b09ba8afb2ba4eeb92586916e258ff07aabbb4485f134a9e5d724b5c38b56956
Instruction Fuzzy Hash: D4C15A71A043428FC715CF18C880A2AB7E1BFC9724F168A5EE8899B351D775EC46DB93

Uniqueness

Uniqueness Score: -1.00%

Function 00F96F60, Relevance: 5.3, Strings: 4, Instructions: 315COMMON

Download Yara Rule

Strings

%!.20e, xrefs: 00F97023
%!.15g, xrefs: 00F96FE1
NULL, xrefs: 00F9729F
string or blob too big, xrefs: 00F97161, 00F972BB

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: %!.15g$%!.20e$NULL$string or blob too big
API String ID: 0-1779043326
Opcode ID: d4543cb6cec75d9f42369807658d9d3f43899c5135902201a6129e29cd9bec57
Instruction ID: d8191d64be484ff7807ea42f6684451cbb75a8308199749baecd19b9c84eae93
Opcode Fuzzy Hash: d4543cb6cec75d9f42369807658d9d3f43899c5135902201a6129e29cd9bec57
Instruction Fuzzy Hash: D8B18E31A1C3408BEB14EF18DC4176AB7A2AF86324F28465DF4858B293E736DC459792

Uniqueness

Uniqueness Score: -1.00%

Function 00F5EF40, Relevance: 5.2, Strings: 3, Instructions: 1440COMMON

Download Yara Rule

Strings

1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827, xrefs: 00F5F2AE, 00F5F64B, 00F5F994, 00F5F9BF, 00F5FA9A, 00F5FDA5
%s at line %d of [%.10s], xrefs: 00F5F2BD, 00F5F65A, 00F5F9A3, 00F5F9CE, 00F5FAA9, 00F5FDB4
database corruption, xrefs: 00F5F2B8, 00F5F655, 00F5F99E, 00F5F9C9, 00F5FAA4, 00F5FDAF

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: %s at line %d of [%.10s]$1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827$database corruption
API String ID: 0-3078602584
Opcode ID: de35bd9addb762b3155b8a034807a055ce87ae958ebd0e880f4ed36bfdb977c3
Instruction ID: f8e8c83bdd99330a17b1e9e4a0d191ad8269d9f96feff5e80cb1e816d14031a2
Opcode Fuzzy Hash: de35bd9addb762b3155b8a034807a055ce87ae958ebd0e880f4ed36bfdb977c3
Instruction Fuzzy Hash: 3BD25875A083418FC714DF19C480A6BBBE1BFC8314F5489ADE9C98B351EB34E949DB92

Uniqueness

Uniqueness Score: -1.00%

Function 0102B8A6, Relevance: 4.6, APIs: 3, Instructions: 77COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0102B99E
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0102B9A8
UnhandledExceptionFilter.KERNEL32(?), ref: 0102B9B5

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: c9caba9c254362d5df0e98181b21b0c3839e4c327a4d913fb0fc1d15be81c979
Instruction ID: 8ba9859d8f72f29f295c5d852ae7a34dcf3fbd687dc252d60d5d39b631336009
Opcode Fuzzy Hash: c9caba9c254362d5df0e98181b21b0c3839e4c327a4d913fb0fc1d15be81c979
Instruction Fuzzy Hash: 5631C2749012299BCB61DF68D8887CDBBF8BF18310F5041EAE84CA7250EB759B858F44

Uniqueness

Uniqueness Score: -1.00%

Function 00F69CA0, Relevance: 4.5, Strings: 3, Instructions: 775COMMON

Download Yara Rule

Strings

1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827, xrefs: 00F69DFF, 00F6A5B6, 00F6A5F0
%s at line %d of [%.10s], xrefs: 00F69E0E, 00F6A5C5, 00F6A5FF
database corruption, xrefs: 00F69E09, 00F6A5C0, 00F6A5FA

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: %s at line %d of [%.10s]$1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827$database corruption
API String ID: 0-3078602584
Opcode ID: 16401e22e239bcf08a1c81d5879a666fd593f7b1889262e3a2549c73842e3211
Instruction ID: c7dc931cc8247d29e504f9ac8f18d41a4a655a6acc9aaa9eb5572b004209efac
Opcode Fuzzy Hash: 16401e22e239bcf08a1c81d5879a666fd593f7b1889262e3a2549c73842e3211
Instruction Fuzzy Hash: 21521B71A083518FC714CF28C49122ABBD2BFC5364F18C66DE4EAAB291D775D842EF52

Uniqueness

Uniqueness Score: -1.00%

Function 010383D7, Relevance: 4.5, APIs: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,010383D6,00000000,?,00000000,00000000,00000000,00000000), ref: 010383F9
TerminateProcess.KERNEL32(00000000,?,010383D6,00000000,?,00000000,00000000,00000000,00000000), ref: 01038400
ExitProcess.KERNEL32 ref: 01038412

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: af5b92214f873c23821601b82572543e9025d96fe69ee9064c64a4482dc52919
Instruction ID: 00a6403aba12640c6051680b8e60f57e59d6d43582e5dcef1294e8a051216f7f
Opcode Fuzzy Hash: af5b92214f873c23821601b82572543e9025d96fe69ee9064c64a4482dc52919
Instruction Fuzzy Hash: 5DE0E671510304EFCF216F54D94C95A7F6DFB80291B008659F58697521CF3AD992DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F61060, Relevance: 4.3, Strings: 3, Instructions: 566COMMON

Download Yara Rule

Strings

1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827, xrefs: 00F61445
%s at line %d of [%.10s], xrefs: 00F61454
database corruption, xrefs: 00F6144F

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: %s at line %d of [%.10s]$1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827$database corruption
API String ID: 0-3078602584
Opcode ID: 35e2147e91415874c2b11f6a5ced2b476556a4d22a86fb5d4b00d503fa31ece5
Instruction ID: 95ec1e9729a6cdae30ab7ee48218b5fc03d229c41cba4a960389d6c7776a9aef
Opcode Fuzzy Hash: 35e2147e91415874c2b11f6a5ced2b476556a4d22a86fb5d4b00d503fa31ece5
Instruction Fuzzy Hash: 05228E71A043019FD714DF18C881B6AB7E5FF88324F1989ADE8899B352DB31EC85DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F58AA0, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 633COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F591B2

Strings

:memory:, xrefs: 00F58AF7

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: :memory:
API String ID: 885266447-2920599690
Opcode ID: b34e00b092a33c7578f2fa1bf4c6e0dffcab6a891918836c28d19677e70b8529
Instruction ID: 9be9100066c73772b0f07c6414b469b3c55f673b3c63da6fe52dcc5ad6aae700
Opcode Fuzzy Hash: b34e00b092a33c7578f2fa1bf4c6e0dffcab6a891918836c28d19677e70b8529
Instruction Fuzzy Hash: B832E2B0E042159FDB24CF28CC45BAABBB5BF44355F1440A8DE49AB382DB35DD4ADB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F5A3C0, Relevance: 4.1, Strings: 3, Instructions: 374COMMON

Download Yara Rule

Strings

1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827, xrefs: 00F5A484
%s at line %d of [%.10s], xrefs: 00F5A493
database corruption, xrefs: 00F5A48E

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: %s at line %d of [%.10s]$1a584e499906b5c87ec7d43d4abce641fdf017c42125b083109bc77c4de48827$database corruption
API String ID: 0-3078602584
Opcode ID: c2a38faaec49508776d274233865e4e23621aa9d40abfff01642bd1e3bc9b884
Instruction ID: 5851e98d993be6afbb310dbedf3827602814508cb87eac7f81a536f822b95a33
Opcode Fuzzy Hash: c2a38faaec49508776d274233865e4e23621aa9d40abfff01642bd1e3bc9b884
Instruction Fuzzy Hash: 4BD1AF71A042019FC718DF28D881A6AB7E6FFC8324F458669ED498B352DB31EC55CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F9DC90, Relevance: 4.1, Strings: 2, Instructions: 1615COMMON

Download Yara Rule

Strings

5, xrefs: 00F9EF02
%s.%s, xrefs: 00F9DE06

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: %s.%s$5
API String ID: 0-2511244239
Opcode ID: c1ec202c75865416f5cadaa5885a50604d0165137b08a32b11c50c2e632b1a74
Instruction ID: 2d7a6cdba9f365328964076cef51b2d17c8c9b3b4799d48757128341f1472b46
Opcode Fuzzy Hash: c1ec202c75865416f5cadaa5885a50604d0165137b08a32b11c50c2e632b1a74
Instruction Fuzzy Hash: 33F28C74A043418FEB24DF19C490B6AB7E2FF88314F15895DE8898B362DB75E845DF82

Uniqueness

Uniqueness Score: -1.00%

Function 00F9F9C0, Relevance: 3.8, Strings: 2, Instructions: 1266COMMON

Download Yara Rule

Strings

), xrefs: 00FA0201
BINARY, xrefs: 00FA06AE

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: )$BINARY
API String ID: 0-1060320443
Opcode ID: 12a687080aac93a223982f3d87b07928fae274a7f547489c00e52651d841025b
Instruction ID: 7ab4a60219c80424b554086979ec96d386c3aa3410007a5bf5ad4cf0fb895466
Opcode Fuzzy Hash: 12a687080aac93a223982f3d87b07928fae274a7f547489c00e52651d841025b
Instruction Fuzzy Hash: A0C28B70A047018FDB20DF18C490F26B7E1FF89314F15856DE9898B3A2DB7AE959DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00F93630, Relevance: 3.7, Strings: 2, Instructions: 1223COMMON

Download Yara Rule

Strings

rows deleted, xrefs: 00F94666
@, xrefs: 00F93B18

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: @$rows deleted
API String ID: 0-3120709674
Opcode ID: ded54df425d13fa7f42a02beed3ffce78041028cc371f0d357e746a8c01bd5d5
Instruction ID: 5ab529b48a46edc25c82a9bee794d8f33fb7214d5cf5ebeeee0021369f181c19
Opcode Fuzzy Hash: ded54df425d13fa7f42a02beed3ffce78041028cc371f0d357e746a8c01bd5d5
Instruction Fuzzy Hash: AAC2AA70A043419FEB24DF18C480F2ABBE1FF88314F15866DE9858B392DB75E955DB82

Uniqueness

Uniqueness Score: -1.00%

Function 010328C0, Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fbf0c3c63a637c419a535c86fc4d261a80a9a02937f433d8af929c6e9bcacd5
Instruction ID: a94021ac7d55687b9b2b2c990de1b4c3c310bc9008692fd251228c62fc7dee54
Opcode Fuzzy Hash: 6fbf0c3c63a637c419a535c86fc4d261a80a9a02937f433d8af929c6e9bcacd5
Instruction Fuzzy Hash: DAF13D71E002199FDF14CFA9C8806EEBBF5FF88314F1582A9D959AB345D731AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F7FB60, Relevance: 2.5, Strings: 1, Instructions: 1239COMMON

Download Yara Rule

Strings

w, xrefs: 00F80322

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: w
API String ID: 0-476252946
Opcode ID: bdc306a97b2500dc3bc08746cf0bdf6648d7af5cfa7416aac44a34bdd2fd1dfb
Instruction ID: 9ef4003d3601cea48177011647bcf9a982abb8574e7b9cb8798d866042188853
Opcode Fuzzy Hash: bdc306a97b2500dc3bc08746cf0bdf6648d7af5cfa7416aac44a34bdd2fd1dfb
Instruction Fuzzy Hash: DAC28970A047018FC724EF18C490FA6BBE1FF89314F55856EE9898B362DB35E859DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00F63BE0, Relevance: 2.3, APIs: 1, Instructions: 803COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F6435C

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 226e6e1d6acaf4f084465245b8289f1f626914eb4becf05418419da89943debf
Instruction ID: dc00044b5e31bc41be9da4f6c7d67ac7ae72c11fae2426304f4d0a03f911c446
Opcode Fuzzy Hash: 226e6e1d6acaf4f084465245b8289f1f626914eb4becf05418419da89943debf
Instruction Fuzzy Hash: 40628E71A042119FD729DF28C480B2AB7F1BF89324F15869CEC598B342DB35ED85EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F7E260, Relevance: 2.1, Strings: 1, Instructions: 807COMMON

Download Yara Rule

Strings

USING INDEX %s FOR IN-OPERATOR, xrefs: 00F7E8D7

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: USING INDEX %s FOR IN-OPERATOR
API String ID: 0-3230214820
Opcode ID: aa6cbfc9af28145c20d3a1348c4fd46ad523f35488ea7b395566144dbaa44302
Instruction ID: f6ca6677fd05b1f4857340c93a841b03c8204a334a01517f3614b13f0492d1a3
Opcode Fuzzy Hash: aa6cbfc9af28145c20d3a1348c4fd46ad523f35488ea7b395566144dbaa44302
Instruction Fuzzy Hash: B1728F75A043418FD714CF18C480A6AB7E2BF99324F19C6AFE8899B352D735EC45DB82

Uniqueness

Uniqueness Score: -1.00%

Function 00F565C0, Relevance: 2.0, APIs: 1, Instructions: 512COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00F5699F

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __allrem
String ID:
API String ID: 2933888876-0
Opcode ID: ab9f3dfa6032e75b6d774dd52d21b7dbf3e3a478c2d49a6d68912a47e296d0a6
Instruction ID: a79809af42bf5580d9c2fb924391cc3967aaa983e48352b1e437733f0df9a047
Opcode Fuzzy Hash: ab9f3dfa6032e75b6d774dd52d21b7dbf3e3a478c2d49a6d68912a47e296d0a6
Instruction Fuzzy Hash: 70128B71E00219AFDB14CFA8D880BADB7B1BF48325F544129EE29EB341D774AC59DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FC0F10, Relevance: 2.0, Strings: 1, Instructions: 709COMMON

Download Yara Rule

Strings

Expression tree is too large (maximum depth %d), xrefs: 00FC171A

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: Expression tree is too large (maximum depth %d)
API String ID: 0-1961352115
Opcode ID: 9461b96a41f85ef20b3a9f7399b29888ba80dcb5f0434f2ef16034e6e95965d8
Instruction ID: 352607f7ada70886f92808e563dd1e95518349a38a8fef68cfada1cbdce13d99
Opcode Fuzzy Hash: 9461b96a41f85ef20b3a9f7399b29888ba80dcb5f0434f2ef16034e6e95965d8
Instruction Fuzzy Hash: 8852B335A043428FD714CF18C581B2AB7E2BFCA314F248A6DE8859B342D775EC56DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F659F0, Relevance: 1.7, Strings: 1, Instructions: 436COMMON

Download Yara Rule

Strings

%s%s, xrefs: 00F65DE6

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: %s%s
API String ID: 0-3252725368
Opcode ID: 28906e17bc0e955719a41fb2239bcb3ce770f70c634df05d02a46fe3f0bc07e2
Instruction ID: d1a9e5e37d535982efd50589cd685964ba304bd9a98d31013a8803662285b7c3
Opcode Fuzzy Hash: 28906e17bc0e955719a41fb2239bcb3ce770f70c634df05d02a46fe3f0bc07e2
Instruction Fuzzy Hash: 75F1F171B08B418BC714DF28C85176AB7E1AFC9728F04865DE8899B392DB36D941DB82

Uniqueness

Uniqueness Score: -1.00%

Function 00F84740, Relevance: 1.5, Strings: 1, Instructions: 291COMMON

Download Yara Rule

Strings

^, xrefs: 00F84A88

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ^
API String ID: 0-1590793086
Opcode ID: d5b1275268433ebffd864dbb3e256118796eff192b917a887ddfaa0811342628
Instruction ID: 900f13d903cf8439c98dbd6eddbf3f5afc405f40925a6f251312d4c58eee6143
Opcode Fuzzy Hash: d5b1275268433ebffd864dbb3e256118796eff192b917a887ddfaa0811342628
Instruction Fuzzy Hash: 07A12A31B042938FCB28EF24D8916BABBD1EF95324F08456DE8D98B241D725FC45E792

Uniqueness

Uniqueness Score: -1.00%

Function 00F4A460, Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

winUnlockReadLock, xrefs: 00F4A6D5

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: winUnlockReadLock
API String ID: 0-4244601998
Opcode ID: f69089349281943f9f9aed1fcbd5592fe1dfca3d9c9d0c2fa78deee90355ffdf
Instruction ID: ed3c3d9b377b011f488b09269130fdf9e2b10c9b1f322facb269493bf69c6635
Opcode Fuzzy Hash: f69089349281943f9f9aed1fcbd5592fe1dfca3d9c9d0c2fa78deee90355ffdf
Instruction Fuzzy Hash: 0091C571E803099BDB30CFA5C8457AEBFF5FF48710F24811AED85A6284D7B699809F81

Uniqueness

Uniqueness Score: -1.00%

Function 00F61A80, Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5798c7871e6e5a15d313a5e50c2fe8b74ec75d7e099e47de9a35ab3ae86dbc1f
Instruction ID: 7428237c812cb9ff1c5e56c22c64537e5391e139691653bf72f735b6d9dee064
Opcode Fuzzy Hash: 5798c7871e6e5a15d313a5e50c2fe8b74ec75d7e099e47de9a35ab3ae86dbc1f
Instruction Fuzzy Hash: B702BE71A046019FD718DF18C880B6AB7E6FF88324F19859DE8498B792DB31FC85DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F83AF0, Relevance: .5, Instructions: 463COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6590a4d678dd3225fea83a7e9821ef7fba02f79a9fa39edacd002770a1001137
Instruction ID: dc17b2fddb6299b97cc585777674c7000da6f9544552fa6340bb87ce0cfda655
Opcode Fuzzy Hash: 6590a4d678dd3225fea83a7e9821ef7fba02f79a9fa39edacd002770a1001137
Instruction Fuzzy Hash: F202F4716043428FCB14EF18C880BABBBE1FF88314F05855EE9898B352DB36E915DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F84130, Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5e9669a6d3f8ca7d248f90f7780f914977410553264ad357e7ac18a30006fa8
Instruction ID: 97d062ad1854b80dfac34ada07326d45acf149ad7f9109ab85875d1d5da24d0f
Opcode Fuzzy Hash: c5e9669a6d3f8ca7d248f90f7780f914977410553264ad357e7ac18a30006fa8
Instruction Fuzzy Hash: 570208716043468FCB14EF18D890BABBBE1FF89314F04456EE8898B352EB35E855DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F47A30, Relevance: .4, Instructions: 432COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1218e95429324033d8528edfea389ce964ffdd389acfeea845af2e34ef67492
Instruction ID: d11ece654d60bafaba9e5ad0b5d95ea2ca34e7fa8e2a434c3e4de1dd79711bd0
Opcode Fuzzy Hash: b1218e95429324033d8528edfea389ce964ffdd389acfeea845af2e34ef67492
Instruction Fuzzy Hash: B1E1197390C3824FD7159E38C4913A9BFD2DFA5310F184AA9DCE587382D329D949E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00F42380, Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30c9b5c37c1104d4e4c63647ebb639bd3b91c0fda22cd7d67eefea748bd9fdf5
Instruction ID: 501da9eddd9d0b0fef97f1ad5991a32c3532c7ff4f08a681941679e191e3e6b4
Opcode Fuzzy Hash: 30c9b5c37c1104d4e4c63647ebb639bd3b91c0fda22cd7d67eefea748bd9fdf5
Instruction Fuzzy Hash: 48D15774A007058FDB68CF68C4907AABBF1BF48314F95846DEC5A97345EB34E941DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F550B0, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1462c77c1c16698f6d2b7c88db4aa4b7f2e9f45800ffbdb4872b9949ff22dd0b
Instruction ID: c71adbed28664a42850c277823e47cb9e178e0e1119873c2754f547d981146d9
Opcode Fuzzy Hash: 1462c77c1c16698f6d2b7c88db4aa4b7f2e9f45800ffbdb4872b9949ff22dd0b
Instruction Fuzzy Hash: 35A19CB1A087018BC710DF58D890A6FBBE9BFC8755F14092DFD8A97311E735E9098B92

Uniqueness

Uniqueness Score: -1.00%

Function 00FC6F60, Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5ffc9eecdad37601c7c4e092e4196e1e41947fa18915327b56ae8e1c25ad611
Instruction ID: a20fee01dd61886df5c7105a02668cd32977fee5356303a996f645ba278b5c79
Opcode Fuzzy Hash: d5ffc9eecdad37601c7c4e092e4196e1e41947fa18915327b56ae8e1c25ad611
Instruction Fuzzy Hash: A9A13D71E0420A9FDF15DFA9C981AADB7F2BF98310F2991ADD805A7301D730A941DF94

Uniqueness

Uniqueness Score: -1.00%

Function 00F4B3F0, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf5d5a23a0f58df6a89e4ca852bc5dcc5a6b002c537e326e1376b000d386af0
Instruction ID: c5e9320cdc6fb366d02381921cdb16a5ebf42db020c358f2212bc55b6e34121c
Opcode Fuzzy Hash: 0cf5d5a23a0f58df6a89e4ca852bc5dcc5a6b002c537e326e1376b000d386af0
Instruction Fuzzy Hash: F8617C75E047099BDB20CF65C8847AFBBB4EF08760F198159EC45AB25AE7B4D900DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F4CB60, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c60f2a8ac5ecace8b4fea9ab94ccd409d8283ec42a50d210269cb56c40859a34
Instruction ID: e2dead4fa58e190485a4154bcc2bbcafcbee3eaa4b5aafe100ce8fc245d451a6
Opcode Fuzzy Hash: c60f2a8ac5ecace8b4fea9ab94ccd409d8283ec42a50d210269cb56c40859a34
Instruction Fuzzy Hash: 4251F53020D3A10ACB2ACF38C49457FBBE2BE8D98576945BED4D6CE443E526D60BC781

Uniqueness

Uniqueness Score: -1.00%

Function 0103095E, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dd028cca51dcb0a9ce8e1b7b517d940cc06647a0eff984a25aff3c88d84d55f
Instruction ID: 84072fe464ede0cd4385db172752b88ccc53bb909cf10abca08cf4915c3865b1
Opcode Fuzzy Hash: 2dd028cca51dcb0a9ce8e1b7b517d940cc06647a0eff984a25aff3c88d84d55f
Instruction Fuzzy Hash: AA518172E01219EFDF05CF99C980AEEBBB6EF88300F19819DE555AB245C7349E51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F48E60, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b63d64401bd7e6c0b9e96cbe20f5ac7b232a30cab2b22ebf5df1188a7b10d86
Instruction ID: aa3443951588b621e29965b24b9999746dbfd368bbca5a3a1554545aa400a050
Opcode Fuzzy Hash: 1b63d64401bd7e6c0b9e96cbe20f5ac7b232a30cab2b22ebf5df1188a7b10d86
Instruction Fuzzy Hash: 6321A341E1A6A84BDB00593EC890796BFC1C796329F28D3F4D8588FBDED518A40AC3E1

Uniqueness

Uniqueness Score: -1.00%

Function 010424F8, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 858e7b9b8f89abda53e995bf705560342153d45e2927cfa6cabf3195b3abe9c3
Instruction ID: ecf150b4a7bc05668b0a6bad9466ea66a6363d4aa70a9e3ea3b0ebaf9489b42d
Opcode Fuzzy Hash: 858e7b9b8f89abda53e995bf705560342153d45e2927cfa6cabf3195b3abe9c3
Instruction Fuzzy Hash: F6E08C72A11228EBCB25DBDCD95498AF7ECEB44B00B1140A6F602D3240C270DE00CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00F41360, Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 270COMMON

Download Yara Rule

APIs

_Smanip.LIBCPMTD ref: 00F41739

Strings

3, xrefs: 00F41492
0, xrefs: 00F416A4
1, xrefs: 00F41431
5, xrefs: 00F41507
2, xrefs: 00F4144E
20211125182607, xrefs: 00F41745
?, xrefs: 00F41631
8, xrefs: 00F415C0
4, xrefs: 00F414C3
9, xrefs: 00F415DD
6, xrefs: 00F4154B
0, xrefs: 00F415F7
7, xrefs: 00F4158F
1, xrefs: 00F413EC
1, xrefs: 00F41611

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Smanip
String ID: 0$0$1$1$1$2$20211125182607$3$4$5$6$7$8$9$?
API String ID: 2140389272-3556083766
Opcode ID: b44aa0a25bc9ae6cd2a8169fe69b5acca2c4bdd8117fdfbbd7c281e936d45e76
Instruction ID: 67bc3b89fdfffe3dd965e7fdde9f4338366e0ab7486a772ad5f6fe79e8b5c2d1
Opcode Fuzzy Hash: b44aa0a25bc9ae6cd2a8169fe69b5acca2c4bdd8117fdfbbd7c281e936d45e76
Instruction Fuzzy Hash: 95B10811D081D555E70A8A7881A43FEAFB76B63340F1C80F9C4DA9FBC7C1AA8AC5D791

Uniqueness

Uniqueness Score: -1.00%

Function 00F41D50, Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 270COMMON

Download Yara Rule

APIs

_Smanip.LIBCPMTD ref: 00F42129

Strings

1, xrefs: 00F42001
7, xrefs: 00F41F7F
5, xrefs: 00F41EF7
1, xrefs: 00F41DDC
1, xrefs: 00F41E21
9, xrefs: 00F41FCD
2, xrefs: 00F41E3E
?, xrefs: 00F42021
0, xrefs: 00F41FE7
0, xrefs: 00F42094
8, xrefs: 00F41FB0
20211125182615, xrefs: 00F42135
3, xrefs: 00F41E82
6, xrefs: 00F41F3B
4, xrefs: 00F41EB3

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Smanip
String ID: 0$0$1$1$1$2$20211125182615$3$4$5$6$7$8$9$?
API String ID: 2140389272-3902516752
Opcode ID: 0a075381188ae9ead519f55c5535c892e6f78586cdb2af2cd244caa282701d64
Instruction ID: 1341c0ef20120c74f75d0af6d0b038c864ef304b5d8e43cc6303c6c49c50b770
Opcode Fuzzy Hash: 0a075381188ae9ead519f55c5535c892e6f78586cdb2af2cd244caa282701d64
Instruction Fuzzy Hash: 22B10A11D082D549E70A867840A43FEAFB6AB52350F5CC1FAD8D19FB87C17A8AC6D391

Uniqueness

Uniqueness Score: -1.00%

Function 00F440C0, Relevance: 23.2, APIs: 6, Strings: 7, Instructions: 403COMMON

Download Yara Rule

Strings

%lld, xrefs: 00F444E4
%06.3f, xrefs: 00F4430B
%02d, xrefs: 00F442B8, 00F443EB
%.16g, xrefs: 00F44481
string or blob too big, xrefs: 00F4460B
%04d, xrefs: 00F44572
W, xrefs: 00F443BE

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: %.16g$%02d$%04d$%06.3f$%lld$W$string or blob too big
API String ID: 0-4289744004
Opcode ID: e5874a131f333c6e7e1931678acfb9d0e64e182674e9d8475c282bcfd5ea4453
Instruction ID: 1039a7de8f39a0103e5f8a69f769dbad66e61e5c000dcde54b6a4f89440827aa
Opcode Fuzzy Hash: e5874a131f333c6e7e1931678acfb9d0e64e182674e9d8475c282bcfd5ea4453
Instruction Fuzzy Hash: 8CE142729087819BD721CF28CC01BAABBE5BF95310F054A0CFCD877291E735E905AB92

Uniqueness

Uniqueness Score: -1.00%

Function 01044F12, Relevance: 19.6, APIs: 13, Instructions: 88COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01044F2F

Part of subcall function 0103D7D9: HeapFree.KERNEL32(00000000,00000000,?,01045667,?,00000000,?,?,?,0104590A,?,00000007,?,?,01045F00,?), ref: 0103D7EF
Part of subcall function 0103D7D9: GetLastError.KERNEL32(?,?,01045667,?,00000000,?,?,?,0104590A,?,00000007,?,?,01045F00,?,?), ref: 0103D801

_free.LIBCMT ref: 01044F41
_free.LIBCMT ref: 01044F53
_free.LIBCMT ref: 01044F65
_free.LIBCMT ref: 01044F77
_free.LIBCMT ref: 01044F89
_free.LIBCMT ref: 01044F9B
_free.LIBCMT ref: 01044FAD
_free.LIBCMT ref: 01044FBF
_free.LIBCMT ref: 01044FD1
_free.LIBCMT ref: 01044FE3
_free.LIBCMT ref: 01044FF5
_free.LIBCMT ref: 01045007

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9051a0dfb251f7cfb4f3ddc28ecffb2c7888196bb55ad493b42c8e9c36ade04c
Instruction ID: d6c76c6075dd0f9acb317c73acbb043577f4f4ca8ac1a33c33e03fc5deaa2d00
Opcode Fuzzy Hash: 9051a0dfb251f7cfb4f3ddc28ecffb2c7888196bb55ad493b42c8e9c36ade04c
Instruction Fuzzy Hash: CD216FB2118640AFC671EBA8F0C5D5A77FEBA60310BA10855F1C6D7D80DB36F8808B20

Uniqueness

Uniqueness Score: -1.00%

Function 01045D69, Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01045DA2

Part of subcall function 0103D7D9: HeapFree.KERNEL32(00000000,00000000,?,01045667,?,00000000,?,?,?,0104590A,?,00000007,?,?,01045F00,?), ref: 0103D7EF
Part of subcall function 0103D7D9: GetLastError.KERNEL32(?,?,01045667,?,00000000,?,?,?,0104590A,?,00000007,?,?,01045F00,?,?), ref: 0103D801

Part of subcall function 01044F12: _free.LIBCMT ref: 01044F2F
Part of subcall function 01044F12: _free.LIBCMT ref: 01044F41
Part of subcall function 01044F12: _free.LIBCMT ref: 01044F53
Part of subcall function 01044F12: _free.LIBCMT ref: 01044F65
Part of subcall function 01044F12: _free.LIBCMT ref: 01044F77
Part of subcall function 01044F12: _free.LIBCMT ref: 01044F89
Part of subcall function 01044F12: _free.LIBCMT ref: 01044F9B
Part of subcall function 01044F12: _free.LIBCMT ref: 01044FAD
Part of subcall function 01044F12: _free.LIBCMT ref: 01044FBF
Part of subcall function 01044F12: _free.LIBCMT ref: 01044FD1
Part of subcall function 01044F12: _free.LIBCMT ref: 01044FE3
Part of subcall function 01044F12: _free.LIBCMT ref: 01044FF5
Part of subcall function 01044F12: _free.LIBCMT ref: 01045007

_free.LIBCMT ref: 01045DC4
_free.LIBCMT ref: 01045DD9
_free.LIBCMT ref: 01045DE4
_free.LIBCMT ref: 01045E06
_free.LIBCMT ref: 01045E19
_free.LIBCMT ref: 01045E27
_free.LIBCMT ref: 01045E32
_free.LIBCMT ref: 01045E6A
_free.LIBCMT ref: 01045E71
_free.LIBCMT ref: 01045E8E
_free.LIBCMT ref: 01045EA6

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a6380aa6589b21caad996aad0fab67f0a8681b8cfdca0b61951c3d1b15dabd6c
Instruction ID: 4b4156adf439e8720af171682cbdedfcf63b9967d49589ca50fca40b1fc39d0f
Opcode Fuzzy Hash: a6380aa6589b21caad996aad0fab67f0a8681b8cfdca0b61951c3d1b15dabd6c
Instruction Fuzzy Hash: 67316FB16007029FEB76AABDDCC4B9677E9BF50310F50846AE5CADB550EB30E881D710

Uniqueness

Uniqueness Score: -1.00%

Function 0103EB80, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMON

Download Yara Rule

Strings

ext-ms-, xrefs: 0103EBEB
api-ms-, xrefs: 0103EBD7

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 2447f4a7463c215a814feba45fcb17ca4108ca39ca20462402c40f397973cee7
Instruction ID: b77c2e89b4c74a6bec836f06c01b182c364786ab8dffa18e0ad87895485b48ac
Opcode Fuzzy Hash: 2447f4a7463c215a814feba45fcb17ca4108ca39ca20462402c40f397973cee7
Instruction Fuzzy Hash: E521D531A11319EBDB325A28DC44B5F7BACAF85760F150761FDD6A7281D635EC02C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 010458F1, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 0104563D: _free.LIBCMT ref: 01045662

_free.LIBCMT ref: 0104593F

Part of subcall function 0103D7D9: HeapFree.KERNEL32(00000000,00000000,?,01045667,?,00000000,?,?,?,0104590A,?,00000007,?,?,01045F00,?), ref: 0103D7EF
Part of subcall function 0103D7D9: GetLastError.KERNEL32(?,?,01045667,?,00000000,?,?,?,0104590A,?,00000007,?,?,01045F00,?,?), ref: 0103D801

_free.LIBCMT ref: 0104594A
_free.LIBCMT ref: 01045955
_free.LIBCMT ref: 010459A9
_free.LIBCMT ref: 010459B4
_free.LIBCMT ref: 010459BF
_free.LIBCMT ref: 010459CA

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 35f84c64f34e1e0517763829f0a7c6ae07e8a8b33e5521f426628032795adce8
Instruction ID: 6a9e67d923989f1525265f395136cf07bc38f1d2e97b038e2c2214f4918fbf32
Opcode Fuzzy Hash: 35f84c64f34e1e0517763829f0a7c6ae07e8a8b33e5521f426628032795adce8
Instruction Fuzzy Hash: EE1190B1540B45BBD621BBB0DC85FCB77BDAF68740F800826A6DAA7450EB74B5048790

Uniqueness

Uniqueness Score: -1.00%

Function 01037D08, Relevance: 9.3, APIs: 6, Instructions: 270COMMON

Download Yara Rule

APIs

Part of subcall function 01037BDE: CloseHandle.KERNEL32(?,?,?,01037D15,?,?,00F479A9,00000000), ref: 01037C0F
Part of subcall function 01037BDE: FreeLibraryAndExitThread.KERNEL32(?,?,?,?,01037D15,?,?,00F479A9,00000000), ref: 01037C25
Part of subcall function 01037BDE: ExitThread.KERNEL32 ref: 01037C2E

__allrem.LIBCMT ref: 01037E9E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01037EBA
__allrem.LIBCMT ref: 01037ED1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01037EEF
__allrem.LIBCMT ref: 01037F06
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01037F24

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@$ExitThread$CloseFreeHandleLibrary
String ID:
API String ID: 1885649644-0
Opcode ID: e367ace3abe78447e7299370a9459d1cc3c9eb8354e912311c34a5635fed5eea
Instruction ID: 2f87530e34bb0f4afe0f969b77c6b20c21f7cbe2de82417b192200ff51b4514a
Opcode Fuzzy Hash: e367ace3abe78447e7299370a9459d1cc3c9eb8354e912311c34a5635fed5eea
Instruction Fuzzy Hash: 0681E8F2A00707AFD725AF69CC80BAAB7FDAF95320F144639E595D7280EB74D9008790

Uniqueness

Uniqueness Score: -1.00%

Function 00FFFB90, Relevance: 9.2, APIs: 6, Instructions: 244COMMON

Download Yara Rule

APIs

allocator.LIBCONCRTD ref: 00FFFBEE
allocator.LIBCONCRTD ref: 00FFFC44

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: allocator
String ID:
API String ID: 3447690668-0
Opcode ID: b64182ae9f6fa97852f84c13de5cb5d4d026e1b49917d21487634e3379361938
Instruction ID: d691574b9b24b302d61cf142c2c1f024183ff0b6a8b5136b719e1435725378b9
Opcode Fuzzy Hash: b64182ae9f6fa97852f84c13de5cb5d4d026e1b49917d21487634e3379361938
Instruction Fuzzy Hash: C9A1FA74A002499FCB04DF58C890BBEBBB1AF88354F18C168E9499F356D735EE45DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01038419, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,0103840E,00000000,?,010383D6,00000000,?,00000000), ref: 0103842E
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 01038441
FreeLibrary.KERNEL32(00000000,?,?,0103840E,00000000,?,010383D6,00000000,?,00000000), ref: 01038464

Strings

CorExitProcess, xrefs: 01038439
mscoree.dll, xrefs: 01038427

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: df559ba5f080c1d04d004c735945522cb1540f85b1557b3c0aad900d16eaa705
Instruction ID: e4402ff027c78917187444e345c33dbc355774939950e2f41162a58923ee138b
Opcode Fuzzy Hash: df559ba5f080c1d04d004c735945522cb1540f85b1557b3c0aad900d16eaa705
Instruction Fuzzy Hash: 69F01231600218FBEB219BA5D909B9E7FB8EB41756F108295B681A6150CB758E00DB90

Uniqueness

Uniqueness Score: -1.00%

Function 010453C6, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 010453DE

Part of subcall function 0103D7D9: HeapFree.KERNEL32(00000000,00000000,?,01045667,?,00000000,?,?,?,0104590A,?,00000007,?,?,01045F00,?), ref: 0103D7EF
Part of subcall function 0103D7D9: GetLastError.KERNEL32(?,?,01045667,?,00000000,?,?,?,0104590A,?,00000007,?,?,01045F00,?,?), ref: 0103D801

_free.LIBCMT ref: 010453F0
_free.LIBCMT ref: 01045402
_free.LIBCMT ref: 01045414
_free.LIBCMT ref: 01045426

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: cdf73e145620af3f6f98c058933167ace196e58471b7a963316cf7cc891786ff
Instruction ID: a7135a07ec2a7cc8f822cf0841e4a4d8e9208c1927d6f254edd016d00dc3cb36
Opcode Fuzzy Hash: cdf73e145620af3f6f98c058933167ace196e58471b7a963316cf7cc891786ff
Instruction Fuzzy Hash: 18F0C8B2504150ABD170EB58F4C0C4E77EEBE90711F554855F1C5CBC40CB35F8808B50

Uniqueness

Uniqueness Score: -1.00%

Function 00F87030, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00F870CA

Strings

%llu, xrefs: 00F8707B
%llu, xrefs: 00F870D1
string or blob too big, xrefs: 00F87127

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __aulldiv
String ID: %llu$%llu$string or blob too big
API String ID: 3732870572-3890766324
Opcode ID: c9451a28e4d7bae9df09cadac9eff331042c85ba0be7cacb78d5d3e59c661c77
Instruction ID: 512a45ed3f101119d26fb0a103a3b048457319c0c5328135749d3940cb8d031d
Opcode Fuzzy Hash: c9451a28e4d7bae9df09cadac9eff331042c85ba0be7cacb78d5d3e59c661c77
Instruction Fuzzy Hash: D2318F72A446006BC720BA289C06FA73756DB85730F284368FC659F2C2E666D80597E1

Uniqueness

Uniqueness Score: -1.00%

Function 00F4A230, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00F4A26B

Strings

winTruncate1, xrefs: 00F4A2D7
winSeekFile, xrefs: 00F4A2BA
winTruncate2, xrefs: 00F4A305

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __allrem
String ID: winSeekFile$winTruncate1$winTruncate2
API String ID: 2933888876-2471937615
Opcode ID: b8c4f0e52eae994aa9b9b8b0016a072750f7e7a1b790aa0f6ba3134a57a1b450
Instruction ID: 7afa234e337cbf3923b553a6ec01dea82a13dd0a10e950435dcfebc13f0c34f8
Opcode Fuzzy Hash: b8c4f0e52eae994aa9b9b8b0016a072750f7e7a1b790aa0f6ba3134a57a1b450
Instruction Fuzzy Hash: 7831A5716447019FD720CF39DC8596B7BE5FB84720F508A2DF895C7680E675EC009B62

Uniqueness

Uniqueness Score: -1.00%

Function 00F493B0, Relevance: 6.1, APIs: 4, Instructions: 117COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00F493DA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F493FC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F4944D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F49497

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__aulldiv
String ID:
API String ID: 3650730422-0
Opcode ID: 3758f4f8d86c60f8b9e256b8a50f170e0918f8824a274ebfe6d6b9702ab5db16
Instruction ID: ec52d19c26c838e5546281e7effc763a542bf50fbcfdc8ba479985973a345cbe
Opcode Fuzzy Hash: 3758f4f8d86c60f8b9e256b8a50f170e0918f8824a274ebfe6d6b9702ab5db16
Instruction Fuzzy Hash: 3A313872B0811467DB34D999EC85BAF7F58DB81734F24C2BDED18D72B0E6E98C426290

Uniqueness

Uniqueness Score: -1.00%

Function 0103D201, Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,00000000,0103B690,?,?,01042D85,?,00000000,00000040,00000000,00000000,00000040,?,00000000,00000080), ref: 0103D206
_free.LIBCMT ref: 0103D263
_free.LIBCMT ref: 0103D299
SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,01042D85,?,00000000,00000040,00000000,00000000,00000040,?,00000000,00000080,00000000), ref: 0103D2A4

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: ae55d667d47be01b1c36f1bfc7edc2b859a4526acf373fa57be5f9f918bea230
Instruction ID: 1c55a3b4479c4ed11102bd394b3aa55a87e9fd60a8dba2db63088a5be6e8ea20
Opcode Fuzzy Hash: ae55d667d47be01b1c36f1bfc7edc2b859a4526acf373fa57be5f9f918bea230
Instruction Fuzzy Hash: CD11E9766046022ED7A236F9AC84D7F2A9DEBE1778B550734F6D5971C0DE66CC019320

Uniqueness

Uniqueness Score: -1.00%

Function 0103D358, Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,0102F02E,0103D4F0,?,?,0102518C,00000000,00000000,00FE41D7,00000008), ref: 0103D35D
_free.LIBCMT ref: 0103D3BA
_free.LIBCMT ref: 0103D3F0
SetLastError.KERNEL32(00000000,00000006,000000FF,?,00000000,?,0102F02E,0103D4F0,?,?,0102518C,00000000,00000000,00FE41D7,00000008), ref: 0103D3FB

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: e0bee3df9f03168e893e5e92851f192a0e5cdb3e8cb259c1a75755d5436d3f48
Instruction ID: 92a893a50da4f75f5dafbf9e4a9e04c2dc818fecf2e4e090c4c40adbdfaa411f
Opcode Fuzzy Hash: e0bee3df9f03168e893e5e92851f192a0e5cdb3e8cb259c1a75755d5436d3f48
Instruction Fuzzy Hash: 00110C363046016ED76226FC9C80D6F2A9DEBD17B4F554334F6D5931D4DF268C059321

Uniqueness

Uniqueness Score: -1.00%

Function 0102582B, Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,010257C8,00000064), ref: 0102584E
LeaveCriticalSection.KERNEL32(0108C460,?,?,010257C8,00000064,?,?,?,00FED838,0108B130,287F9D3E,?,0104FAD1,000000FF,?,00F41068), ref: 01025858
WaitForSingleObjectEx.KERNEL32(?,00000000,?,010257C8,00000064,?,?,?,00FED838,0108B130,287F9D3E,?,0104FAD1,000000FF,?,00F41068), ref: 01025869
EnterCriticalSection.KERNEL32(0108C460,?,010257C8,00000064,?,?,?,00FED838,0108B130,287F9D3E,?,0104FAD1,000000FF,?,00F41068), ref: 01025870

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: cac6acf8f239de0f555e72f5c4ad2cc836fa20bed5f91b25858cc7e37ea86ee6
Instruction ID: 348e98d73ab95ddc855e51a4e14163d3406469045adfc9ee485215ba421f7e2e
Opcode Fuzzy Hash: cac6acf8f239de0f555e72f5c4ad2cc836fa20bed5f91b25858cc7e37ea86ee6
Instruction Fuzzy Hash: 1DE06535645234E7E7212A59FD09ADE3F64AB05A50B044114F6C5671148FAB584087E9

Uniqueness

Uniqueness Score: -1.00%

Function 00F50500, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 303COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F5060C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F5065A

Strings

recovered %d pages from %s, xrefs: 00F50807

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: recovered %d pages from %s
API String ID: 885266447-1623757624
Opcode ID: ccee568c457a69930eb7028bc4bd778aa222eb63f5d73bb9202917ad3de20132
Instruction ID: 919247d9ec106e1381f1a072fab618be27ab8e868b2ed6a8241fa03151f187fd
Opcode Fuzzy Hash: ccee568c457a69930eb7028bc4bd778aa222eb63f5d73bb9202917ad3de20132
Instruction Fuzzy Hash: F0B1AE75E006169FDB25CF68D880AAEB7B1BF48321F044128EE55A7341EB34BD59DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00F41190, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

_Smanip.LIBCPMTD ref: 00F411F7

Strings

Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36, xrefs: 00F411C6
User-Agent, xrefs: 00F411CB

Memory Dump Source

Source File: 00000000.00000002.328702735.0000000000F41000.00000020.00020000.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.328688213.0000000000F40000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328881527.000000000105A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328919587.0000000001086000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328928578.000000000108B000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.328938164.000000000108F000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.328959564.00000000010AA000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Smanip
String ID: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36$User-Agent
API String ID: 2140389272-3885995274
Opcode ID: 822534729e2a14d0a56d178d95812c3bf576be85ceb04ac6ad1dca6bfe8eedfb
Instruction ID: e49b1828d3757469d1339ec8deac6d108febd1502df7ba92e8ffb3bfb74f8037
Opcode Fuzzy Hash: 822534729e2a14d0a56d178d95812c3bf576be85ceb04ac6ad1dca6bfe8eedfb
Instruction Fuzzy Hash: B811CEB1904248ABCB11EBD4DD45FDEB7B8FB44B10F00822DF5926B2C5EBB96608CB51

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report duLT5gkRjy.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Socelars

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets